
LDAP Data Source

The LDAP data source collector discovers user accounts and groups from generic LDAP directory services. This enables organizations to identify all directory-based identities, manage access for non-Microsoft directory systems, and support compliance requirements across diverse identity infrastructure.

Permissions

In order to collect identity data from LDAP, a user or service account with read access to the root of the directory tree must be created. Ensure the account has rscdx privileges (read, search, compare, disclose, auth); refer to the OpenLDAP access control documentation for details.

Setting up the LDAP Data Source

The following steps guide you through the setup.

  1. Log in to your Hydden tenant.
  2. To access the data sources page, navigate to Configuration > Discover and select Data Sources or use the data source URL: https://portal.hydden.com/configuration/datasource.
  3. To add the LDAP data source, click + Add Data Source.
  4. From the configuration wizard, select the LDAP logo tile.
  5. For Name enter an easy-to-identify name, especially if several data sources for the same service are to be created.
  6. You may ignore the optional Preset field. Pre-configured data source presets, when available, can be selected from the drop-down, or a new preset can be added manually via the +.
  7. For Domain/Controller, enter your LDAP domain controller name.
  8. If you already created your credential, select that credential from the Credential drop-down. If you have not yet created a credential, click the + to add an Account Credential for your LDAP instance.
  9. You may ignore the optional Schedule field. To specify a Schedule either select from the list of pre-configured collection schedules or manually enter a new schedule via +.
  10. Under Site, which is an optional field, specify the site where your client is installed; this can be “default” if there is only one client for your organization.
  11. Custom Properties is an optional field. If needed for your organization, enter specific key=value pairs, for example, environment=production.
  12. Click Add to save the data source. You have an option to manually run the data collection via the Run Now button.

NOTE

If custom mapping rules are required, refer to the Advanced Configuration section in the Data Source Overview topic.

At this point, you can run a collection from the Data Sources page and shortly after, you will see your LDAP users listed on the Identity Posture dashboard, in Global Search and the Search Library.

Advanced LDAP Configuration

Multiple Organizational Units (OUs)

The LDAP collector supports collecting from multiple Organizational Units within a single data source configuration. This enables targeted collection from specific branches of your LDAP tree without scanning the entire directory.

Configuring Multiple OUs:

In the Advanced Configuration section, specify multiple OUs separated by semicolons:

ou=Users,dc=example,dc=com;ou=Contractors,dc=example,dc=com;ou=ServiceAccounts,dc=example,dc=com

Use Cases:

  • Collect only from specific departments or business units
  • Separate employees from contractors or external users
  • Improve collection performance by targeting specific tree branches
  • Exclude irrelevant directory sections

NOTE

If no OU is specified, the collector searches from the root of the directory tree.

Configurable Search Parameters

The LDAP collector provides configurable search parameters for fine-tuning collection behavior and compatibility with different LDAP implementations.

Available Parameters:

Parameter          Purpose                        Default         Example
Search Base        Root DN for searches           Auto-detected   dc=example,dc=com
Search Scope       Subtree, one-level, or base    Subtree         subtree
Page Size          Results per page               1000            500
Timeout            Query timeout in seconds       60              120
Follow Referrals   Follow LDAP referrals          true            false

Configure these parameters in the data source Advanced Configuration section to optimize for your LDAP server's capabilities and network conditions.
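To make concrete what Page Size and Timeout actually govern during a run, here is an added example (not Hydden's code) that holds the documented defaults in a small settings object, validates them, and drives a paged search the way an LDAP client does under RFC 2696 Simple Paged Results: the server hands back an opaque cookie with every page, the client resends it to fetch the next page, and an empty cookie marks the end. The `fetch_page` callback and the `FakeDirectory` class are constructed stand-ins for the real transport so the loop can be run offline.

```python
"""Search-parameter handling and a paged-search loop for an LDAP collection
run (added example, not Hydden's code). Defaults mirror the documented table."""
import time
from dataclasses import dataclass

SCOPES = ("base", "one-level", "subtree")


@dataclass(frozen=True)
class SearchParams:
    search_base: str = ""          # "" = auto-detected from the server's namingContexts
    search_scope: str = "subtree"
    page_size: int = 1000          # entries requested per page
    timeout: int = 60              # whole-query budget in seconds
    follow_referrals: bool = True

    def validate(self) -> "SearchParams":
        if self.search_scope.lower() not in SCOPES:
            raise ValueError(f"unknown scope {self.search_scope!r}; use one of {SCOPES}")
        if not 1 <= self.page_size <= 10000:
            raise ValueError("page size must be between 1 and 10000")
        if self.timeout <= 0:
            raise ValueError("timeout must be a positive number of seconds")
        return self


def paged_search(params: SearchParams, fetch_page, clock=time.monotonic):
    """Yield entries page by page.

    fetch_page(size, cookie) is a hypothetical transport callback that returns
    (entries, next_cookie); it stands in for the real LDAP client's search call.
    The loop stops when the server returns an empty cookie and raises
    TimeoutError once the whole query has run longer than params.timeout.
    """
    deadline = clock() + params.timeout
    cookie = b""
    pages = 0
    while True:
        if clock() > deadline:
            raise TimeoutError(f"search exceeded {params.timeout}s after {pages} page(s)")
        entries, cookie = fetch_page(params.page_size, cookie)
        pages += 1
        yield from entries
        if not cookie:          # empty cookie: the server has no more results
            return


class FakeDirectory:
    """Constructed stand-in for a server: N user DNs served in pages, with the
    page offset encoded in the cookie the way a real server encodes its state."""

    def __init__(self, count: int = 2350):
        self.entries = [f"cn=user{i},ou=Users,dc=example,dc=com" for i in range(count)]
        self.pages_served = 0

    def fetch_page(self, size: int, cookie: bytes):
        start = int(cookie or b"0")
        page = self.entries[start:start + size]
        self.pages_served += 1
        nxt = start + size
        return page, (str(nxt).encode() if nxt < len(self.entries) else b"")


def collect(params: SearchParams, directory: FakeDirectory) -> list[str]:
    """Run a full paged collection against the fake directory."""
    return list(paged_search(params.validate(), directory.fetch_page))


if __name__ == "__main__":
    d = FakeDirectory()
    users = collect(SearchParams(page_size=500), d)
    print(f"collected {len(users)} entries in {d.pages_served} pages")
```

Two points worth keeping in mind when tuning these values: a server may silently cap the page size below what you ask for (Active Directory's default MaxPageSize is 1000), so a larger configured value does not always mean fewer round trips; and leaving Follow Referrals at true means the collector will open a connection to whatever host a referral names and bind there with the same credential, so set it to false when the directory refers to hosts you do not intend the collection account to reach.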

IBM Verify Server Support

The LDAP collector includes enhanced support for IBM Security Verify (formerly IBM Security Access Manager) and IBM Tivoli Directory Server.

IBM-Specific Features:

  1. IBM-ENTRYUUID Attribute Support: The collector recognizes and uses the IBM-ENTRYUUID attribute for unique identity tracking when the standard entryUUID is not available.

  2. Naming Context Validation: Automatically skips invalid or inaccessible naming contexts that some IBM directory configurations may return, preventing collection errors.

  3. IBM Verify Server Compatibility: Full compatibility with IBM Security Verify's LDAP interface, including attribute mappings and schema variations.

Configuration for IBM Verify:

  • Use the standard LDAP data source configuration
  • The collector automatically detects IBM-specific attributes
  • No special configuration required for IBM-ENTRYUUID support

TIP

When connecting to IBM Verify Server, ensure your credential has access to all naming contexts you want to collect from. The collector will log and skip any contexts that return access errors.

LDAP Filter Customization

For advanced filtering, you can specify custom LDAP filters to control which entries are collected.

Example Custom Filters:

# Collect only active user accounts
(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Collect groups with specific membership
(&(objectClass=group)(member=*))

# Collect service accounts
(&(objectClass=user)(servicePrincipalName=*))

Specify custom filters in the Advanced Configuration section, in the "LDAP Filter" field.
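A custom filter is the one place where a typo quietly changes what gets collected: the first example relies on the Microsoft bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) against the ACCOUNTDISABLE bit (2) of userAccountControl, so dropping the `!` or mistyping the OID would flip or break the "active only" selection. The following is an added example, not Hydden's code: a small RFC 4515 filter parser and evaluator that supports the operators the three documented filters use (&, |, !, equality, presence and the bitwise-AND rule), run against a constructed handful of entries so you can preview which ones each filter would select before saving it. The sample entries and DNs are made up for illustration.

```python
"""Minimal RFC 4515 filter parser/evaluator for previewing custom collection
filters (added example, not Hydden's code)."""
import re

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                  # userAccountControl flag tested by the "active" filter
# item filter: attribute, optional ':OID' matching rule, '=' value
_ITEM = re.compile(r"^([A-Za-z][\w.-]*)(?::([\d.]+))?:?=(.*)$")


def parse(text: str):
    """Parse a filter string into a tuple tree; raises ValueError on bad input."""
    s = text.strip()
    try:
        tree, pos = _parse(s, 0)
    except IndexError:
        raise ValueError("unbalanced or truncated filter") from None
    if pos != len(s):
        raise ValueError(f"trailing data at offset {pos}")
    return tree


def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        kids = []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif op == "!":
        kid, i = _parse(s, i + 1)
        node = ("!", [kid])
    else:
        end = s.index(")", i)        # a literal ')' inside a value must be escaped as \29
        m = _ITEM.match(s[i:end])
        if not m:
            raise ValueError(f"bad item filter {s[i:end]!r}")
        attr, rule, value = m.groups()
        node = ("item", attr.lower(), rule, value)
        i = end
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter; entry maps lower-cased attribute names to value lists."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND:               # true when every bit in value is set in the attribute
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":                  # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # case-insensitive equality


# Constructed sample directory: two people (one disabled), a service account, two groups.
ENTRIES = [
    {"dn": "cn=alice,ou=Users,dc=example,dc=com", "objectclass": ["top", "person", "user"],
     "useraccountcontrol": ["512"]},
    {"dn": "cn=bob,ou=Users,dc=example,dc=com", "objectclass": ["top", "person", "user"],
     "useraccountcontrol": ["514"]},        # 512 | ACCOUNTDISABLE
    {"dn": "cn=svc-backup,ou=ServiceAccounts,dc=example,dc=com",
     "objectclass": ["top", "person", "user"], "useraccountcontrol": ["66048"],
     "serviceprincipalname": ["HOST/backup01.example.com"]},
    {"dn": "cn=Finance,ou=Groups,dc=example,dc=com", "objectclass": ["top", "group"],
     "member": ["cn=alice,ou=Users,dc=example,dc=com"]},
    {"dn": "cn=Empty,ou=Groups,dc=example,dc=com", "objectclass": ["top", "group"]},
]


def preview(filter_text: str, entries=ENTRIES) -> list[str]:
    """Return the DNs the given filter would select from the sample entries."""
    tree = parse(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for f in ["(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
              "(&(objectClass=group)(member=*))",
              "(&(objectClass=user)(servicePrincipalName=*))"]:
        print(f, "->", preview(f))
```

Note that the bitwise-AND rule and the userAccountControl and servicePrincipalName attributes are Active Directory conventions; against a generic or IBM directory those filters simply match nothing, and a preview like this one is a quick way to confirm a filter selects what you expect before the first scheduled run.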
