LDAP
Configuring the LDAP integration for Veza Lifecycle Management
Overview
The Veza LDAP integration supports Lifecycle Management as both a Source of Identity and a Target System. Organizations using Red Hat Identity Manager, FreeIPA, OpenLDAP, or other LDAPv3-compliant directories can use their LDAP directory to trigger lifecycle policy actions, and as a target for automated user and group management.
Supported Lifecycle Management capabilities (all supported by the LDAP integration):
SOURCE_OF_IDENTITY: LDAP can act as the authoritative identity source that triggers LCM policy actions.
SYNC_IDENTITIES: Synchronizes identity attributes between systems, with options to create new identities and update existing ones.
MANAGE_RELATIONSHIPS: Controls group memberships for LDAP users.
DEPROVISION_IDENTITY: Disables the LDAP account by setting a configurable activation attribute.
DELETE_IDENTITY: Permanently removes the user entry from the LDAP directory.
CREATE_ENTITLEMENT: Creates new LDAP groups.
Prerequisites
You need an existing LDAP integration in Veza, or add a new one for use with Lifecycle Management.
The LDAP integration must have completed at least one successful extraction.
An Insight Point with network access to your LDAP server is required if the server is not publicly accessible.
The service account (bind DN) configured in the integration must have write permissions on the directory entries that Veza will manage.
For MANAGE_RELATIONSHIPS and CREATE_ENTITLEMENT, the group_member_attribute and groups_object_class fields must be explicitly set in the integration configuration. These are required at runtime and are not inferred automatically.
Required service account permissions
The bind DN requires these LDAP operations beyond the read access used for discovery (operation, followed by the action that needs it):
add on user entries in target OUs: SYNC_IDENTITIES (create user)
modify (replace) on user attributes: SYNC_IDENTITIES (update), DEPROVISION_IDENTITY
delete on user entries: DELETE_IDENTITY
modify (add/delete) on the group member or uniqueMember attribute: MANAGE_RELATIONSHIPS
add and delete on group entries: CREATE_ENTITLEMENT
The exact ACL syntax varies by LDAP implementation. For Red Hat Identity Manager and FreeIPA, add ACIs granting write, add, and delete rights to the service account on the relevant object classes and attributes in the target OUs. For OpenLDAP, grant write access with access to directives in slapd.conf, or with the equivalent olcAccess attributes in cn=config.
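As an added illustration (not from Veza's documentation or product), the grants in the table above written in both syntaxes the page mentions. All DNs are placeholders: the service account is assumed to be cn=veza-lcm,ou=services,dc=example,dc=com (OpenLDAP) or uid=veza-lcm,cn=sysaccounts,cn=etc,dc=example,dc=com (FreeIPA), users live under ou=people / cn=users,cn=accounts, groups under ou=groups / cn=groups,cn=accounts, the activation attribute is nsAccountLock, and group_member_attribute is member. Each rule is scoped to a single purpose so the bind DN gets no more than the action it serves requires.

```ldif
# OpenLDAP, cn=config. Assumed database entry olcDatabase={1}mdb,cn=config.
# The new rules are inserted first; "by * break" hands evaluation on to the
# existing rules for every other bind identity.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# SYNC_IDENTITIES (update) and DEPROVISION_IDENTITY: replace on listed user attributes only
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com" attrs=nsAccountLock,mail,cn,sn
  by dn.exact="cn=veza-lcm,ou=services,dc=example,dc=com" write
  by * break
# SYNC_IDENTITIES (create) and DELETE_IDENTITY: add/delete of user entries
# (OpenLDAP checks the entry and children pseudo-attributes for add and delete)
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,children
  by dn.exact="cn=veza-lcm,ou=services,dc=example,dc=com" write
  by * break
# MANAGE_RELATIONSHIPS: add/delete values of the configured member attribute
olcAccess: {2}to dn.subtree="ou=groups,dc=example,dc=com" attrs=member
  by dn.exact="cn=veza-lcm,ou=services,dc=example,dc=com" write
  by * break
# CREATE_ENTITLEMENT: add/delete of group entries
olcAccess: {3}to dn.subtree="ou=groups,dc=example,dc=com" attrs=entry,children
  by dn.exact="cn=veza-lcm,ou=services,dc=example,dc=com" write
  by * break

# Red Hat Identity Manager / FreeIPA (389 Directory Server ACI syntax).
# ACIs are attributes on the container that the rule applies to.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "nsAccountLock || mail || cn || sn")(version 3.0; acl "Veza LCM: update and lock users"; allow (write) userdn = "ldap:///uid=veza-lcm,cn=sysaccounts,cn=etc,dc=example,dc=com";)
aci: (targetattr = "*")(targetfilter = "(objectClass=person)")(version 3.0; acl "Veza LCM: create and delete users"; allow (add, delete) userdn = "ldap:///uid=veza-lcm,cn=sysaccounts,cn=etc,dc=example,dc=com";)

dn: cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "member")(version 3.0; acl "Veza LCM: manage group membership"; allow (write) userdn = "ldap:///uid=veza-lcm,cn=sysaccounts,cn=etc,dc=example,dc=com";)
aci: (targetattr = "*")(targetfilter = "(objectClass=groupOfNames)")(version 3.0; acl "Veza LCM: create and delete groups"; allow (add, delete) userdn = "ldap:///uid=veza-lcm,cn=sysaccounts,cn=etc,dc=example,dc=com";)
```

Apply each section with ldapmodify as a directory administrator, then verify from the service account itself (a bind as veza-lcm followed by a modify of a test user's nsAccountLock) before enabling the Lifecycle Management actions. On FreeIPA the same grants are usually expressed through ipa permission-add, ipa privilege-add and ipa role-add rather than raw ACIs; the attribute lists above are what those permissions would need to cover. The attribute list in the first rule should match the attributes Veza actually syncs in your environment, and only those.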
Enabling Lifecycle Management for LDAP
In Veza, go to the Integrations page.
Search for or select your LDAP integration.
Check the box to Enable usage for Lifecycle Management.
Configure the extraction schedule to ensure your LDAP data remains current:
Go to Veza Administration > System Settings.
In Pipeline > Extraction Interval, set your preferred interval.
Optionally, set a custom override for the LDAP integration in the Active Overrides section.
Configuring deprovisioning
DEPROVISION_IDENTITY works by setting a specific attribute on the user entry. Because different LDAP implementations use different attributes to represent account status, you must configure which attribute Veza should set and what values represent active and inactive states.
Two configuration approaches are supported. Each setting is listed with its meaning and an example value.
Using an "inactive" attribute (the attribute is present when the account is disabled):
inactive_user_attribute: attribute to set when disabling or re-enabling (example: nsAccountLock)
inactive_user_value_when_inactive: value that marks the account as disabled (example: true)
inactive_user_value_when_active: value that marks the account as enabled (example: false)
Using an "active" attribute (the attribute reflects the enabled state):
active_user_attribute: attribute to set when disabling or re-enabling (example: loginDisabled)
active_user_value_when_inactive: value that marks the account as disabled (example: TRUE)
active_user_value_when_active: value that marks the account as enabled (example: FALSE)
At least one of these approaches must be configured for DEPROVISION_IDENTITY to work. If neither is configured, the action will fail.
Common attribute mappings by directory (approach, attribute, value when inactive, value when active):
Red Hat Identity Manager / FreeIPA: inactive_user_attribute = nsAccountLock, inactive value true, active value false
Generic LDAPv3: active_user_attribute, with the attribute and both values implementation-specific
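To make the two approaches and the failure case concrete, here is an added example (not Veza's code) that models the settings above, renders the LDAP modify that DEPROVISION_IDENTITY implies for a user, and interprets a directory entry afterwards to confirm the account state. The setting names are the ones on this page; the DNs and sample entries are constructed placeholders.

```python
"""Added example, not Veza's own code: model the deprovisioning settings,
render the modify they imply, and check an entry's resulting state."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DeprovisionConfig:
    # The six settings from "Configuring deprovisioning"; None means not configured.
    inactive_user_attribute: Optional[str] = None
    inactive_user_value_when_inactive: Optional[str] = None
    inactive_user_value_when_active: Optional[str] = None
    active_user_attribute: Optional[str] = None
    active_user_value_when_inactive: Optional[str] = None
    active_user_value_when_active: Optional[str] = None

    def resolve(self) -> Tuple[str, str, str]:
        """Return (attribute, value when disabled, value when enabled).

        Raises ValueError for the case the page warns about: neither the
        "inactive" nor the "active" approach is configured, or one is
        configured without both of its values.
        """
        if self.inactive_user_attribute:
            triple = (self.inactive_user_attribute,
                      self.inactive_user_value_when_inactive,
                      self.inactive_user_value_when_active)
        elif self.active_user_attribute:
            triple = (self.active_user_attribute,
                      self.active_user_value_when_inactive,
                      self.active_user_value_when_active)
        else:
            raise ValueError("DEPROVISION_IDENTITY requires inactive_user_attribute "
                             "or active_user_attribute; neither is set")
        if any(v is None for v in triple):
            raise ValueError(f"{triple[0]}: both the inactive and active values must be set")
        return triple  # type: ignore[return-value]


# The Red Hat Identity Manager / FreeIPA row of the mapping table above.
FREEIPA = DeprovisionConfig(inactive_user_attribute="nsAccountLock",
                            inactive_user_value_when_inactive="true",
                            inactive_user_value_when_active="false")


def config_error(cfg: DeprovisionConfig) -> Optional[str]:
    """Pre-flight check: the error message a misconfiguration would produce, or None."""
    try:
        cfg.resolve()
    except ValueError as exc:
        return str(exc)
    return None


def deprovision_ldif(cfg: DeprovisionConfig, user_dn: str, enable: bool = False) -> str:
    """LDIF change record that disables user_dn (or re-enables it with enable=True).

    The action is a single replace of the configured attribute, which is why
    the bind DN only needs modify rights on that attribute for this action.
    """
    attr, disabled, enabled = cfg.resolve()
    value = enabled if enable else disabled
    return f"dn: {user_dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {value}\n-\n"


def is_disabled(cfg: DeprovisionConfig, entry: dict) -> bool:
    """Interpret a directory entry (attribute name -> list of values) under cfg.

    Values are compared case-insensitively because directories return LDAP
    booleans as TRUE/FALSE while the configured values may be lower-case.
    An absent attribute is treated as enabled, matching the "inactive"
    approach where the attribute is present only on disabled accounts.
    """
    attr, disabled, _ = cfg.resolve()
    values = [v.casefold() for v in entry.get(attr, [])]
    return disabled.casefold() in values


if __name__ == "__main__":
    # Constructed sample: one FreeIPA-style user DN.
    user = "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
    print(deprovision_ldif(FREEIPA, user))
    print("misconfigured:", config_error(DeprovisionConfig()))
```

The is_disabled check is the part worth keeping around: after a DEPROVISION_IDENTITY run, reading the entry back and evaluating it under the same configuration confirms that the attribute the directory enforces is the one Veza was told to set. The generic LDAPv3 row in the table deliberately has no defaults here; that configuration has to come from your directory's schema.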
Supported actions
SYNC_IDENTITIES
Creates or updates LDAP user entries as part of a provisioning workflow. The DN (id) is used as the unique identifier for all sync operations. The email attribute maps to the mail LDAP attribute. Custom properties configured on the integration are available as sync attributes and map bidirectionally between snake_case attribute names and native LDAP attribute names.
Required attributes for user creation: DN (id) is the only universally required attribute. Depending on your directory's configuration, your organization's LDAP implementation may require additional attributes, such as cn, sn, uid, or schema-specific object class attributes. Veza cannot validate these requirements in advance. Please consult your LDAP administrator and directory documentation to identify which attributes are required in your environment.
Matching on attributes other than DN: To match LDAP identities by an attribute other than DN (such as an employee ID), use a FROM_ENTITY_ATTRIBUTE lookup in your workflow configuration. This is a supported workaround while native configurable unique identifier support is under development.
MANAGE_RELATIONSHIPS
Adds or removes users from LDAP groups. Both groupOfUniqueNames (with uniqueMember) and groupOfNames (with member) schemas are supported. The group_member_attribute setting in the integration configuration determines which attribute is used; it must be explicitly set for this action to work.
DEPROVISION_IDENTITY
Disables the LDAP user account using the activation attribute configuration described in Configuring deprovisioning. The user entry is preserved in the directory.
Inactive user workflows with Kerberos last-login date: In Kerberos-enabled directories such as Red Hat Identity Manager and FreeIPA, the krblastsuccessfulauth attribute records the last successful authentication date. To identify and disable accounts inactive for more than 30 days, add krblastsuccessfulauth as a Custom Date Property in the LDAP integration configuration. You can then build an LCM policy using LDAP as the Source of Identity, filter on krblastsuccessfulauth older than 30 days, and trigger DEPROVISION_IDENTITY on the matched LDAP account.
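The policy described above depends on reading krblastsuccessfulauth correctly; its value is an LDAP GeneralizedTime, not an ISO date. The following added example (not Veza's or FreeIPA's code) dry-runs the 30-day rule over constructed directory entries: it parses the timestamp, including the fractional-second and UTC-offset forms the syntax allows, and separates accounts that have never authenticated from accounts that are merely stale, since the page's filter only targets the latter. The DNs and timestamps are made up.

```python
"""Added example, not Veza's or FreeIPA's code: dry-run the krblastsuccessfulauth
inactivity rule over constructed entries."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# LDAP GeneralizedTime: YYYYMMDDHHMMSS, optional fraction, then Z or +-HHMM.
_GENERALIZED_TIME = re.compile(r"^(\d{14})(?:[.,](\d{1,6}))?(Z|[+-]\d{4})$")


def parse_generalized_time(value: str) -> datetime:
    """Parse e.g. 20240115083000Z into a timezone-aware datetime normalised to UTC."""
    m = _GENERALIZED_TIME.match(value.strip())
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    base, frac, tz = m.groups()
    dt = datetime.strptime(base, "%Y%m%d%H%M%S")
    if frac:
        dt = dt.replace(microsecond=int(frac.ljust(6, "0")))
    if tz == "Z":
        offset = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    return dt.replace(tzinfo=offset).astimezone(timezone.utc)


def select_inactive(entries: List[Dict], now: datetime,
                    max_idle_days: int = 30) -> Tuple[List[str], List[str]]:
    """Split entries into (stale DNs, never-authenticated DNs).

    An entry is stale when its most recent krblastsuccessfulauth value is older
    than max_idle_days. Entries without the attribute are reported separately
    rather than disabled: a missing value is not evidence of inactivity.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale, never = [], []
    for entry in entries:
        values = entry.get("krblastsuccessfulauth") or []
        if not values:
            never.append(entry["dn"])
            continue
        last_auth = max(parse_generalized_time(v) for v in values)
        if last_auth < cutoff:
            stale.append(entry["dn"])
    return stale, never


# Constructed sample data, evaluated at a fixed "now" so the result is reproducible.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"dn": "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com",
     "krblastsuccessfulauth": ["20240115083000Z"]},          # 46 days idle
    {"dn": "uid=asmith,cn=users,cn=accounts,dc=example,dc=com",
     "krblastsuccessfulauth": ["20240220120000Z"]},          # 10 days idle
    {"dn": "uid=svc-new,cn=users,cn=accounts,dc=example,dc=com"},  # never authenticated
    {"dn": "uid=bchen,cn=users,cn=accounts,dc=example,dc=com",
     "krblastsuccessfulauth": ["20240130235959+0100"]},      # just over 30 days in UTC
]


def dry_run() -> Tuple[List[str], List[str]]:
    """Evaluate the sample at NOW; returns the two DN lists instead of acting on them."""
    return select_inactive(SAMPLE_ENTRIES, NOW)


if __name__ == "__main__":
    stale, never = dry_run()
    print("would DEPROVISION_IDENTITY:", *stale, sep="\n  ")
    print("never authenticated (review separately):", *never, sep="\n  ")
```

Running this kind of dry run against an export of your users before enabling the policy shows exactly which accounts the filter will match, and the never-authenticated bucket (new hires, service accounts) is the list to check against the policy's intent before it goes live.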
DELETE_IDENTITY
Permanently removes the LDAP user entry from the directory. This operation cannot be undone. Use DEPROVISION_IDENTITY to preserve the entry for audit purposes while blocking access.
CREATE_ENTITLEMENT
Creates a new group entry in the LDAP directory. The group object class and membership attribute are determined by the configuration of the LDAP integration.