When specifying LDAP mapping relationships using transform maps, there is a major
difference in how reference fields such as manager and department are set.
With a transform map, a transform script is needed to create these references, because
the value an LDAP attribute such as "manager" carries is the distinguished name (DN) of
the manager's LDAP entry, not a reference to a user record. Without extra logic, the
import creates a user record whose manager field holds that DN string instead of a
reference to the manager's user record. The integration includes a transform script
to create these references, and the default transform map "LDAP User Import" includes
transform scripts for them.
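The lookup such a transform script has to perform, shown as an added example in Node.js rather than ServiceNow's own "LDAP User Import" script: the manager attribute arrives as a DN and must be resolved to the sys_id of the manager's already imported user record. The example assumes the earlier import stored each user's DN in the source field prefixed with "ldap:" (an assumption for this example), replaces the GlideRecord query on sys_user that a real field map script would issue with an in-memory array, and shows the naive result beside the resolved one. DNs are compared after normalizing case and the whitespace around RDNs, and an escaped comma inside a value is kept intact. The lookup can only succeed if the manager's own record was imported first; a DN that matches nothing leaves the field empty instead of writing the DN string into it. All users and rows are constructed.

```javascript
// Added example, not the integration's own transform script: resolving an LDAP
// manager DN to a sys_user reference. In a transform map field script the
// index lookup below would be a GlideRecord query on sys_user (assumed field
// names: source holding "ldap:<dn>", u_manager holding the manager DN).

// Split a DN into RDNs on unescaped commas (RFC 4514 allows "\," inside values).
function splitDn(dn) {
  const parts = [];
  let cur = '';
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) { cur += ch + dn[++i]; continue; }
    if (ch === ',') { parts.push(cur); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur);
  return parts;
}

// Canonical form for comparison: trim each RDN, lowercase attribute types and
// values (Active Directory matches CN/OU/DC case-insensitively).
function normalizeDn(dn) {
  return splitDn(dn)
    .map(rdn => rdn.trim())
    .filter(rdn => rdn.length > 0)
    .map(rdn => {
      const eq = rdn.indexOf('=');
      if (eq < 0) return rdn.toLowerCase();
      return rdn.slice(0, eq).trim().toLowerCase() + '=' + rdn.slice(eq + 1).trim().toLowerCase();
    })
    .join(',');
}

// Constructed stand-in for sys_user rows created by an earlier LDAP import.
// The source field holds the user's DN prefixed with "ldap:" (assumption).
const SYS_USER = [
  { sys_id: '46d44a5dc0a8010a00f9a2cc8e6c4d9f', user_name: 'jdoe',
    source: 'ldap:CN=Jane Doe,OU=Users,DC=example,DC=com' },
  { sys_id: '5137153cc611227c000bbd1bd8cd2005', user_name: 'asmith',
    source: 'ldap:CN=Smith\\, Alan,OU=Users,DC=example,DC=com' },
];

// Build the normalized DN -> sys_id index once for the batch.
function buildDnIndex(users) {
  const idx = new Map();
  for (const u of users) {
    if (u.source && u.source.startsWith('ldap:')) {
      idx.set(normalizeDn(u.source.slice(5)), u.sys_id);
    }
  }
  return idx;
}

// Resolve a manager DN to a sys_id. Returns '' when the manager has not been
// imported yet, so the reference field stays empty rather than holding a DN.
function resolveManager(managerDn, dnIndex) {
  if (!managerDn) return '';
  return dnIndex.get(normalizeDn(managerDn)) || '';
}

// What a field map without a script would store (naive_manager) next to the
// scripted reference (manager).
function transformRow(source, dnIndex) {
  return {
    user_name: source.sAMAccountName,
    naive_manager: source.manager || '',              // DN string in a reference field
    manager: resolveManager(source.manager, dnIndex), // sys_id reference, or ''
  };
}

// Constructed LDAP rows as the import source would present them.
const LDAP_ROWS = [
  { sAMAccountName: 'bwong', manager: 'cn=jane doe, ou=users, dc=example, dc=com' },
  { sAMAccountName: 'clee',  manager: 'CN=Smith\\, Alan,OU=Users,DC=example,DC=com' },
  { sAMAccountName: 'dpat',  manager: 'CN=Not Imported,OU=Users,DC=example,DC=com' },
];

function runImport(rows, users) {
  const idx = buildDnIndex(users);
  return rows.map(r => transformRow(r, idx));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runImport(LDAP_ROWS, SYS_USER), null, 2));
}
```

Running the file prints the three transformed rows; the first two get a sys_id in manager, the third gets an empty manager while naive_manager still shows the DN that would otherwise have been written into the reference field.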
Existing mapping relationships
When updating legacy import maps to transform maps, you can retain the LDAP mapping
relationships that existed before the System LDAP application was added. The LDAP
server record has a Map field that is a reference to the legacy import map.
Note: By default this field is hidden, so you have to configure the form to display it.
If you want to transition to using a transform map, clear the reference to the
legacy import map.
LDAP import map settings
Verify the attributes and use them to limit the fields the integration imports from the LDAP source.
It is also important to map the user_name field to the LDAP attribute that contains
the user's login ID; for Active Directory this is usually the sAMAccountName attribute. To
import and coalesce on a binary attribute (such as objectSID or objectGUID), you must
create a custom transform script, because the raw bytes have to be decoded into a stable
string before they can be compared.
Note: Any value mapped to the user_name field must be unique.
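The decoding such a custom transform script needs for a binary coalesce key, as an added example in Node.js rather than code from the integration: objectGUID is 16 bytes in Active Directory's mixed-endian layout (the first three GUID fields little-endian, the rest in order), and objectSID is a revision byte, a sub-authority count, a 48-bit big-endian identifier authority and little-endian 32-bit sub-authorities. The example assumes the LDAP data source delivers binary attributes base64-encoded (raw bytes are accepted too), that a custom coalesce field named u_object_guid exists on sys_user (hypothetical), and applies the user_name uniqueness requirement to the batch before it is handed to the import. All rows are constructed.

```javascript
// Added example, not the integration's own transform script: decoding the
// binary objectGUID / objectSID attributes into canonical strings that a
// custom transform script can coalesce on, plus a user_name uniqueness check.

// Binary attributes usually arrive base64-encoded from an LDAP data source;
// Buffers and byte arrays are accepted as well (assumption for this example).
function toBuffer(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'string') return Buffer.from(value, 'base64');
  return Buffer.from(value);
}

// objectGUID: Active Directory stores the first three GUID fields
// little-endian and the last two as-is. Reorder into the usual
// "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" form.
function guidToString(value) {
  const b = toBuffer(value);
  if (b.length !== 16) throw new Error(`objectGUID must be 16 bytes, got ${b.length}`);
  const hex = (bytes) => Buffer.from(bytes).toString('hex');
  return [
    hex([b[3], b[2], b[1], b[0]]),
    hex([b[5], b[4]]),
    hex([b[7], b[6]]),
    hex(b.subarray(8, 10)),
    hex(b.subarray(10, 16)),
  ].join('-');
}

// objectSID: revision, sub-authority count, 48-bit big-endian identifier
// authority, then count little-endian 32-bit sub-authorities.
function sidToString(value) {
  const b = toBuffer(value);
  if (b.length < 8) throw new Error('objectSID too short');
  const revision = b[0];
  const count = b[1];
  if (b.length !== 8 + 4 * count) throw new Error('objectSID length does not match sub-authority count');
  let authority = 0;
  for (let i = 2; i < 8; i++) authority = authority * 256 + b[i];
  const subs = [];
  for (let i = 0; i < count; i++) subs.push(b.readUInt32LE(8 + 4 * i));
  return `S-${revision}-${authority}-${subs.join('-')}`;
}

// Constructed LDAP rows. The third row reuses a login ID on purpose.
const LDAP_ROWS = [
  { sAMAccountName: 'jdoe',
    objectGUID: 'AQIDBAUGBwgJCgsMDQ4PEA==',                  // bytes 0x01..0x10 as base64
    objectSID: Buffer.from('010500000000000515000000d2029649b168de3af776e542e9030000', 'hex') },
  { sAMAccountName: 'asmith',
    objectGUID: Buffer.from('f0e1d2c3b4a5968778695a4b3c2d1e0f', 'hex'),
    objectSID: Buffer.from('010500000000000515000000d2029649b168de3af776e542ea030000', 'hex') },
  { sAMAccountName: 'jdoe',                                   // duplicate login ID
    objectGUID: Buffer.from('00000000000000000000000000000001', 'hex'),
    objectSID: Buffer.from('010500000000000515000000d2029649b168de3af776e542eb030000', 'hex') },
];

// Produce target rows keyed on the decoded GUID (u_object_guid is a
// hypothetical custom coalesce field on sys_user) and set aside any row whose
// user_name repeats one already seen in the batch, since user_name must be unique.
function prepareImport(rows) {
  const seen = new Set();
  const accepted = [];
  const duplicates = [];
  for (const r of rows) {
    const target = {
      u_object_guid: guidToString(r.objectGUID),
      u_object_sid: sidToString(r.objectSID),
      user_name: r.sAMAccountName,
    };
    if (seen.has(target.user_name)) { duplicates.push(target); continue; }
    seen.add(target.user_name);
    accepted.push(target);
  }
  return { accepted, duplicates };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(prepareImport(LDAP_ROWS), null, 2));
}
```

Coalescing on the decoded GUID string rather than on user_name means a renamed account still updates the same user record; the duplicates list is what an onBefore script would log and skip instead of letting a second record collide on user_name.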
If you do not specify a transform map (such as LDAP User Import), the integration uses the
following default mappings:
Table 1. LDAP import default mapping
|User field or variable