Interface eIAM-LDS

eIAM-LDS enables the reading of user data via the Lightweight Directory Access Protocol (LDAP). The LDAP interface is only available to applications that are operated in the networks of the Federal Administration. For this purpose, eIAM makes the information on the users of an application available in a dedicated directory.

System context eIAM-LDS

  • eIAM-AM: The eIAM-AM holds the accounts of the users. A subject can have several eIAM accounts in different clients within eIAM. The references from a user's identity to the IdP identities are stored in the super client; the user's attributes and authorisations for the applications are administered in the access client.
  • eIAM-LDS: The eIAM-LDS is an AD LDS (Active Directory Lightweight Directory Services) instance, i.e. a directory service. In the eIAM-LDS, a separate directory is maintained for each application group. This directory contains the applications and group memberships, as well as the users of these applications.
  • Provisioning: A provisioning engine is responsible for provisioning the data from the eIAM-AM to the eIAM-LDS. Synchronisation can be triggered by events or on a schedule. The engine reads the data from the eIAM-AM (read-only) via its web service interface and reads from and writes to the eIAM-LDS via the LDAP interface.
  • Applications: The client applications have read-only access to their designated user directory via the LDAP protocol. Access to the LDAP interface takes place over an encrypted connection (LDAPS, LDAP over TLS, historically called LDAP over SSL); there is no plaintext LDAP endpoint.

Infrastructure

For the eIAM-LDS, four separate environments are operated. Port 636 is the LDAPS port on every environment:

Environment   Server                  Port
DEV           lds.eiam-d.admin.ch     636
REF           lds.eiam-r.admin.ch     636
ABN           lds.eiam-a.admin.ch     636
PROD          lds.eiam.admin.ch       636

Accessibility of AD LDS data

The AD LDS service is accessible from the networks of the Federal Administration. Access to the data from the Internet is not planned for the time being.
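The following is an added example, not code from this page or from the eIAM project, showing how a client application would do the read-only LDAPS lookup described in the system context above, against the environment hosts listed in the infrastructure table. It uses the third-party ldap3 library for the connection, validates the server certificate (so a client cannot be downgraded or redirected on the way to port 636), and escapes the login name per RFC 4515 before placing it in the search filter, because an unescaped user-supplied value can change the filter's meaning. The base DN, bind DN, attribute names (userPrincipalName, memberOf), objectClass and CA bundle path are assumptions; the page does not document the eIAM-LDS schema or credentials. The sample memberOf values in the demo are constructed.

```python
"""Added example (not part of the eIAM-LDS page or the eIAM project): a read-only
LDAPS lookup of a user's group memberships in an eIAM-LDS application directory.

Facts from the page: the four environment hosts, port 636, LDAPS only, read-only
access for applications. ASSUMPTIONS (not on the page): base DN and bind DN of an
application directory, the attribute names userPrincipalName / memberOf, the
objectClass 'user', and the CA bundle used to validate the server certificate.
"""
import ssl
from typing import Iterable, List

# Environment hosts and port as listed in the page's infrastructure table.
EIAM_LDS_HOSTS = {
    "DEV": "lds.eiam-d.admin.ch",
    "REF": "lds.eiam-r.admin.ch",
    "ABN": "lds.eiam-a.admin.ch",
    "PROD": "lds.eiam.admin.ch",
}
LDAPS_PORT = 636


def ldaps_url(env: str) -> str:
    """LDAPS URL for an environment, e.g. for 'ldapsearch -H'."""
    return "ldaps://%s:%d" % (EIAM_LDS_HOSTS[env], LDAPS_PORT)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Without escaping, a user-controlled login name such as 'alice)(memberOf=*'
    would alter the filter's structure (LDAP filter injection).
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # backslash, *, (, ), NUL -> \5c \2a \28 \29 \00
        else:
            out.append(ch)
    return "".join(out)


def user_filter(login_name: str) -> str:
    # ASSUMPTION: objectClass 'user' and attribute 'userPrincipalName' (AD LDS
    # defaults); the page does not document the eIAM-LDS schema.
    return "(&(objectClass=user)(userPrincipalName=%s))" % escape_filter_value(login_name)


def is_member(member_of: Iterable[str], group_dn: str) -> bool:
    """True if group_dn appears among the user's memberOf values.

    DN matching is case-insensitive; this normalisation (lower-case, whitespace
    trimmed around commas) covers the usual AD LDS formatting. It does not handle
    escaped commas inside RDN values.
    """
    def norm(dn: str) -> str:
        return ",".join(part.strip().lower() for part in dn.split(","))

    target = norm(group_dn)
    return any(norm(dn) == target for dn in member_of)


def lookup_member_of(env: str, base_dn: str, bind_dn: str, bind_password: str,
                     login_name: str, ca_bundle: str) -> List[str]:
    """Bind over LDAPS with certificate validation and return the user's memberOf DNs."""
    # ldap3 is third-party (pip install ldap3); imported here so the pure helpers
    # above remain usable without it.
    import ldap3

    # CERT_REQUIRED + CA bundle: the client refuses a server it cannot authenticate.
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_bundle)
    server = ldap3.Server(EIAM_LDS_HOSTS[env], port=LDAPS_PORT, use_ssl=True,
                          tls=tls, get_info=ldap3.NONE)
    # read_only=True mirrors the access the page grants applications.
    conn = ldap3.Connection(server, user=bind_dn, password=bind_password,
                            auto_bind=True, read_only=True)
    try:
        conn.search(base_dn, user_filter(login_name),
                    search_scope=ldap3.SUBTREE, attributes=["memberOf"])
        entries = [r for r in conn.response if r.get("type") == "searchResEntry"]
        if len(entries) != 1:
            raise LookupError("expected exactly one entry for %r, got %d"
                              % (login_name, len(entries)))
        return list(entries[0]["attributes"].get("memberOf", []))
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Offline demonstration with constructed memberOf values (no server needed).
    sample_member_of = ["CN=MyApp-Admins,OU=Groups,DC=eiam-lds",
                        "CN=MyApp-Readers,OU=Groups,DC=eiam-lds"]
    print(ldaps_url("PROD"))
    print(user_filter("alice)(memberOf=*"))
    print(is_member(sample_member_of, "cn=myapp-admins,ou=groups,dc=eiam-lds"))
```

The escaping helper does the same job as ldap3's own `ldap3.utils.conv.escape_filter_chars`; it is spelled out here so the injection case is visible. Rejecting anything other than exactly one matching entry avoids silently authorising on the wrong account when a filter matches more than one object.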

For further information, please refer to the eIAM-LDS Integration Guide: