LDAP AU is needed for most of the identity sources. Why? Because the identity source provides {user, machine, IP} to the PDP.
However, we are missing the identity groups, which most customers are using for identity-based enforcement.
In other words, both AD Query and Identity Collector provide the PDP with only {user, machine, IP}: AD Query does it with WMI, while IDC does it with the Microsoft API. In both cases, the PDP will query the AD (with LDAP) for the identity groups (user groups, machine groups). After this query, the information will be {user, machine, IP, groups} and the PDP will be able to calculate the needed access roles for enforcement.
On the other hand, since Identity Logging is not related to enforcement, no LDAP query will be executed for identity groups.
I hope it makes things clear. If not, tag me again 🙂
Royi Priov.
Thanks,
Royi Priov
R&D Group manager, Infinity Identity
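The flow described in the post above, as an added illustration that is not part of the original reply and not Check Point code: an identity source hands the PDP only {user, machine, IP}, the PDP resolves user and machine groups with a directory lookup (here a constructed in-memory dictionary standing in for the LDAP memberOf query), and access roles are then matched on those groups. In the Identity Logging case the lookup is skipped, so no roles can be calculated. The directory contents, group DNs, role names and the function names are all invented for the example.

```python
"""Simulated PDP identity flow: identity source supplies {user, machine, IP},
the PDP enriches it with directory groups, then computes matching access roles.
Added example; the directory, roles and names below are constructed, not real."""

from dataclasses import dataclass, field

# Constructed in-memory directory standing in for the LDAP (memberOf) queries a PDP
# would send to Active Directory. All DNs are invented sample values.
CONSTRUCTED_DIRECTORY = {
    "users": {
        "alice": ["CN=Finance,OU=Groups,DC=example,DC=local",
                  "CN=Domain Users,CN=Users,DC=example,DC=local"],
        "bob": ["CN=Domain Users,CN=Users,DC=example,DC=local"],
    },
    "machines": {
        "WS-ALICE": ["CN=Corporate Laptops,OU=Groups,DC=example,DC=local"],
        "WS-BOB": [],
    },
}

# Constructed access roles: each lists the user groups and machine groups it requires.
CONSTRUCTED_ACCESS_ROLES = {
    "Finance_From_Corp_Laptop": {
        "user_groups": {"CN=Finance,OU=Groups,DC=example,DC=local"},
        "machine_groups": {"CN=Corporate Laptops,OU=Groups,DC=example,DC=local"},
    },
    "Any_Domain_User": {
        "user_groups": {"CN=Domain Users,CN=Users,DC=example,DC=local"},
        "machine_groups": set(),
    },
}


@dataclass
class Identity:
    """What AD Query (via WMI) or Identity Collector (via the Microsoft API) deliver."""
    user: str
    machine: str
    ip: str
    user_groups: set = field(default_factory=set)
    machine_groups: set = field(default_factory=set)
    groups_resolved: bool = False


def ldap_group_lookup(directory, name, kind):
    """Simulated LDAP search for the memberOf attribute of a user or machine object."""
    return set(directory[kind].get(name, []))


def enrich_identity(identity, directory, enforcement=True):
    """Enforcement: the PDP resolves groups with the directory lookup.
    Identity Logging only: no lookup, the identity stays {user, machine, IP}."""
    if not enforcement:
        return identity
    identity.user_groups = ldap_group_lookup(directory, identity.user, "users")
    identity.machine_groups = ldap_group_lookup(directory, identity.machine, "machines")
    identity.groups_resolved = True
    return identity


def calculate_access_roles(identity, roles):
    """Names of roles whose required user and machine groups are all present."""
    if not identity.groups_resolved:
        return []  # without groups, no identity-based role can be calculated
    matched = []
    for name, req in roles.items():
        if (req["user_groups"] <= identity.user_groups
                and req["machine_groups"] <= identity.machine_groups):
            matched.append(name)
    return sorted(matched)


def process_event(user, machine, ip, enforcement=True,
                  directory=CONSTRUCTED_DIRECTORY, roles=CONSTRUCTED_ACCESS_ROLES):
    """Run one identity event through enrichment and role calculation."""
    identity = enrich_identity(Identity(user, machine, ip), directory, enforcement)
    return identity, calculate_access_roles(identity, roles)


if __name__ == "__main__":
    for user, machine in (("alice", "WS-ALICE"), ("bob", "WS-BOB")):
        ident, matched = process_event(user, machine, "10.0.0.5")
        print(user, sorted(ident.user_groups), matched)
    ident, matched = process_event("alice", "WS-ALICE", "10.0.0.5", enforcement=False)
    print("logging only:", ident.groups_resolved, matched)
```

Running it shows why the group lookup matters: the same {user, machine, IP} event yields two matching roles under enforcement and none when the lookup is skipped, which is exactly the difference between a PDP doing enforcement and an Identity Logging deployment.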