To enable provisioning, de-provisioning and password synchronization with OpenLDAP, you can use the LDAP Connector that is included in the OpenIAM Identity Manager. The following section describes how to configure integration with OpenLDAP using this Connector.

You can use the predefined local LDAP Connector for both AD and OpenLDAP. There may be two different Managed Systems, "LDAP" for OpenLDAP and "Active Directory" for AD, but both use the same LDAP Connector.

If OpenIAM has been installed using the steps described in the Installation Guide, then an entry for LDAP has already been created. 

The tools used to configure encryption are provided by the OpenSSL package.

Step 1: Configuring the Connector

The LDAP Connector is typically delivered with the OpenIAM standard configuration. It's often easier to modify the predefined configuration than to create a new one from scratch.

To access and configure the Connector, select Provisioning → Connectors → select the "LDAP CONNECTOR". Refer to Viewing and Editing Provisioning Connectors.

You can develop a custom Connector. Refer to Developing Connectors, Adding a New Connector.

Field: Connector Name
Description: You can provide any value you like here. By default, "LDAP CONNECTOR" is used.
Example value: LDAP CONNECTOR

Field: Type
Description: This is the metadata type associated with this connector. Enter "LDAP_Connector".
Example value: LDAP_Connector

Field: Connector Interface Type
Example value: LOCAL

Field: Service URL
Description: Since this Connector is a web service, enter the URL for the service. By default it is localhost:8080/openiam-idm-esb/idmsrvc/LDAPConnectorService.
DO NOT add "http://" to the URL. The ESB will take care of this.
If you change the port that the IDM server runs on, then this URL needs to be updated as well.
Example value: localhost:9080/openiam-idm-esb/idmsrvc/LDAPConnectorService

Field: Service Namespace
Description: This is the namespace used by the service. Enter http://www.openiam.org/service/connector.
Example value: http://www.openiam.org/service/connector

Field: Service Port
Description: The port name that this service uses is LDAPConnectorServicePort.
Example value: LDAPConnectorServicePort

Step 2: Configuring the Managed System

Once the Connector has been defined in the Identity Manager, configure the connectivity to OpenLDAP. This includes the connection information, base DN, etc. The "Managed System" screen allows the administrator to enter the credentials that the IdM system will use to connect. The following screenshot shows how to connect to the LDAP Managed System.

To configure the properties of the Managed System, select Provisioning → Managed System → find the "LDAP" Managed System → click the "Edit" icon. Refer to Viewing and Editing Managed Systems.

To add a new Managed System, select Provisioning → Managed System → Create Managed System. Refer to Adding a Managed System.


Field: Linked Resource
Example value: LDAP

Field: Managed System Resource Name
Description: This can be any value that helps you identify this LDAP connection.
Example value: LDAP

Field: Status
Description: Set to "Active" to enable this connection.
Example value: ACTIVE

Field: Connector
Description: Select the "LDAP Connector" defined in Step 1.
Example value: LDAP Connector

Field: Host URL
Description: Enter the URL of the server to connect to. If you use SSL, the URL will start with ldaps://.
Example value: ldap://lnx1.openiamdemo.com

Field: Port
Description: Specify the port of the server to connect to. SSL is initiated upon connection to an alternative port (normally 636).
Example value: 389

Field: Communication Protocol
Description: The protocol should be set to "CLEAR" unless a certificate has been installed to enable secure communication with OpenLDAP. Read more about enabling SSL in Installing OpenLDAP and Enabling SSL.
Example value: CLEAR

Field: Login ID
Description: Enter the ID that the Connector will use to connect to OpenLDAP to create and delete users.
Example value: cn=Manager,dc=openiamdemo,dc=com

Field: Password
Description: Enter the password for the login ID entered above. OpenIAM stores this information in encrypted form in its database.

Field: Object Primary Key
Description: Fill in this field with a user's unique name. For OpenLDAP, this is usually uid.
Example value: cn

Field: Base DN
Description: Add the Base DN within which the Connector will search for and create users.
If users are to be created in different OUs, this can be defined in the ou.groovy script in the iamscripts/provisioning folder. If active synchronization is being used, this logic can also be added to the transformation scripts.
Example value: ou=people,ou=dev,dc=openiamdemo,dc=com

Field: Search Base DN
Description: Specify the part of the tree in which to search for users.
Example value: ou=dev,dc=openiamdemo,dc=com

Field: Search Filter
Description: Enter the search filter string that the Connector will use to search for objects within the Base DN. For OpenLDAP, enter: (&(objectclass=inetOrgPerson)(uid=?)).
The object class used in this search should match the object class of the users you are searching for. If your organization uses a custom object class, this should be reflected in the search filter.
Example value: (&(objectclass=inetOrgPerson)(cn=?))

Field: Attribute Names Lookup
Description: Enter the path to the Groovy script. The Groovy script must already exist, and it must contain all possible attribute names used in the Policy Map.
This script returns all possible attribute names for LDAP:

output = [
        'uid',
        'cn',
        'mail',
        'o',
        'ou',
        'postalCode',
        'sn',
        'l',
        'st',
        'street',
        'userPassword',
        'postalAddress',
        'telephoneNumber',
        'facsimileTelephoneNumber',
        'mobileTelephoneNumber',
        'departmentNumber',
        'displayName',
        'employeeType',
        'objectclass',
        'title',
        'givenName',
        'uniqueMember',
        'manager',
]

If you need to add attributes or remove redundant ones, edit this script.
If you leave the "Attribute Names Lookup" field empty, your Policy Map will have plain text boxes instead of drop-down menus for the attribute names.
Example value: attribute-lookup/LDAPAttibuteNamesLookup.groovy

Field: Search Scope
Example value: Subtree

Field: Target System Type
Description: Select "LDAP".
Example value: LDAP
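The Search Filter above carries a "?" placeholder that the Connector fills with the value it is looking up. The following Python is an added example, not OpenIAM or Connector code; it assumes the placeholder is filled by plain string substitution and shows why the substituted value has to be escaped as RFC 4515 requires: an ordinary value containing parentheses otherwise changes the structure of the filter, and a "*" would turn an exact match into a wildcard. The function names (escape_filter_value, build_search_filter, preserves_template) are this example's own.

```python
"""Safe substitution of the '?' placeholder in an LDAP search filter.

Added example, not OpenIAM code. It assumes the Connector replaces the single
'?' in the Managed System's Search Filter with the principal value it is
looking up; escaping follows RFC 4515 so the value cannot alter the filter.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One simple equality assertion such as "(cn=?)". Escaped parentheses appear as
# "\28" / "\29" and therefore do not terminate the value.
_ASSERTION = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_fill(template: str, value: str) -> str:
    """Plain string replacement without escaping: the thing to avoid."""
    return template.replace("?", value)


def build_search_filter(template: str, value: str) -> str:
    """Fill the single '?' placeholder with the escaped value."""
    if template.count("?") != 1:
        raise ValueError("search filter template must contain exactly one '?' placeholder")
    return template.replace("?", escape_filter_value(value))


def assertions(ldap_filter: str) -> list:
    """Return the (attribute, value) pairs of the simple equality assertions in a filter."""
    return [m.groups() for m in _ASSERTION.finditer(ldap_filter)]


def preserves_template(template: str, filled: str) -> bool:
    """True when the filled filter still has exactly the template's assertions on the
    same attributes, i.e. the substituted value stayed inside its own assertion."""
    want = [attr for attr, _ in assertions(template)]
    got = [attr for attr, _ in assertions(filled)]
    return want == got


if __name__ == "__main__":
    # Search Filter example value from the Managed System table.
    template = "(&(objectclass=inetOrgPerson)(cn=?))"
    # Constructed principal: an ordinary value that happens to contain parentheses.
    principal = "John Doe (Contractor)"
    for label, f in (("naive", naive_fill(template, principal)),
                     ("escaped", build_search_filter(template, principal))):
        print(f"{label:8} {f}  intact={preserves_template(template, f)}")
```

With the naive substitution the "(cn=...)" assertion is no longer recognisable and the directory server will reject or misread the filter; with escaping the filter keeps both assertions and matches the literal value.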

Once you have defined connection information, you should validate it. Click on the "Test Connection" button to ensure that this is correct. See Testing the Managed Systems Connection.
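Before using "Test Connection", the settings entered in the table above can be checked for internal consistency. The following Python is an added example, not OpenIAM code: it encodes the rules stated on this page (ldaps:// and port 636 belong with a non-CLEAR protocol, the Base DN must lie under the Search Base DN, the Search Filter carries exactly one "?") and runs them against the table's example values. It assumes the non-CLEAR Communication Protocol value is spelled "SSL", which this page does not name, and the dictionary keys are this example's own.

```python
"""Pre-flight consistency check for the OpenLDAP Managed System settings.

Added example, not OpenIAM code. Keys follow the Managed System table; the
non-CLEAR protocol value "SSL" is an assumption (this page only names "CLEAR").
"""
from urllib.parse import urlsplit

LDAPS_PORT = 636  # SSL is normally initiated on this alternative port

# Example values from the Managed System table (constructed dictionary).
LDAP_MANAGED_SYSTEM = {
    "host_url": "ldap://lnx1.openiamdemo.com",
    "port": 389,
    "protocol": "CLEAR",
    "login_id": "cn=Manager,dc=openiamdemo,dc=com",
    "base_dn": "ou=people,ou=dev,dc=openiamdemo,dc=com",
    "search_base_dn": "ou=dev,dc=openiamdemo,dc=com",
    "search_filter": "(&(objectclass=inetOrgPerson)(cn=?))",
}


def _rdns(dn: str) -> list:
    """Split a DN into normalised RDNs, most specific first (escaped commas not handled)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def dn_is_under(dn: str, base: str) -> bool:
    """True when `dn` equals `base` or lies beneath it in the directory tree."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_managed_system(cfg: dict) -> dict:
    """Return {"errors": [...], "warnings": [...]}; an empty "errors" list means consistent."""
    errors, warnings = [], []
    scheme = urlsplit(cfg["host_url"]).scheme.lower()
    protocol = str(cfg["protocol"]).upper()
    port = int(cfg["port"])

    if scheme not in ("ldap", "ldaps"):
        errors.append(f"Host URL must start with ldap:// or ldaps://: {cfg['host_url']!r}")
    # URL scheme, port and Communication Protocol must agree with each other.
    if scheme == "ldaps" and protocol == "CLEAR":
        errors.append("Host URL is ldaps:// but Communication Protocol is CLEAR")
    if scheme == "ldap" and protocol != "CLEAR":
        errors.append(f"Communication Protocol {protocol} requires an ldaps:// Host URL")
    if port == LDAPS_PORT and protocol == "CLEAR":
        errors.append(f"port {LDAPS_PORT} is the SSL port but Communication Protocol is CLEAR")
    if protocol == "CLEAR":
        warnings.append(f"bind password of {cfg['login_id']!r} crosses the network unencrypted; "
                        "enable SSL once a certificate is installed")
    # Users are created under Base DN but looked up from Search Base DN.
    if not dn_is_under(cfg["base_dn"], cfg["search_base_dn"]):
        errors.append("Base DN is outside Search Base DN: created users would never be found")
    if cfg["search_filter"].count("?") != 1:
        errors.append("Search Filter must contain exactly one '?' placeholder")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for cfg in (LDAP_MANAGED_SYSTEM,
                dict(LDAP_MANAGED_SYSTEM, host_url="ldaps://lnx1.openiamdemo.com", port=636),
                dict(LDAP_MANAGED_SYSTEM, host_url="ldaps://lnx1.openiamdemo.com",
                     port=636, protocol="SSL")):
        print(cfg["host_url"], cfg["port"], cfg["protocol"], "->", check_managed_system(cfg))
```

The page's own example values pass with a single warning (the Manager bind password travels in clear text on port 389); switching the URL to ldaps:// and the port to 636 while leaving the protocol at CLEAR produces two errors, and the fully converted SSL configuration passes cleanly.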


Step 3: Configuring the Policy Map

The next task is to determine which attributes you need to pass to the LDAP Connector so that it can persist them in the directory. Since the LDAP schema is potentially different for each organization, OpenIAM uses an attribute mapping model to account for these variations.

Combined with our use of the Groovy scripting language, we can dynamically derive any attribute that is needed in OpenLDAP from the data maintained within OpenIAM. The screenshot below provides a sample mapping between rules in the Identity Manager, called attribute policies, and the LDAP attributes. More details on the attribute policies and mappings can be found on the following page: Defining Policy Maps.

To configure the Policy Map, go to Provisioning → Managed System → find the "LDAP" Managed System → click the "Edit" icon → Policy Map.

In the "Object type" field, determine whether this attribute is part of the set of User attributes or whether it is used to determine a user's identity. If it is used to determine the identity, select "Principal" as the object type. Otherwise, select "User" as the object type.

The column titled "Policy" is the name of the attribute policy that will provide the value for the specified Attribute Name.


Step 4: Associating the Resource to the Role

The final step in setting up provisioning to OpenLDAP is to link the LDAP Resource to a role. This will determine, based on Role, which users should be provisioned into OpenLDAP.

Go to Provisioning → Managed System → find the "LDAP" Managed System → click the "Edit" icon → click the Resource name → Entitlements → Entitled Roles.

Alternatively, go to Access Control → Role → select a Role → Role Entitlements → Entitled to Resources → find the "LDAP" Managed System.

Alternatively, go to Access Control → Resource → Select the "LDAP" Resource → Entitlements → Entitled Roles.


See Also: 

Creating account in Active Directory for managing data