You can use the predefined local LDAP Connector both for AD and OpenLDAP. There may be two different Managed Systems: "LDAP" for OpenLDAP and "Active Directory" for AD; both use the same LDAP Connector.
If OpenIAM has been installed using the steps described in the Installation Guide, then an entry for LDAP has already been created.
The tools used to configure encryption are provided by the OpenSSL package.
The LDAP Connector is typically delivered with the OpenIAM standard configuration. It's often easier to modify the predefined configuration than to create a new one from scratch.
To access and configure the Connector, select Provisioning → Connectors → select the "LDAP CONNECTOR". Refer to Viewing and Editing Provisioning Connectors.
| Field | Description | Value |
|---|---|---|
| Connector Name | You can provide any value you like here. By default, "LDAP CONNECTOR" is used. | LDAP CONNECTOR |
| Type | This is the metadata type associated with this connector. Enter "LDAP_Connector". | LDAP_Connector |
| Connector Interface Type | | LOCAL |
| | Since this Connector is a web service, enter the URL for the service. By default, this is DO NOT add "http://" to the URL; the ESB takes care of this. If you change the port that the IDM server runs on, then this URL needs to be updated as well. | |
| Service Namespace | This is the namespace used by the service. Enter | |
| Service Port | The port name that this service uses is | |
Once the Connector has been defined in the Identity Manager, configure the connectivity to OpenLDAP. This includes connection information, the base DN, and so on. The "Managed System" screen allows the administrator to enter the credentials that the IdM system will use to connect. The following screenshot shows how to connect to the LDAP Managed System.
To configure the properties of the Managed System, select Provisioning → Managed System → Find the "LDAP" Managed System → "Edit" icon. Refer to Viewing and Editing Managed Systems.
To add a new Managed System, select Provisioning → Managed System → Create Managed System. Refer to Adding a Managed System.
| Field | Description | Value |
|---|---|---|
| Managed System Resource Name | This can be any value that will help you identify this LDAP connection. | LDAP |
| Status | Set to "Active" to enable this connection. | ACTIVE |
| Connector | Select the "LDAP Connector" defined in Step 1. | LDAP Connector |
| | Enter the URL of the server to which we need to connect. If you use SSL, then the URL will start with | |
| | Specify the port of the server to which we need to connect. SSL is initiated upon connection to an alternative port (normally 636). | |
| | Set the protocol to "CLEAR" unless a certificate has been installed to enable secure communication with OpenLDAP. Read more about enabling SSL in Installing OpenLDAP and Enabling SSL. | |
| Login ID | Enter the ID that the Connector will use to connect to OpenLDAP to create and delete users. | |
| Password | Enter the password for the login ID entered above. OpenIAM stores this information in encrypted form in its database. | |
| Object Primary Key | Fill in this field with a user's unique name. For OpenLDAP, this is usually | |
| | Add the Base DN; within it the Connector will search for and create users. If users are to be created in different OUs, then this can be defined in | |
| Search Base DN | Specify the part of the tree in which we should search for users. | |
| | Enter the search filter string that the Connector will use to search for objects within the Base DN. For OpenLDAP, enter: The object class used in this search should match the object class of the users you are searching for. If your organization uses a custom object class, this should be reflected in the search filter. | |
| Attribute Names Lookup | Enter the path to the Groovy script. The script must already exist and must contain all possible attribute names used in the Policy Map. This script returns all possible attribute names for LDAP: If you need to add attributes or remove redundant ones, edit this script. If you leave the "Attribute Names Lookup" field empty, your Policy Map will have simple text boxes instead of drop-down menus for the attribute names. | |
| Target System Type | Select "LDAP". | LDAP |
Once you have defined connection information, you should validate it. Click on the "Test Connection" button to ensure that this is correct. See Testing the Managed Systems Connection.
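Before clicking "Test Connection", it helps to confirm that the Managed System fields agree with each other. The checks below are an added example, not OpenIAM code: the field names mirror the form above, while the rules (an SSL protocol goes with an ldaps:// URL on port 636, the search filter must be well-formed and restrict objectClass, the Search Base DN must lie under the Base DN) and all sample values are assumptions.

```python
from dataclasses import dataclass

# Added example, not OpenIAM code: the rules are assumptions about what to check
# before "Test Connection"; field names mirror the Managed System form above.

@dataclass
class ManagedSystem:
    host_url: str        # e.g. ldaps://ldap.example.internal (constructed value)
    port: int
    protocol: str        # "CLEAR" or "SSL"
    login_id: str        # bind identity the Connector authenticates with
    base_dn: str         # tree in which the Connector searches and creates users
    search_base_dn: str  # subtree searched for existing users
    search_filter: str   # RFC 4515 filter, e.g. (objectClass=inetOrgPerson)

def _dn_parts(dn: str) -> list:
    return [p.strip().lower() for p in dn.split(",")]

def _balanced(filter_str: str) -> bool:
    """True if every '(' is closed and the whole filter is wrapped in parentheses."""
    depth = 0
    for ch in filter_str:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0 and filter_str.startswith("(") and filter_str.endswith(")")

def check_managed_system(ms: ManagedSystem) -> list:
    """Return human-readable findings; an empty list means the fields agree."""
    findings = []
    scheme = ms.host_url.split("://", 1)[0].lower() if "://" in ms.host_url else ""
    if ms.protocol.upper() == "CLEAR":
        # On CLEAR the bind password for login_id crosses the network unencrypted.
        findings.append(f"CLEAR protocol: password for {ms.login_id} is sent in plaintext")
        if scheme == "ldaps" or ms.port == 636:
            findings.append("CLEAR protocol but URL/port indicate LDAPS")
    elif ms.protocol.upper() == "SSL":
        if scheme and scheme != "ldaps":
            findings.append(f"SSL protocol but URL scheme is {scheme!r}, expected ldaps")
        if ms.port != 636:
            findings.append(f"SSL protocol on port {ms.port}; 636 is the usual LDAPS port")
    flt = ms.search_filter.strip()
    if not _balanced(flt):
        findings.append("search filter has unbalanced or missing parentheses")
    if "objectclass=" not in flt.lower():
        findings.append("search filter does not restrict objectClass")
    base, search = _dn_parts(ms.base_dn), _dn_parts(ms.search_base_dn)
    if search[-len(base):] != base:  # the search base must sit under the Base DN
        findings.append("Search Base DN is not under Base DN")
    return findings
```

A CLEAR protocol always produces a finding, since the Login ID's password then travels in plaintext; the remaining checks catch a port or URL that contradicts the chosen protocol, a malformed filter, and a search base outside the Base DN.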
The next task is to determine what attributes you need to pass to the LDAP Connector so that it can persist them in the directory. Since the LDAP schema is potentially different for each Organization, OpenIAM uses an attribute mapping model to be able to account for these variations.
Combined with our use of the Groovy scripting language, we can dynamically derive any attribute that is needed in OpenLDAP from the data maintained within OpenIAM. The screenshot below provides a sample mapping between rules in the Identity Manager, called attribute policies, and the LDAP attributes. More details on the attribute policies and mappings can be found on the following page: Defining Policy Maps.
To configure the Policy Map, go to Provisioning → Managed System → Find the "LDAP" Managed System → click "Edit" icon → Policy Map.
Use the "Object type" field to indicate whether the attribute is one of the User attributes or is used to determine a user's identity. If it is used to determine the identity, select "Principal" as the object type; otherwise, select "User".
The "Policy" column names the attribute policy that provides the value for the specified Attribute Name.
The final step in setting up provisioning to OpenLDAP is to link the LDAP Resource to a role. This will determine, based on Role, which users should be provisioned into OpenLDAP.
Go to Provisioning → Managed System → Find the "LDAP" Managed System → "Edit" icon → click the Resource name → Entitlements → Entitled Roles.
Alternatively, go to Access Control → Role → Select a Role → Role Entitlements → Entitled to Resources → Find the "LDAP" Managed System.
Alternatively, go to Access Control → Resource → Select the "LDAP" Resource → Entitlements → Entitled Roles.