README
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2014 ForgeRock AS. All rights reserved.
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* http://forgerock.org/license/CDDLv1.0.html
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at http://forgerock.org/license/CDDLv1.0.html
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*/
Sample 2b - Bi-directional LDAP Internal Repository
-------------------------------------------------------
The sample shows you reconciliation between the OpenIDM internal repository
and a local LDAP directory server, such as OpenDJ, with data flowing from
OpenDJ into the internal repository, and from the internal repository into
OpenDJ.
To run this sample, launch OpenIDM with the sample configuration as follows:
$ /path/to/openidm/startup.sh -p samples/sample2b
or follow the documentation in the Install Guide:
http://openidm.forgerock.org/doc/install-guide/index.html#more-sample2b
Data for this sample is stored in data/Example.ldif. After you import
the data, ou=People,dc=example,dc=com contains a single user entry. Although
all attributes to synchronize can be multi-valued in LDAP, this sample
defines only mail as a multi-valued attribute in OpenIDM.
The sample includes these configuration files.
* conf/provisioner.openicf-ldap.json configures the LDAP connector.
By default, the LDAP connector uses the following parameters:
"host" : "localhost",
"port" : 1389,
"principal" : "cn=Directory Manager",
"credentials" : "password",
"baseContextsToSynchronize" : [ "ou=People,dc=example,dc=com" ],
"attributesToSynchronize" : [ "uid", "sn", "cn", "givenName", "mail", "description", "telephoneNumber" ],
* conf/scheduler-recon.json configures a scheduler you can use to run
reconciliation periodically.
* conf/sync.json describes how identities in the directory server map to
identities in the internal repository target.
* conf/authentication.json specifies an additional "authModule" entry for "PASSTHROUGH"
authentication. This is used to allow the managed/user entries created from LDAP to
login with the credentials which remain in LDAP.
This sample includes the script script/ldapBackCorrelationQuery.js which
correlates entries in the directory with identities in OpenIDM.
The following curl command runs reconciliation once, creating users defined
in OpenDJ in OpenIDM's internal repository:
$ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"
Create or update a user on the directory server, for example using OpenDJ
Control Panel > Manage Entries, and then run reconciliation. Reconciliation
flows your changes to the OpenIDM repository.
The following curl command requests all identifiers in OpenIDM's internal
repository. Use it to see the results after reconciliation for example.
$ curl -k -u "openidm-admin:openidm-admin" "https://localhost:8443/openidm/managed/user?_queryId=query-all-ids&_prettyPrint=true"
{
"result" : [ {
"_id" : "56821f89-6d04-4a0c-b544-efa4302f4791",
"_rev" : "0"
}, {
"_id" : "eeb26c52-6ae3-4c3b-9578-bb9dc1995cd1",
"_rev" : "0"
} ],
"resultCount" : 2,
"pagedResultsCookie" : null,
"remainingPagedResults" : -1
}
Now you can login to the UI with the credentials from any of the DJ users. They
can update their profile or their password; the changes will be synced back to LDAP.