/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2014 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

Sample 2b - Bi-directional LDAP Internal Repository

The sample shows you reconciliation between the OpenIDM internal repository and a local LDAP directory server, such as OpenDJ, with data flowing from OpenDJ into the internal repository, and from the internal repository into OpenDJ.

The sample includes these configuration files.

• conf/provisioner.openicf-ldap.json configures the LDAP connector. By default, the LDAP connector uses the following parameters: "host" : "localhost", "port" : 1389, "principal" : "cn=Directory Manager", "credentials" : "password", "baseContextsToSynchronize" : [ "ou=People,dc=example,dc=com" ], "attributesToSynchronize" : [ "uid", "sn", "cn", "givenName", "mail", "description", "telephoneNumber" ],
• conf/scheduler-recon.json configures a scheduler you can use to run reconciliation periodically.
• conf/sync.json describes how identities in the directory server map to identities in the internal repository target.
• conf/authentication.json specifies an additional "authModule" entry for "PASSTHROUGH" authentication. This is used to allow the managed/user entries created from LDAP to login with the credentials which remain in LDAP.

This sample includes the script script/ldapBackCorrelationQuery.js which correlates entries in the directory with identities in OpenIDM.

Setup OpenDJ

1. Extract OpenDJ to a folder called opendj.

2. Run the following command to initialize OpenDJ.

   $ opendj/setup --cli --hostname localhost --ldapPort 1389 --rootUserDN "cn=Directory Manager" \
   --rootUserPassword password --adminConnectorPort 4444 --baseDN dc=com --acceptLicense --addBaseEntry \
   --no-prompt --quiet
   

3. Load the Example.ldif file supplied in the data folder into OpenDJ.

   $ opendj/bin/ldapmodify -a -c --bindDN "cn=Directory Manager" --bindPassword password --hostname localhost \
   --port 1389 --filename /path/to/openidm/samples/sample2b/data/Example.ldif
   

After you import the data, ou=People,dc=example,dc=com contains two user entries. Although all attributes to synchronize can be multi-valued in LDAP, this sample defines only mail as a multi-valued attribute in OpenIDM.

This sample includes the script script/ldapBackCorrelationQuery.js which correlates entries in the directory with identities in OpenIDM.

Run The Sample In OpenIDM

1. Launch OpenIDM with the sample configuration as follows.

   $ /path/to/openidm/startup.sh -p samples/sample2b
   

2. Run reconciliation once, creating users defined in OpenDJ in OpenIDM's internal repository.

   $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST \
   "https://localhost:8443/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"
   

3. Create or update a user in OpenIDM.

   $ curl --header "Content-Type: application/json" \
   --header "X-OpenIDM-Username: openidm-admin" \
   --header "X-OpenIDM-Password: openidm-admin" \
   --request POST \
   --data '{
   "userName": "user.smith",
   "givenName": "User",
   "sn" : "Smith",
   "password" : "TestPassw0rd",
   "displayName" : "User Smith",
   "mail" : "user.smith@example.com",
   "_id" : "user"
   }' \
   http://localhost:8080/openidm/managed/user?_action=create
   

4. Run reconciliation, creating users defined in OpenIDM in OpenDJ.

   $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST \
   "https://localhost:8443/openidm/recon?_action=recon&mapping=managedUser_systemLdapAccounts"
   

5. Request all identifiers in OpenDJ. Use it to see the results after reconciliation.

   $ curl -k -u "openidm-admin:openidm-admin" "https://localhost:8443/openidm/system/ldap/account?_queryId=query-all-ids&_prettyPrint=true"
   {
     "result" : [ {
       "dn" : "uid=jdoe,ou=People,dc=example,dc=com",
       "_id" : "uid=jdoe,ou=People,dc=example,dc=com"
     }, {
       "dn" : "uid=bjensen,ou=People,dc=example,dc=com",
       "_id" : "uid=bjensen,ou=People,dc=example,dc=com"
     }, {
       "dn" : "uid=user.smith,ou=People,dc=example,dc=com",
       "_id" : "uid=user.smith,ou=People,dc=example,dc=com"
     } ],
     "resultCount" : 3,
     "pagedResultsCookie" : null,
     "remainingPagedResults" : -1
   }
   

6. Request all identifiers in OpenIDM's internal repository. Use this command to see the results after reconciliation.

   $ curl -k -u "openidm-admin:openidm-admin" "https://localhost:8443/openidm/managed/user?_queryId=query-all-ids&_prettyPrint=true"
   {
     "result" : [ {
       "_id" : "455b1cd5-ae51-41c0-ade9-0dfcc6dee265",
       "_rev" : "0"
     }, {
       "_id" : "bdd64b1a-015b-4a00-a979-1d699bca2f6b",
       "_rev" : "0"
     }, {
       "_id" : "user",
       "_rev" : "0"
     } ],
     "resultCount" : 3,
     "pagedResultsCookie" : null,
     "remainingPagedResults" : -1
   }
   

Now you can login to the UI with the credentials from any of the DJ users. They can update their profile or their password; the changes will be synced back to LDAP.