README.md revision e90f327dcf46d61cf847f239ef5af5a9ca431449
/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2014 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

Sample 2 - One-way LDAP -> Internal Repository
==============================================

This sample demonstrates reconciliation between the OpenIDM internal repository
and a local LDAP directory server, such as OpenDJ, with data flowing from
OpenDJ into the internal repository. No changes are pushed from OpenIDM
to OpenDJ.

The sample includes these configuration files:

* conf/provisioner.openicf-ldap.json configures the LDAP connector.
  By default, the LDAP connector uses the following parameters:

      "host" : "localhost",
      "port" : 1389,
      "principal" : "cn=Directory Manager",
      "credentials" : "password",
      "baseContextsToSynchronize" : [ "ou=People,dc=example,dc=com" ],
      "attributesToSynchronize" : [ "uid", "sn", "cn", "givenName", "mail", "description", "telephoneNumber" ],

* conf/scheduler-recon.json configures a scheduler you can use to run
  reconciliation periodically.
* conf/sync.json describes how identities in the directory server map to
  identities in the internal repository target.
* conf/authentication.json specifies an additional "authModule" entry for "PASSTHROUGH"
  authentication. This allows the managed/user entries created from LDAP to
  log in with their credentials, which remain in LDAP.

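The connector defaults above are fine for a local demo, but they are the settings a deployment review looks at first: the bind account is the directory root account, the bind password sits in the file in clear text, and nothing in the excerpt enables TLS. The following script is an added example, not code from the OpenIDM sample or the project; it lints a provisioner.openicf-ldap.json-style document and reports those settings, and compares a constructed hardened counterpart. The `ssl` key, the `$crypto` shape of an encrypted value, the password attribute names and the service-account DN are this example's assumptions, not values from the README.

```python
import json

# Attribute names a one-way sample must not copy out of LDAP (assumed names;
# the README only says the credentials "remain in LDAP").
PASSWORD_ATTRIBUTES = {"userpassword", "unicodepwd"}

# Constructed input reproducing the defaults the README lists. The "ssl" key
# is not in the README's excerpt; it is the connector property assumed here.
SAMPLE_CONFIG = json.dumps({"configurationProperties": {
    "host": "localhost", "port": 1389, "ssl": False,
    "principal": "cn=Directory Manager", "credentials": "password",
    "baseContextsToSynchronize": ["ou=People,dc=example,dc=com"],
    "attributesToSynchronize": ["uid", "sn", "cn", "givenName", "mail",
                                "description", "telephoneNumber"]}})

# Constructed hardened counterpart: a dedicated bind account (placeholder DN),
# TLS on, and the bind password held as an encrypted-value object rather than
# a clear-text string (the "$crypto" layout is a placeholder shape).
HARDENED_CONFIG = json.dumps({"configurationProperties": {
    "host": "ldap.example.com", "port": 1636, "ssl": True,
    "principal": "cn=idm-sync,ou=Service Accounts,dc=example,dc=com",
    "credentials": {"$crypto": {"type": "x-simple-encryption",
                                "value": "<placeholder ciphertext>"}},
    "baseContextsToSynchronize": ["ou=People,dc=example,dc=com"],
    "attributesToSynchronize": ["uid", "sn", "cn", "givenName", "mail",
                                "description", "telephoneNumber"]}})


def lint_ldap_connector(document):
    """Return (severity, key, message) findings for one connector document."""
    props = json.loads(document)["configurationProperties"]
    findings = []

    # Least privilege: the sync account only needs to read the user subtree.
    if props.get("principal", "").lower().replace(" ", "") == "cn=directorymanager":
        findings.append(("high", "principal",
                         "binds as the directory root account; use a dedicated "
                         "account limited to reading the synchronized subtree"))

    # A string credential is clear text; an object is an encrypted value.
    if isinstance(props.get("credentials"), str):
        findings.append(("high", "credentials",
                         "bind password is stored in clear text in the file"))

    host = props.get("host", "")
    if not props.get("ssl", False):
        local = host in ("localhost", "127.0.0.1", "::1")
        detail = "" if local else "; bind password and user data cross the network in clear"
        findings.append(("info" if local else "high", "ssl",
                         f"LDAP to {host} is not TLS-protected{detail}"))

    # The sample's design keeps credentials in LDAP and authenticates by
    # pass-through; syncing a password attribute would defeat that.
    leaked = sorted({a.lower() for a in props.get("attributesToSynchronize", [])}
                    & PASSWORD_ATTRIBUTES)
    if leaked:
        findings.append(("high", "attributesToSynchronize",
                         f"{leaked} would copy credentials into the repository; "
                         "this sample leaves them in LDAP and uses PASSTHROUGH"))

    contexts = props.get("baseContextsToSynchronize", [])
    if not contexts:
        findings.append(("medium", "baseContextsToSynchronize",
                         "no base context: the whole directory would be read"))
    for ctx in contexts:
        if not ctx.strip().lower().startswith(("ou=", "cn=")):
            findings.append(("medium", "baseContextsToSynchronize",
                             f"{ctx!r} is a naming suffix; scope the search to the user container"))
    return findings


def high_findings(document):
    """Keys of the high-severity findings only, in report order."""
    return [key for sev, key, _ in lint_ldap_connector(document) if sev == "high"]


if __name__ == "__main__":
    for name, doc in (("sample defaults", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for sev, key, msg in lint_ldap_connector(doc):
            print(f"  [{sev}] {key}: {msg}")
```

Run against the sample defaults the linter reports the root bind account and the clear-text password as high findings and the missing TLS as informational because the host is localhost; the hardened document produces no high finding. The checks are heuristics on the JSON, not a statement about how OpenIDM itself stores or validates these properties.
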
Set Up OpenDJ
-------------

1. Extract OpenDJ to a folder called opendj.

2. Run the following command to initialize OpenDJ.

        $ opendj/setup --cli --hostname localhost --ldapPort 1389 --rootUserDN "cn=Directory Manager" \
          --rootUserPassword password --adminConnectorPort 4444 --baseDN dc=com --acceptLicense --addBaseEntry \
          --no-prompt --quiet

3. Load the Example.ldif file supplied in the data folder into OpenDJ.

        $ opendj/bin/ldapmodify -a -c --bindDN "cn=Directory Manager" --bindPassword password --hostname localhost \
          --port 1389 --filename /path/to/openidm/samples/sample2/data/Example.ldif

After you import the data, ou=People,dc=example,dc=com contains two user entries. Although all attributes to synchronize
can be multi-valued in LDAP, this sample defines only mail as a multi-valued attribute in OpenIDM, in order to match
the definition in the first sample.

Run The Sample In OpenIDM
-------------------------

1. Start the sample.

        $ ./startup.sh -p samples/sample2

2. Run reconciliation once to create the users defined in OpenDJ in OpenIDM's internal repository.

        $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST \
          "https://localhost:8443/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"

   Alternatively, edit conf/scheduler-recon.json to enable scheduled
   reconciliation:

        "enabled" : true,

3. Request all identifiers in OpenIDM's internal repository. Use this command to see the results after reconciliation.

        $ curl -k -u "openidm-admin:openidm-admin" "https://localhost:8443/openidm/managed/user?_queryId=query-all-ids&_prettyPrint=true"
        {
          "result" : [ {
            "_id" : "678eb8f7-5e3f-4bef-b001-bc0f01353dae",
            "_rev" : "0"
          }, {
            "_id" : "5e9534cb-c37e-48c0-9c1f-0782a7e2a9c0",
            "_rev" : "0"
          } ],
          "resultCount" : 2,
          "pagedResultsCookie" : null,
          "remainingPagedResults" : -1
        }

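The two entries returned above are what one pass of the systemLdapAccounts_managedUser mapping produces from the two LDAP users: each source entry with no link and no matching target is created (`_rev` "0"), and because the flow is one-way, accounts that exist only in the repository are never pushed to OpenDJ. The script below is an added example that simulates that pass in plain Python; it is not OpenIDM's reconciliation engine or the sample's sync.json. The property map (uid to userName, sn to familyName, cn to displayName, mail to a multi-valued email list, as the README's note on mail describes), correlation on userName, the two constructed user entries standing in for Example.ldif, and the choice to delete a repository user whose LDAP entry has disappeared are all this example's assumptions; the situation names follow OpenIDM's vocabulary.

```python
import uuid

# Source LDAP attribute -> managed/user property. The README does not
# reproduce sync.json; this map is an assumption about the sample's mapping.
PROPERTY_MAP = {
    "uid": "userName", "sn": "familyName", "givenName": "givenName",
    "cn": "displayName", "mail": "email", "description": "description",
    "telephoneNumber": "telephoneNumber",
}
# Per the README, only mail is multi-valued on the OpenIDM side.
MULTI_VALUED_TARGETS = {"email"}

# Constructed LDAP entries standing in for the two users in Example.ldif.
# Every attribute is carried as a list, as a directory returns it.
SOURCE = {
    "bjensen": {"uid": ["bjensen"], "sn": ["Jensen"], "givenName": ["Barbara"],
                "cn": ["Barbara Jensen"],
                "mail": ["bjensen@example.com", "barbara@example.com"],
                "telephoneNumber": ["+1 408 555 1862"]},
    "scarter": {"uid": ["scarter"], "sn": ["Carter"], "givenName": ["Steven"],
                "cn": ["Steven Carter"], "mail": ["scarter@example.com"]},
}


def transform(entry):
    """Map one LDAP entry to managed/user properties: lists collapse to the
    first value unless the target property is declared multi-valued."""
    out = {}
    for src, dst in PROPERTY_MAP.items():
        values = entry.get(src) or []
        if values:
            out[dst] = list(values) if dst in MULTI_VALUED_TARGETS else values[0]
    return out


def reconcile(source, target, links):
    """One one-way reconciliation pass.
    source: {uid: ldap entry}   read only; nothing is ever written back
    target: {_id: managed user} updated in place
    links:  {uid: _id}          updated in place
    Returns [(key, situation, action)] in the order decisions were taken."""
    log = []
    for uid, entry in source.items():
        mapped = transform(entry)
        tid = links.get(uid)
        if tid in target:
            situation, action = "CONFIRMED", "UPDATE"
        else:
            # No usable link: correlate on userName, as a correlationQuery
            # in sync.json would (assumption about the sample).
            hits = [k for k, v in target.items() if v.get("userName") == mapped["userName"]]
            if len(hits) > 1:
                log.append((uid, "AMBIGUOUS", "EXCEPTION"))
                continue
            if hits:
                tid, situation, action = hits[0], "FOUND", "UPDATE"
            else:
                tid, situation, action = str(uuid.uuid4()), "ABSENT", "CREATE"
        rev = "0" if action == "CREATE" else str(int(target[tid]["_rev"]) + 1)
        target[tid] = {"_id": tid, "_rev": rev, **mapped}
        links[uid] = tid
        log.append((uid, situation, action))

    # Linked targets whose source entry has gone: the action is a policy
    # choice in sync.json; deleting is assumed here as a typical one-way policy.
    for uid in [u for u in links if u not in source]:
        tid = links.pop(uid)
        target.pop(tid, None)
        log.append((tid, "SOURCE_MISSING", "DELETE"))
    # Targets that are neither linked nor matched by any source are left
    # alone: one-way reconciliation never creates them in LDAP.
    for tid in target:
        if tid not in links.values():
            log.append((tid, "UNASSIGNED", "IGNORE"))
    return log


def run_demo():
    """First pass creates both users; then a repository-only account is added
    and scarter disappears from LDAP before a second pass."""
    target, links = {}, {}
    first = reconcile(SOURCE, target, links)
    target["local-1"] = {"_id": "local-1", "_rev": "0", "userName": "localadmin"}
    second = reconcile({"bjensen": SOURCE["bjensen"]}, target, links)
    return first, second, target


if __name__ == "__main__":
    first, second, _ = run_demo()
    for line in first + second:
        print(line)
```

The first pass yields two ABSENT/CREATE decisions, which is the two-entry, `_rev` "0" result the query-all-ids command shows. The second pass is where the one-way guarantee is visible: the repository-only account is classified UNASSIGNED and ignored rather than created in LDAP, while bjensen's existing link makes the entry CONFIRMED and bumps its revision. Real recon also supports policies per situation (for example raising an exception instead of deleting on SOURCE_MISSING); this example fixes one policy to keep the flow readable.
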
After you have created the managed/user entries, you can use them to log in to the UI at https://localhost:8443/