Cross Reference: /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample2/README

	README revision 4b3769ce483ece06f60f983193712492b920144f
Sample 2 - One-way LDAP -> Internal Repository
----------------------------------------------
Copyright (c) 2012-2014 ForgeRock AS
This work is licensed under a Creative Commons Attribution-
NonCommercial-NoDerivs 3.0 Unported License. See
http://creativecommons.org/licenses/by-nc-nd/3.0/

The sample shows you reconciliation between the OpenIDM internal repository
and a local LDAP directory server, such as OpenDJ, with data flowing from
OpenDJ into the internal repository. No changes are pushed from OpenIDM
to OpenDJ.

To run this sample, launch OpenIDM with the sample configuration as follows:
$ /path/to/openidm/startup.sh -p samples/sample2

or follow the documentation in the Install Guide:
http://openidm.forgerock.org/doc/install-guide/index.html#more-sample2

The sample includes these configuration files.

*   conf/provisioner.openicf-ldap.json configures the LDAP connector.
    By default, the LDAP connector uses the following parameters:
    "host" : "localhost",
    "port" : 1389,
    "principal" : "cn=Directory Manager",
    "credentials" : "password",
    "baseContextsToSynchronize" : [ "ou=People,dc=example,dc=com" ],
    "attributesToSynchronize" : [ "uid", "sn", "cn", "givenName", "mail", "description", "telephoneNumber" ],
*   conf/scheduler-recon.json configures a scheduler you can use to run
    reconciliation periodically.
*   conf/sync.json describes how identities in the directory server map to
    identities in the internal repository target.
*   conf/authentication.json specifies an additional "authModule" entry for "PASSTHROUGH"
    authentication. This is used to allow the managed/user entries created from LDAP to
    login with the credentials which remain in LDAP.

Data for this sample is stored in data/Example.ldif. After you import
the data, ou=People,dc=example,dc=com contains a single user entry for
the user from the first sample. Although all attributes to synchronize
can be multi-valued in LDAP, this sample defines only mail as a multi-
valued attribute in OpenIDM, in order to match the definition in the
first sample.

The following curl command runs reconciliation once, creating users defined
in OpenDJ in OpenIDM's internal repository:

$ curl -k --header "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"

Alternatively, edit conf/scheduler-recon.json to enable scheduled
reconciliation:

    "enabled" : true,

The following curl command requests all identifiers in OpenIDM's internal
repository. Use it to see the results after reconciliation for example.

$ curl -k -u "openidm-admin:openidm-admin" "https://localhost:8443/openidm/managed/user?_queryId=query-all-ids&_prettyPrint=true"
{
  "result" : [ {
    "_id" : "678eb8f7-5e3f-4bef-b001-bc0f01353dae",
    "_rev" : "0"
  }, {
    "_id" : "5e9534cb-c37e-48c0-9c1f-0782a7e2a9c0",
    "_rev" : "0"
  } ],
  "resultCount" : 2,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}

After you have created the managed/user entries you can use them to login to the UI at https://localhost:8443/openidmui/