/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2014 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

Sample 2b - Bi-directional LDAP <-> Internal Repository
=======================================================

This sample shows reconciliation between the OpenIDM internal repository
and a local LDAP directory server, such as OpenDJ, with data flowing from
OpenDJ into the internal repository, and from the internal repository into
OpenDJ.

The sample includes these configuration files.

* conf/provisioner.openicf-ldap.json configures the LDAP connector.
  By default, the LDAP connector uses the following parameters:
    "host" : "localhost",
    "port" : 1389,
    "principal" : "cn=Directory Manager",
    "credentials" : "password",
    "baseContextsToSynchronize" : [ "ou=People,dc=example,dc=com" ],
    "attributesToSynchronize" : [ "uid", "sn", "cn", "givenName", "mail", "description", "telephoneNumber" ],
  The bind account and password must match the directory you set up below.
  Binding as the directory's root account is convenient for a local test;
  anywhere else, use a dedicated account that can only read and write the
  entries under ou=People,dc=example,dc=com.
* conf/scheduler-recon.json configures a scheduler you can use to run
  reconciliation periodically.
* conf/sync.json describes how identities in the directory server map to
  identities in the internal repository, and back. It defines the two mappings
  run below: systemLdapAccounts_managedUser (LDAP to internal repository) and
  managedUser_systemLdapAccounts (internal repository to LDAP).
* conf/authentication.json specifies an additional "authModule" entry for "PASSTHROUGH"
  authentication. This lets the managed/user entries created from LDAP log in with
  the credentials that remain in LDAP: userPassword is not among the synchronized
  attributes, so these users have no password in the internal repository, and
  OpenIDM passes their login attempts through to the directory instead.

This sample includes the script script/ldapBackCorrelationQuery.js, which
correlates entries in the directory with identities in OpenIDM, so that an
identity already present on the other side is linked rather than created twice.

Setup OpenDJ
------------

1. Extract OpenDJ to a folder called opendj.

2. Run the following command to initialize OpenDJ and import the LDIF data for the sample.

   $ opendj/setup --cli \
     --hostname localhost \
     --ldapPort 1389 \
     --rootUserDN "cn=Directory Manager" \
     --rootUserPassword password \
     --adminConnectorPort 4444 \
     --baseDN dc=com \
     --ldifFile /path/to/openidm/samples/sample2b/data/Example.ldif \
     --acceptLicense \
     --no-prompt

   The root DN and password given here are what the LDAP connector binds with
   ("principal" and "credentials" in conf/provisioner.openicf-ldap.json), so if
   you change one, change the other.

After you import the data, ou=People,dc=example,dc=com contains two user entries. Although
all attributes to synchronize can be multi-valued in LDAP, this sample defines only mail as a multi-valued attribute
in OpenIDM.

Run The Sample In OpenIDM
-------------------------

1. Launch OpenIDM with the sample configuration as follows.

   $ /path/to/openidm/startup.sh -p samples/sample2b

2. Run reconciliation once, creating the users defined in OpenDJ in OpenIDM's internal repository.

   $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST \
     "https://localhost:8443/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"

   The -k flag skips verification of OpenIDM's self-signed certificate and is
   only acceptable for a local test.

3. Create or update a user in OpenIDM. The X-OpenIDM-Username and
   X-OpenIDM-Password headers carry the administrator's credentials in clear
   text, so send this request over HTTPS like the other steps, not over plain
   HTTP on port 8080. The "_id" in the body gives the managed object the
   client-chosen identifier "user" instead of a generated UUID.

   $ curl -k --header "Content-Type: application/json" \
     --header "X-OpenIDM-Username: openidm-admin" \
     --header "X-OpenIDM-Password: openidm-admin" \
     --request POST \
     --data '{
       "userName": "user.smith",
       "givenName": "User",
       "sn" : "Smith",
       "password" : "TestPassw0rd",
       "displayName" : "User Smith",
       "mail" : "user.smith@example.com",
       "_id" : "user"
     }' \
     "https://localhost:8443/openidm/managed/user?_action=create"

4. Run reconciliation again, this time creating the users defined in OpenIDM in OpenDJ.

   $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST \
     "https://localhost:8443/openidm/recon?_action=recon&mapping=managedUser_systemLdapAccounts"

5. Request all identifiers in OpenDJ. Use this command to see the results after reconciliation;
   the third entry, uid=user.smith, is the one created from the internal repository in step 4.

   $ curl -k -u "openidm-admin:openidm-admin" "https://localhost:8443/openidm/system/ldap/account?_queryId=query-all-ids&_prettyPrint=true"
   {
     "result" : [ {
       "dn" : "uid=jdoe,ou=People,dc=example,dc=com",
       "_id" : "uid=jdoe,ou=People,dc=example,dc=com"
     }, {
       "dn" : "uid=bjensen,ou=People,dc=example,dc=com",
       "_id" : "uid=bjensen,ou=People,dc=example,dc=com"
     }, {
       "dn" : "uid=user.smith,ou=People,dc=example,dc=com",
       "_id" : "uid=user.smith,ou=People,dc=example,dc=com"
     } ],
     "resultCount" : 3,
     "pagedResultsCookie" : null,
     "remainingPagedResults" : -1
   }

6. Request all identifiers in OpenIDM's internal repository. Use this command to see the results after reconciliation;
   the two UUIDs are the managed users created from LDAP in step 2, and "user" is the one created in step 3.

   $ curl -k -u "openidm-admin:openidm-admin" "https://localhost:8443/openidm/managed/user?_queryId=query-all-ids&_prettyPrint=true"
   {
     "result" : [ {
       "_id" : "455b1cd5-ae51-41c0-ade9-0dfcc6dee265",
       "_rev" : "0"
     }, {
       "_id" : "bdd64b1a-015b-4a00-a979-1d699bca2f6b",
       "_rev" : "0"
     }, {
       "_id" : "user",
       "_rev" : "0"
     } ],
     "resultCount" : 3,
     "pagedResultsCookie" : null,
     "remainingPagedResults" : -1
   }

Now you can log in to the UI with the credentials of any of the OpenDJ users. They
can update their profile or their password; the changes are synced back to LDAP.
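
The following JavaScript is an added example, not the sample's
script/ldapBackCorrelationQuery.js or any other OpenIDM code. It models offline
what the correlation script and steps 2 to 4 above do: each reconciliation pass
looks up an existing link for a source object, falls back to a correlation query
(LDAP uid against managed userName) when there is none, classifies the result with
OpenIDM's situation names (CONFIRMED, FOUND, ABSENT, AMBIGUOUS, MISSING), and
applies the default action. It also shows the failure mode the correlation query
exists to surface: two managed users sharing one userName make the LDAP entry
AMBIGUOUS, and nothing is linked. The state layout, the helper names
(freshState, assess, reconcile, runSample, ambiguousCase), the single shared link
table, and the generated ids are this example's own assumptions.

```javascript
// Added example, not part of the OpenIDM sample: an offline model of how a
// reconciliation pass uses a correlation query to decide what to do with each
// source object. State layout, helper names and generated ids are assumptions.

const PEOPLE = 'ou=People,dc=example,dc=com';
const dnFor = uid => `uid=${uid},${PEOPLE}`;

// Constructed data shaped like the two ou=People entries after the LDIF import.
// mail stays an array because the sample maps it as multi-valued.
function freshState() {
  return {
    ldap: [
      { _id: dnFor('jdoe'), uid: 'jdoe', givenName: 'John', sn: 'Doe', mail: ['jdoe@example.com'] },
      { _id: dnFor('bjensen'), uid: 'bjensen', givenName: 'Barbara', sn: 'Jensen', mail: ['bjensen@example.com'] },
    ],
    managed: [],   // nothing in the internal repository yet
    links: [],     // { ldapId, managedId }: one link table shared by both directions
    nextId: 0,     // stand-in for the repository's generated UUIDs
  };
}

// Correlation queries: LDAP uid <-> managed userName. A source with no usable
// key matches nothing (ABSENT) instead of matching every target whose key is
// also missing.
const ldapToManaged = (entry, managed) =>
  typeof entry.uid === 'string' && entry.uid !== '' ? managed.filter(u => u.userName === entry.uid) : [];
const managedToLdap = (user, ldap) =>
  typeof user.userName === 'string' && user.userName !== '' ? ldap.filter(e => e.uid === user.userName) : [];

// Situation of one source object, using OpenIDM's situation names.
function assess(src, linkedTargetId, correlate, targets) {
  if (linkedTargetId !== undefined) {
    const t = targets.find(x => x._id === linkedTargetId);
    return t ? { situation: 'CONFIRMED', target: t } : { situation: 'MISSING' };
  }
  const matches = correlate(src, targets);
  if (matches.length === 0) return { situation: 'ABSENT' };
  if (matches.length === 1) return { situation: 'FOUND', target: matches[0] };
  return { situation: 'AMBIGUOUS', matches };
}

// The sample's two mappings, reduced to: where sources and targets live, how a
// link is read and written, how to correlate, and how to create a target.
const MAPPINGS = {
  systemLdapAccounts_managedUser: {
    sources: s => s.ldap, targets: s => s.managed, correlate: ldapToManaged,
    linkedTarget: (s, src) => (s.links.find(l => l.ldapId === src._id) || {}).managedId,
    link: (s, src, tgt) => s.links.push({ ldapId: src._id, managedId: tgt._id }),
    create: (s, src) => { const u = { _id: `uuid-${++s.nextId}`, userName: src.uid, givenName: src.givenName, sn: src.sn, mail: src.mail }; s.managed.push(u); return u; },
  },
  managedUser_systemLdapAccounts: {
    sources: s => s.managed, targets: s => s.ldap, correlate: managedToLdap,
    linkedTarget: (s, src) => (s.links.find(l => l.managedId === src._id) || {}).ldapId,
    link: (s, src, tgt) => s.links.push({ ldapId: tgt._id, managedId: src._id }),
    create: (s, src) => { const e = { _id: dnFor(src.userName), uid: src.userName, givenName: src.givenName, sn: src.sn, mail: src.mail }; s.ldap.push(e); return e; },
  },
};

// One source-side pass with OpenIDM's default actions: ABSENT -> CREATE (and
// link), FOUND -> UPDATE (creating the link), CONFIRMED -> UPDATE, AMBIGUOUS
// and MISSING -> EXCEPTION (reported, nothing changed). Attribute updates and
// the target-side pass (UNQUALIFIED/UNASSIGNED) are left out of this model.
function reconcile(s, mappingName) {
  const m = MAPPINGS[mappingName];
  const summary = {};
  for (const src of [...m.sources(s)]) {
    const r = assess(src, m.linkedTarget(s, src), m.correlate, m.targets(s));
    summary[r.situation] = (summary[r.situation] || 0) + 1;
    if (r.situation === 'ABSENT') m.link(s, src, m.create(s, src));
    else if (r.situation === 'FOUND') m.link(s, src, r.target);
  }
  return summary;
}

// Steps 2 to 4 of this README: LDAP -> managed, create user.smith, managed -> LDAP.
function runSample() {
  const s = freshState();
  const step2 = reconcile(s, 'systemLdapAccounts_managedUser');
  s.managed.push({ _id: 'user', userName: 'user.smith', givenName: 'User', sn: 'Smith', mail: ['user.smith@example.com'] });
  const step4 = reconcile(s, 'managedUser_systemLdapAccounts');
  return { step2, step4, ldapIds: s.ldap.map(e => e._id), managedIds: s.managed.map(u => u._id), links: s.links.length };
}

// Failure mode to know about: two managed users already share userName "jdoe"
// before the first recon, so the LDAP entry correlates with both. The pass
// reports AMBIGUOUS for it and links neither; it never picks one at random.
function ambiguousCase() {
  const s = freshState();
  s.managed.push({ _id: 'a', userName: 'jdoe' }, { _id: 'b', userName: 'jdoe' });
  const summary = reconcile(s, 'systemLdapAccounts_managedUser');
  return { summary, links: s.links.length, managed: s.managed.length };
}

console.log(JSON.stringify({ sample: runSample(), ambiguous: ambiguousCase() }, null, 2));
```

Run it with node; the first result reproduces the counts seen in steps 5 and 6
(three LDAP entries, three managed users, one of them "user"), while the second
shows that an AMBIGUOUS entry is skipped and must be resolved by hand, for
example by removing the duplicate managed user, before a later recon can link
it. On a real server the correlation script returns a repository query rather
than filtering an array, but the decision it feeds is the same.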