README revision 185941104719f48494a107996e17a23aad237c7d
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2014 ForgeRock AS. All rights reserved.
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* http://forgerock.org/license/CDDLv1.0.html
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at http://forgerock.org/license/CDDLv1.0.html
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*/
Sample 3 - Scripted SQL
-----------------------
This sample demonstrates an example configuration for a scripted SQL
connector, a connector that communicates with a database through configurable
SQL scripts. This example requires a fresh installation of OpenIDM.
For documentation pertaining to this example see:
http://openidm.forgerock.org/doc/install-guide/index.html#more-sample3
This sample now also demonstrates the use of complex data types. Complex types
can be stored, retrieved and sync'ed like any other property of an object. These
types can be mapped to your external data sources in any way you choose but are
generally stored in the managed data as JSON represented as a String. This may
be customized further to do additional work with or transformation on that data.
The sync.json script demonstrates the use of event hooks to perform an action. In
this example there are two hooks, one for the onCreate event and another for onUpdate,
both for the managed user to external repo user case. In both events this sample
will log a statement to OpenIDM's log file (see the logs directory) when a managed
user is created or updated in the external repo. In both cases the script is
explicitly included in the sync.json file but could just as easily have referenced
an external file for the script source instead. For more information see:
http://openidm.forgerock.org/doc/webhelp/integrators-guide/appendix-scripting.html
The scripted connector supports any number of custom scripted endpoints. These are
configured via the provisioner script and currently support only Groovy. See
provisioner.openicf-scriptedsql.json and tools/ResetDatabaseScript.groovy for the
sample implementation. Step 5b below executes this script.
CAVEAT: Because MySQL cannot "un-hash" user passwords there is no way for a recon
to retrieve and store the password in the managed user object in OpenIDM. This may
impact configurations that support multiple external repos insofar as passwords
will likely not be in sync immediately after a mysql -> managed recon. Despite
creating any missing users in the managed repo during recon their passwords are
empty so those same users sync'ed into the other external repos will have blank
passwords. Some additional scripting may be required to handle this situation
depending on the requirements of your deployment.
To try the example, follow these steps.
1. Copy the MySQL Connector/J .jar to the OpenIDM bundle/ directory.
$ cp mysql-connector-java-5.1.18-bin.jar /path/to/openidm/bundle/
3. Set up MySQL to listen on localhost:3306, connecting as root:password.
4. Start OpenIDM with the configuration for sample 3.
$ /path/to/openidm/startup.sh -p samples/sample3
5. Populate the MySQL database with sample data. You do this with either 5a or 5b below:
5a. Import the sample data definition language file into MySQL.
$ ./bin/mysql -u root -p < /path/to/openidm/samples/sample3/data/sample_HR_DB.mysql
Enter password:
$ ./bin/mysql -u root -p
Enter password:
mysql> use hrdb;
mysql> select * from users;
+----+--------+------------------------------------------+-----------+----------+---------------+---------------------------+--------------+---------------------+
| id | uid | password | firstname | lastname | fullname | email | organization | timestamp |
+----+--------+------------------------------------------+-----------+----------+---------------+---------------------------+--------------+---------------------+
| 1 | bob | e38ad214943daad1d64c102faec29de4afe9da3d | Bob | Fleming | Bob Fleming | Bob.Fleming@example.com | HR | 2014-04-04 07:03:12 |
| 2 | rowley | 2aa60a8ff7fcd473d321e0146afd9e26df395147 | Rowley | Birkin | Rowley Birkin | Rowley.Birkin@example.com | SALES | 2014-04-04 07:03:12 |
| 3 | louis | 1119cfd37ee247357e034a08d844eea25f6fd20f | Louis | Balfour | Louis Balfour | Louis.Balfour@example.com | SALES | 2014-04-04 07:03:12 |
| 4 | john | a1d7584daaca4738d499ad7082886b01117275d8 | John | Smith | John Smith | John.Smith@example.com | SUPPORT | 2014-04-04 07:03:12 |
| 5 | jdoe | edba955d0ea15fdef4f61726ef97e5af507430c0 | John | Doe | John Doe | John.Doe@example.com | ENG | 2014-04-04 07:03:12 |
+----+--------+------------------------------------------+-----------+----------+---------------+---------------------------+--------------+---------------------+
5 rows in set (0.01 sec)
mysql> quit
Bye
* Note that these passwords are hashed, and not available to be read into OpenIDM as cleartext.
* sha1 is used to hash these passwords for compatibility reasons; in production, use more secure algorithms.
5b. Use REST to execute a custom script that, in this case, resets and populates the database.
$ curl -k --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --header "Content-Type: application/json" --request POST "https://localhost:8443/openidm/system/scriptedsql?_action=script&scriptId=ResetDatabase"
{
"actions": [
{
"result": "Successfully reset the database"
}
]
}
6. Run reconciliation:
$ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemHrdb_managedUser"
7. Retrieve the list of users from OpenIDM's internal repository:
$ curl -k -u "openidm-admin:openidm-admin" --request GET "https://localhost:8443/openidm/managed/user/?_queryId=query-all&fields=_openidm_id,userName,sn,givenName&_prettyPrint=true"
{
"result" : [ {
"_id" : "5b8c0ea8-3f11-4588-97af-723a76c8ef40",
"_rev" : "0",
"userName" : "rowley",
"sn" : "Birkin",
"givenName" : "Rowley"
}, {
"_id" : "7de6b0f6-2930-43fc-8e66-c6dd79e37160",
"_rev" : "0",
"userName" : "john",
"sn" : "Smith",
"givenName" : "John"
}, {
"_id" : "6fc473c4-9837-43f0-af6f-6fb4aa13a666",
"_rev" : "0",
"userName" : "louis",
"sn" : "Balfour",
"givenName" : "Louis"
}, {
"_id" : "163237fd-934d-4160-878d-c59f32a3eec9",
"_rev" : "0",
"userName" : "jdoe",
"sn" : "Doe",
"givenName" : "John"
}, {
"_id" : "3bbc3706-b6e2-4013-960a-6d1beed582e1",
"_rev" : "0",
"userName" : "bob",
"sn" : "Fleming",
"givenName" : "Bob"
} ],
"resultCount" : 5,
"pagedResultsCookie" : null,
"remainingPagedResults" : -1
}
8. Query for an individual user (by userName):
$ curl -k -u "openidm-admin:openidm-admin" --request GET "https://localhost:8443/openidm/managed/user?_queryId=for-userName&uid=rowley&_prettyPrint=true"
{
"result" : [ {
"mail" : "Rowley.Birkin@example.com",
"sn" : "Birkin",
"passwordAttempts" : "0",
"lastPasswordAttempt" : "Wed Oct 22 2014 09:51:31 GMT-0700 (PDT)",
"address2" : "",
"givenName" : "Rowley",
"effectiveRoles" : [ "openidm-authorized" ],
"country" : "",
"city" : "",
"lastPasswordSet" : "",
"organization" : "SALES",
"postalCode" : "",
"_id" : "ed8bbe46-08a1-4716-9d5f-3cc5d09e2a7c",
"_rev" : "1",
"cars" : [ {
"make" : "BMW",
"year" : "2013",
"model" : "328ci"
}, {
"make" : "Lexus",
"year" : "2010",
"model" : "ES300"
} ],
"accountStatus" : "active",
"telephoneNumber" : "",
"roles" : [ "openidm-authorized" ],
"effectiveAssignments" : null,
"postalAddress" : "",
"userName" : "rowley",
"stateProvince" : ""
} ],
"resultCount" : 1,
"pagedResultsCookie" : null,
"remainingPagedResults" : -1
}
9. Show paging results with page size of 2
$ curl -k -u "openidm-admin:openidm-admin" --request GET "https://localhost:8443/openidm/system/scriptedsql/account?_queryId=query-all-ids&_pageSize=2&_sortKeys=timestamp,id"
{
"result":[
{
"uid":"bob",
"_id":"1"
},
{
"uid":"rowley",
"_id":"2"
} ],
"resultCount":2,
"pagedResultsCookie":"2014-09-11 10:07:57.0,2",
"remainingPagedResults":-1
}
10. Use the pagedResultsCookie from the result in step 9 for the next query to retrieve the next result set. Make sure you encode the date:time.
$ curl -k -u "openidm-admin:openidm-admin" --request GET "https://localhost:8443/openidm/system/scriptedsql/account?_queryId=query-all-ids&_pageSize=2&_sortKeys=timestamp,id&_pagedResultsCookie=2014-09-11%2010:07:57.0,2"
{
"result":[
{
"uid":"louis",
"_id":"3"
},
{
"uid":"john",
"_id":"4"
}],
"resultCount":2,
"pagedResultsCookie":"2014-09-11 10:07:57.0,4",
"remainingPagedResults":-1
}
You can log in to the OpenIDM UI (https://localhost:8443/openidmui) with any of
the users that were created in the repository by the reconciliation operation.
Consult the values from "sample_HR_DB.mysql" to retrieve their clear text
passwords. Users can update their profiles or passwords. Any changes will be
automatically synchronized back to the MySQL database.