README.md revision c778db2859a5f59aa80244e248847d38b8d5df84
/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2014 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

Sample 6 - LiveSync Between Two LDAP Servers
============================================

This sample demonstrates the use of two real LDAP connections, and both
reconciliation and LiveSync. The configurations provided are tailored
for working with Microsoft Active Directory and ForgeRock OpenDJ, but
they could easily be changed to work with any standard LDAP server.

For documentation pertaining to this example see:
http://openidm.forgerock.org/doc/bootstrap/samples-guide/#more-sample-6

Setup OpenDJ
------------
1. Extract OpenDJ to a folder called opendj.

2. Run the following command to initialize OpenDJ and import the LDIF data for the sample.

        $ opendj/setup --cli \
          --hostname localhost \
          --ldapPort 1389 \
          --rootUserDN "cn=Directory Manager" \
          --rootUserPassword password \
          --adminConnectorPort 4444 \
          --baseDN dc=com \
          --ldifFile /path/to/openidm/samples/sample6/data/Example.ldif \
          --acceptLicense \
          --no-prompt

The directory server should now show two users under dc=example,dc=com.

Active Directory Configuration Alternatives
-------------------------------------------

There are two different configuration options, depending on the external
resources you have to work with. Within the samples/sample6/alternatives folder,
you will find two provisioner configurations - one for a "real" AD server and
one for a "fake" AD server.

### Option 1 (real)
If you have access to a real Microsoft Active Directory server that you
would like to use for this sample, choose "provisioner.openicf-realad.json".
Note that the configuration for this sample is one-way, from AD to DJ, so there
is no risk in configuring a real AD server as part of this sample - changes won't
be made on that server. Because nothing is written to AD, a bind account with
read access to the account containers is sufficient.

    $ cp samples/sample6/alternatives/provisioner.openicf-realad.json samples/sample6/conf

Using a text editor, open samples/sample6/conf/provisioner.openicf-realad.json and
make the following updates:

    "configurationProperties" : {
        "host" : "", // Enter the hostname or IP address of your Active Directory server
        "port" : "389", // Default non-SSL port. If using SSL (below), change to 636
        "ssl" : false, // To enable, set to true; you may need to import the server's certificate into OpenIDM's truststore
        "principal" : "", // Full DN of the account to bind with (ex: "CN=Administrator,CN=Users,DC=example,DC=com")
        "credentials" : null, // Password for the bind account (replace null with a string value; it will be encrypted upon startup)
        "baseContexts" : [ ], // List of DNs for the containers of accounts (ex: "CN=Users,DC=example,DC=com")
        "baseContextsToSynchronize" : [ ], // Set to the same values as "baseContexts"

        // Additional options to further limit the accounts returned. Defaults to active accounts which aren't Computers
        "accountSearchFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))",
        "accountSynchronizationFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))",
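As an added example (not part of the OpenIDM sample), the following Python reproduces what the account filters above select: the extensible match `userAccountControl:1.2.840.113556.1.4.803:=2` is a bitwise AND against the ACCOUNTDISABLE flag, so disabled accounts and computer objects never reach reconciliation or LiveSync. The flag constants and the entries in SAMPLE_ENTRIES are constructed for illustration.

```python
"""Evaluate the AD account filter used in provisioner.openicf-realad.json.

Added example, not part of the OpenIDM sample. It reproduces the semantics of
    (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))
for in-memory entries, so you can see which accounts the connector will return.
"""

# userAccountControl flag bits (from the Windows ADS_USER_FLAG enumeration)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000

# Matching rule OIDs used in AD extensible-match filters
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def bit_match(value: int, rule: str, mask: int) -> bool:
    """Apply an AD bitwise matching rule: AND needs every mask bit set, OR needs any."""
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return value & mask == mask
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return value & mask != 0
    raise ValueError(f"unknown matching rule {rule}")


def passes_account_filter(entry: dict) -> bool:
    """True if the entry satisfies the sample's accountSearchFilter."""
    uac = int(entry.get("userAccountControl", 0))
    # (!(userAccountControl:1.2.840.113556.1.4.803:=2)) -> the disable bit is clear
    enabled = not bit_match(uac, LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE)
    # (!(objectClass=Computer)) -> objectClass values compare case-insensitively in LDAP
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return enabled and "computer" not in classes


# Constructed sample entries, not data from the sample's LDIF files
SAMPLE_ENTRIES = {
    "jdoe":   {"userAccountControl": NORMAL_ACCOUNT, "objectClass": ["top", "person", "user"]},
    "bdobbs": {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "objectClass": ["top", "person", "user"]},
    "svc01":  {"userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, "objectClass": ["top", "person", "user"]},
    "WS01$":  {"userAccountControl": WORKSTATION_TRUST_ACCOUNT, "objectClass": ["top", "person", "user", "computer"]},
}


def synced_accounts() -> list:
    """Names of the sample entries the connector would hand to reconciliation."""
    return sorted(name for name, e in SAMPLE_ENTRIES.items() if passes_account_filter(e))


if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(f"{name:8s} uac=0x{int(entry['userAccountControl']):05x} synced={passes_account_filter(entry)}")
```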

### Option 2 (fake)
If you do not have a real Microsoft Active Directory server available, you can
simulate one using the "fake" AD configuration. This configuration uses the same OpenDJ
server that you installed above, but uses a different base DN for the "AD" users.

1. Load the AD.ldif supplied in the data folder into OpenDJ.

        $ opendj/bin/ldapmodify -a --bindDN "cn=Directory Manager" --bindPassword password --hostname localhost \
          --port 1389 --filename /path/to/openidm/samples/sample6/data/AD.ldif

2. Set up replication on OpenDJ for the fake AD. OpenDJ only exposes the change log
   (cn=changelog) that LiveSync polls once replication is configured, so the single
   server is made its own replication server and domain here.

        $ opendj/bin/dsconfig create-replication-server --hostname localhost --port 4444 --bindDN "cn=Directory Manager" \
          --bindPassword password --provider-name "Multimaster Synchronization" --set replication-port:8989 \
          --set replication-server-id:2 --type generic --trustAll --no-prompt

        $ opendj/bin/dsconfig create-replication-domain --hostname localhost --port 4444 --bindDN "cn=Directory Manager" \
          --bindPassword password --provider-name "Multimaster Synchronization" --domain-name fakead_com \
          --set base-dn:dc=fakead,dc=com --set replication-server:localhost:8989 --set server-id:3 --type generic \
          --trustAll --no-prompt

3. Copy the fake AD configuration file into your conf folder:

        $ cp samples/sample6/alternatives/provisioner.openicf-fakead.json samples/sample6/conf

   Edit samples/sample6/conf/provisioner.openicf-fakead.json and review the configuration details,
   being sure to set the connection values to match however you have installed OpenDJ.

Running the Sample in OpenIDM
-----------------------------

To run the sample in OpenIDM, follow these steps.

1. Start OpenIDM with the configuration for sample 6.

        $ cd /path/to/openidm
        $ ./startup.sh -p samples/sample6

2. Run reconciliation. The -k flag skips certificate verification because the
   default OpenIDM certificate is self-signed.

        $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST \
          "https://localhost:8443/openidm/recon?_action=recon&mapping=systemAdAccounts_managedUser"

   It should return something like:

        {"_id":"d88ca423-d5f2-4eb5-a451-a229399f92af","state":"ACTIVE"}

3. Check that the users from Active Directory were added to OpenDJ:

        $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" \
          "https://localhost:8443/openidm/system/ldap/account?_queryId=query-all-ids&_prettyPrint=true"

   The way this works is that the reconciliation from step 2 imports the data into managed/user.
   Each change on managed/user triggers a "sync" action for the other mappings which use managed/user
   as a source; in this case, the managedUser_systemLdapAccounts mapping. This mapping updates
   OpenDJ.

4. Edit samples/sample6/conf/schedule-activeSynchroniser_systemAdAccount.json
   to set "enabled" : true. LiveSync causes synchronization to happen as you
   make changes in the source system (Active Directory in this case).

5. Make a change within the (real or fake) Active Directory server, and observe the change in managed/user and in OpenDJ.

   * If you are using a real Active Directory server, you can use the graphical tool
     "Active Directory Users and Computers" on the server hosting the directory. Open
     this, find a user that you know has been synced to OpenDJ, and make some property
     change. LiveSync should detect that change within 15 seconds (as per the configuration
     in schedule-activeSynchroniser_systemAdAccount.json) and update both the managed/user
     and OpenDJ records accordingly.
   * If you are using the fake Active Directory configuration, you can use ldapmodify to
     create a new user in ou=People,dc=fakead,dc=com and then check the result. For example,
     create a bdobbs.ldif file and paste the following into it:

            dn: uid=bdobbs,ou=People,dc=fakead,dc=com
            objectClass: person
            objectClass: inetOrgPerson
            objectClass: organizationalPerson
            objectClass: top
            givenName: Bob
            description: Created to see LiveSync work
            uid: bdobbs
            cn: Bob Dobbs
            sn: Dobbs
            mail: bdobbs@example.com
            telephoneNumber: 1-555-111-2222
            userPassword: password

     Then load it from the opendj/bin directory, wait for the next LiveSync run, and search
     OpenDJ for the result:

            $ ./ldapmodify -p 1389 -a -D "cn=Directory Manager" -w password -f ~/path/to/bdobbs.ldif
            $ ./ldapsearch -p 1389 -b dc=example,dc=com "(uid=*)" cn description
            dn: uid=jdoe,dc=example,dc=com
            description: Created for OpenIDM
            cn: John Doe

            dn: uid=bdobbs,dc=example,dc=com
            description: Created to see LiveSync work
            cn: Bob Dobbs

6. You can log in to the OpenIDM UI with any of the Active Directory user credentials. Changes
   made within the OpenIDM UI will only be persisted within managed/user and OpenDJ, since we
   do not have a bidirectional mapping between Active Directory and managed/user.