/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2014 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

Sample 6 - LiveSync Between Two LDAP Servers
============================================

This sample demonstrates the use of two real LDAP connections, with both
reconciliation and LiveSync. The configurations provided are tailored
for working with Microsoft Active Directory and ForgeRock OpenDJ; however,
they could easily be changed to work with any standard LDAP servers.

For documentation pertaining to this example see:
http://openidm.forgerock.org/doc/install-guide/index.html#more-sample6


Set Up OpenDJ
-------------
1. Extract OpenDJ to a folder called opendj.

2. Run the following command to initialize OpenDJ.

    $ opendj/setup --cli --hostname localhost --ldapPort 1389 \
        --rootUserDN "cn=Directory Manager" \
        --rootUserPassword password --adminConnectorPort 4444 \
        --baseDN dc=com --acceptLicense --addBaseEntry \
        --no-prompt --quiet

3. Load the Example.ldif file supplied in the data folder into OpenDJ.

    $ opendj/bin/ldapmodify --bindDN "cn=Directory Manager" \
        --bindPassword password --hostname localhost \
        --port 1389 --filename \
        /path/to/openidm/samples/sample6/data/Example.ldif

The directory server should now show two users under dc=example,dc=com.


Active Directory Configuration Alternatives
-------------------------------------------

There are two different configuration options, depending on the external
resources you have to work with. Within the samples/sample6/alternatives
folder, you will find two provisioner configurations - one for a "real" AD
server and one for a "fake" AD server.

### Option 1 (real)
If you have access to a real Microsoft Active Directory server that you
would like to use for this sample, choose the "provisioner.openicf-realad.json".
Note that the configuration for this sample is one-way, from AD to DJ, so there
is no risk in configuring a real AD server as part of this sample - changes won't
be made on that server.

    $ cp samples/sample6/alternatives/provisioner.openicf-realad.json samples/sample6/conf

Using a text editor, open samples/sample6/conf/provisioner.openicf-realad.json and
make the following updates:

    "configurationProperties" : {
        "host" : "", // Enter the hostname or IP address of your Active Directory server
        "port" : "389", // Default non-SSL port. If using SSL (below), change to 636
        "ssl" : false, // To use, you may need to import the server's public key into OpenIDM's truststore
        "principal" : "", // Full DN of the account to bind with (ex: "CN=Administrator,CN=Users,DC=example,DC=com")
        "credentials" : null, // Password for account to bind (replace null with string value; it will be encrypted upon startup)
        "baseContexts" : [ ], // List of DNs for the containers of accounts. (ex: "CN=Users,DC=example,DC=com")
        "baseContextsToSynchronize" : [ ], // Set to be the same values as "baseContexts"

        // Additional options to further limit the accounts returned. Defaults to active accounts which aren't Computers
        "accountSearchFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))",
        "accountSynchronizationFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))",
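
A preflight check for the connection settings listed above, as an added example that is not part of the OpenIDM sample. It assumes the edited file is plain JSON without the explanatory `//` comments shown here; the function names and the sample values are constructed for illustration.

```python
import ipaddress

# Constructed sample: the fields the README asks you to fill in, as they
# might look after a first edit (all values are illustrative).
SAMPLE = {"configurationProperties": {
    "host": "ad.example.com",
    "port": "389",
    "ssl": False,
    "principal": "CN=Administrator,CN=Users,DC=example,DC=com",
    "credentials": "changeit",
    "baseContexts": ["CN=Users,DC=example,DC=com"],
    "baseContextsToSynchronize": [],
}}


def is_loopback(host):
    """True for localhost or a loopback IP literal; other names count as remote."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def preflight(config):
    """Return a list of findings for the settings the README covers."""
    props = config.get("configurationProperties", {})
    findings = []
    for key in ("host", "principal", "credentials"):
        if not props.get(key):
            findings.append(f"{key} is not set")
    if not props.get("baseContexts"):
        findings.append("baseContexts is empty")
    if props.get("baseContextsToSynchronize") != props.get("baseContexts"):
        findings.append("baseContextsToSynchronize differs from baseContexts")
    ssl, port = props.get("ssl") is True, str(props.get("port", ""))
    if ssl and port != "636":
        findings.append(f"ssl is true but port is {port}, README uses 636")
    if not ssl and port == "636":
        findings.append("port is 636 but ssl is false")
    host = props.get("host") or ""
    if not ssl and host and not is_loopback(host):
        findings.append("ssl is false for a remote host: the bind DN and "
                        "password cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("WARN", finding)
```

To check a real file, load it with `json.load` and pass the result to `preflight` before starting OpenIDM.
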
### Option 2 (fake)
If you do not have a real Microsoft Active Directory server available, you can
simulate one using the "fake" AD configuration. This configuration uses the same OpenDJ
server that you installed above, but uses a different base DN for the "AD" users.

1. Load the AD.ldif supplied in the data folder into OpenDJ.

    $ opendj/bin/ldapmodify --bindDN "cn=Directory Manager" --bindPassword password --hostname localhost \
        --port 1389 --filename /path/to/openidm/samples/sample6/data/AD.ldif

2. Set up replication on OpenDJ for the fake AD.

    $ opendj/bin/dsconfig create-replication-server --hostname localhost --port 4444 --bindDN "cn=Directory Manager" \
        --bindPassword password --provider-name "Multimaster Synchronization" --set replication-port:8989 \
        --set replication-server-id:2 --type generic --trustAll --no-prompt

    $ opendj/bin/dsconfig create-replication-domain --hostname localhost --port 4444 --bindDN "cn=Directory Manager" \
        --bindPassword password --provider-name "Multimaster Synchronization" --domain-name fakead_com \
        --set base-dn:dc=fakead,dc=com --set replication-server:localhost:8989 --set server-id:3 --type generic \
        --trustAll --no-prompt

3. Copy the fake AD configuration file into your conf folder:

    $ cp samples/sample6/alternatives/provisioner.openicf-fakead.json samples/sample6/conf

Edit samples/sample6/conf/provisioner.openicf-fakead.json and review the configuration details,
being sure to set the connection values to match however you have installed OpenDJ.

Running the Sample in OpenIDM
-----------------------------

To run the sample in OpenIDM, follow these steps.

1. Start OpenIDM with the configuration for sample 6.

    $ cd /path/to/openidm
    $ ./startup.sh -p samples/sample6

2. Run reconciliation.

    $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST \
        "https://localhost:8443/openidm/recon?_action=recon&mapping=systemAdAccounts_managedUser"
    {"_id":"d88ca423-d5f2-4eb5-a451-a229399f92af","state":"ACTIVE"}

3. Check that the users from Active Directory were added to OpenDJ:

    $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" \
        "https://localhost:8443/openidm/system/ldap/account?_queryId=query-all-ids&_prettyPrint=true"

The way this works is that the reconciliation from step 2 imports the data into managed/user.
Each change on managed/user triggers a "sync" action for the other mappings which use managed/user
as a source; in this case, the managedUser_systemLdapAccounts mapping. This mapping updates
OpenDJ.

4. Edit samples/sample6/conf/schedule-activeSynchroniser_systemAdAccount.json
to set "enabled" : true. LiveSync causes synchronization to happen as you
make changes in the source system (Active Directory in this case).

5. Make a change within the (real or fake) Active Directory server, and observe the change in managed/user and in OpenDJ.

  * If you are using a real Active Directory server, you can use the graphical tool
"Active Directory Users and Computers" on the server hosting the directory. Open
this, find a user that you know has been synced to OpenDJ, and make some property
change. LiveSync should detect that change within 15 seconds (as per the configuration
in schedule-activeSynchroniser_systemAdAccount.json) and update both the managed/user
and OpenDJ records accordingly.

  * If you are using the fake Active Directory configuration, you can use ldapmodify to
create a new user in ou=People,dc=fakead,dc=com and then check the result. An example would be to create a bdobbs.ldif
file and paste the following in it.

        dn: uid=bdobbs,ou=People,dc=fakead,dc=com
        objectClass: person
        objectClass: inetOrgPerson
        objectClass: organizationalPerson
        objectClass: top
        givenName: Bob
        description: Created to see LiveSync work
        uid: bdobbs
        cn: Bob Dobbs
        sn: Dobbs
        mail: bdobbs@example.com
        telephoneNumber: 1-555-111-2222
        userPassword: password

    Then use:

        $ ./ldapmodify -p 1389 -a -D "cn=Directory Manager" -w password -f ~/path/to/bdobbs.ldif

        $ ./ldapsearch -p 1389 -b dc=example,dc=com "(uid=*)" cn description
        dn: uid=jdoe,dc=example,dc=com
        description: Created for OpenIDM
        cn: John Doe

        dn: uid=bdobbs,dc=example,dc=com
        description: Created to see LiveSync work
        cn: Bob Dobbs

6. You can log in to the OpenIDM UI with any of the Active Directory user credentials. Changes
made within the OpenIDM UI will only be persisted within managed/user and OpenDJ, since we
do not have a bidirectional mapping between Active Directory and managed/user.