README revision 0942ced8a2cc0c0f5fb5015ec53f81d5360ee79c
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2014 ForgeRock AS. All rights reserved.
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* http://forgerock.org/license/CDDLv1.0.html
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at http://forgerock.org/license/CDDLv1.0.html
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*/
Sample 6 - LiveSync Between Two LDAP Servers
--------------------------------------------
This sample demonstrates the use of two real LDAP connections, and both
reconciliation and LiveSync. The configurations provided are tailored
for working with Microsoft Active Directory and ForgeRock OpenDJ, but
they could easily be changed to work with any standard LDAP server.
For documentation pertaining to this example see:
http://openidm.forgerock.org/doc/install-guide/index.html#more-sample6
To prepare to run the sample, download OpenDJ directory server from
http://forgerock.org/opendj.html. Install OpenDJ using QuickSetup:
* Use "password" as the password for cn=Directory Manager.
* When presented with Topology Options, be sure to choose "This server
will be part of a replication topology" to ensure the change log is set
up.
* Import samples/sample6/data/Example.ldif during installation.
The directory server should now show two users under dc=example,dc=com.
--- CONFIGURATION ALTERNATIVES ---
There are two configuration options to choose between, depending on the
external resources you have to work with. Within the
samples/sample6/alternatives folder, you will find two provisioner configurations -
one for a "real" AD server and one for a "fake" AD server.
Option 1 (real): If you have access to a real Microsoft Active Directory server that you
would like to use for this sample, choose the "provisioner.openicf-realad.json".
Note that the configuration for this sample is one-way, from AD to DJ, so there
is no risk in configuring a real AD server as part of this sample - changes won't
be made on that server.
$ cp samples/sample6/alternatives/provisioner.openicf-realad.json samples/sample6/conf
Using a text editor, open samples/sample6/conf/provisioner.openicf-realad.json and
make the following updates:
"configurationProperties" : {
    "host" : "",          // Hostname or IP address of your Active Directory server
    "port" : "389",       // Default non-SSL port. If using SSL (below), change to 636
    "ssl" : false,        // Set to true to connect over LDAPS; you may need to import the server's public key into OpenIDM's truststore
    "principal" : "",     // Full DN of the account to bind with (ex: "CN=Administrator,CN=Users,DC=example,DC=com")
    "credentials" : null, // Password for the bind account (replace null with a string value; it is encrypted on startup)
    "baseContexts" : [ ], // List of DNs for the containers of accounts (ex: "CN=Users,DC=example,DC=com")
    "baseContextsToSynchronize" : [ ], // Set to the same values as "baseContexts"
    // Additional filters to further limit the accounts returned. The defaults select enabled accounts that are not Computers
    "accountSearchFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))",
    "accountSynchronizationFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))",
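As an added example (not part of the OpenIDM sample), the following Python evaluates the accountSearchFilter above against a few constructed AD entries, so you can see which accounts the one-way sync admits and why a disabled account or a computer object is left out. The entry DNs, attribute values and the helper names are assumptions made for illustration.

```python
# Added example, not from the OpenIDM sample: local evaluation of the sample's
# accountSearchFilter. The filter rejects entries whose userAccountControl has
# the ACCOUNTDISABLE bit (0x2) set, tested with the AD bitwise-AND matching
# rule 1.2.840.113556.1.4.803, and rejects entries with objectClass=Computer.

UF_ACCOUNTDISABLE = 0x0002                    # bit the sample's filter tests
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def build_account_filter(disable_bit: int = UF_ACCOUNTDISABLE) -> str:
    """Return the filter string exactly as it appears in the sample config."""
    return ("(&(!(userAccountControl:%s:=%d))(!(objectClass=Computer)))"
            % (LDAP_MATCHING_RULE_BIT_AND, disable_bit))


def bit_and_matches(value, mask: int) -> bool:
    """Semantics of the bitwise-AND extensible match: true when all mask bits are set."""
    try:
        return (int(value) & mask) == mask
    except (TypeError, ValueError):
        return False                          # a non-integer value never matches


def is_synchronizable(entry: dict) -> bool:
    """True if the entry would pass the sample's accountSearchFilter (hypothetical helper)."""
    disabled = bit_and_matches(entry.get("userAccountControl", "0"), UF_ACCOUNTDISABLE)
    classes = {c.lower() for c in entry.get("objectClass", [])}   # objectClass matching is case-insensitive
    return not disabled and "computer" not in classes


# Constructed sample entries; they are not taken from the sample's data files.
SAMPLE_ENTRIES = {
    "CN=Alice,CN=Users,DC=example,DC=com":
        {"objectClass": ["top", "person", "user"], "userAccountControl": "512"},    # NORMAL_ACCOUNT
    "CN=Bob,CN=Users,DC=example,DC=com":
        {"objectClass": ["top", "person", "user"], "userAccountControl": "514"},    # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "CN=WS01,CN=Computers,DC=example,DC=com":
        {"objectClass": ["top", "person", "user", "computer"], "userAccountControl": "4096"},  # workstation
    "CN=Carol,CN=Users,DC=example,DC=com":
        {"objectClass": ["top", "person", "user"], "userAccountControl": "66048"},  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
}


def synchronizable_dns(entries: dict) -> list:
    """DNs the connector would hand to OpenIDM, in input order."""
    return [dn for dn, attrs in entries.items() if is_synchronizable(attrs)]


if __name__ == "__main__":
    print(build_account_filter())
    for dn in synchronizable_dns(SAMPLE_ENTRIES):
        print("would sync:", dn)
```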
Option 2 (fake): If you do not have a real Microsoft Active Directory server available, you can
simulate one using the "fake" AD configuration. This configuration uses the same OpenDJ
server that you installed above, but uses a different base DN for the "AD" users.
After your OpenDJ installation from above completes, click Launch Control Panel. Then,
use the New Base DN... window to create dc=fakead,dc=com and import
samples/sample6/data/AD.ldif into the same userRoot database as you used by default
for Example.ldif.
Next, copy the fake ad configuration file into your conf folder:
$ cp samples/sample6/alternatives/provisioner.openicf-fakead.json samples/sample6/conf
Edit samples/sample6/conf/provisioner.openicf-fakead.json and review the configuration details,
being sure to set the connection values to match however you have installed OpenDJ.
---
To run the sample in OpenIDM, follow these steps.
1. Start OpenIDM with the configuration for sample 6.
$ cd /path/to/openidm
$ ./startup.sh -p samples/sample6
2. Run reconciliation.
$ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemAdAccounts_managedUser"
{"reconId":"d88ca423-d5f2-4eb5-a451-a229399f92af"}
3. Check that the users from Active Directory were added to OpenDJ:
$ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" "https://localhost:8443/openidm/system/ldap/account?_queryId=query-all-ids&_prettyPrint=true"
This works as follows: the reconciliation in step 2 imports the data into managed/user.
Each change to managed/user triggers a "sync" action on every other mapping that uses
managed/user as its source; in this case that is the managedUser_systemLdapAccounts mapping,
which updates OpenDJ.
4. Edit samples/sample6/conf/schedule-activeSynchroniser_systemAdAccount.json
to set "enabled" : true. LiveSync causes synchronization to happen as you
make changes in the source system (Active Directory in this case).
5. Make a change within the (real or fake) Active Directory server, and observe the
change in managed/user and in OpenDJ.
If you are using a real Active Directory server, you can use the graphical tool
"Active Directory Users and Computers" on the server hosting the directory. Open
it, find a user that you know has been synced to OpenDJ, and change some property.
LiveSync should detect that change within 15 seconds (as per the configuration
in schedule-activeSynchroniser_systemAdAccount.json) and update both the managed/user
and OpenDJ records accordingly.
If you are using the fake Active Directory configuration, you can use ldapmodify to
create a new user in ou=People,dc=fakead,dc=com and then check the result.
An example would be to create a bdobbs.ldif file and paste the following in it.
dn: uid=bdobbs,ou=People,dc=fakead,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: Bob
description: Created to see LiveSync work
uid: bdobbs
cn: Bob Dobbs
sn: Dobbs
mail: bdobbs@example.com
telephoneNumber: 1-555-111-2222
userPassword: password
Then load it with ldapmodify and check the result with ldapsearch:
$ ./ldapmodify -p 1389 -a -D "cn=Directory Manager" -w password -f ~/path/to/bdobbs.ldif
$ ./ldapsearch -p 1389 -b dc=example,dc=com "(uid=*)" cn description
dn: uid=jdoe,dc=example,dc=com
description: Created for OpenIDM
cn: John Doe
dn: uid=bdobbs,dc=example,dc=com
description: Created to see LiveSync work
cn: Bob Dobbs
6. You can log in to the OpenIDM UI with any of the Active Directory user credentials. Changes
made within the OpenIDM UI will only be persisted within managed/user and OpenDJ, since there
is no bidirectional mapping between Active Directory and managed/user.