
To enable provisioning, de-provisioning and password synchronization, we need to use the LDAP connector that is included in the OpenIAM Identity Manager. The following section describes how to configure the connector to work with Active Directory 2008 and Active Directory 2008 R2.

Note:

  • To use the Java based LDAP connector with Active Directory, you will need to enable a secure connection to AD. Active Directory refuses to set or change a password over an unencrypted LDAP connection, so any client that sets passwords through LDAP, the Java connector included, must connect over TLS/SSL (ldaps://) before a password change is allowed. The steps to enable LDAPS on the domain controller are described elsewhere in this documentation.
  • OpenIAM also provides a .NET based Active Directory and Exchange Connector, part of the EE solution, which does not require an SSL connection.
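The following Python example is added to this page and is not OpenIAM code. It models what any LDAP client, the Java connector included, has to do before Active Directory will accept a password: connect with an ldaps:// URL, and send the value as the unicodePwd attribute, wrapped in double quotes and encoded as UTF-16LE. It also shows the two modify shapes AD distinguishes, an administrative reset (replace) and an end-user change (delete the old value and add the new one in a single operation). The function names and the sample host, DN and passwords are this example's own assumptions; no directory is contacted.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# LDAP modify operation codes (RFC 4511, section 4.6).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2
LDAPS_DEFAULT_PORT = 636


def require_ldaps(host_url: str) -> tuple[str, int]:
    """Return (host, port) for an ldaps:// URL and reject anything else.

    Active Directory will not accept a unicodePwd modification over an
    unencrypted connection, so a Host Url of ldap://... can search, add
    (without a password) and delete, but never set or change a password.
    """
    parts = urlsplit(host_url)
    if parts.scheme != "ldaps":
        raise ValueError(f"{host_url!r}: password operations need ldaps://, not {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError(f"{host_url!r}: no host in URL")
    return parts.hostname, parts.port or LDAPS_DEFAULT_PORT


def encode_unicode_pwd(password: str) -> bytes:
    """Wire format AD expects for unicodePwd: the password wrapped in double
    quotes and encoded as UTF-16LE (no byte-order mark, no terminator)."""
    return f'"{password}"'.encode("utf-16-le")


def password_reset_request(host_url: str, user_dn: str, new_password: str) -> dict:
    """Administrative reset, as a provisioning system does with its service
    account: a single replace of unicodePwd. The bind account needs the
    'Reset Password' right on the target object; the old password is not
    required and AD skips the minimum-password-age check."""
    host, port = require_ldaps(host_url)
    return {
        "host": host,
        "port": port,
        "dn": user_dn,
        "changes": [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])],
    }


def password_change_request(host_url: str, user_dn: str,
                            old_password: str, new_password: str) -> dict:
    """End-user change: delete the old value and add the new one in ONE
    modify. AD applies the full password policy to this form, which is why a
    self-service flow should use it rather than a reset."""
    host, port = require_ldaps(host_url)
    return {
        "host": host,
        "port": port,
        "dn": user_dn,
        "changes": [
            (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
            (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
        ],
    }


if __name__ == "__main__":
    # Constructed sample values (hypothetical host and user); nothing is sent anywhere.
    user = "CN=Jane Doe,CN=Users,DC=iamdev,DC=local"
    req = password_reset_request("ldaps://dc1.iamdev.local", user, "Pa55w0rd!")
    print(req["host"], req["port"], req["changes"][0][2][0])
    try:
        password_reset_request("ldap://dc1.iamdev.local:389", user, "Pa55w0rd!")
    except ValueError as err:
        print("rejected:", err)
```

The `require_ldaps` check is the pre-flight test worth running against whatever Host Url you enter in the managed-resource screen: if it is not ldaps://, user creation may appear to succeed while every password operation fails.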

Register the connector

If the Identity Manager has been installed using the steps in the installation guide, this step is not necessary, since the LDAP connector is registered as part of the product install. The following steps should ONLY be used if the LDAP connector has not been registered with the Identity Manager.

  • Log into the webconsole
  • Click on the Provisioning link on the menu bar
  • Next click on the Provisioning Connectors link followed by New.
  • You will see a screen where you can enter the details for the connector.



Connector Name: You can provide any value you like here. By default, we use 'LDAP CONNECTOR'.

Type: This is the metadata type associated with this connector. Enter LDAP_Connector.

Service Url: Since this connector is a web service, enter the URL for the service. By default this is: localhost:8080/openiam-idm-esb/idmsrvc/LDAPConnectorService
DO NOT add "http://" to the URL; the ESB takes care of that. If you change the port that the IDM server runs on, this URL must be updated as well.

Service Namespace: This is the namespace used by the service. Enter http://www.openiam.org/service/connector

Service Port: The port name that this service uses: 'LDAPConnectorServicePort'

Configure Connection to ACTIVE DIRECTORY

Once the connector has been registered with the Identity Manager, we need to configure the connectivity to Active Directory. This includes connection information, base DN, etc. Please follow the steps below to set up the connection.

  • Log into the webconsole
  • Click on the Provisioning link on the menu bar
  • Next click on the Managed Connections link
  • Select the security domain for this connection. In most cases this should be Default Security Domain
  • Next click on New Managed Resource. You will see a screen where you can enter the details for the connection.

Note:

  • If OpenIAM was installed using the steps described in the install guide, an entry for ACTIVE DIRECTORY has already been created. It is often easier to modify this predefined configuration than to create one from scratch. To view the existing connection, click on View Detail for the OPENIAM_ACTIVE_DIRECTORY managed resource.


Resource Name: Any value that will help you identify this LDAP connection.

Resource Type: Select Managed System. This field is optional.

Status: Set to Active to enable this connection.

Connector: Select LDAP Connector, or whatever name you gave the LDAP connector in the previous section.

Host Url: URL and port of the directory server to connect to, for example ldaps://<domain controller>:636. Because Active Directory only accepts password operations over TLS (see the note at the top of this page), use ldaps:// rather than ldap:// for AD. The domain controller's certificate must be trusted by the Java truststore of the IDM server, otherwise the connection fails during the TLS handshake.

Communication Protocol: Set to CLEAR. For LDAP and Active Directory the protocol is determined by the URL (ldap:// vs ldaps://), not by this field.

Login Id: The ID the connector uses to bind to the directory in order to create and delete users, e.g. mydomain\Administrator. For production use, a dedicated service account that has been delegated only the rights it needs over the Base DN (create, delete and modify user objects, reset passwords) is preferable to a domain administrator account.

Password: The password for the login ID entered above. OpenIAM stores it in encrypted form in its database.

Object Primary Key: The attribute used to form the user's unique name (the RDN). For Active Directory this is usually CN.

Base DN: The base DN within which the connector will search for and create users, for example CN=Users,DC=iamdev,DC=local.
Note: If users are to be created in different OUs, this can be defined in the ou.groovy script in the iamscripts/provisioning folder. If active synchronization is being used, this logic can also be added to the transformation scripts.

Search Filter: The search filter the connector uses to find objects within the Base DN. The default search filter for Active Directory is: (&(objectclass=user)(?))
Note: The object class used in this search should match the object class of the users you are searching for. If your organization uses a custom object class, this should be reflected in the search filter.

Search Base DN: The part of the tree in which the connector should search for users, for example CN=Users,DC=iamdev,DC=local.
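The Base DN, Object Primary Key and Search Filter settings above mean that, for every user, something substitutes the user's CN into the "(?)" placeholder of the filter and prepends "CN=<name>," to the Base DN. The Python example below is added here and is not OpenIAM code: it assumes "(?)" becomes an equality match on the primary key, and shows the escaping that step needs, RFC 4515 for filter values and RFC 4514 for DN values. Without it a name such as "*)(objectclass=*" turns the lookup into a match on every user object. The function names and sample values are this example's own.

```python
from __future__ import annotations

# Characters RFC 4515 (section 3) requires to be escaped as \XX inside a
# filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Characters RFC 4514 (section 2.4) requires to be backslash-escaped anywhere
# in a DN attribute value; a leading '#' or space and a trailing space also
# need it, and NUL becomes \00.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an RDN attribute value (e.g. the CN)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(template: str, key_attr: str, key_value: str) -> str:
    """Replace the (?) placeholder with an equality match on the primary key."""
    if "(?)" not in template:
        raise ValueError("filter template has no (?) placeholder")
    return template.replace("(?)", f"({key_attr}={escape_filter_value(key_value)})", 1)


def build_user_dn(key_attr: str, key_value: str, base_dn: str) -> str:
    """Compose the DN of a new user object directly under the Base DN."""
    return f"{key_attr}={escape_dn_value(key_value)},{base_dn}"


if __name__ == "__main__":
    # Constructed sample values matching the settings described on this page.
    template = "(&(objectclass=user)(?))"
    base_dn = "CN=Users,DC=iamdev,DC=local"
    hostile = "*)(objectclass=*"
    # Unescaped substitution: still a syntactically valid filter, but it now
    # matches every user object instead of one.
    print("naive  :", template.replace("(?)", f"(CN={hostile})", 1))
    print("escaped:", build_search_filter(template, "CN", hostile))
    print("dn     :", build_user_dn("CN", "Doe, Jane", base_dn))
```

The naive and escaped filters are both well-formed, which is why a parenthesis-balance check is no defence; the only reliable control is escaping every value that comes from user data, including values derived in the Groovy scripts mentioned above.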

 
 

Attribute Mapping

The next task is to determine which attributes we need to pass to the LDAP connector so that it can persist them in Active Directory. Since the Active Directory schema may have been extended, OpenIAM uses an attribute mapping model to account for these variations.

Combined with the Groovy scripting language, this lets us dynamically derive any attribute needed in Active Directory from the data maintained within OpenIAM. The mapping is expressed as a set of rules in the Identity Manager, called attribute policies, each of which maps to an LDAP attribute. More details on attribute policies and mappings are provided on a separate page.

 
 

Associate Resource To A Role

The final step in setting up provisioning to LDAP is to link the LDAP resource to a role. This will determine, based on Role, which users should be provisioned into LDAP.

To link Resources and Roles, follow the steps below:

  • Log into the webconsole
  • Select Role from the Access Control menu
  • Select the Security Domain (Default Domain is the default)
  • From the list of Roles, select the role to which the Active Directory resource should be assigned
  • Select Resource Map from the side menu
  • Select the Active Directory resource from the list and click Submit