IGA 2021.11.0

LDAP Onboarding

LDAP (Lightweight Directory Access Protocol) is an open, industry standard application protocol for storing distributed directory information. Typical directory information includes organizations, users, applications, and devices data.

IGA uses IDM generic LDAPv3 service connector that is based on the Java Naming and Directory Interface (JNDI) protocol. Popular brands of LDAPv3-compliant directory servers are supported, such as ForgeRock Directory Services (DS), OpenLDAP, Oracle Directory Server Enterprise Edition, IBM Security Directory Server, and Microsoft Active Directory.

Microsoft Active Directory onboarding procedures are covered in [chap-ad-onboarding].

Assumptions

The following preconditions are assumed for this example:

  • LDAP Server Exists. Make sure you have an LDAP server with data configured. The server should be running and accessible remotely.

  • IGA Setup. Make sure you have administrator privileges and have logged in to IGA.

Set Up Authoritative Application Onboarding

  1. On the IGA UI, click Applications > Add Application.

  2. For Application Type, click Enterprise, and then click Next.

  3. Click LDAP, and then click Next.

  4. On the Application Integration LDAP page, click Add Application.

  5. On the Application Details page, enter the following:

    1. Enter the name of the server.

    2. Enter a description for the server.

    3. Select or enter the application owner for the server.

    4. Optional. Specify the file path for the LDAP server logo.

    5. Click Create Application. You should see an "LDAP application successfully create!" message.

  6. On the Application Successfully Created page, click Configure Provisioning.

  7. On the Provisioning tab, click Authoritative if your LDAP server is authoritative, or a source of truth. You will see an Application Updated Successfully! message.

  8. Click Connect Application to set up the connection settings to the server.

  9. Enter some or all of the following settings, and then click Connect.

    • Host Name or IP. Enter the host name or IP address of the LDAP server.

    • Port. Enter the LDAP port number, for example, 1389.

    • Use SSL. Enable to turn on SSL.

    • Login Account DN. Enter the login account DN. For example, uid=admin.

    • Password. Enter the login account DN password.

    • Base DN. Enter the base DN for the LDAP users and groups to which you want to connect.

    • Base DN for LiveSync. Enter the base DN for the LDAP users and groups to which you want to connect. LiveSync captures any changes that occur in your LDAP server and automatically pushes them to IDM.

      For more advanced settings, see Advanced Settings.

  10. Click Authoritative if the server a trusted, source-of-truth database. Otherwise, keep it on Target.

  11. Click Connect. You will see a Connection Settings Updated message.

Reconciliation for Authoritative Applications

Reconciliation is the process of correlating and synchronizing identity attributes in IGA with data from the onboarded application. This ensures that any changed identity and application attributes are properly synchronized across other data stores and within IGA.

One important task in the reconciliation process is to set up attribute mappings in the objects between the external LDAP directory and the IGA data store. You also need to set up a correlation script that runs a query against the target depending on the mapping. For more information on correlation queries, see Writing Correlation Queries.

  1. Make sure that you have Authoritative enabled.

  2. Next, on the LDAP Application page for your server, click Choose Object Type, and select the __ACCOUNT__ object type.

    1. On the Add Object Type: ACCOUNT modal, click any object type properties to add to the object type.

    2. Click Add Object Type. You will see an Object Type Added Successfully! message.

  3. Click the Properties tab. Review the properties. To add a new property to the target, click Add Property.

    1. On the Add Property modal, select an account property. The associated property name appears in the Name field.

    2. Click Entitlement to set the property as an entitlement. This step adds the property to the entitlements lists.

    3. Click Save.

  4. Click the Mappings tab to set up the mapping rules for source and target properties. You will see a list of source versus target mappings.

    1. Click the dots on the right of a property, for example userName, and then click Rules.

    2. In the Edit Property modal, select the source property in the Select Source field, for example, uid. Click Save. You will see Mapping updated successfully!.

  5. Click Rules, and then click Add Correlation query to add a correlation script for your properties.

    1. Select or enter a link qualifier for the query. A link qualifier is a label that identifies the type of relationship between objects. Link qualifiers are typically used to map a single managed user account to multiple accounts, such as customer and employee. In this case, you would set up two link qualifiers, one for each account to the managed user’s account. For this example, select Default.

    2. Next, enter a correlation query. For example, the following script matches source and target objects if the value of the uid attribute on the target is the same as the userName attribute on the source:

      var qry = {'_queryFilter': 'target/userName eq \"' + source.uid[0] + '\"'}; qry

    3. Click Save. You should see a Mapping updated successfully message.

  6. Click the Inactive button, and select Activate. You will see an Application activated message.

  7. Once the application is active, click the Reconciliation tab, and then click Reconcile Now. You can view a summary report of the reconciliation job. You will see an Application reconciliation started! message.

  8. After the reconciliation, click View Report to review the results, regardless if it ended in success or failure. For a successful reconciliation, you will see something like the following:

    Last reconciled 11/17/2021 1:55:21 PM - SUCCESS

  9. Click View: All valid records to view the records. The options are the following:

    • All valid records. View all valid records.

    • 1-to-1 match. View one-to-one matching records.

    • No match found. View records where no match was found.

    • Conflicting matches. View any records that conflict with each other.

    • All other identities. View other identity records.

    • Unresolved source records. View any unresolved source records.

    • Unresolved target records. View any unresolved target records.

    • Ignored identities. View any ignored identity records.

If you see a reconciliation failure, you can troubleshoot the reconciliation by viewing the IDM logs for the error.

kubectl -n iga logs -f openidm-<pod-ID>

Make the fix, and then rerun the reconciliation.

Set Up Targeted Application Onboarding

  1. Follow the steps in the section, Set Up Authoritative Application Onboarding, select Target, and then follow the rest of the procedure to complete the connection.

Reconciliation for Targeted Applications

The reconciliation process for target applications differs slightly to that of authoritative applications.

  1. Next, on the LDAP Application page for your server, click Add Default Object Types. The __ACCOUNT__ and __GROUP__ object types are added.

  2. Click Group to review the group properties, and then click Save.

  3. Click the Properties tab. Review the properties. Click Add Property to add a new property.

    1. On the Add Property modal, select a property, for example, ldapGroups and click Entitlement.

    2. Click Entitlement to tag the attribute as an entitlement, which you can see after reconciliation on the entitlements menu.

    3. Select an object type, for example, Group.

    4. Click Save.

  4. Click Account, and then click Rules to set up the owner correlation scripts.

    1. Click Edit Correlation Script to add correlation script(s) for the owner correlation.

    2. In the Set Owner Correlation modal, enter the following correlation script:

      var userQueryFilter = "/userName eq \"" + source.uid.join(",") + "\"";
var user = openidm.query("managed/user", {"_queryFilter": userQueryFilter}, ["_id"]);
var userId = user._id;

    3. Click Save. You should see a Mapping Updated Successfully message.

  5. Click the Inactive button, and select Activate. You will see an Application Activated message.

  6. Once the application is active, click the Reconciliation tab, and then click Reconcile Now. You can view a summary report of the reconciliation job.

  7. You have the option to view all reconciled or some unreconciled records. The options are the following:

    • All valid records. View all valid records.

    • 1-to-1 match. View one-to-one matching records.

    • No match found. View records where no match was found.

    • Conflicting matches. View any records that conflict with each other.

    • All other identities. View other identity records.

    • Unresolved source records. View any unresolved source records.

    • Unresolved target records. View any unresolved target records.

    • Ignored identities. View any ignored identity records.

  8. Click the Assignments tab to check the populated users and groups.

  9. Click Entitlements to check the populated entitlements.

Viewing the Reconciliation Report

When a reconciliation job completed, either a success or failure, you can view a job summary report by clicking View Report.

The report displays the start and end times for the job, resulting state of the job, time duration of the job, and the number of success and failures.

The situation summary displays the synchronization situations and action as reported through IDM.

Advanced Settings

The advanced connection settings provide options to filter user or group entries, set up LDAP controls, specify failover LDAP servers, configure a provisioning timestamp, and other controls.

To use advanced connection settings:

  1. On the Connection Settings, click Show Advanced Settings.

  2. Click Filter Users to connect to only a subset of users by using a querying filter based on user attributes.

    1. Enter the User Filter.

    2. Enter the User Filter for LiveSync.

    3. Specify the user object classes to include in the query filter.

  3. Click Filter Groups to connect to only a subset of groups by using a querying filter based on group attributes.

    1. Enter the Group Filter.

    2. Enter the Group Filter for LiveSync.

    3. Specify the group object classes to include in the query filter.

  4. Enter the attributes to synchronize. For example, uid or cn. If blank, all attributes are synchronized.

  5. Enter a password hash algorithm, such as MD5 or sha256 that the identity system should hash the password.

  6. Click remove the log entry from the filter. This is enabled by default.

  7. Click Filter with OR instead of AND to fetch change log entries with OR, rather then the default AND.

  8. For List of Names to Filter, enter filter DNs. Always include uid=admin.

  9. For Get Group Member ID, click to specify whether to add an extra _memberId attribute to the group members. This setting is enabled by default but be aware that this property can incur a large performance cost on group handling.

  10. For Use block-based LDAP controls for simple-paged results and VLV index searches. This is enabled by default.

    1. Enter the block size.

  11. For Use Paged Results Control to retrieve change logs. Use only if useBlocks is true, in preferences over VLV.

    1. Enter the block size when retrieving change logs.

    2. Enter the change number attribute, such as changeNumber, which is the change log attribute containing the last change number.

    3. Enter the object classes to synchronize. IGA synchronizes only entries filtered with these object classes, such as inetOrgPerson.

  12. For Sort Attribute, enter the attribute to use to sort VLV indexes on the resouce. For example, uid.

  13. For Password Attribute, enter the name of the LDAP attribute that holds the password. For example, userPassword. When changing a user’s password, the new password is to this attribute.

  14. For Failover LDAP servers by URL, list all servers that should be used for failover.

  15. For How to Handle LDAP Referrals, enter a value to define how to handle LDAP referrals. Possible values are: follow, ignore, or throw.

  16. For Maintain POSIX Group Membership, enable this feature to update POSIX group members or retain referential integrity.

  17. For Read Schema, enable the LDAP connector to read the schema for LDAP users and groups.

  18. For Respect Resource Password Policy Change After Reset, click to bind with the Password Expired and Password Policy Controls.

  19. For Maintain LDAP Group Membership, click if you want IGA modifies group membership when entries are renamed or deleted.

  20. For User Timestamp for Provisioning, click to enable a timestamp.

  21. For Start TLS, click to initiate an TLS session over an insecure LDAP port. This requires disabling SSL.

  22. For Group Membership Attribute, enter the group attribute to be updated with the DN of newly added users.

  23. For uid attribute, enter the LDAP attribute as the immutable ID.

  24. For username attribute, enter the attribute to be used for the user name in the account, such as uid, cn.

  25. Click Connect.

Copyright © 2010-2025 ForgeRock, all rights reserved.