Synchronize LDAP Groups

This sample demonstrates synchronization between an LDAP directory and an IDM repository. The sample synchronizes LDAP group objects (rather than LDAP group membership, demonstrated in Synchronize LDAP Group Membership).

The sample has been tested with ForgeRock Directory Services (DS) but should work with any LDAPv3-compliant server. The sample includes mappings from the LDAP server to the IDM repository, and from the IDM repository to the LDAP server. During reconciliation, user entries and group entries are synchronized.

Sample Overview

The mapping configuration file, conf/sync.json, for this sample includes three mappings:

systemLdapAccounts_managedUser

Synchronizes users from the source LDAP server with the target IDM repository.

managedUser_systemLdapAccounts

Synchronizes users from the IDM repository to the LDAP server.

systemLdapGroups_managedGroup

Synchronizes groups from the source LDAP server with the target IDM repository.

This sample focuses only on the groups mapping, systemLdapGroups_managedGroup.

Prepare the Sample

  1. Set up DS using /path/to/openidm/samples/sync-with-ldap-groups/data/Example.ldif.

    The import file includes a number of LDAP groups, including:

    dn: ou=Groups,dc=example,dc=com
    ou: Groups
    objectClass: organizationalUnit
    objectClass: top
    
    dn: cn=openidm,ou=Groups,dc=example,dc=com
    uniqueMember: uid=jdoe,ou=People,dc=example,dc=com
    cn: openidm
    objectClass: groupOfUniqueNames
    objectClass: top
    
    dn: cn=openidm2,ou=Groups,dc=example,dc=com
    uniqueMember: uid=bjensen,ou=People,dc=example,dc=com
    cn: openidm2
    objectClass: groupOfUniqueNames
    objectClass: top

    The user with dn uid=jdoe,ou=People,dc=example,dc=com is also imported with the Example.ldif file.

    There is an additional user, bjensen, in the sample LDIF file. This user is essentially a "dummy" user, provided for compliance with RFC 4519, which stipulates that every groupOfUniqueNames object must contain at least one uniqueMember. bjensen is not actually used in this sample.

  2. Prepare IDM, and start the server using the sample configuration:

    cd /path/to/openidm/
    ./startup.sh -p samples/sync-with-ldap-groups

Run the Sample

You can run this sample using the command line or Admin UI:

  1. Reconcile the group objects over the REST interface:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request POST \
    "http://localhost:8080/openidm/recon?_action=recon&mapping=systemLdapGroups_managedGroup&waitForCompletion=true"
    {
      "_id": "83f5b34b-0ddd-4c39-9349-de24816487ff-1198",
      "state": "SUCCESS"
    }

    The reconciliation operation returns a reconciliation run ID along with operation status, and creates managed group objects for each group that exists in DS.

  2. To list the managed groups, run the following command:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request GET \
    "http://localhost:8080/openidm/managed/group?_queryFilter=true"
    {
      "result": [
        {
          "_id": "b6c4d7ce-2103-42c2-b5f2-74ca9309ad37",
          "_rev": "000000001298f6a6",
          "dn": "cn=Contractors,ou=Groups,dc=example,dc=com",
          "description": null,
          "uniqueMember": [],
          "name": "Contractors"
        },
        {
          "_id": "2326b9ee-6975-4c19-aa3c-d228afc4ff71",
          "_rev": "00000000dc6160c8",
          "dn": "cn=openidm2,ou=Groups,dc=example,dc=com",
          "description": null,
          "uniqueMember": [
            "uid=bjensen,ou=People,dc=example,dc=com"
          ],
          "name": "openidm2"
        },
        {
          "_id": "035f6444-bce3-4931-96b7-e10b2301fe74",
          "_rev": "000000004cab60c8",
          "dn": "cn=Employees,ou=Groups,dc=example,dc=com",
          "description": null,
          "uniqueMember": [],
          "name": "Employees"
        },
        {
          "_id": "65c8fb86-01e6-4fca-9237-e50c251f4575",
          "_rev": "0000000050c62938",
          "dn": "cn=Chat Users,ou=Groups,dc=example,dc=com",
          "description": null,
          "uniqueMember": [],
          "name": "Chat Users"
        },
        {
          "_id": "5c3e4965-16d7-4a8f-af73-3ab165b66cf9",
          "_rev": "000000004121fb7e",
          "dn": "cn=openidm,ou=Groups,dc=example,dc=com",
          "description": null,
          "uniqueMember": [
            "uid=jdoe,ou=People,dc=example,dc=com"
          ],
          "name": "openidm"
        }
      ],
      ...
    }
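
As an added verification step (not part of the sample or of IDM's own code), the following Python compares the groupOfUniqueNames entries in an LDIF file against a managed/group query result in the shape shown above, and reports source groups that reconciliation did not create as well as groups whose uniqueMember values differ. The LDIF and JSON inputs are constructed samples; in practice the JSON would come from the curl query above.

```python
import json

# Constructed sample: the two group entries from Example.ldif as quoted on this page.
SAMPLE_LDIF = """\
dn: cn=openidm,ou=Groups,dc=example,dc=com
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com
cn: openidm
objectClass: groupOfUniqueNames
objectClass: top

dn: cn=openidm2,ou=Groups,dc=example,dc=com
uniqueMember: uid=bjensen,ou=People,dc=example,dc=com
cn: openidm2
objectClass: groupOfUniqueNames
objectClass: top
"""

# Constructed sample: an abbreviated managed/group?_queryFilter=true response.
# openidm is absent and openidm2 has no members, so both checks below fire.
SAMPLE_MANAGED = json.dumps({"result": [
    {"_id": "x1", "dn": "cn=openidm2,ou=Groups,dc=example,dc=com",
     "name": "openidm2", "uniqueMember": []},
]})

def parse_ldif_groups(ldif_text):
    """Return {dn: set(uniqueMember)} for each groupOfUniqueNames entry.
    Assumes plain 'attr: value' lines (no base64 '::' values, no folded lines)."""
    groups = {}
    for block in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        if "groupOfUniqueNames" in attrs.get("objectClass", []):
            groups[attrs["dn"][0]] = set(attrs.get("uniqueMember", []))
    return groups

def compare_groups(ldif_text, managed_json):
    """List source groups absent from IDM and groups whose membership differs."""
    source = parse_ldif_groups(ldif_text)
    target = {g["dn"]: set(g.get("uniqueMember") or [])
              for g in json.loads(managed_json)["result"]}
    missing = sorted(dn for dn in source if dn not in target)
    drift = sorted(dn for dn in source if dn in target and source[dn] != target[dn])
    return {"missing": missing, "member_drift": drift}
```

An empty result for both lists means every group in the LDIF reached the repository with the same membership.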

To run the sample from the Admin UI instead:

  1. Log in to the Admin UI.

    Warning

    To protect your deployment in production, you must change the default administrative password. For more information, see "Change the Administrator User Password".

  2. From the navigation bar, click Configure > Mappings.

    The Mappings page displays three configured mappings:

    • From the LDAP server user accounts to the IDM repository (managed/user).

    • From the IDM managed users back to the LDAP accounts.

    • From the LDAP server group entries to the IDM managed/group entries.

  3. Select the LDAP groups to managed groups mapping, and click Reconcile.

    The reconciliation operation creates the two groups from the LDAP server in the IDM repository.

  4. From the navigation bar, click Manage > Group.

    IDM displays the five groups from the LDAP server (source) that were reconciled to the IDM repository (target).
