One Way Synchronization From LDAP to IDM
This sample demonstrates one-way synchronization from an LDAP directory to an IDM repository and shows how IDM detects new or changed objects from an external resource.
The sample has been tested with ForgeRock Directory Services (DS) but should work with any LDAPv3-compliant server. The configuration includes one mapping, from the LDAP resource to the IDM repository. The sample does not push any changes made to IDM managed user objects out to the LDAP server.
The mapping configuration file (conf/sync.json) for this sample includes one mapping, systemLdapAccounts_managedUser, which synchronizes users from the source LDAP server with the target IDM repository.
Prepare the Sample
Set up DS using /path/to/openidm/samples/sync-with-ldap/data/Example.ldif.
Prepare IDM, and start the server using the sample configuration:
cd /path/to/openidm/
./startup.sh -p samples/sync-with-ldap
Run the Sample
You can work through the sample using either the command line or the Admin UI:
Reconcile the repository:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser&waitForCompletion=true"
{ "_id": "b1394d10-29b0-4ccf-81d8-c88948ea121c-4", "state": "SUCCESS" }
The reconciliation operation creates the two users from the LDAP server in the IDM repository and assigns the new objects random unique IDs.
Retrieve the users from the repository:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/managed/user?_queryFilter=true&_fields=id,userName"
{ "result": [ { "_id": "0326cbff-8f6e-4531-97dd-7b1a4c04b23a", "_rev": "00000000657c9a27", "userName": "bjensen" }, { "_id": "9afbf2bc-0323-4cbe-89b3-92f2f47742c3", "_rev": "0000000015ae92f5", "userName": "jdoe" } ], ... }
To retrieve an individual user object, include their ID in the URL. For example:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/managed/user/0326cbff-8f6e-4531-97dd-7b1a4c04b23a"
{ "_id": "0326cbff-8f6e-4531-97dd-7b1a4c04b23a", "_rev": "00000000657c9a27", "displayName": "Barbara Jensen", "description": "Created for OpenIDM", "givenName": "Barbara", "mail": "bjensen@example.com", "sn": "Jensen", "telephoneNumber": "1-360-229-7105", "userName": "bjensen", "accountStatus": "active", "effectiveAssignments": [], "effectiveRoles": [] }
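The two REST calls above can be wrapped in a short check that runs the reconciliation, confirms the run finished with state SUCCESS, and compares the managed users against the set of accounts you expect from Example.ldif, so that a missing or unexpected account after a one-way sync is flagged rather than silently accepted. This is an added example, not code from the IDM sample; the base URL and the default credentials are taken from the page, the `_fields=userName` query and the `http` transport parameter are assumptions for testability.

```python
import json
import urllib.request

# Base URL and default credentials from the sample (assumed to be unchanged).
BASE_URL = "http://localhost:8080/openidm"
HEADERS = {
    "X-OpenIDM-Username": "openidm-admin",
    "X-OpenIDM-Password": "openidm-admin",
    "Accept-API-Version": "resource=1.0",
}


def http_json(method, path):
    """Default transport: call the IDM REST endpoint and decode the JSON reply."""
    req = urllib.request.Request(BASE_URL + path, method=method, headers=HEADERS)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def reconcile(mapping, http=http_json):
    """Run recon for one mapping; waitForCompletion=true blocks until the run ends."""
    return http("POST", f"/recon?_action=recon&mapping={mapping}&waitForCompletion=true")


def managed_usernames(http=http_json):
    """Return the set of userName values currently held in managed/user."""
    page = http("GET", "/managed/user?_queryFilter=true&_fields=userName")
    return {entry["userName"] for entry in page["result"]}


def verify_sync(mapping, expected, http=http_json):
    """Reconcile, then report whether the repository holds exactly the expected users.

    The returned dict lists accounts missing from IDM and accounts present in IDM
    that the source did not account for, so drift after a sync is visible.
    """
    outcome = reconcile(mapping, http)
    state = outcome.get("state")
    if state != "SUCCESS":
        return {"ok": False, "state": state, "missing": set(), "unexpected": set()}
    found = managed_usernames(http)
    missing = set(expected) - found
    unexpected = found - set(expected)
    return {"ok": not missing and not unexpected, "state": state,
            "missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    print(verify_sync("systemLdapAccounts_managedUser", {"bjensen", "jdoe"}))
```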
Log in to the Admin UI at http://localhost:8080/admin as the default administrative user, openidm-admin, with password openidm-admin.
Warning
To protect your deployment in production, you must change the default administrative password. For more information, see "Change the Administrator User Password".
Select Configure > Mappings.
The Mappings page displays one mapping, from the ldap server to the IDM repository (Managed/User).
Select the mapping, and click Reconcile.
The reconciliation operation creates the two users from the LDAP server in the IDM repository.
To verify the new users exist in the repository:
From the navigation bar, click Manage > User.
IDM displays the two users.
To view the details for a user account, from the User List page, click any username row.
The User details page displays.