IDM 7.2.0

Synchronize data between two external resources

This sample demonstrates synchronization between two external resources, routed through the IDM repository.

The resources are named LDAP and AD and represent two separate LDAP directories. In the sample both resources are simulated with simple CSV files.

The sample also demonstrates the (optional) configuration of an outbound email service. You can set up outbound email if you want to receive emailed reconciliation summaries.

Configure email for the sample

If you do not configure the email service, the functionality of the sample does not change. However, you might see the following message in the OSGi console when you run a reconciliation operation:

Email service not configured; report not generated.

To configure IDM to send a reconciliation summary by email, follow these steps:

  1. Copy external.email.json from samples/example-configurations/conf/ to the conf/ directory of this sample:

    cd /path/to/openidm/
    cp samples/example-configurations/conf/external.email.json samples/sync-two-external-resources/conf/
  2. Edit external.email.json for outbound email.

  3. In the samples/sync-two-external-resources/script directory, edit the reconStats.js script to reflect the correct email details.

    Near the start of the file, locate the var email variable and update the values as required:

    var email = {
          //UPDATE THESE VALUES
          from : "openidm@example.com",
          to : "youremail@example.com",
          cc : "idmadmin2@example.com,idmadmin3@example.com",
          subject : "Recon stats for " + global.mappingName,
          type : "text/html"
    },
    template,
    ...

Run the sample

No external configuration is required for this sample. Before you start, prepare IDM as described in Prepare IDM.

  1. Start the server with the configuration of this sample:

    cd /path/to/openidm/
    ./startup.sh -p samples/sync-two-external-resources
  2. Examine the data files.

    The CSV files that simulate the two LDAP resources are located in the openidm/samples/sync-two-external-resources/data/ directory. Look at the contents of these files. Initially, the csvConnectorLDAPData.csv file contains one user and the csvConnectorADData.csv file contains no users.

  3. Run a reconciliation operation to synchronize the contents of the simulated LDAP resource with the IDM repository.

    You can run the reconciliation in the admin UI (Configure > Mappings, click systemLdapAccounts_managedUser, then click Reconcile) or over the command line as follows:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request POST \
    "http://localhost:8080/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser&waitForCompletion=true"
    {
      "_id": "75e08ea9-411f-4c25-96b9-8e2396fb75aa-1062",
      "state": "SUCCESS"
    }

    The reconciliation creates a managed user in the IDM repository. You do not need to run a second reconciliation to synchronize the AD resource. Implicit synchronization propagates any change made to managed users in the repository to the simulated AD resource.

    For more information about implicit synchronization, see Synchronization types.

  4. Review the contents of the simulated AD resource (csvConnectorADData.csv):

    more /path/to/openidm/samples/sync-two-external-resources/data/csvConnectorADData.csv
    "uid", "username", "firstname", "description", "email", "lastname"
    "1",,"Barbara",,"bjensen@example.com","Jensen"

    This file should now contain the same user that was present in the csvConnectorLDAPData.csv file.

    Alternatively, you can list users in the AD resource with the following command:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request GET \
    "http://localhost:8080/openidm/system/ad/account?_queryId=query-all-ids"
    {
      "result": [
        {
          "_id": "1",
          "name": "1"
        }
      ],
      ...
    }
  5. Use the _id of the user to read the complete user record from the AD resource:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request GET \
    "http://localhost:8080/openidm/system/ad/account/1"
    {
      "_id": "1",
      "firstname": "Barbara",
      "lastname": "Jensen",
      "email": [
        "bjensen@example.com"
      ],
      "name": "1"
    }
  6. To verify that the sample is working, repeat the process.

    Set up a second user in the csvConnectorLDAPData.csv file. The following example shows how that file might appear with a second user (scarter):

    "uid","username","firstname","description", "email", "lastname"
    "1", "bjensen", "Barbara", "Created By CSV","bjensen@example.com","Jensen"
    "2", "scarter", "Steve", "Created By CSV","scarter@example.com","Carter"
  7. Rerun the reconciliation and query REST commands shown previously.

    The reconciliation operation creates the new user from the simulated LDAP resource in the IDM repository. An implicit synchronization operation then creates that user in the AD resource.

  8. If you configured the reconciliation email summary at the beginning of this sample, you should have received an email that lists the details of the reconciliation operations.
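To check the result of steps 4 to 7 without opening the files by hand, the following added script (not part of the sample) compares the two simulated resources and lists LDAP users that implicit synchronization has not yet propagated to AD. The CSV contents are constructed inline to match the sample's data files after the second user is added but before the second reconciliation; matching is done on email because the AD uid is the connector's own _id rather than the LDAP uid.

```python
"""Compare the CSV files that simulate the LDAP and AD resources and report
LDAP users missing from AD, plus name mismatches between the two (added example)."""
import csv
import io

# Constructed copies of the sample's data files: LDAP after step 6 (two users),
# AD after the first reconciliation only (bjensen present, scarter not yet).
LDAP_CSV = '''"uid","username","firstname","description", "email", "lastname"
"1", "bjensen", "Barbara", "Created By CSV","bjensen@example.com","Jensen"
"2", "scarter", "Steve", "Created By CSV","scarter@example.com","Carter"
'''
AD_CSV = '''"uid", "username", "firstname", "description", "email", "lastname"
"1",,"Barbara",,"bjensen@example.com","Jensen"
'''


def read_accounts(text):
    """Parse one simulated-resource CSV into {email: row}.
    skipinitialspace=True copes with the space-after-comma style in these files."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    accounts = {}
    for row in reader:
        # Email is the attribute that survives LDAP -> managed user -> AD unchanged.
        email = (row.get("email") or "").strip()
        if email:
            accounts[email] = row
    return accounts


def compare_resources(ldap_text, ad_text):
    """Return (missing, drifted): emails in LDAP but not in AD, and emails in
    both whose firstname or lastname differ between the two resources."""
    ldap = read_accounts(ldap_text)
    ad = read_accounts(ad_text)
    missing = sorted(e for e in ldap if e not in ad)
    drifted = sorted(
        e for e in ldap if e in ad
        and any((ldap[e].get(k) or "") != (ad[e].get(k) or "")
                for k in ("firstname", "lastname"))
    )
    return missing, drifted


if __name__ == "__main__":
    missing, drifted = compare_resources(LDAP_CSV, AD_CSV)
    print("LDAP users not yet in AD:", missing)
    print("Users whose name differs between LDAP and AD:", drifted)
```

Point the two constants at the real files under samples/sync-two-external-resources/data/ to run the same check against the sample after each reconciliation.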

Copyright © 2010-2022 ForgeRock, all rights reserved.