IDM 7.2.0

Two-way synchronization between LDAP and IDM

This sample demonstrates bidirectional synchronization between an LDAP directory and an IDM repository.

The sample has been tested with ForgeRock Directory Services, but should work with any LDAPv3-compliant server. The configuration includes two mappings, one from the LDAP resource to the IDM repository, and one from IDM to LDAP.

In this sample, you will start IDM and reconcile the two data sources. The mapping configuration file (sync.json ) for this sample includes two mappings, systemLdapAccounts_managedUser, which synchronizes users from the source LDAP server with the target repository, and managedUser_systemLdapAccounts, which synchronizes changes from the repository to the LDAP server.

Prepare the sample

  1. Set up DS using /path/to/openidm/samples/sync-with-ldap-bidirectional/data/Example.ldif .

  2. Prepare IDM, and start the server using the sample configuration:

    cd /path/to/openidm/
    ./startup.sh -p samples/sync-with-ldap-bidirectional

Run the sample

You can work through the sample using the command line or the admin UI:

Use the Command Line
  1. Reconcile the repository over the REST interface:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request POST \
    "http://localhost:8080/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser&waitForCompletion=true"
    {
      "state": "SUCCESS",
      "_id": "027e25e3-7a33-4858-9080-161c2b40a6bf-2"
    }

    The reconciliation operation returns a reconciliation run ID and the status of the operation. Reconciliation creates user objects from LDAP in the IDM repository, assigning the new objects random unique IDs.

  2. To retrieve the users from the repository, query their IDs:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request GET \
    "http://localhost:8080/openidm/managed/user?_queryFilter=true&_fields=_id"
    {
      "result": [
        {
          "_id": "d460ed00-74f9-48fb-8cc1-7829be60ddac",
          "_rev": "00000000792afa08"
        },
        {
          "_id": "74fe2d25-4eb1-4148-a3ae-ff80f194b3a6",
          "_rev": "00000000a92657c7"
        }
      ],
      …​
    }
  3. To retrieve individual user objects, include the ID in the URL, for example:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request GET \
    "http://localhost:8080/openidm/managed/user/d460ed00-74f9-48fb-8cc1-7829be60ddac"
    {
      "_id": "d460ed00-74f9-48fb-8cc1-7829be60ddac",
      "_rev": "00000000792afa08",
      "displayName": "Barbara Jensen",
      "description": "Created for OpenIDM",
      "givenName": "Barbara",
      "mail": "bjensen@example.com",
      "telephoneNumber": "1-360-229-7105",
      "sn": "Jensen",
      "userName": "bjensen",
      "accountStatus": "active",
      "effectiveRoles": [],
      "effectiveAssignments": []
    }
  4. To test the second mapping, create a user in the IDM repository:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --header "Content-Type: application/json" \
    --request POST \
    --data '{
      "mail": "fdoe@example.com",
      "sn": "Doe",
      "telephoneNumber": "555-1234",
      "userName": "fdoe",
      "givenName": "Felicitas",
      "description": "Felicitas Doe",
      "displayName": "fdoe"}' \
    "http://localhost:8080/openidm/managed/user?_action=create"
    {
      "_id": "90d1f388-d8c3-4438-893c-be4e498e7a1c",
      "_rev": "00000000792afa08",
      "mail": "fdoe@example.com",
      "sn": "Doe",
      "telephoneNumber": "555-1234",
      "userName": "fdoe",
      "givenName": "Felicitas",
      "description": "Felicitas Doe",
      "displayName": "fdoe",
      "accountStatus": "active",
      "effectiveRoles": [],
      "effectiveAssignments": []
    }
  5. By default, implicit synchronization is enabled for mappings from the managed/user repository to any external resource. This means that when you update a managed object, any mappings defined in the sync.json file that have the managed object as the source are automatically executed to update the target system. For more information, see Resource mapping.

    To test that the implicit synchronization has been successful, query the users in the LDAP directory over REST:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request GET \
    "http://localhost:8080/openidm/system/ldap/account?_queryId=query-all-ids"
    {
      "result": [
        {
          "_id": "0da50512-79bb-3461-bd04-241ee4c785bf"
        },
        {
          "_id": "887732e8-3db2-31bb-b329-20cd6fcecc05"
        },
        {
          "_id": "2f03e095-ec81-4eb5-9201-a4df2f1f9add"
        }
      ],
      …​
    }

    Note the additional user entry.

  6. To query the complete entry, include the _id in the URL:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request GET \
    "http://localhost:8080/openidm/system/ldap/account/2f03e095-ec81-4eb5-9201-a4df2f1f9add"
    {
      "_id": "2f03e095-ec81-4eb5-9201-a4df2f1f9add",
      "givenName": "Felicitas",
      "dn": "uid=fdoe,ou=People,dc=example,dc=com",
      "mail": "fdoe@example.com",
      "ldapGroups": [],
      "uid": "fdoe",
      "employeeType": [],
      "aliasList": [],
      "telephoneNumber": "555-1234",
      "kbaInfo": [],
      "cn": "fdoe",
      "objectClass": [
        "person",
        "organizationalPerson",
        "inetOrgPerson",
        "top"
      ],
      "sn": "Doe",
      "description": "Felicitas Doe"
    }
Use the admin UI
  1. Log in to the admin UI.

  2. From the navigation bar, click Configure > Mappings .

    The Mappings page displays two configured mappings, one from the ldap server to the IDM repository (managed/user) and one from the repository to the ldap server.

  3. Select the LDAP to managed user mapping, and click Reconcile .

    The reconciliation operation creates the two users from the LDAP server in the IDM repository.

  4. To view the new users in the repository, from the navigation bar, click Manage > User .

    IDM displays the two users.

  5. To add a user account, from the User List page, click + New User .

  6. On the New User page, enter the user details, and click Save .

    By default, implicit synchronization is enabled for mappings from the managed/user repository to any external resource. This means that when you update a managed object, any mappings defined in the sync.json file that have the managed object as the source are automatically executed to update the target system. For more information, see Resource mapping.
  7. To test for successful implicit synchronization, from the navigation bar, click Manage > User .

    • From the Users List page, click the new user you created in the previous step.

    • Click the Linked Systems tab.

      IDM displays the user’s mapped external resource.

Copyright © 2010-2022 ForgeRock, all rights reserved.