Select a Repository
By default, IDM uses an embedded ForgeRock Directory Services (DS) instance for its internal repository. This means that you don't need to install a database to evaluate the software. Before you use IDM in production, you must replace the embedded DS repository with a supported repository. For supported versions, see Supported Repositories.
Neither the default embedded DS repository nor an external DS repository supports storage of audit data. Audit logging to the repository is disabled by default. Do not enable logging to the repository if you are using a DS repository.
The "MySQL Repository" instructions are also applicable to MariaDB.
You must also decide how IDM should map objects to the tables in a JDBC database or to organizational units in DS:
Generic mapping, which allows you to store arbitrary objects without special configuration or administration.
Explicit mapping, which maps specific objects and properties to tables and columns in the JDBC database or to organizational units in DS.
By default, IDM uses a generic mapping for user-definable objects, for both a JDBC and a DS repository. A generic mapping speeds up initial deployment, and can make system maintenance more flexible by providing a stable database structure. In a test environment, generic tables enable you to modify the user and object model easily, without database access, and without the need to constantly add and drop table columns. However, generic mapping does not take full advantage of the underlying database facilities, such as validation within the database and flexible indexing. Using an explicit mapping generally results in a substantial performance improvement. It is therefore strongly advised that you change to an explicit mapping before deploying in a production environment. If you are integrating IDM with other ForgeRock Identity Platform products, your repository must use an explicit schema mapping.
IDM provides a sample configuration, for each JDBC repository, that sets up an explicit mapping for the managed user object and a generic mapping for all other managed objects. This configuration is defined in the files named /path/to/openidm/db/repository/conf/repo.jdbc-repository-explicit-managed-user.json. To use this configuration, copy the file that corresponds to your repository to your project's conf/ directory and rename it repo.jdbc.json. Run the sample-explicit-managed-user.sql data definition script (in the path/to/openidm/db/repository/scripts directory) to set up the corresponding tables when you configure your JDBC repository.
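Before moving to production, it helps to confirm which managed objects a repo.jdbc.json file actually stores in explicit tables. The following check is an added example, not part of the IDM documentation or product. It assumes the mappings live under a resourceMapping section with genericMapping and explicitMapping keys, that an exact explicit entry takes precedence over a generic wildcard, and it uses a constructed sample with made-up table and column names.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample in the shape of a repo.jdbc.json "resourceMapping" section.
# Key names (resourceMapping, genericMapping, explicitMapping) are assumptions,
# not taken from this page; table and column names are made up.
SAMPLE_REPO_JDBC = json.loads("""
{
  "resourceMapping": {
    "default": {"mainTable": "genericobjects"},
    "genericMapping": {
      "managed/*": {"mainTable": "managedobjects"},
      "managed/role": {"mainTable": "managedobjects"}
    },
    "explicitMapping": {
      "managed/user": {
        "table": "managed_user",
        "objectToColumn": {"_id": "objectid", "userName": "username"}
      }
    }
  }
}
""")

def mapping_kind(config, resource):
    """Return 'explicit', 'generic' or 'default' for a resource path."""
    mapping = config.get("resourceMapping", {})
    # Assumption: an exact explicit entry wins over any generic wildcard.
    if resource in mapping.get("explicitMapping", {}):
        return "explicit"
    for pattern in mapping.get("genericMapping", {}):
        if fnmatchcase(resource, pattern):
            return "generic"
    return "default"

def not_explicit(config, required):
    """List the required resources that would not be stored in explicit tables."""
    return [r for r in required if mapping_kind(config, r) != "explicit"]

if __name__ == "__main__":
    required = ["managed/user", "managed/role"]
    for res in required:
        print(f"{res}: {mapping_kind(SAMPLE_REPO_JDBC, res)}")
    print("still generic:", not_explicit(SAMPLE_REPO_JDBC, required))
```

To check a real deployment, load the project's conf/repo.jdbc.json with json.load and pass the result in place of the sample.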
This chapter describes how to set up IDM to work with each of the supported repositories, and lists the minimum rights required for database installation and operation.