Sun Java[TM] System Identity Manager 7.1 Resources Reference |
LDAPIdentity Manager provides the following resource adapters for supporting Lightweight Directory Access Protocol (LDAP) v3:
GUI Name
Class Name
LDAP
com.waveset.adapter.LDAPResourceAdapter
LDAP Listener Active Sync
com.waveset.adapter.LDAPListenerActiveSyncAdapter
The LDAP adapter provides provisioning services for standard LDAP installations.It can also read the replication changelog of an LDAP server and apply those changes to Identity Manager users or custom workflows.
The LDAP Listener Active Sync adapter uses an LDAP Listener to discover changes as they are made on the server, queues them, and processes them at the scheduling interval. The listener is primarily intended for demos as it requires the Identity Manager server to be connected at all times. Any changes made when the adapter is not running will be lost.
Resource Configuration Notes
To setup a Sun Java System Directory Server resource for use with the LDAP adapter, you must configure the server to enable the change log and enable tracking of modifier information. This is done from the directory server configuration tab.
- Click on the Replication folder, then select the “Enable change log” box. For 5.0 and later servers, you must also enable the RetroChangelog Snapin. On the configuration tab go to the plugin object, select the Retro change log plugin and enable it.
- To verify that the server is configured to maintain special attributes for newly created or modified entries, in the Directory Server console, click the Configuration tab, then select the root entry in the navigation tree in the left pane.
- Click the Settings subtab and verify that the Track Entry Modification Times box is checked.
The server adds the following attributes to a newly created or modified entry to determine if an event was initiated from Identity Manager.
To connect to a directory server via SSL in which a self-signed certificate has been implemented, perform the following procedure:
- Export the CA certificate from the directory server to a temporary file. For example, on Sun Java System Directory, enter the following command:
certutil -L -d DB_Directory -P slapd-HostName- -n Nickname -a > ds-cert.txt
- Import this certificate into your keystore.
cd $JAVA_HOME/jre/lib/security
keytool -import -file PathTo/ds-cert.txt -keystore ./cacerts
-storepass changeit -trustcacertsIdentity Manager Installation Notes
No additional installation procedures are required on this resource.
Usage Notes
This section provides information related to using the LDAP resource adapter, which is organized into the following sections:
For information about enabling password synchronization on an LDAP resource, see Synchronizing LDAP Passwords.
General Notes
You should create an Identity Manager service account to connect to LDAP, rather than using the administrator account CN=Directory Manager. Use your LDAP Directory Server management tool to set permissions via an ACI (access control instructions) at each base context.
Set the permissions in the ACI based on the source. If the adapter is connecting to an authoritative source, then set read, search, and possibly compare permissions only. If the adapter is used to write back, then you will need to set write and possibly delete permissions.
For the Listener adapter, the changes by users listed in the “Filter changes by” resource parameter will be ignored. Add the User DN used by any adapter to make changes through Identity Manager. This avoids loops where a change is made through Identity Manager, and then the change is detected and reapplied. If this field is blank, changes from any administrator are processed and will be filtered by the Identity Manager provisioning engine if they are unnecessary.
The sources.ResourceName.hosts property in the waveset.properties file can be used to control which host or hosts in a cluster will be used to execute the synchronization portion of an Active Sync resource adapter. ResourceName must be replaced with the name of the Resource object.
Virtual List View Support
In Directory Server, the nsLookThroughLimit and nsslapd-sizelimit attributes define how many LDAP entries can be searched and returned, respectively. The default value for nsLookThroughLimit is 5,000, while the default for nsslapd-sizelimit is 2,000. Both attributes can be set to -1 to disable limits. You must restart Directory Server if you change the value of these attributes.
It is not always desirable to change the default values. To improve performance on LDAP searches, you can enable the LDAP Virtual List View (VLV) control. VLV returns partial results of a search, rather than returning all results at once.
The Use Blocks resource attribute enables Identity Manager to stay within the query result size limit by using the VLV control. The Block Count resource attribute specifies how many users to return, but this value must be less than or equal to the value set in the nsslapd-sizelimit attribute.
A VLV index (also known as a browsing index) must be created, or the nsslapd-sizelimit size limit will still be in effect. Using a VLV index significantly improves the performance of iterating over accounts, so you should set up the index if you plan to reconcile, load from resource, or export to file frequently.
Refer to the Directory Server documentation for detailed instructions on creating a VLV index. The basic process follows:
- Create a vlvsearch object with the following properties:
vlvbase: YourBaseContext
vlvfilter: (&(objectclass=top)(objectclass=person)
(objectclass=organizationalPerson) (objectclass=inetorgperson))vlvscope: 2
The vlvbase attribute must match the value specified in the Base Context resource attribute. The vlvfilter attribute must contain the classes specified in the Object Classes resource attribute in the format shown. The vlvscope value of 2 indicates subtree searches.
- Create a vlvindex component as a subobject of vlvsearch. The vlvsort attribute must be set to uid.
- Build the VLV index using the vlvindex command or other mechanism.
- Set permissions via access control instructions (ACI) for the following:
To set up VLV for the changelog, use the following general steps. Refer to the Directory Server documentation for detailed instructions.
- If you have not already done so, create a browsing index for the changelog. If you use the Directory Server user interface, then by default, a vlvsearch object named “MCC cn=changelog” and a vlvindex object named “SN MCC cn=changelog” will be created.
- Set permissions via access control instructions (ACI) so that the Identity Manager account has read, compare, and search rights for the following:
- The changelog (cn=changelog)
- The vlvsearch object (cn=”MCC cn=changelog”,cn=config,cn=ldbm)
- The vlvindex object (“SN MCC cn=changelog”,cn=config,cn=ldbm)
Active Sync Configuration
Before Identity Manager 5.5, the LDAP Active Sync adapters used the Process to run with changes field to determine which process to launch when a change was detected. The process specified in this field is now specified in the Active Sync Resolve Process Rule.
In addition, before Identity Manager 5.5, if the Process deletes as updates check box was selected, Identity Manager would disable a deleted Identity Manager user as well as all resource accounts and mark the user for later deletion. By default, this check box was selected. In Identity Manager 5.5 and beyond, this functionality is configured by setting the Delete Rule set to None.
If the checkbox was previously deselected, then the Delete Rule will be set to ActiveSync has isDeleted set.
Disabling and Enabling Accounts
The LDAP adapter provides several ways to disable accounts on an LDAP resource. Use one of the following techniques to disable accounts.
Change the password to an unknown value
To disable accounts by changing the password to an unknown value accounts, leave the LDAP Activation Method and LDAP Activation Parameter fields blank. This is the default method for disabling accounts. The account can be re-enabled by assigning a new password.
Assign the nsmanageddisabledrole role
To use the nsmanageddisabledrole LDAP role to disable and enable accounts, configure the LDAP resource as follows:
- On the Resource Parameters page, set the LDAP Activation Method field to nsmanageddisabledrole.
- Set the LDAP Activation Parameter field to IDMAttribute=CN=nsmanageddisabledrole,baseContext. (IDMAttribute will be specified on the schema in the next step.)
- On the Account Attributes page, add IDMAttribute as an Identity System User attribute. Set the Resource User attribute to nsroledn. The attribute must be of type string.
- Create a group named nsAccountInactivationTmp on the LDAP resource and assign CN=nsdisabledrole,baseContext as a member.
LDAP accounts can now be disabled. To verify using the LDAP console, check the value of the nsaccountlock attribute. A value of true indicates the account is locked.
If the account is later re-enabled, the account is removed from the role.
Set the nsAccountLock attribute
To use the nsAccountLock attribute to disable and enable accounts, configure the LDAP resource as follows:
- On the Resource Parameters page, set the LDAP Activation Method field to nsaccountlock.
- Set the LDAP Activation Parameter field to IDMAttribute=true. (IDMAttribute will be specified on the schema in the next step.) For example, accountLockAttr=true.
- On the Account Attributes page, add the value specified in the LDAP Activation Parameter field as an Identity System User attribute. Set the Resource User attribute to nsaccountlock. The attribute must be of type string.
- Set the nsAccountLock LDAP attribute on the resource to true.
Identity Manager sets nsaccountlock to true when disabling an account. It also assumes that pre-existing LDAP users that have nsaccountlock set to true are disabled. If the nsaccountlock has any value other than true (including null), the system concludes the user is enabled.
Disable accounts without the nsmanageddisabledrole and nsAccountLock attributes
If the nsmanageddisabledrole and nsAccountLock attributes are not available on your directory server, but the directory server has a similar method of disabling accounts, enter one of the following class names into the LDAP Activation Method field. The value to enter in the LDAP Activation Parameter field varies, depending on the class.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses Java Naming and Directory Interface (JNDI) over TCP/IP or SSL to communicate with the LDAP adapter.
Required Administrative Privileges
If the value cn=Directory Manager is specified in the User DN resource parameter, then the Identity Manager administrator has the necessary permissions to manage LDAP accounts. If a different distinguished name is specified, that user must have the ability to read, write, delete, and add users.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature
Supported?
Enable/disable account
Yes
Rename account
Yes
Pass-through authentication
Yes
Before/after actions
No
Data loading methods
Account Attributes
The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports boolean, string, integer, and binary syntaxes. A binary attribute is an attribute that can be safely expressed only as a byte array.
The following table lists the supported LDAP syntaxes. Other LDAP syntaxes might be supported, as long as it is boolean, string, or integer in nature. Octet strings are NOT supported.
Default Account Attributes
The following attributes are displayed on the Account Attributes page for the LDAP resource adapters. All attributes are of type String unless otherwise noted.
Group Management Attributes
The account attributes in the following table are not displayed in the schema by default. You must add the attribute to the schema map before you can manage groups.
Note the following behavior when either posixGroups or ldapGroups is defined in the schema map:
- When an LDAP account is deleted, then Identity Manager removes the account's DN from any LDAP groups and the account’s uid from any posixGroups.
- When the uid of an account changes, then Identity Manager replaces the old uid with the new uid in the appropriate posixGroups.
- When an account is renamed, then Identity Manager replaces the old DN with the new DN in the appropriate LDAP groups.
Person Object Class
The following table lists additional supported attributes that are defined in the LDAP Person object class. Some attributes defined in the Person object class are displayed by default.
Organizationalperson Object Class
The following table lists additional supported attributes that are defined in the LDAP Organizationalperson object class. This object class can also inherit attributes from the Person object class.
inetOrgPerson Object Class
The following table lists additional supported attributes that are defined in the LDAP inetOrgPerson object class. This object class can also inherit attributes from the organizationalPerson object class.
Resource Object Management
Identity Manager supports the following LDAP objects by default. Any string-, integer-, or boolean-based attributes can also be managed.
The LDAP resource adapter provides management of posixGroup entries. By default, the list of accounts that are available to be assigned to a posixGroup have the posixAccount object class. The LDAP Create Posix Group Form and LDAP Update Posix Group From can be customized to list accounts other than posixAccounts. However, these accounts must have a uid attribute defined to be a member of a posixGroup.
Identity Template
The default identity template is
uid=$accountId$,ou=EngUsers,dc=support,dc=waveset,dc=com
You must replace the default template with a valid value.
Sample Forms
Built-in
Also Available
The LDAPGroupCreateExt.xml and LDAPGroupUpdateExt.xml forms allow non-unique member names.
Troubleshooting
Use the Identity Manager debug pages to set trace options on one or more of the following classes: