The LDAP adapter provides provisioning services for standard LDAP installations. It can also read the replication changelog of an LDAP server and apply those changes to Identity Manager users or custom workflows.
The LDAP ChangeLog Active Sync and LDAP Listener Active Sync adapters have been deprecated. All functionality of these adapters has been merged into the LDAP resource adapter.
The LDAP adapter supports Active Sync for the Sun Java System Directory Server resource using the resource's Retro change log. On the Identity Manager side, use either LDAPActiveSyncForm.xml or LDAPPasswordActiveSyncForm.xml as the input form for synchronization. See Chapter 4, Data Loading and Synchronization, in Sun Identity Manager Deployment Guide and Chapter 51, Synchronizing LDAP Passwords, for details on configuring Identity Manager.
To configure the Sun Java System Directory Server to enable the change log and tracking of modifier information, use the following instructions as a guide (the actual procedure depends on the Directory Server version).
From the directory server configuration tab, click on the Replication folder, then select the “Enable change log” box. For 5.0 and later servers, you must also enable the RetroChangelog Snapin: on the configuration tab go to the plugin object, select the Retro change log plugin and enable it.
To verify that the server is configured to maintain special attributes for newly created or modified entries, in the Directory Server console, click the Configuration tab, then select the root entry in the navigation tree in the left pane.
Click the Settings subtab and verify that the Track Entry Modification Times box is checked.
The server adds the following attributes to a newly created or modified entry to determine if an event was initiated from Identity Manager.
creatorsName: The DN of the person who initially created the entry.
modifiersName: The DN of the person who last modified the entry.
Connect to a directory server through SSL in which a self-signed certificate has been implemented by performing the following procedure:
Export the CA certificate from the directory server to a temporary file. For example, on Sun Java System Directory Server, enter the following command:
certutil -L -d DB_Directory -P slapd-HostName- -n Nickname -a > ds-cert.txt
Import this certificate into your keystore.
cd $JAVA_HOME/jre/lib/security
keytool -import -file PathTo/ds-cert.txt -keystore ./cacerts -storepass changeit -trustcacerts
No additional installation procedures are required on this resource.
This section provides information related to using the LDAP resource adapter, which is organized into the following sections:
For information about enabling password synchronization on an LDAP resource, see Chapter 51, Synchronizing LDAP Passwords.
You should create an Identity Manager service account to connect to LDAP, rather than using the administrator account CN=Directory Manager. Use your LDAP Directory Server management tool to set permissions by an ACI (access control instructions) at each base context.
Set the permissions in the ACI based on the source. If the adapter is connecting to an authoritative source, then set read, search, and possibly compare permissions only. If the adapter is used to write back, then you will need to set write and possibly delete permissions.
If the account will be used for monitoring the changelog, an ACI should also be created on cn=changelog. The permissions should be set to read and search only, because you cannot write or delete changelog entries.
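The following is an added example, not part of the Identity Manager documentation or product, that renders the least-privilege ACIs described above for a dedicated service account. The ACI syntax is the Sun/Netscape Directory Server format; the service account DN and base context are constructed placeholders, and the rights per role (read-only for an authoritative source, write/delete added for write-back, read/search only on cn=changelog) follow the text above.

```python
# Added example (not Identity Manager code): least-privilege ACIs for the
# Identity Manager service account.  DNs are constructed placeholders.

SERVICE_DN = "cn=idm-svc,ou=Services,dc=example,dc=com"   # constructed
BASE_CONTEXT = "ou=People,dc=example,dc=com"               # constructed
CHANGELOG_DN = "cn=changelog"

# Rights each adapter role needs: authoritative sources are read-only,
# write-back adds write/delete, the changelog is read/search only.
RIGHTS = {
    "authoritative": ("read", "search", "compare"),
    "writeback": ("read", "search", "compare", "write", "delete"),
    "changelog": ("read", "search"),
}

# Rights keywords Directory Server ACIs understand.
VALID_RIGHTS = {"read", "write", "add", "delete", "search", "compare",
                "selfwrite", "proxy", "all"}


def build_aci(name, rights, bind_dn, targetattr="*"):
    """Return one ACI value granting `rights` to `bind_dn` (Sun DS syntax)."""
    allowed = ", ".join(rights)
    return (f'(targetattr = "{targetattr}")'
            f'(version 3.0; acl "{name}"; allow ({allowed}) '
            f'userdn = "ldap:///{bind_dn}";)')


def service_account_acis(role, bind_dn=SERVICE_DN, base=BASE_CONTEXT):
    """Return {target DN: ACI value} for an adapter role.

    The changelog ACI is read/search only whatever the role, because
    changelog entries cannot be written or deleted.
    """
    if role not in ("authoritative", "writeback"):
        raise ValueError(f"unknown role {role!r}")
    return {
        base: build_aci(f"IdM {role} access", RIGHTS[role], bind_dn),
        CHANGELOG_DN: build_aci("IdM changelog read", RIGHTS["changelog"], bind_dn),
    }


def check_least_privilege(acis):
    """Flag ACIs that grant write/delete/add on the changelog or use unknown rights."""
    problems = []
    for target, aci in acis.items():
        allow = aci.split("allow (")[1].split(")")[0]
        granted = {r.strip() for r in allow.split(",")}
        if granted - VALID_RIGHTS:
            problems.append(f"{target}: unknown rights {sorted(granted - VALID_RIGHTS)}")
        if target == CHANGELOG_DN and granted & {"write", "delete", "add"}:
            problems.append(f"{target}: write/delete granted on changelog")
    return problems


def to_ldif(acis):
    """Render the ACIs as ldapmodify change records, one per target entry."""
    return "\n".join(f"dn: {target}\nchangetype: modify\nadd: aci\naci: {aci}\n"
                     for target, aci in acis.items())


if __name__ == "__main__":
    print(to_ldif(service_account_acis("authoritative")))
```

Feed the LDIF to ldapmodify as a directory administrator; the `check_least_privilege` function is the review step to run before doing so, so that a changelog ACI never carries write rights.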
The LDAP adapter can manage aliases. However, when a getUser call is performed, the alias is dereferenced and the adapter returns the referenced object. As a result, the adapter will not find attributes on the alias object itself.
This occurs because JNDI defaults to the following setting:
java.naming.ldap.derefAliases=always
You can change this property globally by creating a jndi.properties file that contains the following line:
java.naming.ldap.derefAliases=never
The jndi.properties file must be placed in the Java library path, such as $WSHOME/WEB-INF/classes. You must restart the application server for the change to take effect.
When editing synchronization policy, be sure to specify a value for the Filter Changes By field. The standard value is the administrator name used by this adapter. Entering an administrator name will prevent infinite loops from occurring. Entries should be of the format cn=Directory Manager.
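The loop-prevention rule behind the Filter Changes By field, as an added example that is not code from the Identity Manager product: changelog records whose modifier is the adapter's own bind DN are skipped so that Identity Manager does not re-process the writes it made itself. The Retro changelog records are constructed, and the example assumes that the record's changes value carries the modifiersName (or, for adds, creatorsName) that Directory Server writes when Track Entry Modification Times is enabled; how the product itself obtains the modifier is not shown on this page.

```python
# Added example (not Identity Manager code): skipping the adapter's own changes.

FILTER_CHANGES_BY = "cn=Directory Manager"   # value of the Filter Changes By field

# Constructed Retro changelog records (attribute names as under cn=changelog).
CHANGELOG = [
    {"changenumber": "101", "targetdn": "uid=jdoe,ou=People,dc=example,dc=com",
     "changetype": "modify",
     "changes": "replace: telephoneNumber\ntelephoneNumber: +1 555 0100\n-\n"
                "replace: modifiersname\nmodifiersname: cn=directory manager\n-\n"
                "replace: modifytimestamp\nmodifytimestamp: 20080101120000Z\n-\n"},
    {"changenumber": "102", "targetdn": "uid=asmith,ou=People,dc=example,dc=com",
     "changetype": "modify",
     "changes": "replace: mail\nmail: asmith@example.com\n-\n"
                "replace: modifiersname\n"
                "modifiersname: uid=hradmin,ou=People,dc=example,dc=com\n-\n"},
    {"changenumber": "103", "targetdn": "uid=newuser,ou=People,dc=example,dc=com",
     "changetype": "add",
     "changes": "objectclass: inetOrgPerson\nuid: newuser\nsn: User\ncn: New User\n"
                "creatorsname: uid=hradmin,ou=People,dc=example,dc=com\n"
                "modifiersname: uid=hradmin,ou=People,dc=example,dc=com\n"},
    # A delete carries no changes value, so its modifier cannot be determined.
    {"changenumber": "104", "targetdn": "uid=old,ou=People,dc=example,dc=com",
     "changetype": "delete", "changes": ""},
]


def normalize_dn(dn):
    """Case- and whitespace-insensitive key for comparing DNs (a simplification)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def modifier_of(record):
    """Return the modifiersName/creatorsName found in the changes value, if any."""
    for line in record["changes"].splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("modifiersname", "creatorsname"):
            return value.strip()
    return None


def changes_to_apply(records, filter_by=FILTER_CHANGES_BY):
    """Change numbers the adapter should process, skipping its own writes.

    Records with no attributable modifier (for example deletes) are kept,
    since they cannot be proven to originate from the adapter.
    """
    skip = normalize_dn(filter_by)
    keep = []
    for rec in records:
        who = modifier_of(rec)
        if who is not None and normalize_dn(who) == skip:
            continue
        keep.append(rec["changenumber"])
    return keep


if __name__ == "__main__":
    print("apply change numbers:", changes_to_apply(CHANGELOG))
```

Record 101 was written by cn=Directory Manager, the DN the adapter binds with in this example, and is skipped; the records made by the constructed HR administrator are processed. Leaving Filter Changes By empty would make change 101 flow back into Identity Manager, which would write to the directory again, producing the infinite loop the text warns about.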
This discussion assumes that Identity Manager connects to the LDAP resource as a non-RootDN user. If you are connecting as a RootDN user, the procedures described are applicable, but additional LDAP attribute values might be possible. Consult the Directory Server documentation for more information.
See Modifying the ADAM Schema for information about enabling this feature with Microsoft ADAM.
In Directory Server, the nsLookThroughLimit and nsslapd-sizelimit attributes define how many LDAP entries can be searched and returned, respectively. The default value for nsLookThroughLimit is 5,000, while the default for nsslapd-sizelimit is 2,000. Both attributes can be set to -1 to disable limits. You must restart Directory Server if you change the value of these attributes.
It is not always desirable to change the default values. To improve performance on LDAP searches, you can enable the LDAP Virtual List View (VLV) control. VLV returns partial results of a search, rather than returning all results at once.
The Use Blocks resource attribute enables Identity Manager to stay within the query result size limit by using the VLV control. The Block Count resource attribute specifies how many users to return, but this value must be less than or equal to the value set in the nsslapd-sizelimit attribute.
A VLV index (also known as a browsing index) must be created, or the nsslapd-sizelimit size limit will still be in effect. Using a VLV index significantly improves the performance of iterating over accounts, so you should set up the index if you plan to reconcile, load from resource, or export to file frequently.
Refer to the Directory Server documentation for detailed instructions on creating a VLV index. The basic process follows:
Create a vlvsearch object with the following properties:
vlvbase: YourBaseContext
vlvfilter: (&(objectclass=top)(objectclass=person)(objectclass=organizationalPerson)(objectclass=inetorgperson))
vlvscope: 2
The vlvbase attribute must match the value specified in the Base Context resource attribute. The vlvfilter attribute must contain the classes specified in the Object Classes resource attribute in the format shown. The vlvscope value of 2 indicates subtree searches.
Create a vlvindex component as a subobject of vlvsearch. The vlvsort attribute must be set to uid.
Build the VLV index using the vlvindex command or other mechanism.
Set permissions through access control instructions (ACI) for the following:
If you have not already done so, create a browsing index for the changelog. If you use the Directory Server user interface, then by default, a vlvsearch object named “MCC cn=changelog” and a vlvindex object named “SN MCC cn=changelog” will be created.
Set permissions through access control instructions (ACI) so that the Identity Manager account has read, compare, and search rights for the following:
The changelog (cn=changelog)
The vlvsearch object (cn="MCC cn=changelog",cn=config,cn=ldbm)
The vlvindex object (cn="SN MCC cn=changelog",cn=config,cn=ldbm)
On some versions of Directory Server, the changelog nsLookThroughLimit attribute has a hard-coded value of 5,000. To avoid hitting the changelog lookthrough limit, restrict the maximum number of changelog entries that are kept on the server to less than 5,000. To avoid losing changelog entries, set the polling frequency for the adapter to a short interval.
The LDAP adapter provides several ways to disable accounts on an LDAP resource. Use one of the following techniques to disable accounts.
To disable accounts by changing the password to an unknown value, leave the LDAP Activation Method and LDAP Activation Parameter fields blank. This is the default method for disabling accounts. The account can be re-enabled by assigning a new password.
To use the nsmanageddisabledrole LDAP role to disable and enable accounts, configure the LDAP resource as follows:
On the Resource Parameters page, set the LDAP Activation Method field to nsmanageddisabledrole.
Set the LDAP Activation Parameter field to IDMAttribute=CN=nsmanageddisabledrole,baseContext. (IDMAttribute will be specified on the schema in the next step.)
On the Account Attributes page, add IDMAttribute as an Identity System User attribute. Set the Resource User attribute to nsroledn. The attribute must be of type string.
Create a group named nsAccountInactivationTmp on the LDAP resource and assign CN=nsdisabledrole,baseContext as a member.
LDAP accounts can now be disabled. To verify using the LDAP console, check the value of the nsaccountlock attribute. A value of true indicates the account is locked.
If the account is later re-enabled, the account is removed from the role.
To use the nsAccountLock attribute to disable and enable accounts, configure the LDAP resource as follows:
On the Resource Parameters page, set the LDAP Activation Method field to nsaccountlock.
Set the LDAP Activation Parameter field to IDMAttribute=true. (IDMAttribute will be specified on the schema in the next step.) For example, accountLockAttr=true.
On the Account Attributes page, add the value specified in the LDAP Activation Parameter field as an Identity System User attribute. Set the Resource User attribute to nsaccountlock. The attribute must be of type string.
Set the nsAccountLock LDAP attribute on the resource to true.
Identity Manager sets nsaccountlock to true when disabling an account. It also assumes that pre-existing LDAP users that have nsaccountlock set to true are disabled. If nsaccountlock has any value other than true (including null), the system concludes the user is enabled.
If the nsmanageddisabledrole and nsAccountLock attributes are not available on your directory server, but the directory server has a similar method of disabling accounts, enter one of the following class names into the LDAP Activation Method field. The value to enter in the LDAP Activation Parameter field varies, depending on the class.
| Class Name | When to Use |
| --- | --- |
| com.waveset.adapter.util.ActivationByAttributeEnableFalse | The directory server enables an account by setting an attribute to false, and disables an account by setting the attribute to true. Add the attribute to the schema map. Then enter the Identity Manager name for the attribute (defined on the left side of the schema map) in the LDAP Activation Parameter field. |
| com.waveset.adapter.util.ActivationByAttributeEnableTrue | The directory server enables an account by setting an attribute to true, and disables an account by setting the attribute to false. Add the attribute to the schema map. Then enter the Identity Manager name for the attribute (defined on the left side of the schema map) in the LDAP Activation Parameter field. |
| com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable | Identity Manager should disable accounts by pulling an attribute/value pair from LDAP and enable accounts by pushing an attribute/value pair to LDAP. Add the attribute to the schema map. Then enter the attribute/value pair in the LDAP Activation Parameter field. Use the Identity Manager name for the attribute, as defined on the left side of the schema map. |
| com.waveset.adapter.util.ActivationByAttributePushDisablePullEnable | Identity Manager should disable accounts by pushing an attribute/value pair to LDAP and enable accounts by pulling an attribute/value pair from LDAP. Add the attribute to the schema map. Then enter the attribute/value pair in the LDAP Activation Parameter field. Use the Identity Manager name for the attribute, as defined on the left side of the schema map. |
| com.waveset.adapter.util.ActivationNsManagedDisabledRole | The directory uses a specific role to determine the account status. If an account is assigned to this role, the account is disabled. Add the role name to the schema map. Then enter a value in the LDAP Activation Parameter field, using the format IDMAttribute=CN=roleName,baseContext, where IDMAttribute is the Identity Manager name for the role, as defined on the left side of the schema map. |
The LDAP adapter can be configured to provision to Microsoft’s Active Directory Application Mode (ADAM). The following sections describe how to enable ADAM support.
The ADAM schema may have to be adjusted for use with Identity Manager. The resource schema and the identity template in an LDAP resource often contain a reference to a unique identifier (or account ID). ADAM differs from other LDAP implementations in that:
In ADAM, objectclass definitions only allow a single naming attribute. (A naming attribute is an attribute that appears in the leftmost RDN component of the DN.)
The uid attribute is defined as multi-valued.
The cn attribute is defined as single-valued and cannot be longer than 64 characters.
The ADAM schema defines the attribute index configuration. Each attribute definition entry in the schema has a searchFlags attribute. For example, the definition for Uid is located at cn=Uid,cn=Schema under the schema context. The searchFlags attribute is a bitmask and values 1 (create index), 2 (create index in each container) and 64 (index to support efficient VLV queries) are related to indexing.
Refer to the Microsoft documentation on updating the schema in an ADAM instance.
Reconciliation in ADAM can use either the Paged Results Control or the Virtual List View Control. To use the former, check the “Use Paged Results Control” checkbox in the resource's resource parameters configuration page. To use the latter, the attribute named in the “VLV Sort Attribute” field on the resource's resource parameters configuration page must be indexed in ADAM with the option to support efficient VLV queries. See Modifying the ADAM Schema for details.
Active Sync is not supported with ADAM.
Use the following procedure to allow Identity Manager to enable and disable accounts in ADAM.
On the LDAP Resource Parameters page, set the LDAP Activation Method parameter to com.waveset.adapter.util.ActivationByAttributePushDisablePullEnable
Set the LDAP Activation Parameter to Identity_System_Attribute=true. (The Identity System attribute will be specified on the Account Attributes page in the next step.) For example, MyUserAccountDisabled=true.
On the Account Attributes page, add the Identity System attribute specified in the LDAP Activation Parameter field as an Identity System User attribute. Set the Resource User attribute to msDS-UserAccountDisabled. The attribute must be of type string.
This section provides information about supported connections and privilege requirements.
Identity Manager uses Java Naming and Directory Interface (JNDI) over TCP/IP or SSL to communicate with the LDAP adapter.
If you are using TCP/IP, specify port 389 on the Resource Parameters page.
If you are using SSL, specify port 636.
If the value cn=Directory Manager is specified in the User DN resource parameter, then the Identity Manager administrator has the necessary permissions to manage LDAP accounts. If a different distinguished name is specified, that user must have the ability to read, write, delete, and add users.
The following table summarizes the provisioning capabilities of this adapter.
| Feature | Supported? |
| --- | --- |
| Enable/disable account | Yes |
| Rename account | Yes |
| Pass-through authentication | Yes |
| Before/after actions | No |
| Data loading methods | |
The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports Boolean, string, integer, and binary syntaxes. A binary attribute is an attribute that can be safely expressed only as a byte array.
The following table lists the supported LDAP syntaxes. Other LDAP syntaxes might be supported, as long as they are Boolean, string, or integer in nature. Octet strings are NOT supported.
| LDAP Syntax | Attribute Type | Object ID |
| --- | --- | --- |
| Audio | Binary | 1.3.6.1.4.1.1466.115.121.1.4 |
| Binary | Binary | 1.3.6.1.4.1.1466.115.121.1.5 |
| Boolean | Boolean | 1.3.6.1.4.1.1466.115.121.1.7 |
| Country String | String | 1.3.6.1.4.1.1466.115.121.1.11 |
| DN | String | 1.3.6.1.4.1.1466.115.121.1.12 |
| Directory String | String | 1.3.6.1.4.1.1466.115.121.1.15 |
| Generalized Time | String | 1.3.6.1.4.1.1466.115.121.1.24 |
| IA5 String | String | 1.3.6.1.4.1.1466.115.121.1.26 |
| Integer | Int | 1.3.6.1.4.1.1466.115.121.1.27 |
| Postal Address | String | 1.3.6.1.4.1.1466.115.121.1.41 |
| Printable String | String | 1.3.6.1.4.1.1466.115.121.1.44 |
| Telephone Number | String | 1.3.6.1.4.1.1466.115.121.1.50 |
The following attributes are displayed on the Account Attributes page for the LDAP resource adapters. All attributes are of type String unless otherwise noted.
| Identity System Attribute | Resource User Attribute | LDAP Syntax | Description |
| --- | --- | --- | --- |
| accountId | uid | Directory string | User ID |
| accountId | cn | Directory string | Required. The user’s full name. |
| firstname | givenname | Directory string | The user’s first (given) name. |
| lastname | sn | Directory string | Required. The user’s last name (surname). |
| modifyTimeStamp | modifyTimeStamp | Generalized time | Indicates when a user entry was modified. |
| password | userPassword | Octet string | Encrypted. The user’s password. |
The account attributes in the following table are not displayed in the schema by default. You must add the attribute to the schema map before you can manage groups.
| Identity System Attribute | Resource User Attribute | LDAP Syntax | Description |
| --- | --- | --- | --- |
| user defined | ldapGroups | ldapGroups | A list of distinguished names of groups the LDAP user is a member of. The resource attribute Group Member Attr specifies the attribute of the LDAP group entry that will be updated to contain the distinguished name of the user. The default value for the Group Member Attr is uniquemember. |
| user defined | posixGroups | N/A | A list of distinguished names of posixGroup entries the LDAP user is a member of. For an account to be assigned membership in a Posix group, it must have a value for the uid LDAP attribute. The memberUid attribute of the posixGroup entries will be updated to contain the uid of the user. |
Note the following behavior when either posixGroups or ldapGroups is defined in the schema map:
When an LDAP account is deleted, then Identity Manager removes the account’s DN from any LDAP groups and the account’s uid from any posixGroups.
When the uid of an account changes, then Identity Manager replaces the old uid with the new uid in the appropriate posixGroups.
When an account is renamed, then Identity Manager replaces the old DN with the new DN in the appropriate LDAP groups.
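The three group-maintenance rules above, applied to in-memory copies of group entries, as an added example that is not Identity Manager's own code. It assumes Group Member Attr is left at its default, uniquemember, and the group entries and user DNs are constructed; it also enforces the requirement stated earlier that an account needs a uid before it can be made a posixGroup member.

```python
# Added example (not Identity Manager code): keeping LDAP group and posixGroup
# membership consistent on account delete, uid change and rename.
import copy

GROUP_MEMBER_ATTR = "uniquemember"   # default of the Group Member Attr resource attribute

# Constructed group entries: {group DN: {attribute: [values]}}.
GROUPS = {
    "cn=staff,ou=Groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=jdoe,ou=People,dc=example,dc=com",
                         "uid=asmith,ou=People,dc=example,dc=com"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=jdoe,ou=People,dc=example,dc=com"]},
    "cn=developers,ou=Groups,dc=example,dc=com": {
        "objectclass": ["posixGroup"], "gidnumber": ["5000"],
        "memberuid": ["jdoe", "asmith"]},
}


def _norm(dn):
    """Crude DN normalisation (case and whitespace) for membership comparison."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def _dn_eq(a, b):
    return _norm(a) == _norm(b)


def _str_eq(a, b):
    return a == b


class GroupStore:
    def __init__(self, groups):
        self.groups = groups

    def _replace_value(self, attr, old, new, same):
        """In every group whose `attr` holds `old`, drop it and add `new` (if given).
        Returns the DNs of the groups that were updated."""
        changed = []
        for dn, entry in self.groups.items():
            vals = entry.get(attr, [])
            if not any(same(v, old) for v in vals):
                continue
            kept = [v for v in vals if not same(v, old)]
            if new is not None:
                kept.append(new)
            entry[attr] = kept
            changed.append(dn)
        return sorted(changed)

    def ldap_groups_of(self, user_dn):
        """LDAP groups (by Group Member Attr) that list the user's DN."""
        return sorted(dn for dn, e in self.groups.items()
                      if any(_dn_eq(v, user_dn) for v in e.get(GROUP_MEMBER_ATTR, [])))

    def on_account_deleted(self, user_dn, uid):
        """Deletion: remove the DN from LDAP groups and the uid from posixGroups."""
        return {"ldapGroups": self._replace_value(GROUP_MEMBER_ATTR, user_dn, None, _dn_eq),
                "posixGroups": self._replace_value("memberuid", uid, None, _str_eq)}

    def on_uid_changed(self, old_uid, new_uid):
        """uid change: swap the old uid for the new one in posixGroups."""
        return self._replace_value("memberuid", old_uid, new_uid, _str_eq)

    def on_account_renamed(self, old_dn, new_dn):
        """Rename: swap the old DN for the new one in LDAP groups."""
        return self._replace_value(GROUP_MEMBER_ATTR, old_dn, new_dn, _dn_eq)

    def add_to_posix_group(self, group_dn, account):
        """posixGroup membership requires the account to carry a uid value."""
        uid = (account.get("uid") or [None])[0]
        if not uid:
            raise ValueError("account has no uid attribute; cannot join a posixGroup")
        vals = self.groups[group_dn].setdefault("memberuid", [])
        if uid not in vals:
            vals.append(uid)
        return list(vals)


def fresh_store():
    """A GroupStore over a private copy of the constructed groups."""
    return GroupStore(copy.deepcopy(GROUPS))


if __name__ == "__main__":
    s = fresh_store()
    print(s.on_account_deleted("uid=jdoe,ou=People,dc=example,dc=com", "jdoe"))
```

A uid change and a rename are handled independently, mirroring the two separate rules: the uid rule touches memberUid only, and the rename rule touches the DN-valued member attribute only, so an account whose RDN is its uid needs both calls.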
The following table lists additional supported attributes that are defined in the LDAP Person object class. Some attributes defined in the Person object class are displayed by default.
| Resource User Attribute | LDAP Syntax | Attribute Type | Description |
| --- | --- | --- | --- |
| description | Directory string | String | A short informal explanation of special interests of a person |
| seeAlso | DN | String | A reference to another person |
| telephoneNumber | Telephone number | String | Primary telephone number |
The following table lists additional supported attributes that are defined in the LDAP Organizationalperson object class. This object class can also inherit attributes from the Person object class.
| Resource User Attribute | LDAP Syntax | Attribute Type | Description |
| --- | --- | --- | --- |
| destinationIndicator | Printable string | String | This attribute is used for the telegram service. |
| facsimileTelephoneNumber | Facsimile telephone number | String | The primary fax number. |
| internationaliSDNNumber | Numeric string | String | Specifies an International ISDN number associated with an object. |
| l | Directory string | String | The name of a locality, such as a city, county or other geographic region |
| ou | Directory string | String | The name of an organizational unit |
| physicalDeliveryOfficeName | Directory string | String | The office where deliveries are routed to. |
| postalAddress | Postal address | String | The office location in the user’s place of business. |
| postalCode | Directory string | String | The postal or zip code for mail delivery. |
| postOfficeBox | Directory string | String | The P.O. Box number for this object. |
| preferredDeliveryMethod | Delivery method | String | The preferred way to deliver to addressee |
| registeredAddress | Postal Address | String | A postal address suitable for reception of telegrams or expedited documents, where it is necessary to have the recipient accept delivery. |
| st | Directory string | String | State or province name. |
| street | Directory string | String | The street portion of the postal address. |
| teletexTerminalIdentifier | Teletex Terminal Identifier | String | The teletex terminal identifier for a teletex terminal associated with an object |
| telexNumber | Telex Number | String | The telex number in the international notation |
| title | Directory string | String | Contains the user’s job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS. |
| x121Address | Numeric string | String | The X.121 address for an object. |
The following table lists additional supported attributes that are defined in the LDAP inetOrgPerson object class. This object class can also inherit attributes from the organizationalPerson object class.
| Resource User Attribute | LDAP Syntax | Attribute Type | Description |
| --- | --- | --- | --- |
| audio | Audio | Binary | An audio file. |
| businessCategory | Directory string | String | The kind of business performed by an organization. |
| carLicense | Directory string | String | Vehicle license or registration plate |
| departmentNumber | Directory string | String | Identifies a department within an organization |
| displayName | Directory string | String | Preferred name of a person to be used when displaying entries |
| employeeNumber | Directory string | String | Numerically identifies an employee within an organization |
| employeeType | Directory string | String | Type of employment, such as Employee or Contractor |
| homePhone | Telephone number | String | The user’s home telephone number. |
| homePostalAddress | Postal address | String | The user’s home address. |
| initials | Directory string | String | Initials for parts of the user’s full name |
| jpegPhoto | JPEG | Binary | An image in JPEG format. |
| labeledURI | Directory string | String | A Universal Resource Indicator (URI) and optional label associated with the user. |
| | IA5 string | String | One or more email addresses. |
| manager | DN | String | Directory name of the user’s manager. |
| mobile | Telephone number | String | The user’s cell phone number. |
| o | Directory string | String | The name of an organization. |
| pager | Telephone number | String | The user’s pager number. |
| preferredLanguage | Directory string | String | Preferred written or spoken language for a person. |
| roomNumber | Directory string | String | The user’s office or room number. |
| secretary | DN | String | Directory name of the user’s administrative assistant. |
| userCertificate | certificate | Binary | A certificate, in binary format. |
Identity Manager supports the following LDAP objects by default. Any string-, integer-, or Boolean-based attributes can also be managed.
| Resource Object | Features Supported | Attributes Managed |
| --- | --- | --- |
| Group | Create, update, delete, rename, saveas | cn, description, owner, uniqueMember |
| Posix Group | Create, update, delete, rename, saveas | cn, description, gid, memberUid |
| Domain | Find | dc |
| Organizational Unit | Create, delete, rename, saveas, find | ou |
| Organization | Create, delete, rename, saveas, find | o |
The LDAP resource adapter provides management of posixGroup entries. By default, the list of accounts that are available to be assigned to a posixGroup is restricted to entries with the posixAccount object class. The LDAP Create Posix Group Form and LDAP Update Posix Group Form can be customized to list accounts other than posixAccounts. However, these accounts must have a uid attribute defined to be a member of a posixGroup.
You must define the identity template for this resource.
LDAP Create Group Form
LDAP Create Organization Form
LDAP Create Organizational Unit Form
LDAP Create Person Form
LDAP Create Posix Group Form
LDAP Update Group Form
LDAP Update Organization Form
LDAP Update Organizational Unit Form
LDAP Update Person Form
LDAP Update Posix Group Form
LDAPGroupCreateExt.xml
LDAPGroupUpdateExt.xml
LDAPgroupScalable.xml
LDAPPasswordActiveSyncForm.xml
The LDAPGroupCreateExt.xml and LDAPGroupUpdateExt.xml forms allow non-unique member names.
Use the Identity Manager debug pages to set trace options on one or more of the following classes:
com.waveset.adapter.LDAPResourceAdapterBase
com.waveset.adapter.LDAPResourceAdapter