LDAP Mapping

An LDAP repository consists of multiple entries. Each entry represents an object in the directory that is identified by a Distinguished Name (DN) and may contain one or more attributes. In a typical LDAP repository there are entries for users and entries for groups. The connection between users and groups may be implemented in two different ways:

The mapping between LDAP security objects and base security objects is stored in an XML document that can be processed by the LDAP import batch job. As part of setting up your system for LDAP import, you need to define this mapping. The base package provides a sample mapping file called ldapdef.xml that can be used as a starting point and changed per your business requirements and your particular LDAP repository.

Once you have defined the mapping XML document, this is configured as a parameter in the F1-LDAP batch job.

The XML structure:

The following describes the attributes to define for each element.

LDAPEntry

- name: The name of the LDAP entry. Valid values: Group, User.
- baseDN: The base distinguished name in LDAP for this entry.
- cdxEntity: The name of the base product entity to which the LDAP entry is mapped. Valid values: Group, User.
- searchFilter: An LDAP search filter used to locate LDAP entries. The string %searchParm% in the filter is replaced by the value of the user or group parameter supplied when the F1-LDAP batch job is submitted.
- Scope: The scope of the search. Valid values: onelevel (the value normally used), subtree.

LDAPCDXAttrMapping

- ldapAttr: The name of the LDAP attribute to be mapped. The same LDAP attribute may be referenced in more than one mapping so that one LDAP element feeds multiple base product elements, for example when an email address is used both for the Login ID and the Email Address.
- cdxName: The name of the base product attribute to be mapped. For User, this is the element within the F1-IDMUser business object. For Group, this is either the ‘group’ or the ‘description’.
- default: The default value assigned to the element referenced in cdxName when the LDAP attribute contains a null or empty value, or when the LDAP attribute does not exist or is not specified in the mapping. Default values are applied only when creating a new entity; they are not applied when an existing entity is updated.
- autoGenerate: Set to true to turn on auto generation of the user ID. When true, the system builds the user ID as <first initial of first name>+<last name>, all uppercase, to a maximum of 8 characters. If a user already exists with the generated ID, a number replaces the eighth character (or is appended to the end when the ID is shorter than eight characters), and the number is incremented until a unique ID is found.
- transform: Indicates whether the data should be transformed before it is stored. Valid values: uppercase, truncate. Do not use this attribute together with autoGenerate.

LDAPEntryLink

- linkedToLDAPEntity: The name of the linked entity (User or Group). Use User when describing the Group entity and Group when describing the User entity.
- linkingLDAPAttr: The name of the multi-valued attribute on the LDAP entity that holds the references to the linked entities.
- linkingSearchFilter: The search filter applied to retrieve the list of linked objects, for example:

  (&amp;(objectClass=group)(memberOf=%attr%))

  The filter may contain a substitution string of the form %attr% that is replaced at run time by the value of the attribute named "attr" of the entity being imported. If the LDAP entry you are describing is a Group and the string is %name%, it is replaced by the value of the "name" attribute of the group being imported. If the LDAP entry you are describing is a User and the string is %dn%, it is replaced by the value of the "dn" attribute of the user being imported.
- linkingSearchScope: The scope of the search. Valid values: onelevel (the value normally used), subtree.
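The LDAPCDXAttrMapping rules above (a default applied only on create, one LDAP attribute feeding several base product elements, the eight-character auto-generated ID with its collision counter, and the autoGenerate/transform exclusion) are easiest to check against a concrete entry. The following Python is an added example written for this page, not code from the base product or the F1-LDAP batch job. The LDAP entry, the mapping list and the set of existing user IDs are constructed; the truncate length, the exact placement of the collision counter, and the emailAddress element name are assumptions, since the page does not specify them.

```python
# Constructed LDAP entry: attribute name -> list of values (LDAP attributes are
# multi-valued). "description" is present but empty, so its default must apply.
SAMPLE_USER = {
    "uid": ["jsmith"],
    "givenName": ["Jane"],
    "sn": ["Smith-Winterbottom"],
    "mail": ["jane.smith@example.com"],
    "description": [""],
}

# Constructed mapping list mirroring LDAPCDXAttrMapping attributes. "mail" is
# referenced twice; "emailAddress" is an assumed F1-IDMUser element name.
SAMPLE_MAPPINGS = [
    {"cdxName": "user", "autoGenerate": "true"},
    {"ldapAttr": "mail", "cdxName": "externalUserId"},
    {"ldapAttr": "mail", "cdxName": "emailAddress"},
    {"ldapAttr": "givenName", "cdxName": "firstName"},
    {"ldapAttr": "sn", "cdxName": "lastName", "transform": "uppercase"},
    {"ldapAttr": "description", "cdxName": "description", "default": "Unknown"},
    {"cdxName": "language", "default": "ENG"},
]

USER_ID_MAX = 8  # the eight-character limit stated for auto-generated IDs


def first_value(entry, attr):
    """First non-empty value of an LDAP attribute, or None if absent or empty."""
    for v in entry.get(attr, []):
        if v:
            return v
    return None


def transform(value, how):
    """Apply the mapping's transform attribute. Assumption: truncate cuts to
    the user ID length, because the page does not state a length."""
    if how is None:
        return value
    if how == "uppercase":
        return value.upper()
    if how == "truncate":
        return value[:USER_ID_MAX]
    raise ValueError(f"unknown transform {how!r}")


def auto_generate_user_id(first_name, last_name, existing_ids):
    """<first initial><last name>, uppercase, at most 8 characters. On a
    collision a counter replaces the eighth character (or is appended when
    the base is shorter) and is incremented until the ID is unique."""
    base = (first_name[:1] + last_name).upper()[:USER_ID_MAX]
    if base not in existing_ids:
        return base
    n = 1
    while True:
        suffix = str(n)
        candidate = base[:USER_ID_MAX - len(suffix)] + suffix
        if candidate not in existing_ids:
            return candidate
        n += 1


def mapping_is_valid(mapping):
    """autoGenerate and transform must not be combined on one mapping."""
    return not (mapping.get("autoGenerate") == "true" and "transform" in mapping)


def apply_mappings(entry, mappings, existing_ids=frozenset(), creating=True):
    """Produce the base product attribute dict for one LDAP entry. Defaults are
    applied only when creating; on update a null or missing LDAP value leaves
    the target element untouched, as the page states."""
    out = {}
    for m in mappings:
        if not mapping_is_valid(m):
            raise ValueError(f"transform and autoGenerate combined on {m['cdxName']}")
        if m.get("autoGenerate") == "true":
            out[m["cdxName"]] = auto_generate_user_id(
                first_value(entry, "givenName") or "",
                first_value(entry, "sn") or "",
                existing_ids,
            )
            continue
        value = first_value(entry, m["ldapAttr"]) if m.get("ldapAttr") else None
        if value is None:
            if creating and "default" in m:
                out[m["cdxName"]] = m["default"]
            continue
        out[m["cdxName"]] = transform(value, m.get("transform"))
    return out


if __name__ == "__main__":
    # "JSMITH-W" is taken, so the eighth character is replaced by the counter.
    print(apply_mappings(SAMPLE_USER, SAMPLE_MAPPINGS, existing_ids={"JSMITH-W"}))
```

The update path (creating=False) is the one worth testing in your own mapping: a mapping with only a default and no ldapAttr contributes nothing on update, so an element you expect to be reset on every import must be driven by a real LDAP attribute.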

Sample Mapping

The following XML describes a sample mapping. The example makes the following assumptions:

<LDAPEntries>
  <LDAPEntry name="User" baseDN="ou=people,dc=example,dc=com" cdxEntity="User" searchFilter="(&amp;(objectClass=inetOrgPerson)(uid=%searchParm%))">
    <LDAPCDXAttrMappings>
      <LDAPCDXAttrMapping ldapAttr="uid" cdxName="user" />
      <LDAPCDXAttrMapping ldapAttr="cn" cdxName="externalUserId" />
      <LDAPCDXAttrMapping cdxName="language" default="ENG" />
      <LDAPCDXAttrMapping ldapAttr="givenName" cdxName="firstName" />
      <LDAPCDXAttrMapping ldapAttr="sn" cdxName="lastName" />
      <LDAPCDXAttrMapping cdxName="displayProfileCode" default="NORTHAM" />
      <LDAPCDXAttrMapping cdxName="toDoEntriesAge1" default="30" />
      <LDAPCDXAttrMapping cdxName="toDoEntriesAge2" default="90" />
      <LDAPCDXAttrMapping cdxName="userEnable" default="ENBL" />
    </LDAPCDXAttrMappings>
    <LDAPEntryLinks>
      <LDAPEntryLink linkedToLDAPEntity="Group" linkingLDAPAttr="departmentNumber" />
    </LDAPEntryLinks>
  </LDAPEntry>
  <LDAPEntry name="Group" baseDN="ou=people,dc=example,dc=com" cdxEntity="Group" searchFilter="(&amp;(objectClass=organizationalUnit)(ou=%searchParm%))">
    <LDAPCDXAttrMappings>
      <LDAPCDXAttrMapping ldapAttr="name" cdxName="Group" />
      <LDAPCDXAttrMapping ldapAttr="description" cdxName="Description" default="Unknown" />
    </LDAPCDXAttrMappings>
    <LDAPEntryLinks>
      <LDAPEntryLink linkedToLDAPEntity="User" linkingSearchFilter="(&amp;(objectClass=inetOrgPerson)(departmentNumber=%distinguishedName%))" linkingSearchScope="onelevel" />
    </LDAPEntryLinks>
  </LDAPEntry>
</LDAPEntries>
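The sample above fills %searchParm% and %distinguishedName% into search filters by text replacement. The following Python is an added example, not the product's code, that parses this mapping with the standard library's xml.etree and shows the caveat a practitioner should have in mind: a substituted value that contains LDAP filter metacharacters (a group DN with parentheses, or a crafted batch parameter) changes the meaning of the filter unless it is escaped as RFC 4515 specifies. The XML is the page's sample trimmed to the pieces used here and the group DN is constructed; whether the real batch job escapes its parameter is not stated on the page, so both the raw substitution (which keeps an operator's deliberate "*" wildcard working) and the escaped one are shown.

```python
import re
import xml.etree.ElementTree as ET

# The page's sample mapping, trimmed to the entries and links used below.
LDAP_DEF = """<LDAPEntries>
  <LDAPEntry name="User" baseDN="ou=people,dc=example,dc=com" cdxEntity="User"
             searchFilter="(&amp;(objectClass=inetOrgPerson)(uid=%searchParm%))">
    <LDAPCDXAttrMappings>
      <LDAPCDXAttrMapping ldapAttr="uid" cdxName="user" />
    </LDAPCDXAttrMappings>
    <LDAPEntryLinks>
      <LDAPEntryLink linkedToLDAPEntity="Group" linkingLDAPAttr="departmentNumber" />
    </LDAPEntryLinks>
  </LDAPEntry>
  <LDAPEntry name="Group" baseDN="ou=people,dc=example,dc=com" cdxEntity="Group"
             searchFilter="(&amp;(objectClass=organizationalUnit)(ou=%searchParm%))">
    <LDAPCDXAttrMappings>
      <LDAPCDXAttrMapping ldapAttr="name" cdxName="Group" />
    </LDAPCDXAttrMappings>
    <LDAPEntryLinks>
      <LDAPEntryLink linkedToLDAPEntity="User"
          linkingSearchFilter="(&amp;(objectClass=inetOrgPerson)(departmentNumber=%distinguishedName%))"
          linkingSearchScope="onelevel" />
    </LDAPEntryLinks>
  </LDAPEntry>
</LDAPEntries>"""

# A %attr% substitution token as described for linkingSearchFilter.
TOKEN = re.compile(r"%([A-Za-z][A-Za-z0-9]*)%")


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3):
    '*', '(', ')', backslash and NUL become \\XX hex escapes, so the value can
    no longer alter the structure of the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def load_entries(xml_text):
    """Return {entry name: Element} for every LDAPEntry in the mapping document.
    The XML parser already turns &amp; back into a plain & in the filters."""
    return {e.get("name"): e for e in ET.fromstring(xml_text).findall("LDAPEntry")}


def build_search_filter(entry, search_parm, escape=True):
    """Substitute the batch job's user/group parameter into searchFilter.
    escape=False reproduces plain textual substitution: an operator can pass a
    wildcard such as '*', but any other value can inject filter syntax too."""
    value = escape_filter_value(search_parm) if escape else search_parm
    return entry.get("searchFilter").replace("%searchParm%", value)


def build_link_filter(entry, imported_attrs):
    """Expand every %attr% token in linkingSearchFilter from the attributes of
    the entity being imported. A token naming an attribute the entity does not
    carry is an error rather than a silently empty assertion value."""
    link = entry.find("LDAPEntryLinks/LDAPEntryLink")
    template = link.get("linkingSearchFilter")
    if template is None:
        return None  # this side of the link uses linkingLDAPAttr instead

    def expand(match):
        name = match.group(1)
        if name not in imported_attrs:
            raise KeyError(f"linkingSearchFilter references unknown attribute {name!r}")
        return escape_filter_value(imported_attrs[name])

    return TOKEN.sub(expand, template)


if __name__ == "__main__":
    entries = load_entries(LDAP_DEF)
    print(build_search_filter(entries["User"], "jsmith"))
    print(build_search_filter(entries["User"], "*", escape=False))  # wildcard kept
    print(build_search_filter(entries["User"], "*"))                # wildcard neutralised
    # Constructed group DN containing parentheses: unescaped, it would break
    # the user-side link filter; escaped, it matches exactly that DN.
    group = {"distinguishedName": "cn=Finance (EMEA),ou=groups,dc=example,dc=com"}
    print(build_link_filter(entries["Group"], group))
```

If the user or group parameter of the F1-LDAP job is ever set from something other than an administrator's own keyboard (a scheduler, a ticketing integration, a self-service form), the escaped form is the one to reach for; the unescaped form is only acceptable while the value is trusted.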