LDAP Mapping

An LDAP repository consists of multiple entries. Each entry represents an object in the directory, is identified by a Distinguished Name (DN), and may contain one or more attributes. In a typical LDAP repository there are entries for users and entries for groups. The connection between users and groups may be implemented in either of two ways:

  • The users belonging to a group are listed in a multi-valued attribute on the Group entry.

  • The groups to which a user belongs are listed in a multi-valued attribute on the User entry.

The mapping between LDAP security objects and base security objects is stored in an XML document that can be processed by the LDAP import batch job. As part of setting up your system for LDAP import, you need to define this mapping. The base package provides a sample mapping file called ldapdef.xml that can be used as a starting point and changed per your business requirements and your particular LDAP repository.

Once you have defined the mapping XML document, this is configured as a parameter in the F1-LDAP batch job.

The XML structure:

  • The LDAPEntry element maps an LDAP entry to a system object (User or Group). The mapping file must contain exactly one LDAPEntry element for User and exactly one for Group.

  • The LDAPCDXAttrMapping elements (grouped under LDAPCDXAttrMappings within the LDAPEntry element) map attributes of the LDAP entry to attributes of the system object.

  • The LDAPEntryLinks element (containing one or more LDAPEntryLink elements) describes the objects linked to the LDAP entry. When mapping the User entry you describe how the groups the user belongs to are retrieved; when mapping the Group entry you describe how the users contained in the group are retrieved.

The following table describes the attributes to define for each element.

Element: LDAPEntry

  name
    The name of the LDAP entry: Group or User.

  baseDN
    The base distinguished name in LDAP for this entry.

  cdxEntity
    The name of the base product entity to which the LDAP entry is mapped: Group or User.

  searchFilter
    An LDAP search filter used to locate LDAP entries. The string %searchParm% in the filter is replaced by the value of the user or group parameter supplied on the F1-LDAP batch job submission. Because the filter is an XML attribute value, an ampersand in the filter must be written as &amp; in the mapping file.

  Scope
    Sets the scope of the search. Valid values are:
    - onelevel (the value normally used)
    - subtree

Element: LDAPCDXAttrMapping

  ldapAttr
    The name of the LDAP attribute to be mapped. The same LDAP attribute may be referenced in more than one LDAPCDXAttrMapping so that one LDAP attribute maps to multiple base product elements, for example when an email address is used both as the Login ID and as the Email Address.

  cdxName
    The name of the base product attribute to be mapped.
    For User, this is an element within the F1-IDMUser business object.
    For Group, this is either 'group' or 'description'.

  default
    The value assigned to the element referenced in cdxName when either of the following occurs:
    - The LDAP attribute contains a null or empty value.
    - The LDAP attribute does not exist, or no ldapAttr is specified for the mapping.
    Default values are applied only when creating a new entity; they are not applied when updating an existing entity.

  autoGenerate
    Set to true to turn on auto-generation of the user ID. The generated ID is the first initial of the first name followed by the last name, in uppercase, truncated to a maximum of 8 characters. If a user already exists with the generated ID, a number replaces the eighth character (or is appended when the ID is shorter than 8 characters), and the number is incremented until an unused ID is found.

  transform
    Indicates a transformation to apply to the data. Valid values: uppercase, truncate. Do not use this attribute together with autoGenerate.

Element: LDAPEntryLink

  linkedToLDAPEntity
    The name of the linked entity (User or Group). Use User when describing the Group entry; use Group when describing the User entry.

  linkingLDAPAttr
    The name of the multi-valued attribute on the LDAP entry that holds the linked entities (the group attribute that lists its members, or the user attribute that lists its groups).

  linkingSearchFilter
    The search filter applied to retrieve the list of linked objects, for example:

    (&(objectClass=group)(memberOf=%attr%))

    The filter may contain a substitution string of the form %attr%, which is replaced at run time by the value of the attribute named attr on the entity being imported. If the LDAP entry you are describing is a Group and the string is %name%, it is replaced by the value of the group's name attribute. If the LDAP entry you are describing is a User and the string is %dn%, it is replaced by the user's dn attribute. As with searchFilter, the ampersand must be written as &amp; in the mapping file.

  linkingSearchScope
    Sets the scope of the search. Valid values are:
    - onelevel (the value normally used)
    - subtree
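The autoGenerate rule in the table, as an added worked example in Python (this is not code from the product or from ldapdef.xml). The existing_ids collection stands in for the lookup against already-defined users. Two details the page leaves open are treated as assumptions here: whitespace inside a name is dropped, and when the incrementing number grows beyond one digit it displaces as many trailing characters as needed so the ID never exceeds 8 characters.

```python
import itertools

MAX_USER_ID_LEN = 8  # limit stated for autoGenerate


def base_user_id(first_name, last_name):
    """First initial of the first name + last name, uppercase, at most 8 characters.

    Assumption (not stated on the page): embedded whitespace is dropped, so
    "Mary Anne" / "O Connor" yields MOCONNOR rather than an ID with a space.
    """
    first = first_name.strip()
    last = "".join(last_name.split())
    if not first or not last:
        raise ValueError("autoGenerate needs a non-empty first and last name")
    return (first[0] + last).upper()[:MAX_USER_ID_LEN]


def generate_user_id(first_name, last_name, existing_ids):
    """Return an ID not present in existing_ids, following the autoGenerate rule.

    When the base ID is taken, a number is appended (ID shorter than 8) or
    replaces the trailing character (ID already 8 long) and is incremented
    until the ID is free. Assumption: a two- or three-digit number displaces
    as many trailing characters as needed to stay within 8 characters.
    Comparison is case-insensitive because generated IDs are uppercase.
    """
    taken = {uid.upper() for uid in existing_ids}
    base = base_user_id(first_name, last_name)
    if base not in taken:
        return base
    for n in itertools.count(1):
        suffix = str(n)
        if len(suffix) >= MAX_USER_ID_LEN:
            raise RuntimeError("no free user ID left for " + base)
        keep = min(len(base), MAX_USER_ID_LEN - len(suffix))
        candidate = base[:keep] + suffix
        if candidate not in taken:
            return candidate


def assign_user_ids(people, existing_ids=()):
    """Allocate IDs for a batch of (first, last) pairs, treating IDs generated
    earlier in the same batch as taken, the way an import run must."""
    taken = set(existing_ids)
    result = []
    for first, last in people:
        uid = generate_user_id(first, last, taken)
        taken.add(uid)
        result.append(uid)
    return result


if __name__ == "__main__":
    # Constructed batch: two Smiths collide with each other and with an existing JSMITH,
    # and the second Kowalczyk collides with an 8-character ID, so the 8th character is replaced.
    batch = [("John", "Smith"), ("Jane", "Smith"),
             ("Alexander", "Kowalczyk"), ("Anna", "Kowalczyk")]
    print(assign_user_ids(batch, existing_ids={"JSMITH"}))
```

Running the block prints ['JSMITH1', 'JSMITH2', 'AKOWALCZ', 'AKOWALC1']: the short base gets the number appended, the 8-character base loses its last character to make room.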

Sample Mapping

The following XML describes a sample mapping. The example makes the following assumptions:

  • The base product attribute displayProfileCode is defaulted to "NORTHAM" when adding a new user.

  • The LDAP User entry holds the groups the user belongs to in its departmentNumber attribute, so the User entry links to Group through linkingLDAPAttr.

  • The users belonging to a group are retrieved by applying a search filter that matches users whose departmentNumber equals the group's distinguished name.

<LDAPEntries>
  <LDAPEntry name="User" baseDN="ou=people,dc=example,dc=com" cdxEntity="User"
      searchFilter="(&amp;(objectClass=inetOrgPerson)(uid=%searchParm%))">
    <LDAPCDXAttrMappings>
      <LDAPCDXAttrMapping ldapAttr="uid" cdxName="user"/>
      <LDAPCDXAttrMapping ldapAttr="cn" cdxName="externalUserId"/>
      <LDAPCDXAttrMapping cdxName="language" default="ENG"/>
      <LDAPCDXAttrMapping ldapAttr="givenName" cdxName="firstName"/>
      <LDAPCDXAttrMapping ldapAttr="sn" cdxName="lastName"/>
      <LDAPCDXAttrMapping cdxName="displayProfileCode" default="NORTHAM"/>
      <LDAPCDXAttrMapping cdxName="toDoEntriesAge1" default="30"/>
      <LDAPCDXAttrMapping cdxName="toDoEntriesAge2" default="90"/>
      <LDAPCDXAttrMapping cdxName="userEnable" default="ENBL"/>
    </LDAPCDXAttrMappings>
    <LDAPEntryLinks>
      <LDAPEntryLink linkedToLDAPEntity="Group" linkingLDAPAttr="departmentNumber"/>
    </LDAPEntryLinks>
  </LDAPEntry>
  <LDAPEntry name="Group" baseDN="ou=people,dc=example,dc=com" cdxEntity="Group"
      searchFilter="(&amp;(objectClass=organizationalUnit)(ou=%searchParm%))">
    <LDAPCDXAttrMappings>
      <LDAPCDXAttrMapping ldapAttr="name" cdxName="Group"/>
      <LDAPCDXAttrMapping ldapAttr="description" cdxName="Description" default="Unknown"/>
    </LDAPCDXAttrMappings>
    <LDAPEntryLinks>
      <LDAPEntryLink linkedToLDAPEntity="User"
          linkingSearchFilter="(&amp;(objectClass=inetOrgPerson)(departmentNumber=%distinguishedName%))"
          linkingSearchScope="onelevel"/>
    </LDAPEntryLinks>
  </LDAPEntry>
</LDAPEntries>
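A pre-flight check for a mapping file, as an added example in Python (not a tool shipped with the product). It parses the sample mapping above (embedded here as constructed input, with the stray whitespace removed) and reports violations of the rules the table states: exactly one User and one Group LDAPEntry, a %searchParm% placeholder in every searchFilter, valid scope and transform values, transform never combined with autoGenerate, each LDAPEntryLink pointing at the opposite entity with either linkingLDAPAttr or linkingSearchFilter, and a %attr% placeholder in every linkingSearchFilter. The render_filter function shows what a safe run-time substitution of %attr% looks like with RFC 4515 escaping; the page does not say how the F1-LDAP job itself escapes substituted values, so treat that part as an illustration of the check you would want, not as the job's behaviour. The point of the escaping is that a DN or attribute value read from the directory can legitimately contain ( ) * or \, and unescaped those characters change the meaning of the filter.

```python
import re
import xml.etree.ElementTree as ET

VALID_SCOPES = {"onelevel", "subtree"}
VALID_TRANSFORMS = {"uppercase", "truncate"}
PLACEHOLDER = re.compile(r"%([A-Za-z][A-Za-z0-9]*)%")  # %searchParm%, %dn%, %name%, ...

# Constructed input: the sample mapping above with stray whitespace removed.
SAMPLE_MAPPING = """<LDAPEntries>
  <LDAPEntry name="User" baseDN="ou=people,dc=example,dc=com" cdxEntity="User"
      searchFilter="(&amp;(objectClass=inetOrgPerson)(uid=%searchParm%))">
    <LDAPCDXAttrMappings>
      <LDAPCDXAttrMapping ldapAttr="uid" cdxName="user"/>
      <LDAPCDXAttrMapping ldapAttr="cn" cdxName="externalUserId"/>
      <LDAPCDXAttrMapping cdxName="language" default="ENG"/>
      <LDAPCDXAttrMapping ldapAttr="givenName" cdxName="firstName"/>
      <LDAPCDXAttrMapping ldapAttr="sn" cdxName="lastName"/>
      <LDAPCDXAttrMapping cdxName="displayProfileCode" default="NORTHAM"/>
      <LDAPCDXAttrMapping cdxName="userEnable" default="ENBL"/>
    </LDAPCDXAttrMappings>
    <LDAPEntryLinks>
      <LDAPEntryLink linkedToLDAPEntity="Group" linkingLDAPAttr="departmentNumber"/>
    </LDAPEntryLinks>
  </LDAPEntry>
  <LDAPEntry name="Group" baseDN="ou=people,dc=example,dc=com" cdxEntity="Group"
      searchFilter="(&amp;(objectClass=organizationalUnit)(ou=%searchParm%))">
    <LDAPCDXAttrMappings>
      <LDAPCDXAttrMapping ldapAttr="name" cdxName="Group"/>
      <LDAPCDXAttrMapping ldapAttr="description" cdxName="Description" default="Unknown"/>
    </LDAPCDXAttrMappings>
    <LDAPEntryLinks>
      <LDAPEntryLink linkedToLDAPEntity="User" linkingSearchScope="onelevel"
          linkingSearchFilter="(&amp;(objectClass=inetOrgPerson)(departmentNumber=%distinguishedName%))"/>
    </LDAPEntryLinks>
  </LDAPEntry>
</LDAPEntries>"""


def validate_mapping(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "LDAPEntries":
        problems.append("root element is %s, expected LDAPEntries" % root.tag)
    entries = root.findall("LDAPEntry")
    for required in ("User", "Group"):  # exactly one of each
        n = sum(1 for e in entries if (e.get("name") or "").strip() == required)
        if n != 1:
            problems.append("expected exactly one LDAPEntry name=%s, found %d" % (required, n))
    for entry in entries:
        name = (entry.get("name") or "").strip()
        label = "LDAPEntry %s" % (name or "<unnamed>")
        for attr in ("baseDN", "cdxEntity", "searchFilter"):
            if not (entry.get(attr) or "").strip():
                problems.append("%s: missing %s" % (label, attr))
        sfilter = entry.get("searchFilter") or ""
        if "%searchParm%" not in sfilter:
            problems.append("%s: searchFilter has no %%searchParm%% placeholder" % label)
        if sfilter.count("(") != sfilter.count(")"):
            problems.append("%s: unbalanced parentheses in searchFilter" % label)
        scope = entry.get("Scope") or entry.get("scope")
        if scope and scope.lower() not in VALID_SCOPES:
            problems.append("%s: invalid Scope %r" % (label, scope))
        for m in entry.iter("LDAPCDXAttrMapping"):
            cdx = (m.get("cdxName") or "").strip()
            if not cdx:
                problems.append("%s: LDAPCDXAttrMapping without cdxName" % label)
            auto = (m.get("autoGenerate") or "").lower() == "true"
            if not m.get("ldapAttr") and m.get("default") is None and not auto:
                problems.append("%s: mapping for %s has neither ldapAttr nor default" % (label, cdx))
            transform = m.get("transform")
            if transform and transform not in VALID_TRANSFORMS:
                problems.append("%s: invalid transform %r for %s" % (label, transform, cdx))
            if transform and auto:
                problems.append("%s: transform and autoGenerate must not be combined (%s)" % (label, cdx))
        links = list(entry.iter("LDAPEntryLink"))
        if not links:
            problems.append("%s: no LDAPEntryLink, so membership would never be imported" % label)
        expected_target = {"User": "Group", "Group": "User"}.get(name)
        for link in links:
            target = (link.get("linkedToLDAPEntity") or "").strip()
            if expected_target and target != expected_target:
                problems.append("%s: LDAPEntryLink should point at %s, found %r" % (label, expected_target, target))
            lfilter = link.get("linkingSearchFilter")
            if not link.get("linkingLDAPAttr") and not lfilter:
                problems.append("%s: LDAPEntryLink needs linkingLDAPAttr or linkingSearchFilter" % label)
            if lfilter and lfilter.count("(") != lfilter.count(")"):
                problems.append("%s: unbalanced parentheses in linkingSearchFilter" % label)
            if lfilter and not PLACEHOLDER.search(lfilter):
                problems.append("%s: linkingSearchFilter has no %%attr%% placeholder" % label)
            lscope = link.get("linkingSearchScope")
            if lscope and lscope.lower() not in VALID_SCOPES:
                problems.append("%s: invalid linkingSearchScope %r" % (label, lscope))
    return problems


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_filter(template, entity_attrs):
    """Replace each %attr% in template with the escaped value of that attribute.
    Assumption: this is what a safe substitution looks like, not the job's own code."""
    def repl(match):
        key = match.group(1)
        if key not in entity_attrs:
            raise KeyError("placeholder %%%s%% has no value on the imported entity" % key)
        return escape_filter_value(entity_attrs[key])
    return PLACEHOLDER.sub(repl, template)


if __name__ == "__main__":
    print(validate_mapping(SAMPLE_MAPPING))  # [] for the sample above
    print(render_filter("(&(objectClass=inetOrgPerson)(departmentNumber=%distinguishedName%))",
                        {"distinguishedName": "cn=R&D (East),ou=groups,dc=example,dc=com"}))
```

Run it against a mapping before handing it to the F1-LDAP batch job; the checks are cheap and catch the cases (a second User entry, a link pointing at the wrong entity, a transform on an auto-generated ID) that otherwise only surface as a failed or half-applied import.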