This tutorial will show you how to connect LDAP as target system for users from CzechIdM. We will use default LDAP connector from ConnId.
Go to Systems from main menu, then above list of current systems use Add button. On first page just fill system name. On the same page you may need to set new password policy in case that your default policy does not meet your all requirements of your LDAP configuration.
In next step switch to menu Configuration of your new system. At first you need to choose connector, which in this case is LDAP connector. It will open specific configuration for that choice.
Thereafter fill important fields.
Example configuration for our local LDAP: TODO
The property Base Contexts contains one or more starting points in the LDAP tree that will be used when searching the tree.
When you run synchronization in the reconciliation mode, the connector starts the search for every value in the Base Context separately. The search uses paging, which means that the entries are processed in blocks consisting of (by default) 100 records according to the configured (VLV) sort. Be careful, when you have multiple values in the Base Contexts and you modify distinguished name of the entries during the reconciliation. If entries are moved to a different base, then other entries may be omitted due to the paging and they fall to the Missing account state. So try to avoid this use case at all.
For next step, go to menu Scheme on your system.
You can let CzechIdM generate scheme for you by click on Generate scheme button.
But if you want to set everything by yourself:
Example scheme: TODO
On the other hand, the checkbox Able to edit mustn't be set, if uid is the part of distinguishedName. Otherwise changing of uid throws an error "javax.naming.directory.SchemaViolationException: [LDAP: error code 67 - Not Allowed On RDN];"
Now go to menu Mapping. There you must set how data from LDAP will be promoted to CzechIdM.
At first set:
Then map all columns as entity attributes as you can see it on picture below. Just \_\_NAME\_\_ set as identifier.
Example attribute mapping:
Finally go to menu Provisioning and add new one set its Name and these fields:
You can leave the rest of configuration at the default values.
Example provisioning results: TODO
To provision an account to LDAP, one must create a role for the system with LDAP provisioning mapping.
To provision a user to LDAP, assign them a role "LDAP - user". The provisioning will be provided as soon as the role is assigned to the user. The state of the provisioning you can check at the user profile detail at the tab "provisioning".