Systems - LDAP: Manage users

Systems - LDAP: Manage users

Introduction

This tutorial will guide you through connecting LDAP as a target system for user management within CzechIdM. We will utilize the default LDAP connector provided by ConnId.

Basic configuration

Navigate to the Systems section from the main menu. Use the Add button above the list of current systems. On the first page, simply enter the system name. If your default password policy does not meet your LDAP configuration requirements, you may need to configure a new password policy here.

Connector configuration

In the next step, switch to the Configuration menu of your new system. First, select the connector, which in this case is the LDAP connector. This will open the specific configuration for this connector. Thereafter, fill in the important fields.

Example configuration for our local LDAP: TODO

Enable Use VLV Controls and set the VLV Sort Attribute to the same value as the Uid Attribute. Otherwise, account searches may not function correctly in the current version of the LDAP connector (the first result is skipped due to a bug).

Base Contexts

The Base Contexts property contains one or more starting points in the LDAP directory tree used for searches. When running synchronization in reconciliation mode, the connector initiates a search for every value in the Base Context separately. The search uses paging, meaning entries are processed in blocks of (by default) 100 records according to the configured (VLV) sort. Be cautious if you have multiple values in the Base Contexts and you modify distinguished names of entries during reconciliation. If entries are moved to a different base, other entries may be omitted due to paging and fall into the Missing account state. Try to avoid this use case at all.

Scheme

Proceed to the Scheme menu on your system. You can let CzechIdM generate the scheme for you by clicking the Generate scheme button.

Generating a scheme typically marks most attributes as multivalued (even for e.g. givenName, sn, cn). This may be acceptable, but could complicate things if you intend to populate these attributes from EAVs and transform them - see more. Make sure to verify what was generated.

If you prefer to configure everything manually:

Use the Add button to create a new scheme. For users, name it __ACCOUNT__, as this is a ConnId constant.
Add all file columns you want to work with. Use the ConnId constant __NAME__ for your identifier column.
Set all attributes as Able to read.

Example scheme: TODO

The uid attribute must have the following checkboxes enabled: Able to read, Able to create, and Returned by default. The Able to create checkbox is crucial if you manage posixGroups. The LDAP connector requires the uid attribute during creation if posixGroups is also set. Otherwise, it throws an error: Cannot add entry "uid=john.doe,ou=people,o=domain,c=tld" to POSIX groups because it does not have a "uid" attribute. On the other hand, the Able to edit checkbox must not be enabled if uid is part of the distinguishedName. Otherwise, changing uid will result in an error: javax.naming.directory.SchemaViolationException: [LDAP: error code 67 - Not Allowed On RDN].

Mapping

Navigate to the Mapping menu. Here, you must define how data from LDAP will be promoted to CzechIdM. First, set:

Operation type: Provisioning
Object name: __ACCOUNT__
Entity type: Identity
Set the Mapping name to whatever you prefer, e.g., "Provisioning of users".

Then map all columns as entity attributes as shown in the example below. Ensure that __NAME__ is set as the identifier.

Example attribute mapping: TODO

The distinguished name should be mapped in the __NAME__ attribute. If the DN contains CN (common name - a typical setting), do not map the cn attribute again. The CN is already populated by the DN, and mapping it again may cause LDAP to reject changes with the error: LDAP: error code 67 - Not Allowed On RDN.

Provisioning

Finally, go to the Provisioning menu and add a new provisioning. Set its Name and these fields:

Allowed: true
Set of mapped attributes: Select the mapping from the previous step.
Correlation attribute: __NAME__

You can leave the rest of the configuration at default values.

Example provisioning results: TODO

Create LDAP role in IdM

To provision an account to LDAP, you must create a role for the system with LDAP provisioning mapping.

Create a role, e.g., "LDAP - user", and save it.
Go to the System tab on the role detail page and add the LDAP system created in this tutorial, then save.

To provision a user to LDAP, assign them the role "LDAP - user". The provisioning will occur immediately upon role assignment. You can check the provisioning status at the user profile detail under the Provisioning tab.

Table of Contents