This tutorial will guide you through connecting LDAP as a target system for user management within CzechIdM. We will utilize the default LDAP connector provided by ConnId.
Navigate to the Systems section from the main menu. Use the Add button above the list of current systems. On the first page, simply enter the system name. If your default password policy does not meet your LDAP configuration requirements, you may need to configure a new password policy here.
In the next step, switch to the Configuration menu of your new system. First, select the connector, which in this case is the LDAP connector. This opens the configuration specific to that connector. Then fill in the important fields.
Example configuration for our local LDAP: TODO
The Base Contexts property contains one or more starting points in the LDAP directory tree used for searches. When running synchronization in reconciliation mode, the connector runs a separate search for every value in Base Contexts. The search uses paging, meaning entries are processed in blocks of (by default) 100 records according to the configured (VLV) sort. Be cautious if you have multiple values in Base Contexts and you modify distinguished names of entries while reconciliation is running. If an entry is moved to a different base, the positions of the remaining entries shift, so other entries may be skipped by the paging and end up in the Missing account state. Avoid this scenario altogether.
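To make the paging caveat concrete, the following simulation (an added example with a constructed in-memory directory, not CzechIdM or ConnId code) walks two base contexts with an offset-based, uid-sorted page search, the way a VLV-paged reconciliation does. The page size is 3 instead of the connector's default 100 only to keep the output readable. Halfway through the first base, one entry is moved to the other base; the entry that slides into the already-processed page range is never seen and would be reported as a Missing account.

```python
"""Simulation of paged reconciliation over several base contexts while an
entry is moved between them. Added example on a constructed directory; the
page size and the entry names are assumptions for illustration."""

PAGE_SIZE = 3  # ConnId's default is 100; 3 keeps the trace short


def make_directory():
    """Constructed sample directory: DN -> attributes, spread over two bases."""
    directory = {}
    for i in range(7):
        uid = f"user{i:02d}"
        directory[f"uid={uid},ou=people,o=domain,c=tld"] = {"uid": uid}
    directory["uid=ext01,ou=external,o=domain,c=tld"] = {"uid": "ext01"}
    return directory


def search_page(directory, base, offset, size):
    """One page of the entries under `base`, sorted by uid (a VLV-style sort)
    and addressed by offset, which is what makes mid-run moves dangerous."""
    entries = sorted((dn for dn in directory if dn.endswith("," + base)),
                     key=lambda dn: directory[dn]["uid"])
    return entries[offset:offset + size]


def reconcile(directory, base_contexts, after_page=None):
    """Search every base context separately, page by page; return the uids seen.
    `after_page(page_no, directory)` runs after each page so the caller can
    mutate the directory mid-run, like an admin renaming entries would."""
    seen = []
    page_no = 0
    for base in base_contexts:
        offset = 0
        while True:
            page = search_page(directory, base, offset, PAGE_SIZE)
            if not page:
                break
            seen.extend(directory[dn]["uid"] for dn in page)
            offset += len(page)
            page_no += 1
            if after_page:
                after_page(page_no, directory)
    return seen


def move_entry(directory, old_dn, new_dn):
    """Rename an entry (modifyDN) by re-keying it under the new DN."""
    directory[new_dn] = directory.pop(old_dn)


def demo(move_during_run):
    """Return the uids that reconciliation failed to see (the 'missing' ones)."""
    directory = make_directory()
    expected = {attrs["uid"] for attrs in directory.values()}
    bases = ["ou=people,o=domain,c=tld", "ou=external,o=domain,c=tld"]

    def after_page(page_no, d):
        # Right after the first page of ou=people, user00 is moved to ou=external.
        if move_during_run and page_no == 1:
            move_entry(d, "uid=user00,ou=people,o=domain,c=tld",
                       "uid=user00,ou=external,o=domain,c=tld")

    seen = reconcile(directory, bases, after_page)
    return sorted(expected - set(seen))


if __name__ == "__main__":
    print("missing without a move:", demo(False))   # []
    print("missing with a move:   ", demo(True))    # ['user03']
```

Note which entry goes missing: not the moved user00 (it is found later under ou=external), but user03, which shifted from offset 3 to offset 2 after the move and so fell into the range the first page had already covered.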
Proceed to the Scheme menu on your system. You can let CzechIdM generate the scheme for you by clicking the Generate scheme button.
If you prefer to configure everything manually, name the object class __ACCOUNT__, as this is a ConnId constant, and use __NAME__ for your identifier column.
Example scheme: TODO
If the account has no uid attribute (for example because uid is not in the scheme), the connector cannot add it to POSIX groups and fails with the error: Cannot add entry "uid=john.doe,ou=people,o=domain,c=tld" to POSIX groups because it does not have a "uid" attribute.
On the other hand, the Able to edit checkbox must not be enabled for uid if uid is part of the distinguishedName. Otherwise, changing uid results in an error: javax.naming.directory.SchemaViolationException: [LDAP: error code 67 - Not Allowed On RDN].
Navigate to the Mapping menu. Here you define how data from LDAP is mapped into CzechIdM. First, set the object class to __ACCOUNT__. Then map all columns as entity attributes as shown in the example below. Ensure that __NAME__ is set as the identifier.
Example attribute mapping: TODO
The distinguished name (DN) is carried by the __NAME__ attribute. If the DN contains CN (common name, a typical setting), do not map the cn attribute again. The CN is already populated by the DN, and mapping it again may cause LDAP to reject changes with the error: LDAP: error code 67 - Not Allowed On RDN.
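Both the uid caveat in the scheme section and the cn caveat above come down to the same rule: an attribute that forms the RDN of the entry cannot be modified in place. The following pre-flight check is an added example, not CzechIdM or ConnId code; it parses the leftmost RDN of a DN (handling RFC 4514 backslash escapes and multi-valued RDNs joined with "+") and flags any mapped attribute that is both part of the RDN and marked editable. The mapping shape, a dict of schema attribute name to an "editable" flag, is an assumption standing in for the Able to edit checkbox; __NAME__ is skipped because it carries the whole DN.

```python
"""Pre-flight check for LDAP attribute mappings: flag RDN attributes that are
mapped as editable, since modifying them yields
'LDAP: error code 67 - Not Allowed On RDN'. Added example, not project code."""


def _split_unescaped(text, sep):
    """Split `text` on `sep`, ignoring separators escaped with a backslash
    (RFC 4514 DN syntax, e.g. 'cn=Doe\\, John')."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def rdn_attributes(dn):
    """Lower-cased attribute types of the leftmost RDN of `dn`.
    A multi-valued RDN such as 'cn=X+uid=y' contributes every type."""
    first_rdn = _split_unescaped(dn, ",")[0]
    types = set()
    for ava in _split_unescaped(first_rdn, "+"):
        attr_type, sep, _value = ava.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN component: {ava!r}")
        types.add(attr_type.strip().lower())
    return types


def check_mapping(dn, mapping):
    """Return the mapped attributes that are part of the RDN and editable.

    `mapping` is a hypothetical {attribute_name: {"editable": bool}} view of
    the CzechIdM scheme/mapping; an empty result means no attribute mapping
    will trip error 67 for an entry with this DN layout."""
    rdn = rdn_attributes(dn)
    offenders = []
    for attr, opts in mapping.items():
        name = attr.lower()
        if name == "__name__":
            continue  # __NAME__ is the DN itself, used as identifier
        if name in rdn and opts.get("editable", True):
            offenders.append(attr)
    return sorted(offenders)


if __name__ == "__main__":
    # Constructed example mappings, mirroring the two caveats in the tutorial.
    uid_dn = "uid=john.doe,ou=people,o=domain,c=tld"
    print(check_mapping(uid_dn, {"__NAME__": {"editable": True},
                                 "uid": {"editable": True},
                                 "mail": {"editable": True}}))   # ['uid']
    print(check_mapping(uid_dn, {"uid": {"editable": False},
                                 "mail": {"editable": True}}))   # []
    cn_dn = "cn=John Doe,ou=people,o=domain,c=tld"
    print(check_mapping(cn_dn, {"cn": {"editable": True},
                                "sn": {"editable": True}}))      # ['cn']
```

Run it against the DN pattern you actually use for accounts before saving the mapping; a non-empty result means either untick Able to edit for that attribute (the uid case) or drop the mapping entirely because the DN already sets the value (the cn case).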
Finally, go to the Provisioning menu and add a new provisioning. Set its Name and these fields:
__NAME__
You can leave the rest of the configuration at default values.
Example provisioning results: TODO
To provision an account to LDAP, you must create a role for the system with LDAP provisioning mapping.
To provision a user to LDAP, assign them the role "LDAP - user". Provisioning occurs immediately upon role assignment. You can check the provisioning status in the user profile detail under the Provisioning tab.