Systems - LDAP: Manage users
Introduction
This tutorial shows how to connect LDAP as a target system for users from CzechIdM. We will use the default LDAP connector from ConnId.
Basic configuration
Go to Systems in the main menu, then use the Add button above the list of current systems. On the first page just fill in the system name. On the same page you may also need to set a new password policy, in case your default policy does not meet all the requirements of your LDAP configuration.
Connector configuration
In the next step switch to the Configuration menu of your new system. First you need to choose a connector, which in this case is the LDAP connector. This opens the configuration specific to that choice.
Then fill in the important fields.
Example configuration for our local LDAP: TODO
Scheme
For the next step, go to the Scheme menu of your system.
You can let CzechIdM generate the scheme for you by clicking the Generate scheme button. If you prefer to set everything up yourself:
- Use the Add button to create a new scheme. For users you must name it "\_\_ACCOUNT\_\_", because this is a ConnId constant.
- Add all columns (attributes) you want to work with. Instead of the name of your identifier column use the ConnId constant "\_\_NAME\_\_".
- Set all attributes as Able to read.
Example scheme: TODO
On the other hand, the Able to edit checkbox must not be set if uid is part of the distinguishedName. Otherwise changing the uid throws the error "javax.naming.directory.SchemaViolationException: [LDAP: error code 67 - Not Allowed On RDN];"
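A small check, added here as an example and not part of CzechIdM or the ConnId LDAP connector, that lists the scheme attributes forming an entry's RDN, i.e. the ones that must stay read-only in the scheme or provisioning will fail with LDAP error code 67. The DN and the attribute names with their Able to edit flags are constructed sample values.

```python
import re


def rdn_attributes(dn: str) -> set:
    """Return the attribute names used in the first RDN of an LDAP DN.

    Handles backslash-escaped commas inside values (e.g. "cn=Doe\\, John,ou=...")
    and multi-valued RDNs joined with '+' (e.g. "uid=jdoe+cn=John Doe,ou=...").
    Names are lower-cased because LDAP attribute types are case-insensitive.
    """
    # The first RDN ends at the first comma that is not escaped by a backslash.
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    names = set()
    # Components of a multi-valued RDN are separated by an unescaped '+'.
    for component in re.split(r"(?<!\\)\+", first_rdn):
        name, _, _value = component.partition("=")
        names.add(name.strip().lower())
    return names


def check_editable_attributes(dn: str, editable: dict) -> list:
    """Return scheme attributes flagged 'Able to edit' that are part of the RDN.

    `editable` maps a scheme attribute name to the state of its 'Able to edit'
    checkbox. Each returned attribute would trigger
    'LDAP: error code 67 - Not Allowed On RDN' when CzechIdM tried to change it.
    """
    rdn = rdn_attributes(dn)
    return sorted(attr for attr, can_edit in editable.items()
                  if can_edit and attr.lower() in rdn)


# Constructed sample: uid is the RDN, so it must not be editable in the scheme.
SAMPLE_DN = "uid=jdoe,ou=users,dc=example,dc=com"
SAMPLE_SCHEME = {"uid": True, "cn": True, "sn": True, "mail": True}

if __name__ == "__main__":
    for attr in check_editable_attributes(SAMPLE_DN, SAMPLE_SCHEME):
        print(f"'{attr}' is part of the RDN of {SAMPLE_DN}: uncheck 'Able to edit'")
```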
Mapping
Now go to the Mapping menu. There you set how data from LDAP are mapped to CzechIdM.
First set:
- Operation type: Provisioning
- Object name: \_\_ACCOUNT\_\_
- Entity type: Identity
- Mapping name: whatever you want, for example Provisioning of users.
Then map all columns as entity attributes, as shown in the picture below. Only \_\_NAME\_\_ is set as the identifier.
Example attribute mapping:
Provisioning
Finally go to the Provisioning menu, add a new entry, and set its Name and these fields:
- Allowed: true
- Set of mapped attributes: select the mapping from the previous step.
- Correlation attribute: \_\_NAME\_\_
You can leave the rest of the configuration at the default values.
Example provisioning results:
To provision an account to LDAP, you must create a role for the system with the LDAP provisioning mapping.