Login to OpenIDM using dirserver user credentials

This topic has 5 replies, 3 voices, and was last updated 6 years, 1 month ago by subbub18.

  • #11817
     subbub18
    Participant

    Hi all,
    I have a use case where I am working on finding a way to allow users who are available in my dir server [like OpenDJ or MS AD] to authenticate and log in to OpenIDM. Are there any suggestions or approaches that I can follow to achieve this?

    Please respond with your inputs.

    Thanks,
    Subbu

    #11821
     Andrew Potter
    Participant

    Search the Integrators Guide for Pass-Through Authentication.

    #12224
     subbub18
    Participant

    Hi Andrew,

    The scenario is that I would need my Active Directory users to log in to OpenIDM without having their accounts reconciled to OpenIDM.
    Could you provide any inputs on this scenario?

    Thanks,
    Subbu

    #12227
     andyr
    Participant

    I’ve also been looking at this, and wanted to authenticate users against AD and assign the openidm-admin role to users in a specific AD group. These users are not reconciled to OpenIDM as managed users; however, looking at the examples, it looks like this might be required?

    I would be interested if you find a solution.

    #12281
     Andrew Potter
    Participant

    @subbub18, an authentication.json config like this:

    {
        "name" : "PASSTHROUGH",
        "enabled" : true,
        "properties" : {
            "propertyMapping" : {
                "authenticationId" : "uid"
            },
            "queryOnResource" : "system/ldap/account",
            "defaultUserRoles" : [
                "openidm-authorized"
            ]
        }
    }

    allows me to log in to the user UI without synchronising accounts to the IDM repo. Note that it still depends on the connector being defined, but there is no mapping in this config to a managed/user object.

    If you want people to be able to log in to the admin UI you can include ‘openidm-admin’ in the defaultUserRoles.

    @andyr in theory you can use groupRoleMapping to control OpenIDM roles based on LDAP group membership. I’ve not tried it, but it’s included in the Integrator’s Guide: https://backstage.forgerock.com/#!/docs/openidm/4/integrators-guide#passthrough-auth
    e.g.

    "groupRoleMapping" : {
        "openidm-admin" : ["cn=admins"]
    }
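The two configurations discussed in this thread differ in who ends up with openidm-admin: putting it in defaultUserRoles hands the admin UI to every directory account that can bind, while groupRoleMapping scopes it to members of a named group. The following is an added example, not OpenIDM's own code or anything from the posts above: it models the role assignment of a PASSTHROUGH module in plain Python so the difference can be checked offline, and includes a small lint for the two mistakes that are easy to make. The module configs, the group DNs and the LDAP entries are all constructed; the "groupMembership" property-mapping key follows the Integrator's Guide section linked above, and the DN comparison (case-insensitive, whitespace after commas ignored) is an assumption about how a DN match should behave, not a reproduction of OpenIDM's internal logic.

```python
"""Model of how an OpenIDM PASSTHROUGH auth module turns an LDAP entry into
OpenIDM roles. Constructed example; only approximates the documented semantics."""
from typing import Dict, List

# Constructed module config: every account that can bind to LDAP becomes an admin.
PERMISSIVE_MODULE: Dict = {
    "name": "PASSTHROUGH",
    "enabled": True,
    "properties": {
        "propertyMapping": {"authenticationId": "uid"},
        "queryOnResource": "system/ldap/account",
        "defaultUserRoles": ["openidm-authorized", "openidm-admin"],
    },
}

# Constructed module config: admin only for members of one specific group.
# "groupMembership" names the LDAP attribute whose values are compared against
# the DNs listed under groupRoleMapping (assumed from the Integrator's Guide).
GROUP_SCOPED_MODULE: Dict = {
    "name": "PASSTHROUGH",
    "enabled": True,
    "properties": {
        "propertyMapping": {
            "authenticationId": "uid",
            "groupMembership": "memberOf",
        },
        "queryOnResource": "system/ldap/account",
        "groupRoleMapping": {
            "openidm-admin": ["cn=admins,ou=groups,dc=example,dc=com"],
        },
        "defaultUserRoles": ["openidm-authorized"],
    },
}

# Constructed LDAP entries, shaped as the connector would return them.
LDAP_ENTRIES: Dict[str, Dict] = {
    "alice": {"uid": "alice", "memberOf": ["CN=admins, OU=groups, DC=example, DC=com"]},
    "bob": {"uid": "bob", "memberOf": ["cn=staff,ou=groups,dc=example,dc=com"]},
    "carol": {"uid": "carol"},  # no memberOf attribute at all
}


def normalize_dn(dn: str) -> str:
    """Assumption: DNs match case-insensitively, ignoring whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def roles_for(module: Dict, entry: Dict) -> List[str]:
    """Return the OpenIDM roles a successfully authenticated entry would receive."""
    props = module["properties"]
    roles = list(props.get("defaultUserRoles", []))
    attr = props.get("propertyMapping", {}).get("groupMembership")
    mapping = props.get("groupRoleMapping", {})
    if attr and mapping:
        member_of = {normalize_dn(g) for g in entry.get(attr, [])}
        for role, groups in mapping.items():
            if any(normalize_dn(g) in member_of for g in groups) and role not in roles:
                roles.append(role)
    return roles


def lint_module(module: Dict) -> List[str]:
    """Flag the two configuration mistakes discussed in the thread."""
    props = module["properties"]
    findings = []
    if "openidm-admin" in props.get("defaultUserRoles", []):
        findings.append(
            "openidm-admin in defaultUserRoles: every directory account that can "
            "bind gets the admin UI"
        )
    if props.get("groupRoleMapping") and not props.get("propertyMapping", {}).get("groupMembership"):
        findings.append(
            "groupRoleMapping set but propertyMapping.groupMembership missing: "
            "the mapping can never match"
        )
    return findings


if __name__ == "__main__":
    for name, module in (("permissive", PERMISSIVE_MODULE), ("group-scoped", GROUP_SCOPED_MODULE)):
        print(name, "lint:", lint_module(module) or "ok")
        for uid, entry in LDAP_ENTRIES.items():
            print(f"  {uid}: {roles_for(module, entry)}")
```

Run it as a script to see that under the permissive config bob and carol are admins despite belonging to no admin group, while the group-scoped config grants openidm-admin to alice only; the lint output is the check to run on any authentication.json before enabling the admin UI for pass-through users.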
    #12510
     subbub18
    Participant

    Thanks for your response Andrew & others.
    Have a nice day!

©2022 ForgeRock