

    I am in the process of evaluating/testing OpenIDM as a tool for managing passwords for accounts on our three different systems: LDAP for UNIX (~7000 accounts), AD for Windows (~600 accounts) and Google Apps for email (~1000 accounts).

    The really basic question I have is: does the IDM repository keep all the data from all those sources? It is probably obvious, but the terminology used in the documentation is not all familiar to me, an old sysadmin. I am reading the docs but I am finding it hard to understand with this basic question in my mind. I can see how IDM could be just the connector between my LDAP and my AD accounts, but what is in the repository?

    My goal is to set up a single web-based password changing facility for our users. As you can see, not all of the users have accounts on all the systems. Only the UNIX system has all the users, and many accounts are closed but kept. We are a small research organization with little funding, thus the open solution.

    Anyway thanks for any help.


    Lois Bennett, MSEE
    Senior System Administrator
    Channing Division of Network Medicine, Brigham & Women’s Hospital
    A Teaching Affiliate of Harvard Medical School and Harvard School of Public Health

     Bill Nelson

    Hi Lois,

    OpenIDM’s data model is very flexible. You choose what to put in OpenIDM. There are two types of objects that should be understood: 1) managed object and 2) system object. A managed object is used to represent (in your case) users in OpenIDM. A system object is used to reference objects (in your case accounts) stored on external systems. I say “in your case” because these can be used to represent all sorts of things: users, system accounts, mobile phones, conference rooms, whatever.

    The managed object is what you are referring to when you talk about storing account data in OpenIDM, and that is defined in the (by default) managed/user object. The schema for the managed/user object is stored in the openidm/conf/managed.json file in your deployment. If you look at that file, it simply contains default attributes that are likely to be stored for a user (e.g. cn, givenName) and attributes used by OpenIDM for other purposes (e.g. effectiveAssignments). You can update the schema however you like to add new data (e.g. POSIX-type data from Linux accounts) or remove fields that you don’t want to store locally.

    It is entirely possible to store every single attribute that flows through OpenIDM from some source (e.g. a web application) to some target (e.g. Linux). To do so would create a sort of uber database of all attributes. It is also possible to only store a few attributes in the managed object (e.g. enough information to correlate users between OpenIDM and the remote systems).

    So again, the sky’s the limit. I would suggest you use the data model that comes out of the box first for initial testing and then modify it to meet your own needs.

    Hope this helps,
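As an added illustration (not part of Bill's reply, and not the file ForgeRock ships), here is what a trimmed managed/user schema in openidm/conf/managed.json could look like for the setup described above: only the attributes needed to identify and correlate a person across LDAP, AD and Google Apps, plus the POSIX attributes that exist only on the UNIX side, plus the password. The property flags (viewable, searchable, userEditable, scope, encryption) and the key name openidm-sym-default follow the conventions of the OpenIDM 4.x/5.x default file; treat them as assumptions and compare them against the managed.json in your own deployment before copying anything.

```json
{
  "objects": [
    {
      "name": "user",
      "schema": {
        "$schema": "http://forgerock.org/json-schema#",
        "type": "object",
        "title": "User",
        "required": ["userName"],
        "properties": {
          "_id": {
            "type": "string", "viewable": false, "searchable": false, "userEditable": false
          },
          "userName": {
            "type": "string", "viewable": true, "searchable": true, "userEditable": false
          },
          "givenName": {
            "type": "string", "viewable": true, "searchable": true, "userEditable": true
          },
          "sn": {
            "type": "string", "viewable": true, "searchable": true, "userEditable": true
          },
          "mail": {
            "type": "string", "viewable": true, "searchable": true, "userEditable": false
          },
          "accountStatus": {
            "type": "string", "viewable": true, "searchable": true, "userEditable": false
          },
          "uidNumber": {
            "type": "number", "viewable": true, "searchable": true, "userEditable": false
          },
          "gidNumber": {
            "type": "number", "viewable": true, "searchable": false, "userEditable": false
          },
          "homeDirectory": {
            "type": "string", "viewable": true, "searchable": false, "userEditable": false
          },
          "loginShell": {
            "type": "string", "viewable": true, "searchable": false, "userEditable": false
          },
          "password": {
            "type": "string",
            "viewable": false,
            "searchable": false,
            "userEditable": true,
            "scope": "private",
            "encryption": { "key": "openidm-sym-default" }
          }
        }
      }
    }
  ]
}
```

Two points worth checking in whatever version of this file you end up with. First, the password property is the one that matters for a password-change portal: "scope": "private" keeps it out of ordinary read and query responses, and "encryption" stores it reversibly (symmetric key in the OpenIDM keystore) rather than hashed, which is what allows the same value to be pushed out to LDAP, AD and Google Apps on a change; a hashed password cannot be replayed to targets, so if you ever switch to a secureHash setting, password sync to the three systems stops working. Second, userName, mail and uidNumber are marked searchable because they are the candidate correlation keys; accountStatus is kept so that the ~7000 UNIX entries that are "closed but kept" can be represented without being deleted, which is the edge case in the original question that a bare reconciliation would otherwise flag.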



    Thank you, Bill. That is very helpful. I will probably have more questions, but now I think I can test it out with a little clearer picture!


©2022 ForgeRock