Sync Ldap Group members with local object

This topic has 1 reply, 2 voices, and was last updated 6 years, 2 months ago by Jake Feasel.


    I have local user and group objects in OpenIDM, imported from AD LDAP.
    I need to manage LDAP groups through IDM.
    I created a local group object with a member attribute:

    "member" : {
        "description" : "",
        "title" : "member",
        "viewable" : true,
        "searchable" : true,
        "userEditable" : false,
        "policies" : [ ],
        "returnByDefault" : true,
        "minLength" : "",
        "pattern" : "",
        "type" : "array",
        "items" : {
            "type" : "relationship",
            "reverseRelationship" : false,
            "reversePropertyName" : "",
            "validate" : false,
            "properties" : {
                "_ref" : {
                    "type" : "string"
                },
                "_refProperties" : {
                    "type" : "string",
                    "properties" : {
                        "_id" : {
                            "type" : "string",
                            "label" : ""
                        }
                    }
                }
            },
            "resourceCollection" : [
                {
                    "path" : "managed/user",
                    "label" : "User",
                    "query" : {
                        "queryFilter" : "true",
                        "fields" : [ ],
                        "sortKeys" : [ ]
                    }
                }
            ]
        }
    }

    How do I sync LDAP -> IDM and IDM -> LDAP with automatic link/unlink through the LDAP member DN?

    • This topic was modified 6 years, 2 months ago by Jake Feasel. Reason: formatting
     Jake Feasel

    Direct translation of remote system relationships such as accounts and groups in LDAP into OpenIDM relationships is presently not well supported. It is possible via some complex transform scripts within your mapping, but you might find that a challenge to build out.

    I recommend using roles to handle the provisioning aspect. Basically, rather than maintaining a managed/group copy of the ldap group, you could define some roles which have assignments associated with them designed for use with your managedUser-to-ldapAccount mapping. Each of these assignments will contain attributes defining values for ldapGroups, so that when a user is granted the role they will have these ldapGroup values defined for them via the mapping. Ideally you could establish some rules around determining which users should have which roles (for example, if they have the title “manager” then they should have the “Manager” role, which grants an assignment in LDAP with the ldapGroup of cn=Manager,ou=Groups,dc=example,dc=com). This should be especially easy if you are using OpenIDM 4.5, since you can declare conditions for granting roles automatically.
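A concrete version of the role-and-assignment approach described in the reply above, added here as an illustration; it is not configuration from the original thread or from the OpenIDM samples. It shows two separate managed resources, first a managed/assignment and then a managed/role that references it. The assignment carries the ldapGroups value for the user-to-LDAP-account mapping, so any user holding the role gets that group DN merged into their LDAP entry and removed again when the role is revoked. The role's condition is the OpenIDM 4.5 query-filter form that grants the role automatically to users whose title is "manager". Assumptions: the mapping is named managedUser_systemLdapAccounts (substitute your own mapping name from sync.json), and ASSIGNMENT_ID_PLACEHOLDER stands for the _id OpenIDM returns when the assignment is created.

```json
{
    "name" : "Manager LDAP group",
    "description" : "Adds the member to cn=Manager in LDAP (added example; not from the thread)",
    "mapping" : "managedUser_systemLdapAccounts",
    "attributes" : [
        {
            "name" : "ldapGroups",
            "value" : [ "cn=Manager,ou=Groups,dc=example,dc=com" ],
            "assignmentOperation" : "mergeWithTarget",
            "unassignmentOperation" : "removeFromTarget"
        }
    ]
}

{
    "name" : "Manager",
    "description" : "Granted automatically to users with title manager (added example; not from the thread)",
    "condition" : "/title eq \"manager\"",
    "assignments" : [
        {
            "_ref" : "managed/assignment/ASSIGNMENT_ID_PLACEHOLDER",
            "_refProperties" : { }
        }
    ]
}
```

Using mergeWithTarget rather than replaceTarget keeps any ldapGroups values that come from other assignments, and removeFromTarget on unassignment means a user who loses the role (for example because their title changes) is taken out of the group on the next sync rather than left with stale membership.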


©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
