Page tree
Skip to end of metadata
Go to start of metadata

Status

Works well.

Description

Changes in OpenDJ are detected using External Change Log (ECL) mechanism, similar mechanism to the one that was known as Retro Change Log in Sun Directory Servers. The ECL is presented as an LDAP subtree with base DN of cn=changelog. Each change is represented as an entry in that subtree and it remains in that subtree for few days.

Modified Identity Connector Framework (ICF) LDAP connector is recommended. The connector scans the cn=changelog subtree for new entries in regular intervals.

The connector is using a special user for accessing OpenDJ, e.g. uid=idm,ou=Administrators,dc=example,dc=com. The connector should not use the cn=directory manager superuser. Firstly, this is a best practice. Secondly, midPoint is itself making the changes to the directory tree during provisioning. We do not want to detect these changes in LDAP (as "echoes"), as it may cause loops in the business logic. Therefore connector is filtering out all changes made by this user. Therefore, this user should be dedicated to midPoint.

Recommended Connectors

Type

Description

Comments

OpenICF Generic LDAP connector

LDAP Connector

Need to use simulated activation (enabled/disable)

Resource Configuration

Please see the chapter on OpenDJ Installation and Configuration.

Connector Configuration

See LDAP Connector documentation.

Connector Configuration Example

<configuration
xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/org.forgerock.openicf.connectors.ldap-connector/org.identityconnectors.ldap.LdapConnector"
xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-2">

    <!-- Configuration specific for the LDAP connector -->
    <icfcldap:configurationProperties>
        <icfcldap:port>1389</icfcldap:port>
        <icfcldap:host>localhost</icfcldap:host>
        <icfcldap:baseContexts>dc=example,dc=com</icfcldap:baseContexts>
        <icfcldap:principal>uid=idm,ou=Administrators,dc=example,dc=com</icfcldap:principal>
        <icfcldap:credentials>
            <clearValue>secret</clearValue>
        </icfcldap:credentials>
        <icfcldap:modifiersNamesToFilterOut>uid=idm,ou=Administrators,dc=example,dc=com</icfcldap:modifiersNamesToFilterOut>
        <icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute>
        <icfcldap:usePagedResultControl>true</icfcldap:usePagedResultControl>
    </icfcldap:configurationProperties>

    <!-- Generic ICF configuration -->

    <icfc:connectorPoolConfiguration>
        <icfc:minEvictableIdleTimeMillis>120000</icfc:minEvictableIdleTimeMillis>
        <icfc:minIdle>1</icfc:minIdle>
        <icfc:maxIdle>10</icfc:maxIdle>
        <icfc:maxObjects>10</icfc:maxObjects>
        <icfc:maxWait>150000</icfc:maxWait>
    </icfc:connectorPoolConfiguration>

    <icfc:producerBufferSize>100</icfc:producerBufferSize>

    <icfc:timeouts>
        <icfc:create>-1</icfc:create>
        <icfc:get>-1</icfc:get>
        <icfc:update>-1</icfc:update>
        <icfc:delete>-1</icfc:delete>
        <icfc:test>-1</icfc:test>
        <icfc:scriptOnConnector>-1</icfc:scriptOnConnector>
        <icfc:scriptOnResource>-1</icfc:scriptOnResource>
        <icfc:authentication>-1</icfc:authentication>
        <icfc:search>-1</icfc:search>
        <icfc:validate>-1</icfc:validate>
        <icfc:sync>-1</icfc:sync>
        <icfc:schema>-1</icfc:schema>
    </icfc:timeouts>

	<icfc:resultsHandlerConfiguration>
		<icfc:enableCaseInsensitiveFilter>true</icfc:enableCaseInsensitiveFilter>
	</icfc:resultsHandlerConfiguration>

 </configuration>

Resource Sample

Simple resource sample (Git master).

Advanced resource sample (Git master).

Troubleshooting

Check External Changelog Availability

ldapsearch -h localhost -p 1389 -D "uid=idm,ou=Administrators,dc=example,dc=com" -w secret -b "cn=changelog" "(objectclass=*)"

Check Replication Purge Delay

dsconfig -h localhost -p 4444 -D "cn=directory manager" -w secret -n get-replication-server-prop --provider-name "Multimaster Synchronization" --advanced --property replication-purge-delay -X

Change Replication Purge Delay

dsconfig -h localhost -p 4444 -D "cn=directory manager" -w secret -n set-replication-server-prop --provider-name "Multimaster Synchronization" --set replication-purge-delay:1d -X

Purging Changelog

There seems not be no better way than to manipulate the replication purge delay. Change the delay to 1s, wait and a second and then change it back to the original value.

Frequent Errors

Password Reset Privileges

LDAP: error code 50 - You do not have sufficient privileges to reset user passwords

This indicates that the connector user does not have privilege to reset users password. In OpenDJ this is a special privilege and the ACI setup is not enough to enable this. Make sure that the IDM LDAP user has the password-reset privilege, e.g.:

dn: uid=idm,ou=Administrators,dc=example,dc=com
uid: idm
...
ds-privilege-name: password-reset

Deployment Tips

  • No labels