Status
Works well.
Description
The connector is using a special user for accessing OpenLDAP, e.g. uid=idm,ou=Administrators,dc=example,dc=com. Access for this user is allowed by ACLs. The connector should not use root user. Firstly, this is a best practice. Secondly, midPoint is itself making the changes to the directory tree during provisioning. We do not want to detect these changes in LDAP (as "echoes"), as it may cause loops in the business logic. Therefore connector is filtering out all changes made by this user. Therefore, this user should be dedicated to midPoint.
Recommended Connectors
Type | Description | Comments |
|---|---|---|
Evolveum version of OpenICF LDAP connector |
|
Resource Configuration
See OpenLDAP Installation and Configuration page.
Connector Configuration
See LDAP Connector documentation.
The default security setup in recent OpenLDAP version seems to be using STARTTLS mechanism. The stock OpenICF LDAP connector does not support it. Evolveum version of the connector does.
Connector Configuration Example
<connectorConfiguration
xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
<icfc:configurationProperties>
<icfcldap:port>389</icfcldap:port>
<icfcldap:host>localhost</icfcldap:host>
<icfcldap:baseContext>dc=example,dc=com</icfcldap:baseContext>
<icfcldap:bindDn>cn=idm,ou=Administrators,dc=example,dc=com</icfcldap:bindDn>
<icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword>
<icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify>
<icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
<icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
<icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute>
<icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
<icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
<icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
</icfc:configurationProperties>
<icfc:resultsHandlerConfiguration>
<icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
<icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
</icfc:resultsHandlerConfiguration>
</connectorConfiguration>
Resource Sample
OpenLDAP configuration samples from master branch.
Limitations
- OpenLDAP does not advertise the support for permissive modify control in root DSE, therefore the connector cannot detect it automatically. To use the permissive modify control in the connector it has to be explicitly enabled (
usePermissiveModify=true) - Lockout status: LDAP connector can unlock OpenLDAP accounts if that functionality is enabled (
lockoutStrategy=openldap). The connector can also read the lockout status. However, it cannot detect the status of expired locks correctly. See http://www.openldap.org/lists/openldap-technical/201606/msg00035.html and the follow-up messages.