midPoint
Page tree
Skip to end of metadata
Go to start of metadata

Status

Works well.

Description

The connector is using a special user for accessing OpenLDAP, e.g. uid=idm,ou=Administrators,dc=example,dc=com. Access for this user is allowed by ACLs. The connector should not use root user. Firstly, this is a best practice. Secondly, midPoint is itself making the changes to the directory tree during provisioning. We do not want to detect these changes in LDAP (as "echoes"), as it may cause loops in the business logic. Therefore connector is filtering out all changes made by this user. Therefore, this user should be dedicated to midPoint.

Recommended Connectors

Type

Description

Comments

Evolveum version of OpenICF LDAP connector

LDAP Connector


Resource Configuration

See OpenLDAP Installation and Configuration page.

Connector Configuration

See LDAP Connector documentation.

The default security setup in recent OpenLDAP version seems to be using STARTTLS mechanism. The stock OpenICF LDAP connector does not support it. Evolveum version of the connector does.

Connector Configuration Example

<connectorConfiguration 
            xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
            xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
        <icfc:configurationProperties>
            <icfcldap:port>389</icfcldap:port>
            <icfcldap:host>localhost</icfcldap:host>
            <icfcldap:baseContext>dc=example,dc=com</icfcldap:baseContext>
            <icfcldap:bindDn>cn=idm,ou=Administrators,dc=example,dc=com</icfcldap:bindDn>
            <icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword>
            <icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify>
            <icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
            <icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
            <icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute>
            <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
            <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
            <icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
        </icfc:configurationProperties>
        <icfc:resultsHandlerConfiguration>
            <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
            <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
            <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
        </icfc:resultsHandlerConfiguration>
    </connectorConfiguration>

Resource Sample

OpenLDAP configuration samples from master branch.

Limitations

  • OpenLDAP does not advertise the support for permissive modify control in root DSE, therefore the connector cannot detect it automatically. To use the permissive modify control in the connector it has to be explicitly enabled (usePermissiveModify=true)
  • Lockout status: LDAP connector can unlock OpenLDAP accounts if that functionality is enabled (lockoutStrategy=openldap). The connector can also read the lockout status. However, it cannot detect the status of expired locks correctly. See http://www.openldap.org/lists/openldap-technical/201606/msg00035.html and the follow-up messages.

See Also

  • No labels

Copyright © 2011-2020 Evolveum s.r.o. and Contributors