The connector is using a special user for accessing OpenLDAP, e.g.
uid=idm,ou=Administrators,dc=example,dc=com. Access for this user is allowed by ACLs. The connector should not use root user. Firstly, this is a best practice. Secondly, midPoint is itself making the changes to the directory tree during provisioning. We do not want to detect these changes in LDAP (as "echoes"), as it may cause loops in the business logic. Therefore connector is filtering out all changes made by this user. Therefore, this user should be dedicated to midPoint.
Evolveum version of OpenICF LDAP connector
See OpenLDAP Installation and Configuration page.
The default security setup in recent OpenLDAP version seems to be using STARTTLS mechanism. The stock OpenICF LDAP connector does not support it. Evolveum version of the connector does.
Connector Configuration Example
- OpenLDAP does not advertise the support for permissive modify control in root DSE, therefore the connector cannot detect it automatically. To use the permissive modify control in the connector it has to be explicitly enabled (
- Lockout status: LDAP connector can unlock OpenLDAP accounts if that functionality is enabled (
lockoutStrategy=openldap). The connector can also read the lockout status. However, it cannot detect the status of expired locks correctly. See http://www.openldap.org/lists/openldap-technical/201606/msg00035.html and the follow-up messages.