LDAP

Overview

The LDAP connector enables identity provisioning to LDAP v3 servers.

Supported Resources

  • LDAP v3
  • OpenLDAP
  • Sun ONE Directory Server 4.x
  • Sun Java System Directory Server 5 (2004Q2, 2005Q1), 6.3
  • OpenDJ

Installation

To install the LDAP connector, add the bundle JAR file to a directory on your disk. If your application has a dedicated directory for connector bundles, put the file in that directory. For example, Apache Syncope looks for connector bundles in the configured bundles directory.

Supported Operations

The LDAP connector supports the following operations:

  • Authentication
  • Create
  • Delete
  • Get
  • Schema
  • ScriptOnConnector
  • Search
  • Sync (only with Sun / Oracle DSEE, RedHat 389 and OpenDS / OpenDJ)
  • Test
  • Update
  • Validate

Configuration

The following configuration properties can be specified when setting up the LDAP connector. Each entry gives the type, whether the property is required, and the default value where one exists:

  host  [String, required]
      LDAP server to connect to.

  port  [int, default 389]
      TCP port to connect to.

  ssl  [boolean, default false]
      Connect using SSL.

  failover  [String]
      An array of LDAP URLs specifying failover servers. If the connector cannot connect to the server specified in the host property, it tries these failover servers in the specified order.

  principal  [String]
      Distinguished name (DN) of the LDAP entry used to perform provisioning operations.

  credentials  [GuardedString]
      Password corresponding to the entry specified in the principal property.

  baseContexts  [String, required]
      Base context DNs for provisioning operations. The connector ignores any entries outside these base contexts.

  passwordAttribute  [String, default "userPassword"]
      Name of the LDAP attribute that holds the LDAP entry's password. This attribute is read and modified by password-change operations.

  accountObjectClasses  [String, default { "top", "person", "organizationalPerson", "inetOrgPerson" }]
      Object classes to which the ACCOUNT object class is mapped.

  accountUserNameAttributes  [String, default { "cn", "uid" }]
      LDAP attributes to which authentication user names are mapped. The connector uses this property to search for the LDAP entry corresponding to the user name passed to an authentication operation.

  accountSearchFilter  [String]
      LDAP search filter for accounts. When searching for accounts, the connector only considers those that match the specified filter.

  addPrincipalToNewGroups  [boolean, default false]
      When enabled, the configured principal is added as the first member of each new group.

  groupMemberAttribute  [String, default "uniqueMember"]
      LDAP attribute that holds the members of LDAP static groups.

  groupObjectClasses  [String, default { "top", "groupOfUniqueNames" }]
      The group class or classes used when creating new group objects in the LDAP tree.

  groupNameAttributes  [String, default { "cn" }]
      Attribute or attributes that hold the group's name.

  groupSearchFilter  [String]
      LDAP filter for retrieving groups.

  maintainLdapGroupMembership  [boolean, default false]
      Maintain LDAP group membership when renaming or deleting entries.

  maintainPosixGroupMembership  [boolean, default false]
      Maintain POSIX group membership when renaming or deleting entries.

  passwordHashAlgorithm  [String]
      Algorithm used to hash passwords. Valid values are "SHA", "SSHA", "MD5" and "SMD5". If you specify "SSHA" or "SMD5", the connector appends a random salt value to the password value before hashing.

  respectResourcePasswordPolicyChangeAfterReset  [boolean, default false]
      Check for the Password Expired and Password Policy controls when binding.

  useBlocks  [boolean, default true]
      Use a block-based control for search operations, such as the Simple Paged Results or the Virtual List View (VLV) Index controls.

  blockSize  [int, default 100]
      Block size to use with block-based controls. This property is meaningful only when the useBlocks property is true.

  usePagedResultControl  [boolean, default false]
      Use the Simple Paged Results control for search operations. If false, the connector uses the VLV Index control. This property is meaningful only when the useBlocks property is true.

  vlvSortAttribute  [String, default "uid"]
      LDAP attribute to use as the sort key when using the VLV Index control. This property is meaningful only when the useBlocks property is true and the usePagedResultControl property is false.

  uidAttribute  [String, default "entryUUID"]
      LDAP attribute to use as the value of the Uid connector attribute.

  readSchema  [boolean, default true]
      If true, the connector reads the schema from the server. If false, the connector provides a default schema based on the object classes in the configuration. This property must be true in order to use extended object classes.

  baseContextsToSynchronize  [String]
      Base context DNs to use for synchronization. The connector ignores any changes outside these base contexts.

  objectClassesToSynchronize  [String, default "inetOrgPerson"]
      LDAP object classes to synchronize. The connector ignores a change if it cannot find any of the modified entry's object classes in this property.

  attributesToSynchronize  [String]
      LDAP attributes to synchronize. The connector ignores changes to any LDAP attributes not specified in this property.

  modifiersNamesToFilterOut  [String]
      Modifier DNs to filter out for synchronization. The connector ignores any changes made by an entry specified in this property.

  accountSynchronizationFilter  [String]
      LDAP search filter used to filter accounts out of synchronization. The connector ignores changes to any accounts that do not match the filter specified in this property.

  changeLogBlockSize  [int, default 100]
      Block size to use when reading changes from the change log.

  changeNumberAttribute  [String, default "changeNumber"]
      LDAP attribute that holds the change number in change log entries.

  filterWithOrInsteadOfAnd  [boolean, default false]
      Use an and filter instead of an or filter when searching for change log entries.

  removeLogEntryObjectClassFromFilter  [boolean, default true]
      Remove the condition that tests whether the object class of change log entries is changeLogEntry from the filter used to search for entries in the change log.

  synchronizePasswords  [boolean, default false]
      Synchronize passwords during synchronization. This property is only supported with Sun / Oracle DSEE, RedHat 389 and OpenDS / OpenDJ.

  passwordAttributeToSynchronize  [String]
      LDAP attribute to synchronize during password synchronization. This property is meaningful only when the synchronizePasswords property is true.

  passwordDecryptionKey  [GuardedByteArray]
      Decryption key used to decrypt passwords during password synchronization. This property is meaningful only when the synchronizePasswords property is true.

  passwordDecryptionInitializationVector  [GuardedByteArray]
      Initialization vector used when decrypting passwords during password synchronization. This property is meaningful only when the synchronizePasswords property is true.

  statusManagementClass  [String]
      Java class used to enable/disable identities. Any custom implementation must extend org.identityconnectors.ldap.commons.StatusManagement in order to implement all the methods required to manage enable/disable requests. A few convenience implementations are provided:

        1. org.connid.bundles.ldap.commons.AttributeStatusManagement (< 1.4.0) / net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement (>= 1.4.0)
           Uses the description attribute to store Active / Inactive values; this is basically a sample class, meant for subclassing.
        2. org.connid.bundles.ldap.commons.NSStatusManagement (< 1.4.0) / net.tirasa.connid.bundles.ldap.commons.NSStatusManagement (>= 1.4.0)
           Works on the nsAccountLock attribute; ready for use with RedHat / Fedora 389 and Oracle DSEE.
        3. net.tirasa.connid.bundles.ldap.commons.OpenDJStatusManagement (>= 1.5.5)
           Works on the ds-pwp-account-disabled attribute; ready for use with OpenDJ.

  retrievePasswordsWithSearch  [boolean, default false]
      Whether to retrieve passwords when searching.

  connectTimeout  [long, default 0]
      Time to wait when opening new server connections. A value of 0 means the TCP network timeout is used, which may be several minutes. A value less than 0 means there is no limit.

  readTimeout  [long, default 0]
      Time to wait for a response to be received. If there is no response within the specified period, the read attempt is aborted. A value of 0 or less means there is no limit.
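As an added example (not the connector's own code), the functions below show how an authentication user name is mapped through accountUserNameAttributes and optionally combined with accountSearchFilter to locate the account entry. The exact way the connector composes the filter is an assumption; the RFC 4515 escaping is the part a defender should check for, because an unescaped user name containing filter metacharacters would change the query instead of being matched literally.

```python
# Added example, not code from the LDAP connector. The OR/AND composition
# below is an assumption about how accountUserNameAttributes and
# accountSearchFilter are combined; the escaping follows RFC 4515.

# Escape sequences for the characters that are special inside an LDAP
# filter assertion value (RFC 4515, section 3).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value):
    """Escape a value so it can be embedded literally in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_account_lookup_filter(user_name, user_name_attributes=("cn", "uid"),
                                account_search_filter=None):
    """Build the filter that locates the entry for an authentication user name.

    user_name_attributes mirrors accountUserNameAttributes (default {"cn", "uid"}):
    one equality clause per attribute, OR-ed together. account_search_filter
    mirrors accountSearchFilter and, when set, is AND-ed on top so that only
    entries matching the configured account filter are considered.
    """
    if not user_name_attributes:
        raise ValueError("at least one user name attribute is required")
    escaped = escape_filter_value(user_name)
    clauses = ["(%s=%s)" % (attr, escaped) for attr in user_name_attributes]
    name_filter = clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)
    if account_search_filter:
        return "(&%s%s)" % (name_filter, account_search_filter)
    return name_filter
```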

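The passwordHashAlgorithm values above differ mainly in whether a salt is appended before hashing; the added example below (not the connector's code) produces the four userPassword encodings and verifies a stored value. The "{SCHEME}base64(digest + salt)" layout is the RFC 2307 / OpenLDAP convention and is assumed here to be what the connector writes, and the 8-byte salt length is also an assumption.

```python
# Added example, not code from the LDAP connector. Encoding layout and
# salt length are assumptions (RFC 2307 / OpenLDAP convention, 8-byte salt).
import base64
import hashlib
import hmac
import os

# scheme name -> (digest constructor, whether a random salt is appended)
SCHEMES = {
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
}


def hash_password(password, algorithm, salt=None):
    """Return the userPassword value for `password` under `algorithm`.

    For SSHA and SMD5 the salt is appended to the password before hashing and
    stored after the digest, so the verifier can recover it. SHA and MD5 take
    no salt, which is why equal passwords yield identical stored values.
    """
    scheme = algorithm.upper()
    digest_fn, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)  # assumed salt length
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(password, stored):
    """Check `password` against a stored {SHA}/{SSHA}/{MD5}/{SMD5} value."""
    scheme, _, encoded = stored.partition("}")
    digest_fn, salted = SCHEMES[scheme.lstrip("{").upper()]
    raw = base64.b64decode(encoded)
    size = digest_fn().digest_size
    expected = raw[:size]
    salt = raw[size:] if salted else b""
    actual = digest_fn(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(actual, expected)
```

Two entries with the same password get identical SHA or MD5 values but different SSHA or SMD5 values, which is the practical reason to prefer the salted schemes on a directory that stores provisioned passwords.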

Schema

The LDAP connector supports the following objectclasses:

  • ACCOUNT objectclass: mapped to the LDAP objectclasses specified in the accountObjectClasses configuration property. This objectclass has the following attributes:

      UID       Account unique id. Mapped to the LDAP attribute specified by the uidAttribute configuration property.
      NAME      DN of the LDAP entry.
      PASSWORD  Account password.

  • GROUP objectclass: mapped to the LDAP objectclass groupOfUniqueNames. This objectclass has the following attributes:

      UID       Group unique id. Mapped to the LDAP attribute specified by the uidAttribute configuration property.
      NAME      DN of the LDAP entry.


Note:

The schema contents are not related to the connector's ability to handle LDAP objectclasses and attributes. Although LDAP objectclasses are not exposed as connector objectclasses, the connector can create, modify, etc., objects of any objectclass supported by the LDAP server.