LDAP

Overview

The LDAP connector enables identity provisioning to LDAP v3 servers.

Supported Resources

  • LDAP v3
  • OpenLDAP
  • Sun ONE Directory Server 4.x
  • Sun Java System Directory Server 5 (2004Q2, 2005Q1), 6.3
  • OpenDJ

Installation

To install the LDAP connector, add the bundle JAR file to a directory on your disk. If your application has a dedicated directory for connector bundles, put the file in that directory. For example, Apache Syncope looks for connector bundles in the configured bundles directory.

Supported Operations

The LDAP connector supports the following operations:

  • Authentication
  • Create
  • Delete
  • Get
  • Schema
  • ScriptOnConnector
  • Search
  • Sync (only with Sun / Oracle DSEE, RedHat 389 and OpenDS / OpenDJ)
  • Test
  • Update
  • Validate

Configuration

The following table lists all the configuration properties you can specify when setting up the LDAP connector:


Configuration PropertyRequiredTypeDefault ValueDescription
hostXString
LDAP server on which to connect
port
int389TCP port on which to connect
ssl
booleanfalseConnect using SSL
failover
String
An array of LDAP URLs specifying failover servers. If the connector cannot make a connection to the server specified in the host property, it will try connecting to these failover servers in the specified order.
principal
String
Distinguished name (DN) of the LDAP entry under to perform provisioning operations
credentials
GuardedString?
Password corresponding to the entry specified in the principal property
baseContextsXString
Base context DNs for provisioning operations. The connector ignores any entries outside these base contexts.
passwordAttribute
String"userPassword"Name of the LDAP attribute that holds the LDAP entry's password. This attribute is read and modified by password-change operations.
accountObjectClasses
String{ "top", 
"person", 
"organizationalPerson",
"inetOrgPerson" }
Object classes to which the ACCOUNT object class is mapped.
accountUserNameAttributes
String{ "cn", "uid" }LDAP attributes to which the authentication user names are mapped. The connector uses this property search for the LDAP entry corresponding to the user name that is passed to an authentication operation.
accountSearchFilter
String
LDAP search filter for accounts. When searching for accounts, the connector only considers those accounts that match the specified filter.
groupMemberAttribute
String"uniqueMember"LDAP attribute that holds the member of LDAP static groups
groupObjectClasses
String{"top", "groupOfUniqueNames"}The group class or classes that will be used when creating new group objects in the LDAP tree.
groupNameAttributes
String{"cn"}

Attribute or attributes which holds the group's name.

groupSearchFilter
String

LDAP Filter for Retrieving Groups.

maintainLdapGroupMembership
booleanfalseMaintain LDAP group membership when renaming or deleting entries
maintainPosixGroupMembership
booleanfalseMaintain POSIX group membership when renaming or deleting entries
passwordHashAlgorithm
String
Algorithm used to hash passwords. Valid values are "SHA", "SSHA", "MD5", and "SMD5". If you specify "SSHA" or "SMD5", the connector appends a random salt value to the password value before hashing.
respectResourcePasswordPolicyChangeAfterReset
booleanfalseCheck for the Password Expired and Password Policy controls when binding
useBlocks
booleantrueUse a block-based control for search operations, such as the Simple Paged Results or the Virtual List View (VLV) Index controls
blockSize
int100Block size to use with block-based controls. This property is meaningful only when theuseBlocks property is true.
usePagedResultControl
booleanfalseUse the Simple Paged Results control for search operations. 

If false, the connector uses VLV Index control. This property is meaningful only when theuseBlocks property is true.
vlvSortAttribute
String"uid"LDAP attribute to use as the sort key when you are using the VLV Index control. This property is meaningful only when the useBlocks property is true and theusePagedResultControl property is false.
uidAttribute
String"entryUUID"LDAP attribute to use as the Uid connector attribute value
readSchema
booleantrueIf true, the connector will read the schema from the server. If false, the connector will provide a default schema based on the object classes in the configuration. This property must be true in order to use extended object classes.
baseContextsToSynchronize
String
Base context DNs to use for synchronization. The connector ignores any changes outside of these base contexts.
objectClassesToSynchronize
String"inetOrgPerson"LDAP object classes to synchronize. The connector ignores any changes if it cannot find any of the modified entry's object classes in this property.
attributesToSynchronize
String
LDAP attributes to synchronize. The connector ignores changes to any LDAP attributes that are not specified in this property.
modifiersNamesToFilterOut
String
Modifier DNs to filter out for synchronization. The connector ignores any changes made by an entry specified in this property.
accountSynchronizationFilter
String
LDAP search filter used to filter out accounts from synchronization. The connector ignores changes to any accounts that do not match the filter specified in this property.
changeLogBlockSize
int100Block size to use when reading changes from the change log
changeNumberAttribute
String"changeNumber"LDAP attribute that holds the change number name in change log entries
filterWithOrInsteadOfAnd
booleanfalseUse an and filter instead of an or filter when searching for change log entries
removeLogEntryObjectClassFromFilter
booleantrueRemove the condition that tests whether the object class of the change log entries ischangeLogEntry from the filter used to search for entries in the change log
synchronizePasswords
booleanfalseSynchronize passwords during synchronization. This property is only supported with Sun / Oracle DSEE, RedHat 389 and OpenDS / OpenDJ.
passwordAttributeToSynchronize
String
LDAP attribute used to synchronize during password synchronization. This property is meaningful only when the synchronizePasswords property is true.
passwordDecryptionKey
GuardedByteArray
Decryption key used to decrypt passwords during password synchronization. This property is meaningful only when the synchronizePasswords property is true.
passwordDecryptionInitializationVector
GuardedByteArray
Initialization key used when decrypting passwords during password synchronization. This property is meaningful only when the synchronizePasswords property is true.
statusManagementClass
String

Java class to be used to enable/disable identities.

Any custom implementation must extend org.identityconnectors.ldap.commons.StatusManagement in order to implement all the required methods to manage enable/disable requests.

A couple of convenience implementations are provided:

  1. org.connid.bundles.ldap.commons.AttributeStatusManagement (< 1.4.0) / net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement (>= 1.4.0)
    Uses the description attribute for storing Active / Inactive values; this is basically a sample class, meant for subclassing.
  2. org.connid.bundles.ldap.commons.NSStatusManagement (< 1.4.0) / net.tirasa.connid.bundles.ldap.commons.NSStatusManagement (>= 1.4.0)
    Works on the nsAccountLock attribute; this is ready for usage with RedHat / Fedora 389 and Oracle DSEE.
  3. net.tirasa.connid.bundles.ldap.commons.OpenDJStatusManagement ( >= 1.5.5)
    Works on the ds-pwp-account-disabled attribute; this is ready for usage with OpenDJ.
retrievePasswordsWithSearch
booleanfalseWhether to retrieve passwords when searching.
connectTimeout
long0Time to wait when opening new server connections. Value of 0 means the TCP network timeout will be used, which may be several minutes. Value less than 0 means there is no limit.
readTimeout
long0Time to wait for a response to be received. If there is no response within the specified time period, the read attempt will be aborted. Value 0 or less than 0 means there is no limit.


Schema

The LDAP connector supports the following objectclasses:

  • ACCOUNT objectclass: Mapped to the LDAP objectclasses specified in the accountObjectClasses configuration property. This objectclass has the following attributes:


Attribute NameDescription
UIDAccount unique id. Mapped to the LDAP attribute specified by uidAttribute configuration property.
NAMEDN of the LDAP entry.
PASSWORDAccount password.


  • GROUP objectclass: Mapped to the LDAP objectclass groupOfUniqueNames. This objectclass has the following attributes:


Attribute NameDescription
UIDGroup unique id. Mapped to the LDAP attribute specified by uidAttribute configuration property.
NAMEDN of the LDAP entry.


Note:

The schema contents are not related to the connector's ability to handle LDAP objectclasses and attributes. Although LDAP objectclasses are not exposed as connector objectclasses, the connector can create, modify, etc., objects of any objectclass supported by the LDAP server.