LDAP

Overview

The LDAP connector enables identity provisioning to LDAP v3 servers.

Supported Resources

  • LDAP v3

  • OpenLDAP

  • Sun ONE Directory Server 4.x

  • Sun Java System Directory Server 5 (2004Q2, 2005Q1), 6.3

  • OpenDJ

Installation

To install the LDAP connector, add the bundle JAR file to a directory on your disk. If your application has a dedicated directory for connector bundles, put the file in that directory. For example, Apache Syncope looks for connector bundles in the configured bundles directory.

Supported Operations

The LDAP connector supports the following operations:

  • Authentication

  • Create

  • Delete

  • Get

  • Schema

  • ScriptOnConnector

  • Search

  • Sync (only with Sun / Oracle DSEE, RedHat 389 and OpenDS / OpenDJ)

  • Test

  • Update

  • Validate

Configuration

The following table lists all the configuration properties you can specify when setting up the LDAP connector:

| Configuration Property | Required | Type | Default Value | Description |
|---|---|---|---|---|
| host | X | String | | LDAP server on which to connect |
| port | | int | 389 | TCP port on which to connect |
| ssl | | boolean | false | Connect using SSL |
| failover | | String | | An array of LDAP URLs specifying failover servers. If the connector cannot make a connection to the server specified in the host property, it tries these failover servers in the specified order. |
| principal | | String | | Distinguished name (DN) of the LDAP entry under which to perform provisioning operations |
| credentials | | GuardedString | | Password corresponding to the entry specified in the principal property |
| baseContexts | X | String | | Base context DNs for provisioning operations. The connector ignores any entries outside these base contexts. |
| passwordAttribute | | String | "userPassword" | Name of the LDAP attribute that holds the LDAP entry's password. This attribute is read and modified by password-change operations. |
| accountObjectClasses | | String | { "top", "person", "organizationalPerson", "inetOrgPerson" } | Object classes to which the ACCOUNT object class is mapped. |
| accountUserNameAttributes | | String | { "cn", "uid" } | LDAP attributes to which the authentication user names are mapped. The connector uses this property to search for the LDAP entry corresponding to the user name that is passed to an authentication operation. |
| accountSearchFilter | | String | | LDAP search filter for accounts. When searching for accounts, the connector only considers those accounts that match the specified filter. |
| addPrincipalToNewGroups | | boolean | false | When enabled, the configured principal is added as the first member of a new group. |
| groupMemberAttribute | | String | "uniqueMember" | LDAP attribute that holds the members of LDAP static groups |
| groupObjectClasses | | String | { "top", "groupOfUniqueNames" } | The group class or classes that will be used when creating new group objects in the LDAP tree. |
| groupNameAttributes | | String | { "cn" } | Attribute or attributes which hold the group's name. |
| groupSearchFilter | | String | | LDAP filter for retrieving groups. |
| maintainLdapGroupMembership | | boolean | false | Maintain LDAP group membership when renaming or deleting entries |
| maintainPosixGroupMembership | | boolean | false | Maintain POSIX group membership when renaming or deleting entries |
| passwordHashAlgorithm | | String | | Algorithm used to hash passwords. Valid values are "SHA", "SSHA", "MD5", and "SMD5". If you specify "SSHA" or "SMD5", the connector appends a random salt value to the password value before hashing. |
| respectResourcePasswordPolicyChangeAfterReset | | boolean | false | Check for the Password Expired and Password Policy controls when binding |
| useBlocks | | boolean | true | Use a block-based control for search operations, such as the Simple Paged Results or the Virtual List View (VLV) Index controls |
| blockSize | | int | 100 | Block size to use with block-based controls. This property is meaningful only when the useBlocks property is true. |
| usePagedResultControl | | boolean | false | Use the Simple Paged Results control for search operations. If false, the connector uses the VLV Index control. This property is meaningful only when the useBlocks property is true. |
| vlvSortAttribute | | String | "uid" | LDAP attribute to use as the sort key when you are using the VLV Index control. This property is meaningful only when the useBlocks property is true and the usePagedResultControl property is false. |
| uidAttribute | | String | "entryUUID" | LDAP attribute to use as the Uid connector attribute value |
| readSchema | | boolean | true | If true, the connector reads the schema from the server. If false, the connector provides a default schema based on the object classes in the configuration. This property must be true in order to use extended object classes. |
| baseContextsToSynchronize | | String | | Base context DNs to use for synchronization. The connector ignores any changes outside of these base contexts. |
| objectClassesToSynchronize | | String | "inetOrgPerson" | LDAP object classes to synchronize. The connector ignores any changes if it cannot find any of the modified entry's object classes in this property. |
| attributesToSynchronize | | String | | LDAP attributes to synchronize. The connector ignores changes to any LDAP attributes that are not specified in this property. |
| modifiersNamesToFilterOut | | String | | Modifier DNs to filter out for synchronization. The connector ignores any changes made by an entry specified in this property. |
| accountSynchronizationFilter | | String | | LDAP search filter used to filter out accounts from synchronization. The connector ignores changes to any accounts that do not match the filter specified in this property. |
| changeLogBlockSize | | int | 100 | Block size to use when reading changes from the change log |
| changeNumberAttribute | | String | "changeNumber" | LDAP attribute that holds the change number in change log entries |
| filterWithOrInsteadOfAnd | | boolean | false | Use an and filter instead of an or filter when searching for change log entries |
| removeLogEntryObjectClassFromFilter | | boolean | true | Remove the condition that tests whether the object class of the change log entries is changeLogEntry from the filter used to search for entries in the change log |
| synchronizePasswords | | boolean | false | Synchronize passwords during synchronization. This property is only supported with Sun / Oracle DSEE, RedHat 389 and OpenDS / OpenDJ. |
| passwordAttributeToSynchronize | | String | | LDAP attribute used to synchronize during password synchronization. This property is meaningful only when the synchronizePasswords property is true. |
| passwordDecryptionKey | | GuardedByteArray | | Decryption key used to decrypt passwords during password synchronization. This property is meaningful only when the synchronizePasswords property is true. |
| passwordDecryptionInitializationVector | | GuardedByteArray | | Initialization vector used when decrypting passwords during password synchronization. This property is meaningful only when the synchronizePasswords property is true. |
| statusManagementClass | | String | | Java class to be used to enable/disable identities. See the notes on this property below the table. |
| retrievePasswordsWithSearch | | boolean | false | Whether to retrieve passwords when searching. |
| connectTimeout | | long | 0 | Time to wait when opening new server connections. A value of 0 means the TCP network timeout will be used, which may be several minutes. A value less than 0 means there is no limit. |
| readTimeout | | long | 0 | Time to wait for a response to be received. If there is no response within the specified time period, the read attempt is aborted. A value of 0 or less than 0 means there is no limit. |

Notes on the statusManagementClass property: any custom implementation must extend org.identityconnectors.ldap.commons.StatusManagement in order to implement all the required methods to manage enable/disable requests.

A couple of convenience implementations are provided:

  1. org.connid.bundles.ldap.commons.AttributeStatusManagement (< 1.4.0) / net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement (>= 1.4.0)
    Uses the description attribute for storing Active / Inactive values; this is basically a sample class, meant for subclassing.

  2. org.connid.bundles.ldap.commons.NSStatusManagement (< 1.4.0) / net.tirasa.connid.bundles.ldap.commons.NSStatusManagement (>= 1.4.0)
    Works on the nsAccountLock attribute; this is ready for usage with RedHat / Fedora 389 and Oracle DSEE.

  3. net.tirasa.connid.bundles.ldap.commons.OpenDJStatusManagement (>= 1.5.5)
    Works on the ds-pwp-account-disabled attribute; this is ready for usage with OpenDJ.
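As an added example (not part of the connector's own code base), the following Java snippet configures the connector through the ConnId framework API with the settings a hardened deployment would use: SSL, a GuardedString credential, explicit base contexts, salted password hashing and bounded timeouts, then runs the Validate and Test operations. The bundle JAR path, version string, server names and DNs are placeholders, and the bundle and connector names are assumed from the >= 1.4.0 package names above.

```java
import java.io.File;
import org.identityconnectors.common.security.GuardedString;
import org.identityconnectors.framework.api.APIConfiguration;
import org.identityconnectors.framework.api.ConfigurationProperties;
import org.identityconnectors.framework.api.ConnectorFacade;
import org.identityconnectors.framework.api.ConnectorFacadeFactory;
import org.identityconnectors.framework.api.ConnectorInfo;
import org.identityconnectors.framework.api.ConnectorInfoManager;
import org.identityconnectors.framework.api.ConnectorInfoManagerFactory;
import org.identityconnectors.framework.api.ConnectorKey;

public class LdapConnectorSetup {

    // Placeholder path and version: adapt both to the installed bundle (assumption)
    static final File BUNDLE_JAR = new File("/opt/connid/bundles/net.tirasa.connid.bundles.ldap-VERSION.jar");

    public static ConnectorFacade buildFacade(char[] bindPassword) throws Exception {
        ConnectorInfoManager manager = ConnectorInfoManagerFactory.getInstance()
                .getLocalManager(BUNDLE_JAR.toURI().toURL());
        // Bundle and connector names are assumed from the >= 1.4.0 package names on this page
        ConnectorKey key = new ConnectorKey("net.tirasa.connid.bundles.ldap", "VERSION",
                "net.tirasa.connid.bundles.ldap.LdapConnector");
        ConnectorInfo info = manager.findConnectorInfo(key);
        if (info == null) {
            throw new IllegalStateException("LDAP connector bundle not found for " + key);
        }
        APIConfiguration apiConfig = info.createDefaultAPIConfiguration();
        ConfigurationProperties props = apiConfig.getConfigurationProperties();
        props.setPropertyValue("host", "ldap.example.com");
        props.setPropertyValue("port", 636);
        props.setPropertyValue("ssl", true);  // bind password and provisioned passwords never travel in clear
        props.setPropertyValue("failover", new String[] { "ldaps://ldap2.example.com:636" });
        // A dedicated, least-privileged provisioning entry rather than the directory manager
        props.setPropertyValue("principal", "cn=provisioning,ou=services,dc=example,dc=com");
        props.setPropertyValue("credentials", new GuardedString(bindPassword));
        props.setPropertyValue("baseContexts",
                new String[] { "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com" });
        props.setPropertyValue("passwordHashAlgorithm", "SSHA");  // salted; not unsalted SHA or MD5
        props.setPropertyValue("uidAttribute", "entryUUID");
        // The defaults of 0 mean "TCP timeout" (possibly minutes) and "no limit": bound both (milliseconds)
        props.setPropertyValue("connectTimeout", 5000L);
        props.setPropertyValue("readTimeout", 30000L);

        ConnectorFacade facade = ConnectorFacadeFactory.getInstance().newInstance(apiConfig);
        facade.validate();  // Validate operation: checks the configuration without touching the network
        facade.test();      // Test operation: opens a connection and binds as the principal
        return facade;
    }
}
```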
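The passwordHashAlgorithm row above describes the hashed userPassword values the connector writes. As an added example, not the connector's own code, this Java class produces and verifies values in the RFC 2307 "{SCHEME}base64(digest || salt)" form for the four documented algorithms; the 8-byte salt length is an assumption, since the page does not state what the connector uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class LdapPasswordHash {

    static final int SALT_LEN = 8;  // assumption: the page does not state the connector's salt length

    // algorithm is one of the documented values: "SHA", "SSHA", "MD5", "SMD5"
    public static String hash(String algorithm, char[] password) throws Exception {
        boolean salted = algorithm.equals("SSHA") || algorithm.equals("SMD5");
        String jca = algorithm.endsWith("MD5") ? "MD5" : "SHA-1";
        byte[] salt = new byte[salted ? SALT_LEN : 0];
        new SecureRandom().nextBytes(salt);  // no-op for the unsalted schemes
        byte[] digest = digest(jca, password, salt);
        // userPassword value: "{SCHEME}" + base64(digest || salt)
        byte[] out = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return "{" + algorithm + "}" + Base64.getEncoder().encodeToString(out);
    }

    // Verifies a candidate password against a stored {SHA}/{SSHA}/{MD5}/{SMD5} value
    public static boolean verify(String stored, char[] password) throws Exception {
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) return false;  // not a "{SCHEME}..." value
        String scheme = stored.substring(1, close).toUpperCase();
        if (!Arrays.asList("SHA", "SSHA", "MD5", "SMD5").contains(scheme)) return false;  // e.g. CRYPT: out of scope
        String jca = scheme.endsWith("MD5") ? "MD5" : "SHA-1";
        int digestLen = jca.equals("MD5") ? 16 : 20;
        byte[] decoded = Base64.getDecoder().decode(stored.substring(close + 1));
        if (decoded.length < digestLen) return false;
        byte[] expected = Arrays.copyOfRange(decoded, 0, digestLen);
        byte[] salt = Arrays.copyOfRange(decoded, digestLen, decoded.length);  // empty for SHA / MD5
        // constant-time comparison of the digests
        return MessageDigest.isEqual(expected, digest(jca, password, salt));
    }

    private static byte[] digest(String jca, char[] password, byte[] salt) throws Exception {
        MessageDigest md = MessageDigest.getInstance(jca);
        md.update(new String(password).getBytes(StandardCharsets.UTF_8));
        md.update(salt);  // the salt is appended to the password before hashing
        return md.digest();
    }
}
```

Unsalted {SHA} and {MD5} values decode to exactly 20 or 16 bytes, which gives a quick way to audit a directory export for entries that still carry unsalted hashes after switching the connector to "SSHA" or "SMD5".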

Schema

The LDAP connector supports the following objectclasses:

  • __ACCOUNT__ objectclass: Mapped to the LDAP objectclasses specified in the accountObjectClasses configuration property. This objectclass has the following attributes:

| Attribute Name | Description |
|---|---|
| __UID__ | Account unique id. Mapped to the LDAP attribute specified by the uidAttribute configuration property. |
| __NAME__ | DN of the LDAP entry. |
| __PASSWORD__ | Account password. |

  • __GROUP__ objectclass: Mapped to the LDAP objectclass groupOfUniqueNames. This objectclass has the following attributes:

| Attribute Name | Description |
|---|---|
| __UID__ | Group unique id. Mapped to the LDAP attribute specified by the uidAttribute configuration property. |
| __NAME__ | DN of the LDAP entry. |

Note:

The schema contents are not related to the connector's ability to handle LDAP objectclasses and attributes. Although LDAP objectclasses are not exposed as connector objectclasses, the connector can create, modify, etc., objects of any objectclass supported by the LDAP server.