LDAP
Overview
The LDAP connector enables identity provisioning to LDAP v3 servers.
Supported Resources
LDAP v3
OpenLDAP
Sun ONE Directory Server 4.x
Sun Java System Directory Server 5 (2004Q2, 2005Q1), 6.3
OpenDJ
Installation
To install the LDAP connector, add the bundle JAR file to a directory on your disk. If your application has a dedicated directory for connector bundles, put the file in that directory. For example, Apache Syncope looks for connector bundles in the configured bundles directory.
Supported Operations
The LDAP connector supports the following operations:
Authentication
Create
Delete
Get
Schema
ScriptOnConnector
Search
Sync (only with Sun / Oracle DSEE, RedHat 389 and OpenDS / OpenDJ)
Test
Update
Validate
Configuration
The following table lists all the configuration properties you can specify when setting up the LDAP connector:
Configuration Property | Required | Type | Default Value | Description |
---|---|---|---|---|
host | X | String | | LDAP server to connect to |
port | | int | 389 | TCP port to connect to |
ssl | | boolean | false | Connect using SSL |
failover | | String | | An array of LDAP URLs specifying failover servers. If the connector cannot connect to the server specified in the host property, it tries these failover servers in the specified order. |
principal | | String | | Distinguished name (DN) of the LDAP entry used to perform provisioning operations |
credentials | | GuardedString | | Password corresponding to the entry specified in the principal property |
baseContexts | X | String | | Base context DNs for provisioning operations. The connector ignores any entries outside these base contexts. |
passwordAttribute | | String | "userPassword" | Name of the LDAP attribute that holds the LDAP entry's password. This attribute is read and modified by password-change operations. |
accountObjectClasses | | String | { "top", | Object classes to which the ACCOUNT object class is mapped. |
accountUserNameAttributes | | String | { "cn", "uid" } | LDAP attributes to which the authentication user names are mapped. The connector uses this property to search for the LDAP entry corresponding to the user name that is passed to an authentication operation. |
accountSearchFilter | | String | | LDAP search filter for accounts. When searching for accounts, the connector only considers those accounts that match the specified filter. |
addPrincipalToNewGroups | | boolean | false | When enabled, the configured principal is added as the first member of a new group. |
groupMemberAttribute | | String | "uniqueMember" | LDAP attribute that holds the members of LDAP static groups |
groupObjectClasses | | String | {"top", "groupOfUniqueNames"} | The group class or classes used when creating new group objects in the LDAP tree. |
groupNameAttributes | | String | {"cn"} | Attribute or attributes that hold the group's name. |
groupSearchFilter | | String | | LDAP filter for retrieving groups. |
maintainLdapGroupMembership | | boolean | false | Maintain LDAP group membership when renaming or deleting entries |
maintainPosixGroupMembership | | boolean | false | Maintain POSIX group membership when renaming or deleting entries |
passwordHashAlgorithm | | String | | Algorithm used to hash passwords. Valid values are "SHA", "SSHA", "MD5", and "SMD5". If you specify "SSHA" or "SMD5", the connector appends a random salt value to the password value before hashing. |
respectResourcePasswordPolicyChangeAfterReset | | boolean | false | Check for the Password Expired and Password Policy controls when binding |
useBlocks | | boolean | true | Use a block-based control for search operations, such as the Simple Paged Results or the Virtual List View (VLV) Index controls |
blockSize | | int | 100 | Block size to use with block-based controls. This property is meaningful only when the useBlocks property is true. |
usePagedResultControl | | boolean | false | Use the Simple Paged Results control for search operations. |
vlvSortAttribute | | String | "uid" | LDAP attribute to use as the sort key when using the VLV Index control. This property is meaningful only when the useBlocks property is true and the usePagedResultControl property is false. |
uidAttribute | | String | "entryUUID" | LDAP attribute to use as the Uid connector attribute value |
readSchema | | boolean | true | If true, the connector reads the schema from the server. If false, the connector provides a default schema based on the object classes in the configuration. This property must be true in order to use extended object classes. |
baseContextsToSynchronize | | String | | Base context DNs to use for synchronization. The connector ignores any changes outside of these base contexts. |
objectClassesToSynchronize | | String | "inetOrgPerson" | LDAP object classes to synchronize. The connector ignores a change if it cannot find any of the modified entry's object classes in this property. |
attributesToSynchronize | | String | | LDAP attributes to synchronize. The connector ignores changes to any LDAP attributes not specified in this property. |
modifiersNamesToFilterOut | | String | | Modifier DNs to filter out for synchronization. The connector ignores any changes made by an entry specified in this property. |
accountSynchronizationFilter | | String | | LDAP search filter used to filter out accounts from synchronization. The connector ignores changes to any accounts that do not match the filter specified in this property. |
changeLogBlockSize | | int | 100 | Block size to use when reading changes from the change log |
changeNumberAttribute | | String | "changeNumber" | LDAP attribute that holds the change number in change log entries |
filterWithOrInsteadOfAnd | | boolean | false | Use an and filter instead of an or filter when searching for change log entries |
removeLogEntryObjectClassFromFilter | | boolean | true | Remove the condition that tests whether the object class of the change log entries is changeLogEntry from the filter used to search for entries in the change log |
synchronizePasswords | | boolean | false | Synchronize passwords during synchronization. This property is only supported with Sun / Oracle DSEE, RedHat 389 and OpenDS / OpenDJ. |
passwordAttributeToSynchronize | | String | | LDAP attribute used during password synchronization. This property is meaningful only when the synchronizePasswords property is true. |
passwordDecryptionKey | | GuardedByteArray | | Decryption key used to decrypt passwords during password synchronization. This property is meaningful only when the synchronizePasswords property is true. |
passwordDecryptionInitializationVector | | GuardedByteArray | | Initialization vector used when decrypting passwords during password synchronization. This property is meaningful only when the synchronizePasswords property is true. |
statusManagementClass | | String | | Java class to be used to enable/disable identities. A couple of convenience implementations are provided: |
retrievePasswordsWithSearch | | boolean | false | Whether to retrieve passwords when searching. |
connectTimeout | | long | 0 | Time to wait when opening new server connections. A value of 0 means the TCP network timeout is used, which may be several minutes. A value less than 0 means there is no limit. |
readTimeout | | long | 0 | Time to wait for a response to be received. If there is no response within the specified time period, the read attempt is aborted. A value of 0 or less means there is no limit. |
Schema
The LDAP connector supports the following objectclasses:
__ACCOUNT__ objectclass: Mapped to the LDAP objectclasses specified in the accountObjectClasses configuration property. This objectclass has the following attributes:
Attribute Name | Description |
---|---|
| Account unique id. Mapped to the LDAP attribute specified by uidAttribute configuration property. |
| DN of the LDAP entry. |
| Account password. |
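The account password attribute is written to the LDAP attribute named by passwordAttribute, hashed according to passwordHashAlgorithm. As an added example (not the connector's code), the block below produces and checks the conventional {SCHEME}base64 userPassword form for the four documented values, "SHA", "SSHA", "MD5" and "SMD5"; the function names hash_password and verify_password and the 8-byte salt length are assumptions made here. It also shows why the salted variants are preferable: two SSHA hashes of the same password differ, so identical passwords cannot be spotted by comparing stored values, and verification must recover the salt from the stored value rather than from configuration.

```python
"""userPassword values in the {SCHEME}base64 form selected by the
passwordHashAlgorithm property (added example, not the connector's code).
hash_password, verify_password and the 8-byte salt are assumptions."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# passwordHashAlgorithm value -> (hashlib digest name, whether a random salt is appended)
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def _digest(password: bytes, digest_name: str, salt: bytes) -> bytes:
    # Salted schemes hash password||salt; the stored value is digest||salt so the
    # salt can be recovered when a candidate password is checked later.
    return hashlib.new(digest_name, password + salt).digest()


def hash_password(password: str, algorithm: str, salt: Optional[bytes] = None) -> str:
    """Return the stored form, e.g. '{SSHA}...'. For SSHA/SMD5 a fresh random
    8-byte salt is drawn unless one is supplied (only useful for tests)."""
    scheme = algorithm.upper()
    digest_name, salted = _SCHEMES[scheme]
    salt = (os.urandom(8) if salt is None else salt) if salted else b""
    raw = _digest(password.encode("utf-8"), digest_name, salt) + salt
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SCHEME}value; any value
    that is not a well-formed hash in one of the four schemes is rejected."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    entry = _SCHEMES.get(scheme.upper())       # scheme tags are case-insensitive
    if entry is None:
        return False
    digest_name, salted = entry
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return False
    size = hashlib.new(digest_name).digest_size
    if len(raw) < size or (not salted and len(raw) != size):
        return False
    digest, salt = raw[:size], (raw[size:] if salted else b"")
    candidate = _digest(password.encode("utf-8"), digest_name, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


if __name__ == "__main__":
    for scheme in _SCHEMES:
        stored = hash_password("secret", scheme)
        print(scheme, stored, verify_password("secret", stored))
```

The unsalted "SHA" value for the password "secret" is the familiar `{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=`, which is exactly the property that makes unsalted hashes easy to look up; the salted forms produce a different string on every call.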
__GROUP__ objectclass: Mapped to the LDAP objectclass groupOfUniqueNames. This objectclass has the following attributes:
Attribute Name | Description |
---|---|
| Group unique id. Mapped to the LDAP attribute specified by uidAttribute configuration property. |
| DN of the LDAP entry. |
Note:
The schema contents are not related to the connector's ability to handle LDAP objectclasses and attributes. Although LDAP objectclasses are not exposed as connector objectclasses, the connector can create, modify, etc., objects of any objectclass supported by the LDAP server.
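The synchronization properties in the configuration table (baseContextsToSynchronize, objectClassesToSynchronize, attributesToSynchronize and modifiersNamesToFilterOut) each describe a condition under which the connector ignores a change-log entry. The block below is an added example, not the connector's code, that applies those documented conditions to a handful of constructed change-log records in the draft-good-ldap-changelog style: the configuration, the directory snapshot, the entries and the helper names (should_process, select_changes, changed_attributes, dn_within) are all constructed for this example, and the connector's real change-log reader is not reproduced. It illustrates why modifiersNamesToFilterOut normally contains the provisioning principal's own DN: without it, every write the connector makes would come back to it as a change to import.

```python
"""Applying the synchronization properties to change-log entries (added
example, not the connector's code; data and helper names are constructed)."""


def _normalize_dn(dn: str) -> str:
    # Sufficient for this example: case-insensitive, whitespace around commas
    # dropped. A complete implementation would honour RFC 4514 escaping.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_within(dn: str, base: str) -> bool:
    d, b = _normalize_dn(dn), _normalize_dn(base)
    return d == b or d.endswith("," + b)


def changed_attributes(changes_ldif: str) -> set:
    """Attribute names touched by a changeLogEntry 'changes' value, which is
    an LDIF change record with 'add:'/'replace:'/'delete:' lines."""
    attrs = set()
    for line in changes_ldif.splitlines():
        op, sep, name = line.partition(":")
        if sep and op in ("add", "replace", "delete"):
            attrs.add(name.strip().lower())
    return attrs


def should_process(entry: dict, config: dict, directory: dict):
    """Return (decision, reason) following the documented property semantics."""
    dn = entry["targetDN"]
    if not any(dn_within(dn, b) for b in config["baseContextsToSynchronize"]):
        return False, "outside baseContextsToSynchronize"
    modifier = _normalize_dn(entry.get("modifiersName", ""))
    if modifier in {_normalize_dn(m) for m in config["modifiersNamesToFilterOut"]}:
        return False, "modifier listed in modifiersNamesToFilterOut"
    # Object classes are read from the current entry; for a deleted entry this
    # example falls back to a snapshot carried in the record (an assumption).
    classes = directory.get(_normalize_dn(dn)) or entry.get("objectClass", [])
    wanted = {oc.lower() for oc in config["objectClassesToSynchronize"]}
    if not wanted & {oc.lower() for oc in classes}:
        return False, "no object class in objectClassesToSynchronize"
    sync_attrs = {a.lower() for a in config["attributesToSynchronize"]}
    if entry["changeType"] == "modify" and sync_attrs:
        if not changed_attributes(entry.get("changes", "")) & sync_attrs:
            return False, "no attribute in attributesToSynchronize changed"
    return True, "process"


def select_changes(entries, config, directory):
    """changeNumber values the rules above would act on, in change-log order."""
    ordered = sorted(entries, key=lambda e: e["changeNumber"])
    return [e["changeNumber"] for e in ordered if should_process(e, config, directory)[0]]


# Constructed configuration using the property names from the table above.
CONFIG = {
    "baseContextsToSynchronize": ["ou=People,dc=example,dc=com"],
    "objectClassesToSynchronize": ["inetOrgPerson"],
    "attributesToSynchronize": ["mail", "telephoneNumber"],
    "modifiersNamesToFilterOut": ["cn=Syncope Admin,dc=example,dc=com"],  # the connector's own principal
}

# Constructed directory snapshot: normalized DN -> object classes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": ["top", "person", "inetOrgPerson"],
    "uid=bob,ou=people,dc=example,dc=com": ["top", "person", "inetOrgPerson"],
    "uid=svc1,ou=people,dc=example,dc=com": ["top", "account"],
}

# Constructed change-log entries.
ENTRIES = [
    {"changeNumber": 101, "targetDN": "uid=alice,ou=People,dc=example,dc=com", "changeType": "modify",
     "modifiersName": "cn=Directory Manager", "changes": "replace: mail\nmail: alice@example.com\n-\n"},
    {"changeNumber": 102, "targetDN": "uid=alice,ou=People,dc=example,dc=com", "changeType": "modify",
     "modifiersName": "cn=Syncope Admin,dc=example,dc=com",
     "changes": "replace: telephoneNumber\ntelephoneNumber: 555-0100\n-\n"},
    {"changeNumber": 103, "targetDN": "cn=admins,ou=Groups,dc=example,dc=com", "changeType": "modify",
     "modifiersName": "cn=Directory Manager", "changes": "add: uniqueMember\nuniqueMember: uid=alice\n-\n"},
    {"changeNumber": 104, "targetDN": "uid=bob,ou=People,dc=example,dc=com", "changeType": "modify",
     "modifiersName": "cn=Directory Manager", "changes": "replace: description\ndescription: moved\n-\n"},
    {"changeNumber": 105, "targetDN": "uid=svc1,ou=People,dc=example,dc=com", "changeType": "add",
     "modifiersName": "cn=Directory Manager"},
]

if __name__ == "__main__":
    for e in ENTRIES:
        print(e["changeNumber"], should_process(e, CONFIG, DIRECTORY))
```

Of the five constructed records only change 101 survives all four conditions; each of the others is dropped for exactly one documented reason, which is a useful sanity check when a production sync appears to "miss" changes.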