This chapter describes how to connect to external resources such as LDAP, Active Directory, flat files, and others. Configurations shown here are simplified to show essential aspects. Not all resources support all OpenIDM operations, however the resources shown here support most of the CRUD operations, and also reconciliation and LiveSync.
In OpenIDM, resources are external systems, databases, directory servers, and other sources of identity data to be managed and audited by the identity management system. OpenIDM connects to resources through the identity connector framework, OpenICF. OpenICF aims to avoid the need to install agents to access resources, instead using the resources' native protocols. For example, OpenICF connects to database resources using the database's Java connection libraries or JDBC driver. It connects to directory servers over JNDI. It connects to UNIX systems by using ssh.
Connectors are configured through files named
openidm/conf/provisioner.openicf-
where namename corresponds to the name of the
connector. Do not include dash characters ( - )
in the connector name. A number of
sample connectors are available in the openidm/samples/provisioners
directory. To use these connectors, edit the configuration files
as required, and copy them to the openidm/conf directory.
The following figure shows how OpenIDM can connect to resources through an OpenICF server. In most cases, the OpenICF server runs as part of OpenIDM.
OpenICF provides a common service provider interface to allow identity services access to the resources that contain user information. OpenICF uses a connection server that can run as a local connector server inside OpenIDM, or as a remote connector server that is a standalone process.
A remote connector server is required when access libraries that cannot be included as part of the OpenIDM process are needed. If a resource, such as Microsoft ADSI, does not provide a connection library that can be included inside the Java Virtual Machine, then OpenICF can use the native .dll with a remote .NET connector server. (OpenICF connects to ADSI through a remote connector server implemented as a .NET service.)
Tip
Not only .NET connector servers but also Java connector servers can be run as standalone, remote services. Run them as remote services for scalability, or to have the service run in the cloud.
By default, and for convenience, OpenIDM includes a Java connector
server that runs as a "#LOCAL" service.
When you configure remote connectors, you must use the connector info
provider service to connect through remote connector servers. The configuration is
stored in the configuration file,
openidm/conf/provisioner.openicf.connectorinfoprovider.json.
A sample can be found under openidm/samples/provisioners/.
To use the file, edit it as required, and then copy it to the
openidm/conf directory.
The connector info provider service takes the following configuration:
{
"connectorsLocation" : string,
"remoteConnectorServers" : [remoteConnectorServer objects]
}- connectorsLocation
string, optional
Specifies the directory where the OpenICF connectors are located. The default location is
openidm/connectors.- remoteConnectorServers
array of RemoteConnectorServer objects, optional
A list of remote connector servers managed by this service.
The following example shows a remoteConnectorServer
object configuration.
{
"name" : "testServer",
"host" : "127.0.0.1",
"port" : 8759,
"heartbeatInterval" : 60,
"useSSL" : false,
"timeout" : 0,
"key" : "changeit",
"trustManagers" :
[
"X509TrustManager",
"BlindTrustManager"
]
}OpenIDM supports the following remote connector server object properties.
- name
string, required
The name of the remote connector server object. Used to identify the remote connector server in connector reference objects.
- host
string, required
Remote host to connect to.
- port
string, optional
Remote port to connect to. Default value: 8759
- heartbeatInterval
integer, optional
Specifies the interval, in seconds, at which heartbeat packets are transmitted. If the connector server is unreachable, based on this heartbeat interval, all services that use the connector server are made unavailable until the connector server can be reached again. Default value: 60
- useSSL
boolean, optional
Specifies whether or not to use SSL to connect. Default value:
false- timeout
integer, optional
Specifies the timeout (in milliseconds) to use for the connection. Default value: 0
- key
string, required
The secret key to use to authenticate to the remote connector server.
- trustManagers
not specified
Not implemented yet. The service uses the default JVM
TrustManager.
Connectors are configured through the OpenICF provisioner service.
Each connector configuration is stored in a file in the
openidm/conf/ folder or under the same URL respectively.
Configuration files are named
openidm/conf/provisioner.openicf-
where namename corresponds to the name of the
connector. Do not include dash characters ( - )
in the connector name. A number of
sample connectors are available in the openidm/samples/provisioners
directory. To use these connectors, edit the configuration files
as required, and copy them to the openidm/conf directory.
The following example shows an OpenICF provisioner service configuration for an XML file resource.
{
"name" : "xml",
"connectorRef" : connector-ref-object,
"poolConfigOption" : pool-config-option-object,
"operationTimeout" : operation-timeout-object,
"configurationProperties" : configuration-properties-object,
"objectTypes" : object-types-object,
"operationOptions" : operation-options-object
}The following example shows a connector reference object.
{
"bundleName" : "org.forgerock.openicf.connectors.file.xml",
"bundleVersion" : "",
"connectorName" : "com.forgerock.openicf.xml.XMLConnector",
"connectorHostRef" : "host"
}- bundleName
string, required
The
ConnectorBundle-Nameof the OpenICF connector.- bundleVersion
string, required
The
ConnectorBundle-Versionof the OpenICF connector.- connectorName
string, required
The Connector implementation class name.
- connectorHostRef
string, optional
The name of the RemoteConnectorServer object.
If the connector server is local and the connector .jar is installed in
openidm/bundle/(currently not recommended), then the value must be"osgi:service/org.forgerock.openicf.framework.api.osgi.ConnectorManager".If the connector server is local and the connector .jar is installed in
openidm/connectors/, then the value must be"#LOCAL". This is currently the default location.
The following example shows a pool configuration option object for the connection pool between OpenIDM and the OpenICF connector server.
{
"maxObjects" : 10,
"maxIdle" : 10,
"maxWait" : 150000,
"minEvictableIdleTimeMillis" : 120000,
"minIdle" : 1
}- maxObjects
Maximum number of idle and active objects.
- maxIdle
Maximum number of idle objects
- maxWait
The maximum time in milliseconds which the pool waits for an object before timing out. Zero means never time out.
- minEvictableIdleTimeMillis
Maximum time in milliseconds an object can be idle before it is removed. Zero means never time out.
- minIdle
The minimum number of idle objects.
This configuration sets the timeout per operation type.
{
"CREATE" : -1,
"TEST" : -1,
"AUTHENTICATE" : -1,
"SEARCH" : -1,
"VALIDATE" : -1,
"GET" : -1,
"UPDATE" : -1,
"DELETE" : -1,
"SCRIPT_ON_CONNECTOR" : -1,
"SCRIPT_ON_RESOURCE" : -1,
"SYNC" : -1,
"SCHEMA" : -1
}operation-nameTimeout in milliseconds
A value of
-1disables the timeout.
This object contains the configuration for the connection between the connection server and the resource, and is therefore resource specific.
The following example shows a configuration properties object for the default XML sample resource connector.
{
"xsdIcfFilePath": "samples/sample1/data/resource-schema-1.xsd",
"xsdFilePath": "samples/sample1/data/resource-schema-extension.xsd",
"xmlFilePath": "samples/sample1/data/xmlConnectorData.xml"
}propertyIndividual properties depend on the type of connector.
This configuration object specifies the supported object types. The
property name defines the objectType used in the
URI: system/$systemName/$objectType
The configuration is based on JSON Schema with extensions described below.
Attribute names which start and/or end with __ are
resource type specific attributes used by OpenICF for particular
purposes, such as __NAME__ as the naming attribute
for objects on a resource.
{
"account" :
{
"$schema" : "http://json-schema.org/draft-03/schema",
"id" : "__ACCOUNT__",
"type" : "object",
"nativeType" : "__ACCOUNT__",
"properties" :
{
"name" :
{
"type" : "string",
"nativeName" : "__NAME__",
"nativeType" : "JAVA_TYPE_PRIMITIVE_LONG",
"flags" :
[
"NOT_CREATABLE",
"NOT_UPDATEABLE",
"NOT_READABLE",
"NOT_RETURNED_BY_DEFAULT"
]
},
"groups" :
{
"type" : "array",
"items" :
{
"type" : "string",
"nativeType" : "string"
},
"nativeName" : "__GROUPS__",
"nativeType" : "string",
"flags" :
[
"NOT_RETURNED_BY_DEFAULT"
]
},
"givenName" : {
"type" : "string",
"nativeName" : "givenName",
"nativeType" : "string"
},
}
}
}- Object Level Extensions
- nativeType
string, optional
The native OpenICF object type.
- Property Level Extensions
- nativeType
string, optional
The native OpenICF attribute type.
- nativeName
string, optional
The native OpenICF attribute name.
- flags
string, optional
The native OpenICF attribute flags. The
requiredandmultivaluedflags are defined by the JSON schema.required="required" : truemultivalued="type" : "array"
Note
Avoid using the dash character ( - ) in property
names, like last-name, as dashes in names make
JavaScript syntax more complex. If you cannot avoid the dash, then write
source['last-name'] instead of
source.last-name in the java script scripts.
Operation options define how to act on specified operations. You can for example deny operations on specific resources to avoid OpenIDM accidentally updating a read-only resource during a synchronization operation.
{
"SYNC" :
{
"denied" : true,
"onDeny" : "DO_NOTHING",
"objectFeatures" :
{
"__ACCOUNT__" :
{
"denied" : true,
"onDeny" : "THROW_EXCEPTION",
"operationOptionInfo" :
{
"$schema" : "http://json-schema.org/draft-03/schema",
"id" : "FIX_ME",
"type" : "object",
"properties" :
{
"_OperationOption-float" :
{
"type" : "number",
"nativeType" : "JAVA_TYPE_PRIMITIVE_FLOAT"
}
}
}
},
"__GROUP__" :
{
"denied" : false,
"onDeny" : "DO_NOTHING"
}
}
}
}The list of operations is as follows.
AUTHENTICATE: AuthenticationApiOpCREATE: CreateApiOpDELETE: DeleteApiOpGET: GetApiOpRESOLVEUSERNAME: ResolveUsernameApiOpSCHEMA: SchemaApiOpSCRIPT_ON_CONNECTOR: ScriptOnConnectorApiOpSCRIPT_ON_RESOURCE: ScriptOnResourceApiOpSEARCH: SearchApiOpSYNC: SyncApiOpTEST: TestApiOpUPDATE: UpdateApiOpVALIDATE: ValidateApiOp
- denied
boolean, optional
This property prevents operation execution if the value is
true.- onDeny
string, optional
If
deniedistrue, then the service uses this value. Default value:DO_NOTHING.DO_NOTHING: On operation the service does nothing.THROW_EXCEPTION: On operation the service throws aForbiddenExceptionexception.
This section explains provisioner configurations for common connectors. Also see Section 9.5, “Creating Default Connector Configurations” for instructions on interactively building connector configurations.
The following example shows an excerpt of the provisioner configuration for an XML file connector.
{
"connectorRef": {
"connectorHostRef": "#LOCAL",
"bundleName":
"org.forgerock.openicf.connectors.file.file.openicf-xml-connector",
"bundleVersion": "",
"connectorName": "com.forgerock.openicf.xml.XMLConnector"
}
}The connectorHostRef is optional if the connector server is local.
The configuration properties for the XML file connector set the relative path to the file containing the identity data, and also the paths to the XML schemas required.
{
"configurationProperties": {
"xsdIcfFilePath": "samples/sample1/data/resource-schema-1.xsd",
"xsdFilePath": "samples/sample1/data/resource-schema-extension.xsd",
"xmlFilePath": "samples/sample1/data/xmlConnectorData.xml"
}
}- xmlFilePath
References the XML file containing account entries
- xsdIcfFilePath
References the XSD file defining schema common to all XML file resources. Do not change the schema defined in this file.
- xsdFilePath
References custom schema defining attributes specific to your project
The following excerpt shows the connectorRef
configuration property for connection to an LDAP server. When using the
connect .jar provided in openidm/connectors, and
when using a local connector server, the connectorHostRef
property is optional.
{
"connectorRef": {
"connectorHostRef": "#LOCAL",
"connectorName": "org.identityconnectors.ldap.LdapConnector",
"bundleName":
"org.forgerock.openicf.connectors.ldap-connector",
"bundleVersion": ""
}
}The following excerpt shows settings for many connector configuration properties.
{
"accountSynchronizationFilter": null,
"passwordAttributeToSynchronize": null,
"synchronizePasswords": false,
"removeLogEntryObjectClassFromFilter": true,
"modifiersNamesToFilterOut": [],
"passwordDecryptionKey": null,
"credentials": "Passw0rd",
"changeLogBlockSize": 100,
"baseContextsToSynchronize": [
"ou=People,dc=example,dc=com"
],
"attributesToSynchronize": [
"uid",
"sn",
"cn",
"givenName",
"mail",
"description"
],
"changeNumberAttribute": "changeNumber",
"passwordDecryptionInitializationVector": null,
"filterWithOrInsteadOfAnd": false,
"objectClassesToSynchronize": [
"inetOrgPerson"
],
"port": 1389,
"vlvSortAttribute": "uid",
"passwordAttribute": "userPassword",
"useBlocks": true,
"maintainPosixGroupMembership": false,
"failover": [],
"ssl": false,
"principal": "cn=Directory Manager",
"baseContexts": [
"dc=example,dc=com"
],
"readSchema": true,
"accountObjectClasses": [
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
],
"accountUserNameAttributes": [
"uid",
"cn"
],
"host": "localhost",
"groupMemberAttribute": "uniqueMember",
"accountSearchFilter": null,
"passwordHashAlgorithm": null,
"usePagedResultControl": false,
"blockSize": 100,
"uidAttribute": "entryUUID",
"maintainLdapGroupMembership": false,
"respectResourcePasswordPolicyChangeAfterReset": false
}- accountSynchronizationFilter
Used during synchronization actions to filter out LDAP accounts
- accountObjectClasses
The object classes used when creating new LDAP user objects. When specifying more than one object class, add each object class as its own property. For object classes that inherit from parents other than
top, such asinetOrgPerson, specify all object classes in the class hierarchy.- accountSearchFilter
Search filter that accounts must match
- accountUserNameAttributes
Attributes holding the account's user name. Used during authentication to find the LDAP entry matching the user name.
- attributesToSynchronize
List of attributes used during object synchronization. OpenIDM ignores change log updates that do not include any of the specified attributes. If empty, OpenIDM considers all changes.
- baseContexts
Base DNs for operations on the LDAP server
- baseContextsToSynchronize
Base DNs for entries taken into account during synchronization
- blockSize
Block size for simple paged results and VLV index searches, reflecting the maximum number of accounts retrieved at any one time
- changeLogBlockSize
Block size used when fetching change log entries
- changeNumberAttribute
Change log attribute containing the last change number
- credentials
Password to connect to the LDAP server
- failover
LDAP URLs specifying alternative LDAP servers to connect to if OpenIDM cannot connect to the primary LDAP server specified in the
hostandportproperties- filterWithOrInsteadOfAnd
In most cases, the filter to fetch change log entries is AND-based. If this property is set, the filter ORs the required change numbers instead.
- groupMemberAttribute
LDAP attribute holding members for non-POSIX static groups
- host
Primary LDAP server host name
- maintainLdapGroupMembership
If
true, OpenIDM modifies group membership when entries are renamed or deleted.In the sample LDAP connector configuration file provided with OpenIDM, this property is set to
false. This means that LDAP group membership is not modified when entries are renamed or deleted in OpenIDM. To ensure that entries are removed from LDAP groups when the entries are deleted, set this property totrueor enable referential integrity on the LDAP server. For OpenDJ, see Configuring Referential Integrity for more information.- maintainPosixGroupMembership
If
true, OpenIDM modifies POSIX group membership when entries are renamed or deleted.- modifiersNamesToFilterOut
Use to avoid loops caused by OpenIDM's own changes
- objectClassesToSynchronize
OpenIDM synchronizes only entries having these object classes.
- passwordAttribute
Attribute to which OpenIDM writes the predefined PASSWORD attribute
- passwordAttributeToSynchronize
OpenIDM synchronizes password values on this attribute.
- passwordDecryptionInitializationVector
Initialization vector used to decrypt passwords when performing password synchronization
- passwordDecryptionKey
Key used to decrypt passwords when performing password synchronization
- passwordHashAlgorithm
Hash password values with the specified algorithm if the LDAP server stores them in clear text
- port
Primary LDAP server port number
- principal
Bind DN used to connect to the LDAP server
- readSchema
If
true, read LDAP schema from the LDAP server.- removeLogEntryObjectClassFromFilter
If
true, the filter to fetch change log entries does not contain thechangeLogEntryobject class, and OpenIDM expects no entries with other object types in the change log. Default:true- respectResourcePasswordPolicyChangeAfterReset
If
true, bind with the Password Expired and Password Policy controls, and throwPasswordExpiredExceptionand other exceptions appropriately.- ssl
If
true, the specified port listens for LDAPS connections.- synchronizePasswords
If
true, synchronize passwords.- uidAttribute
OpenIDM maps
uidto the specified attribute.- useBlocks
If
true, use block-based LDAP controls like simple paged results and virtual list view.- usePagedResultControl
If
true, use simple paged results rather than virtual list view when both are available.- vlvSortAttribute
Attribute used as the sort key for virtual list view
If you use the LDAP connector over SSL, you must set the
ssl property to true in the provisioner
configuration file. You must also specify the path to a truststore in the
system.properties file. A truststore is provided by
default at openidm/security/truststore. Add the
following line to the system.properties file,
substituting the path to your own truststore if you do not want to use the
default.
# Set the truststore javax.net.ssl.trustStore=/path/to/openidm/security/truststore
In contrast to most other connectors, the Active Directory connector is written not in Java, but instead in .NET. OpenICF should connect to Active Directory over ADSI, the native connection protocol for Active Directory. The connector therefore requires a connector server that has access to the ADSI .dll files.
A .NET connector server is useful when an application is written in Java, but a connector bundle is written using C#. Because a Java application (for example, a J2EE application) cannot load C# classes, it is necessary to deploy the C# bundles under a .NET connector server. The Java application can communicate with the C# connector server over the network, and the C# connector server acts as a proxy to provide access to the C# bundles that are deployed within the C# connector server, to any authenticated application.
Note
The .NET connector server requires version 4.0.30319 of the .NET framework.
By default, the connector server outputs log messages to
C:>. If you do not have permission to write to the root of the hard drive, an error is generated. To change the location of the log file, set theinitializeDataparameter in the trace settings of the configuration file.
Download the OPENICF .NET Connector Server from the OpenIDM download page under the ForgeRock Open Stack download page.
Execute ServiceInstall--dotnet.msi.
Complete the wizard.
When the wizard has run, the Connector Server is installed as a Windows Service.
The .NET Connector Server can be started one of two ways.
In the Microsoft Service Console, go to
Start, typeServices,Services.or
In the command prompt, go to
Start, typecmd, thencmdagain.Change the directory to the location where the Connector Server was installed. The default location is
Program Files/Identity Connectors/Connector Server.Enter
cd Program Files (x86)/Identity Connectors/Connector Server.Start the server with the following command:
ConnectorServer.exe/run
.
After starting the Microsoft Services Console, follow these steps to configure the .NET Connector Server.
Check to see if the Connector Server is currently running. If so, stop it. All configuration changes require that the Connector Server be stopped and restarted after the changes are saved.
At the command prompt (click
Start,Run, then typecmd, set the key for the Connector Server by changing to the directory where the Connector Server was installed and executing the following command, using a string value fornewkey:ConnectorServer.exe /setkey <newkey>
This key is used by clients connecting to the Connector Server.
Review the
ConnectorServer.exe.configfile to verify additional configuration, including the port, address, and SSL settings in theAppSettings.<add key="connectorserver.port" value="8759" /> <add key="connectorserver.usessl" value="false" /> <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" /> <add key="connectorserver.ipaddress" value="0.0.0.0" />
The port can be set by changing the value of
connectorserver.port. The listening socket can be bound to a particular address, or can be left as 0.0.0.0.To configure the server to use SSL, set the value of
connectorserver.usessltotrueand set the value ofconnectorserver.certifacatestorenameto the certificate store name.Trace settings are also in the configuration file.
<system.diagnostics> <trace autoflush="true" indentsize="4"> <listeners> <remove name="Default" /> <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\connectorserver2.log" traceOutputOptions="DateTime"> <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" /> </add> </listeners> </trace> </system.diagnostics>The Connector Server uses the standard .NET trace mechanism. For more information about the tracing options, see Microsoft's .NET documentation for
System.Diagnostics.Note
The default settings are a good starting point, but for less tracing, you can change the EventTypeFilter's initializeData to "Warning" or "Error". For very verbose logging you can set the value to "Verbose" or "All". The amount of logging performed has a direct effect on the performance of the Connector Servers, so be careful of the setting.
Download the AD Connector from the OpenIDM download page under the ForgeRock Open Stack download page.
Unzip the directory in the Connector Server folder.
Start the Connector Server service.
When you configure remote connectors, you must use the connector
info provider service to connect through remote connector servers.
The configuration is stored in the configuration file,
openidm/conf/provisioner.openicf.connectorinfoprovider.json.
A sample can be found under openidm/samples/provisioners/.
Make sure that OpenIDM is running and copy the
provisioner.openicf.connectorinfoprovider.jsonto/path/to/openidm/confand edit it as needed.$ cd path/to/openidm $ cp samples/provisioners/provisioner.openicf.connectorinfoprovider.json conf/Create the connector file
provisioner.openicf-ad.jsoninconf/ directory. The following is an example of what thename,bundleVersion, and a few other configuration properties will look like.{ "name" : "ad", "connectorRef" : { "connectorHostRef" : "dotnet", "connectorName" : "Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector", "bundleName" : "ActiveDirectory.Connector", "bundleVersion" : "1.0.0.0" }, "poolConfigOption" : { "maxObjects" : 10, "maxIdle" : 10, "maxWait" : 150000, "minEvictableIdleTimeMillis" : 120000, "minIdle" : 1 }, "operationTimeout" : { "SYNC" : -1, "TEST" : -1, "SEARCH" : -1, "RESOLVEUSERNAME" : -1, "SCRIPT_ON_CONNECTOR" : -1, "VALIDATE" : -1, "DELETE" : -1, "UPDATE" : -1, "AUTHENTICATE" : -1, "CREATE" : -1, "SCRIPT_ON_RESOURCE" : -1, "GET" : -1, "SCHEMA" : -1 }, "configurationProperties" : { "DirectoryAdminName" : "EXAMPLE\\Administrator", "DirectoryAdminPassword" : { "$crypto" : { "value" : { "iv" : "QJctjWJi9w2uPLsO2Pucfw==", "data" : "Akqzk1PW0m9QP5cfOMIuYw==", "cipher" : "AES/CBC/PKCS5Padding", "key" : "openidm-sym-default" }, "type" : "x-simple-encryption" } }, "ObjectClass" : "User", "Container" : "dc=example,dc=com", "CreateHomeDirectory" : true, "LDAPHostName" : "10.0.0.2", "SearchChildDomains" : false, "DomainName" : "example", "SyncGlobalCatalogServer" : null, "SyncDomainController" : null, "SearchContext" : "" }Edit the
configurationPropertiesaccording to your setup and make sure that thebundleVersionis the same version asActiveDirectory.Connector.dllin the Windows Connector Server folder. (Right click on thedll,properties,tab details, andProduct version.)Make sure the connector was installed properly using the following command:
scr listThis should return all of the installed modules, including the following:
[ 24] [active ] org.forgerock.openidm.provisioner.openicf
Note
The number may differ. Make sure to note the number returned.
Review the content of the connector using the following command, using the number returned from the previous step:
scr info <your number>
Create the
sync.jsonfile where you define mappings of various attributes and behaviors during reconciliation. The following is a simple example of async.json.{ "mappings" : [ { "name" : "systemADAccounts_managedUser", "source" : "system/ad/account", "target" : "managed/user", "properties" : [ { "source" : "sAMAccountName", "target" : "userName" }, { "source" : "sn", "target" : "lastname" }, { "source" : "givenName", "target" : "firstname" } ] } ] }Run the reconciliation with the following command.
$ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request POST "http://localhost:8080/openidm/recon? _action=recon&mapping=systemADAccounts_managedUser"
This will return a reconciliation id similar to the following:
{"_id":"0629d920-e29f-4650-889f-4423632481ad"}Check the internal repository (OrientDB or MySQL) to make sure that the users were reconciled. For information about connecting to OrientDB, see Before You Begin in the Installation Guide. For information about using MySQL as a repository, see Installing a Repository For Production in the Installation Guide.
It may be necessary to set up a remote Java Connector Server (JSC). This section provides directions for setting up the standalone connecter on Unix/Linux and Windows.
Download the OPENICF JAVA Connector Server from the OpenIDM download page under the ForgeRock Open Stack download page.
Run the terminal and unpack it. The following command will unzip the file in the current folder, so make sure to move to the appropriate location prior to running the command.
unzip openicf--java.zip
Change the directory to OpenICF using the following command:
$ cd path/to/openicf
If needed, secure the communication between OpenIDM and JCS. The JCS uses a property called
secret keyto authenticate the connection. The default secret key value ischangeit. To change the value of the secret key enter the following, replacingnewkeywith the your own string value:java - cp "./lib/framework/*" org.identityconnectors.framework.server.Main -setKey -key <newkey> -properties ./conf/ConnectorServer.propertiesReview the
ConnectorServer.propertiesin the/confdirectory, and make changes as necessary. The file contains setting information, including things like ports, the allowance of one/all IP addresses, and SSL. The file provides the required information to update these settings.Run the JCS.
java -cp "./lib/framework/*" org.identityconnectors.framework.server.Main -run -properties ./conf/ConnectorServer.properties
If necessary, you can stop the JCS by pressing
^C.
Download the OPENICF JAVA Connector Server from the OpenIDM download page under the ForgeRock Open Stack download page.
Unpack the zip file in the desired location, for example
C:\openicf.Run the command line (
Start, typecmd, andcmd) and change the working directory toopenicf\bin cd c:\openicf\binChange the directory to OpenICF using the following command:
$ cd path/to/openicf
If needed, secure the communication between OpenIDM and JCS. The JCS uses a property called
secret keyto authenticate the connection. The default secret key value ischangeit.To change the value of the secret key enter the following, replacing
newkeywith the your own string value:/ConnectorServer.bat /setkey <newkey>
Review the
ConnectorServer.propertiesin the/confdirectory, and make changes as necessary. The file contains setting information, including things like ports, the allowance of one/all IP addresses, and SSL. The file provides the required information to update these settings.If you would like the JCS to run as a Windows service, enter the following command.
./ConnecorServer.bat /install (for uninstalling use /uninstall )
Note
If you install JCS as a Windows service you can start/stop it by Microsoft's Service Console (
Start, typeService, andService). The JCS service is called:OpenICFConnectorServerJava.Or
If you would like to run the JCS from command line, enter the following command:
.\ConnectorServer.bat /run
If necessary, stop the JCS by pressing
^C.
You can view the log files in the openicf/logs directory.
This sample demonstrates using reconciliation of users stored in a MySQL database on a remote machine. The JCS runs on the same machine as the MySQL database and mediates the connection between OpenIDM and MySQL database.
Download MySQL JDBC Driver.
Unpack the
MySQL JDBC Driverand copy themysql-connector-java-5.1.22-bin.jarto theopenicf/libdirectory.Go to the
/toolsdirectory. The groovy scripts in the folder run on the JCS side. Copy them frompath/to/openidm/sample/sample3/toolsfolder toopenicf/.
Start OpenIDM. You can ignore errors like
cannot connect to databaseandcannot find jdbc driver. These errors will be fixed once OpenIDM is configured and restarted.Go to the
provisioner.openicf.connectorinfoprovider.jsonto see information about your remote connector servers. Copy this file fromopenidm/samples/provisionerstoopenidm/conf.For Unix/Linux, enter the following in Terminal.
$ cd path/to/openidm $ cp samples/provisioners/provisioner.openicf.connectorinfoprovider.json ./conf
For Windows, enter the following on the command line.
c:\> cd path/to/openidm .\> copy .\samples\provisioners\provisioner.openicf.connectorinfoprovider.json .\conf
Edit the
provisioner.openicf.connectorinfoprovider.jsonto meet your needs. The following is an example.{ "connectorsLocation" : "connectors", "remoteConnectorServers" : [ { "name" : "mysql", "host" : "10.0.0.2", "port" : 8759, "useSSL" : false, "timeout" : 0, "key" : "password" } ], }Copy all of the files from
openidm/samples/sample3/conftoopenidm/conf.For Unix/Linux, enter the following in Terminal.
$ cp -r ./samples/sample3/conf ./conf
For Window, enter the following on the command line.
.\> copy .\samples\sample3\conf\ .\conf\
Edit the
provisioner.openicf-scriptedsql.jsonto read like the following.{ "name" : "hrdb", "connectorRef" : { "connectorHostRef" : "mysql", "bundleName" : "org.forgerock.openicf.connectors.db.openicf-scriptedsql -connector", "bundleVersion" : "", "connectorName" : "org.forgerock.openicf.scriptedsql.ScriptedSQLConnector" }, "producerBufferSize" : 100, "connectorPoolingSupported" : true, "poolConfigOption" : { "maxObjects" : 10, "maxIdle" : 10, "maxWait" : 150000, "minEvictableIdleTimeMillis" : 120000, "minIdle" : 1 }, "operationTimeout" : { "CREATE" : -1, "TEST" : -1, "AUTHENTICATE" : -1, "SEARCH" : -1, "VALIDATE" : -1, "GET" : -1, "UPDATE" : -1, "DELETE" : -1, "SCRIPT_ON_CONNECTOR" : -1, "SCRIPT_ON_RESOURCE" : -1, "SYNC" : -1, "SCHEMA" : -1 }, "configurationProperties" : { "host" : "10.0.0.2", "port" : "3306", "user" : "root", "password" : { "$crypto" : { "value" : { "iv" : "dsrEhCU45UakY6Uh9Jxfww==", "data" : "X1+77+0I7Yog/6ZirsFSyg==", "cipher" : "AES/CBC/PKCS5Padding", "key" : "openidm-sym-default" }, "type" : "x-simple-encryption" } }, "database" : "HRDB", "autoCommit" : true, "reloadScriptOnExecution" : false, "keyColumn" : "uid", "jdbcDriver" : "com.mysql.jdbc.Driver", "jdbcConnectionUrl" : "jdbc:mysql://10.0.0.2:3306/HRDB", "jdbcUrlTemplate" : "jdbc:mysql://%h:%p/%d", "createScriptFileName" : "/home/tester/openicf/tools/CreateScript.groovy", "testScriptFileName" : "/home/tester/openicf/tools/TestScript.groovy", "searchScriptFileName" : "/home/tester/openicf/tools/SearchScript.groovy", "deleteScriptFileName" : "/home/tester/openicf/tools/DeleteScript.groovy", "updateScriptFileName" : "/home/tester/openicf/tools/UpdateScript.groovy", "syncScriptFileName" : "/home/tester/openicf/tools/SyncScript.groovy" }, "objectTypes" : { "group" : { "$schema" : "http://json-schema.org/draft-03/schema", "id" : "__GROUP__", "type" : "object", "nativeType" : "__GROUP__", "properties" : { "name" : { "type" : "string", "required" : true, "nativeName" : "__NAME__", "nativeType" : "string" }, "gid" : { "type" : "string", "required" : true, "nativeName" : "gid", "nativeType" : "string" }, "description" : { "type" : "string", "required" : false, "nativeName" : "description", "nativeType" : "string" } } }, "organization" : { "$schema" : "http://json-schema.org/draft-03/schema", "id" : "organization", "type" : "object", "nativeType" : "organization", "properties" : { "name" : { "type" : "string", "required" : true, "nativeName" : "__NAME__", "nativeType" : "string" }, "description" : { "type" : "string", "required" : false, "nativeName" : "description", "nativeType" : "string" } } }, "account" : { "$schema" : "http://json-schema.org/draft-03/schema", "id" : "__ACCOUNT__", "type" : "object", "nativeType" : "__ACCOUNT__", "properties" : { "firstName" : { "type" : "string", "nativeName" : "firstname", "nativeType" : "string", "required" : true }, "email" : { "type" : "array", "items" : { "type" : "string", "nativeType" : "string" }, "nativeName" : "email", "nativeType" : "string" }, "__PASSWORD__" : { "type" : "string", "nativeName" : "password", "nativeType" : "JAVA_TYPE_GUARDEDSTRING", "flags" : [ "NOT_READABLE", "NOT_RETURNED_BY_DEFAULT" ] }, "uid" : { "type" : "string", "nativeName" : "__NAME__", "required" : true, "nativeType" : "string" }, "fullName" : { "type" : "string", "nativeName" : "fullname", "nativeType" : "string" }, "lastName" : { "type" : "string", "required" : true, "nativeName" : "lastname", "nativeType" : "string" }, "organization" : { "type" : "string", "required" : true, "nativeName" : "organization", "nativeType" : "string" } } } }, "operationOptions" : { } }Verify that the following settings are correct.
The value of
connectorHostRef : mysqlpoints to the propertynameofprovisioner.openicf.connectorinfoprovider.json. This indicates which connectorinfoprovider to use.The
bundleVersion :must be exactly the same asopenicf-scriptedsql-connector-.jar. on JCS/bundles. Unpack the.jarfile, openMETA-INF/MANIFEST.MF, and search for theBundle-Versionproperty.The path to groovy scripts should be
createScriptFileName : /home/tester/openicf/tools/CreateScript.groovy.For Windows, the path will follow Unix notation. For example the path could be
Program Files (x86)/openicf/tools/CreateScript.groovy, which in Windows notation would beC:\Program Files (x86)\openicf\tools\CreateScript.groovy.All instances of the connection setting must be properly set, for example,
jdbcConnectionUrl : jdbc:mysql://10.0.0.2:3306/HRDB.
Restart OpenIDM to verify that all of the configuration changes have occurred. There should be no error message when OpenIDM is restarted. To check run the following.
src list
This returns a list of installed modules, including the following:
[ 17] [active ] org.forgerock.openidm.provisioner.openicf
Note
The number may differ. Make sure to note the number returned.
When you have installed more connectors, there will be more OpenICF modules. If the state of the module is active, the module is installed properly. If the state is unsatisfied, then you have not configured it correctly and you must check your configuration. You can also check the content of installed module (which could be handy if you have unsatisfied state and you want to see if the content is the same as in
*.json– to verify that the configuration you just set was picked up). To list the content of the module use the following with the number returned from the previous step:scr info 17 <your number>
Note
You can also check the
provisioner.openicf.connectorinfoproviderRun reconciliation with the following command:
$ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request POST "http://localhost:8080/openidm/recon?_action=recon&mapping=systemHrdb_managedUser"
This will return a reconciliation id similar to the following:
{"_id":"a5346543-db9a-4f8b-ba25-af2a1b576a54"}Check the internal repository (OrientDB or MySQL) to make sure that the users were reconciled. For information about connecting to OrientDB, see Before You Begin in the Installation Guide. For information about using MySQL as a repository, see Installing a Repository For Production in the Installation Guide.
This sample demonstrates using reconciliation of users created in an XML folder on a remote machine. The JCS provides a way for OpenIDM to pick up and synchronize the OpenIDM repository with the remote XML user repository.
Copy the
openidm/samples/sample1/datadirectory to a location on the JCS machine.
Start OpenIDM. You can ignore errors like
cannot connect to databaseandcannot find jdbc driver. These errors will be fixed once OpenIDM has been configured and restarted.Copy the
openidm/samples/sample1/confdirectory toopenidm/conf. Overwrite any existing files.For Unix/Linux, enter the following in a terminal window.
$ cd path/to/openidm $ cp -r ./samples/sample1/conf ./conf
For Windows, enter the following on the command line.
c:\> cd path\to\openidm .\> copy .\samples\sample1\conf .\conf
Copy the
openidm/samples/provisioners/provisioner.openicf.connectorinfoprovider.jsotoopenidm/conf.$ cp . samples/provisioners/provisioner.openicf.connectorinfoprovider.json ./conf
Edit the
provisioner.openicf.connectorinfoprovider.jsonto match your network setup. The following is an example of how it could look.{ "connectorsLocation" : "connectors", "remoteConnectorServers" : [ { "name" : "xml", "host" : "10.0.0.2", "port" : 8759, "useSSL" : false, "timeout" : 0, "key" : "password" } ], }Edit the
provisioner.openicf-xml.jsonin the/confdirectory to read like the following.{ "name" : "xmlfile", "connectorRef" : { "connectorHostRef" : "xml", "bundleName" : "org.forgerock.openicf.connectors.file.openicf-xml-connector", "bundleVersion" : "", "connectorName" : "com.forgerock.openicf.xml.XMLConnector" }, "producerBufferSize" : 100, "connectorPoolingSupported" : true, "poolConfigOption" : { "maxObjects" : 10, "maxIdle" : 10, "maxWait" : 150000, "minEvictableIdleTimeMillis" : 120000, "minIdle" : 1 }, "operationTimeout" : { "CREATE" : -1, "TEST" : -1, "AUTHENTICATE" : -1, "SEARCH" : -1, "VALIDATE" : -1, "GET" : -1, "UPDATE" : -1, "DELETE" : -1, "SCRIPT_ON_CONNECTOR" : -1, "SCRIPT_ON_RESOURCE" : -1, "SYNC" : -1, "SCHEMA" : -1 }, "configurationProperties" : { "xsdIcfFilePath" : "/Program files (x86)/openicf/data/ resource-schema-1.xsd", "xsdFilePath" : "/Program Files (x86)/openicf/data/ resource-schema-extension.xsd", "xmlFilePath" : "/Program Files (x86)/openicf/data/xmlConnectorData.xml" }, "objectTypes" : { "account" : { "$schema" : "http://json-schema.org/draft-03/schema", "id" : "__ACCOUNT__", "type" : "object", "nativeType" : "__ACCOUNT__", "properties" : { "description" : { "type" : "string", "nativeName" : "__DESCRIPTION__", "nativeType" : "string" }, "firstname" : { "type" : "string", "nativeName" : "firstname", "nativeType" : "string" }, "email" : { "type" : "array", "items" : { "type" : "string", "nativeType" : "string" }, "nativeName" : "email", "nativeType" : "string" }, "__UID__" : { "type" : "string", "nativeName" : "__UID__" }, "password" : { "type" : "string", "required" : false, "nativeName" : "__PASSWORD__", "nativeType" : "JAVA_TYPE_GUARDEDSTRING", "flags" : [ "NOT_READABLE", "NOT_RETURNED_BY_DEFAULT" ] }, "name" : { "type" : "string", "required" : true, "nativeName" : "__NAME__", "nativeType" : "string" }, "lastname" : { "type" : "string", "required" : true, "nativeName" : "lastname", "nativeType" : "string" } } } }, "operationOptions" : { } }Verify that the following settings are correct.
The value of
connectorHostRef : xmlpoints to the propertynameofprovisioner.openicf.connectorinfoprovider.json. This indicates which connectorinfoprovider to use.The
bundleVersion :must be exactly the same asopenicf-scriptedsql-connector-.jar. on JCS/bundles.The path to
xsdIcfFilePath : /Program files (x86)/openicf/data/resource-schema-1.xs
Restart OpenIDM to verify that all of the configuration changes have occurred. There should be no error message when OpenIDM is restarted. To check, run the following command:
src list
This returns a list of installed modules, including the following:
[ 17] [active ] org.forgerock.openidm.provisioner.openicf
Note
The number may differ. Make sure to note the number returned.
When you have installed more connectors, there will be more OpenIFC modules. If the state of the module is active, the module is installed properly. If the state is unsatisfied, then you have not configured it correctly and you must check your configuration. You can also check the content of installed modules. This can be useful if you have an unsatisfied state and you want to check that the content is the same as in the
*.jsonfile, to verify that the configuration change you made was picked up. To list the content of the module run the following command, with the number returned from the previous step:scr info 17 <your number>
Note
You can also check the
provisioner.openicf.connectorinfoproviderRun reconciliation with the following command.
$ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request POST "http://localhost:8080/openidm/recon?_action=recon&mapping=systemXmlfileAccounts_managedUser"
This will return a reconciliation id similar to the following:
{"_id":"a5346543-db9a-4f8b-ba25-af2a1b576a54"}Check the internal repository (OrientDB or MySQL) to make sure that the users were reconciled. For information about connecting to OrientDB, see Before You Begin in the Installation Guide. For information about using MySQL as a repository, see Installing a Repository For Production in the Installation Guide.
A sample Active Directory Connector configuration file is provided
in opendim/samples/provisioners/provisioner.openicf-ad.json.
The following excerpt shows the configuration for the connector.
{
"connectorHostRef": "dotnet",
"connectorName":
"Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector",
"bundleName": "ActiveDirectory.Connector",
"bundleVersion": "1.0.0.6109"
}The connectorHostRef must point by name to an
existing connector info provider configuration, that you store in
openidm/conf/provisioner.openicf.connectorinfoprovider.json.
The connectorHostRef property is required as the Active
Directory connector must be installed on a .NET connector server, which is
always "remote" relative to OpenIDM.
The following excerpt shows the configuration for the connector info provider.
{
"connectorsLocation": "connectors",
"remoteConnectorServers": [
{
"name": "dotnet",
"host": "10.0.0.10",
"port": 8759,
"useSSL": false,
"timeout": 0,
"key": "Passw0rd"
}
]
}The following excerpt shows typical configuration properties.
{
"DirectoryAdminName": "EXAMPLE\\Administrator",
"DirectoryAdminPassword": "passw0rd",
"ObjectClass": "User",
"Container": "dc=example,dc=com",
"CreateHomeDirectory": true,
"LDAPHostName": "127.0.0.1",
"SearchChildDomains": false,
"DomainName": "example",
"SyncGlobalCatalogServer": null,
"SyncDomainController": null,
"SearchContext": "dc=example,dc=com"
}- DirectoryAdminName
Account used to authenticate. This can be a
domainname\user- DirectoryAdminPassword
Password used to authenticate
- ObjectClass
Object class for user objects
- Container
Base context for all searches
- CreateHomeDirectory
When
true, create a home directory for new users.- LDAPHostName
Use to enforce connection to a particular Active Directory server.
- SearchChildDomains
When set to
trueorfalse, applySyncGlobalCatalogServerandSyncDomainControllersettings- DomainName
Windows domain name
- SyncGlobalCatalogServer
Global catalog server to use when searching child domains
- SyncDomainController
Domain controller to use during synchronization when not searching child domains
- SearchContext
Reserved for future use
The Active Directory connector supports PowerShell scripting. The following example shows a simple PowerShell script that is referenced in the connector configuration and can be called over the REST interface.
This PowerShell script creates a new MS SQL user with a username
that is specified when the script is called. The script sets the user's
password to Passw0rd and, optionally, gives the user a
role. Save this script as openidm/script/createUser.ps1.
if ($loginName -ne $NULL) {
[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SMO') | Out-Null
$sqlSrv = New-Object ('Microsoft.SqlServer.Management.Smo.Server') ('WIN-C2MSQ8G1TCA')
$login = New-Object -TypeName ('Microsoft.SqlServer.Management.Smo.Login') ($sqlSrv, $loginName)
$login.LoginType = 'SqlLogin'
$login.PasswordExpirationEnabled = $false
$login.Create('Passw0rd')
# The next two lines are optional, and to give the new login a server role, optional
$login.AddToRole('sysadmin')
$login.Alter()
} else {
$Error_Message = [string]"Required variables 'loginName' is missing!"
Write-Error $Error_Message
throw $Error_Message
}
Now edit the Active Directory connector configuration to reference
the script. Add the following section to the connector configuration file
(opendim/conf/provisioner.openicf-ad.json).
"systemActions" : [
{
"_scriptId" : "ConnectorScriptName",
"actions" : [
{
"systemType" : ".*ActiveDirectoryConnector",
"actionType" : "Shell",
"actionSource" : "@echo off \r\n echo %loginName%\r\n"
},
{
"systemType" : ".*ActiveDirectoryConnector",
"actionType" : "PowerShell",
"actionFile" : "script/createUser.ps1"
}
]
}
]
To call the PowerShell script over the REST interface, use the following request, specifying the userName as input:
$ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request POST "http://localhost:8080/openidm/system/ActiveDirectory/account?_action=script&_scriptId=ConnectorScriptName&loginName=myUser"
The CSV file connector often serves when importing users, either for initial provisioning or for ongoing updates. When used continuously in production, a CSV file serves as a change log, often containing only user records that changed.
The following example shows an excerpt of the provisioner configuration.
The default connector-jar location is openidm/connectors.
Therefore the connectorHostRef must point to
"#LOCAL".
{
"connectorRef": {
"connectorHostRef": "#LOCAL",
"connectorName": "org.forgerock.openicf.csvfile.CSVFileConnector",
"bundleName":
"org.forgerock.openicf.connectors.csvfile-connector",
"bundleVersion": ""
}
}The following excerpt shows required configuration properties.
{
"configurationProperties": {
"filePath": "data/hr.csv",
"uniqueAttribute": "uid"
}
}The CSV file connector also supports a number of optional configuration properties, in addition to the required properties.
- encoding (optional)
Default:
"utf-8"- fieldDelimiter (optional)
Default:
","- filePath (required)
References the CSV file containing account entries
- multivalueDelimiter (optional)
Used with multi-valued attributes. Default:
";"- passwordAttribute (optional)
Attribute containing the password. Use when password-based authentication is required.
- uniqueAttribute (required)
Primary key used for the CSV file
- usingMultivalue (optional)
Whether attributes can have multiple values. Default:
false
The Scripted SQL Connector uses customizable Groovy scripts to interact with the database.
The connector uses one script for each of the following actions on the external database.
Create
Delete
Search
Sync
Test
Update
See the openidm/samples/sample3/tools/ directory
for example scripts.
The scripted SQL connector runs with autocommit mode enabled by default.
As soon as a statement is executed that modifies a table, the update is stored
on disk and the change cannot be rolled back. This setting applies to all
database actions (search, create, delete, test, synch, and update).
You can disable autocommit in the connector configuration file
(conf/provisioner.openicf-scriptedsql.json) by adding the
autocommit property and setting it to
false, for example:
"configurationProperties" : {
"host" : "localhost",
"port" : "3306",
...
"database" : "HRDB",
"autoCommit" : false,
"reloadScriptOnExecution" : true,
"createScriptFileName" : "/path/to/openidm/tools/CreateScript.groovy",
If you require a traditional transaction with a manual commit for a specific script, you can disable autocommit mode in the script or scripts for each action that requires a manual commit.
Rather than creating provisioner files by hand, use the service that
OpenIDM exposes through the REST interface to create basic connector
configuration files named provisioner-openicf- file.Connector
Name.json
You create a new connector configuration file in three stages.
List available connectors.
Generate the core configuration.
Connect to the target system and generate the final configuration.
List available connectors using the following command.
$ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request POST "http://localhost:8080/openidm/system?_action=CREATECONFIGURATION"
Available connectors are installed in
openidm/connectors. OpenIDM bundles the following
connectors.
csvfile
ldap
scriptedsql
xml
The command above therefore should return the following output (formatted here with lines folded to make it easier to read.)
{
"connectorRef": [
{
"connectorName": "org.identityconnectors.ldap.LdapConnector",
"bundleName":
"org.forgerock.openicf.connectors.ldap-connector",
"bundleVersion": ""
},
{
"connectorName": "com.forgerock.openicf.xml.XMLConnector",
"bundleName":
"org.forgerock.openicf.connectors.file.openicf-xml-connector",
"bundleVersion": ""
},
{
"connectorHostRef":
"osgi:service/org.forgerock.openicf.framework.api.osgi.ConnectorManager",
"connectorName": "org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector",
"bundleName":
"org.forgerock.openicf.connectors.scriptedsql-connector",
"bundleVersion": ""
},
{
"connectorHostRef":
"osgi:service/org.forgerock.openicf.framework.api.osgi.ConnectorManager",
"connectorName": "org.forgerock.openicf.csvfile.CSVFileConnector",
"bundleName":
"org.forgerock.openicf.connectors.csvfile-connector",
"bundleVersion": ""
}
]
}To generate the core configuration, choose one of the available connectors by copying JSON objects from the list into the body of the REST command, as shown below for the XML connector.
$ curl
--header "X-OpenIDM-Username: openidm-admin"
--header "X-OpenIDM-Password: openidm-admin"
-d '{"connectorRef":
{"connectorName":"com.forgerock.openicf.xml.XMLConnector",
"bundleName":"org.forgerock.openicf.connectors.file.openicf-xml-connector",
"bundleVersion":""}}'
--request POST "http://localhost:8080/openidm/system?_action=CREATECONFIGURATION"The command returns a core connector configuration. The core connector configuration returned is not yet functional. It does not contain system specific "configurationProperties" such as the host name and port for web based connectors, or the "xmlFilePath" for the XML file based connectors as can be seen below. In addition, the configuration returned does not include complete "objectTypes" and "operationOptions" parts.
{
"connectorRef": {
"connectorName": "com.forgerock.openicf.xml.XMLConnector",
"bundleName":
"org.forgerock.openicf.connectors.file.openicf-xml-connector",
"bundleVersion": ""
},
"poolConfigOption": {
"maxObjects": 10,
"maxIdle": 10,
"maxWait": 150000,
"minEvictableIdleTimeMillis": 120000,
"minIdle": 1
},
"resultsHandlerConfig": {
"enableNormalizingResultsHandler": true,
"enableFilteredResultsHandler": true,
"enableCaseInsensitiveFilter": false,
"enableAttributesToGetSearchResultsHandler": true
},
"operationTimeout": {
"CREATE": -1,
"UPDATE": -1,
"DELETE": -1,
"TEST": -1,
"SCRIPT_ON_CONNECTOR": -1,
"SCRIPT_ON_RESOURCE": -1,
"GET": -1,
"RESOLVEUSERNAME": -1,
"AUTHENTICATE": -1,
"SEARCH": -1,
"VALIDATE": -1,
"SYNC": -1,
"SCHEMA": -1
},
"configurationProperties": {
"xmlFilePath": null,
"xsdFilePath": null,
"xsdIcfFilePath": null
}
}To generate the final configuration, add the missing "configurationProperties" to the core configuration, and use the updated core configuration as the body for the next command.
$ curl
--header "X-OpenIDM-Username: openidm-admin"
--header "X-OpenIDM-Password: openidm-admin"
--data '{
"connectorRef" :
{
"connectorName" : "com.forgerock.openicf.xml.XMLConnector",
"bundleName" :
"org.forgerock.openicf.connectors.file.openicf-xml-connector",
"bundleVersion" : ""
},
"poolConfigOption" :
{
"maxObjects" : 10,
"maxIdle" : 10,
"maxWait" : 150000,
"minEvictableIdleTimeMillis" : 120000,
"minIdle" : 1
},
"resultsHandlerConfig" :
{
"enableNormalizingResultsHandler" : true,
"enableFilteredResultsHandler" : true,
"enableCaseInsensitiveFilter" : false,
"enableAttributesToGetSearchResultsHandler" : true
},
"operationTimeout" :
{
"CREATE" : -1,
"UPDATE" : -1,
"DELETE" : -1,
"TEST" : -1,
"SCRIPT_ON_CONNECTOR" : -1,
"SCRIPT_ON_RESOURCE" : -1,
"GET" : -1,
"RESOLVEUSERNAME" : -1,
"AUTHENTICATE" : -1,
"SEARCH" : -1,
"VALIDATE" : -1,
"SYNC" : -1,
"SCHEMA" : -1
},
"configurationProperties" :
{
"xsdIcfFilePath" : "samples/sample1/data/resource-schema-1.xsd",
"xsdFilePath" : "samples/sample1/data/resource-schema-extension.xsd",
"xmlFilePath" : "samples/sample1/data/xmlConnectorData.xml"
}
}'
--request POST "http://localhost:8080/openidm/system?_action=CREATECONFIGURATION"Note
Notice the single quotes around the argument to the
--data option in the command above. For most UNIX shells,
single quotes around a string prevent the shell from executing the command
when encountering a newline in the content. You can therefore pass the
--data '...' option on a single line or including line feeds.
OpenIDM attempts to read the schema, if available, from the external resource in order to generate output. OpenIDM then iterates through schema objects and attributes, creating JSON representations for "objectTypes" and "operationOptions" for supported objects and operations.
{
"connectorRef": {
"connectorHostRef": "#LOCAL",
"connectorName": "com.forgerock.openicf.xml.XMLConnector",
"bundleName":
"org.forgerock.openicf.connectors.file.openicf-xml-connector",
"bundleVersion": "-EA"
},
"poolConfigOption": {
"maxObjects": 10,
"maxIdle": 10,
"maxWait": 150000,
"minEvictableIdleTimeMillis": 120000,
"minIdle": 1
},
"resultsHandlerConfig": {
"enableNormalizingResultsHandler": true,
"enableFilteredResultsHandler": true,
"enableCaseInsensitiveFilter": false,
"enableAttributesToGetSearchResultsHandler": true
},
"operationTimeout": {
"CREATE": -1,
"UPDATE": -1,
"DELETE": -1,
"TEST": -1,
"SCRIPT_ON_CONNECTOR": -1,
"SCRIPT_ON_RESOURCE": -1,
"GET": -1,
"RESOLVEUSERNAME": -1,
"AUTHENTICATE": -1,
"SEARCH": -1,
"VALIDATE": -1,
"SYNC": -1,
"SCHEMA": -1
},
"configurationProperties": {
"xmlFilePath": "samples/sample1/data/xmlConnectorData.xml",
"xsdFilePath": "samples/sample1/data/resource-schema-extension.xsd",
"xsdIcfFilePath": "samples/sample1/data/resource-schema-1.xsd"
},
"objectTypes": {
"OrganizationUnit": {
"...": "..."
},
"__GROUP__": {
"$schema": "http://json-schema.org/draft-03/schema",
"id": "__GROUP__",
"type": "object",
"nativeType": "__GROUP__",
"properties": {
"__DESCRIPTION__": {
"type": "string",
"required": true,
"nativeName": "__DESCRIPTION__",
"nativeType": "string"
},
"__NAME__": {
"type": "string",
"required": true,
"nativeName": "__NAME__",
"nativeType": "string"
}
}
},
"__ACCOUNT__": {
"$schema": "http://json-schema.org/draft-03/schema",
"id": "__ACCOUNT__",
"type": "object",
"nativeType": "__ACCOUNT__",
"properties": {
"firstname": {
"type": "string",
"nativeName": "firstname",
"nativeType": "string"
},
"__DESCRIPTION__": {
"type": "string",
"nativeName": "__DESCRIPTION__",
"nativeType": "string"
},
"__UID__": {
"type": "string",
"nativeName": "__UID__",
"nativeType": "string"
},
"__NAME__": {
"type": "string",
"required": true,
"nativeName": "__NAME__",
"nativeType": "string"
}
}
}
},
"operationOptions": {
"CREATE": {
"objectFeatures": {
"OrganizationUnit": {
"...": "..."
},
"__GROUP__": {
"...": "..."
},
"__ACCOUNT__": {
"denied": false,
"onDeny": "DO_NOTHING",
"operationOptionInfo": {
"$schema": "http://json-schema.org/draft-03/schema",
"id": "FIX_ME",
"type": "object",
"properties": {
"...": "..."
}
}
}
}
},
"UPDATE": {
"objectFeatures": {
"__ACCOUNT__": {
"denied": false,
"onDeny": "DO_NOTHING",
"operationOptionInfo": {
"$schema": "http://json-schema.org/draft-03/schema",
"id": "FIX_ME",
"type": "object",
"properties": {
"...": "..."
}
}
}
}
}
}
}As OpenIDM produces a full property set for all attributes and all object types in the schema from the external resource, the resulting configuration can be large. For an LDAP server, OpenIDM can generate a configuration containing several tens of thousands of lines, for example. You might therefore want to reduce the schema to a minimum on the external resource before you run the final command.