A .NET connector server is useful when an application is written in Java, but a connector bundle is written using C#. Because a Java application (for example, a J2EE application) cannot load C# classes, it is necessary to deploy the C# bundles under a .NET connector server. The Java application can communicate with the C# connector server over the network, and the C# connector server acts as a proxy to provide access to the C# bundles that are deployed within the C# connector server, to any authenticated application.
Procedure 9.1. Installing the .NET Connector Server
- Download the OPENICF .NET Connector Server from the OpenIDM download page under the ForgeRock Open Stack download page.
- Execute ServiceInstall--dotnet.msi.
- Complete the wizard.
  When the wizard has run, the Connector Server is installed as a Windows Service.
Procedure 9.2. Running the .NET Connector Server
The .NET Connector Server can be started in one of two ways.
- In the Microsoft Service Console, go to Start, type `Services`, `Services`.

or

- In the command prompt, go to Start, type `cmd`, then `cmd` again.
- Change the directory to the location where the Connector Server was installed. The default location is `Program Files/Identity Connectors/Connector Server`.
- Enter `cd Program Files (x86)/Identity Connectors/Connector Server`.
- Start the server with the following command:

  ```
  ConnectorServer.exe /run
  ```
Procedure 9.3. Configuring the .NET Connector Server
After starting the Microsoft Services Console, follow these steps to configure the .NET Connector Server.
- Check to see if the Connector Server is currently running. If so, stop it. All configuration changes require that the Connector Server be stopped and restarted after the changes are saved.
- At the command prompt (click Start, Run, then type `cmd`), set the key for the Connector Server by changing to the directory where the Connector Server was installed and executing the following command, using a string value for `newkey`:

  ```
  ConnectorServer.exe /setkey <newkey>
  ```

  This key is used by clients connecting to the Connector Server.
- Review the `ConnectorServer.exe.config` file to verify additional configuration, including the port, address, and SSL settings in the `AppSettings`.

  ```xml
  <add key="connectorserver.port" value="8759" />
  <add key="connectorserver.usessl" value="false" />
  <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
  <add key="connectorserver.ipaddress" value="0.0.0.0" />
  ```

  The port can be set by changing the value of `connectorserver.port`. The listening socket can be bound to a particular address, or can be left as 0.0.0.0.

  To configure the server to use SSL, set the value of `connectorserver.usessl` to `true` and set the value of `connectorserver.certificatestorename` to the certificate store name.
- Trace settings are also in the configuration file.

  ```xml
  <system.diagnostics>
    <trace autoflush="true" indentsize="4">
      <listeners>
        <remove name="Default" />
        <add name="myListener"
             type="System.Diagnostics.TextWriterTraceListener"
             initializeData="c:\connectorserver2.log"
             traceOutputOptions="DateTime">
          <filter type="System.Diagnostics.EventTypeFilter"
                  initializeData="Information" />
        </add>
      </listeners>
    </trace>
  </system.diagnostics>
  ```

  The Connector Server uses the standard .NET trace mechanism. For more information about the tracing options, see Microsoft's .NET documentation for `System.Diagnostics`.

  Note: The default settings are a good starting point, but for less tracing, you can change the EventTypeFilter's `initializeData` to "Warning" or "Error". For very verbose logging you can set the value to "Verbose" or "All". The amount of logging performed has a direct effect on the performance of the Connector Servers, so choose the setting with care.
- Download the AD Connector from the OpenIDM download page under the ForgeRock Open Stack download page.
- Unzip the directory in the Connector Server folder.
- Start the Connector Server service.
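
The settings reviewed in this procedure can be checked mechanically before the service is restarted. The following audit is an added example, not part of the original guide or of OpenICF; the function name, the finding texts and the embedded sample file are assumptions constructed for illustration. It flags SSL left off, a listener bound to 0.0.0.0, and the trace levels the note above calls very verbose.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the default settings shown above (not a real file).
SAMPLE_CONFIG = r"""<configuration>
  <appSettings>
    <add key="connectorserver.port" value="8759" />
    <add key="connectorserver.usessl" value="false" />
    <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
    <add key="connectorserver.ipaddress" value="0.0.0.0" />
  </appSettings>
  <system.diagnostics><trace autoflush="true"><listeners>
    <add name="myListener" type="System.Diagnostics.TextWriterTraceListener"
         initializeData="c:\connectorserver2.log">
      <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
    </add>
  </listeners></trace></system.diagnostics>
</configuration>"""

NOISY_TRACE_LEVELS = {"verbose", "all"}  # levels the note above calls very verbose


def audit_connector_server_config(xml_text):
    """Return (setting, finding) tuples for settings that deserve review."""
    root = ET.fromstring(xml_text)
    # appSettings entries carry a key attribute; trace listener <add> elements do not.
    settings = {e.get("key").lower(): (e.get("value") or "").strip()
                for e in root.iter("add") if e.get("key")}
    findings = []
    # Anything other than an explicit "true" is treated as SSL being off.
    if settings.get("connectorserver.usessl", "").lower() != "true":
        findings.append(("connectorserver.usessl",
                         "SSL is off: clients connect without TLS"))
    elif not settings.get("connectorserver.certificatestorename"):
        findings.append(("connectorserver.certificatestorename",
                         "SSL is on but no certificate store name is set"))
    if settings.get("connectorserver.ipaddress") == "0.0.0.0":
        findings.append(("connectorserver.ipaddress",
                         "listening on all interfaces; bind to one address if possible"))
    for flt in root.iter("filter"):
        level = (flt.get("initializeData") or "").lower()
        if level in NOISY_TRACE_LEVELS:
            findings.append(("EventTypeFilter", f"trace level '{level}' is very verbose"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_connector_server_config(SAMPLE_CONFIG):
        print(f"{setting}: {finding}")
```

Run against the defaults shown above, it reports the SSL and bind-address settings; a file with `usessl` set to `true`, a certificate store name and a specific address produces no findings.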
Procedure 9.4. Configuring the .NET Connector Server with OpenIDM
When you configure remote connectors, you must use the connector
info provider service to connect through remote connector servers.
The configuration is stored in the configuration file,
openidm/conf/provisioner.openicf.connectorinfoprovider.json.
A sample can be found under openidm/samples/provisioners/.
- Make sure that OpenIDM is running and copy the `provisioner.openicf.connectorinfoprovider.json` file to `/path/to/openidm/conf` and edit it as needed.

  ```
  $ cd path/to/openidm
  $ cp samples/provisioners/provisioner.openicf.connectorinfoprovider.json conf/
  ```

- Create the connector file `provisioner.openicf-ad.json` in the `conf/` directory. The following is an example of what the `name`, `bundleVersion`, and a few other configuration properties will look like.

  ```json
  {
      "name" : "ad",
      "connectorRef" : {
          "connectorHostRef" : "dotnet",
          "connectorName" : "Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector",
          "bundleName" : "ActiveDirectory.Connector",
          "bundleVersion" : "1.0.0.0"
      },
      "poolConfigOption" : {
          "maxObjects" : 10,
          "maxIdle" : 10,
          "maxWait" : 150000,
          "minEvictableIdleTimeMillis" : 120000,
          "minIdle" : 1
      },
      "operationTimeout" : {
          "SYNC" : -1,
          "TEST" : -1,
          "SEARCH" : -1,
          "RESOLVEUSERNAME" : -1,
          "SCRIPT_ON_CONNECTOR" : -1,
          "VALIDATE" : -1,
          "DELETE" : -1,
          "UPDATE" : -1,
          "AUTHENTICATE" : -1,
          "CREATE" : -1,
          "SCRIPT_ON_RESOURCE" : -1,
          "GET" : -1,
          "SCHEMA" : -1
      },
      "configurationProperties" : {
          "DirectoryAdminName" : "EXAMPLE\\Administrator",
          "DirectoryAdminPassword" : {
              "$crypto" : {
                  "value" : {
                      "iv" : "QJctjWJi9w2uPLsO2Pucfw==",
                      "data" : "Akqzk1PW0m9QP5cfOMIuYw==",
                      "cipher" : "AES/CBC/PKCS5Padding",
                      "key" : "openidm-sym-default"
                  },
                  "type" : "x-simple-encryption"
              }
          },
          "ObjectClass" : "User",
          "Container" : "dc=example,dc=com",
          "CreateHomeDirectory" : true,
          "LDAPHostName" : "10.0.0.2",
          "SearchChildDomains" : false,
          "DomainName" : "example",
          "SyncGlobalCatalogServer" : null,
          "SyncDomainController" : null,
          "SearchContext" : ""
      }
  }
  ```

- Edit the `configurationProperties` according to your setup and make sure that the `bundleVersion` is the same version as `ActiveDirectory.Connector.dll` in the Windows Connector Server folder. (Right-click on the `dll`, select Properties, the Details tab, and Product version.)
- Make sure the connector was installed properly using the following command:

  ```
  scr list
  ```

  This should return all of the installed modules, including the following:

  ```
  [ 24] [active ] org.forgerock.openidm.provisioner.openicf
  ```

  Note: The number may differ. Make sure to note the number returned.

  Review the content of the connector using the following command, using the number returned from the previous step:

  ```
  scr info <your number>
  ```
- Create the `sync.json` file where you define mappings of various attributes and behaviors during reconciliation. The following is a simple example of a `sync.json`.

  ```json
  {
      "mappings" : [
          {
              "name" : "systemADAccounts_managedUser",
              "source" : "system/ad/account",
              "target" : "managed/user",
              "properties" : [
                  { "source" : "sAMAccountName", "target" : "userName" },
                  { "source" : "sn", "target" : "lastname" },
                  { "source" : "givenName", "target" : "firstname" }
              ]
          }
      ]
  }
  ```

- Run the reconciliation with the following command.

  ```
  $ curl --header "X-OpenIDM-Username: openidm-admin" \
         --header "X-OpenIDM-Password: openidm-admin" \
         --request POST \
         "http://localhost:8080/openidm/recon?_action=recon&mapping=systemADAccounts_managedUser"
  ```

  This will return a reconciliation id similar to the following:

  ```
  {"_id":"0629d920-e29f-4650-889f-4423632481ad"}
  ```

- Check the internal repository (OrientDB or MySQL) to make sure that the users were reconciled. For information about connecting to OrientDB, see Before You Begin in the Installation Guide. For information about using MySQL as a repository, see Installing a Repository For Production in the Installation Guide.
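
Two points in this procedure lend themselves to a pre-deployment check of `provisioner.openicf-ad.json`: the `bundleVersion` must equal the DLL's product version, and `DirectoryAdminPassword` should appear as a `$crypto` envelope rather than as a plain string. The following check is an added example, not part of the original guide or of OpenIDM; the function names and the trimmed sample document are assumptions constructed for illustration, and the DLL version is passed in by hand.

```python
import json

# Constructed sample: a trimmed provisioner.openicf-ad.json modelled on the one above,
# with the password deliberately left in cleartext so the check has something to find.
SAMPLE_PROVISIONER = r"""{
  "name": "ad",
  "connectorRef": {
    "connectorHostRef": "dotnet",
    "connectorName": "Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector",
    "bundleName": "ActiveDirectory.Connector",
    "bundleVersion": "1.0.0.0"
  },
  "configurationProperties": {
    "DirectoryAdminName": "EXAMPLE\\Administrator",
    "DirectoryAdminPassword": "constructed-cleartext-value",
    "LDAPHostName": "10.0.0.2"
  }
}"""


def is_encrypted(value):
    """True when value is a $crypto envelope shaped like the one in the sample above."""
    crypto = value.get("$crypto") if isinstance(value, dict) else None
    inner = crypto.get("value") if isinstance(crypto, dict) else None
    return isinstance(inner, dict) and {"iv", "data", "cipher"} <= inner.keys()


def check_provisioner(config_text, dll_product_version):
    """Return findings; dll_product_version is read from ActiveDirectory.Connector.dll."""
    cfg = json.loads(config_text)
    ref = cfg.get("connectorRef", {})
    findings = []
    if ref.get("bundleVersion") != dll_product_version:
        findings.append(f"bundleVersion {ref.get('bundleVersion')!r} does not match "
                        f"DLL product version {dll_product_version!r}")
    if not ref.get("connectorHostRef"):
        findings.append("connectorHostRef is not set (the sample above uses 'dotnet')")
    for key, value in cfg.get("configurationProperties", {}).items():
        if "password" in key.lower() and value is not None and not is_encrypted(value):
            findings.append(f"{key} is in cleartext, not a $crypto envelope")
    return findings


if __name__ == "__main__":
    for finding in check_provisioner(SAMPLE_PROVISIONER, "1.0.0.0"):
        print(finding)
```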

