The following excerpt shows the connectorRef configuration property for connection to an LDAP server. When using the connector .jar provided in openidm/connectors, and when using a local connector server, the connectorHostRef property is optional.

```json
{
  "connectorRef": {
    "connectorHostRef": "#LOCAL",
    "connectorName": "org.identityconnectors.ldap.LdapConnector",
    "bundleName": "org.forgerock.openicf.connectors.ldap-connector",
    "bundleVersion": ""
  }
}
```

The following excerpt shows settings for many connector configuration properties.
```json
{
  "accountSynchronizationFilter": null,
  "passwordAttributeToSynchronize": null,
  "synchronizePasswords": false,
  "removeLogEntryObjectClassFromFilter": true,
  "modifiersNamesToFilterOut": [],
  "passwordDecryptionKey": null,
  "credentials": "Passw0rd",
  "changeLogBlockSize": 100,
  "baseContextsToSynchronize": [
    "ou=People,dc=example,dc=com"
  ],
  "attributesToSynchronize": [
    "uid",
    "sn",
    "cn",
    "givenName",
    "mail",
    "description"
  ],
  "changeNumberAttribute": "changeNumber",
  "passwordDecryptionInitializationVector": null,
  "filterWithOrInsteadOfAnd": false,
  "objectClassesToSynchronize": [
    "inetOrgPerson"
  ],
  "port": 1389,
  "vlvSortAttribute": "uid",
  "passwordAttribute": "userPassword",
  "useBlocks": true,
  "maintainPosixGroupMembership": false,
  "failover": [],
  "ssl": false,
  "principal": "cn=Directory Manager",
  "baseContexts": [
    "dc=example,dc=com"
  ],
  "readSchema": true,
  "accountObjectClasses": [
    "top",
    "person",
    "organizationalPerson",
    "inetOrgPerson"
  ],
  "accountUserNameAttributes": [
    "uid",
    "cn"
  ],
  "host": "localhost",
  "groupMemberAttribute": "uniqueMember",
  "accountSearchFilter": null,
  "passwordHashAlgorithm": null,
  "usePagedResultControl": false,
  "blockSize": 100,
  "uidAttribute": "entryUUID",
  "maintainLdapGroupMembership": false,
  "respectResourcePasswordPolicyChangeAfterReset": false
}
```

- accountSynchronizationFilter
  Used during synchronization actions to filter out LDAP accounts
- accountObjectClasses
  The object classes used when creating new LDAP user objects. When specifying more than one object class, add each object class as its own property. For object classes that inherit from parents other than top, such as inetOrgPerson, specify all object classes in the class hierarchy.
- accountSearchFilter
  Search filter that accounts must match
- accountUserNameAttributes
  Attributes holding the account's user name. Used during authentication to find the LDAP entry matching the user name.
- attributesToSynchronize
  List of attributes used during object synchronization. OpenIDM ignores change log updates that do not include any of the specified attributes. If empty, OpenIDM considers all changes.
- baseContexts
  Base DNs for operations on the LDAP server
- baseContextsToSynchronize
  Base DNs for entries taken into account during synchronization
- blockSize
  Block size for simple paged results and VLV index searches, reflecting the maximum number of accounts retrieved at any one time
- changeLogBlockSize
  Block size used when fetching change log entries
- changeNumberAttribute
  Change log attribute containing the last change number
- credentials
  Password used to connect to the LDAP server
- failover
  LDAP URLs specifying alternative LDAP servers to connect to if OpenIDM cannot connect to the primary LDAP server specified in the host and port properties
- filterWithOrInsteadOfAnd
  In most cases, the filter to fetch change log entries is AND-based. If this property is set, the filter ORs the required change numbers instead.
- groupMemberAttribute
  LDAP attribute holding members for non-POSIX static groups
- host
  Primary LDAP server host name
- maintainLdapGroupMembership
  If true, OpenIDM modifies group membership when entries are renamed or deleted. In the sample LDAP connector configuration file provided with OpenIDM, this property is set to false, meaning that LDAP group membership is not modified when entries are renamed or deleted in OpenIDM. To ensure that entries are removed from LDAP groups when the entries are deleted, set this property to true or enable referential integrity on the LDAP server. For OpenDJ, see Configuring Referential Integrity for more information.
- maintainPosixGroupMembership
  If true, OpenIDM modifies POSIX group membership when entries are renamed or deleted.
- modifiersNamesToFilterOut
  Used to avoid loops caused by OpenIDM's own changes
- objectClassesToSynchronize
  OpenIDM synchronizes only entries having these object classes.
- passwordAttribute
  Attribute to which OpenIDM writes the predefined PASSWORD attribute
- passwordAttributeToSynchronize
  OpenIDM synchronizes password values on this attribute.
- passwordDecryptionInitializationVector
  Initialization vector used to decrypt passwords when performing password synchronization
- passwordDecryptionKey
  Key used to decrypt passwords when performing password synchronization
- passwordHashAlgorithm
  Hash password values with the specified algorithm if the LDAP server stores them in clear text
- port
  Primary LDAP server port number
- principal
  Bind DN used to connect to the LDAP server
- readSchema
  If true, read the LDAP schema from the LDAP server.
- removeLogEntryObjectClassFromFilter
  If true, the filter to fetch change log entries does not contain the changeLogEntry object class, and OpenIDM expects no entries with other object types in the change log. Default: true
- respectResourcePasswordPolicyChangeAfterReset
  If true, bind with the Password Expired and Password Policy controls, and throw PasswordExpiredException and other exceptions appropriately.
- ssl
  If true, the specified port listens for LDAPS connections.
- synchronizePasswords
  If true, synchronize passwords.
- uidAttribute
  OpenIDM maps uid to the specified attribute.
- useBlocks
  If true, use block-based LDAP controls like simple paged results and virtual list view.
- usePagedResultControl
  If true, use simple paged results rather than virtual list view when both are available.
- vlvSortAttribute
  Attribute used as the sort key for virtual list view
If you use the LDAP connector over SSL, you must set the ssl property to true in the provisioner configuration file. You must also specify the path to a truststore in the system.properties file. A truststore is provided by default at openidm/security/truststore. Add the following lines to the system.properties file, substituting the path to your own truststore if you do not want to use the default.

```properties
# Set the truststore
javax.net.ssl.trustStore=/path/to/openidm/security/truststore
```
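As an added example (not part of the OpenIDM documentation or product), the following Python script checks a provisioner configuration against the properties described above: it flags a bind over a non-SSL port, ssl set to true without a javax.net.ssl.trustStore entry in system.properties, password synchronization enabled while the decryption key or initialization vector is null, failover servers that are not ldaps:// URLs, and maintainLdapGroupMembership left at false. The sample configuration and system.properties content are constructed for this example; the property names are the ones listed above.

```python
import json
import re

# Constructed sample provisioner settings, modelled on the excerpts above.
SAMPLE_CONFIG = json.loads("""{
  "configurationProperties": {
    "host": "localhost", "port": 1389, "ssl": false,
    "principal": "cn=Directory Manager", "credentials": "Passw0rd",
    "synchronizePasswords": true, "passwordDecryptionKey": null,
    "passwordDecryptionInitializationVector": null,
    "failover": ["ldap://ldap2.example.com:1389"],
    "maintainLdapGroupMembership": false
  }
}""")

# Constructed system.properties content that lacks the truststore line.
SAMPLE_SYSTEM_PROPERTIES = "openidm.port.http=8080\n"


def lint_ldap_connector(config, system_properties):
    """Return findings (strings) for the settings documented on this page."""
    props = config.get("configurationProperties", {})
    findings = []
    if not props.get("ssl"):
        # A simple bind over plain LDAP sends the principal's password in clear text.
        findings.append(f"ssl is false: bind to {props.get('host')}:{props.get('port')} "
                        "sends credentials and synchronized data in clear text")
    elif not re.search(r"^javax\.net\.ssl\.trustStore=", system_properties, re.M):
        findings.append("ssl is true but system.properties sets no javax.net.ssl.trustStore")
    if isinstance(props.get("credentials"), str):
        findings.append("credentials is stored as a plain string in the provisioner file")
    if props.get("synchronizePasswords"):
        # Password synchronization needs both the decryption key and the IV.
        for key in ("passwordDecryptionKey", "passwordDecryptionInitializationVector"):
            if props.get(key) is None:
                findings.append(f"synchronizePasswords is true but {key} is null")
    for url in props.get("failover") or []:
        if not url.startswith("ldaps://"):
            findings.append(f"failover server {url} is not an ldaps:// URL")
    if not props.get("maintainLdapGroupMembership"):
        findings.append("maintainLdapGroupMembership is false: deleted entries stay in "
                        "LDAP groups unless the server enforces referential integrity")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_connector(SAMPLE_CONFIG, SAMPLE_SYSTEM_PROPERTIES):
        print("WARN", finding)
```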

