List: forgerock-openidm
Subject: [OpenIDM] Some basic questions about OpenIDM
From: ladislav.folta () profiq ! cz (Ladislav Folta)
Date: 2014-02-07 14:03:54
Message-ID: 52F4E7CA.5070608 () profiq ! cz
Hello Jaime,
I looked a bit at your configuration files. If I understood correctly, you want to
synchronize user accounts from AD to OpenDJ directly.
Let me give you a bit of explanation for a few things:
* In the provisioner you define an object schema which looks like:
    "objectTypes" : {
        "user" : {                  <-- Here you define the object type (account, group, OU etc.); later you refer to this name.
            "$schema" : "http://json-schema.org/draft-03/schema",
            "id" : "__ACCOUNT__",
            "type" : "object",
            "nativeType" : "__ACCOUNT__",
            "properties" : {
                "cn" : {            <-- Here you define the name of the attribute for OpenICF (in sync.json you will refer to this name)
                    "type" : "string",
                    "nativeName" : "cn",    <-- Here you define the native name of the attribute in the end system (AD for example)
                    "nativeType" : "string",
                    "required" : true
                },
* Also in the provisioner you set the name of the connection to the
external system:
    "name" : "ldap",
* Sync.json:
    "mappings" : [
        {
            "name" : "systemAdAccounts_managedUser",    <- Here you specify the name of the mapping. You later refer to this name when you trigger the syncing.
            "source" : "system/ad/account",             <- Here you specify the source endpoint. See the explanation below.
            "target" : "managed/user",                  <- Here you specify the target endpoint. See the explanation below.
            "properties" : [
                {
                    "source" : "cn",                    <- Name of the attribute from the source. In case of an external system, you provide here the name of the attribute in OpenICF as you defined it in the provisioner file.
                    "target" : "displayName"            <- Target name of the attribute. Again, in case of an external system, you provide the ICF attribute name from the provisioner.
                },
* URL Endpoints
If you need to access the external resource (AD or DJ), the resource can
be found at the following endpoint: http(s)://host:port/openidm/system/<name
from provisioner file>/<object type from provisioner>
Example: "system/ad/account" refers to the external connection named
AD and the objectType account.
From the provisioner file, it uses this setting:
    "name" : "*AD*",
    "objectTypes" : {
        "*account*" : {
            "$schema" : "http://json-schema.org/draft-03/schema",
            "id" : "__ACCOUNT__",
            "type" : "object",
            "nativeType" : "__ACCOUNT__",
            "properties" : {...
The repository is accessible on the endpoint openidm/managed/<objectType>
(Example: openidm/managed/user for user accounts).
Therefore your mapping should look like:
{
    "mappings" : [
        {
            "name" : "systemADUser_SystemDJAccount",
            "source" : "system/ad/user",
            "target" : "system/ldap/account",
            "properties" : [
                {
                    "source" : "cn",
                    "target" : "cn"
                },
                {
                    "source" : "description",
                    "target" : "description"
                },
                {
                    "source" : "givenName",
                    "target" : "givenName"
                },
                {
                    "source" : "mail",
                    "target" : "mail"
                },
                {
                    "source" : "sn",
                    "target" : "sn"
                },
                {
                    "source" : "samaccountname",
                    "target" : "samaccountname"
                }
            ],
            "policies" : [
                ...
            ]
        }
    ]
}
THT,
Lada
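The mistake behind the "Unsupported object type: account not in supported types[user]" exception discussed in this thread is a mapping whose source or target endpoint names an object type that the provisioner file never declares. The following script is an added example, not code from the thread or from OpenIDM: it rebuilds the system/<name>/<objectType> endpoint list from provisioner configurations and checks a sync.json mapping against it before reconciliation is ever run. The provisioner and mapping contents are constructed here to illustrate the point; they are not Jaime's attached files, and managed/* targets are accepted without an attribute check because their schema lives in managed.json, which this script does not model.

```python
# Constructed sample configuration (not the files attached to the thread):
# two provisioner files and one sync.json mapping, written as Python dicts.
PROVISIONER_AD = {
    "name": "ad",
    "objectTypes": {
        "user": {
            "$schema": "http://json-schema.org/draft-03/schema",
            "id": "__ACCOUNT__",
            "type": "object",
            "nativeType": "__ACCOUNT__",
            "properties": {
                "cn": {"type": "string", "nativeName": "cn", "nativeType": "string", "required": True},
                "sn": {"type": "string", "nativeName": "sn", "nativeType": "string"},
                "samaccountname": {"type": "string", "nativeName": "sAMAccountName", "nativeType": "string"},
            },
        }
    },
}

PROVISIONER_LDAP = {
    "name": "ldap",
    "objectTypes": {
        "account": {
            "$schema": "http://json-schema.org/draft-03/schema",
            "id": "__ACCOUNT__",
            "type": "object",
            "nativeType": "__ACCOUNT__",
            "properties": {
                "cn": {"type": "string", "nativeName": "cn", "nativeType": "string", "required": True},
                "sn": {"type": "string", "nativeName": "sn", "nativeType": "string"},
                "uid": {"type": "string", "nativeName": "uid", "nativeType": "string"},
            },
        }
    },
}

PROVISIONERS = [PROVISIONER_AD, PROVISIONER_LDAP]

# Mapping with the mistake from the thread: the AD provisioner declares the
# object type "user", but the mapping's source endpoint says ".../account".
SYNC_BROKEN = {
    "name": "systemAdAccounts_systemLdapAccount",
    "source": "system/ad/account",
    "target": "system/ldap/account",
    "properties": [{"source": "cn", "target": "cn"}, {"source": "samaccountname", "target": "uid"}],
}

# Same mapping with the source endpoint corrected to the declared object type.
SYNC_FIXED = dict(SYNC_BROKEN, source="system/ad/user")


def system_endpoints(provisioners):
    """Map each 'system/<name>/<objectType>' endpoint to the OpenICF attribute names it exposes."""
    endpoints = {}
    for prov in provisioners:
        for obj_type, schema in prov["objectTypes"].items():
            endpoints["system/%s/%s" % (prov["name"], obj_type)] = set(schema.get("properties", {}))
    return endpoints


def check_endpoint(endpoint, provisioners):
    """Return a list of problems with one endpoint path; an empty list means it resolves."""
    parts = endpoint.split("/")
    if parts[0] == "managed":
        return []  # repository object; its schema is in managed.json, not checked here
    if parts[0] != "system" or len(parts) != 3:
        return ["Unrecognised endpoint: %s" % endpoint]
    _, name, obj_type = parts
    by_name = {p["name"]: p for p in provisioners}
    if name not in by_name:
        return ["No provisioner named %r for endpoint %s" % (name, endpoint)]
    supported = list(by_name[name]["objectTypes"])
    if obj_type not in supported:
        # Same wording as the OpenIDM exception quoted in the thread
        return ["Unsupported object type: %s not in supported types[%s]" % (obj_type, ", ".join(supported))]
    return []


def check_mapping(mapping, provisioners):
    """Validate both endpoints of a mapping, then every property name against the provisioner schema."""
    problems = check_endpoint(mapping["source"], provisioners) + check_endpoint(mapping["target"], provisioners)
    if problems:
        return problems
    endpoints = system_endpoints(provisioners)
    for side in ("source", "target"):
        attrs = endpoints.get(mapping[side])
        if attrs is None:
            continue  # managed/* side: no provisioner schema to check against
        for prop in mapping.get("properties", []):
            if side in prop and prop[side] not in attrs:
                problems.append("%s attribute %r is not defined in the provisioner for %s"
                                % (side, prop[side], mapping[side]))
    return problems


if __name__ == "__main__":
    for label, mapping in (("broken", SYNC_BROKEN), ("fixed", SYNC_FIXED)):
        print(label, check_mapping(mapping, PROVISIONERS) or "OK")
```

Run against the broken mapping the check reports exactly the object-type mismatch that reconciliation would otherwise surface as a stack trace; against the corrected mapping it is silent. The attribute check is the same idea one level down: a property name in sync.json must be an OpenICF attribute name declared in the provisioner, not the native AD or DJ attribute name.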
On 02/03/2014 05:39 PM, Jaime Cardoso wrote:
> Hello again all and, before anything else, sorry about all this noob
> questions.
>
> Last week I was trying to set up my first Demo of OpenIDM. Well,
> thanks to sed, awk and ed, I exported an LDIF from AD, changed it to
> suit my needs and loaded it up in an OpenDJ so, I gained about an
> extra week to try and set up OpenIDM without delaying everything else.
> Unfortunately, I'm now totally lost.
>
> I'm trying to read from AD using LDAP protocol and write in OpenDJ
> (well, this example was supposed to write in OpenIDM but, I was seeing
> this as another step in trying to understand the examples). I have the
> most out of the box deployment, with that unsupported DB and, the only
> config key I changed was to uncomment openidm.config.repo.enabled=false
>
> I attached here my provisioning files and my sync.json files
> The sync file doesn't really do much but, it's still giving me an
> error (those wonderful java exceptions) that I have no idea what
> this is about
>
> INFO: Reconciliation reported exception
> org.forgerock.openidm.sync.SynchronizationException: org.forgerock.openidm.objset.BadRequestException: Unsupported object type: account not in supported types[user]
>     at org.forgerock.openidm.sync.impl.ObjectMapping.queryAllIds(ObjectMapping.java:407)
>     at org.forgerock.openidm.sync.impl.ObjectMapping.queryAllIds(ObjectMapping.java:375)
>     at org.forgerock.openidm.sync.impl.ObjectMapping.doRecon(ObjectMapping.java:749)
>     at org.forgerock.openidm.sync.impl.ObjectMapping.recon(ObjectMapping.java:726)
>     at org.forgerock.openidm.sync.impl.ReconciliationService.reconcile(ReconciliationService.java:314)
>     at org.forgerock.openidm.sync.impl.ReconciliationService.access$000(ReconciliationService.java:86)
>     at org.forgerock.openidm.sync.impl.ReconciliationService$1.run(ReconciliationService.java:267)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: org.forgerock.openidm.objset.BadRequestException: Unsupported object type: account not in supported types[user]
>     at org.forgerock.openidm.objset.JsonResourceObjectSet.convertException(JsonResourceObjectSet.java:79)
>     at org.forgerock.openidm.objset.JsonResourceObjectSet.query(JsonResourceObjectSet.java:172)
>     at org.forgerock.openidm.sync.impl.ObjectMapping.queryAllIds(ObjectMapping.java:395)
>     ... 9 more
> Caused by: org.forgerock.json.resource.JsonResourceException: Unsupported object type: account not in supported types[user]
>     at org.forgerock.openidm.provisioner.openicf.impl.OperationHelperBuilder.build(OperationHelperBuilder.java:69)
>     at org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService.query(OpenICFProvisionerService.java:545)
>     at org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService.handle(OpenICFProvisionerService.java:335)
>     at org.forgerock.openidm.provisioner.impl.SystemObjectSetService.handle(SystemObjectSetService.java:139)
>     at org.forgerock.json.resource.JsonResourceRouter.handle(JsonResourceRouter.java:79)
>     at org.forgerock.json.resource.JsonResourceFilterChain$1.handle(JsonResourceFilterChain.java:59)
>     at org.forgerock.openidm.router.JsonResourceRouterService$Filter.filter(JsonResourceRouterService.java:571)
>     at org.forgerock.json.resource.JsonResourceFilterChain$1.handle(JsonResourceFilterChain.java:59)
>     at org.forgerock.openidm.router.JsonResourceRouterService$Filter.filter(JsonResourceRouterService.java:571)
>     at org.forgerock.json.resource.JsonResourceFilterChain$1.handle(JsonResourceFilterChain.java:59)
>     at org.forgerock.json.resource.JsonResourceFilterChain.handle(JsonResourceFilterChain.java:53)
>     at org.forgerock.openidm.router.JsonResourceRouterService.handle(JsonResourceRouterService.java:321)
>     at org.forgerock.json.resource.JsonResourceAccessor.query(JsonResourceAccessor.java:161)
>     at org.forgerock.openidm.objset.JsonResourceObjectSet.query(JsonResourceObjectSet.java:167)
>     ... 10 more
>
> --
> JaimeC
>
>
> On 29-01-2014 22:15, Matthias Tristl wrote:
> > Hi Jaime,
> >
> > By looking at samples 2 to 2d you have started in the right place.
> > If you only want to read from AD, then the LDAP connector is also
> > easy to use for this, no need to use ADSI and the .NET connector
> > server. You connect to AD just in the same way as to OpenDJ.
> >
> > You can also sync from AD to LDAP directly, without creating users in
> > the repository first, if that simplifies your installation.
> > The AD change log is also available to the latest versions of the
> > LDAP connector. So LiveSync would work too.
> >
> > If you fully understand samples 2 to 2d you should be able to set up
> > your use case.
> >
> > And we do have a partner program that might suit your needs about
> > reseller contracts.
> >
> > Good luck with the Demo,
> >
> > Matthias
> >
> >
> >
> >
> > Matthias Tristl : ForgeRock INC
> > e: matthias.tristl at forgerock.com <mailto:matthias.tristl at forgerock.com>
> > t: +47 47707662
> > w: forgerock.com <http://forgerock.com>
> >
> >
> > On Wed, Jan 29, 2014 at 10:30 PM, Jaime Cardoso <jaimec at jaimec.pt
> > <mailto:jaimec at jaimec.pt>> wrote:
> >
> > Hello Folks
> >
> > Since I have a Demo to put up for early next week, I'm (only) now
> > looking at what kind of issues openIDM can solve for my needs.
> >
> > I confess I'm a bit overwhelmed with the OpenIDM's documentation
> > (well, combined with the lack of time) so, I was hoping someone
> > could help me out with some very basic questions:
> >
> > What I want to do is pretty simple, to read from 2 independent
> > Active Directories a couple of things and load them up in an
> > OpenDJ with a few changes:
> >
> > - Users in AD are spread in multiple places on different levels,
> > I want to put them all in OpenDJ inside ou=people, just one level.
> >
> > - I want to create each user in OpenDJ following some simple
> > rules like:
> > cn --> comes from AD unchanged (there will be others like that,
> > I'm just pointing one as an example)
> > uid --> comes from AD's samaccountname
> > samaccountname --> comes from AD unchanged (OpenDJ's schema is
> > already changed to support this attribute)
> > MemberOf --> comes from AD in a format like cn=groupA,
> > ou=groups1, ou=groups2, dc=AD tree, AD=local --> change
> > everything after the comma into ou=potatoes
> > add to each user some attributes with a fixed value (basically,
> > the OpenDJ's security policy, my custom objectclass, things like
> > that).
> > The uniqueness of attributes like samaccountname between both
> > AD's will be assured externally, I can take that for granted.
> >
> > Now, for the actual questions:
> > - Is OpenIDM a good choice of a product to solve these needs? It
> > seems a bit overkill compared with the old AD sync services in
> > Netscape / iPlanet but, I don't know of anything in that level of
> > simplicity anymore.
> > - I'm going to "import" the data from AD into the OpenIDM
> > internal DB and then I'll provision the LDAP server, is that
> > correct? Is this the way the product works?
> > - I really really would like NOT to use the AD connector and to
> > be able to do everything using LDAP. Is that possible? (Passwords
> > will NOT be synced and writes in the AD are forbidden to me).
> >
> > Finally, is there anything in the samples that I could use? I was
> > thinking on sample2 (LDAP one way) but, I will only have an
> > ordinary user in AD to connect, I doubt I can access the AD's
> > changelog.
> >
> > Last, and thinking that some people from Forgerock may read this,
> > you should have a subscription model for resellers to buy
> > support for installations and Demos that can be acquired even if
> > the end customer doesn't pay your support, well, just an idea :)
> >
> > Thanks for your time
> >
> > --
> > JaimeC
> > _______________________________________________
> > OpenIDM mailing list
> > OpenIDM at forgerock.org <mailto:OpenIDM at forgerock.org>
> > https://lists.forgerock.org/mailman/listinfo/openidm
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.forgerock.org/pipermail/openidm/attachments/20140207/5d543632/attachment-0001.html>