List:       forgerock-openidm
Subject:    Re: [OpenIDM] adding group member ship to Active Directory user
From:       Matthias Tristl <matthias.tristl () forgerock ! com>
Date:       2015-09-23 12:16:24
Message-ID: CAKrWytH6Y0dG3HDANW4MSb-LiYNJEqYj8v7ne_WXVJRdEiUVOA () mail ! gmail ! com

I have checked a bit and did not find much more than what is there in the
sample description.

What extra attributes there are depends on the connector.

Common ones, i.e. for all connectors are:
__NAME__ (takes the naming attribute on the external resource, i.e. DN in
case of LDAP/AD)
__UID__ gets the immutable id back from the external object. It is
configured through the uidAttribute property what is used here in the
LDAP-connector. On OpenDJ you should use the entryUUID, on AD the GUID.

Matthias



Matthias Tristl : ForgeRock INC
e: matthias.tristl@forgerock.com
t: +47 47707662
w: forgerock.com

On Wed, Sep 23, 2015 at 2:07 PM, Vincent Koldenhof <
vincent.koldenhof@everett.nl> wrote:

> Hi Matthias,
> 
> I see where I was making a mistake. I used the sample provisioner file
> *provisioner.openicf-adldap.json* from the samples/provisioners folder to
> setup my Active Directory connection. This provisioner file does not by
> default contain the ldapGroups attribute. So when I tried to use it before
> it was failing and I concluded that this was not working for Active
> Directory but probably was needed for other LDAP directory servers.
> 
> Looking at the Managing Users, Groups and Roles (chap.8
> https://backstage.forgerock.com/#!/docs/openidm/3.1.0/integrators-guide/chap-users-groups-roles)
>  made it worse for me to see my mistake. The sample role definition for Two
> Remote Systems mentions LDAP and AD so I went for the AD configuration
> using the adSystems. That did not work either.
> 
> Anyway, thank you for helping to clarify. Just a last thought though, is
> there any documentation on this special attribute and are there more
> special attributes?
> 
> kind regards,
> Vincent
> 
> Op 23/09/15 om 12:25 schreef openidm-request@forgerock.org:
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 23 Sep 2015 12:25:23 +0200
> From: Matthias Tristl <matthias.tristl@forgerock.com>
> To: "openidm@forgerock.org" <openidm@forgerock.org>
> Subject: Re: [OpenIDM] adding group member ship to Active Directory
> 	user
> Message-ID: <CAKrWytHNsBmxRy47vKin6f6gR_XvSkR3-HGpO8egfV07GaU2pw@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Just to give some background if you are interested: the isMemberOf (or
> similar) attribute in most LDAP servers is a virtual attribute, i.e. it is
> calculated on request time and therefore read only.
> 
> Adding users to groups needs manipulating the group object, not the user
> object.
> 
> Fortunately the LDAP connector can do it for you, when using the special
> attribute "ldapGroups". The value of the attribute is not set in the user's
> object, as it might look like, but interpreted by the connector (if the
> nativeType of the object is __ACCOUNT__).
> 
> Please see sample 2c that comes with openidm:
> https://backstage.forgerock.com/#!/docs/openidm/3.1.0/install-guide/chap-samples#more-sample2c
>  
> Cheers,
> 
> Matthias
> 
> 
> 
> Matthias Tristl : ForgeRock INC
> e: matthias.tristl@forgerock.com
> t: +47 47707662
> w: forgerock.com
> 
> On Wed, Sep 23, 2015 at 11:47 AM, Pavel Horal <pavel.horal@orchitech.cz> wrote:
> 
> 
> Hi Vincent,
> 
> use *ldapGroups* attribute to set group membership in LDAP. This
> attribute should hold JSON array of group DNs.
> 
> Regards,
> Pavel
> 
> ------------------------------
> *From: *"Vincent Koldenhof" <vincent.koldenhof@everett.nl>
> *To: *openidm@forgerock.org
> *Sent: *Wednesday, September 23, 2015 11:34:22 AM
> *Subject: *[OpenIDM] adding group member ship to Active Directory user
> 
> 
> Hi everyone,
> 
> I need some help and guidance towards a working solution. What I want to
> achieve is adding a group membership to a user in Active Directory. I have
> already setup OpenIDM 3.1.0 to work against a Windows 2012 Active Directory
> using the Generic LDAP connector. I can create new users, enable them and
> set a random password. The source of the users is a SQL Server 2012
> database with a view providing the information to create a user.
> So my next step is to add a group membership to this user.
> 
> I have the following user:
> CN=vcorleon,OU=Actief,OU=Accounts,DC=ad,DC=example,DC=com
> 
> I want to make this user member of this group:
> CN=TestGroup,OU=Roles,OU=Accounts,DC=ad,DC=example,DC=com
> 
> 
> However, I do not seem to be able to achieve this. Adding a value to the
> *memberOf* attribute of the user does not seem to work. There is no error
> message (or I am unable to find it) and the entry is not added. I did
> investigate and apparently this approach is not correct for Active
> Directory.
> 
> So I tried a different approach, namely adding the *dn* of the user to
> the group's *member* attribute. However, this also does not seem to work
> and does not provide any error message. I have set the debugging to finest.
> 
> Here is my setup, any help, suggestions would be nice. However, I do not
> want to use the powershell connector or a remote connector. I want to be
> able to use the generic LDAP connector.
> 
> 
> in my Sync.json you can see I add the user dn directly to the member
> attribute in the testrole object and expect this to be exported to the
> Active Directory. But this is not happening and I do not see any error
> message.
> 
> ---------------- Sync.json -------------------
> 
> vincent@openidm:~/openidm/vincent/conf$ clear
> vincent@openidm:~/openidm/vincent/conf$ cat sync.json
> {
> "mappings" : [
> {
> "target" : "managed/user",
> "correlationQuery" : {
> "type" : "text/javascript",
> "expressionTree" : {
> "any" : [
> "uid"
> ]
> },
> "mapping" :
> "sourcePersonenmetwerkrelatiesPersoon_managedUser",
> "file" : "ui/correlateTreeToQueryFilter.js"
> },
> "properties" : [
> {
> "target" : "firstname",
> "source" : "Roepnaam"
> },
> {
> "target" : "lastname",
> "source" : "Achternaam"
> },
> {
> "target" : "userName",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" : "(source.Roepnaam.substring(0,1) + source.Achternaam.substring(0,7)).toLowerCase();"
> }
> },
> {
> "target" : "mail",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" : "(source.Roepnaam+'.'+source.Achternaam+'@example.com').toLowerCase();"
> }
> },
> {
> "target" : "givenName",
> "source" : "Voornamen"
> },
> {
> "target" : "sn",
> "source" : "Achternaam"
> },
> {
> "target" : "id",
> "source" : "ID"
> },
> {
> "target" : "bronid",
> "source" : "BronID"
> },
> {
> "target" : "uid",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" : "(source.Roepnaam.substring(0,1) + source.Achternaam.substring(0,7)).toLowerCase();"
> }
> },
> {
> "target" : "description",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" : "'Created by OpenIDM on '+ new Date();"
> }
> },
> {
> "target" : "telephoneNumber",
> "source" : "Telefoonnummer"
> },
> {
> "target" : "password",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" : "var caps=\"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\nvar nums=\"1234567890\";\nvar par1=Math.random().toString(36).slice(-6);\nvar par2=caps.substr(Math.round(Math.random()*(caps.length-1)),1);\nvar par3=nums.substr(Math.round(Math.random()*(nums.length-1)),1);\npar1+par2+par3;\n"
> }
> },
> {
> "target" : "actief",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" : "var today = new Date();\n\nif (new Date(source.StartDatum) < today && new Date(source.EindDatum) > today ){\n 'Actief';\n}else{\n  'Inactief';\n}"
> }
> },
> {
> "target" : "eindDatum",
> "source" : "EindDatum"
> },
> {
> "target" : "startDatum",
> "source" : "StartDatum"
> }
> ],
> "source" : "system/personenmetwerkrelaties/persoon",
> "policies" : [
> {
> "action" : "CREATE",
> "situation" : "ABSENT"
> },
> {
> "action" : "IGNORE",
> "situation" : "ALL_GONE"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "AMBIGUOUS"
> },
> {
> "action" : "UPDATE",
> "situation" : "CONFIRMED"
> },
> {
> "action" : "UPDATE",
> "situation" : "FOUND"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "FOUND_ALREADY_LINKED"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "LINK_ONLY"
> },
> {
> "action" : "DELETE",
> "situation" : "MISSING"
> },
> {
> "action" : "IGNORE",
> "situation" : "SOURCE_IGNORED"
> },
> {
> "action" : "DELETE",
> "situation" : "SOURCE_MISSING"
> },
> {
> "action" : "IGNORE",
> "situation" : "TARGET_IGNORED"
> },
> {
> "action" : "DELETE",
> "situation" : "UNASSIGNED"
> },
> {
> "action" : "DELETE",
> "situation" : "UNQUALIFIED"
> }
> ],
> "name" : "sourcePersonenmetwerkrelatiesPersoon_managedUser"
> },
> {
> "target" : "system/ad/account",
> "assignmentsToMap" : [
> "ad"
> ],
> "correlationQuery" : {
> "type" : "text/javascript",
> "expressionTree" : {
> "any" : [
> "mail"
> ]
> },
> "mapping" : "managedUser_sourceAdAccount",
> "file" : "ui/correlateTreeToQueryFilter.js"
> },
> "properties" : [
> {
> "target" : "sn",
> "source" : "lastname"
> },
> {
> "target" : "givenName",
> "source" : "firstname"
> },
> {
> "target" : "mail",
> "source" : "mail"
> },
> {
> "target" : "sAMAccountName",
> "source" : "userName"
> },
> {
> "target" : "dn",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" :
> "\"CN=\"+source.userName+\",OU=Actief,OU=Accounts,DC=ad,DC=example,DC=com\";"
> }
> },
> {
> "target" : "telephoneNumber",
> "source" : "telephoneNumber"
> },
> {
> "target" : "description",
> "source" : "description"
> },
> {
> "target" : "userAccountControl",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" : "512"
> }
> },
> {
> "target" : "userPassword",
> "source" : "password"
> },
> {
> "target" : "cn",
> "source" : "userName"
> },
> {
> "target" : "memberOf",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" :
> "'CN=Employees,OU=Roles,OU=Accounts,DC=ad,DC=example,DC=com'"
> }
> },
> {
> "target" : "company",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" : "'bla'"
> }
> }
> ],
> "source" : "managed/user",
> "policies" : [
> {
> "action" : "CREATE",
> "situation" : "ABSENT"
> },
> {
> "action" : "IGNORE",
> "situation" : "ALL_GONE"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "AMBIGUOUS"
> },
> {
> "action" : "UPDATE",
> "situation" : "CONFIRMED"
> },
> {
> "action" : "UPDATE",
> "situation" : "FOUND"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "FOUND_ALREADY_LINKED"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "LINK_ONLY"
> },
> {
> "action" : "UNLINK",
> "situation" : "MISSING"
> },
> {
> "action" : "IGNORE",
> "situation" : "SOURCE_IGNORED"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "SOURCE_MISSING"
> },
> {
> "action" : "IGNORE",
> "situation" : "TARGET_IGNORED"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "UNASSIGNED"
> },
> {
> "action" : "DELETE",
> "situation" : "UNQUALIFIED"
> }
> ],
> "name" : "managedUser_sourceAdAccount"
> },
> {
> "target" : "system/ad/group",
> "correlationQuery" : {
> "type" : "text/javascript",
> "expressionTree" : {
> "any" : [
> "dn"
> ]
> },
> "mapping" : "managedTestrole_sourceAdGroup",
> "file" : "ui/correlateTreeToQueryFilter.js"
> },
> "properties" : [
> {
> "target" : "samAccountName",
> "source" : "samAccountName"
> },
> {
> "target" : "dn",
> "source" : "dn"
> },
> {
> "target" : "description",
> "source" : "description"
> },
> {
> "target" : "member",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" :
> "'CN=vcorleon,OU=Actief,OU=Accounts,DC=ad,DC=example,DC=com'"
> }
> }
> ],
> "source" : "managed/testrole",
> "policies" : [
> {
> "action" : "CREATE",
> "situation" : "ABSENT"
> },
> {
> "action" : "IGNORE",
> "situation" : "ALL_GONE"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "AMBIGUOUS"
> },
> {
> "action" : "UPDATE",
> "situation" : "CONFIRMED"
> },
> {
> "action" : "UPDATE",
> "situation" : "FOUND"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "FOUND_ALREADY_LINKED"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "LINK_ONLY"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "MISSING"
> },
> {
> "action" : "IGNORE",
> "situation" : "SOURCE_IGNORED"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "SOURCE_MISSING"
> },
> {
> "action" : "IGNORE",
> "situation" : "TARGET_IGNORED"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "UNASSIGNED"
> },
> {
> "action" : "DELETE",
> "situation" : "UNQUALIFIED"
> }
> ],
> "name" : "managedTestrole_sourceAdGroup"
> },
> {
> "target" : "managed/testrole",
> "correlationQuery" : {
> "type" : "text/javascript",
> "expressionTree" : {
> "any" : [
> "dn"
> ]
> },
> "mapping" : "sourceAdGroup_managedTestrole",
> "file" : "ui/correlateTreeToQueryFilter.js"
> },
> "properties" : [
> {
> "target" : "dn",
> "source" : "dn"
> },
> {
> "target" : "description",
> "source" : "",
> "transform" : {
> "type" : "text/javascript",
> "source" : "'doei'"
> }
> },
> {
> "target" : "samAccountName",
> "source" : "samAccountName"
> }
> ],
> "source" : "system/ad/group",
> "policies" : [
> {
> "action" : "CREATE",
> "situation" : "ABSENT"
> },
> {
> "action" : "IGNORE",
> "situation" : "ALL_GONE"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "AMBIGUOUS"
> },
> {
> "action" : "UPDATE",
> "situation" : "CONFIRMED"
> },
> {
> "action" : "UPDATE",
> "situation" : "FOUND"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "FOUND_ALREADY_LINKED"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "LINK_ONLY"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "MISSING"
> },
> {
> "action" : "IGNORE",
> "situation" : "SOURCE_IGNORED"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "SOURCE_MISSING"
> },
> {
> "action" : "IGNORE",
> "situation" : "TARGET_IGNORED"
> },
> {
> "action" : "EXCEPTION",
> "situation" : "UNASSIGNED"
> },
> {
> "action" : "DELETE",
> "situation" : "UNQUALIFIED"
> }
> ],
> "name" : "sourceAdGroup_managedTestrole"
> }
> ]
> }
> 
> 
> 
> --------------- Provisioner.openicf-ldap.json ---------------
> vincent@openidm:~/openidm/vincent/conf$ cat provisioner.openicf-ldap.json
> {
> "name" : "ldap",
> "connectorRef" : {
> "bundleName" : "org.forgerock.openicf.connectors.ldap-connector",
> "bundleVersion" : "[1.4.0.0,2.0.0.0)",
> "connectorName" : "org.identityconnectors.ldap.LdapConnector"
> },
> "configurationProperties" : {
> "host" : "192.168.249.164",
> "port" : 636,
> "ssl" : true,
> "principal" : "cn=admin,cn=Users,DC=ad,DC=example,DC=com",
> "credentials" : {
> "$crypto" : {
> "value" : {
> "iv" : "I4zpnzi9gWGuengIrk2fIw==",
> "data" : "TSeKycZEDZCifOwzscRrlA==",
> "cipher" : "AES/CBC/PKCS5Padding",
> "key" : "openidm-sym-default"
> },
> "type" : "x-simple-encryption"
> }
> },
> "baseContexts" : [
> "ou=accounts,dc=ad,dc=example,dc=com"
> ],
> "baseContextsToSynchronize" : [
> "ou=accounts,dc=ad,dc=example,dc=com"
> ],
> "accountSearchFilter" : null,
> "accountSynchronizationFilter" : null,
> "groupSearchFilter" : null,
> "groupSynchronizationFilter" : null,
> "passwordAttributeToSynchronize" : null,
> "synchronizePasswords" : false,
> "removeLogEntryObjectClassFromFilter" : true,
> "modifiersNamesToFilterOut" : [ ],
> "passwordDecryptionKey" : null,
> "changeLogBlockSize" : 100,
> "attributesToSynchronize" : [ ],
> "changeNumberAttribute" : "changeNumber",
> "passwordDecryptionInitializationVector" : null,
> "filterWithOrInsteadOfAnd" : false,
> "objectClassesToSynchronize" : [
> "user"
> ],
> "vlvSortAttribute" : "uid",
> "passwordAttribute" : "unicodePwd",
> "useBlocks" : false,
> "maintainPosixGroupMembership" : false,
> "failover" : [ ],
> "readSchema" : true,
> "accountObjectClasses" : [
> "top",
> "person",
> "organizationalPerson",
> "user"
> ],
> "accountUserNameAttributes" : [
> "sAMAccountName"
> ],
> "groupMemberAttribute" : "uniqueMember",
> "passwordHashAlgorithm" : "WIN-AD",
> "usePagedResultControl" : false,
> "blockSize" : 100,
> "uidAttribute" : "dn",
> "maintainLdapGroupMembership" : false,
> "respectResourcePasswordPolicyChangeAfterReset" : false
> },
> "resultsHandlerConfig" : {
> "enableNormalizingResultsHandler" : true,
> "enableFilteredResultsHandler" : false,
> "enableCaseInsensitiveFilter" : false,
> "enableAttributesToGetSearchResultsHandler" : true
> },
> "poolConfigOption" : {
> "maxObjects" : 10,
> "maxIdle" : 10,
> "maxWait" : 150000,
> "minEvictableIdleTimeMillis" : 120000,
> "minIdle" : 1
> },
> "operationTimeout" : {
> "CREATE" : -1,
> "VALIDATE" : -1,
> "TEST" : -1,
> "SCRIPT_ON_CONNECTOR" : -1,
> "SCHEMA" : -1,
> "DELETE" : -1,
> "UPDATE" : -1,
> "SYNC" : -1,
> "AUTHENTICATE" : -1,
> "GET" : -1,
> "SCRIPT_ON_RESOURCE" : -1,
> "SEARCH" : -1
> },
> "syncFailureHandler" : {
> "maxRetries" : 5,
> "postRetryAction" : "logged-ignore"
> },
> "objectTypes" : {
> "account" : {
> "$schema" : "http://json-schema.org/draft-03/schema",
> "id" : "__ACCOUNT__",
> "type" : "object",
> "nativeType" : "__ACCOUNT__",
> "properties" : {
> "cn" : {
> "type" : "string",
> "nativeName" : "cn",
> "nativeType" : "string"
> },
> "description" : {
> "type" : "string",
> "nativeName" : "description",
> "nativeType" : "string"
> },
> "givenName" : {
> "type" : "string",
> "nativeName" : "givenName",
> "nativeType" : "string"
> },
> "mail" : {
> "type" : "string",
> "nativeName" : "mail",
> "nativeType" : "string"
> },
> "telephoneNumber" : {
> "type" : "string",
> "nativeName" : "telephoneNumber",
> "nativeType" : "string"
> },
> "sn" : {
> "type" : "string",
> "nativeName" : "sn",
> "nativeType" : "string"
> },
> "uid" : {
> "type" : "string",
> "nativeName" : "uid",
> "nativeType" : "string"
> },
> "sAMAccountName" : {
> "type" : "string",
> "nativeName" : "sAMAccountName",
> "nativeType" : "string"
> },
> "dn" : {
> "type" : "string",
> "nativeName" : "__NAME__",
> "nativeType" : "string",
> "required" : true
> },
> "userAccountControl" : {
> "type" : "string",
> "nativeName" : "userAccountControl",
> "required" : true,
> "nativeType" : "string"
> },
> "userPassword" : {
> "type" : "string",
> "nativeName" : "__PASSWORD__",
> "nativeType" : "JAVA_TYPE_GUARDEDSTRING",
> "flags" : [
> "NOT_READABLE",
> "NOT_RETURNED_BY_DEFAULT"
> ]
> },
> "ldapGroups" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "ldapGroups",
> "nativeType" : "string"
> }
> }
> },
> "group" : {
> "$schema" : "http://json-schema.org/draft-03/schema",
> "id" : "__GROUP__",
> "type" : "object",
> "nativeType" : "__GROUP__",
> "properties" : {
> "seeAlso" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "seeAlso",
> "nativeType" : "string"
> },
> "description" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "description",
> "nativeType" : "string"
> },
> "uniqueMember" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "uniqueMember",
> "nativeType" : "string"
> },
> "dn" : {
> "type" : "string",
> "required" : true,
> "nativeName" : "__NAME__",
> "nativeType" : "string"
> },
> "o" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "o",
> "nativeType" : "string"
> },
> "ou" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "ou",
> "nativeType" : "string"
> },
> "businessCategory" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "businessCategory",
> "nativeType" : "string"
> },
> "owner" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "owner",
> "nativeType" : "string"
> },
> "cn" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "required" : true,
> "nativeName" : "cn",
> "nativeType" : "string"
> }
> }
> }
> },
> "operationOptions" : {
> "DELETE" : {
> "denied" : false,
> "onDeny" : "DO_NOTHING"
> },
> "UPDATE" : {
> "denied" : false,
> "onDeny" : "DO_NOTHING"
> },
> "CREATE" : {
> "denied" : false,
> "onDeny" : "DO_NOTHING"
> }
> },
> "_id" : "provisioner.openicf/ldap"
> }
> vincent@openidm:~/openidm/vincent/conf$
> 
> 
> 
> 
> --
> Vincent Koldenhof
> everett
> MAKING IDENTITY *MATTER*
> 
> Wiersedreef 5-7, 3433 ZX Nieuwegein, the Netherlands
> P.O. Box 1487, 3430 BL Nieuwegein, the Netherlands
> 
> Tel:          +31 6 462 33 666
> Office:      +31 30 659 22 55
> Email:      vincent.koldenhof@everett.nl
> Website:   http://www.everett.nl
> Skype:     vincent.koldenhof.everett
> 
> 
> 
> 
> _______________________________________________
> OpenIDM mailing list
> OpenIDM@forgerock.org
> https://lists.forgerock.org/mailman/listinfo/openidm
> End of OpenIDM Digest, Vol 64, Issue 22
> ***************************************


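A pre-deployment check for the failure discussed in this thread, as an added example (not code from the thread or from OpenIDM): it lints mapping targets against the connector's object types, flagging writes to virtual membership attributes, targets the provisioner does not declare, and a mutable `uidAttribute`. The function `lintMappings`, the rule names and the trimmed sample configuration (with the provisioner named `ad` and a hypothetical corrected mapping) are constructed for illustration.

```javascript
// Added example, not OpenIDM code. Rule names and sample data are constructed.

// Attributes the directory computes at read time; writing them on a user has no effect.
const VIRTUAL_MEMBERSHIP = new Set(["memberof", "ismemberof"]);
// Identifiers that change when an entry is renamed or moved.
const MUTABLE_UID = new Set(["dn", "cn", "uid", "samaccountname"]);
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function lintMappings(sync, provisioner) {
  const findings = [];
  const add = (rule, where, attr, detail) => findings.push({ rule, where, attr, detail });

  const uidAttr = String(provisioner.configurationProperties.uidAttribute || "");
  if (MUTABLE_UID.has(uidAttr.toLowerCase())) {
    add("mutable-uid", "provisioner", uidAttr,
        "__UID__ should be an immutable id (entryUUID on OpenDJ, the GUID on AD)");
  }

  for (const m of sync.mappings) {
    const [kind, systemName, typeName] = m.target.split("/"); // e.g. system/ad/account
    if (kind !== "system") continue;                          // managed/* targets are not linted
    if (systemName !== provisioner.name) {
      add("unknown-system", m.name, systemName, "no provisioner with this name was supplied");
      continue;
    }
    if (!has(provisioner.objectTypes, typeName)) {
      add("unknown-object-type", m.name, typeName, "object type not defined in provisioner");
      continue;
    }
    const objectType = provisioner.objectTypes[typeName];
    for (const p of m.properties) {
      const isAccount = objectType.nativeType === "__ACCOUNT__";
      if (isAccount && VIRTUAL_MEMBERSHIP.has(p.target.toLowerCase())) {
        add("virtual-membership-attr", m.name, p.target,
            "read-only on the user entry; map to ldapGroups (array of group DNs) instead");
      } else if (!has(objectType.properties, p.target)) {
        add("undeclared-target", m.name, p.target,
            "target is not declared in objectTypes." + typeName + ".properties");
      } else if (objectType.properties[p.target].nativeName === "ldapGroups" &&
                 objectType.properties[p.target].type !== "array") {
        add("ldapgroups-not-array", m.name, p.target, "ldapGroups must hold an array of DNs");
      }
    }
  }
  return findings;
}

// Constructed sample, trimmed from the configuration posted in the thread.
// Assumption: the provisioner is named "ad" so that it matches the system/ad/* targets.
const SAMPLE_PROVISIONER = {
  name: "ad",
  configurationProperties: { uidAttribute: "dn" },
  objectTypes: {
    account: { nativeType: "__ACCOUNT__", properties: {
      dn: { type: "string", nativeName: "__NAME__" },
      cn: { type: "string", nativeName: "cn" },
      ldapGroups: { type: "array", nativeName: "ldapGroups" }
    } },
    group: { nativeType: "__GROUP__", properties: {
      dn: { type: "string", nativeName: "__NAME__" },
      uniqueMember: { type: "array", nativeName: "uniqueMember" }
    } }
  }
};

const GROUP_DN = "CN=TestGroup,OU=Roles,OU=Accounts,DC=ad,DC=example,DC=com";
const SAMPLE_SYNC = { mappings: [
  { name: "managedUser_sourceAdAccount", target: "system/ad/account", properties: [
    { target: "dn" }, { target: "memberOf" }, { target: "company" } ] },
  { name: "managedTestrole_sourceAdGroup", target: "system/ad/group", properties: [
    { target: "dn" }, { target: "member" } ] },
  // Hypothetical corrected mapping: membership expressed through ldapGroups.
  { name: "fixedAccountMapping", target: "system/ad/account", properties: [
    { target: "dn" },
    { target: "ldapGroups", source: "",
      transform: { type: "text/javascript", source: "['" + GROUP_DN + "']" } } ] }
] };

for (const f of lintMappings(SAMPLE_SYNC, SAMPLE_PROVISIONER)) {
  console.log(`${f.rule}\t${f.where}\t${f.attr}\t${f.detail}`);
}
```
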
[Attachment #5 (text/html)]

<div dir="ltr">I have checked a bit and did not find much more that what is there in \
the sample description.<div><br></div><div>What extra attributes there are depends on \
the connector.  </div><div><br></div><div>Common ones, i.e. for all connectors \
are:</div><div>__NAME__ (takes the naming attribute on the external resource, i.e. DN \
in case of LDAP/AD)</div><div>__UID__ gets the immutable id back from the external \
object. It is configured through the uidAttribute property what is used here in the \
LDAP-connector. On OpenDJ you should use the entryUUID, on AD the \
GUID.</div><div><br></div><div>Matthias</div></div><div class="gmail_extra"><br \
clear="all"><div><div class="gmail_signature"><div \
dir="ltr"><div><br></div><div><br></div><div>Matthias Tristl : ForgeRock INC<br>e: <a \
href="mailto:matthias.tristl@forgerock.com" \
target="_blank">matthias.tristl@forgerock.com</a><br>t: +47 47707662<br>w: <a \
href="http://forgerock.com" target="_blank">forgerock.com</a></div></div></div></div> \
<br><div class="gmail_quote">On Wed, Sep 23, 2015 at 2:07 PM, Vincent Koldenhof <span \
dir="ltr">&lt;<a href="mailto:vincent.koldenhof@everett.nl" \
target="_blank">vincent.koldenhof@everett.nl</a>&gt;</span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hi Matthias,<br>
    <br>
    I see where I was making a mistake. I used the sample provisioner
    file <b>provisioner.openicf-adldap.json</b> from the
    samples/provisioners folder to setup my Active Directory connection.
    This provisioner file does not by default contain the ldapGroups
    attribute. So when I tried to use it before it was failing and I
    concluded that this was not working for Active Directory but
    probably was needed for other LDAP directory servers. <br>
    <br>
    Looking at the Managing Users, Groups and Roles (chap.8
    <a href="https://backstage.forgerock.com/#!/docs/openidm/3.1.0/integrators-guide/chap-users-groups-roles" \
target="_blank">https://backstage.forgerock.com/#!/docs/openidm/3.1.0/integrators-guide/chap-users-groups-roles</a>)
  made it worse for me to see my mistake. The sample role definition
    for Two Remote Systems mentions LDAP and AD so I went for the AD
    configuration using the adSystems. That did not work either. <br>
    <br>
    Anyway, thank you for helping to clarify. Just a last thought
    though, is there any documentation on this special attribute and are
    there more special attributes? <br>
    <br>
    kind regards,<br>
    Vincent<br>
    <br>
    <div>Op 23/09/15 om 12:25 schreef
      <a href="mailto:openidm-request@forgerock.org" \
target="_blank">openidm-request@forgerock.org</a>:<br>  </div>
    <blockquote type="cite">
      <pre>----------------------------------------------------------------------

Message: 1
Date: Wed, 23 Sep 2015 12:25:23 +0200
From: Matthias Tristl <a href="mailto:matthias.tristl@forgerock.com" \
                target="_blank">&lt;matthias.tristl@forgerock.com&gt;</a>
To: <a href="mailto:openidm@forgerock.org" \
target="_blank">&quot;openidm@forgerock.org&quot;</a> <a \
                href="mailto:openidm@forgerock.org" \
                target="_blank">&lt;openidm@forgerock.org&gt;</a>
Subject: Re: [OpenIDM] adding group member ship to Active Directory
	user
Message-ID:
	<a href="mailto:CAKrWytHNsBmxRy47vKin6f6gR_XvSkR3-HGpO8egfV07GaU2pw@mail.gmail.com" \
target="_blank">&lt;CAKrWytHNsBmxRy47vKin6f6gR_XvSkR3-HGpO8egfV07GaU2pw@mail.gmail.com&gt;</a>
                
Content-Type: text/plain; charset=&quot;utf-8&quot;

Just to give some background if you are interested: the isMemberOf (or
similar) attribute in most LDAP servers is a virtual attribute, i.e. it is
calculated on request time and therefore read only.

Adding users to groups needs manipulating the group object, not the user
object.

Fortunately the LDAP connector can do it for you, when using the special
attribute &quot;ldapGroups&quot;. The value of the attribute is not set in the \
user&#39;s object, as it might look like, but interpreted by the connector (if the
nativeType of the object is __ACCOUNT__).

Please see sample 2c that comes with openidm:
<span class=""><a href="https://backstage.forgerock.com/#!/docs/openidm/3.1.0/install-guide/chap-samples%23more-sample2c" \
target="_blank">https://backstage.forgerock.com/#!/docs/openidm/3.1.0/install-guide/chap-samples#more-sample2c</a>


Cheers,

Matthias



Matthias Tristl : ForgeRock INC
e: <a href="mailto:matthias.tristl@forgerock.com" \
                target="_blank">matthias.tristl@forgerock.com</a>
t: <a href="tel:%2B47%2047707662" value="+4747707662" target="_blank">+47 \
                47707662</a>
w: <a href="http://forgerock.com" target="_blank">forgerock.com</a>

On Wed, Sep 23, 2015 at 11:47 AM, Pavel Horal <a \
href="mailto:pavel.horal@orchitech.cz" \
target="_blank">&lt;pavel.horal@orchitech.cz&gt;</a> wrote:

</span></pre>
      <blockquote type="cite">
        <pre>Hi Vincent,

use *ldapGroups* attribute to set group membership in LDAP. This
attribute should hold JSON array of group DNs.

Regards,
Pavel

------------------------------
*From: *&quot;Vincent Koldenhof&quot; <a href="mailto:vincent.koldenhof@everett.nl" \
                target="_blank">&lt;vincent.koldenhof@everett.nl&gt;</a>
*To: *<a href="mailto:openidm@forgerock.org" \
                target="_blank">openidm@forgerock.org</a>
*Sent: *Wednesday, September 23, 2015 11:34:22 AM
*Subject: *[OpenIDM] adding group member ship to Active Directory user


Hi everyone,

I need some help and guidance towards a working solution. What I want to
achieve is adding a group membership to a user in Active Directory. I have
already setup OpenIDM 3.1.0 to work against a Windows 2012 Active Directory
using the Generic LDAP connector. I can create new users, enable them and
set a random password. The source of the users is a SQL Server 2012
database with a view providing the information to create a user.
So my next step is to add a group membership to this user.

I have the following user:
CN=vcorleon,OU=Actief,OU=Accounts,DC=ad,DC=example,DC=com

I want to make this user member of this group:
CN=TestGroup,OU=Roles,OU=Accounts,DC=ad,DC=example,DC=com


However, I do not seem to be able to achieve this. Adding a value to the
*memberOf* attribute of the user does not seem to work. There is no error
message (or I am unable to find it) and the entry is not added. I did
investigate and apparently this approach is not correct for Active
Directory.

So I tried a different approach, namely adding the *dn* of the user to
the group&#39;s *member* attribute. However, this also does not seem to work
and does not provide any error message. I have set the debugging to finest.

Here is my setup, any help, suggestions would be nice. However, I do not
want to use the powershell connector or a remote connector. I want to be
able to use the generic LDAP connector.


in my Sync.json you can see I add the user dn directly to the member
attribute in the testrole object and expect this to be exported to the
Active Directory. But this is not happening and I do not see any error
message.

---------------- Sync.json -------------------

vincent@openidm:~/openidm/vincent/conf$ clear
vincent@openidm:~/openidm/vincent/conf$ cat sync.json
{
    "mappings" : [
        {
            "target" : "managed/user",
            "correlationQuery" : {
                "type" : "text/javascript",
                "expressionTree" : {
                    "any" : [
                        "uid"
                    ]
                },
                "mapping" : "sourcePersonenmetwerkrelatiesPersoon_managedUser",
                "file" : "ui/correlateTreeToQueryFilter.js"
            },
            "properties" : [
                {
                    "target" : "firstname",
                    "source" : "Roepnaam"
                },
                {
                    "target" : "lastname",
                    "source" : "Achternaam"
                },
                {
                    "target" : "userName",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "(source.Roepnaam.substring(0,1) + source.Achternaam.substring(0,7)).toLowerCase();"
                    }
                },
                {
                    "target" : "mail",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "(source.Roepnaam+'.'+source.Achternaam+'@example.com').toLowerCase();"
                    }
                },
                {
                    "target" : "givenName",
                    "source" : "Voornamen"
                },
                {
                    "target" : "sn",
                    "source" : "Achternaam"
                },
                {
                    "target" : "id",
                    "source" : "ID"
                },
                {
                    "target" : "bronid",
                    "source" : "BronID"
                },
                {
                    "target" : "uid",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "(source.Roepnaam.substring(0,1) + source.Achternaam.substring(0,7)).toLowerCase();"
                    }
                },
                {
                    "target" : "description",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "'Created by OpenIDM on '+ new Date();"
                    }
                },
                {
                    "target" : "telephoneNumber",
                    "source" : "Telefoonnummer"
                },
                {
                    "target" : "password",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "var caps=\"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\nvar nums=\"1234567890\";\nvar par1=Math.random().toString(36).slice(-6);\nvar par2=caps.substr(Math.round(Math.random()*(caps.length-1)),1);\nvar par3=nums.substr(Math.round(Math.random()*(nums.length-1)),1);\npar1+par2+par3;\n"
                    }
                },
                {
                    "target" : "actief",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "var today = new Date();\n\nif (new Date(source.StartDatum) < today && new Date(source.EindDatum) > today ){\n 'Actief';\n}else{\n  'Inactief';\n}"
                    }
                },
                {
                    "target" : "eindDatum",
                    "source" : "EindDatum"
                },
                {
                    "target" : "startDatum",
                    "source" : "StartDatum"
                }
            ],
            "source" : "system/personenmetwerkrelaties/persoon",
            "policies" : [
                {
                    "action" : "CREATE",
                    "situation" : "ABSENT"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "ALL_GONE"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "AMBIGUOUS"
                },
                {
                    "action" : "UPDATE",
                    "situation" : "CONFIRMED"
                },
                {
                    "action" : "UPDATE",
                    "situation" : "FOUND"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "FOUND_ALREADY_LINKED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "LINK_ONLY"
                },
                {
                    "action" : "DELETE",
                    "situation" : "MISSING"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "SOURCE_IGNORED"
                },
                {
                    "action" : "DELETE",
                    "situation" : "SOURCE_MISSING"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "TARGET_IGNORED"
                },
                {
                    "action" : "DELETE",
                    "situation" : "UNASSIGNED"
                },
                {
                    "action" : "DELETE",
                    "situation" : "UNQUALIFIED"
                }
            ],
            "name" : "sourcePersonenmetwerkrelatiesPersoon_managedUser"
        },
        {
            "target" : "system/ad/account",
            "assignmentsToMap" : [
                "ad"
            ],
            "correlationQuery" : {
                "type" : "text/javascript",
                "expressionTree" : {
                    "any" : [
                        "mail"
                    ]
                },
                "mapping" : "managedUser_sourceAdAccount",
                "file" : "ui/correlateTreeToQueryFilter.js"
            },
            "properties" : [
                {
                    "target" : "sn",
                    "source" : "lastname"
                },
                {
                    "target" : "givenName",
                    "source" : "firstname"
                },
                {
                    "target" : "mail",
                    "source" : "mail"
                },
                {
                    "target" : "sAMAccountName",
                    "source" : "userName"
                },
                {
                    "target" : "dn",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "\"CN=\"+source.userName+\",OU=Actief,OU=Accounts,DC=ad,DC=example,DC=com\";"
                    }
                },
                {
                    "target" : "telephoneNumber",
                    "source" : "telephoneNumber"
                },
                {
                    "target" : "description",
                    "source" : "description"
                },
                {
                    "target" : "userAccountControl",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "512"
                    }
                },
                {
                    "target" : "userPassword",
                    "source" : "password"
                },
                {
                    "target" : "cn",
                    "source" : "userName"
                },
                {
                    "target" : "memberOf",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "'CN=Employees,OU=Roles,OU=Accounts,DC=ad,DC=example,DC=com'"
                    }
                },
                {
                    "target" : "company",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "'bla'"
                    }
                }
            ],
            "source" : "managed/user",
            "policies" : [
                {
                    "action" : "CREATE",
                    "situation" : "ABSENT"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "ALL_GONE"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "AMBIGUOUS"
                },
                {
                    "action" : "UPDATE",
                    "situation" : "CONFIRMED"
                },
                {
                    "action" : "UPDATE",
                    "situation" : "FOUND"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "FOUND_ALREADY_LINKED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "LINK_ONLY"
                },
                {
                    "action" : "UNLINK",
                    "situation" : "MISSING"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "SOURCE_IGNORED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "SOURCE_MISSING"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "TARGET_IGNORED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "UNASSIGNED"
                },
                {
                    "action" : "DELETE",
                    "situation" : "UNQUALIFIED"
                }
            ],
            "name" : "managedUser_sourceAdAccount"
        },
        {
            "target" : "system/ad/group",
            "correlationQuery" : {
                "type" : "text/javascript",
                "expressionTree" : {
                    "any" : [
                        "dn"
                    ]
                },
                "mapping" : "managedTestrole_sourceAdGroup",
                "file" : "ui/correlateTreeToQueryFilter.js"
            },
            "properties" : [
                {
                    "target" : "samAccountName",
                    "source" : "samAccountName"
                },
                {
                    "target" : "dn",
                    "source" : "dn"
                },
                {
                    "target" : "description",
                    "source" : "description"
                },
                {
                    "target" : "member",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "'CN=vcorleon,OU=Actief,OU=Accounts,DC=ad,DC=example,DC=com'"
                    }
                }
            ],
            "source" : "managed/testrole",
            "policies" : [
                {
                    "action" : "CREATE",
                    "situation" : "ABSENT"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "ALL_GONE"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "AMBIGUOUS"
                },
                {
                    "action" : "UPDATE",
                    "situation" : "CONFIRMED"
                },
                {
                    "action" : "UPDATE",
                    "situation" : "FOUND"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "FOUND_ALREADY_LINKED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "LINK_ONLY"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "MISSING"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "SOURCE_IGNORED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "SOURCE_MISSING"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "TARGET_IGNORED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "UNASSIGNED"
                },
                {
                    "action" : "DELETE",
                    "situation" : "UNQUALIFIED"
                }
            ],
            "name" : "managedTestrole_sourceAdGroup"
        },
        {
            "target" : "managed/testrole",
            "correlationQuery" : {
                "type" : "text/javascript",
                "expressionTree" : {
                    "any" : [
                        "dn"
                    ]
                },
                "mapping" : "sourceAdGroup_managedTestrole",
                "file" : "ui/correlateTreeToQueryFilter.js"
            },
            "properties" : [
                {
                    "target" : "dn",
                    "source" : "dn"
                },
                {
                    "target" : "description",
                    "source" : "",
                    "transform" : {
                        "type" : "text/javascript",
                        "source" : "'doei'"
                    }
                },
                {
                    "target" : "samAccountName",
                    "source" : "samAccountName"
                }
            ],
            "source" : "system/ad/group",
            "policies" : [
                {
                    "action" : "CREATE",
                    "situation" : "ABSENT"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "ALL_GONE"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "AMBIGUOUS"
                },
                {
                    "action" : "UPDATE",
                    "situation" : "CONFIRMED"
                },
                {
                    "action" : "UPDATE",
                    "situation" : "FOUND"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "FOUND_ALREADY_LINKED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "LINK_ONLY"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "MISSING"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "SOURCE_IGNORED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "SOURCE_MISSING"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "TARGET_IGNORED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "UNASSIGNED"
                },
                {
                    "action" : "DELETE",
                    "situation" : "UNQUALIFIED"
                }
            ],
            "name" : "sourceAdGroup_managedTestrole"
        }
    ]
}



--------------- Provisioner.openicf-ldap.json ---------------
vincent@openidm:~/openidm/vincent/conf$ cat provisioner.openicf-ldap.json
{
    "name" : "ldap",
    "connectorRef" : {
        "bundleName" : "org.forgerock.openicf.connectors.ldap-connector",
        "bundleVersion" : "[1.4.0.0,2.0.0.0)",
        "connectorName" : "org.identityconnectors.ldap.LdapConnector"
    },
    "configurationProperties" : {
        "host" : "192.168.249.164",
        "port" : 636,
        "ssl" : true,
        "principal" : "cn=admin,cn=Users,DC=ad,DC=example,DC=com",
        "credentials" : {
            "$crypto" : {
                "value" : {
                    "iv" : "I4zpnzi9gWGuengIrk2fIw==",
                    "data" : "TSeKycZEDZCifOwzscRrlA==",
                    "cipher" : "AES/CBC/PKCS5Padding",
                    "key" : "openidm-sym-default"
                },
                "type" : "x-simple-encryption"
            }
        },
        "baseContexts" : [
            "ou=accounts,dc=ad,dc=example,dc=com"
        ],
        "baseContextsToSynchronize" : [
            "ou=accounts,dc=ad,dc=example,dc=com"
        ],
        "accountSearchFilter" : null,
        "accountSynchronizationFilter" : null,
        "groupSearchFilter" : null,
        "groupSynchronizationFilter" : null,
        "passwordAttributeToSynchronize" : null,
        "synchronizePasswords" : false,
        "removeLogEntryObjectClassFromFilter" : true,
        "modifiersNamesToFilterOut" : [ ],
        "passwordDecryptionKey" : null,
        "changeLogBlockSize" : 100,
        "attributesToSynchronize" : [ ],
        "changeNumberAttribute" : "changeNumber",
        "passwordDecryptionInitializationVector" : null,
        "filterWithOrInsteadOfAnd" : false,
        "objectClassesToSynchronize" : [
            "user"
        ],
        "vlvSortAttribute" : "uid",
        "passwordAttribute" : "unicodePwd",
        "useBlocks" : false,
        "maintainPosixGroupMembership" : false,
        "failover" : [ ],
        "readSchema" : true,
        "accountObjectClasses" : [
            "top",
            "person",
            "organizationalPerson",
            "user"
        ],
        "accountUserNameAttributes" : [
            "sAMAccountName"
        ],
        "groupMemberAttribute" : "uniqueMember",
        "passwordHashAlgorithm" : "WIN-AD",
        "usePagedResultControl" : false,
        "blockSize" : 100,
        "uidAttribute" : "dn",
        "maintainLdapGroupMembership" : false,
        "respectResourcePasswordPolicyChangeAfterReset" : false
    },
    "resultsHandlerConfig" : {
        "enableNormalizingResultsHandler" : true,
        "enableFilteredResultsHandler" : false,
        "enableCaseInsensitiveFilter" : false,
        "enableAttributesToGetSearchResultsHandler" : true
    },
    "poolConfigOption" : {
        "maxObjects" : 10,
        "maxIdle" : 10,
        "maxWait" : 150000,
        "minEvictableIdleTimeMillis" : 120000,
        "minIdle" : 1
    },
    "operationTimeout" : {
        "CREATE" : -1,
        "VALIDATE" : -1,
        "TEST" : -1,
        "SCRIPT_ON_CONNECTOR" : -1,
        "SCHEMA" : -1,
        "DELETE" : -1,
        "UPDATE" : -1,
        "SYNC" : -1,
        "AUTHENTICATE" : -1,
        "GET" : -1,
        "SCRIPT_ON_RESOURCE" : -1,
        "SEARCH" : -1
    },
    "syncFailureHandler" : {
        "maxRetries" : 5,
        "postRetryAction" : "logged-ignore"
    },
    "objectTypes" : {
        "account" : {
            "$schema" : "http://json-schema.org/draft-03/schema",
            "id" : "__ACCOUNT__",
            "type" : "object",
            "nativeType" : "__ACCOUNT__",
            "properties" : {
                "cn" : {
                    "type" : "string",
                    "nativeName" : "cn",
                    "nativeType" : "string"
                },
                "description" : {
                    "type" : "string",
                    "nativeName" : "description",
                    "nativeType" : "string"
                },
                "givenName" : {
                    "type" : "string",
                    "nativeName" : "givenName",
                    "nativeType" : "string"
                },
                "mail" : {
                    "type" : "string",
                    "nativeName" : "mail",
                    "nativeType" : "string"
                },
                "telephoneNumber" : {
                    "type" : "string",
                    "nativeName" : "telephoneNumber",
                    "nativeType" : "string"
                },
                "sn" : {
                    "type" : "string",
                    "nativeName" : "sn",
                    "nativeType" : "string"
                },
                "uid" : {
                    "type" : "string",
                    "nativeName" : "uid",
                    "nativeType" : "string"
                },
                "sAMAccountName" : {
                    "type" : "string",
                    "nativeName" : "sAMAccountName",
                    "nativeType" : "string"
                },
                "dn" : {
                    "type" : "string",
                    "nativeName" : "__NAME__",
                    "nativeType" : "string",
                    "required" : true
                },
                "userAccountControl" : {
                    "type" : "string",
                    "nativeName" : "userAccountControl",
                    "required" : true,
                    "nativeType" : "string"
                },
                "userPassword" : {
                    "type" : "string",
                    "nativeName" : "__PASSWORD__",
                    "nativeType" : "JAVA_TYPE_GUARDEDSTRING",
                    "flags" : [
                        "NOT_READABLE",
                        "NOT_RETURNED_BY_DEFAULT"
                    ]
                },
                "ldapGroups" : {
                    "type" : "array",
                    "items" : {
                        "type" : "string",
                        "nativeType" : "string"
                    },
                    "nativeName" : "ldapGroups",
                    "nativeType" : "string"
                }
            }
        },
        "group" : {
            "$schema" : "http://json-schema.org/draft-03/schema",
            "id" : "__GROUP__",
            "type" : "object",
            "nativeType" : "__GROUP__",
            "properties" : {
                "seeAlso" : {
                    "type" : "array",
                    "items" : {
                        "type" : "string",
                        "nativeType" : "string"
                    },
                    "nativeName" : "seeAlso",
                    "nativeType" : "string"
                },
                "description" : {
                    "type" : "array",
                    "items" : {
                        "type" : "string",
                        "nativeType" : "string"
                    },
                    "nativeName" : "description",
                    "nativeType" : "string"
                },
                "uniqueMember" : {
                    "type" : "array",
                    "items" : {
                        "type" : "string",
                        "nativeType" : "string"
                    },
                    "nativeName" : "uniqueMember",
                    "nativeType" : "string"
                },
                "dn" : {
                    "type" : "string",
                    "required" : true,
                    "nativeName" : "__NAME__",
                    "nativeType" : "string"
                },
                "o" : {
                    "type" : "array",
                    "items" : {
                        "type" : "string",
                        "nativeType" : "string"
                    },
                    "nativeName" : "o",
                    "nativeType" : "string"
                },
                "ou" : {
                    "type" : "array",
                    "items" : {
                        "type" : "string",
                        "nativeType" : "string"
                    },
                    "nativeName" : "ou",
                    "nativeType" : "string"
                },
                "businessCategory" : {
                    "type" : "array",
                    "items" : {
                        "type" : "string",
                        "nativeType" : "string"
                    },
                    "nativeName" : "businessCategory",
                    "nativeType" : "string"
                },
                "owner" : {
                    "type" : "array",
                    "items" : {
                        "type" : "string",
                        "nativeType" : "string"
                    },
                    "nativeName" : "owner",
                    "nativeType" : "string"
                },
                "cn" : {
                    "type" : "array",
                    "items" : {
                        "type" : "string",
                        "nativeType" : "string"
                    },
                    "required" : true,
                    "nativeName" : "cn",
                    "nativeType" : "string"
                }
            }
        }
    },
    "operationOptions" : {
        "DELETE" : {
            "denied" : false,
            "onDeny" : "DO_NOTHING"
        },
        "UPDATE" : {
            "denied" : false,
            "onDeny" : "DO_NOTHING"
        },
        "CREATE" : {
            "denied" : false,
            "onDeny" : "DO_NOTHING"
        }
    },
    "_id" : "provisioner.openicf/ldap"
}
vincent@openidm:~/openidm/vincent/conf$




--
Vincent Koldenhof
everett
            MAKING IDENTITY *MATTER*

Wiersedreef 5-7, 3433 ZX Nieuwegein, the Netherlands
P.O. Box 1487, 3430 BL Nieuwegein, the Netherlands

Tel:          +31 6 462 33 666
Office:      +31 30 659 22 55
Email:      vincent.koldenhof@everett.nl
Website:   http://www.everett.nl<span class="">
Skype:     vincent.koldenhof.everett




_______________________________________________
OpenIDM mailing list
<a href="mailto:OpenIDM@forgerock.org" target="_blank">OpenIDM@forgerock.org</a>
<a href="https://lists.forgerock.org/mailman/listinfo/openidm" \
target="_blank">https://lists.forgerock.org/mailman/listinfo/openidm</a>




</span></pre>
      </blockquote>
      <pre>-------------- next part --------------
An HTML attachment was scrubbed...
URL: <a href="http://lists.forgerock.org/pipermail/openidm/attachments/20150923/836defc9/attachment.html" \
target="_blank">&lt;http://lists.forgerock.org/pipermail/openidm/attachments/20150923/836defc9/attachment.html&gt;</a>


------------------------------



End of OpenIDM Digest, Vol 64, Issue 22
***************************************
</pre>
    </blockquote><span class="">
    <br>
  </span></div>

<br></blockquote></div><br></div>




