OpenLDAP

Last modified 14 Apr 2021 17:53 +02:00

Status

Works well, with some inherent OpenLDAP drawbacks.

Recommended connector

LDAP Connector

The connector uses a dedicated user to access OpenLDAP, e.g. uid=idm,ou=Administrators,dc=example,dc=com, and access for this user is granted by ACLs. The connector should not use the root user. Firstly, this is best practice. Secondly, midPoint itself changes the directory tree during provisioning, and we do not want to detect those changes back in LDAP (as "echoes"), because that can cause loops in the business logic. The connector therefore filters out all changes made by this user, which is why the user should be dedicated to midPoint.
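As an added example (not code from this page or from the LDAP connector itself), the echo filtering described above applied to constructed sync records: the bind DN is read from a trimmed copy of the connector configuration shown on this page, and records whose modifiersName matches it are dropped. The record shape, the use of modifiersName for attribution, and the simplified DN comparison (no escaped commas or multi-valued RDNs) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the connectorConfiguration on this page.
NS = {
    "icfc": "http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3",
    "icfcldap": "http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/"
                "com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector",
}

# Constructed: a trimmed copy of the page's connectorConfiguration.
CONFIG_XML = f"""<connectorConfiguration xmlns:icfc="{NS['icfc']}" xmlns:icfcldap="{NS['icfcldap']}">
  <icfc:configurationProperties>
    <icfcldap:bindDn>cn=idm,ou=Administrators,dc=example,dc=com</icfcldap:bindDn>
  </icfc:configurationProperties>
</connectorConfiguration>"""

# Constructed sync records (assumed shape): the changed entry plus OpenLDAP's
# modifiersName operational attribute, which records who made the change.
CHANGES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com",
     "modifiersName": "cn=idm,ou=Administrators,dc=example,dc=com"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com",
     "modifiersName": "CN=IDM, OU=Administrators, DC=example, DC=com"},
    {"dn": "uid=carol,ou=People,dc=example,dc=com",
     "modifiersName": "uid=helpdesk,ou=Administrators,dc=example,dc=com"},
    {"dn": "uid=dave,ou=People,dc=example,dc=com",
     "modifiersName": "cn=admin,dc=example,dc=com"},
]

def bind_dn_from_config(xml_text: str) -> str:
    """Read icfcldap:bindDn from a midPoint connectorConfiguration element."""
    node = ET.fromstring(xml_text).find("icfc:configurationProperties/icfcldap:bindDn", NS)
    if node is None or not node.text:
        raise ValueError("bindDn is missing from the connector configuration")
    return node.text.strip()

def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: attribute types and caseIgnore-matched
    values (cn, ou, dc) are case-insensitive, and whitespace around the RDN
    separators is insignificant. Escaped commas are not handled (simplification)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def filter_echoes(changes: list, bind_dn: str) -> list:
    """Drop changes made by the connector's own bind DN (its "echoes") so that
    midPoint never re-processes its own provisioning. The flip side: anything
    else binding with this DN becomes invisible to midPoint, hence a dedicated user."""
    own = normalize_dn(bind_dn)
    return [c for c in changes if normalize_dn(c["modifiersName"]) != own]
```

Running `filter_echoes(CHANGES, bind_dn_from_config(CONFIG_XML))` keeps only carol and dave: alice's change is a plain echo, and bob's is an echo too despite the different letter case and spacing in modifiersName.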

Resource Configuration

Connector Configuration

Connector Configuration Example

    <!-- xmlns:t declares the prism types namespace; it is required by t:clearValue below -->
    <connectorConfiguration
            xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
            xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
            xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector"
            xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
        <icfc:configurationProperties>
            <icfcldap:port>389</icfcldap:port>
            <icfcldap:host>localhost</icfcldap:host>
            <icfcldap:baseContext>dc=example,dc=com</icfcldap:baseContext>
            <!-- dedicated midPoint user, not the OpenLDAP root user -->
            <icfcldap:bindDn>cn=idm,ou=Administrators,dc=example,dc=com</icfcldap:bindDn>
            <icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword>
            <!-- OpenLDAP does not advertise permissive modify in the root DSE, so enable it explicitly -->
            <icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify>
            <icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
            <icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
            <icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute>
            <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
            <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
            <icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
            <icfcldap:lockoutStrategy>openldap</icfcldap:lockoutStrategy>
            <icfcldap:enableExtraTests>false</icfcldap:enableExtraTests> <!-- MID-3477 -->
        </icfc:configurationProperties>
        <icfc:resultsHandlerConfiguration>
            <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
            <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
            <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
        </icfc:resultsHandlerConfiguration>
    </connectorConfiguration>

Limitations

  • OpenLDAP does not advertise support for the permissive modify control in the root DSE, so the connector cannot detect it automatically. To use the permissive modify control in the connector, it has to be enabled explicitly (usePermissiveModify=true).

  • Lockout status: the LDAP connector can unlock OpenLDAP accounts if that functionality is enabled (lockoutStrategy=openldap). The connector can also read the lockout status. However, it cannot correctly detect the status of expired locks. See http://www.openldap.org/lists/openldap-technical/201606/msg00035.html and the follow-up messages.