LDAP Connector
Introduction
Description
This connector implements the LDAP standard and it is used to connect the Sync-Server with every server that allows this communication protocol.
Managed System
There are a lot of servers and products that use this standard, for instance, the most known systems are:
-
389 Directory Server.
-
Apache Directory Server.
-
OpenLDAP.
-
OpenDJ.
-
Active Directory.
-
Oracle Directory Server.
For more information: List of LDAP software.
If your system is not in the previous list, it's possible to include it easily!
For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our Contact form
Prerequisites
It is needed a user with full administrator access.
Download and Install
This addon is located in the Connectors section and its name is LDAP plugin.
For more information about the installation process you can visit the Addons Getting started page.
Agent Configuration
Basic
Generic parameters
After the installation of the addon, you may create and configure agent instances.
To configure this LDAP Connector you must select "LDAP-Custom (with triggers)" in the attribute "Type" of the generic parameters section in the agent's page configuration.
For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration
Custom parameters
Below there are the specific parameters for this agent implementation:
Parameter |
Description |
---|---|
User name |
User name in DN format, including base name if needed |
Password |
Password |
Host name |
Host name of the server |
Enable SSL |
|
Base DN |
LDAP Base name |
PasswordAttribute |
|
Password hash algorithm |
The algorithm is used to encrypt the password. For instance SHA-1, SHA-256, MD5, etc |
Password hash prefix |
|
LDAP Query page size |
|
Enable debug |
Two options: Yes, No. When it is enabled more log traces are printed in the Synchronization Server log |
Attribute mapping
This connector can manage users, accounts, roles, groups, and grants.
As a limitation, it cannot detect password changes to be propagated to other systems.
Properties
Some agents require to configure some custom attributes, you will use the properties section to do that.
Renaming
To support object renaming, Soffid needs to store the Soffid account name on a specific LDAP attribute. It's highly recommended to index such a field. To enable it, add the following properties to each object mapping:
Property
|
Value
|
---|---|
rename |
true |
key |
<LDAP attribute where Soffid account name is stored> |
modificationTimestamp |
LDAP attribute |
If a key value is set, LDAP connector will search for objects based on this LDAP attribute value, rather than its DN. Thus, an index on this attributed is highly recommended.
At any time, object renaming can be disabled by setting the property rename to false.
Property
|
Value
|
---|---|
rename |
false |
Attributes
You can customize attribute mappings, you only need to select system objects and the Soffid objects related, manage their attributes, and make either inbound andor outbound attribute mappings.
Using a windows connector you can map users, groups, and role objects. Active Directory membership is automatically managed based on user and group mappings.
You can map users, groups, and role objects. User membership must be managed on the role members' attribute expression.
Any object mapping must have the following system attributes:
System attribute
|
Value
|
---|---|
objectClass |
LDAP Object Class. It can evaluate to an array of objects |
dn |
Full qualified object name |
For more information about how you may configure attribute mapping, see the following link: Soffid Attribute Mapping Reference
For instance:
Triggers
You can define BeanShell scripts that will be triggered when data is loaded into the target system (outgoing triggers). The trigger result will be a boolean value, true to continue or false to stop.
Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation on target objects.
To view some examples, visit the Outgoing triggers examples page.
Load triggers
You can define BeanShell scripts that will be triggered when data is loaded into Soffid (incoming triggers). The trigger result will be a boolean value, true to continue or false to stop.
Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation into Soffid objects.
To view some examples, visit the Incoming triggers examples page.
Account metadata
Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings.The additional data can be used in both mappings and triggers.
The attributes which you define here will be shown when you click on the proper account, on the Accounts Tabs at user page.
Operational
Monitoring
After the agent configuration you could check in the monitoring page if the service is running in the Synchronization Server, please go to:
Authoritative
If you are checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to:
And you will something like "Import authoritative data from <AGENT_NAME>".
You can also run the Authoritative load from the Massive actions tab in the Agent
Reconcile
If you are configured the "Attribute Mapping" tab with some of our objects: "user, account, role, group or grant", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to:
And you will do something like "Reconcile all accounts from <AGENT_NAME>".
You can also run the Reconcile from the Massive actions tab in the Agent:
Synchronization
Regarding the synchronization of the objects, there are two possible options:
If the "Read Only" attribute is checked in the "Basics" tab (select Yes option), only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid will be tested.If the "Read Only" attribute is not checked in the "Basics" tab (select No option), all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Basic" tab correctly.
For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration