PhenixID

PSD1085 – Search, Edit or Create objects in an external LDAP directory. MultiDB.

Fact

  • PhenixID Identity Manager 5.x or later
  • Filter: (Tab External Filter)
    • To create objects filter.ExternalCreate
    • To search objects filter.ExternalSearch

Situation

This document will describe how to search, edit or create objects in another LDAP directory than the one where the user is logged in.

Solution

1. Define policies for multidb

IM supports scenarios where you connect to several different LDAP directories. To do this there are a number of policies you configure to do the mapping. The first LDAP directory has the policies MULTIDB_1_NAME and so on, the second MULTIDB_2_NAME and so on. See below for the full list of policies.

1.1 Required policies

MULTIDB_1_NAME=[Unique name for the remote directory]
MULTIDB_1_HOST=[DNS or IP for the remote directory]
MULTIDB_1_PORT=[Port for the remote directory]
MULTIDB_1_SSL=[true or false]
MULTIDB_1_ADMINDN=[DN for an admin user in external directory]
MULTIDB_1_ADMINPWD=[Password for the admin user]

1.2 Optional policy

MULTIDB_DEBUG=[true or false]

Policy example

MULTIDB_1_NAME=External_Active_Directory
MULTIDB_1_HOST=192.168.10.10
MULTIDB_1_PORT=636
MULTIDB_1_SSL=true
MULTIDB_1_ADMINDN=cn=Admin,ou=Users,dc=company,dc=se
MULTIDB_1_ADMINPWD=SecretPassword
MULTIDB_DEBUG=true
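Before enabling an external directory it is worth checking the policy set offline: that every MULTIDB_n entry carries all six required keys, that names are unique, that the port is valid and that an SSL=false entry is noticed, since a simple bind without TLS sends MULTIDB_n_ADMINPWD in clear text. The script below is an added example, not PhenixID's own code; the policy key names are the ones listed in this document, while the KEY=VALUE parsing rules, the assumption that indexes run 1, 2, 3 without gaps, and the sample policy texts are constructed for the example.

```python
"""Offline sanity check of PhenixID IM MULTIDB_* policies (added example)."""
import re
from typing import Dict, List

REQUIRED = ("NAME", "HOST", "PORT", "SSL", "ADMINDN", "ADMINPWD")
_KEY_RE = re.compile(r"^MULTIDB_(\d+)_([A-Z]+)$")


def parse_policies(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped.
    Only the first '=' separates key from value, so a DN value such as
    cn=Admin,ou=Users,dc=company,dc=se survives intact."""
    policies: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        policies[key.strip()] = value.strip()
    return policies


def check_multidb(policies: Dict[str, str]) -> List[str]:
    """Return findings (error/warning/info); an empty list means the set looks consistent."""
    findings: List[str] = []
    per_index: Dict[int, set] = {}
    for key in policies:
        m = _KEY_RE.match(key)
        if m:
            per_index.setdefault(int(m.group(1)), set()).add(m.group(2))
    if not per_index:
        return ["error: no MULTIDB_n_* policies found"]

    seen_names = set()
    for idx in sorted(per_index):
        prefix = f"MULTIDB_{idx}_"
        missing = [prefix + k for k in REQUIRED if k not in per_index[idx]]
        if missing:
            findings.append(f"error: directory {idx} is missing {', '.join(missing)}")
            continue
        name = policies[prefix + "NAME"]
        if name in seen_names:
            findings.append(f"error: directory {idx} reuses the name {name!r}; names must be unique")
        seen_names.add(name)
        port = policies[prefix + "PORT"]
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"error: directory {idx} has invalid port {port!r}")
        ssl = policies[prefix + "SSL"].lower()
        if ssl not in ("true", "false"):
            findings.append(f"error: directory {idx} SSL must be true or false, got {ssl!r}")
        elif ssl == "false":
            # Without TLS the admin bind sends ADMINPWD over the wire unencrypted.
            findings.append(f"warning: directory {idx} connects without SSL; "
                            "the admin bind password travels in clear text")
        if not policies[prefix + "ADMINPWD"]:
            findings.append(f"error: directory {idx} has an empty ADMINPWD")

    # Assumption: indexes are expected to be consecutive from 1 (MULTIDB_1, MULTIDB_2, ...).
    if set(per_index) != set(range(1, len(per_index) + 1)):
        findings.append(f"warning: directory indexes are not consecutive from 1: {sorted(per_index)}")
    if policies.get("MULTIDB_DEBUG", "false").lower() == "true":
        findings.append("info: MULTIDB_DEBUG=true is set")
    return findings


# Constructed sample 1: the policy example from this document.
PAGE_EXAMPLE = """
MULTIDB_1_NAME=External_Active_Directory
MULTIDB_1_HOST=192.168.10.10
MULTIDB_1_PORT=636
MULTIDB_1_SSL=true
MULTIDB_1_ADMINDN=cn=Admin,ou=Users,dc=company,dc=se
MULTIDB_1_ADMINPWD=SecretPassword
MULTIDB_DEBUG=true
"""

# Constructed sample 2: no TLS on directory 1, a duplicate name, an empty
# password and a gap in the numbering (hostnames are placeholders).
BROKEN_EXAMPLE = """
MULTIDB_1_NAME=External_Active_Directory
MULTIDB_1_HOST=192.168.10.10
MULTIDB_1_PORT=389
MULTIDB_1_SSL=false
MULTIDB_1_ADMINDN=cn=Admin,ou=Users,dc=company,dc=se
MULTIDB_1_ADMINPWD=SecretPassword
MULTIDB_3_NAME=External_Active_Directory
MULTIDB_3_HOST=ldap.example.test
MULTIDB_3_PORT=636
MULTIDB_3_SSL=true
MULTIDB_3_ADMINDN=cn=Admin,dc=example,dc=test
MULTIDB_3_ADMINPWD=
"""

if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE), ("broken example", BROKEN_EXAMPLE)):
        print(label, check_multidb(parse_policies(text)))
```

Run against the document's own example the check reports only that debugging is enabled; against the second sample it reports the clear-text bind, the duplicate name, the empty password and the index gap.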

2. Use a Predefined Search form with MultiDB

There are two mandatory steps, see below, that you must do to tell IM to connect elsewhere. (Before this, the policies for the external LDAP must be configured as explained above.)

2.1 In the predefined search form, add the Tab External Filter filter.ExternalSearch.

2.2 Add a text field control to the predefined search form with following parameters:
Attribute Name: connection
Title: connection
Hidden – TRUE (checkbox is checked)
Display only – TRUE (checkbox is checked)
Default Value: External_Active_Directory (to use the example policy above)

3. Use an Edit form with MultiDB

3.1 Create the edit form

3.2 Make sure to use the object classes and attribute names that are used in the external directory.

3.3 You can use restriction filters to make sure the form is only available for the external LDAP.
If you have a form that you want to be shown only to a particular set of objects (objects in the same OU, objects with the same value in an attribute, or only user objects), you can use restriction filters in IM.
In our example here, one form is only available if the DN is under DC=ExternalAD and another form is only available if the DN is under DC=LocalAD.
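To show what such a restriction decides, the following added example models restriction rules as small dictionaries and evaluates them against directory objects. It is not PhenixID's code and does not use IM's restriction-filter syntax; the rule shape (base DN, object class, attribute value), the form names and the sample objects are constructed. DN comparison is done on normalized RDNs, so that case differences and escaped commas in a CN do not cause a false match or a false reject.

```python
"""Model of per-form restriction filters keyed on DN, object class and attribute (added example)."""
import re
from typing import Dict, List, Tuple

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped with a backslash


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Return ((type, value), ...) in the DN's own order, lowercased and whitespace-stripped.
    AD compares DNs case-insensitively, so 'dc=localad' and 'DC=LocalAD' must match."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"bad RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def dn_is_under(dn: str, base: str) -> bool:
    """True when dn equals base or lies anywhere below it (suffix match on normalized RDNs)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def form_allowed(rule: dict, obj: dict) -> bool:
    """Every key present in the rule must hold for the object."""
    if "base" in rule and not dn_is_under(obj["dn"], rule["base"]):
        return False
    if "objectClass" in rule:
        classes = {c.lower() for c in obj.get("objectClass", [])}
        if rule["objectClass"].lower() not in classes:
            return False
    if "attribute" in rule:
        name, wanted = rule["attribute"]
        if obj.get(name) != wanted:
            return False
    return True


def available_forms(obj: dict, forms: Dict[str, dict]) -> List[str]:
    """Names of the forms whose restriction rule admits this object."""
    return [name for name, rule in forms.items() if form_allowed(rule, obj)]


# Constructed rules: the two directory-specific forms from the text plus one
# restricted by OU and attribute value.
FORMS = {
    "Edit external user": {"base": "DC=ExternalAD", "objectClass": "user"},
    "Edit local user": {"base": "DC=LocalAD", "objectClass": "user"},
    "Edit IT department": {"base": "OU=IT,DC=LocalAD", "attribute": ("department", "IT")},
}

# Constructed objects: note the escaped comma in the first CN and the lowercase DN of the second.
SAMPLE_OBJECTS = [
    {"dn": "CN=Smith\\, John,OU=Users,DC=ExternalAD", "objectClass": ["top", "person", "user"], "department": "Sales"},
    {"dn": "cn=alice,ou=it,dc=localad", "objectClass": ["top", "user"], "department": "IT"},
    {"dn": "CN=Printers,DC=LocalAD", "objectClass": ["top", "container"]},
]

if __name__ == "__main__":
    for obj in SAMPLE_OBJECTS:
        print(obj["dn"], "->", available_forms(obj, FORMS))
```

The first object sees only the external form, the second sees both local forms, and the container object sees none, because no rule admits a non-user object outside OU=IT.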

4. Use Create forms with MultiDB

4.1 Configure the create form for multidb

4.1.1 In the create form click Tools – Tab Properties

4.1.2 Configure values to the following parameters:
Containment Classes : *
Enable For Virtual View : true
Enabled DNs : BASEDN

4.2 Add two controls to the form

4.2.1 In the form, add the tab external filter filter.ExternalCreate

4.2.2 Add a text field control to the create form with the following parameters:
Attribute Name: connection
Title: connection
Hidden – TRUE (checkbox is checked)
Display only – TRUE (checkbox is checked)
Default Value: External_Active_Directory (to use the example policy above)

4.2.3 Add another text field control to the create form with the following parameters:
Attribute Name: location
Title: location
Hidden – TRUE (checkbox is checked)
Display only – TRUE (checkbox is checked)
Default Value: the DN where the objects should be created


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se