
Connecting OpenIdM with Microsoft Active Directory – How to set it up!

This article describes how to set up ForgeRock’s Open Identity Management (OpenIDM) with Microsoft Active Directory using a standalone .NET Connector Server.

About OpenIDM & OpenICF

OpenIDM communicates with various kinds of resources, from simple files (XML, CSV) to more complex ones such as various LDAP implementations and SQL databases. This communication is provided by the Open Identity Connector Framework and Toolkit (OpenICF). If, for some reason, the access libraries cannot be built into OpenIDM (cannot be loaded inside its Java Virtual Machine), an external connector server is needed. This article covers a deployment with OpenIDM on one machine and an external .NET Connector Server, which hosts the remote connector, on a second machine. In this deployment the .NET Connector Server provides the way to connect OpenIDM with Microsoft Active Directory, as depicted in the diagram below:

Prerequisites

  • Windows 2003 or 2008
  • .NET Framework 4.0
  • Microsoft Active Directory – In this setup I used the AD bundled with Windows 2008 RC2 SP1
  • OpenIDM 2.1.0, revision 1395

Installing .NET Connector Server on Windows

  1. Download the Connector Server from here (tested on build #23).
  2. Execute the downloaded .msi file and follow the wizard; it walks you through the whole process step by step. Upon completion, the Connector Server is installed as a Windows service called “Connector Server”.

Starting and Stopping the Connector Server

  1. You can start or stop the server using the Microsoft Services Console: Start -> type Services -> Services.
  2. You can also start the server from a command prompt: Start -> type cmd -> cmd. Change to the directory where the Connector Server has been installed, by default C:\Program Files\Identity Connectors\Connector Server:
    C:\> cd "Program Files (x86)\Identity Connectors\Connector Server"

    and run the following command:

    ConnectorServer.exe /run

Configuring the .NET Connector Server

  1. Start the Microsoft Services Console (Start -> type Services -> Services). Check whether the Connector Server is currently running; if so, stop it. From a command prompt (Start -> type cmd), set the key for the Connector Server. This is done by changing to the directory where the Connector Server was installed and executing the following command:
    ConnectorServer.exe /setkey <newkey>

    where <newkey> is the string value. This key is required by any client that connects to this Connector Server.

  2. See ConnectorServer.exe.config for additional configuration. The port, address, and SSL settings are in the tag called appSettings and look like this:
    <add key="connectorserver.port" value="8759" />
    <add key="connectorserver.usessl" value="false" />
    <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
    <add key="connectorserver.ifaddress" value="0.0.0.0" />
    • connectorserver.port – sets the listening port
    • connectorserver.ifaddress – accept connections on a particular address only, or on all addresses (0.0.0.0)
    • connectorserver.usessl – turns SSL on or off
    • connectorserver.certificatestorename – if using certificates, put your certificate store name here

    Any configuration changes will require the connector server to be stopped and restarted.

  3. Now you need to add the Active Directory connector. Do so by downloading the Active Directory connector (tested on build #15) and simply unzipping it into the Connector Server folder.
  4. Start the Connector Server service (from the Microsoft Services Console).
  5. Make sure your firewall is either turned off or has a rule that opens the port you set in ConnectorServer.exe.config.

Configuring OpenIDM

  1. When you configure remote connectors, you must use the connector info provider service to connect through remote connector servers. The configuration is stored in the configuration file, openidm/conf/provisioner.openicf.connectorinfoprovider.json. A sample can be found in openidm/samples/provisioners/.
  2. Make sure OpenIDM is running, copy provisioner.openicf.connectorinfoprovider.json to /path/to/openidm/conf and edit it according to your needs. In my case the file is provisioner.openicf.connectorinfoprovider.json
    $ cd path/to/openidm
    $ cp samples/provisioners/provisioner.openicf.connectorinfoprovider.json conf/
  3. As the next step you need to create the connector file provisioner.openicf-ad.json in the conf/ directory. The file should look like the following one: provisioner.openicf-ad.json
  4. Edit the configurationProperties according to your Active Directory setup and also make sure that the bundleVersion is the SAME version as ActiveDirectory.Connector.dll in the Windows Connector Server folder (right-click the dll -> Properties -> Details tab -> Product version).
  5. Check that the connector was installed properly. In the OpenIDM console run the following command:
    scr list

    Among all the installed modules you should see (the number can differ):
    [ 24] [active ] org.forgerock.openidm.provisioner.openicf

    See the content of this connector with:

    scr info 24

    (use the number from your list)

    and you should see the content of the connector.

  6. Now you need to create sync.json, where you define the mappings of the various attributes and the behaviour during reconciliation. A simple sync.json could look like this: sync.json
    After configuring sync.json and placing it in the conf/ directory the system should be ready.
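The settings made in this section and the previous one have to agree with each other, and a mismatch (wrong port, key, connectorHostRef or bundleVersion) is the usual reason the connector does not show up. The following check is an added example, not code from the article or from ForgeRock: it cross-checks the appSettings of ConnectorServer.exe.config, the remote server entry of provisioner.openicf.connectorinfoprovider.json and the connectorRef of provisioner.openicf-ad.json, including the bundleVersion rule from step 4. The remoteConnectorServers field names follow the OpenIDM 2.1 sample file; the host name and key are placeholders, and the DLL product version is passed in as read from the DLL's Properties dialog.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of the appSettings part of ConnectorServer.exe.config (values as in the article).
CONNECTOR_SERVER_CONFIG = """<configuration><appSettings>
  <add key="connectorserver.port" value="8759" />
  <add key="connectorserver.usessl" value="false" />
  <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
  <add key="connectorserver.ifaddress" value="0.0.0.0" />
</appSettings></configuration>"""

# Constructed sample of provisioner.openicf.connectorinfoprovider.json; field names follow the
# OpenIDM 2.1 sample file, host and key are placeholders.
CONNECTOR_INFO_PROVIDER = """{"connectorsLocation": "connectors", "remoteConnectorServers": [
  {"name": "dotnet", "host": "ad-host.example.com", "port": 8759, "useSSL": false,
   "timeout": 0, "key": "CHANGE-ME"}]}"""

# Constructed connectorRef section of provisioner.openicf-ad.json, values as listed in the article.
AD_PROVISIONER = """{"name": "ad", "connectorRef": {"connectorHostRef": "dotnet",
  "connectorName": "Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector",
  "bundleName": "ActiveDirectory.Connector", "bundleVersion": "1.0.0.0"}}"""


def app_settings(xml_text):
    """Parse the <add key=... value=...> entries of ConnectorServer.exe.config into a dict."""
    return {e.get("key"): e.get("value") for e in ET.fromstring(xml_text).iter("add")}


def check_setup(server_xml, info_provider_json, ad_provisioner_json, dll_product_version):
    """Return a list of findings; an empty list means both sides of the setup agree."""
    findings = []
    settings = app_settings(server_xml)
    servers = {s["name"]: s for s in json.loads(info_provider_json)["remoteConnectorServers"]}
    ref = json.loads(ad_provisioner_json)["connectorRef"]
    host = servers.get(ref["connectorHostRef"])
    if host is None:  # OpenIDM would not know which Connector Server to contact
        return ["connectorHostRef %r has no remoteConnectorServers entry" % ref["connectorHostRef"]]
    if int(settings["connectorserver.port"]) != host["port"]:
        findings.append("port mismatch: Connector Server %s, OpenIDM %s" % (settings["connectorserver.port"], host["port"]))
    if (settings["connectorserver.usessl"] == "true") != bool(host["useSSL"]):
        findings.append("usessl/useSSL mismatch between ConnectorServer.exe.config and OpenIDM")
    if not host["useSSL"]:
        findings.append("warning: OpenIDM to Connector Server traffic is not TLS-protected")
    if not host.get("key"):
        findings.append("key is empty; it must match the value set with ConnectorServer.exe /setkey")
    if ref["bundleVersion"] != dll_product_version:
        findings.append("bundleVersion %s differs from ActiveDirectory.Connector.dll product version %s" % (ref["bundleVersion"], dll_product_version))
    if settings["connectorserver.ifaddress"] == "0.0.0.0":
        findings.append("warning: Connector Server accepts connections on all interfaces")
    return findings
```

With the article's values the check only reports the two warnings about usessl=false and ifaddress=0.0.0.0; a bundleVersion that differs from the DLL's product version shows up as an additional finding.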

Testing the setup

  1. Verify the installed connectors (the following command has to be on one line):
    curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request POST "http://localhost:8080/openidm/system?_action=CREATECONFIGURATION" | python -mjson.tool

    This command lists all installed connectors. In the list you should see the Active Directory connector:

    {
      "bundleName": "ActiveDirectory.Connector",
      "bundleVersion": "1.0.0.0",
      "connectorHostRef": "dotnet",
      "connectorName": "Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector",
      "displayName": "Windows Active Directory Connector"
    }

  2. Run a reconciliation (the following command has to be on one line):
    $ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request POST "http://localhost:8080/openidm/recon?_action=recon&mapping=systemADAccounts_managedUser"

    As a result you should get a reconciliation id:
    {"_id":"0629d920-e29f-4650-889f-4423632481ad"}

  3. Check in the OpenIDM internal repository (OrientDB or MySQL) whether the users were reconciled. How to connect to the repository is described here (OrientDB) or here (MySQL).
    Here is an example of the output from OrientDB after reconciling. The user marked in red has been reconciled from Active Directory.