
Example connectorRef

Example connectorRef for an LDAP connector configuration (provisioner-json)
   "connectorRef" : {
         "connectorHostRef" : "#LOCAL",
         "connectorName" : "org.identityconnectors.ldap.LdapConnector",
         "bundleName" : "org.forgerock.openicf.connectors.ldap.openicf-ldap-connector",
         "bundleVersion" : ""
   }

For a local (built-in) connector server, the connectorHostRef is optional.

Typical configurationProperties configuration

configurationProperties of an LDAP connector configuration (provisioner-json)
   "configurationProperties" : {
         "accountSynchronizationFilter" : null,
         "passwordAttributeToSynchronize" : null,
         "synchronizePasswords" : false,
         "removeLogEntryObjectClassFromFilter" : true,
         "modifiersNamesToFilterOut" : [...],
         "passwordDecryptionKey" : null,
         "credentials" : "Passw0rd",
         "changeLogBlockSize" : 100,
         "baseContextsToSynchronize" : [...],
         "attributesToSynchronize" : [...],
         "changeNumberAttribute" : "changeNumber",
         "passwordDecryptionInitializationVector" : null,
         "filterWithOrInsteadOfAnd" : false,
         "objectClassesToSynchronize" : ["inetOrgPerson"],
         "port" : 1389,
         "vlvSortAttribute" : "uid",
         "passwordAttribute" : "userPassword",
         "useBlocks" : true,
         "maintainPosixGroupMembership" : false,
         "failover" : [...],
         "ssl" : false,
         "principal" : "cn=Directory Manager",
         "baseContexts" : ["dc=example,dc=com"],
         "readSchema" : true,
         "accountObjectClasses" : ["top","person","organizationalPerson","inetOrgPerson"],
         "accountUserNameAttributes" : ["uid","cn"],
         "host" : "localhost",
         "groupMemberAttribute" : "uniqueMember",
         "accountSearchFilter" : null,
         "passwordHashAlgorithm" : null,
         "usePagedResultControl" : false,
         "blockSize" : 100,
         "uidAttribute" : "entryUUID",
         "maintainLdapGroupMembership" : false,
         "respectResourcePasswordPolicyChangeAfterReset" : false
   }


  • "accountSynchronizationFilter" : null
    • A filter used during synchronization actions to filter out LDAP accounts.
  • "accountObjectClasses" : "top","person","organizationalPerson","inetOrgPerson"
    • The object class or classes that will be used when creating new user objects in the LDAP tree. When entering more than one object class, each entry should be on its own line; do not use commas or semi-colons to separate multiple object classes. Some object classes may require that you specify all object classes in the class hierarchy.
  • "accountSearchFilter" : null
    • A search filter that any account needs to match in order to be returned.
  • "accountUserNameAttributes" : "uid","cn"
    • Attribute or attributes which hold the account's user name. They will be used when authenticating to find the LDAP entry for the user name to authenticate.
  • "attributesToSynchronize" : ...
    • List of attributes which should be used during object synchronization. This ignores updates from the change log if they do not update any of the named attributes. If empty, all changes will be used.
  • "baseContexts" : "dc=example,dc=com"
    • The base DNs for operations on the server.
  • "baseContextsToSynchronize" : ...
    • The base contexts which will be taken into account during synchronization.
  • "blockSize" : 100
    • The block size for simple paged results and VLV index searches. It is the maximum number of accounts that can be in a block when retrieving accounts in blocks.
  • "changeLogBlockSize" : 100
    • The number of change log entries to fetch per query.
  • "changeNumberAttribute" : "changeNumber"
    • The name of the attribute which contains the last change number in the change log.
  • "credentials" : "Passw0rd"
    • The password of the user which is used to connect to the LDAP server.
  • "failover" : ...
    • LDAP URLs to connect to if the main server specified through the host and port properties is not available.
  • "filterWithOrInsteadOfAnd" : false
    • Normally the filter used to fetch change log entries is an and-based filter retrieving an interval of change entries. If this property is set, the filter will "or together" the required change numbers instead.
  • "groupMemberAttribute" : "uniqueMember"
    • The LDAP attribute holding the member for non-POSIX static groups.
  • "host" : "localhost"
    • The LDAP host server to connect to.
  • "maintainLdapGroupMembership" : false
    • If true, will modify group membership of renamed/deleted entries.
  • "maintainPosixGroupMembership" : false
    • If true, will modify POSIX group membership of renamed/deleted entries.
  • "modifiersNamesToFilterOut" : ...
    • Names of modifiers whose changes are filtered out during synchronization. Useful to avoid loops caused by the connector's own changes.
  • "objectClassesToSynchronize" : "inetOrgPerson"
    • Object classes to be used during synchronization, i.e. only objects with these object classes will be synchronized.
  • "passwordAttribute" : "userPassword"
    • The name of the attribute which the predefined PASSWORD attribute will be written to.
  • "passwordAttributeToSynchronize" : null
    • See above.
  • "passwordDecryptionInitializationVector" : null
    • Password Decryption Initialization Vector
  • "passwordDecryptionKey" : null
    • The key to decrypt passwords with when performing password synchronization.
  • "passwordHashAlgorithm" : null
    • If the server stores passwords in clear text, we will hash them with the algorithm specified here.
  • "port" : 1389
    • The port the LDAP server is listening on.
  • "principal" : "cn=Directory Manager"
    • The bind DN for performing operations on the server.
  • "readSchema" : true
    • Whether to read the schema from the server.
  • "removeLogEntryObjectClassFromFilter" : true
    • If this property is set (the default), the filter used to fetch change log entries does not contain the "changeLogEntry" object class, expecting that there are no entries of other object types in the change log.
  • "respectResourcePasswordPolicyChangeAfterReset" : false
    • If true, check for the Password Expired control (and also the Password Policy control) when binding, and throw exceptions (PasswordExpiredException, etc.) appropriately.
  • "ssl" : false
    • Whether the port is a secure SSL port.
  • "synchronizePasswords" : false
    • Whether passwords should be synchronized.
  • "uidAttribute" : "entryUUID"
    • The LDAP attribute to map Uid to.
  • "useBlocks" : true
    • Whether to use block-based LDAP controls like simple paged results or VLV control.
  • "usePagedResultControl" : false
    • If true, simple paged search will be preferred over VLV index search when both are available.
  • "vlvSortAttribute" : "uid"
    • The attribute used as the sort key for the VLV index.
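
The example values above bind as cn=Directory Manager with a literal password and "ssl" : false, which is convenient for a local test directory but worth catching before a configuration reaches a shared environment. The following check is an added example, not part of OpenIDM or OpenICF: the audit function, the ROOT_DNS list and the finding texts are assumptions made for illustration, and the sample input is constructed from the values shown on this page.

```python
import json

# Constructed sample: the page's example values, with the "[...]" elisions
# and the properties these checks do not read left out.
SAMPLE = json.loads("""
{
  "configurationProperties": {
    "host": "localhost", "port": 1389, "ssl": false,
    "principal": "cn=Directory Manager", "credentials": "Passw0rd",
    "synchronizePasswords": false,
    "passwordAttributeToSynchronize": null,
    "passwordDecryptionKey": null,
    "passwordDecryptionInitializationVector": null
  }
}
""")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Assumption: bind DNs treated as directory superusers; extend for your server.
ROOT_DNS = {"cn=directory manager"}


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around the RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def audit(config):
    """Return (property, message) findings for one provisioner configuration."""
    props = config.get("configurationProperties", {})
    findings = []
    if not props.get("ssl", False):
        where = "loopback only" if props.get("host") in LOOPBACK else "over the network"
        findings.append(("ssl", f"bind DN and password sent unencrypted ({where})"))
    if isinstance(props.get("credentials"), str) and props["credentials"]:
        findings.append(("credentials", "bind password stored as a literal string"))
    if normalize_dn(props.get("principal") or "") in ROOT_DNS:
        findings.append(("principal", "connector binds as the directory superuser"))
    if props.get("synchronizePasswords"):
        for name in ("passwordAttributeToSynchronize", "passwordDecryptionKey",
                     "passwordDecryptionInitializationVector"):
            if props.get(name) is None:
                findings.append((name, "null although synchronizePasswords is true"))
    return findings


if __name__ == "__main__":
    for prop, message in audit(SAMPLE):
        print(f"{prop}: {message}")
```

Run against the page's example values it reports ssl, credentials and principal; a dedicated service account with only the rights the synchronization needs, bound over an SSL port, clears the ssl and principal findings.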

Example Provisioner Configurations

A comprehensive example of an LDAP provisioner-json that fits almost all cases can be found in openidm/sample/provisioner of OpenIDM.
By contrast, a version stripped down to nearly the minimum is available in openidm/sample/sample2/conf.
