
Out of the box, OpenIDM uses the local "openidm-admin" account to make REST calls. This user is in the "openidm-admin" role and has extended privileges.

To use LDAP instead of a local account you must first create an LDAP group that contains OpenIDM administrators. Any member of this group will have admin rights. This sample uses the  group:


There are three files that you will need to enable pass-through authentication. They are included here as attachments that you can download into your OpenIDM conf/ and scripts/ directories. Click on the link to download the attachment.


This is the ICF connector to the LDAP directory that you will authenticate against. Edit this to match your environment. The provided sample uses localhost:389. If you are modifying an existing provisioner, it is essential that your "account" object has ldapGroups mapped. For example:

 "ldapGroups" : { "type" : "array",

                    "items" : {

                        "type" : "string",

                        "nativeType" : "string"


                    "nativeName" : "ldapGroups",                   

"nativeType" : "string"


You can validate that the connector is returning groups by doing a GET on the system/ldap URL. For example:




  "_id": "uid%3Didmadmin%2Cou%3DPeople%2Cdc%3Dexample%2Cdc%3Dcom",

  "uid": [



  "ou": [],

  "ldapGroups": [


  ], ....

[Note: The command is from]



This configuration file defines how OpenIDM authenticates users of the REST interface. The relevant changes made to this file are:


 "passThroughAuth" : "system/ldap/account",   <- Points to your ldap endpoint

"propertyMapping" : {

        "userId" : "_id",

        "userCredential" : "password",

        "userRoles" : "ldapGroups"      <- note mapping to ldapGroups      

 "allowedGroups" : [

 Allowed groups are the list of ldap groups that define whether a user is an administrator or not. 




This script is executed to evaluate the security context of the user. Put it in your scripts/ directory (or whatever path authentication.json points to).

Updates made to this file include:

    userDetail = openidm.query(resource, {
        'query' : {
            'Contains' : {
                'field' : 'uid',      <-- Note the query looks up uid instead of cn
                'values' : [
                    ...
                ]
            }
        }
    });






    if (security.userid.component === "system/ldap/account") {
        security["openidm-roles"] = isMemberOfAllowedGroups(userDetail.result[0].ldapGroups) ? ["openidm-admin","openidm-authorized"] : ["openidm-authorized"];
    }



The userDetail lookup references "ldapGroups" instead of the default "memberOf".
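The role-assignment step above, modelled as a stand-alone example (added here, not code from the OpenIDM page or product): the name isMemberOfAllowedGroups appears on the page, but its body, the DN normalisation and the sample group DNs are assumptions constructed for this example.

```javascript
// Constructed sample: the allowedGroups list that authentication.json would carry.
// The group DN is a placeholder, not the group used by the original page.
const allowedGroups = [
  'cn=openidm-admins,ou=Groups,dc=example,dc=com'
];

// Group DNs coming back from LDAP may differ from the configured ones only in
// attribute-type case or in spaces around the separating commas. Comparing raw
// strings would then silently deny admin rights, so normalise both sides first.
// (Assumption: cn/ou/dc values are case-insensitive, as with caseIgnoreMatch.)
function normalizeDn(dn) {
  return String(dn)
    .split(',')
    .map(function (rdn) { return rdn.trim().toLowerCase(); })
    .join(',');
}

// True when at least one of the user's ldapGroups is in the allowed list.
// A missing or non-array ldapGroups attribute (e.g. the provisioner mapping
// was forgotten) yields false, so the user falls back to openidm-authorized.
function isMemberOfAllowedGroups(ldapGroups, allowed) {
  if (!Array.isArray(ldapGroups)) { return false; }
  const allowedSet = new Set((allowed || allowedGroups).map(normalizeDn));
  return ldapGroups.some(function (g) { return allowedSet.has(normalizeDn(g)); });
}

// Mirrors the ternary in the security-context script: members of an allowed
// group get openidm-admin plus openidm-authorized, everyone else only the latter.
function rolesFor(userDetail, allowed) {
  const entry = userDetail && userDetail.result && userDetail.result[0];
  const groups = entry ? entry.ldapGroups : undefined;
  return isMemberOfAllowedGroups(groups, allowed)
    ? ['openidm-admin', 'openidm-authorized']
    : ['openidm-authorized'];
}
```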


