
Overview

This guide outlines how to synchronise users between two (or more) instances of OpenIDM, including all of their user data such as passwords and KBA questions and answers. This is achieved through the use of the Scripted CREST connector.

Prerequisites

  1. Two instances of OpenIDM up and running with the managed user object configured according to your requirements.
  2. KBA should be configured on both instances.

1. Configuring the Scripted CREST Connector

  1. Examine the provisioner file below. This will be used as the basis for our integration.
  2. Copy the contents of the provisioner file into a new provisioner e.g. /openidm/conf/provisioner.openicf-openidm.json

    provisioner.openicf-openidm.json
    {
        "name" : "openidm",
        "connectorRef" : {
            "connectorHostRef" : "#LOCAL",
            "connectorName" : "org.forgerock.openicf.connectors.scriptedcrest.ScriptedCRESTConnector",
            "bundleName" : "org.forgerock.openicf.connectors.groovy-connector",
            "bundleVersion" : "1.4.2.0"
        },
        "poolConfigOption" : {
            "maxObjects" : 10,
            "maxIdle" : 10,
            "maxWait" : 150000,
            "minEvictableIdleTimeMillis" : 120000,
            "minIdle" : 1
        },
        "operationTimeout" : {
            "CREATE" : -1,
            "UPDATE" : -1,
            "DELETE" : -1,
            "TEST" : -1,
            "SCRIPT_ON_CONNECTOR" : -1,
            "SCRIPT_ON_RESOURCE" : -1,
            "GET" : -1,
            "RESOLVEUSERNAME" : -1,
            "AUTHENTICATE" : -1,
            "SEARCH" : -1,
            "VALIDATE" : -1,
            "SYNC" : -1,
            "SCHEMA" : -1
        },
        "resultsHandlerConfig" : {
            "enableNormalizingResultsHandler" : true,
            "enableFilteredResultsHandler" : true,
            "enableCaseInsensitiveFilter" : false,
            "enableAttributesToGetSearchResultsHandler" : true
        },
        "configurationProperties" : {
            "serviceAddress" : "http://localhost.localdomain.com:18080/openidm/managed",
            "proxyAddress" : null,
            "username" : "openidm-admin",
            "password" : "openidm-admin",
            "defaultAuthMethod" : "BASIC_PREEMPTIVE",
            "defaultRequestHeaders" : [
                null
            ],
            "defaultContentType" : "application/json",
            "scriptExtensions" : [
                "groovy"
            ],
            "sourceEncoding" : "UTF-8",
            "authenticateScriptFileName" : "AuthenticateScript.groovy",
            "customizerScriptFileName" : "CustomizerScript.groovy",
            "createScriptFileName" : "CreateScript.groovy",
            "deleteScriptFileName" : "DeleteScript.groovy",
            "resolveUsernameScriptFileName" : "ResolveUsernameScript.groovy",
            "schemaScriptFileName" : "SchemaScript.groovy",
            "scriptOnResourceScriptFileName" : "ScriptOnResourceScript.groovy",
            "searchScriptFileName" : "SearchScript.groovy",
            "syncScriptFileName" : "SyncScript.groovy",
            "testScriptFileName" : "TestScript.groovy",
            "updateScriptFileName" : "UpdateScript.groovy",
            "scriptBaseClass" : null,
            "recompileGroovySource" : false,
            "minimumRecompilationInterval" : 100,
            "debug" : true,
            "verbose" : true,
            "warningLevel" : 1,
            "tolerance" : 10,
            "disabledGlobalASTTransformations" : null,
            "targetDirectory" : null,
            "classpath" : [
                "/usr/local/env/box/openidm_a/tools/scriptedcrest"
            ],
            "scriptRoots" : [
                "/usr/local/env/box/openidm_a/tools/scriptedcrest"
            ]
        },
        "objectTypes" : {
            "user" : {
                "$schema" : "http://json-schema.org/draft-03/schema",
                "id" : "user",
                "type" : "object",
                "nativeType" : "user",
                "properties" : {
                    "userName" : {
                        "type" : "string",
                        "nativeType" : "string",
                        "nativeName" : "userName",
                        "required" : false
                    },
                    "_id" : {
                        "type" : "string",
                        "nativeType" : "string",
                        "nativeName" : "__NAME__",
                        "required" : false,
                        "flags" : [
                            "NOT_UPDATEABLE"
                        ]
                    },
                    "password" : {
                        "type" : "string",
                        "nativeType" : "string",
                        "nativeName" : "password",
                        "required" : false
                    },
    				"givenName" : {
                        "type" : "string",
                        "nativeType" : "string",
                        "nativeName" : "givenName",
                        "required" : false
                    },
                    "sn" : {
                        "type" : "string",
                        "nativeType" : "string",
                        "nativeName" : "sn",
                        "required" : false
                    },
    				"mail" : {
                        "type" : "string",
                        "nativeType" : "string",
                        "nativeName" : "mail",
                        "required" : false
                    },
    				"kbaInfo" : {
                        "type" : "array",
                        "nativeType" : "object",
                        "nativeName" : "kbaInfo",
                        "required" : false,
                        "items" : {
                            "type" : "object"
                        }
    				}
                }
            }
        }
    }
  3. Ensure the following configuration properties are set according to your environment:

    "serviceAddress" : "http://localhost.localdomain:18080/openidm/managed" - This is the IDM instance you want to sync users TO. Use an https:// address for anything other than a local test: the admin credentials (sent with BASIC_PREEMPTIVE) and the decrypted user passwords (see the transformation script in section 2) travel over this connection.
    "username" : "openidm-admin" - The username of the admin user for the IDM instance you want to sync users TO
    "password" : "openidm-admin" - The password of the admin user for the IDM instance you want to sync users TO. Replace the default value, and treat the provisioner file as sensitive once the real password is in it.
     
    
    "classpath" : [
                "/usr/local/env/box/openidm_a/tools/scriptedcrest" - The directory the Scripted CREST connector scripts will be copied to in steps 4 and 5 below.
            ],
    "scriptRoots" : [
                "/usr/local/env/box/openidm_a/tools/scriptedcrest" - The directory the Scripted CREST connector scripts will be copied to in steps 4 and 5 below.
            ]
    
    
  4. Ensure the directory specified above has been created: mkdir /usr/local/env/box/openidm_a/tools/scriptedcrest
  5. Copy the Scripted CREST connector scripts from the samples dir: cp -r /usr/local/env/box/openidm_a/samples/scriptedcrest2dj/tools/ /usr/local/env/box/openidm_a/tools/scriptedcrest
  6. Open the following file in an editor: /usr/local/env/box/openidm_a/tools/scriptedcrest/SchemaScript.groovy and edit the following line so that the file name matches the name of your provisioner file (provisioner.openicf-openidm.json, or whatever you called it above):

    // Provisioner file this connector's schema script reads; the file name must match the provisioner you created above.
    def file = new File(System.getProperty("launcher.project.location") + "/conf/provisioner.openicf-scriptedcrest.json")

2. Create new mapping

  1. Navigate to Configure -> Mappings
  2. Create a new mapping from the Managed User object to the new OpenIDM connector configured above in section 1.
  3. The mapping should look like this:
  4. Add a transformation script to decrypt the password (note that the password is decrypted for transmission, so the transport used must be secured with TLS or equivalent, i.e. an https:// serviceAddress in the provisioner):
  5. Change Behaviours -> Policy to "Default Action" so that new users are actually created in the target.

The sync.json extract for this mapping is below if you just want to copy it (the trailing "recon" object appears to be a reconciliation run record captured with the export rather than mapping configuration, and need not be copied):

{
    "mappings" : [
        {
            "target" : "system/openidm/user",
            "source" : "managed/user",
            "name" : "managedUser_sourceOpenidmUser",
            "properties" : [
                {
                    "target" : "userName",
                    "source" : "userName"
                },
                {
                    "target" : "givenName",
                    "source" : "givenName"
                },
                {
                    "target" : "sn",
                    "source" : "sn"
                },
                {
                    "target" : "password",
                    "source" : "password",
                    "transform" : {
                        "type" : "text/javascript",
                        "globals" : { },
                        "source" : "openidm.decrypt(source);"
                    }
                },
                {
                    "target" : "kbaInfo",
                    "source" : "kbaInfo"
                },
                {
                    "target" : "mail",
                    "source" : "mail"
                }
            ],
            "policies" : [
                {
                    "action" : "EXCEPTION",
                    "situation" : "AMBIGUOUS"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "SOURCE_MISSING"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "MISSING"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "FOUND_ALREADY_LINKED"
                },
                {
                    "action" : "DELETE",
                    "situation" : "UNQUALIFIED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "UNASSIGNED"
                },
                {
                    "action" : "EXCEPTION",
                    "situation" : "LINK_ONLY"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "TARGET_IGNORED"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "SOURCE_IGNORED"
                },
                {
                    "action" : "IGNORE",
                    "situation" : "ALL_GONE"
                },
                {
                    "action" : "UPDATE",
                    "situation" : "CONFIRMED"
                },
                {
                    "action" : "UPDATE",
                    "situation" : "FOUND"
                },
                {
                    "action" : "CREATE",
                    "situation" : "ABSENT"
                }
            ],
            "recon" : {
                "_id" : "55d41d98-6d3c-4d9c-8f4a-2f2bdcad0214-1160",
                "mapping" : "managedUser_sourceOpenidmUser",
                "state" : "SUCCESS",
                "stage" : "COMPLETED_SUCCESS",
                "stageDescription" : "reconciliation completed.",
                "progress" : {
                    "source" : {
                        "existing" : {
                            "processed" : 1,
                            "total" : "1"
                        }
                    },
                    "target" : {
                        "existing" : {
                            "processed" : 0,
                            "total" : "0"
                        },
                        "created" : 0
                    },
                    "links" : {
                        "existing" : {
                            "processed" : 0,
                            "total" : "0"
                        },
                        "created" : 0
                    }
                },
                "situationSummary" : {
                    "SOURCE_IGNORED" : 0,
                    "UNASSIGNED" : 0,
                    "AMBIGUOUS" : 0,
                    "CONFIRMED" : 0,
                    "FOUND_ALREADY_LINKED" : 0,
                    "UNQUALIFIED" : 0,
                    "ABSENT" : 1,
                    "TARGET_IGNORED" : 0,
                    "SOURCE_MISSING" : 0,
                    "MISSING" : 0,
                    "FOUND" : 0
                },
                "statusSummary" : {
                    "SUCCESS" : 0,
                    "FAILURE" : 1
                },
                "parameters" : {
                    "sourceQuery" : {
                        "resourceName" : "managed/user",
                        "queryId" : "query-all-ids"
                    },
                    "targetQuery" : {
                        "resourceName" : "system/openidm/user",
                        "queryId" : "query-all-ids"
                    }
                },
                "started" : "2016-04-27T09:21:56.797Z",
                "ended" : "2016-04-27T09:21:56.942Z",
                "duration" : 145
            }
        }
    ]
}

3. Test synchronization

  1. Try reconciling users.
  2. Users that exist in the first IDM instance should be created in the second, with KBA and passwords intact:

 
