Use case overview
ForgeRock provides a wide range of identity connectors that allow you to synchronize identity data to and from external data stores.
Connectors can access data in your ForgeRock Identity Cloud tenant as well as from an app or service that operates on a server external to your tenant. They can convert identity profiles and user accounts into a compatible format that can be used by both data stores.
In this simple use case, we’ll demonstrate how to configure a connector for an LDAP data store. With the LDAP connector, you can connect to any LDAPv3-compliant directory server, such as ForgeRock Directory Services (DS), Active Directory, SunDS, Oracle Directory Server Enterprise Edition, IBM Security Directory Server, and OpenLDAP.
Steps to achieve this use case
This use case has two stages:
-
Configure the Remote Server Connector (RCS)
-
Configure the LDAP connector
The use case assumes that you already have an LDAP directory data store.
Configure the Remote Server Connector (RCS)
Identity Cloud includes a Remote Server Connector (RCS) component that allows you to access data across a security boundary, for example on an LDAP or other on-premises target system that requires a connection to Identity Cloud.
Before you can configure the LDAP connector you must configure the RCS.
Install and configure the RCS by following steps 1 through 3 in the Synchronization > Before you begin section of the documentation:
- Register a remote server
- Download a remote server
- Configure a remote server to connect to Identity Cloud
Once the RCS server is installed and configured, check the status of the RCS server:
-
Sign in to the Identity Cloud admin UI using your admin tenant URL, in the format
https://<tenant-name>/am/XUI/?realm=/#/. -
Go to Identities > Connect. The Connector Server should be
Connected.
Configure the LDAP Connector
-
Sign in to the Identity Cloud admin UI using your admin tenant URL, in the format
https://<tenant-name>/am/XUI/?realm=/#/. -
Go to Native Consoles > Identity Management > Configure > Connectors.
-
Click New Connector.
-
Complete the following connector details:
-
Connector Name: Enter a name to identify this connector. In our example, we’ve named it
PreviousCIAM. -
Remote Host: Enter the name of the RCS you created previously.
-
Connector Type: Select
LDAP Connector - <version number> -
LDAP Type: Select the LDAP Type, for example,
Generic LDAP Configuration. -
Host Name or IP: Enter the host name or IP address of the server on which the LDAP instance is running - this MUST be resolvable and reachable from the RCS.
-
Port: Enter the port on which the LDAP server listens for LDAP requests. Our example configuration specifies a default port of
1389. -
Account Distinguished Name (DN): Enter the bind user for LDAP. In our example, this is
cn=Directory. -
Password: Enter the bind password for the above account.
-
Base DN: Enter the Base Distinguished Name where users can be found.
In our example, this isdc=previousCiam,dc=net. -
Object Classes for users: Enter the list of object classes for the user objects you want to see. For example,
top,personorganizationalPerson,inetOrgPerson -
Object Classes for groups: Enter the list of object classes for the group objects you want to see. For example,
top,groupOfUniqueNames.
-
-
Click Save.
-
Click the Data tab and check that users are being populated. If they are, the connector is successfully set up.
Examine the object types
To view the object types for the connector:
-
Click the Object Types tab.
-
Click Edit (pencil) icon next to an object to view the object properties.
In our example, we have an Object Type called account.
Note that the userPassword property of the account object type is a string. This allows us to do credential synchronization for bulk or trickle migration.
Additional resources
Documentation:
- LDAP connector
- Sync identities
- Register a remote server with your tenant
- Identity Mappings
- Synchronization
Training videos:
- Identity Cloud Deep Dive: Identity Management: Managing Connectors
- Demo: Add Connector Configuration for External LDAP Resource
Other resources: