Friday Jun 27, 2008

OpenDS reconciliation with Identity Manager

While configuring OpenDS as a Resource Adapter for Sun Identity Manager, I ran into the following problem while setting up reconciliation with the LDAP resource. After looking into it, the cause was the proxy user that Identity Manager uses to connect to the LDAP resource: all normal provisioning succeeds, but reconciliation fails because it uses the server-side sort control to return all users.

Trying to use server-side sorting (1.2.840.113556.1.4.473) as a normal user failed with insufficient access rights. An aci must be added to allow a normal user to use this control, but tracking this down took some effort. Here are the details:

Original ldif file to create the suffix:
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
 (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry";
 allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

THIS SEARCH WORKS FOR DIRECTORY MANAGER:
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword  
--searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"


But not for a normal user (the aci allows all; the ldif used to create the suffix is shown above):
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "uid=ldapadmin,ou=people,dc=identric,dc=com" --bindPassword  
--searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"
SEARCH operation failed
Result Code:  50 (Insufficient Access Rights)
Additional Information:  The request control with Object Identifier (OID) "1.2.840.113556.1.4.473" cannot be used due to insufficient access rights

This was resolved by adding the required aci with targetcontrol = "1.2.840.113556.1.4.473" (a targetattr rule, even one granting all rights, does not cover request controls):
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
 (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry";
 allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)
aci: (targetcontrol = "1.2.840.113556.1.4.473")(version 3.0; acl "LDAP Administrator Server Sort"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

dn: ou=People,dc=identric,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=ldapadmin,ou=people,dc=identric,dc=com
givenName: Ldap
sn: Admin
mail: ldap.admin@identric.com
uid: ldapadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
cn: LDAP Admin
userPassword: Passw0rd
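To make the failure above easier to reason about, here is an added Python model of how the ACIs from this post decide whether a bind DN may send a request control. It is my own illustration, not OpenDS code: it parses only the ACI shape used on this page, assumes (as the OpenDS docs state) that the read right on a targetcontrol rule governs control use, and treats cn=Directory Manager as a root user that bypasses access control.

```python
import re

SSS_OID = "1.2.840.113556.1.4.473"   # server-side sort control OID from the post
ROOT_DN = "cn=Directory Manager"      # root users bypass ACI evaluation

# ACIs as they appear on the suffix entry in the post (the self-modification
# rule is omitted: it is a targetattr rule and never applies to controls).
POST_ACIS = [
    '(targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)',
]
SORT_ACI = ('(targetcontrol = "1.2.840.113556.1.4.473")(version 3.0; acl "LDAP Administrator Server Sort"; '
            'allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)')

# Covers exactly: (target op "value")(version 3.0; acl "name"; allow (rights) userdn = "ldap:///who";)
ACI_RE = re.compile(
    r'\((?P<target>[a-zA-Z]+)\s*(?P<op>!=|=)\s*"(?P<value>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"ldap:///(?P<who>[^"]*)";\)', re.S)

def parse_aci(text):
    """Parse one ACI string of the shape used in the post into a dict."""
    m = ACI_RE.search(text)
    if not m:
        raise ValueError("unsupported ACI syntax: %r" % text)
    aci = m.groupdict()
    aci["rights"] = {r.strip() for r in aci["rights"].split(",")}
    aci["values"] = [v.strip() for v in aci["value"].split("||")]   # 'a || b' lists
    return aci

def control_allowed(acis, bind_dn, oid, entry_dn):
    """Return the acl name that lets bind_dn send request control `oid` against
    entry_dn, or None. Only targetcontrol rules are consulted, which is why the
    post's 'allow (all)' targetattr rule does not stop result code 50."""
    if bind_dn.lower() == ROOT_DN.lower():
        return "root user (bypasses access control)"
    for aci in map(parse_aci, acis):
        if aci["target"] != "targetcontrol":
            continue
        hit = oid in aci["values"] or "*" in aci["values"]
        if (aci["op"] == "!=") == hit:          # '!=' inverts the OID match
            continue
        who = aci["who"].lower()                # naive DN compare: lower-case only
        subject_ok = (who == "anyone"
                      or (who == "self" and bind_dn.lower() == entry_dn.lower())
                      or who == bind_dn.lower())
        # Assumption: read (or all) is the right that permits using the control.
        if subject_ok and aci["rights"] & {"all", "read"}:
            return aci["name"]
    return None
```

Running `control_allowed(POST_ACIS, "uid=ldapadmin,ou=people,dc=identric,dc=com", SSS_OID, "dc=identric,dc=com")` returns None, matching the failed search; appending SORT_ACI returns the "LDAP Administrator Server Sort" acl.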



About

harcey
