Generic LDAP Connector technical reference

This article describes the Generic LDAP Connector. The article applies to the following products:

  • Microsoft Identity Manager 2016 (MIM2016)
  • Forefront Identity Manager 2010 R2 (FIM2010R2)
    • Must use hotfix 4.1.3671.0 or later.

For MIM2016 and FIM2010R2, the Connector is available as a download from the Microsoft Download Center.

When referring to IETF RFCs, this document uses the format (RFC [RFC number]/[section in RFC document]), for example (RFC 4512/4.3). You can find more information at https://tools.ietf.org/. In the left panel, enter an RFC number in the Doc fetch dialog box and test it to make sure it is valid.

Overview of the Generic LDAP Connector

The Generic LDAP Connector enables you to integrate the synchronization service with an LDAP v3 server.

Certain operations and schema elements, such as those needed to perform delta import, are not specified in the IETF RFCs. For these operations, only LDAP directories explicitly specified are supported.

For connecting to the directories, we test using the root/admin account. To use a different account with more granular permissions, you may need to review the required permissions with your LDAP directory team.

From a high-level perspective, the following features are supported by the current release of the connector:

Feature: Connected data source
Support: The Connector is supported with all LDAP v3 servers (RFC 4510 compliant). It has been tested with the following:
  • Microsoft Active Directory Lightweight Directory Services (AD LDS)
  • Microsoft Active Directory Global Catalog (AD GC)
  • 389 Directory Server
  • Apache Directory Server
  • IBM Tivoli DS
  • Isode Directory
  • NetIQ eDirectory
  • Novell eDirectory
  • Open DJ
  • Open DS
  • Open LDAP (openldap.org)
  • Oracle (previously Sun) Directory Server Enterprise Edition
  • RadiantOne Virtual Directory Server (VDS)
  • Sun One Directory Server
  • Microsoft Active Directory Domain Services (AD DS)
    • For most scenarios, you must use the built-in Active Directory Connector instead, as some features may not work
  Notable known directories or features not supported:
  • Microsoft Active Directory Domain Services (AD DS)
    • Password Change Notification Service (PCNS)
    • Exchange provisioning
    • Delete of Active Sync Devices
    • Support for nTSecurityDescriptor
  • Oracle Internet Directory (OID)

Feature: Scenarios
Support:
  • Object Lifecycle Management
  • Group Management
  • Password Management

Feature: Operations
Support: The following operations are supported on all LDAP directories:
  • Full Import
  • Export
  The following operations are only supported on specified directories:
  • Delta import
  • Set Password, Change Password

Feature: Schema
Support:
  • Schema is detected from the LDAP schema (RFC3673 and RFC4512/4.2)
  • Supports structural classes, aux classes, and the extensibleObject object class (RFC4512/4.3)

Delta import and password management support

Supported directories for delta import and password management:

• Microsoft Active Directory Lightweight Directory Services (AD LDS)
  • Supports all operations for delta import
  • Supports Set Password
• Microsoft Active Directory Global Catalog (AD GC)
  • Supports all operations for delta import
  • Supports Set Password
• 389 Directory Server
  • Supports all operations for delta import
  • Supports Set Password and Change Password
• Apache Directory Server
  • Does not support delta import since this directory does not have a persistent change log
  • Supports Set Password
• IBM Tivoli DS
  • Supports all operations for delta import
  • Supports Set Password and Change Password
• Isode Directory
  • Supports all operations for delta import
  • Supports Set Password and Change Password
• Novell eDirectory and NetIQ eDirectory
  • Supports Add, Update, and Rename operations for delta import
  • Does not support Delete operations for delta import
  • Supports Set Password and Change Password
• Open DJ
  • Supports all operations for delta import
  • Supports Set Password and Change Password
• Open DS
  • Supports all operations for delta import
  • Supports Set Password and Change Password
• Open LDAP (openldap.org)
  • Supports all operations for delta import
  • Supports Set Password
  • Does not support Change Password
• Oracle (previously Sun) Directory Server Enterprise Edition
  • Supports all operations for delta import
  • Supports Set Password and Change Password
• RadiantOne Virtual Directory Server (VDS)
  • Must be using version 7.1.1 or higher
  • Supports all operations for delta import
  • Supports Set Password and Change Password
• Sun One Directory Server
  • Supports all operations for delta import
  • Supports Set Password and Change Password

Prerequisites

Before you use the Connector, make sure you have the following on the synchronization server:

• Microsoft .NET 4.5.2 Framework or later

Deploying this connector may require changes to the configuration of the directory server as well as configuration changes to MIM. For deployments that integrate MIM with a third-party directory server in a production environment, we recommend customers work with their directory server vendor or a deployment partner for help, guidance, and support for this integration.

Detecting the LDAP server

The Connector relies upon various techniques to detect and identify the LDAP server. The Connector uses the Root DSE and the vendor name/version, and it inspects the schema to find unique objects and attributes known to exist in certain LDAP servers. This data, if found, is used to pre-populate the configuration options in the Connector.

Connected Data Source permissions

To perform import and export operations on the objects in the connected directory, the connector account must have sufficient permissions. The connector needs write permissions to be able to export, and read permissions to be able to import. Permission configuration is performed within the management tools of the target directory itself.

Ports and protocols

The connector uses the port number specified in the configuration, which by default is 389 for LDAP and 636 for LDAPS.

For LDAPS, you must use SSL 3.0 or TLS. SSL 2.0 is not supported and cannot be activated.

Required controls and features

The following LDAP controls/features must be available on the LDAP server for the connector to work properly:
1.3.6.1.4.1.4203.1.5.3  True/False filters

The True/False filter is frequently not reported as supported by LDAP directories and might show up on the Global page under Mandatory Features Not Found. It is used to create OR filters in LDAP queries, for example when importing multiple object types. If you can import more than one object type, then your LDAP server supports this feature.

If you use a directory where a unique identifier is the anchor, the following must also be available (for more information, see the Configure Anchors section):
1.3.6.1.4.1.4203.1.5.1  All operational attributes

If the directory has more objects than can fit in one call to the directory, then it is recommended to use paging. For paging to work, you need one of the following options:

Option 1:
1.2.840.113556.1.4.319  pagedResultsControl

Option 2:
2.16.840.1.113730.3.4.9  VLVControl
1.2.840.113556.1.4.473  SortControl

If both options are enabled in the connector configuration, pagedResultsControl is used.

1.2.840.113556.1.4.417  ShowDeletedControl

ShowDeletedControl is only used with the USNChanged delta import method, to be able to see deleted objects.

The connector tries to detect the options present on the server. If the options cannot be detected, a warning is shown on the Global page in the connector properties. Not all LDAP servers advertise all the controls/features they support, so even if this warning is present, the connector might work without issues.

Delta import

Delta import is only available when a directory that supports it has been detected. The following methods are currently used:

• LDAP Accesslog. See http://www.openldap.org/doc/admin24/overlays.html#Access Logging
• LDAP Changelog. See http://tools.ietf.org/html/draft-good-ldap-changelog-04
• TimeStamp. For Novell/NetIQ eDirectory, the Connector uses the last modified date/time to get created and updated objects. Novell/NetIQ eDirectory does not provide an equivalent means to retrieve deleted objects. This option can also be used if no other delta import method is active on the LDAP server. This option is not able to import deleted objects.
• USNChanged. See: https://msdn.microsoft.com/library/ms677627.aspx

Not supported

The following LDAP features are not supported:

• LDAP referrals between servers (RFC 4511/4.1.10)

Create a new Connector

To create a Generic LDAP connector, in Synchronization Service select Management Agent and Create. Select the Generic LDAP (Microsoft) Connector.

[Screenshot: MIM Sync UI to Create a new Connector]

Connectivity

On the Connectivity page, you must specify the Host, Port, and Binding information. Depending on which Binding is selected, additional information might be required in the following sections.

[Screenshot: MIM Sync connector configuration Connectivity page]

• The Connection Timeout setting is only used for the first connection to the server when detecting the schema.
• If Binding is Anonymous, then neither username/password nor certificate are used.
• For other bindings, enter information either in username/password or select a certificate.
• If you are using Kerberos to authenticate, then also provide the Realm/Domain of the user.

The attribute aliases text box is used for attributes defined in the schema with RFC4522 syntax. These attributes cannot be detected during schema detection and the Connector needs help to identify those attributes. For example, the following must be entered in the attribute aliases box to correctly identify the userCertificate attribute as a binary attribute:

userCertificate;binary

The following is an example of how this configuration could look:

[Screenshot: MIM Sync connector configuration Connectivity page with attributes]

Select the Include operational attributes in schema checkbox to also include attributes created by the server. These include attributes such as when the object was created and the last update time.

Select Include extensible attributes in schema if extensible objects (RFC4512/4.3) are used. Enabling this option allows every attribute to be used on all objects. Selecting this option makes the schema very large, so unless the connected directory is using this feature the recommendation is to keep the option unselected.

Global Parameters

On the Global Parameters page, you configure the DN to the delta change log and additional LDAP features. The page is pre-populated with the information provided by the LDAP server.

[Screenshot: MIM Sync connector configuration global parameters page]

The top section shows information provided by the server itself, such as the name of the server. The Connector also verifies that the mandatory controls are present in the Root DSE. If these controls are not listed, a warning is presented. Some LDAP directories do not list all features in the Root DSE, and it is possible that the Connector works without problems even if a warning is present.

The supported controls checkboxes control the behavior for certain operations:

• With tree delete selected, a hierarchy is deleted with one LDAP call. With tree delete unselected, the connector does a recursive delete if needed.
• With paged results selected, the Connector does a paged import with the page size specified on the run steps.
• The VLVControl and SortControl are an alternative to the pagedResultsControl for reading data from the LDAP directory.
• If all three options (pagedResultsControl, VLVControl, and SortControl) are unselected, then the Connector imports all objects in one operation, which might fail if it is a large directory.
• ShowDeletedControl is only used when the delta import method is USNChanged.
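The following is an added example, not code from the Connector or from this reference, that applies the rules from the Required controls and features section and the supported-controls checkboxes above to a Root DSE: it reports which of the page's OIDs are missing and which paging option the Connector would use. The Root DSE dictionaries are constructed sample input, and the warning texts are this example's own.

```python
# Added example (not part of the Generic LDAP Connector): evaluate a Root DSE
# against the controls/features this reference lists, using the OIDs from the
# "Required controls and features" section.

TRUE_FALSE_FILTERS = "1.3.6.1.4.1.4203.1.5.3"     # supportedFeatures
ALL_OPERATIONAL_ATTRS = "1.3.6.1.4.1.4203.1.5.1"  # supportedFeatures
PAGED_RESULTS = "1.2.840.113556.1.4.319"          # supportedControl
VLV = "2.16.840.1.113730.3.4.9"                   # supportedControl
SORT = "1.2.840.113556.1.4.473"                   # supportedControl
SHOW_DELETED = "1.2.840.113556.1.4.417"           # supportedControl


def check_root_dse(root_dse, anchor_is_unique_id=False, delta_method=None):
    """Return (warnings, paging) for a Root DSE given as a dict mapping
    attribute name -> list of OID strings (constructed input format)."""
    controls = set(root_dse.get("supportedControl", []))
    features = set(root_dse.get("supportedFeatures", []))
    warnings = []
    # Often not advertised even when supported; the page treats it as advisory.
    if TRUE_FALSE_FILTERS not in features:
        warnings.append("True/False filters not advertised (needed for OR filters)")
    # Only required when a unique identifier (not dn) is the anchor.
    if anchor_is_unique_id and ALL_OPERATIONAL_ATTRS not in features:
        warnings.append("All operational attributes not advertised")
    # Option 1 (pagedResultsControl) wins when both paging options exist.
    if PAGED_RESULTS in controls:
        paging = "pagedResultsControl"
    elif VLV in controls and SORT in controls:
        paging = "VLVControl+SortControl"
    else:
        paging = None
        warnings.append("No paging option detected: import runs as one operation")
    # ShowDeletedControl only matters for the USNChanged delta import method.
    if delta_method == "USNChanged" and SHOW_DELETED not in controls:
        warnings.append("ShowDeletedControl not advertised: deletes invisible")
    return warnings, paging


# Constructed Root DSE resembling an AD LDS server (not captured output).
SAMPLE_AD_LDS = {
    "supportedControl": [PAGED_RESULTS, SORT, SHOW_DELETED],
    "supportedFeatures": [TRUE_FALSE_FILTERS, ALL_OPERATIONAL_ATTRS],
}
# Constructed Root DSE of a server advertising only VLV/Sort paging.
SAMPLE_VLV_ONLY = {"supportedControl": [VLV, SORT], "supportedFeatures": []}

if __name__ == "__main__":
    for name, dse in (("ad-lds", SAMPLE_AD_LDS), ("vlv-only", SAMPLE_VLV_ONLY)):
        w, p = check_root_dse(dse, anchor_is_unique_id=True, delta_method="USNChanged")
        print(name, "paging:", p, "warnings:", w)
```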

The change log DN is the naming context used by the delta change log, for example cn=changelog. This value must be specified to be able to do delta import.

The following is a list of default change log DNs:

Directory                    Delta change log
Microsoft AD LDS and AD GC   Automatically detected. USNChanged.
Apache Directory Server      Not available.
389 Directory Server         Change log. Default value to use: cn=changelog
IBM Tivoli DS                Change log. Default value to use: cn=changelog
Isode Directory              Change log. Default value to use: cn=changelog
Novell/NetIQ eDirectory      Not available. TimeStamp. The Connector uses the last updated date/time to get added and updated records.
Open DJ/DS                   Change log. Default value to use: cn=changelog
Open LDAP                    Access log. Default value to use: cn=accesslog
Oracle DSEE                  Change log. Default value to use: cn=changelog
RadiantOne VDS               Virtual directory. Depends on the directory connected to VDS.
Sun One Directory Server     Change log. Default value to use: cn=changelog

The password attribute is the name of the attribute the Connector should use to set the password in password change and password set operations. This value is by default set to userPassword but can be changed when needed for a particular LDAP system.

In the additional partitions list, it is possible to add additional namespaces not automatically detected. For example, this setting can be used if several servers make up a logical cluster, which should all be imported at the same time. Just as Active Directory can have multiple domains in one forest where all domains share one schema, the same can be simulated by entering the additional namespaces in this box. Each namespace can import from different servers and is further configured on the Configure Partitions and Hierarchies page. Use Ctrl+Enter to get a new line.

Configure Provisioning Hierarchy

This page is used to map a DN component, for example OU, to the object type that should be provisioned, for example organizationalUnit.

[Screenshot: Provisioning Hierarchy]

By configuring the provisioning hierarchy, you can configure the Connector to automatically create a structure when needed. For example, if there is a namespace dc=contoso,dc=com and a new object cn=Joe, ou=Seattle, c=US, dc=contoso, dc=com is provisioned, then the Connector can create an object of type country for US and an organizationalUnit for Seattle if those are not already present in the directory.
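The following is an added example, not the Connector's own code, that works through the page's provisioning-hierarchy scenario: given the DN-component-to-object-type mapping configured on this page, it computes which parent containers of a new DN must be created, top-down, skipping any that already exist. The mapping, the set of existing entries, and the simplified DN parsing (single-valued RDNs, no escaped commas) are this example's assumptions.

```python
# Added example (not part of the Generic LDAP Connector): derive the parent
# objects the provisioning hierarchy would have to create for a new DN.


def parse_dn(dn):
    """Split a DN into (type, value) pairs, leftmost RDN first.
    Assumes single-valued RDNs without escaped commas (simplified parser)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def join_dn(rdns):
    """Render (type, value) pairs back into a DN without spaces."""
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def missing_parents(new_dn, namespace, hierarchy, existing):
    """Return [(dn, objectClass), ...] for the parents of new_dn, below the
    namespace, that are not in `existing`, ordered so parents come first.
    hierarchy maps a DN component (e.g. 'ou') to the object type to provision."""
    rdns = parse_dn(new_dn)
    ns_rdns = parse_dn(namespace)
    if rdns[-len(ns_rdns):] != ns_rdns:
        raise ValueError("new DN is not under the configured namespace")
    parents = rdns[1:-len(ns_rdns)]  # drop the leaf RDN and the namespace
    existing_norm = {join_dn(parse_dn(dn)) for dn in existing}
    to_create = []
    # Walk from just below the namespace toward the leaf (top-down creation).
    for i in range(len(parents) - 1, -1, -1):
        attr, _ = parents[i]
        parent_dn = join_dn(parents[i:] + ns_rdns)
        if parent_dn in existing_norm:
            continue
        if attr not in hierarchy:
            raise ValueError(f"no object type mapped for DN component '{attr}'")
        to_create.append((parent_dn, hierarchy[attr]))
    return to_create


# Constructed mapping as it would be entered on the Provisioning Hierarchy page.
HIERARCHY = {"ou": "organizationalUnit", "c": "country"}
# Constructed set of entries already present in the directory.
EXISTING = {"dc=contoso,dc=com"}

if __name__ == "__main__":
    new_dn = "cn=Joe, ou=Seattle, c=US, dc=contoso, dc=com"
    for dn, object_class in missing_parents(new_dn, "dc=contoso,dc=com", HIERARCHY, EXISTING):
        print(f"create {object_class}: {dn}")
```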

Configure Partitions and Hierarchies

On the partitions and hierarchies page, select all namespaces with objects you plan to import and export.

[Screenshot: MIM Sync connector configuration Partitions page]

For each namespace, it is also possible to configure connectivity settings that override the values specified on the Connectivity screen. If these values are left at their default blank value, the information from the Connectivity screen is used.

It is also possible to select which containers and OUs the Connector should import from and export to.

When performing a search, this is done across all containers in the partition. In cases where there are large numbers of containers, this behavior leads to performance degradation.

Note

Starting in the March 2017 update to the Generic LDAP connector, searches can be limited in scope to only the selected containers. This can be done by selecting the checkbox 'Search only in selected containers' as shown in the image below.

[Screenshot: Search only selected containers]

Configure Anchors

This page always has a preconfigured value and cannot be changed. If the server vendor has been identified, then the anchor might be populated with an immutable attribute, for example the GUID for an object. If it has not been detected or is known to not have an immutable attribute, then the connector uses dn (distinguished name) as the anchor.

[Screenshot: MIM Sync connector configuration anchors page]

The following is a list of LDAP servers and the anchor being used:

Directory                    Anchor attribute
Microsoft AD LDS and AD GC   objectGUID
389 Directory Server         dn
Apache Directory             dn
IBM Tivoli DS                dn
Isode Directory              dn
Novell/NetIQ eDirectory      GUID
Open DJ/DS                   dn
Open LDAP                    dn
Oracle ODSEE                 dn
RadiantOne VDS               dn
Sun One Directory Server     dn

Other notes

This section provides information on aspects that are specific to this Connector or are for other reasons important to know.

Delta import

The delta watermark in Open LDAP is a UTC date/time. For this reason, the clocks of the FIM Synchronization Service and the Open LDAP server must be synchronized. If not, some entries in the delta change log might be omitted.

For Novell eDirectory, the delta import does not detect any object deletes. For this reason, it is necessary to run a full import periodically to find all deleted objects.

For directories with a delta change log that is based on date/time, it is highly recommended to run a full import at periodic times. This procedure allows the sync engine to find any discrepancies between the LDAP server and what is currently in the connector space.

Troubleshooting

• For information on how to enable logging to troubleshoot the connector, see How to Enable ETW Tracing for Connectors.