Table of Contents
Training Agenda...............................................................................................................................8
Part I) OpenIDM hands-on......................................................................................................8
Part II) Building all the different connectors..............................................................................9
Part III) Reconciliation................................................................................................................9
Part IV) SQL connectors...........................................................................................................11
Part V) Rule and Role Provisioning..........................................................................................12
Part 6) WorkFlow......................................................................................................................12
Part 7) Hardening – Security.....................................................................................................13
1) Getting Started with OpenIDM.................................................................................................15
1.1) Presentation........................................................................................................................15
Prerequisites..............................................................................................................................15
1.2) Installing openIDM............................................................................................................15
1.3) OpenIDM Directory hierarchy...........................................................................................15
1.4) Starting openIDM..............................................................................................................16
1.5) OpenIDM useful Information............................................................................................17
Exercises:..................................................................................................................................17
Exercise 1: openIDM infrastructure.....................................................................................17
Exercise 2: openIDM installation.........................................................................................17
Exercise 3: Starting openIDM..............................................................................................18
2) Discovering openIDM World....................................................................................................19
2.1) Overview - What is OpenIDM all about?..........................................................................19
2.2) Managed Objects...............................................................................................................19
2.3) Connectors.........................................................................................................................19
2.5) Mappings.......................................................................................................................20
2.6) Accessing openIDM as an administrative user...................................................................20
2.6.1) Dashboard..................................................................................................................20
2.6.2) Configure Tab.............................................................................................................21
2.6.3) Manage Tab................................................................................................................22
2.7) Accessing openIDM as a normal user..............................................................................24
Exercises:..................................................................................................................................25
Exercise 1: Using the admin user.........................................................................................25
Exercise 2: Creating a new User..........................................................................................25
3) OpenIDM Architecture..............................................................................................................26
3.1) Overview............................................................................................................................26
3.2) OpenIDM infrastructure using OSGI Framework.............................................................26
3.2) OpenIDM Modules............................................................................................................27
3.3) OpenIDM Core Services....................................................................................................27
3.3.1) Managed Objects:......................................................................................................27
3.3.2) Object Model..............................................................................................................28
3.3.3) Mappings....................................................................................................................28
3.3.4) Synchronization and Reconciliation..........................................................................28
3.3.5) Workflow....................................................................................................................28
4) Connector – Using an XML Connector.....................................................................................29
4.1) Overview............................................................................................................................29
4.2) Exercise..............................................................................................................................29
5) Connector – Using an LDAP Connector...................................................................................34
5.1) Overview............................................................................................................................34
openDJ installation...............................................................................................................34
5.2) Bringing up DJ LDAP Connector......................................................................................34
5.3) Viewing the connector Data...............................................................................................37
5.4) REST command to query LDAP connector data.....................................................................38
6) Connector – Using an SQL connector with Groovy...................................................................39
6.1) Overview............................................................................................................................39
6.2) Prerequisite........................................................................................................................39
6.2.1) Maven and MySQL.......................................................................................................39
6.2.2) mysql-connector-java-5.1.41-bin.jar driver...............................................................39
6.3) Exercise..............................................................................................................................39
6.3.1) Connecting to the MySQL database....................................................................................39
6.3.2) MySQL hrdb database preparation....................................................................................40
7) Connector – Using an AD connector.........................................................................................45
7.1) Overview............................................................................................................................45
7.2) Prerequisite........................................................................................................................45
7.3) Testing access to the AD machine............................................................................................45
7.4) AD provisioning file..........................................................................................................46
7.5) Display AD data within AD connector..............................................................................46
7.6) Another way to bring up the AD connector.................................................................................49
8) Mapping and Reconciliation......................................................................................................50
8.1) Overview............................................................................................................................50
8.2) Mapping - XML to Managed User....................................................................................50
8.2.1) Sync.json file – Mapping File....................................................................................50
8.2.2) Creating an XML mapping to Managed User Object Mapping File..........................50
Properties:.............................................................................................................................53
Association:..........................................................................................................................53
Behaviors..............................................................................................................................53
8.2.3) Adding properties to the Mapping..................................................................................55
8.2.3.1) Adding a new attribute property.............................................................................55
8.2.3.2) Adding a transformation script to the authzroles..................................................55
8.2.3.6) Adding a default password.................................................................................57
8.3) Running Reconciliation.....................................................................................................57
8.3.1) Creating a Managed User object................................................................................57
8.3.2) Running « Read-Only Reconciliation ».....................................................................58
8.3.3) Running Reconciliation using the default policy.......................................................60
8.4) Creating a synchronization mapping (OpenIDM – LDAP)...............................................61
8.4.1) Overview....................................................................................................................61
8.4.1) Prerequisite.................................................................................................................61
8.4.3) OpenDJ installation and Configuration......................................................................61
8.4.4) Creating a mapping from IDM to LDAP...................................................................62
8.4.5) Mapping attribute Grid Properties.............................................................................65
8.4.6) Add onCreate – Situational Event Script.....................................................................66
8.5) openIDM – OpenDJ Reconciliation..................................................................................67
8.5.1) Checking openIDM – OpenDJ reconciliation............................................................67
8.5.2) openIDM – OpenDJ Implicit Sync............................................................................68
8.6) Adding some new XML users............................................................................................68
8.6.1) Adding 2 new users to the XML file..........................................................................68
8.6.2) Running the Reconciliation........................................................................................69
8.7) Managed User - Linked System........................................................................................71
8.7.1) Managed Users...........................................................................................................71
8.7.2) Checking Managed User............................................................................................72
8.8) Adding description field to Managed User Object............................................................74
8.8.1) Adding attribute description to the Managed User Object.........................................74
8.8.2) Making the attribute viewable.......................................................................................75
8.8.3) Checking the description property on the Managed User.............................................76
8.8.4) Checking the description attribute value in LDAP........................................................76
8.9) Using the CLI......................................................................................................................77
8.9.1) Running the Reconciliation command from the CLI.................................................77
8.9.2) Accessing the Managed Users using the CLI...............................................................77
9) AD - IDM - OpenDJ..................................................................................................................79
9.1) Presentation........................................................................................................................79
9.2) Requirements.....................................................................................................................79
9.3) AD provisioning connector configuration.........................................................................80
9.4) AD connector user data verification..................................................................................81
9.5) Synchronization file sync.json...........................................................................................82
9.6) Reconciliation on AD mapping.........................................................................................82
9.7) Understanding reconciliation error messages......................................................................84
9.8) Fixing the errors – Running Reconciliation.......................................................................85
9.9) Propagation of AD User to LDAP.....................................................................................87
9.10) Performing an update on an AD user – Implicit Synchronization...................................88
10) OpenIDM – AD Mapping........................................................................................................90
11) Scripted SQL Connector - Reconciliation...............................................................................91
11.1) Overview..........................................................................................................................91
11.2) MySQL environment.......................................................................................................91
11.3) MySQL Database Preparation............................................................................................91
11.3.1) Checking the MySQL database.........................................................................................91
11.3.2) Creating hrdb database.............................................................................................92
11.3.3) MySQL Connector...................................................................................................92
11.4) Scripted SQL connector creation.....................................................................................92
11.5) Run the example..............................................................................................................94
11.5.1) Reset the SQL database............................................................................................94
11.5.2) Checking data at SQL Level.........................................................................................94
11.5.3) Verify data at SQL connector level...............................................................................95
11.6) Performing Reconciliation..........................................................................................95
11.7) REST API Queries...........................................................................................................96
11.7.1) _queryId=query-all-ids............................................................................................96
11.7.2) QueryFilter – Global query......................................................................................96
11.8) QueryFilter – Filtering the request...................................................................................98
12) Using the SQL database table connector – Running reconciliation........................................99
12.1) Creating a contractor database..........................................................................................99
12.2) Database Table Connector.............................................................................................100
12.3) Creating a mapping........................................................................................................105
12.4) Performing a REST Query on Database Table connector..............................................106
12.5) Performing Reconciliation (Read only mode)...............................................................106
12.6) Run Reconciliation « Default Actions ».......................................................................109
12.7) Adding a new attribute to the Managed User Object...........................................................111
13) LiveSync Process...................................................................................................................115
13.1) Overview........................................................................................................................115
13.2) Using LiveSync..............................................................................................................116
13.2.1) Configuring LiveSync............................................................................................116
13.2.2) Enabling Auto-sync on MySQL Database..............................................................118
13.2.3) Modification of SQL attribute................................................................................118
13.2.4) LiveSync configuration on OpenIDM using Admin UI interface..........................119
13.2.5) Querying LiveSync on OpenIDM using REST API call...........................................119
13.2.6) Displaying LiveSync information on OpenIDM......................................................120
13.2.6) Enabling LiveSync on OpenIDM using REST API................................................120
13.2.7) Verification that LiveSync is enabled......................................................................121
13.2.8) LiveSync in action.................................................................................................121
13.3) Using the scheduler to run liveSync..............................................................................123
13.3.1) LiveSync Scheduler file..............................................................................................123
13.3.2) Example of LiveSync Update................................................................................124
13.4) Checking Log files upon LiveSync...........................................................................125
13.5) Using LiveSync with openDJ........................................................................................126
4.3.1. Setting Up OpenDJ.......................................................................................................126
14) Custom endpoint....................................................................................................................127
14.1) Overview........................................................................................................................127
14.2) openidm instance................................................................................................................127
14.3) Construction of the custom endpoint.............................................................................128
14.3.1) Curl custom query...................................................................................................128
14.3.2) Providing a test script..............................................................................................128
14.3.3) Endpoint recording verification – cli.sh validate.....................................................129
14.3.4) Testing the custom endpoint URL.............................................................................129
15) Rule Provisioning..................................................................................................................131
15.1) Overview...................................................................................................................131
15.2) openidm instance...........................................................................................................131
15.3) Adding new attributes to Managed User schema...........................................................132
15.4) Adding a transformation script.......................................................................................133
15.4.1) Adding a new custom grid attribute...........................................................................133
15.4.2) Adding the transformation script..................................................................................135
15.5) Reconciliation – User Provisioning................................................................................138
16) Role and assignments............................................................................................................140
16.1) Overview........................................................................................................................140
16.2) Role in more details.......................................................................................................140
16.3) Assignment in more details............................................................................................141
16.4) Use case example...........................................................................................................143
16.4.1) LDAP ICF connector password.............................................................................143
16.4.2) Requirements.........................................................................................................144
16.4.3) Run Reconciliation.....................................................................................................145
16.5) Assignment creation (EmployeeType)...........................................................................145
16.6) Definition of a Role (Employee Role)...........................................................................146
16.7) Adding an assignment to the Employee Role............................................................147
16.8) Adding a user to a role...................................................................................................147
16.8.1) Getting the value _Id of bjensen............................................................................147
16.8.2) Assigning role to bjensen.......................................................................................148
16.8.3) Display of Managed user object bjensen...............................................................148
16.9) LDAP provisioning........................................................................................................149
16.10) Adding new assignment attributes (Employee Assignment).......................................150
16.11) Adding a new managed user to the role employee........................................................152
16.12) Removing a role from a user.......................................................................................154
16.12.1) Getting the _id......................................................................................................154
16.12.2) Removing the Role from bjensen.........................................................................155
16.12.3) Verification...........................................................................................................155
17) Sample Provisioning WorkFlow............................................................................................157
17.1) Presentation....................................................................................................................157
17.1) Start the workflow example..........................................................................................157
17.2) Configure FakeSMTP Email server...............................................................................157
17.3) Configure openIDM email settings...............................................................................157
17.4) Run reconciliation for users and roles...........................................................................158
17.4.1) Reconciling Roles..................................................................................................158
17.4.2) Reconciling Users – (Manager First).....................................................................158
17.4.3) Reconciling Users (Employees).............................................................................159
17.5) View the newly-created data..........................................................................................160
17.6) Check the workflow process definition.........................................................................161
17.7) Initiate Workflow Process..............................................................................................162
17.8) Observing administrative tasks and workflow created..................................................163
17.8.1) Task assignment.....................................................................................................163
17.8.2) Observing workflow tasks.....................................................................................163
17.8.3) Observing workflow process..................................................................................164
17.9) Workflow approval task.................................................................................................165
17.9) User1 Notification dashboard...................................................................................165
17.10) Workflow approval – Authorization Roles..................................................................167
17.11) Difference between Provisioning Role and Authorization Role...................................168
17.12) Some important files (conf directory)..........................................................................169
sync.json.............................................................................................................................169
workflow.json.....................................................................................................................169
process-access.json.............................................................................................................170
18) Workflow – Running a workflow from the reconciliation Process.......................................171
18.1) Presentation....................................................................................................................171
18.2) Starting openIDM with samples/sample9......................................................................171
18.3) Contractor onboarding process.....................................................................................171
18.4) Running reconciliation...................................................................................................171
18.4) Examining Active Workflows........................................................................................172
18.5) Checking MyTask user list (using the admin CLI)..........................................................173
18.6) Performing approval process using CLI........................................................................174
18.7) Checking user Provisioning.......................................................................................174
18.8) Some specific points to be noticed................................................................................175
19) Activiti designer.....................................................................................................................176
19.1) Overview........................................................................................................................176
19.2) Installing the Activiti Designer plugin into Eclipse.................................................................176
19.3) Creating a simple Project workflow..............................................................................176
19.4) Using the palette (first steps).........................................................................................176
19.5) Producing a bar file........................................................................................................177
19.6) Testing new workflow in openIDM...............................................................................177
20) Hardening for Production......................................................................................................178
20.1) Using an SQL Database.....................................................................................................178
20.2) Running Health monitoring Check................................................................................180
20.3) Starting openIDM as a background process.......................................................................180
20.3.1) Starting openIDM as a background process on the command line...........................180
20.3.2) Using create-openidm-rc.sh....................................................................................180
20.4) Security...............................................................................................................................180
20.4.1) openidm keystore........................................................................................................181
20.4.2) conf/boot/boot.properties file.....................................................................................181
20.5) Performing regular backups...........................................................................................183
20.6) Additional security measures..........................................................................................183
Annex 1 – SMTP Client configuration........................................................................................184
Annex 2: Useful REST Calls........................................................................................................186
Annex 3 - Installing OpenDJ.......................................................................................................187
Annex 4 - How to deploy Windows 2012 AD on VirtualBox.......................................................191
Annex 5 – AD connector: differences with template provisioning file......................................193
Annex 6: References....................................................................................................................194
Annex 7: Building Scripted SQL Connector file examples.........................................................195
Overview.................................................................................................................................195
Building samples/sample3 connector......................................................................................195
Adding the Groovy connector to the internal Maven repository........................................195
Compiling successfully...........................................................................................................196
Annex 8: Requirements...............................................................................................................198
Software..................................................................................................................................198
Hardware:................................................................................................................................198
Pointers:......................................................................................................................................199