4. Import Existing Directory Users and Groups

This section describes how to import existing groups, followed by existing users and their group memberships, from Active Directory into OpenIAM. This is an important step in many Identity Governance projects as we need to:

The concepts described here apply to virtually all systems for which OpenIAM provides a connector.

This section assumes that you have already established a connection to your directory using the steps described here.

4.1 Import Existing Groups

OpenIAM provides a feature called Synchronization which enables both:

To import existing groups from your Active Directory or LDAP, follow the procedures outlined below to configure a group synchronization process.

4.1.1 Validate Connector configuration for Groups

The first step in importing groups from your directory is to ensure that the connector configuration exposes the appropriate parameters. We can validate this using the steps below:

You should see the screen below. This screen allows you to configure which fields should be exposed for a given connector. Not all fields are appropriate for all connectors; for example, the JDBC parameter has no relevance for the LDAP connector. The fields which are enabled on this screen will be exposed on the Managed System configuration screen.

On the screen shown above, ensure that the following fields have been enabled:


4.1.2 Update managed system configuration

The next step is to define the group search parameters in the managed system configuration that was defined earlier. Follow the steps below:

| Configuration parameter | Description |
|---|---|
| Object Primary Key for Group | Unique AD/LDAP attribute used to identify this object |
| Base DN for Group | OU under which the connector will create new objects |
| Search Base DN Group | OU under which the connector will look up objects |
| Search Filter for Group | LDAP filter used to look up objects under the Search Base DN Group parameter |


4.1.3 Define Synchronization Configuration

The final step to import the groups in the directory is to set up a Synchronization task. Synchronization tasks can be scheduled to run at regular intervals, and each run can synch either incrementally or the full list of groups matched by the search filters. These features are useful if the directory is to act as an authoritative source for this information. In this case, the goal is simply to import existing groups. To implement this, follow the steps below:

| Configuration Parameter | Description |
|---|---|
| Name | Any user-friendly name you want to assign to this configuration to help you identify it later. |
| Number Of Threads | Set this to 1 for now. This parameter defines how many threads you want running in parallel to process this task. If you are synchronizing a large amount of data, you can increase this number to reduce the time needed to process it. Note: use caution when increasing the number of threads, as several threads running for a long duration could negatively impact the performance of the system in other areas. |
| Is Active? | Enable this checkbox. The synchronization task will not run unless the "Is Active" field has been checked. |
| Provision to target systems? (if unchecked, please take care about identities creation in transformation script) | For importing groups, this field should NOT BE CHECKED. |
| Synchronization Source | Determines whether the source of data is a CSV file or one of the other built-in adapters. Select "Connector" from the dropdown to indicate that a connector will be used for this operation. |
| Managed System | The managed system configuration that was defined earlier. It provides the connectivity details to the directory. |
| Synchronize Object | Determines the type of object (User, Group, Role, Org) that will be synched. Select "Groups", since we are importing groups. |
| Synch Type | Determines whether this is a complete or incremental synch. A complete synch imports all groups into OpenIAM. An incremental synch imports only the changes since the last time the synch was executed. For LDAP / AD, incremental changes are detected based on the whenChanged attribute. |
| Validation Rule | Select AdGroupSampleValidationScript.groovy. The synchronization process has two scripts which are executed for each imported record: Validation and Transformation. The validation script validates the data and can be used to detect data issues and reject incoming data. |
| Transformation Implementation | Determines whether the transformation occurs using the policy map on the managed system or in the transformation script. Select "Transformation Script". |
| Transformation Rule | The transformation script is executed for each record which passes the validation checks. It assigns incoming data to OpenIAM objects which can later be persisted. Select AdGroupSampleTransformationScript.groovy. |
| IDM Repository Field | Defines which field in the OpenIAM repository should be used to capture the primary key / unique identifier for the objects. For non-user objects, such as Groups, select the "Name" field. |
| Source Attribute Name | The field in the directory which will be used to uniquely identify this object. For LDAP and Active Directory, this can be cn, sAMAccountName, uid, etc. Enter "cn" into this field. |
| SQL Query / Directory Filter | The query or filter used to determine which group objects will be brought back. This search is limited by the Group Search Base DN defined on the managed system. To retrieve all groups in Active Directory, you can use the filter (&(objectClass=group)). You can validate your filter using an LDAP browser such as Apache Directory Studio. |
| Attribute Names Lookup | Defines which fields the connector should retrieve from the directory. You can change the list of fields by editing the script and modifying the line shown below to include the directory attributes you need. |

The line in the Attribute Names Lookup script that lists the attributes to retrieve:

return ["cn","sn","givenName","sAMAccountName","dn","distinguishedName","modifyTimestamp","createTimestamp","mail","userPrincipalName", "memberOf"];
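Two checks worth running before saving the configuration above, as an added example that is not part of OpenIAM or this page: a syntax sanity check of the directory filter (with the whenChanged lower bound an incremental synch keys on) and a check that the Source Attribute Name actually appears in the Attribute Names Lookup list. The filter and attribute list are the page's values; the function names are this example's own.

```python
# Added example, not OpenIAM's own code: reproduces two checks a practitioner
# wants before saving the group synch configuration. Values come from the page;
# the function names are this example's own.
from datetime import datetime, timezone

# Filter and attribute list exactly as given on the page.
GROUP_FILTER = "(&(objectClass=group))"
ATTRIBUTE_NAMES_LOOKUP = ["cn", "sn", "givenName", "sAMAccountName", "dn",
                          "distinguishedName", "modifyTimestamp",
                          "createTimestamp", "mail", "userPrincipalName",
                          "memberOf"]

def check_filter_syntax(ldap_filter: str) -> bool:
    """Minimal RFC 4515 sanity check: enclosed in parentheses and balanced."""
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        return False
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:          # a ')' before its matching '('
                return False
    return depth == 0

def to_generalized_time(iso_timestamp: str) -> str:
    """ISO 8601 timestamp (with offset) -> LDAP GeneralizedTime in UTC."""
    dt = datetime.fromisoformat(iso_timestamp)
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")

def build_incremental_filter(base_filter: str, last_synch_iso: str) -> str:
    """AND the configured group filter with a whenChanged lower bound, the
    attribute an incremental AD synch is detected on."""
    if not check_filter_syntax(base_filter):
        raise ValueError(f"invalid LDAP filter: {base_filter!r}")
    return f"(&{base_filter}(whenChanged>={to_generalized_time(last_synch_iso)}))"

def key_attribute_exposed(source_attribute: str, lookup: list) -> bool:
    """The Source Attribute Name must be in the Attribute Names Lookup list,
    otherwise imported records arrive without their unique identifier."""
    return source_attribute.lower() in (a.lower() for a in lookup)

if __name__ == "__main__":
    print(build_incremental_filter(GROUP_FILTER, "2020-01-31T23:59:59+00:00"))
    print(key_attribute_exposed("cn", ATTRIBUTE_NAMES_LOOKUP))
```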

At this point the group import configuration is done. Save this configuration and execute the task using the "Synch now" button. You can review the newly imported groups by going to Access Control -> Group in the Webconsole.


© 2020 OpenIAM LLC. All rights reserved.