You can access a variety of LDAP-based systems through the LDAP Connector. The Connector supports both LDAP version 2 and version 3, and is built on top of JNDI.
This Connector can be used in conjunction with the IBM® Password Synchronization plug-ins. For more information about installing and configuring them, see Password Synchronization Plug-ins.
Note that, unlike most Connectors, when you insert an object into an LDAP directory you must specify the object class attribute and the $dn attribute as well as the other attributes. The following code example, if placed in the Prolog, defines an objectClass attribute that you can reuse later.
// This variable is used to set the object class attribute
var objectClass = system.newAttribute("objectclass");
objectClass.addValue("top");
objectClass.addValue("person");
objectClass.addValue("inetorgperson");
objectClass.addValue("organizationalPerson");
Then your LDAP Connectors can have an attribute called objectclass with the following assignment:
ret.value = objectClass;
To see which attributes the person class has, see http://java.sun.com/products/jndi/tutorial/ldap/schema/object.html. The schema shows that sn and cn are required, so you must supply both in your Update or Add Connector.
In the LDAP Connector, you also need the $dn attribute, which corresponds to the distinguished name. When building $dn in the Attribute Map, assuming an attribute in the work object called iuid, you typically have code like the following fragment:
var tuid = work.getString("iuid");
ret.value = "uid=" + tuid + ",ou=people,o=example_name.com";
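Because $dn (and a Search Filter) are built by concatenating strings taken from the work object, a uid, cn or sn value that contains DN or filter special characters (comma, plus, quotes, backslash, parentheses, asterisk) produces a malformed DN or a filter that matches the wrong entry unless it is escaped. The helpers below are an added example, not product code or code from the original page; they escape values per RFC 4514 (DN) and RFC 4515 (filter), and the function names and the base DN passed in are assumptions.

```javascript
// Added example (not the product's code): function names and base DN are assumptions.

// Escape one attribute value for use inside a DN (RFC 4514, section 2.4).
function escapeDnValue(value) {
  var s = String(value), out = "";
  for (var i = 0; i < s.length; i++) {
    var c = s.charAt(i);
    if (c === "\\" || c === "," || c === "+" || c === '"' ||
        c === ";" || c === "<" || c === ">") {
      out += "\\" + c;                 // special characters get a backslash
    } else if (c === "\u0000") {
      out += "\\00";                   // NUL is written as hex
    } else if (c === "#" && i === 0) {
      out += "\\#";                    // leading '#' would start a hex-encoded value
    } else if (c === " " && (i === 0 || i === s.length - 1)) {
      out += "\\ ";                    // leading or trailing space must be escaped
    } else {
      out += c;
    }
  }
  return out;
}

// Escape a value for use inside a search filter (RFC 4515, section 3).
function escapeFilterValue(value) {
  var s = String(value), out = "";
  for (var i = 0; i < s.length; i++) {
    var c = s.charAt(i);
    if (c === "*") out += "\\2a";
    else if (c === "(") out += "\\28";
    else if (c === ")") out += "\\29";
    else if (c === "\\") out += "\\5c";
    else if (c === "\u0000") out += "\\00";
    else out += c;
  }
  return out;
}

// Build the person DN that the $dn fragment above produces, with the uid escaped.
function buildPersonDn(uid, baseDn) {
  return "uid=" + escapeDnValue(uid) + "," + baseDn;
}

// Build an equality filter such as (uid=jdoe) for the Search Filter field.
function buildEqualityFilter(attr, value) {
  return "(" + attr + "=" + escapeFilterValue(value) + ")";
}
```

In the Attribute Map for $dn, ret.value = buildPersonDn(work.getString("iuid"), "ou=people,o=example_name.com") replaces the bare concatenation shown above.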
Note:
- The two special attributes, $dn and objectclass, are usually not included in Modification in Update mode unless you want to move entries in addition to updating them.
- If you cannot connect to your directory, make sure the Use
SSL flag in the Configuration is set according to what the directory
expects.
- When doing a Lookup, you can use $dn as the Connector attribute to look up an entry by its distinguished name. Do not specify a Simple Link Criteria that uses both $dn and other attributes; in that case, a simple lookup is done with the DN using an Equals comparison.
- Certain servers have a size limit parameter to stop you from selecting all their data. This can be a nuisance because your Iterator only returns the first n entries. Some servers, for example Netscape/iPlanet, let you exceed the size limit if you are authenticated as a manager.
- Servers that return their whole directory in one go (for example, a non-paged search) typically cause memory problems on the client side. See Handling memory problems in the LDAP Connector.
- When Connector Flags contains the value deleteEmptyStrings, the LDAP Connector removes empty string values from each attribute. This can leave the attribute with no values (an empty value set). If an attribute has an empty value set, a modify operation deletes the attribute from the entry in the directory; an add operation never includes an empty attribute, since this is not permitted. Otherwise, modify entry replaces the attribute values.
- When performing a rootDSE search in Lookup mode using the "baselevel" search scope, you must add a Link Criteria specifying that the value of objectClass is * (objectClass equals *) and leave the Search Base field blank. In Iterator mode the same thing is achieved by leaving the Search Base blank and setting the Search Filter to "objectClass=*".
- When performing a normal search in Lookup mode using the "baselevel" search scope, you need to add a valid Link Criteria in accordance with the specified Search Base (for example, Search Base: cn=MyName,o=MyOrganization,c=MyCountry; Link Criteria: sn equals MySurName).