LDAP Connector

You can access a variety of LDAP-based systems through the LDAP Connector. The Connector supports both LDAP version 2 and 3. It is built layered on top of JNDI connectivity.

This Connector can be used in conjunction with the IBM® Password Synchronization plug-ins. For more information about installing and configuring the IBM Password Synchronization plug-ins, please see the Password Synchronization Plug-ins.

Note that, unlike most Connectors, while inserting an object into an LDAP directory, you must specify the object class attribute, the $dn attribute as well as other attributes. The following code example, if inserted in the Prolog, defines an objectClass attribute that you can use later.

// This variable is used to set the object class attribute
var objectClass = system.newAttribute ("objectclass");
objectClass.addValue ("top");
objectClass.addValue ("person");
objectClass.addValue ("inetorgperson");
objectClass.addValue ("organizationalPerson");

Then your LDAP Connectors can have an attribute called objectclass with the following assignment:

ret.value = objectClass

To see what kind of attributes the person class has, see http://java.sun.com/products/jndi/tutorial/ldap/schema/object.html

You see that you must supply an sn and cn attribute in your Update or Add Connector.

In the LDAP Connector, you also need the $dn attribute that corresponds to the distinguished name. When building $dn in the Attribute Map, assuming an attribute in the work object called iuid, you typically have code like the following fragment:

var tuid = work.getString("iuid");
ret.value = "uid=" + tuid + ",ou=people,o=example_name.com";

Note:
  1. The two special attributes, $dn and objectclass, are usually not included in Modification in Update mode unless you want to move entries in addition to updating them.
  2. If you cannot connect to your directory, make sure the Use SSL flag in the Configuration is set according to what the directory expects.
  3. When doing a Lookup, you can use $dn as the Connector attribute, to look up using the distinguished name. Do not specify a Simple Link Criteria using both $dn and other attributes; in this case a simple lookup will be done with the DN using an Equals comparison.
  4. Certain servers have a size limit parameter to stop you from selecting all their data. This can be a nuisance as your Iterator only returns the first n entries. Some servers, for example, Netscape/iPlanet, enable you to exceed the size limit if you are authenticated as a manager.
  5. Those servers that return their whole directory in one go (for example, non-paged search) typically cause memory problems on the client side. See Handling memory problems in the LDAP Connector.
  6. When Connector Flags contains the value deleteEmptyStrings, then for each attribute, the LDAP Connector removes empty string values. This possibly leaves the attribute with no values (for example, empty value set). If an attribute has an empty value set then a modify operation deletes the attribute from the entry in the directory. An add operation never includes an empty attribute since this is not permitted. Otherwise, modify entry replaces the attribute values.
  7. When performing a rootdse search in Lookup mode using the "baselevel" search scope, you must add a Link Criteria specifying that the value of objectClass is * (objectClass equals *) and leave the Search Base field blank. In Iterator mode the same thing is achieved by leaving the Search Base blank and setting the Search Filter to "objectClass=*".
  8. When performing a normal search in Lookup mode using the "baselevel" search scope, you need to add a valid Link Criteria in accordance with the specified Search Base (for example, Search Base: cn=MyName,o=MyOrganization,c=MyCountry ; Link Criteria: sn equals MySurName).
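The $dn fragment above and the deleteEmptyStrings behaviour in note 6, as an added plain-JavaScript example that is not part of the product documentation or the Connector's own code: buildDn escapes the uid value per RFC 4514 so a value containing a comma or other DN special character cannot change where the entry lands, and planModify models how a modify treats an attribute whose values are all empty strings. In a TDI Attribute Map the result of buildDn would be assigned to ret.value; escapeDnValue, buildDn and planModify are names chosen here, not Connector APIs.

```javascript
// Added example (not from the product documentation): plain JavaScript.

// Escape one attribute value for use inside a DN (RFC 4514 rules):
// the characters , + " \ < > ; anywhere, a leading '#' or space, and a
// trailing space must be backslash-escaped, otherwise the value could be
// read as additional RDN components and alter the entry's DN.
function escapeDnValue(value) {
  var s = String(value).replace(/([,+"\\<>;])/g, "\\$1");
  // trailing space first, so a value that is only spaces is handled once
  if (s.length > 1 && s.charAt(s.length - 1) === " ") {
    s = s.slice(0, -1) + "\\ ";
  }
  if (s.charAt(0) === " " || s.charAt(0) === "#") {
    s = "\\" + s;
  }
  return s;
}

// Build the $dn value for a person entry under the page's example base.
function buildDn(uid) {
  return "uid=" + escapeDnValue(uid) + ",ou=people,o=example_name.com";
}

// Model the deleteEmptyStrings flag from note 6: drop empty-string values
// from each attribute, then decide what a modify does per attribute. An
// attribute left with no values is deleted from the entry; any other
// attribute has its values replaced.
// Input:  { attrName: [values] }
// Output: { attrName: { op: "delete" | "replace", values: [...] } }
function planModify(attrs) {
  var plan = {};
  Object.keys(attrs).forEach(function (name) {
    var kept = attrs[name].filter(function (v) { return v !== ""; });
    plan[name] = kept.length === 0
      ? { op: "delete", values: [] }
      : { op: "replace", values: kept };
  });
  return plan;
}
```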