---
title: Two-way synchronization between LDAP and IDM
description: This sample demonstrates bidirectional synchronization between an LDAP directory and an IDM repository.
component: pingidm
version: 8.1
page_id: pingidm:samples-guide:sync-with-ldap-bidirectional
canonical_url: https://docs.pingidentity.com/pingidm/8.1/samples-guide/sync-with-ldap-bidirectional.html
keywords: ["Samples", "Synchronization", "LDAP", "Bidirectional"]
section_ids:
  prepare-sync-with-ldap-bidirectional: Prepare the sample
  run-sync-with-ldap-bidirectional: Run the sample
---

# Two-way synchronization between LDAP and IDM

This sample demonstrates bidirectional synchronization between an LDAP directory and an IDM repository.

The sample has been tested with PingDS, but should work with any LDAPv3-compliant server. The configuration includes two mappings, one from the LDAP resource to the IDM repository, and one from IDM to LDAP.

In this sample, you will start IDM and reconcile the two data sources. The mapping configuration file (`sync.json`) for this sample includes two mappings: `systemLdapAccounts_managedUser`, which synchronizes users from the source LDAP server to the target repository, and `managedUser_systemLdapAccounts`, which synchronizes changes from the repository back to the LDAP server.

## Prepare the sample

1. [Set up DS](start-here.html#ldap-server-config) using `/path/to/openidm/samples/sync-with-ldap-bidirectional/data/Example.ldif`.

2. [Prepare IDM](start-here.html#preparing-openidm), and start the server using the sample configuration:

   ```
   cd /path/to/openidm/
   ./startup.sh -p samples/sync-with-ldap-bidirectional
   ```

## Run the sample

> **Note**
>
> Starting with IDM 8.1, the [legacy admin UI is deprecated](../release-notes/deprecated-functionality.html#legacy-admin-ui-deprecated) and is no longer bundled with IDM. New deployments should use the [Platform admin UI](../setup-guide/platform-admin-ui.html), which is the replacement for the legacy admin UI. Both UIs are available as separate downloads from the [Backstage download site](https://backstage.forgerock.com/downloads):
>
> - To install the Platform admin UI, follow the steps in [Install the Platform admin UI for standalone IDM](../setup-guide/platform-admin-ui.html).
> - To continue using the legacy admin UI, follow the steps in [Install the legacy admin UI](../setup-guide/legacy-admin-ui.html).

You can work through the sample using the command line or the admin UI:

> **Collapse: Use the command line**
>
> 1. Reconcile the repository over the REST interface:
>
>    ```
>    curl \
>    --header "X-OpenIDM-Username: openidm-admin" \
>    --header "X-OpenIDM-Password: openidm-admin" \
>    --header "Accept-API-Version: resource=1.0" \
>    --request POST \
>    "http://localhost:8080/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser&waitForCompletion=true"
>    {
>      "state": "SUCCESS",
>      "_id": "027e25e3-7a33-4858-9080-161c2b40a6bf-2"
>    }
>    ```
>
>    The reconciliation operation returns a reconciliation run ID and the status of the operation. Reconciliation creates user objects from LDAP in the IDM repository, assigning the new objects random unique IDs.
>
> 2. To retrieve the users from the repository, query their IDs:
>
>    ```
>    curl \
>    --header "X-OpenIDM-Username: openidm-admin" \
>    --header "X-OpenIDM-Password: openidm-admin" \
>    --header "Accept-API-Version: resource=1.0" \
>    --request GET \
>    "http://localhost:8080/openidm/managed/user?_queryFilter=true&_fields=_id"
>    {
>      "result": [
>        {
>          "_id": "d460ed00-74f9-48fb-8cc1-7829be60ddac",
>          "_rev": "00000000792afa08"
>        },
>        {
>          "_id": "74fe2d25-4eb1-4148-a3ae-ff80f194b3a6",
>          "_rev": "00000000a92657c7"
>        }
>      ],
>      ...
>    }
>    ```
>
> 3. To retrieve individual user objects, include the ID in the URL, for example:
>
>    ```
>    curl \
>    --header "X-OpenIDM-Username: openidm-admin" \
>    --header "X-OpenIDM-Password: openidm-admin" \
>    --header "Accept-API-Version: resource=1.0" \
>    --request GET \
>    "http://localhost:8080/openidm/managed/user/d460ed00-74f9-48fb-8cc1-7829be60ddac"
>    {
>      "_id": "d460ed00-74f9-48fb-8cc1-7829be60ddac",
>      "_rev": "00000000792afa08",
>      "displayName": "Barbara Jensen",
>      "description": "Created for OpenIDM",
>      "givenName": "Barbara",
>      "mail": "bjensen@example.com",
>      "telephoneNumber": "1-360-229-7105",
>      "sn": "Jensen",
>      "userName": "bjensen",
>      "accountStatus": "active",
>      "effectiveRoles": [],
>      "effectiveAssignments": []
>    }
>    ```
>
> 4. To test the second mapping, create a user in the IDM repository:
>
>    ```
>    curl \
>    --header "X-OpenIDM-Username: openidm-admin" \
>    --header "X-OpenIDM-Password: openidm-admin" \
>    --header "Accept-API-Version: resource=1.0" \
>    --header "Content-Type: application/json" \
>    --request POST \
>    --data '{
>      "mail": "fdoe@example.com",
>      "sn": "Doe",
>      "telephoneNumber": "555-1234",
>      "userName": "fdoe",
>      "givenName": "Felicitas",
>      "description": "Felicitas Doe",
>      "displayName": "fdoe"}' \
>    "http://localhost:8080/openidm/managed/user?_action=create"
>    {
>      "_id": "90d1f388-d8c3-4438-893c-be4e498e7a1c",
>      "_rev": "00000000792afa08",
>      "mail": "fdoe@example.com",
>      "sn": "Doe",
>      "telephoneNumber": "555-1234",
>      "userName": "fdoe",
>      "givenName": "Felicitas",
>      "description": "Felicitas Doe",
>      "displayName": "fdoe",
>      "accountStatus": "active",
>      "effectiveRoles": [],
>      "effectiveAssignments": []
>    }
>    ```
>
> 5. By default, *implicit synchronization* is enabled for mappings *from* the `managed/user` repository *to* any external resource. This means that when you update a managed object, any mappings defined in the `sync.json` file that have the managed object as the source are automatically executed to update the target system. For more information, refer to [Resource mapping](../synchronization-guide/mappings.html).
>
>    To test that the implicit synchronization has been successful, query the users in the LDAP directory over REST:
>
>    ```
>    curl \
>    --header "X-OpenIDM-Username: openidm-admin" \
>    --header "X-OpenIDM-Password: openidm-admin" \
>    --header "Accept-API-Version: resource=1.0" \
>    --request GET \
>    "http://localhost:8080/openidm/system/ldap/account?_queryId=query-all-ids"
>    {
>      "result": [
>        {
>          "_id": "0da50512-79bb-3461-bd04-241ee4c785bf"
>        },
>        {
>          "_id": "887732e8-3db2-31bb-b329-20cd6fcecc05"
>        },
>        {
>          "_id": "2f03e095-ec81-4eb5-9201-a4df2f1f9add"
>        }
>      ],
>      ...
>    }
>    ```
>
>    Note the additional user entry.
>
> 6. To query the complete entry, include the `_id` in the URL:
>
>    ```
>    curl \
>    --header "X-OpenIDM-Username: openidm-admin" \
>    --header "X-OpenIDM-Password: openidm-admin" \
>    --header "Accept-API-Version: resource=1.0" \
>    --request GET \
>    "http://localhost:8080/openidm/system/ldap/account/2f03e095-ec81-4eb5-9201-a4df2f1f9add"
>    {
>      "_id": "2f03e095-ec81-4eb5-9201-a4df2f1f9add",
>      "givenName": "Felicitas",
>      "dn": "uid=fdoe,ou=People,dc=example,dc=com",
>      "mail": "fdoe@example.com",
>      "ldapGroups": [],
>      "uid": "fdoe",
>      "employeeType": [],
>      "aliasList": [],
>      "telephoneNumber": "555-1234",
>      "kbaInfo": [],
>      "cn": "fdoe",
>      "objectClass": [
>        "person",
>        "organizationalPerson",
>        "inetOrgPerson",
>        "top"
>      ],
>      "sn": "Doe",
>      "description": "Felicitas Doe"
>    }
>    ```
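
As an added check that is not part of the sample or of IDM itself, the following Python audits the state the two mappings should leave behind: it matches managed users to LDAP accounts on `userName`/`uid`, as the sample's mappings do, and reports entries present on only one side or whose mapped attributes differ. The `query_result` helper, the constructed `tmorris` account and the altered telephone number for `fdoe` are assumptions added for illustration, not data from the sample.

```python
import json
import urllib.request

# Base URL and headers taken from the sample's curl commands on this page.
BASE_URL = "http://localhost:8080/openidm"
# Attributes that both of the sample's mappings carry; managed/user name -> LDAP attribute name.
COMPARED = {"mail": "mail", "sn": "sn", "givenName": "givenName", "telephoneNumber": "telephoneNumber"}

def query_result(path, username, password, opener=urllib.request.urlopen):
    """GET a query endpoint with the sample's headers and return its 'result' list (assumed helper)."""
    req = urllib.request.Request(f"{BASE_URL}/{path}", headers={
        "X-OpenIDM-Username": username, "X-OpenIDM-Password": password,
        "Accept-API-Version": "resource=1.0"})
    with opener(req) as resp:
        return json.load(resp)["result"]

def audit_sync(managed_users, ldap_accounts):
    """Compare managed/user with system/ldap/account; match on managed userName == LDAP uid."""
    by_username = {u["userName"]: u for u in managed_users}
    by_uid = {a["uid"]: a for a in ldap_accounts}
    report = {
        # In managed/user only: implicit sync (managedUser_systemLdapAccounts) did not reach LDAP.
        "missing_in_ldap": sorted(set(by_username) - set(by_uid)),
        # In LDAP only: the systemLdapAccounts_managedUser reconciliation has not picked them up.
        "missing_in_managed": sorted(set(by_uid) - set(by_username)),
        "mismatched": {},  # shared users whose mapped attributes differ: {user: {attr: (managed, ldap)}}
    }
    for name in sorted(set(by_username) & set(by_uid)):
        diffs = {m: (by_username[name].get(m), by_uid[name].get(l))
                 for m, l in COMPARED.items() if by_username[name].get(m) != by_uid[name].get(l)}
        if diffs:
            report["mismatched"][name] = diffs
    return report

# Constructed sample data: bjensen and fdoe come from the page's output; tmorris and the changed
# telephone number for fdoe are invented so that the audit has drift to report.
MANAGED_USERS = [
    {"userName": "bjensen", "mail": "bjensen@example.com", "sn": "Jensen", "givenName": "Barbara", "telephoneNumber": "1-360-229-7105"},
    {"userName": "fdoe", "mail": "fdoe@example.com", "sn": "Doe", "givenName": "Felicitas", "telephoneNumber": "555-1234"},
]
LDAP_ACCOUNTS = [
    {"uid": "bjensen", "mail": "bjensen@example.com", "sn": "Jensen", "givenName": "Barbara", "telephoneNumber": "1-360-229-7105"},
    {"uid": "fdoe", "mail": "fdoe@example.com", "sn": "Doe", "givenName": "Felicitas", "telephoneNumber": "555-9999"},
    {"uid": "tmorris", "mail": "tmorris@example.com", "sn": "Morris", "givenName": "Tom", "telephoneNumber": "555-2222"},
]

if __name__ == "__main__":
    print(json.dumps(audit_sync(MANAGED_USERS, LDAP_ACCOUNTS), indent=2))
```

Against a running sample, feed `audit_sync` the lists returned by `query_result("managed/user?_queryFilter=true", ...)` and `query_result("system/ldap/account?_queryFilter=true", ...)` instead of the constructed records; a non-empty report after both mappings have run points at an attribute the mapping does not carry or at a change made directly on one side.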

> **Collapse: Use the admin UI**
>
> 1. Log in to the admin UI.
>
> 2. From the navigation bar, click Configure > Mappings.
>
>    The Mappings page displays two configured mappings, one from the `ldap` server to the IDM repository (`managed/user`) and one from the repository to the `ldap` server.
>
> 3. Select the LDAP to managed user mapping, and click Reconcile.
>
>    The reconciliation operation creates the two users from the LDAP server in the IDM repository.
>
> 4. To view the new users in the repository, from the navigation bar, click Manage > User.
>
>    IDM displays the two users.
>
> 5. To add a user account, from the User List page, click + New User.
>
> 6. On the New User page, enter the user details, and click Save.
>
>    > **Note**
>    >
>    > By default, *implicit synchronization* is enabled for mappings *from* the `managed/user` repository *to* any external resource. This means that when you update a managed object, any mappings defined in the `sync.json` file that have the managed object as the source are automatically executed to update the target system. For more information, refer to [Resource mapping](../synchronization-guide/mappings.html).
>
> 7. To test for successful implicit synchronization, from the navigation bar, click Manage > User.
>
>    * From the Users List page, click the new user you created in the previous step.
>
>    * Click the Linked Systems tab.
>
>      IDM displays the user's mapped external resource.
