---
title: Synchronize LDAP groups
description: This sample demonstrates synchronization between an LDAP directory and an IDM repository. The sample synchronizes LDAP group objects (rather than LDAP group membership, demonstrated in Synchronize LDAP group membership).
component: pingidm
version: 8.1
page_id: pingidm:samples-guide:sync-with-ldap-groups
canonical_url: https://docs.pingidentity.com/pingidm/8.1/samples-guide/sync-with-ldap-groups.html
keywords: ["Samples", "Synchronization", "LDAP", "Groups"]
section_ids:
  overview-sync-ldap-groups: Sample overview
  prepare-sync-with-ldap-groups: Prepare the sample
  run-sync-with-ldap-groups: Run the sample
---

# Synchronize LDAP groups

This sample demonstrates synchronization between an LDAP directory and an IDM repository. The sample synchronizes LDAP group objects (rather than LDAP group membership, demonstrated in [Synchronize LDAP group membership](sync-with-ldap-group-membership.html)).

The sample has been tested with PingDS (DS) but should work with any LDAPv3-compliant server. The sample includes mappings from the LDAP server to the IDM repository, and from the IDM repository to the LDAP server. During reconciliation, user entries and group entries are synchronized.

## Sample overview

The mapping configuration file, `conf/sync.json`, for this sample includes three mappings:

* `systemLdapAccounts_managedUser`

  Synchronizes users from the source LDAP server with the target IDM repository.

* `managedUser_systemLdapAccounts`

  Synchronizes users from the IDM repository to the LDAP server.

* `systemLdapGroups_managedGroup`

  Synchronizes groups from the source LDAP server with the target IDM repository.

This sample focuses only on the groups mapping, `systemLdapGroups_managedGroup`.

## Prepare the sample

1. [Set up DS](start-here.html#ldap-server-config) using `/path/to/openidm/samples/sync-with-ldap-groups/data/Example.ldif`.

   The import file includes a number of LDAP groups, including:

   ```ldif
   dn: ou=Groups,dc=example,dc=com
   ou: Groups
   objectClass: organizationalUnit
   objectClass: top

   dn: cn=openidm,ou=Groups,dc=example,dc=com
   uniqueMember: uid=jdoe,ou=People,dc=example,dc=com
   cn: openidm
   objectClass: groupOfUniqueNames
   objectClass: top

   dn: cn=openidm2,ou=Groups,dc=example,dc=com
   uniqueMember: uid=bjensen,ou=People,dc=example,dc=com
   cn: openidm2
   objectClass: groupOfUniqueNames
   objectClass: top
   ```

   The user with DN `uid=jdoe,ou=People,dc=example,dc=com` is also imported with the `Example.ldif` file.

   There is an additional user, `bjensen`, in the sample LDIF file. This user is essentially a "dummy" user, provided for compliance with RFC 4519, which stipulates that every `groupOfUniqueNames` object must contain at least one `uniqueMember`. `bjensen` is not actually used in this sample.

2. [Prepare IDM](start-here.html#preparing-openidm), and start the server using the sample configuration:

   ```bash
   cd /path/to/openidm/
   ./startup.sh -p samples/sync-with-ldap-groups
   ```

## Run the sample

> **Note**
>
> Starting with IDM 8.1, the [legacy admin UI is deprecated](../release-notes/deprecated-functionality.html#legacy-admin-ui-deprecated) and is no longer bundled with IDM. New deployments should use the [Platform admin UI](../setup-guide/platform-admin-ui.html), which is the replacement for the legacy admin UI. Both UIs are available as separate downloads from the [Backstage download site](https://backstage.forgerock.com/downloads):
>
> - To install the Platform admin UI, follow the steps in [Install the Platform admin UI for standalone IDM](../setup-guide/platform-admin-ui.html).
> - To continue using the legacy admin UI, follow the steps in [Install the legacy admin UI](../setup-guide/legacy-admin-ui.html).

You can run this sample using the command line or admin UI:

> **Collapse: Use the command line**
>
> 1. Reconcile the group objects over the REST interface:
>
>    ```
>    curl \
>    --header "X-OpenIDM-Username: openidm-admin" \
>    --header "X-OpenIDM-Password: openidm-admin" \
>    --header "Accept-API-Version: resource=1.0" \
>    --request POST \
>    "http://localhost:8080/openidm/recon?_action=recon&mapping=systemLdapGroups_managedGroup&waitForCompletion=true"
>    {
>      "_id": "83f5b34b-0ddd-4c39-9349-de24816487ff-1198",
>      "state": "SUCCESS"
>    }
>    ```
>
>    The reconciliation operation returns a reconciliation run ID along with operation status, and creates managed group objects for each group that exists in DS.
>
> 2. To list the managed groups, run the following command:
>
>    ```
>    curl \
>    --header "X-OpenIDM-Username: openidm-admin" \
>    --header "X-OpenIDM-Password: openidm-admin" \
>    --header "Accept-API-Version: resource=1.0" \
>    --request GET \
>    "http://localhost:8080/openidm/managed/group?_queryFilter=true"
>    {
>      "result": [
>        {
>          "_id": "b6c4d7ce-2103-42c2-b5f2-74ca9309ad37",
>          "_rev": "000000001298f6a6",
>          "dn": "cn=Contractors,ou=Groups,dc=example,dc=com",
>          "description": null,
>          "uniqueMember": [],
>          "name": "Contractors"
>        },
>        {
>          "_id": "2326b9ee-6975-4c19-aa3c-d228afc4ff71",
>          "_rev": "00000000dc6160c8",
>          "dn": "cn=openidm2,ou=Groups,dc=example,dc=com",
>          "description": null,
>          "uniqueMember": [
>            "uid=bjensen,ou=People,dc=example,dc=com"
>          ],
>          "name": "openidm2"
>        },
>        {
>          "_id": "035f6444-bce3-4931-96b7-e10b2301fe74",
>          "_rev": "000000004cab60c8",
>          "dn": "cn=Employees,ou=Groups,dc=example,dc=com",
>          "description": null,
>          "uniqueMember": [],
>          "name": "Employees"
>        },
>        {
>          "_id": "65c8fb86-01e6-4fca-9237-e50c251f4575",
>          "_rev": "0000000050c62938",
>          "dn": "cn=Chat Users,ou=Groups,dc=example,dc=com",
>          "description": null,
>          "uniqueMember": [],
>          "name": "Chat Users"
>        },
>        {
>          "_id": "5c3e4965-16d7-4a8f-af73-3ab165b66cf9",
>          "_rev": "000000004121fb7e",
>          "dn": "cn=openidm,ou=Groups,dc=example,dc=com",
>          "description": null,
>          "uniqueMember": [
>            "uid=jdoe,ou=People,dc=example,dc=com"
>          ],
>          "name": "openidm"
>        }
>      ],
>      ...
>    }
>    ```

> **Collapse: Use the admin UI**
>
> 1. Log in to the admin UI.
>
> 2. From the navigation bar, click Configure > Mappings.
>
>    The Mappings page displays three configured mappings:
>
>    * From the `ldap` server user accounts to the IDM repository (`managed/user`).
>
>    * From the IDM managed users back to the `ldap` accounts.
>
>    * From the `ldap` server group entries to the IDM `managed/group` entries.
>
> 3. Select the LDAP groups to managed groups mapping, and click Reconcile.
>
>    The reconciliation operation creates the two groups from the LDAP server in the IDM repository.
>
> 4. From the navigation bar, click Manage > Group.
>
>    IDM displays the five groups from the LDAP server (source) that were reconciled to the IDM repository (target).
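
After running the reconciliation from the command line, it is worth checking that every `groupOfUniqueNames` entry in `Example.ldif` now has a managed group with the same `uniqueMember` values. The script below is an added example, not part of the PingIDM sample: it parses the group entries from an LDIF excerpt and compares them with a `managed/group?_queryFilter=true` result. Both inputs are constructed inline (with placeholder `_id` values) so it runs offline; in practice you would feed it the sample LDIF file and the JSON returned by the `curl` query in step 2.

```python
# Added example (not the PingIDM sample's code): verify recon created every LDIF group with matching members.
import json
# Constructed excerpt of data/Example.ldif (the entries shown under "Prepare the sample").
SAMPLE_LDIF = """\
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit

dn: cn=openidm,ou=Groups,dc=example,dc=com
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com
cn: openidm
objectClass: groupOfUniqueNames

dn: cn=openidm2,ou=Groups,dc=example,dc=com
uniqueMember: uid=bjensen,ou=People,dc=example,dc=com
cn: openidm2
objectClass: groupOfUniqueNames
"""

# Constructed managed/group query result (placeholder ids); openidm2 deliberately has no members so the check flags it.
MANAGED_GROUPS_JSON = json.dumps({"result": [
    {"_id": "id-1", "dn": "cn=openidm,ou=Groups,dc=example,dc=com", "name": "openidm",
     "uniqueMember": ["uid=jdoe,ou=People,dc=example,dc=com"]},
    {"_id": "id-2", "dn": "cn=openidm2,ou=Groups,dc=example,dc=com", "name": "openidm2",
     "uniqueMember": []},
]})

def parse_ldif_groups(ldif_text):
    """Return {dn: set(uniqueMember)} for each blank-line separated groupOfUniqueNames entry."""
    # A repeated attribute is multi-valued; base64 ("::") values and continuation lines are not handled (unused in the sample).
    groups, entry = {}, {}
    for line in ldif_text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "groupOfUniqueNames" in entry.get("objectClass", []):
                groups[entry["dn"][0]] = set(entry.get("uniqueMember", []))
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return groups

def compare_groups(ldif_text, managed_json):
    """Return LDIF groups missing from IDM and, per existing group, members that differ."""
    expected = parse_ldif_groups(ldif_text)
    actual = {g["dn"]: set(g.get("uniqueMember") or [])
              for g in json.loads(managed_json)["result"]}
    missing = sorted(dn for dn in expected if dn not in actual)
    drift = {dn: sorted(expected[dn] ^ actual[dn])  # members present on only one side
             for dn in expected if dn in actual and expected[dn] != actual[dn]}
    return {"missing": missing, "membership_drift": drift}
```

A non-empty `missing` list means a source group was not created in the target; a non-empty `membership_drift` entry means the group exists but its `uniqueMember` values no longer match the directory.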
