Configuring a correlated LDAP data view - PingDirectory

Configuring a correlated LDAP data view - PingDirectory - 9.0

PingDirectory

bundle

pingdirectory-90

ft:publication_title

PingDirectory

Product_Version_ce

PingDirectory 9.0

category

Product

pd-90

pingdirectory

ContentType_ce

Page created: 26 Jul 2021 |

Page updated: 27 Feb 2023

| 4 min read

9.0 Product PingDirectory

The following example shows how to add a correlated LDAP data view to a LDAP mapping SCIM resource type on a PingDirectory server. The SCIM resource type will be a user, and the correlated LDAP data view will allow access to a document that matches their user ID.

In this example, a new PingDirectory server is set up using custom sample data. When configuring the correlation, administrators should use attributes that are inherently either immutable or non-volatile, such as uid or entryUUID. This prevents errors produced by a conflict between the values of primary and secondary correlation attributes.

Note:

Administrators can make the correlation SCIM attributes immutable by setting the --set mutability:read-only property when defining an attribute in the SCIM schema configuration. That way, SCIM requests cannot modify the values of those attributes.

Copy the following text into the server root directory and save it as entries.ldif.template:

define suffix=dc=example,dc=com
define maildomain=example.com
define numusers=101

branch: [suffix]
subordinateTemplate: admin:1
aci: (targetattr="*")(version 3.0; acl "Grant full access for the scim2allaccess OAuth 2 scope"; allow (all) oauthscope="scim2allaccess";)

branch: ou=People,[suffix]
subordinateTemplate: person:[numusers]

branch: ou=Documents,[suffix]
subordinateTemplate: document:[numusers]

template: admin
rdnAttr: uid
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: admin
givenName: Admin
sn: User
cn: Admin User
userPassword: password

template: person
rdnAttr: uid
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
employeeNumber: <sequential:0>
uid: user.{employeeNumber}
sn: {uid}
cn: {uid}
userPassword: password

template: document
rdnAttr: documentIdentifier
objectClass: top
objectClass: document
documentIdentifier: user.<sequential:0>
description: This is the description for the document {documentIdentifier} under ou=Documents,dc=example,dc=com.

Run the following command:

$ bin/make-ldif --templateFile entries.ldif.template --ldifFile entries.ldif

Run setup for the PingDirectory server.

Make sure to import the created entries.ldif file and set up encryption settings. After this is done, set up the SCIM resource type and the Correlated LDAP Data View.

Run the following command to define the SCIM schema:

"dsconfig create-scim-schema --schema-name urn:example:Users \
  --set "description:Users schema" --set display-name:Users
dsconfig create-scim-attribute --schema-name urn:example:Users \
  --attribute-name email --set required:true --set multi-valued:true
dsconfig create-scim-attribute --schema-name urn:example:Users \
  --attribute-name uid --set required:true --set mutability:read-only
dsconfig create-scim-attribute --schema-name urn:example:Users \
  --attribute-name documentId 
dsconfig create-scim-attribute --schema-name urn:example:Users \
  --attribute-name documentDescription"

Run the following command to create the SCIM resource type:

dsconfig create-scim-resource-type \
  --type-name Users \
  --type ldap-mapping \
  --set core-schema:urn:example:Users \
  --set enabled:true \
  --set endpoint:Users \
  --set structural-ldap-objectclass:inetOrgPerson \
  --set include-base-dn:ou=people,dc=example,dc=com \
  --set create-dn-pattern:entryUUID=generated,ou=people,dc=example,dc=com

Run the following command to create the Correlated LDAP Data View:

dsconfig create-correlated-ldap-data-view \
  --type-name Users \
  --view-name Document \
  --set structural-ldap-objectclass:document \
  --set include-base-dn:ou=documents,dc=example,dc=com \
  --set create-dn-pattern:entryUUID=generated,ou=documents,dc=example,dc=com \
  --set primary-correlation-attribute:uid \
  --set secondary-correlation-attribute:documentIdentifier

Run the following command to create the attribute mappings for the SCIM resource type attributes.

Note that the correlated-ldap-data-view property is not set.

# The uid attribute, provided by the base SCIM Resource Type
dsconfig create-scim-attribute-mapping --type-name Users \
  --mapping-name uid \
  --set scim-resource-type-attribute:uid --set ldap-attribute:uid \
  --set writable:false --set searchable:true

# The email attribute, provided by the base SCIM Resource Type
dsconfig create-scim-attribute-mapping --type-name Users \
  --mapping-name email \
  --set scim-resource-type-attribute:email --set ldap-attribute:mail \
  --set searchable:true

Run the following command to create the DocumentId attribute mapping for the correlated LDAP data view attributes.

Note:

The only meaningful difference between mappings for SCIM resource type attributes and correlated LDAP data view attributes is the value of the correlated-ldap-data-view property.

# The documentId attribute
dsconfig create-scim-attribute-mapping --type-name Users \
  --mapping-name document.id \
  --set correlated-ldap-data-view:Document \
  --set scim-resource-type-attribute:documentId --set ldap-attribute:documentIdentifier

# The documentDescription attribute
dsconfig create-scim-attribute-mapping --type-name Users \
  --mapping-name description \
  --set correlated-ldap-data-view:Document \
  --set scim-resource-type-attribute:documentDescription \
  --set ldap-attribute:description

Run the following command to send a SCIM request:

curl -k -X GET \
  https://localhost:8443/scim/v2/Users \
  -H 'Authorization: Bearer {"active":true, "scope":"scim2allaccess"}'

The response should look similar to the following. Notice that 'uid' and 'documentId' have the same value, as they are in a correlation attribute pair.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 101,
    "Resources": [
        {
            "uid": "user.8",
            "id": "3715c022-1f34-36d9-bebc-7e74912106ec",
            "documentDescription": "This is the description \
            for the document user.8 under ou=Documents,dc=example,dc=com.,
            "documentId": "user.8",
            "meta": {
                "resourceType": "Users",
                "location": "https://localhost:8443/scim/v2/Users/3715c022-1f34-36d9-bebc-7e74912106ec"
            },
            "schemas": [
                "urn:example:Users"
            ]
        },
    ... 
}