How To Create and Deploy a Custom LDAP Connector to Manage an Additional Symantec Identity Suite User Directory

Part One

Use Case

You have one or more LDAP repositories that you would like to manage within your Symantec Identity Manager infrastructure. Each LDAP directory has unique schemas and sets of attributes that need to be managed.

The Connector Xpress Utility within Symantec Identity Manager provides the mechanism to create custom connectors for individual LDAP repositories with unique schemas and attributes that need to be managed.

In this example, we will be working with the Symantec Identity Manager User Directory from another environment. The user management scenario is that a set of users managed within one Identity Management environment (IME) needs to be created and managed within the User Directory of a different IME and its set of customer applications (which are protected by SiteMinder and use that other User Directory as the user repository for authentication and authorization).

Note: any LDAP repository can be used. The object class and attribute names to be managed will differ from those shown here, but the steps to define a custom connector for an LDAP repository remain the same.

Need to Know

These steps rely on the implementer having knowledge of Connector Xpress and creating and deploying new connectors generated with Connector Xpress. For full documentation (and clarification while creating a connector definition following these steps), please refer to this document.

Prerequisites 

Symantec Identity Manager is deployed, and the Connector Xpress tools are installed and available within the infrastructure.

Instructions

Create Datasource

When creating a new connector for LDAP (JNDI), the first step is to create a JNDI Datasource. For the Dev environment (the first environment where Symantec Identity Manager is implemented and a non-production LDAP instance is available), the following is the required information.

Define Object Class(es) to be Managed

Next, create a new connector definition and use the “External User Store (DEV)” datasource created above. Set the mapped classes to (User Account: imUser and User Group: groupOfUniqueNames):

Note: For the remainder of this document, we are working with a connector named “ESI External User Store”. In your environment, you will name your connector according to the particular LDAP to be managed.

On the User Account class screen, add imUserAux as an Auxiliary class.

On the User Group class screen, add imGroupAux as an Auxiliary class.

Map Managed User Attributes

Now, map the attributes. Pay special attention to the datatypes (string, Flexi, etc.).

Create Symantec Identity Manager Task Management Screen Definitions

Create the screens that will be loaded onto the Symantec Identity Manager task screens. Two tabs should suffice for this example connector.

Membership screen:

Map Managed Group Attributes

Define the User Group attributes. Again, pay special attention to datatypes.

Define the Associations

Direct Associations link user objects with group objects. In our case, whenever a user is added to a group, the connector adds the user's DN to the group's "unique member" attribute (physical attribute uniqueMember).

Group to User association:

Deploy this connector, connect to the endpoint, explore the endpoint (there is no need to correlate), and then perform basic testing of its functions.

Conclusion

At this point, the connector will create and manage users with imUser and imUserAux object classes within the LDAP repository. Since these object classes are auxiliaries of inetOrgPerson, new entries are technically correct within LDAP because the inheritance is assumed but not explicitly listed on the entries.

However, SiteMinder Federation and other applications that absolutely require the inetOrgPerson object class to be present on an entry will not work with the user entries created by this connector. Those users also need the object class inetOrgPerson explicitly defined on each entry. Connector Xpress, out of the box, is not capable of forcing the inetOrgPerson object class to be written to an entry.
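As an added example (not code from the article or from Connector Xpress), the following Python script parses a constructed LDIF export of the managed directory and flags the two things the basic testing step and this conclusion care about: imUser entries with no explicit inetOrgPerson object class, and uniqueMember DNs on a groupOfUniqueNames that point at no entry in the export. The sample entries and DNs are constructed, and matching DNs by case-folding alone is an assumption that holds for an export taken from a single directory.

```python
# Constructed sample export (not from the article): two users, one group.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: imUser
objectClass: imUserAux

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: imUser
objectClass: imUserAux

dn: cn=app-users,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: imGroupAux
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com
uniqueMember: uid=carol,ou=people,
 dc=example,dc=com
"""
def parse_ldif(text):  # -> {dn: {attr_lower: [values]}}
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # RFC 2849 folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()  # attribute names are case-insensitive
        if not attr:  # blank line ends the current entry
            current = None
        elif attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries
def audit(entries):  # -> (imUser DNs lacking inetOrgPerson, (group DN, member DN) pairs with no entry)
    known = {dn.lower() for dn in entries}  # assumption: case-folding is enough to match DNs here
    missing, dangling = [], []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "imuser" in classes and "inetorgperson" not in classes:
            missing.append(dn)
        if "groupofuniquenames" in classes:
            for member in attrs.get("uniquemember", []):
                if member.lower() not in known:
                    dangling.append((dn, member))
    return sorted(missing), sorted(dangling)
```

Run `audit(parse_ldif(open("export.ldif").read()))` against a real export; on the constructed sample it reports bob as lacking inetOrgPerson and carol as a dangling group member.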

Please refer to the next article, Add inetOrgPerson objectClass to all Users Created with a Custom JNDI Connector, which details how to add inetOrgPerson as an object class to all users that are created via this connector. 

Looking for additional help with a custom LDAP connector or Symantec Identity Manager? ISX is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including identity management. Take your interoperability to the next level, and contact an ISX consultant today.
