Generic LDAP Connector for FIM 2010 R2 Technical Reference
The objective of this document is to provide you with the reference information that is required to deploy the Generic LDAP connector for Microsoft® Forefront® Identity Manager (FIM) 2010 R2.
When referring to IETF RFCs, this document uses the format (RFC <RFC number>/<section in RFC document>), e.g. (RFC 4512/4.3).
You can find more information at http://tools.ietf.org/html/rfc4500 (you need to replace 4500 with the correct RFC number).
Overview of the Generic LDAP Connector
The Generic LDAP connector enables you to manage LDAP resources using FIM 2010. The connector is available as a download from the Microsoft Download Center.
From a high-level perspective, the following features are supported by the current release of the connector:
- FIM 2010 R2 hotfix 4.1.3461.0 or later (KB2870703)
- Connect to data source: LDAP v3 server (RFC 4510 compliant)
Certain operations and schema elements, such as those needed to perform delta import, are not specified in the IETF RFCs. For these operations, only the LDAP directories explicitly specified are supported.
The Management Agent overview page lists LDAP directories this Connector has been tested with.
The following operations are supported on all LDAP directories:
The following operations are only supported on specified directories:
Supported Directories for Delta import and Password management:
Connected Data Source Requirements
In order to manage objects using a FIM 2010 connector, you need to make sure that all requirements of the connected data source are fulfilled.
This includes tasks such as opening the required network ports and granting the necessary permissions.
The objective of this section is to provide an overview of the requirements of a connected data source to perform the desired operations.
Detecting the LDAP server
The Connector relies upon a variety of techniques to detect and identify the LDAP server.
The Connector uses the Root DSE to find the vendor name and version and it inspects the schema to find unique objects and attributes known to exist in certain LDAP servers.
This data, if found, is used to pre-populate the configuration options in the Connector.
Connected Data Source Permissions
To perform import and export operations on the objects in the connected directory, the connector account must have sufficient permissions.
The connector will need write permissions to be able to export, and read permissions to be able to import. Permission configuration is performed within the management experiences of the target directory itself.
Ports and Protocols
The connector uses the port number specified in the configuration, which by default is 389 for LDAP and 636 for LDAPS.
For LDAPS, you must use SSL 3.0 or TLS. SSL 2.0 is not supported and cannot be activated.
The following LDAP features are not supported:
- LDAP referrals between servers (RFC 4511/4.1.10). It is recommended that you configure a separate connection for each naming context.
Required controls and features
The following LDAP controls/features must be available on the LDAP server for the connector to work properly:
- 1.3.6.1.4.1.4203.1.5.3 True/False filters
If you use a directory where a unique identifier is the anchor the following must also be available (see the Configure Anchors section later in this guide for more information):
- 1.3.6.1.4.1.4203.1.5.1 All operational attributes
If the directory has more objects than what can fit in one call to the directory, then one of the following options must be supported for the connector to be able to retrieve all objects:
- 1.2.840.113556.1.4.319 pagedResultsControl
- 2.16.840.1.113730.3.4.9 VLVControl together with 1.2.840.113556.1.4.473 SortControl
If both options are enabled in the connector configuration, only pagedResultsControl will be used.
The connector tries to detect whether these options are present on the server. If they cannot be detected, a warning is shown on the Global page in the connector’s properties. Not all LDAP servers advertise all the controls and features they support, so the connector might work without issues even when this warning is present.
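The detection and warning logic described in this section and in the Root DSE discussion above can be exercised offline. The following is an added example, not code from the connector or from Microsoft: it parses a Root DSE exported as LDIF (the sample is constructed), reads vendorName and vendorVersion the way the detection step does, and reports which of the required OIDs are advertised in supportedControl and supportedFeatures, applying the rule that pagedResultsControl is preferred over the VLVControl/SortControl pair. The function names (parse_root_dse, check_root_dse) and the sample are this example's own; the OIDs are the standard ones assigned by their RFCs.

```python
"""Check a captured Root DSE for the controls and features the connector expects.

Added example, not code from the connector or from Microsoft. Parses a Root DSE
exported as LDIF (constructed sample below) and reports which required OIDs are
advertised, the way the warning on the Global page does.
"""
from typing import Dict, List

# Standard OIDs of the controls/features named on this page.
TRUE_FALSE_FILTERS = "1.3.6.1.4.1.4203.1.5.3"     # RFC 4526, a feature
ALL_OPERATIONAL_ATTRS = "1.3.6.1.4.1.4203.1.5.1"  # RFC 3673, a feature
PAGED_RESULTS = "1.2.840.113556.1.4.319"          # RFC 2696, a control
VLV_CONTROL = "2.16.840.1.113730.3.4.9"           # VLV draft, a control
SORT_CONTROL = "1.2.840.113556.1.4.473"           # RFC 2891, a control

# Constructed sample; not captured from any real directory.
SAMPLE_ROOT_DSE = """\
dn:
vendorName: Example Directory Vendor
vendorVersion: 9.1
supportedLDAPVersion: 3
namingContexts: dc=contoso,dc=com
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
"""


def parse_root_dse(ldif_text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader for the single Root DSE entry.

    Repeated attributes are collected into lists; attribute names are
    lower-cased. Base64 ('::') and URL (':<') values are not decoded, since
    the Root DSE attributes used here are plain strings.
    """
    attrs: Dict[str, List[str]] = {}
    for raw in ldif_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() == "dn":
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_root_dse(ldif_text: str, anchor_is_unique_id: bool = True) -> Dict[str, object]:
    """Apply the rules from the text above; return detection results and the
    warnings the Global page would show.

    anchor_is_unique_id: the directory uses an immutable identifier rather
    than the DN as anchor, so all-operational-attributes is also required.
    """
    attrs = parse_root_dse(ldif_text)
    controls = set(attrs.get("supportedcontrol", []))
    features = set(attrs.get("supportedfeatures", []))
    # Checked against both attributes to be lenient about where a server lists them.
    advertised = controls | features
    warnings: List[str] = []

    if TRUE_FALSE_FILTERS not in advertised:
        warnings.append("true/false filters (%s) not advertised" % TRUE_FALSE_FILTERS)
    if anchor_is_unique_id and ALL_OPERATIONAL_ATTRS not in advertised:
        warnings.append("all operational attributes (%s) not advertised" % ALL_OPERATIONAL_ATTRS)

    # A large directory needs some way to page results; pagedResultsControl
    # wins when both it and the VLV/Sort pair are available.
    paged = PAGED_RESULTS in controls
    vlv_sort = VLV_CONTROL in controls and SORT_CONTROL in controls
    if paged:
        paging = "pagedResultsControl"
    elif vlv_sort:
        paging = "VLVControl+SortControl"
    else:
        paging = "none"
        warnings.append("neither pagedResultsControl nor VLVControl+SortControl "
                        "advertised; a large directory may fail to import")

    return {
        "vendor": attrs.get("vendorname", [""])[0],
        "version": attrs.get("vendorversion", [""])[0],
        "paging": paging,
        "warnings": warnings,
    }


if __name__ == "__main__":
    result = check_root_dse(SAMPLE_ROOT_DSE)
    print(result["vendor"], result["version"], "paging:", result["paging"])
    for w in result["warnings"]:
        print("WARNING:", w)
```

Run against the sample, the check reports pagedResultsControl as the paging method (SortControl alone does not count) and warns that the all-operational-attributes feature is missing, which only matters when the anchor is a unique identifier rather than the DN. As the text notes, a warning here is advisory: a server that simply does not advertise a feature may still honour it.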
Delta import is only available when a supported directory has been detected. The following methods are currently used:
- LDAP Changelog (http://tools.ietf.org/html/draft-good-ldap-changelog-04)
- For Novell eDirectory, the Connector uses the last date/time to get created and updated objects. Novell eDirectory does not provide an equivalent means to retrieve deleted objects.
Before you can start with the installation of a connector, you need to make sure that the deployment prerequisites are satisfied. The objective of this section is to give you an overview of what these prerequisites are and to provide you with the required information to install and configure your Generic LDAP connector.
The following features must be installed on your FIM 2010 server:
- Microsoft .NET 4.0 Framework
- FIM Synchronization Service (FIM 2010 R2 hotfix 4.1.3461.0 or later)
Connector Installation and Configuration
The Generic LDAP connector is available as a downloadable MSI package from Microsoft Download Center.
This section provides an overview of the Generic LDAP connector installation and configuration.
The Generic LDAP connector is a standalone setup package available from Microsoft Download Center. The connector is installed at the location:
%Program Files%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions.
You configure your Generic LDAP connector by using the Management Agent Designer.
In the following sections, you will find configuration details for some of the designer’s configuration pages.
Create Management Agent
On this dialog page, you select the connector type (Generic LDAP (Microsoft)) and you provide the name of your connector:
On the Connectivity page, you must specify the Host, Port and Binding information.
Depending on which Binding is selected, additional information might be supplied in the following sections.
The Connection Timeout setting is only used for the first connection to the server when detecting the schema.
If Binding is Anonymous, neither the username/password nor a certificate is used.
For other bindings, enter a username and password or select a certificate.
If you are using Kerberos to authenticate, also provide the Realm/Domain of the user.
The attribute aliases text box is used for attributes defined in the schema with RFC 4522 syntax.
These cannot be detected during schema detection, and the Connector needs help to identify them.
For example, the following must be entered in the attribute aliases box to correctly identify the userCertificate attribute as a binary attribute:
The following is an example of how this could look:
Select the “include operational attributes in schema” checkbox to also include attributes created by the server, such as the time the object was created and last updated.
Select “Include extensible attributes in schema” if extensible objects (RFC 4512/4.3) are used; this allows any attribute to be used on any object.
Selecting this option makes the schema very large, so unless the connected directory uses this feature the recommendation is to leave the option unselected.
On the Global Parameters page, you configure the DN to the delta change log and additional LDAP features. The page will be pre-populated with the information provided by the LDAP server.
The top section shows information provided by the server itself, such as the name of the server.
The Connector will also verify that the mandatory controls are present in the Root DSE.
If these are not listed, a warning will be presented as in the picture above.
Some LDAP directories will not list all features in the Root DSE and it is possible that the Connector will work without issues even if this warning is present.
The supported controls checkboxes control the behavior for certain operations:
- With tree delete selected, a hierarchy is deleted with one LDAP call. With tree delete unselected, the connector performs a recursive delete if needed.
- With paged results selected, the Connector performs paged imports with the page size specified on the run steps.
- The VLVControl and SortControl are an alternative to the pagedResultsControl for reading data from the LDAP directory.
If all three options (pagedResultsControl, VLVControl, and SortControl) are unselected, the Connector imports all objects in one operation, which might fail for a large directory.
The change log DN is the naming context used by the delta change log, e.g. cn=changelog. You need to specify this value to be able to do delta import.
The following is a list of default change log DNs:
| Directory | Delta change log |
Not available. The Connector will use last updated date/time to get add and updated records.
IBM Tivoli DS
Not automatically detected. Default value to use: cn=accesslog
The password attribute is the name of the attribute the Connector should use to set the password in password change and password set operations.
This is by default set to userPassword but can be changed if needed for a particular LDAP system.
In the additional partitions list it is possible to add additional namespaces not automatically detected.
This can, for example, be used if several servers make up a logical cluster which should all be imported at the same time.
Just as Active Directory can have multiple domains in one forest but all domains share one schema, the same can be simulated by entering the additional namespaces in this box.
Each namespace can import from different servers and will further be configured on the Configure Partitions and Hierarchies page.
Configure Provisioning Hierarchy
This page is used to map the DN component, e.g. OU, to the object type which should be provisioned, e.g. organizationalUnit.
By configuring provisioning hierarchy you can configure the Connector to automatically create a structure when needed. For example if there is a namespace dc=contoso,dc=com and a new object cn=Joe, ou=Seattle, c=US, dc=contoso, dc=com is provisioned, then the Connector can create a new object of type country for US and an organizationalUnit for Seattle if those are not already present in the directory.
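The parent-creation behaviour described above can be worked through for the page's own DN. The following is an added example, not code from the connector: given the DN-component-to-object-type mapping configured on this page, the namespace, and the set of containers that already exist, it returns the missing ancestors in creation order (topmost first), so for cn=Joe, ou=Seattle, c=US, dc=contoso, dc=com it yields the country object for US and then the organizationalUnit for Seattle. The mapping table, the function names (split_dn, normalize_dn, missing_containers) and the sample DNs are this example's assumptions; a DN component with no mapping is reported as an error because the connector has nothing to provision for it.

```python
"""Compute the containers a provisioning hierarchy would create for a new DN.

Added example, not code from the connector. It applies a DN component -> object
type mapping (as configured on the Configure Provisioning Hierarchy page) to a
DN being provisioned and returns the ancestors that do not exist yet.
"""
from typing import Dict, List, Set, Tuple

# Hypothetical mapping, as the page would be configured for the example DN.
HIERARCHY: Dict[str, str] = {
    "ou": "organizationalUnit",
    "c": "country",
    "o": "organization",
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas (RFC 4514) and trim spacing.

    Backslash-escaped commas stay inside their RDN; quoted or hex-escaped
    forms are not handled by this minimal splitter.
    """
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical spacing so 'ou=Seattle, c=US' and 'ou=Seattle,c=US' compare equal."""
    return ",".join(split_dn(dn))


def missing_containers(new_dn: str, namespace: str, existing: Set[str],
                       hierarchy: Dict[str, str] = HIERARCHY) -> List[Tuple[str, str]]:
    """Return [(container_dn, object_class), ...] for every ancestor between the
    namespace and the new object that is not in `existing`, topmost first.

    Raises ValueError when the DN lies outside the namespace or an ancestor's
    attribute type has no mapping (the connector could not create it).
    """
    rdns = split_dn(new_dn)
    ns_rdns = split_dn(namespace)
    if [r.lower() for r in rdns[-len(ns_rdns):]] != [r.lower() for r in ns_rdns]:
        raise ValueError("%s is not under namespace %s" % (new_dn, namespace))

    existing_norm = {normalize_dn(d).lower() for d in existing}
    # Ancestors exclude the leaf RDN and the namespace RDNs.
    ancestors = rdns[1:len(rdns) - len(ns_rdns)]
    to_create: List[Tuple[str, str]] = []
    # Walk from the namespace downwards so parents precede children.
    for i in range(len(ancestors) - 1, -1, -1):
        container_dn = ",".join(ancestors[i:] + ns_rdns)
        if container_dn.lower() in existing_norm:
            continue
        attr_type = ancestors[i].split("=", 1)[0].strip().lower()
        if attr_type not in hierarchy:
            raise ValueError("no object type mapped for DN component '%s'" % attr_type)
        to_create.append((container_dn, hierarchy[attr_type]))
    return to_create


if __name__ == "__main__":
    plan = missing_containers("cn=Joe, ou=Seattle, c=US, dc=contoso, dc=com",
                              "dc=contoso,dc=com", {"dc=contoso,dc=com"})
    for dn, object_class in plan:
        print("create", object_class, dn)
```

Because the walk starts at the namespace, an existing c=US container is simply skipped and only ou=Seattle is planned, which mirrors the "if those are not already present" condition in the text.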
Configure Partitions and Hierarchies
On the partitions and hierarchies page, select all namespaces with objects you plan to import and export.
For each namespace it is also possible to configure connectivity settings that override the values specified on the Connectivity screen. If these values are left at their default (blank) values, the information from the Connectivity screen is used.
It is also possible to select which containers and OUs the Connector should import from and export to.
This page always has a preconfigured value, which cannot be changed. If the server vendor and version have been identified, this might be populated with an immutable attribute, e.g. the GUID of an object. If the server has not been detected, or is known not to have an immutable attribute, the connector uses dn (distinguished name) as the anchor.
The following is a list of LDAP servers and the anchor being used:
IBM Tivoli DS
Object Lifecycle Management
This section provides information on aspects that are specific to this Connector or that are for other reasons important to know.
The delta watermark in Open LDAP is UTC date/time. For this reason, the clocks between FIM Synchronization Service and the Open LDAP must be synchronized. If not, some entries in the delta change log might be omitted.
For Novell eDirectory the delta import will not detect any object deletes. For this reason it is necessary to run a full import periodically to find all deleted objects.
For directories with a delta change log that is based on date/time, it is highly recommended to run a full import periodically to find any dissimilarities between the LDAP server and what is currently in the connector space.
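The two cautions above can be made concrete. The following is an added example, not code from the connector: it models a date/time delta watermark expressed as a UTC GeneralizedTime (RFC 4517, e.g. 20140115103000Z), shows how an entry is omitted when the directory's clock runs behind the synchronization server's, and then compares a full import against the connector space to find the deletes a timestamp-based delta cannot report. The entries, the watermark, the optional skew margin and the function names (parse_generalized_time, delta_import, reconcile_full_import) are this example's own constructions; the connector itself relies on synchronized clocks rather than a margin.

```python
"""Timestamp-based delta import and full-import reconciliation.

Added example, not code from the connector. Models a UTC date/time watermark
(RFC 4517 GeneralizedTime) and a full-import comparison against the
connector space. All entries and names below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value: str) -> datetime:
    """Parse the whole-second UTC form of GeneralizedTime used by modifyTimestamp."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def delta_import(entries: Dict[str, Dict[str, str]], watermark: str,
                 skew_margin_seconds: int = 0) -> List[str]:
    """Return the DNs a delta run would pick up: every entry whose
    modifyTimestamp is at or after the watermark minus an optional margin.

    Equivalent to the search filter (modifyTimestamp>=<cutoff>). With a zero
    margin, an entry stamped earlier than the watermark by a slow server
    clock is silently skipped, which is the omission the text warns about.
    """
    cutoff = parse_generalized_time(watermark) - timedelta(seconds=skew_margin_seconds)
    return [dn for dn, attrs in entries.items()
            if parse_generalized_time(attrs["modifyTimestamp"]) >= cutoff]


def reconcile_full_import(connector_space: Set[str],
                          server_dns: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Compare a full import against the connector space.

    Returns (deleted_on_server, not_yet_in_connector_space): the first set is
    what a timestamp-based delta can never report, the second is any drift
    that a missed delta left behind.
    """
    return connector_space - server_dns, server_dns - connector_space


# Constructed scenario. The sync service recorded its watermark at 10:30:00Z.
# The directory's clock runs 90 s behind, so bob, modified just after that run
# by the sync server's clock, is stamped 10:29:00Z on the server.
WATERMARK = "20140115103000Z"
SERVER_ENTRIES = {
    "cn=alice,ou=people,dc=contoso,dc=com": {"modifyTimestamp": "20140115101500Z"},
    "cn=bob,ou=people,dc=contoso,dc=com": {"modifyTimestamp": "20140115102900Z"},
    "cn=carol,ou=people,dc=contoso,dc=com": {"modifyTimestamp": "20140115103500Z"},
}
# dave was deleted on the server since the last full import; carol is new.
CONNECTOR_SPACE = {
    "cn=alice,ou=people,dc=contoso,dc=com",
    "cn=bob,ou=people,dc=contoso,dc=com",
    "cn=dave,ou=people,dc=contoso,dc=com",
}

if __name__ == "__main__":
    print("delta, clocks assumed in sync:", delta_import(SERVER_ENTRIES, WATERMARK))
    print("delta, 2 min skew margin:", delta_import(SERVER_ENTRIES, WATERMARK, 120))
    deleted, new_on_server = reconcile_full_import(CONNECTOR_SPACE, set(SERVER_ENTRIES))
    print("deleted on server:", sorted(deleted))
    print("not yet in connector space:", sorted(new_on_server))
```

With the clocks assumed in sync, the delta run returns only carol and never sees bob's change; the full-import comparison is what surfaces dave's deletion, which is why the text asks for a periodic full import whenever the delta mechanism is date/time based.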
For information on how to enable logging to troubleshoot the connector, see How to Enable ETW Tracing for FIM 2010 R2 Connectors.
Even if the Connector lists the feature “1.3.6.1.4.1.4203.1.5.2 OC AD Lists” as mandatory on the Global page, it is actually not used.