Connecting to External Resources

Connecting to External Resources Connectors Resources OpenICF This chapter describes how to connect to external resources such as LDAP, Active Directory, flat files, and others. Configurations shown here are simplified to show essential aspects. Not all resources support all OpenIDM operations, however the resources shown here support most of the CRUD operations, and also reconciliation and LiveSync. In OpenIDM, resources are external systems, databases, directory servers, and other sources of identity data to be managed and audited by the identity management system. OpenIDM connects to resources through the identity connector framework, OpenICF. OpenICF aims to avoid the need to install agents to access resources, instead using the resources' native protocols. For example, OpenICF connects to database resources using the database's Java connection libraries or JDBC driver. It connects to directory servers over JNDI. It connects to UNIX systems by using ssh. Connectors are configured through files named openidm/conf/provisioner.openicf-name where name corresponds to the name of the connector. Do not include dash characters ( - ) in the connector name.

About OpenIDM & OpenICF The following figure shows how OpenIDM can connect to resources through an OpenICF server. In most cases, the OpenICF server runs as part of OpenIDM. OpenICF architecture The figure shows the basic architecture of OpenIDM with three connector servers, one built-in local Java connector server, and two remote, Java and .NET connector servers. OpenICF provides a common service provider interface to allow identity services access to the resources containing user information. OpenICF uses a connection server that can run as a local connector server inside OpenIDM, or as a remote connector server that is a stand-alone process. A remote connector server is needed when access libraries that cannot be included as part of the OpenIDM process are needed. If a resource, such as Microsoft ADSI, does not provide a connection library that can be included inside the Java Virtual Machine, then OpenICF can use the native .dll with a remote .NET connector server. (OpenICF connects to ADSI through a remote connector server implemented as a .NET service.) Not only .NET connector servers but also Java connector servers can be run as stand alone, remote services. Run them as remote services for scalability, or to have the service run in the cloud. By default and for convenience, OpenIDM includes a Java connector server that runs as a "#LOCAL" service.

Accessing Remote Connectors Connectors Remote When configuring remote connectors, the connector info provider service to connect through remote connector servers must be used. The configuration is stored in the the configuration file, openidm/conf/provisioner.openicf.connectorinfoprovider.json. A sample can be found under openidm/samples/provisioners/. The connector info provider service takes this configuration. { "connectorsLocation" : string, "remoteConnectorServers" : [remoteConnectorServer objects] } Connector Info Provider Properties connectorsLocation string, optional Specifies the directory where OpenICF connectors are located. The default location is openidm/connectors. remoteConnectorServers array of RemoteConnectorServer objects, optional A list of remote connector servers managed by this service. Remote Connector Server Properties The following example shows a remoteConnectorServer object configuration. { "name" : "testServer", "host" : "127.0.0.1", "port" : 8759, "useSSL" : false, "timeout" : 0, "key" : "Passw0rd", "trustManagers" : [ "X509TrustManager", "BlindTrustManager" ] } OpenIDM supports the following remote connector server object properties. name string, required The name of the remote connector server object. Used to identify the remote connector server in connector reference objects. host string, required Remote host to connect to. port string, optional Remote port to connect to. Default value: 8759 useSSL boolean, optional Specifies to use or not SSL to connect. Default value: false timeout integer, optional Specifies the timeout (in milliseconds) to use for the connection. Default value: 0 key string, required The secret key to use to authenticate to the remote connector server. trustManagers not specified Not implemented yet. The service uses the default JVM TrustManager.

Configuring Connectors Connectors are configured through the OpenICF provisioner service. Each configuration is stored in an extra file/object in the openidm/conf/ folder or under the same URL respectively. The file name convention is provisioner.openicf-name.json. Though the name part of the file name is free text, it must not contain any "-" character! The following example shows an OpenICF provisioner service configuration. { "name" : "xml", "connectorRef" : connector-ref-object, "poolConfigOption" : pool-config-option-object, "operationTimeout" : operation-timeout-object, "configurationProperties" : configuration-properties-object, "objectTypes" : object-types-object, "operationOptions" : operation-options-object } Connector Reference The following example shows a connector reference object. { "bundleName" : "org.forgerock.openicf.connectors.file.xml", "bundleVersion" : "", "connectorName" : "com.forgerock.openicf.xml.XMLConnector", "connectorHostRef" : "host" } bundleName string, required The ConnectorBundle-Name of the OpenICF connector. bundleVersion string, required The ConnectorBundle-Version of the OpenICF connector. connectorName string, required The Connector implementation class name. connectorHostRef string, optional The name of the RemoteConnectorServer object. If the connector server is local and the connector .jar is installed in openidm/bundle/ (currently not recommended), then the value must be "osgi:service/org.forgerock.openicf.framework.api.osgi.ConnectorManager". If the connector server is local and the connector .jar is installed in openidm/connectors/, then the value must be "#LOCAL". This is currently the default location. Pool Configuration Option The following example shows a pool configuration option object for the connection pool between OpenIDM and the OpenICF connector server. { "maxObjects" : 10, "maxIdle" : 10, "maxWait" : 150000, "minEvictableIdleTimeMillis" : 120000, "minIdle" : 1 } maxObjects Maximum number of idle and active objects. maxIdle Maximum number of idle objects maxWait The maximum time in milliseconds which the pool waits for an object before timing out. Zero means never time out. minEvictableIdleTimeMillis Maximum time in milliseconds an object can be idle before it is removed. Zero means never time out. minIdle The minimum number of idle objects. Operation Timeout This configuration sets the timeout per operation type. { "CREATE" : -1, "TEST" : -1, "AUTHENTICATE" : -1, "SEARCH" : -1, "VALIDATE" : -1, "GET" : -1, "UPDATE" : -1, "DELETE" : -1, "SCRIPT_ON_CONNECTOR" : -1, "SCRIPT_ON_RESOURCE" : -1, "SYNC" : -1, "SCHEMA" : -1 } operation-name Timeout in milliseconds A value of -1 disables the timeout. Configuration Properties This object contains the configuration for the connection between the connection server and the resource, and is therefore resource specific. The following example shows a configuration properties object for the default XML sample resource connector. { "xsdIcfFilePath": "samples/sample1/data/resource-schema-1.xsd", "xsdFilePath": "samples/sample1/data/resource-schema-extension.xsd", "xmlFilePath": "samples/sample1/data/xmlConnectorData.xml" } property Individual properties depend on the type of connector. Object Types Connectors Object types This configuration object specifies the supported object types. The property name defines the objectType used in the URI: system/$systemName/$objectType The configuration is based on JSON Schema with extensions described below. Attribute names which start and/or end with __ are resource type specific attributes used by OpenICF for particular purposes, such as __NAME__ as the naming attribute for objects on a resource. { "account" : { "$schema" : "http://json-schema.org/draft-03/schema", "id" : "__ACCOUNT__", "type" : "object", "nativeType" : "__ACCOUNT__", "properties" : { "name" : { "type" : "string", "nativeName" : "__NAME__", "nativeType" : "JAVA_TYPE_PRIMITIVE_LONG", "flags" : [ "NOT_CREATABLE", "NOT_UPDATEABLE", "NOT_READABLE", "NOT_RETURNED_BY_DEFAULT" ] }, "groups" : { "type" : "array", "items" : { "type" : "string", "nativeType" : "string" }, "nativeName" : "__GROUPS__", "nativeType" : "string", "flags" : [ "NOT_RETURNED_BY_DEFAULT" ] }, "givenName" : { "type" : "string", "nativeName" : "givenName", "nativeType" : "string" }, } } } Object Level Extensions nativeType string, optional The native OpenICF object type. Property Level Extensions nativeType string, optional The native OpenICF attribute type. nativeName string, optional The native OpenICF attribute name. flags string, optional The native OpenICF attribute flags. The required and multivalued flags are defined by the JSON schema. required = "required" : true multivalued = "type" : "array" Avoid using the dash character ( - ) in property names, like last-name, as dashes in names make JavaScript syntax more complex. If you cannot avoid the dash, then write source['last-name'] instead of source.last-name in the java script scripts. Operation Options Operation options define how to act on specified operations. You can for example deny operations on specific resources to avoid OpenIDM accidentally updating a read-only resource during a synchronization operation. { "SYNC" : { "denied" : true, "onDeny" : "DO_NOTHING", "objectFeatures" : { "__ACCOUNT__" : { "denied" : true, "onDeny" : "THROW_EXCEPTION", "operationOptionInfo" : { "$schema" : "http://json-schema.org/draft-03/schema", "id" : "FIX_ME", "type" : "object", "properties" : { "_OperationOption-float" : { "type" : "number", "nativeType" : "JAVA_TYPE_PRIMITIVE_FLOAT" } } } }, "__GROUP__" : { "denied" : false, "onDeny" : "DO_NOTHING" } } } } The list of operations is as follows. AUTHENTICATE: AuthenticationApiOp CREATE: CreateApiOp DELETE: DeleteApiOp GET: GetApiOp RESOLVEUSERNAME: ResolveUsernameApiOp SCHEMA: SchemaApiOp SCRIPT_ON_CONNECTOR: ScriptOnConnectorApiOp SCRIPT_ON_RESOURCE: ScriptOnResourceApiOp SEARCH: SearchApiOp SYNC: SyncApiOp TEST: TestApiOp UPDATE: UpdateApiOp VALIDATE: ValidateApiOp denied boolean, optional This property prevents operation execution if the value is true. onDeny string, optional If denied is true, then the service uses this value. Default value: DO_NOTHING. DO_NOTHING: On operation the service does nothing. THROW_EXCEPTION: On operation the service throws a ForbiddenException exception.

Connector Configuration Examples Connectors Examples This section explains provisioner configurations for common connectors. Also see for instructions on interactively building connector configurations.

XML File Connector The following example shows an excerpt of the provisioner configuration for an XML file connector. { "connectorRef": { "connectorHostRef": "#LOCAL", "bundleName": "org.forgerock.openicf.connectors.file.file.openicf-xml-connector", "bundleVersion": "", "connectorName": "com.forgerock.openicf.xml.XMLConnector" } } The connectorHostRef is optional if the connector server is local. The configuration properties for the XML file connector set the relative path to the file containing the identity data, and also the paths to the XML schemas required. { "configurationProperties": { "xsdIcfFilePath": "samples/sample1/data/resource-schema-1.xsd", "xsdFilePath": "samples/sample1/data/resource-schema-extension.xsd", "xmlFilePath": "samples/sample1/data/xmlConnectorData.xml" } } xmlFilePath References the XML file containing account entries xsdIcfFilePath References the XSD file defining schema common to all XML file resources. Do not change the schema defined in this file. xsdFilePath References custom schema defining attributes specific to your project

Generic LDAP Connector The following excerpt shows the connectorRef configuration property for connection to an LDAP server. When using the connect .jar provided in openidm/connectors, and when using a local connector server, the connectorHostRef property is optional. { "connectorRef": { "connectorHostRef": "#LOCAL", "connectorName": "org.identityconnectors.ldap.LdapConnector", "bundleName": "org.forgerock.openicf.connectors.ldap.openicf-ldap-connector", "bundleVersion": "" } } The following excerpt shows settings for many connector configuration properties. { "accountSynchronizationFilter": null, "passwordAttributeToSynchronize": null, "synchronizePasswords": false, "removeLogEntryObjectClassFromFilter": true, "modifiersNamesToFilterOut": [], "passwordDecryptionKey": null, "credentials": "Passw0rd", "changeLogBlockSize": 100, "baseContextsToSynchronize": [ "ou=People,dc=example,dc=com" ], "attributesToSynchronize": [ "uid", "sn", "cn", "givenName", "mail", "description" ], "changeNumberAttribute": "changeNumber", "passwordDecryptionInitializationVector": null, "filterWithOrInsteadOfAnd": false, "objectClassesToSynchronize": [ "inetOrgPerson" ], "port": 1389, "vlvSortAttribute": "uid", "passwordAttribute": "userPassword", "useBlocks": true, "maintainPosixGroupMembership": false, "failover": [], "ssl": false, "principal": "cn=Directory Manager", "baseContexts": [ "dc=example,dc=com" ], "readSchema": true, "accountObjectClasses": [ "top", "person", "organizationalPerson", "inetOrgPerson" ], "accountUserNameAttributes": [ "uid", "cn" ], "host": "localhost", "groupMemberAttribute": "uniqueMember", "accountSearchFilter": null, "passwordHashAlgorithm": null, "usePagedResultControl": false, "blockSize": 100, "uidAttribute": "entryUUID", "maintainLdapGroupMembership": false, "respectResourcePasswordPolicyChangeAfterReset": false } accountSynchronizationFilter Used during synchronization actions to filter out LDAP accounts accountObjectClasses The object classes used when creating new LDAP user objects. When specifying more than one object class, add each object class as its own property. For object classes that inherit from parents other than top, such as inetOrgPerson, specify all object classes in the class hierarchy. accountSearchFilter Search filter that accounts must match accountUserNameAttributes Attributes holding the account's user name. Used during authentication to find the LDAP entry matching the user name. attributesToSynchronize List of attributes used during object synchronization. OpenIDM ignores change log updates that do not include any of the specified attributes. If empty, OpenIDM considers all changes. baseContexts Base DNs for operations on the LDAP server baseContextsToSynchronize Base DNs for entries taken into account during synchronization blockSize Block size for simple paged results and VLV index searches, reflecting the maximum number of accounts retrieved at any one time changeLogBlockSize Block size used when fetching change log entries changeNumberAttribute Change log attribute containing the last change number credentials Password to connect to the LDAP server failover LDAP URLs specifying alternative LDAP servers to connect to if OpenIDM cannot connect to the primary LDAP server specified in the host and port properties filterWithOrInsteadOfAnd In most cases, the filter to fetch change log entries is AND-based. If this property is set, the filter ORs the required change numbers instead. groupMemberAttribute LDAP attribute holding members for non-POSIX static groups host Primary LDAP server host name maintainLdapGroupMembership If true, OpenIDM modifies group membership when entries are renamed or deleted. maintainPosixGroupMembership If true, OpenIDM modifies POSIX group membership when entries are renamed or deleted. modifiersNamesToFilterOut Use to avoid loops caused by OpenIDM's own changes objectClassesToSynchronize OpenIDM synchronizes only entries having these object classes. passwordAttribute Attribute to which OpenIDM writes the predefined PASSWORD attribute passwordAttributeToSynchronize OpenIDM synchronizes password values on this attribute. passwordDecryptionInitializationVector Initialization vector used to decrypt passwords when performing password synchronization passwordDecryptionKey Key used to decrypt passwords when performing password synchronization passwordHashAlgorithm Hash password values with the specified algorithm if the LDAP server stores them in clear text port Primary LDAP server port number principal Bind DN used to connect to the LDAP server readSchema If true, read LDAP schema from the LDAP server. removeLogEntryObjectClassFromFilter If true, the filter to fetch change log entries does not contain the changeLogEntry object class, and OpenIDM expects no entries with other object types in the change log. Default: true respectResourcePasswordPolicyChangeAfterReset If true, bind with the Password Expired and Password Policy controls, and throw PasswordExpiredException and other exceptions appropriately. ssl If true, the specified port listens for LDAPS connections. synchronizePasswords If true, synchronize passwords. uidAttribute OpenIDM maps uid to the specified attribute. useBlocks If true, use block-based LDAP controls like simple paged results and virtual list view. usePagedResultControl If true, use simple paged results rather than virtual list view when both are available. vlvSortAttribute Attribute used as the sort key for virtual list view

Active Directory Connector In contrast to most other connectors, the Active Directory connector is written not in Java, but instead in .NET. OpenICF should connect to Active Directory over ADSI, the native connection protocol for Active Directory. The connector therefore requires a connector server that has access to the ADSI .dll files. See the OpenICF Connnector Server page for instructions on installing a .NET connector server. Take care to set the key as described in the instructions. The following excerpt shows the configuration for the connector. { "connectorHostRef": "dotnet", "connectorName": "Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector", "bundleName": "ActiveDirectory.Connector", "bundleVersion": "1.0.0.6109" } The connectorHostRef must point by name to an existing connector info provider configuration, that you store in openidm/conf/provisioner.openicf.connectorinfoprovider.json. The connectorHostRef property is required as the Active Directory connector must be installed on a .NET connector server, which is always "remote" relative to OpenIDM. The following excerpt shows the configuration for the connector info provider. { "connectorsLocation": "connectors", "remoteConnectorServers": [ { "name": "dotnet", "host": "10.0.0.10", "port": 8759, "useSSL": false, "timeout": 0, "key": "Passw0rd" } ] } The following excerpt shows typical configuration properties. { "DirectoryAdminName": "EXAMPLE\\Administrator", "DirectoryAdminPassword": "passw0rd", "ObjectClass": "User", "Container": "dc=example,dc=com", "CreateHomeDirectory": true, "LDAPHostName": "127.0.0.1", "SearchChildDomains": false, "DomainName": "example", "SyncGlobalCatalogServer": null, "SyncDomainController": null, "SearchContext": "dc=example,dc=com" } DirectoryAdminName Account used to authenticate. This can be a domainname\user combination, or simply the user name. DirectoryAdminPassword Password used to authenticate ObjectClass Object class for user objects Container Base context for all searches CreateHomeDirectory When true, create a home directory for new users. LDAPHostName Use to enforce connection to a particular Active Directory server. SearchChildDomains When set to true or false, apply SyncGlobalCatalogServer and SyncDomainController settings DomainName Windows domain name SyncGlobalCatalogServer Global catalog server to use when searching child domains SyncDomainController Domain controller to use during synchronization when not searching child domains SearchContext Reserved for future use

CSV File Connector The CSV file connector often serves when importing users, either for initial provisioning or for ongoing updates. When used continuously in production, a CSV file serves as a change log, often containing only user records that changed. The following example shows an excerpt of the provisioner configuration. The default connector-jar location is now, like all other connectors, in openidm/connectors. Therefore the connectorHostRef must point to "#LOCAL". { "connectorRef": { "connectorHostRef": "#LOCAL", "connectorName": "org.forgerock.openicf.csvfile.CSVFileConnector", "bundleName": "org.forgerock.openicf.connectors.file.openicf-csvfile-connector", "bundleVersion": "" } } The following excerpt shows required configuration properties. { "configurationProperties": { "filePath": "data/hr.csv", "uniqueAttribute": "uid" } } The CSV file connector also supports a number of optional configuration properties, in addition to the required properties. encoding (optional) Default: "utf-8" fieldDelimiter (optional) Default: "," filePath (required) References the CSV file containing account entries multivalueDelimiter (optional) Used with multi-valued attributes. Default: ";" passwordAttribute (optional) Attribute containing the password. Use when password-based authentication is required. uniqueAttribute (required) Primary key used for the CSV file usingMultivalue (optional) Whether attributes can have multiple values. Default: false

Scripted SQL Connector The Scripted SQL Connector uses customizable Groovy scripts to interact with the database. The connector uses one script for each of the following actions on the external database. Create Delete Search Sync Test Update See the openidm/samples/sample3/tools/ directory for example scripts.

Creating Default Connector Configurations Connectors Generating configurations Rather than creating provisioner files by hand, use the service that OpenIDM exposes through the REST interface to create basic connector configuration files named provisioner-openicf-Connector Name.json file. You create a new connector configuration file in three stages. List available connectors. Generate the core configuration. Connect to the target system and generate the final configuration. List available connectors using the following command. $ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request POST "http://localhost:8080/openidm/system?_action=CREATECONFIGURATION" Available connectors are installed in openidm/connectors. OpenIDM bundles the following connectors. csvfile ldap scriptedsql xml The command above therefore should return the following output (formatted here with lines folded to make it easier to read.) { "connectorRef": [ { "connectorName": "org.identityconnectors.ldap.LdapConnector", "bundleName": "org.forgerock.openicf.connectors.ldap.openicf-ldap-connector", "bundleVersion": "" }, { "connectorName": "com.forgerock.openicf.xml.XMLConnector", "bundleName": "org.forgerock.openicf.connectors.file.openicf-xml-connector", "bundleVersion": "" }, { "connectorHostRef": "osgi:service/org.forgerock.openicf.framework.api.osgi.ConnectorManager", "connectorName": "org.forgerock.openicf.scriptedsql.ScriptedSQLConnector", "bundleName": "org.forgerock.openicf.connectors.db.openicf-scriptedsql-connector", "bundleVersion": "" }, { "connectorHostRef": "osgi:service/org.forgerock.openicf.framework.api.osgi.ConnectorManager", "connectorName": "org.forgerock.openicf.csvfile.CSVFileConnector", "bundleName": "org.forgerock.openicf.connectors.file.openicf-csvfile-connector", "bundleVersion": "" } ] } To generate the core configuration, choose one of the available connectors by copying JSON objects from the list into the body of the REST command, as shown below for the XML connector. $ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" -d '{"connectorRef": {"connectorName":"com.forgerock.openicf.xml.XMLConnector", "bundleName":"org.forgerock.openicf.connectors.file.openicf-xml-connector", "bundleVersion":""}}' --request POST "http://localhost:8080/openidm/system?_action=CREATECONFIGURATION" The command returns a core connector configuration. The core connector configuration returned is not yet functional. It does not contain system specific "configurationProperties" such as the host name and port for web based connectors, or the "xmlFilePath" for the XML file based connectors as can be seen below. In addition, the configuration returned does not include complete "objectTypes" and "operationOptions" parts. { "connectorRef": { "connectorName": "com.forgerock.openicf.xml.XMLConnector", "bundleName": "org.forgerock.openicf.connectors.file.openicf-xml-connector", "bundleVersion": "" }, "poolConfigOption": { "maxObjects": 10, "maxIdle": 10, "maxWait": 150000, "minEvictableIdleTimeMillis": 120000, "minIdle": 1 }, "resultsHandlerConfig": { "enableNormalizingResultsHandler": true, "enableFilteredResultsHandler": true, "enableCaseInsensitiveFilter": false, "enableAttributesToGetSearchResultsHandler": true }, "operationTimeout": { "CREATE": -1, "UPDATE": -1, "DELETE": -1, "TEST": -1, "SCRIPT_ON_CONNECTOR": -1, "SCRIPT_ON_RESOURCE": -1, "GET": -1, "RESOLVEUSERNAME": -1, "AUTHENTICATE": -1, "SEARCH": -1, "VALIDATE": -1, "SYNC": -1, "SCHEMA": -1 }, "configurationProperties": { "xmlFilePath": null, "xsdFilePath": null, "xsdIcfFilePath": null } } To generate the final configuration, add the missing "configurationProperties" to the core configuration, and use the updated core configuration as the body for the next command. $ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --data '{ "connectorRef" : { "connectorName" : "com.forgerock.openicf.xml.XMLConnector", "bundleName" : "org.forgerock.openicf.connectors.file.openicf-xml-connector", "bundleVersion" : "" }, "poolConfigOption" : { "maxObjects" : 10, "maxIdle" : 10, "maxWait" : 150000, "minEvictableIdleTimeMillis" : 120000, "minIdle" : 1 }, "resultsHandlerConfig" : { "enableNormalizingResultsHandler" : true, "enableFilteredResultsHandler" : true, "enableCaseInsensitiveFilter" : false, "enableAttributesToGetSearchResultsHandler" : true }, "operationTimeout" : { "CREATE" : -1, "UPDATE" : -1, "DELETE" : -1, "TEST" : -1, "SCRIPT_ON_CONNECTOR" : -1, "SCRIPT_ON_RESOURCE" : -1, "GET" : -1, "RESOLVEUSERNAME" : -1, "AUTHENTICATE" : -1, "SEARCH" : -1, "VALIDATE" : -1, "SYNC" : -1, "SCHEMA" : -1 }, "configurationProperties" : { "xsdIcfFilePath" : "samples/sample1/data/resource-schema-1.xsd", "xsdFilePath" : "samples/sample1/data/resource-schema-extension.xsd", "xmlFilePath" : "samples/sample1/data/xmlConnectorData.xml" } }' --request POST "http://localhost:8080/openidm/system?_action=CREATECONFIGURATION" Notice the single quotes around the argument to the option in the command above. For most UNIX shells, single quotes around a string prevent the shell from executing the command when encountering a newline in the content. You can therefore pass the option on a single line or including line feeds. OpenIDM attempts to read the schema, if available, from the external resource in order to generate output. OpenIDM then iterates through schema objects and attributes, creating JSON representations for "objectTypes" and "operationOptions" for supported objects and operations. { "connectorRef": { "connectorHostRef": "#LOCAL", "connectorName": "com.forgerock.openicf.xml.XMLConnector", "bundleName": "org.forgerock.openicf.connectors.file.openicf-xml-connector", "bundleVersion": "-EA" }, "poolConfigOption": { "maxObjects": 10, "maxIdle": 10, "maxWait": 150000, "minEvictableIdleTimeMillis": 120000, "minIdle": 1 }, "resultsHandlerConfig": { "enableNormalizingResultsHandler": true, "enableFilteredResultsHandler": true, "enableCaseInsensitiveFilter": false, "enableAttributesToGetSearchResultsHandler": true }, "operationTimeout": { "CREATE": -1, "UPDATE": -1, "DELETE": -1, "TEST": -1, "SCRIPT_ON_CONNECTOR": -1, "SCRIPT_ON_RESOURCE": -1, "GET": -1, "RESOLVEUSERNAME": -1, "AUTHENTICATE": -1, "SEARCH": -1, "VALIDATE": -1, "SYNC": -1, "SCHEMA": -1 }, "configurationProperties": { "xmlFilePath": "samples/sample1/data/xmlConnectorData.xml", "xsdFilePath": "samples/sample1/data/resource-schema-extension.xsd", "xsdIcfFilePath": "samples/sample1/data/resource-schema-1.xsd" }, "objectTypes": { "OrganizationUnit": { "...": "..." }, "__GROUP__": { "$schema": "http://json-schema.org/draft-03/schema", "id": "__GROUP__", "type": "object", "nativeType": "__GROUP__", "properties": { "__DESCRIPTION__": { "type": "string", "required": true, "nativeName": "__DESCRIPTION__", "nativeType": "string" }, "__NAME__": { "type": "string", "required": true, "nativeName": "__NAME__", "nativeType": "string" } } }, "__ACCOUNT__": { "$schema": "http://json-schema.org/draft-03/schema", "id": "__ACCOUNT__", "type": "object", "nativeType": "__ACCOUNT__", "properties": { "firstname": { "type": "string", "nativeName": "firstname", "nativeType": "string" }, "__DESCRIPTION__": { "type": "string", "nativeName": "__DESCRIPTION__", "nativeType": "string" }, "__UID__": { "type": "string", "nativeName": "__UID__", "nativeType": "string" }, "__NAME__": { "type": "string", "required": true, "nativeName": "__NAME__", "nativeType": "string" } } } }, "operationOptions": { "CREATE": { "objectFeatures": { "OrganizationUnit": { "...": "..." }, "__GROUP__": { "...": "..." }, "__ACCOUNT__": { "denied": false, "onDeny": "DO_NOTHING", "operationOptionInfo": { "$schema": "http://json-schema.org/draft-03/schema", "id": "FIX_ME", "type": "object", "properties": { "...": "..." } } } } }, "UPDATE": { "objectFeatures": { "__ACCOUNT__": { "denied": false, "onDeny": "DO_NOTHING", "operationOptionInfo": { "$schema": "http://json-schema.org/draft-03/schema", "id": "FIX_ME", "type": "object", "properties": { "...": "..." } } } } } } } As OpenIDM produces a full property set for all attributes and all object types in the schema from the external resource, the resulting configuration can be large. For an LDAP server, OpenIDM can generate a configuration containing several tens of thousands of lines, for example. You might therefore want to reduce the schema to a minimum on the external resource before you run the final command.