8.1.4. Platform users mapped into LDAP

In the Quick start, you see that the root user is stored in LDAP as an entry like uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com.

The eXo Platform users are stored in LDAP because the readOnly option is omitted (or set to "false") in the configuration. If you do not want eXo Platform users to be stored in LDAP, set this option to "true" in picketlink-idm-ldap-config.xml:


<repository>
    <id>PortalRepository</id>
    <identity-store-mappings>
        <identity-store-mapping>
            <identity-store-id>PortalLDAPStore</identity-store-id>
            <options>
                <option>
                    <name>readOnly</name>
                    <value>true</value>
                </option>
            </options>
        </identity-store-mapping>

Now let's see how you can change the pre-configured identity type USER in a real case.

User attributes

context DNs (user divisions)

The ctxDNs (context DNs) is the location in LDAP tree where you want to store Platform users. It accepts multiple values but only the first value is used in the Platform-to-LDAP mapping:


<option>
    <name>ctxDNs</name>
    <value>ou=PlatformUsers,dc=example,dc=com</value>
    <value>ou=People,o=acme,dc=example,dc=com</value>
    <value>ou=People,o=emca,dc=example,dc=com</value>
</option>

createEntryAttributeValues

Required by LDAP, a user entry should have fixed objectClasses and attributes that could not be mapped from Platform user attributes. You can provide such objectClasses/attributes in createEntryAttributeValues like below:


<options>
    <option>
        <name>createEntryAttributeValues</name>
        <value>objectClass=top</value>
        <value>objectClass=inetOrgPerson</value>
        <value>sn= </value>
        <value>cn= </value>
    </option>
</options>

Note

The samples of this option are different between OpenLDAP/MSAD and others, so you need to review it in the sample configuration file you are using.

Copyright ©. All rights reserved. eXo Platform SAS
blog comments powered byDisqus