In the Quick start, you see that the root user is stored in LDAP as an entry like uid=root,ou=People,o=portal,o=gatein,dc=example,dc=com.
The eXo Platform users are stored in LDAP because the readOnly option is omitted (or set to "false") in the configuration.
If you do not want eXo Platform users to be stored in LDAP, set this option to "true" in picketlink-idm-ldap-config.xml:
<repository>
  <id>PortalRepository</id>
  <identity-store-mappings>
    <identity-store-mapping>
      <identity-store-id>PortalLDAPStore</identity-store-id>
      <options>
        <option>
          <name>readOnly</name>
          <value>true</value>
        </option>
      </options>
    </identity-store-mapping>
  </identity-store-mappings>
</repository>
Now let's see how you can change the pre-configured identity type USER in a real case.
User attributes
The following attributes are mandatory in the attribute mapping:
Platform | OpenLDAP | MSAD
---|---|---
firstName | cn | givenName
lastName | sn | sn
See the full list of Platform user attributes. For example, if you want to map Platform attribute user.jobtitle to LDAP attribute title, the configuration looks like below:
<attributes>
  <attribute>
    <name>user.jobtitle</name>
    <mapping>title</mapping>
    <type>text</type>
    <isRequired>false</isRequired>
    <isMultivalued>false</isMultivalued>
    <isReadOnly>false</isReadOnly>
    <isUnique>false</isUnique>
  </attribute>
</attributes>
The user identifier in Platform is the username, and it must be mapped unambiguously. Therefore, do not include it in the attribute mapping; instead, define the LDAP attribute that should match it (uid in the following example):
<options>
  <option>
    <name>idAttributeName</name>
    <value>uid</value>
  </option>
</options>
Context DNs (user divisions)
The ctxDNs option (context DNs) sets the location in the LDAP tree where Platform users are stored. It accepts multiple values, but only the first value is used in the Platform-to-LDAP mapping:
<option>
  <name>ctxDNs</name>
  <value>ou=PlatformUsers,dc=example,dc=com</value>
  <value>ou=People,o=acme,dc=example,dc=com</value>
  <value>ou=People,o=emca,dc=example,dc=com</value>
</option>
If ou=PlatformUsers does not exist in the tree, it is created automatically.
createEntryAttributeValues
LDAP requires a user entry to carry fixed objectClasses and attributes that cannot be mapped from Platform user attributes. You can provide those objectClasses and attributes in createEntryAttributeValues, as below:
<options>
  <option>
    <name>createEntryAttributeValues</name>
    <value>objectClass=top</value>
    <value>objectClass=inetOrgPerson</value>
    <value>sn= </value>
    <value>cn= </value>
  </option>
</options>
The sample values for this option differ between OpenLDAP, MSAD and other directories, so review them in the sample configuration file you are using.
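The rules above (readOnly, the mandatory firstName/lastName mappings, the id attribute kept out of the attribute mapping, only the first ctxDNs value being used, and name=value entries in createEntryAttributeValues) are easy to get wrong when hand-editing the file. The following is an added lint script, not part of eXo Platform or PicketLink; it parses the <option> and <attribute> elements in the shape shown on this page (the <store> wrapper and the sample values are constructed) and reports each deviation.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the picketlink-idm-ldap-config.xml fragments shown on this page.
# The <store> wrapper is a placeholder; the real file nests these under the identity store.
SAMPLE = """<store>
 <options>
  <option><name>ctxDNs</name>
   <value>ou=PlatformUsers,dc=example,dc=com</value>
   <value>ou=People,o=acme,dc=example,dc=com</value></option>
  <option><name>idAttributeName</name><value>uid</value></option>
  <option><name>createEntryAttributeValues</name>
   <value>objectClass=top</value><value>objectClass=inetOrgPerson</value>
   <value>sn= </value><value>cn= </value></option>
 </options>
 <attributes>
  <attribute><name>firstName</name><mapping>givenName</mapping></attribute>
  <attribute><name>user.jobtitle</name><mapping>title</mapping></attribute>
 </attributes>
</store>"""

MANDATORY = ("firstName", "lastName")  # per the attribute table above

def options(root):
    """Collect every <option> as name -> list of its <value> texts."""
    return {o.findtext("name"): [v.text or "" for v in o.findall("value")]
            for o in root.iter("option")}

def lint_ldap_config(xml_text):
    """Return a list of findings about the USER mapping; an empty list means clean."""
    root = ET.fromstring(xml_text)
    opts = options(root)
    findings = []
    # readOnly omitted or "false": Platform will write user entries into LDAP.
    if (opts.get("readOnly") or ["false"])[0].strip().lower() != "true":
        findings.append("readOnly is not true: Platform users will be created in LDAP")
    mapped = {a.findtext("name"): a.findtext("mapping") for a in root.iter("attribute")}
    for name in MANDATORY:
        if name not in mapped:
            findings.append(f"mandatory attribute {name} is not mapped")
    id_attr = (opts.get("idAttributeName") or [""])[0]
    if not id_attr:
        findings.append("idAttributeName is missing")
    elif id_attr in mapped.values():  # assumption: the id attribute must not be double-mapped
        findings.append(f"{id_attr} is the id attribute and must not also appear in <attributes>")
    ctx = opts.get("ctxDNs", [])
    if not ctx:
        findings.append("ctxDNs is missing")
    elif len(ctx) > 1:
        findings.append(f"only the first ctxDN is used ({ctx[0]}); {len(ctx) - 1} more ignored")
    for val in opts.get("createEntryAttributeValues", []):
        if "=" not in val:
            findings.append(f"createEntryAttributeValues entry '{val}' is not name=value")
    return findings

if __name__ == "__main__":
    for finding in lint_ldap_config(SAMPLE):
        print("-", finding)
```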