ForgeRock OpenIDM, the Identity Management solution from ForgeRock offers nice and easy way to perform most of the common scenarios one can think of in the Identity Management domain. Once such commonly occurring situations is to link an account of a User in IDM with his/her Multiple accounts in a resource such as LDAP Server like ForgeRock OpenDJ. Let’s try to understand how that’s achieved in OpenIDM using the illustration below:
As you can make out, OpenIDM is connected to an OpenDJ instance. You could also see two OpenIDM Roles defined namely ‘Agent’ and ‘Insurer’. Each of the Role is attached to a Managed Assignment. And the Managed Assignment in turn has Attributes and Link Qualifiers. The Attribute refers to a User Attribute in OpenDJ with a corresponding value (say cn=Chat Users, ou=Groups,dc=example,dc=com) and Link Qualifier is used to construct a DN (say uid=bjensen,ou=Customers,dc=example,dc=com).
So a Role that has the Managed Assignments with the said Attributes and Link Qualifier would (i) be a member of ‘cn=Chat Users, ou=Groups,dc=example,dc=com‘ and will belong to a branch that’s determined by the DN uid=bjensen,ou=Customers,dc=example,dc=com. Clearly, multiple OpenIDM Role assignments to a single OpenIDM User will link that User’s account with multiple DNs in the OpenDJ instance. Please note that the LDAP group is omitted from the illustration above for brevity. The following equation might give us a rough translation of the above statements:
OpenIDM User (bjensen) <---- OpenIDM Role (Insurer) <---- Managed Assignment (cn=Chat Users,ou=Groups,dc=example,dc=com Attribute && dn: uid=?,ou=Customers,dc=example,dc=com Link Qualifier) ===> bjensen user in the ou=Customers branch of OpenDJ instance DIT (uid=bjensen, ou=Customers,dc=example,dc=com) and the user’s subscription to a LDAP Group cn=Chat Users, ou=Groups,dc=example,dc=com)
Not clear? Have a screen-cast for you. Please take a look and see if it gives you a clearer picture.
Enjoy!