Chapter 9. Identity Management - Working with LDAP
9.1. Overview
The LDAP Identity Store allows a LDAP Directory to be used as a source of identity data. Most organizations rely on a LDAP Directory to store users, groups, roles and relationships between those entities. Some of them only store users and groups, others only users and so forth. The point is that each organization has its own structure, how data is organized on the server and policies to govern all that. That said, is very hard to get all different use cases satisfied given all those nuances.
To try to overcome that, the LDAP Identity Store provides a simple and easy mapping between the entries in your LDAP tree and the PicketLink types (
IdentityType
, Relationship
and so forth), plus some additional configuration options that give you more control how the store should integrate with your server.
The store can be used in read-only or read-write mode. Depending on your permissions on the server, you should consider one of these alternatives, otherwise you can get errors when, for example, trying to add, update or remove entries from the server.
The list below summarizes some of the most important capabilities provided by this store:
-
Mapping
IdentityType
types to their corresponding LDAP entries and attributes. -
Mapping
Relationship
types to their corresponding LDAP entries and attributes. -
Mapping of parent/child relationships between the LDAP entries mapped to the same type.
-
Authentication of users based on username/password credentials.
-
Use of LDAP UUID attributes as the identifier for identity types. For each identity type in PicketLink we need to provide a single/unique identifier. The LDAP store uses the
entryUUID
andobjectGUID
(depending on your server implementation, of course) to identify each type. You can also specify a different attribute name if your LDAP server does not support any of these none attributes.
But the LDAP Directory has also some limitations (schema limitations, restrictive usage policies) and because of that the LDAP Identity Store does not supports all the feature set provided by PicketLink. The table below lists what is not supported by the LDAP Identity Store:
-
Complex relationship mappings such as
GroupRole
. -
Relationships can not be updated directly using the
IdentityManager
. -
Limited support for credential types. Only username/password is available.
-
Partition Management.
-
Permission Management.