LDAP user registry synchronization

User registry synchronization simplifies Maximo® Application Suite user management by synchronizing users and groups between an LDAP server and your local Maximo Application Suite user registry. 

User synchronization

Synchronization is one way, from the LDAP server to Maximo Application Suite, and all updates on the LDAP side are merged over at synchronization time.

If your environment is configured for LDAP authentication, you can sync the complete user and group registry, or you can sync a filtered subset of the LDAP user registry.

If your environment is configured for local or SAML authentication, you can specify an external LDAP server to sync the users and groups with.

During synchronization, the mapped LDAP users are automatically added as Maximo Application Suite users. When a user is synchronized from LDAP, the owner field of that user is set to scim in MongoDB, which marks it as an externally managed user.

The synced users are initially added with only application entitlement but can be assigned administration entitlement if needed. Users can also be granted specific access to applications during the initial synchronization.

Generally, synced personal information cannot be updated in Maximo Application Suite. Only user entitlement and application access can be managed in Maximo Application Suite. If the user authentication is local, passwords can also be managed in Maximo Application Suite.

Important: Because the synchronization runs on a schedule, discrepancies might be temporarily introduced between synchronizations. For example, if a previously synced user ID is removed from LDAP, that user ID can still be used to log in to Maximo Application Suite until the user removal is synced. If the synced LDAP users are using local authentication, the user ID still has access. If LDAP or SAML authentication is used, the login fails because the user is no longer active in LDAP.

User and group synchronization operations

The following user and group synchronization operations are supported.

User operations
Table 1. User synchronization operations
Insert: Adds a user if it does not exist in the Maximo Application Suite user registry. If the user was previously deactivated as a result of being removed from the LDAP server but is now added back into the LDAP server, the user is reactivated. The user is initially set up with an identity provider (IDP) issuer, entitlement, and application access. If SMTP is configured, newly created users also receive a welcome email.
Update: Updates a user if it exists in the Maximo Application Suite user registry. User entitlement and application access are not updated.
Skip: Skips the user update if no changes occurred in the LDAP server since the last synchronization. The field that is checked is ldap.meta.lastModified.
Delete: Deactivates the user in Maximo Application Suite if the user is removed from the LDAP server.
Group operations
Table 2. Group synchronization operations
Insert: Adds a group if it does not exist in the Maximo Application Suite user registry.
Update: Updates a user if it exists in the Maximo Application Suite user registry. User entitlement and application access are not updated.

Groups are always updated, and Maximo Application Suite does not delete them as part of the synchronization process.
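The following is an added example, not IBM's code, that models the Insert, Update, Skip and Delete semantics from the two tables above with constructed in-memory data: a user is skipped when its ldap.meta.lastModified value is unchanged, an update leaves entitlement untouched, a removed LDAP user is deactivated rather than deleted, a user that is not externally managed (owner other than scim) is left alone, and groups are only inserted or updated. All class and function names (LdapUser, LocalUser, plan_user_sync and so on) are assumptions made for the example.

```python
"""Plan and apply an LDAP-to-local user registry sync (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class LdapUser:
    user_id: str
    last_modified: str          # LDAP value compared at sync time (ldap.meta.lastModified)
    display_name: str


@dataclass
class LocalUser:
    user_id: str
    display_name: str
    last_modified: str          # lastModified recorded at the previous sync
    active: bool = True
    owner: str = "scim"         # "scim" marks an externally managed user
    entitlement: str = "application"


def plan_user_sync(ldap_users: List[LdapUser],
                   registry: Dict[str, LocalUser]) -> List[Tuple[str, str]]:
    """Return (operation, user_id) pairs without changing the registry."""
    plan = []
    ldap_by_id = {u.user_id: u for u in ldap_users}
    for uid, lu in ldap_by_id.items():
        local = registry.get(uid)
        if local is None or not local.active:
            plan.append(("insert", uid))        # new user, or reactivation
        elif local.last_modified == lu.last_modified:
            plan.append(("skip", uid))          # unchanged since last sync
        else:
            plan.append(("update", uid))
    for uid, local in registry.items():
        # Only externally managed users are deactivated; local users are untouched.
        if uid not in ldap_by_id and local.active and local.owner == "scim":
            plan.append(("delete", uid))        # deactivate, never hard-delete
    return plan


def apply_user_sync(ldap_users: List[LdapUser],
                    registry: Dict[str, LocalUser]) -> List[Tuple[str, str]]:
    """Apply the plan in place and return it."""
    ldap_by_id = {u.user_id: u for u in ldap_users}
    plan = plan_user_sync(ldap_users, registry)
    for op, uid in plan:
        if op == "insert":
            lu = ldap_by_id[uid]
            # Assumption: a newly inserted or reactivated user starts with application entitlement.
            registry[uid] = LocalUser(uid, lu.display_name, lu.last_modified)
        elif op == "update":
            lu = ldap_by_id[uid]
            local = registry[uid]
            local.display_name = lu.display_name
            local.last_modified = lu.last_modified   # entitlement and app access are not touched
        elif op == "delete":
            registry[uid].active = False
    return plan


def plan_group_sync(ldap_groups: Dict[str, Set[str]],
                    local_groups: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Groups are inserted or updated only; the sync never deletes a group."""
    return [("update" if gid in local_groups else "insert", gid) for gid in ldap_groups]


def demo():
    """Constructed sample data that exercises every operation."""
    ldap = [
        LdapUser("alice", "20240501120000Z", "Alice A"),   # unchanged -> skip
        LdapUser("bob", "20240502090000Z", "Bob B"),       # changed -> update
        LdapUser("dave", "20240503080000Z", "Dave D"),     # previously deactivated -> insert
    ]
    registry = {
        "alice": LocalUser("alice", "Alice A", "20240501120000Z"),
        "bob": LocalUser("bob", "Bob", "20240401090000Z", entitlement="administration"),
        "carol": LocalUser("carol", "Carol C", "20240101000000Z"),        # gone from LDAP -> delete
        "dave": LocalUser("dave", "Dave D", "20240101000000Z", active=False),
        "localadmin": LocalUser("localadmin", "Admin", "", owner="local"),  # not externally managed
    }
    plan = apply_user_sync(ldap, registry)
    group_plan = plan_group_sync({"maxadmins": {"alice"}, "viewers": {"bob"}},
                                 {"maxadmins": {"alice"}, "oldgroup": set()})
    return plan, registry, group_plan


if __name__ == "__main__":
    for op, uid in demo()[0]:
        print(f"{op:6} {uid}")
```

The window between two scheduled runs is visible in the data: carol remains active until apply_user_sync runs, which is the temporary discrepancy the Important note above describes.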

LDAP configuration attributes

Maximo Application Suite LDAP filter configuration is based on IBM® Liberty.

The following configuration examples are based on Microsoft Active Directory. Refer to the IBM Liberty documentation for other types of user registries.

Table 3. LDAP configuration attributes
URL: The URL for the LDAP server, in the format protocol://<hostname>:<port>.
Note: Secure LDAP (LDAPS) is the only allowed protocol. Non-TLS connections are not allowed.
Example: ldaps://MSAD2021.fyre.ibm.com:636
Base DN: The path in the object hierarchy of the directory server. Example: OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com
Bind DN: The DN that is used to bind to the LDAP server. Administrators must have sufficient privileges to search for users under the user search DN or groups under the group search DN. Example: CN=wilson,OU=users,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com
Bind PW: The LDAP admin password.
Certificate: The TLS certificate for your LDAP server. You can also add multiple certificates if you are using a certificate chain.
User Base DN: The user-level path in the object hierarchy of the directory server. If not provided, the baseDN is used by default. Example: OU=users,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com
userFilter: The query that is used to search for users in the directory.

Example 1: (&(sAMAccountName=%v)(objectcategory=user))

Example 2: (&(sAMAccountName=%v)(objectclass=user))

userIdMap: The field that is used for user IDs. Example: user:<sAMAccountName>
Group Base DN: The group-level path in the object hierarchy of the directory server. If not provided, the baseDN is used by default. Example: OU=groups,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com
groupFilter: The query that is used to search for groups in the directory.

Example 1: (&(cn=%v)(objectcategory=group))

Example 2: (&(cn=%v)(objectclass=group))

groupIdMap: The field that is used for group IDs. Example: *:cn
groupMemberIdMap: An LDAP filter that identifies the group memberships for users. Example: memberOf:member
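The following is an added example, not IBM's or Liberty's code, showing two checks a practitioner would want around the attributes in Table 3: the URL is accepted only when it uses ldaps://, as the URL row requires, and the %v placeholder in a userFilter or groupFilter template is replaced by a value escaped according to RFC 4515, so that a looked-up name containing characters such as *, ( or ) cannot change the structure of the search filter. It assumes that %v stands for the value being looked up, as the filter examples show; the function names are assumptions.

```python
"""Validate the LDAP URL and render filter templates with escaped values (added example)."""
from typing import Dict, Tuple
from urllib.parse import urlsplit


def check_ldap_url(url: str) -> Tuple[str, int]:
    """Return (hostname, port) for an ldaps:// URL and reject any other scheme."""
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        raise ValueError(f"only ldaps:// is allowed, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no hostname")
    return parts.hostname, parts.port or 636    # 636 is the default LDAPS port


def is_allowed_url(url: str) -> bool:
    """Convenience wrapper: True when check_ldap_url accepts the URL."""
    try:
        check_ldap_url(url)
        return True
    except ValueError:
        return False


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template: str, value: str) -> str:
    """Substitute %v in a userFilter/groupFilter template with an escaped value."""
    if "%v" not in template:
        raise ValueError("filter template has no %v placeholder")
    if template.count("(") != template.count(")"):
        raise ValueError("filter template has unbalanced parentheses")
    return template.replace("%v", escape_filter_value(value))


def build_search(url: str, base_dn: str, template: str, value: str) -> Dict[str, object]:
    """Combine the checks into one description of the search that would be issued."""
    host, port = check_ldap_url(url)
    return {"host": host, "port": port, "base": base_dn,
            "filter": render_filter(template, value)}


if __name__ == "__main__":
    # Values from Table 3 (the server name is IBM's documentation example).
    print(build_search("ldaps://MSAD2021.fyre.ibm.com:636",
                       "OU=users,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com",
                       "(&(sAMAccountName=%v)(objectcategory=user))", "wilson"))
```

urlsplit lowercases the hostname it returns, so check_ldap_url reports msad2021.fyre.ibm.com for the Table 3 example; the port defaults to 636 only when the URL omits it.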

Extensions

In Maximo Application Suite 8.11 and earlier versions, the extension fields that are listed in the following table are not included in the Maximo Application Suite user interface. They are part of the Maximo Application Suite user object and might be used by applications.

The following table shows how the LDAP fields map to the Maximo Application Suite user object.

Table 4. LDAP extension fields
employeeNumber: A string identifier, typically numeric or alphanumeric, that is assigned to a person, typically based on order of hire or association with an organization.
costCenter: Identifies the name of a cost center.
organization: Identifies the name of an organization.
division: Identifies the name of a division.
department: Identifies the name of a department.
manager: The user's manager. A complex type that optionally allows service providers to represent an organizational hierarchy by referencing the "ID" attribute of another user.

Customizations in ScimCfg Custom Resource

Starting in Maximo Application Suite 8.9, you can change some configurations in the ScimCfg Custom Resource as the configurations are not available in the Maximo Application Suite user interface.

Add the following properties in spec.config of the ScimCfg Custom Resource:
customMaxSearchResults
Use the customMaxSearchResults to configure the maximum number of entries that can be returned in a search.
ldapType
Use the ldapType property to override the default Custom setting for ldapType in the server's <ldapRegistry> configuration. The following LDAP servers are supported:
  • Custom, which is the default value.
  • IBM Lotus® Domino®
  • IBM SecureWay Directory Server
  • IBM Tivoli® Directory Server
  • Microsoft Active Directory
  • Netscape Directory Server
  • Novell eDirectory
  • Sun Java™ System Directory Server
customLdapRegistryExtensions
Use the customLdapRegistryExtensions property to override the default settings for <ldapRegistry> configuration.

For more information about supported settings, see LDAP User Registry.

The exceptions are ldapType, because it is configurable through its own stand-alone property; the properties that are exposed through the SCIM Sync CRUD APIs; user interface properties such as host, port, bindDN, bindPassword, and baseDN; and properties that cannot be changed, such as id and realm.

The remaining properties can be added under customLdapRegistryExtensions. For more information about adding the properties, see the format that is specified by WebSphere Liberty.

Note: These properties are not exposed through LDAP sync or the user interface. However, updating the LDAP sync configuration through the API or UI does not override these extra settings.
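The following is an added example, not IBM's code, that checks a ScimCfg spec.config block against the rules in this section: customMaxSearchResults must be a positive integer, ldapType must be one of the listed values, and the properties that this section excludes (ldapType, the UI-managed connection settings, and id and realm) must not appear under customLdapRegistryExtensions. It assumes that customLdapRegistryExtensions is supplied as a mapping of <ldapRegistry> attribute names to values; the exact format is the one WebSphere Liberty specifies and is not restated here. The constant and function names, and the searchTimeout attribute used in the sample, are assumptions.

```python
"""Validate a ScimCfg spec.config mapping against this section's rules (added example)."""
from typing import Any, Dict, List

# The ldapType values listed above (trademark symbols dropped).
SUPPORTED_LDAP_TYPES = {
    "Custom",
    "IBM Lotus Domino",
    "IBM SecureWay Directory Server",
    "IBM Tivoli Directory Server",
    "Microsoft Active Directory",
    "Netscape Directory Server",
    "Novell eDirectory",
    "Sun Java System Directory Server",
}

# Properties that must not be placed under customLdapRegistryExtensions:
# ldapType has its own property, the connection settings are managed through
# the UI and API, and id and realm cannot be changed.
RESERVED_EXTENSION_KEYS = {
    "ldapType", "host", "port", "bindDN", "bindPassword", "baseDN", "id", "realm",
}


def validate_scim_config(config: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the config passes."""
    problems: List[str] = []

    n = config.get("customMaxSearchResults")
    if n is not None and (isinstance(n, bool) or not isinstance(n, int) or n <= 0):
        problems.append("customMaxSearchResults must be a positive integer")

    ldap_type = config.get("ldapType", "Custom")   # Custom is the documented default
    if ldap_type not in SUPPORTED_LDAP_TYPES:
        problems.append(f"ldapType {ldap_type!r} is not a supported value")

    ext = config.get("customLdapRegistryExtensions") or {}
    if not isinstance(ext, dict):
        problems.append("customLdapRegistryExtensions must be a mapping")
    else:
        for key in sorted(ext):
            if key in RESERVED_EXTENSION_KEYS:
                problems.append(f"{key} cannot be set through customLdapRegistryExtensions")
    return problems


def sample_configs():
    """Two constructed spec.config mappings: one that passes and one that does not."""
    good = {
        "customMaxSearchResults": 5000,
        "ldapType": "Microsoft Active Directory",
        # searchTimeout is assumed here as a Liberty <ldapRegistry> attribute.
        "customLdapRegistryExtensions": {"searchTimeout": "2m"},
    }
    bad = {
        "customMaxSearchResults": 0,
        "ldapType": "OpenLDAP",
        "customLdapRegistryExtensions": {"bindPassword": "not-here", "realm": "other"},
    }
    return good, bad


if __name__ == "__main__":
    for cfg in sample_configs():
        print(validate_scim_config(cfg) or ["ok"])
```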

Limitations

  • User synchronization is supported for a single LDAP server.
  • User and group sync are done in the same job.
  • Synchronization by using external SCIM APIs is not supported.