LDAP user registry synchronization
User registry synchronization simplifies Maximo® Application Suite user management by synchronizing users and groups between an LDAP server and your local Maximo Application Suite user registry.
User synchronization
Synchronization is one way, from the LDAP server to Maximo Application Suite, and all updates on the LDAP side are merged over at synchronization time.
If your environment is configured for LDAP authentication, you can sync the complete user and group registry, or you can sync a filtered subset of the LDAP user registry.
If your environment is configured for local or SAML authentication, you can specify an external LDAP server to sync the users and groups with.
During synchronization, the mapped LDAP users are automatically added as Maximo Application Suite users. For a user that is synchronized from LDAP, the owner field of the user record in MongoDB is set to scim, which marks the user as externally managed.
The synced users are initially added with only application entitlement but can be assigned administration entitlement if needed. Users can also be granted specific access to applications during the initial synchronization.
Generally, synced personal information cannot be updated in Maximo Application Suite. Only user entitlement and application access can be managed in Maximo Application Suite. If the user authentication is local, passwords can also be managed in Maximo Application Suite.
User and group synchronization operations
The following user and group synchronization operations are supported.

Table 1. User synchronization operations

Operation | Description |
---|---|
Insert | Adds a user if it does not exist in the Maximo Application Suite user registry. If the user was previously deactivated as a result of being removed from the LDAP server, but is now added back into the LDAP server, the user is reactivated. The user is initially set up with an identity provider (IDP) issuer, entitlement, and application access. If SMTP is configured, newly created users also receive a welcome email. |
Update | Updates a user if it exists in the Maximo Application Suite user registry. User entitlement and application access are not updated. |
Skip | Skips the user update if no changes occurred in the LDAP server since the last synchronization. The field that is checked is ldap.meta.lastModified. |
Delete | Deactivates the user in Maximo Application Suite if the user is removed from the LDAP server. |

Table 2. Group synchronization operations

Operation | Description |
---|---|
Insert | Adds a group if it does not exist in the Maximo Application Suite user registry. |
Update | Updates a user if it exists in the Maximo Application Suite user registry. User entitlement and application access are not updated. Groups are always updated, and Maximo Application Suite does not delete them as part of the synchronization process. |
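The decision rules of Tables 1 and 2 modelled as a small reconciliation routine, added here as an illustration and not the product's sync job; the record shapes, the default application access parameter, and the rule that only owner == "scim" users are deactivated are assumptions:

```python
"""Model of the one-way LDAP -> Maximo Application Suite sync decisions in
Tables 1 and 2 (added illustration, not the product's sync job).  Assumed shapes:
ldap_users maps username -> {"lastModified": str}, registry maps username ->
LocalUser, and groups maps group name -> set of member names."""
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    username: str
    active: bool = True
    owner: str = "scim"                 # externally managed (synced) user
    last_modified: str = ""             # ldap.meta.lastModified seen at last sync
    entitlement: str = "application"    # synced users start with application entitlement
    app_access: set = field(default_factory=set)


def plan_user_sync(ldap_users, registry, default_app_access=frozenset()):
    """Apply insert/update/skip/delete to `registry` and return the plan."""
    plan = []
    for name, entry in ldap_users.items():
        local = registry.get(name)
        if local is None:
            # Insert: new user gets entitlement and the initial application access.
            registry[name] = LocalUser(name, last_modified=entry["lastModified"],
                                       app_access=set(default_app_access))
            plan.append(("insert", name))
        elif not local.active:
            # Insert: user was removed from LDAP earlier and is now re-added -> reactivate.
            local.active, local.last_modified = True, entry["lastModified"]
            plan.append(("insert", name))
        elif local.last_modified == entry["lastModified"]:
            plan.append(("skip", name))     # Skip: nothing changed since the last sync
        else:
            # Update: profile data refreshed; entitlement and app access untouched.
            local.last_modified = entry["lastModified"]
            plan.append(("update", name))
    for name, local in registry.items():
        # Delete: deactivate users that vanished from LDAP.  Assumption: only
        # externally managed (owner == "scim") users are subject to this.
        if name not in ldap_users and local.active and local.owner == "scim":
            local.active = False
            plan.append(("delete", name))
    return plan


def plan_group_sync(ldap_groups, groups):
    """Groups are only inserted or updated; the sync never deletes them."""
    plan = []
    for name, members in ldap_groups.items():
        plan.append(("insert" if name not in groups else "update", name))
        groups[name] = set(members)
    return plan
```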
LDAP configuration attributes
Maximo Application Suite LDAP filter configuration is based on IBM® Liberty.
The following configuration examples are based on Microsoft Active Directory. Refer to the IBM Liberty documentation for other types of user registries.
Parameter | Details |
---|---|
URL | The URL for the LDAP server is in the format protocol://<hostname>:<port>. Note: Secure LDAP (LDAPS) is the only allowed protocol. Non-TLS connections are not allowed. |
Base DN | The path in the object hierarchy of the directory server. |
Bind DN | The bind DN is used to bind to the LDAP server. Administrators must have sufficient privileges to search for users under the user search DN or groups under the group search DN. |
Bind PW | The LDAP admin password. |
Certificate | The TLS certificate for your LDAP server. You can also add multiple certificates if you are using a certificate chain. |
User Base DN | The user-level path in the object hierarchy of the directory server. If not provided, the baseDN is used by default. |
userFilter | The query that is used to search the users in the directory. |
userIdMap | The field that is used for user IDs. |
Group Base DN | The group-level path in the object hierarchy of the directory server. If not provided, the baseDN is used by default. |
groupFilter | The query that is used to search the groups in the directory. |
groupIdMap | The field that is used for group IDs. |
groupMemberIdMap | An LDAP filter that identifies the group memberships for users. |
Extensions
In Maximo Application Suite 8.11 and earlier versions, the extension fields that are listed in the following table are not included in the Maximo Application Suite user interface. They are part of the Maximo Application Suite user object and might be used by applications.
The following table shows how the LDAP fields map to the Maximo Application Suite user object.
LDAP field | Details |
---|---|
employeeNumber | A string identifier, typically numeric or alphanumeric, that is assigned to a person, typically based on order of hire or association with an organization. |
costCenter | Identifies the name of a cost center. |
organization | Identifies the name of an organization. |
division | Identifies the name of a division. |
department | Identifies the name of a department. |
manager | The user's manager. A complex type that optionally allows service providers to represent an organizational hierarchy by referencing the "ID" attribute of another user. |
Customizations in ScimCfg Custom Resource
Starting in Maximo Application Suite 8.9, you can change some configurations in the ScimCfg Custom Resource because those configurations are not available in the Maximo Application Suite user interface. The following properties can be set under spec.config of the ScimCfg Custom Resource:
- customMaxSearchResults: Use the customMaxSearchResults property to configure the maximum number of entries that can be returned in a search.
- ldapType: Use the ldapType property to override the default Custom setting for ldapType in the server's <ldapRegistry> configuration. The following LDAP servers are supported:
  - Custom, which is the default value.
  - IBM Lotus® Domino®
  - IBM SecureWay Directory Server
  - IBM Tivoli® Directory Server
  - Microsoft Active Directory
  - Netscape Directory Server
  - Novell eDirectory
  - Sun Java™ System Directory Server
- customLdapRegistryExtensions: Use the customLdapRegistryExtensions property to override the default settings for the <ldapRegistry> configuration. For more information about supported settings, see LDAP User Registry. The exceptions are ldapType, because this property is configurable in a separate stand-alone property; the properties that are exposed through the Scim Sync CRUD APIs; user interface properties such as host, port, bindDN, bindPassword, and baseDN; and some properties that cannot be changed, such as id and realm. The remaining properties can be added under customLdapRegistryExtensions. For more information about adding the properties, see the format that is specified by WebSphere Liberty.
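A checker that applies the rules from the LDAP configuration attributes table and from this ScimCfg section (LDAPS-only URL, base DN defaults, the supported ldapType values, and the properties that customLdapRegistryExtensions may not redefine), added here as an illustration rather than Maximo or Liberty code; the dict shapes and the flat key/value form of the extensions are assumptions:

```python
"""Checker for the LDAP connection parameters and ScimCfg spec.config rules on
this page (added illustration, not Maximo or Liberty code).  Assumed shapes:
params holds url/baseDN/userBaseDN/groupBaseDN; scim_config mirrors spec.config;
customLdapRegistryExtensions is a flat key -> value mapping."""
from urllib.parse import urlsplit

# ldapType values listed on the page; "Custom" is the default.
SUPPORTED_LDAP_TYPES = frozenset({
    "Custom", "IBM Lotus Domino", "IBM SecureWay Directory Server",
    "IBM Tivoli Directory Server", "Microsoft Active Directory",
    "Netscape Directory Server", "Novell eDirectory",
    "Sun Java System Directory Server",
})
# Not settable via customLdapRegistryExtensions: ldapType has its own property,
# host/port/bindDN/bindPassword/baseDN come from the UI, id/realm are fixed.
RESERVED_EXTENSION_KEYS = frozenset({
    "ldapType", "host", "port", "bindDN", "bindPassword", "baseDN", "id", "realm",
})

def check_ldap_url(url):
    """Enforce protocol://<hostname>:<port> with LDAPS as the only protocol."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps":
        raise ValueError(f"non-TLS LDAP connections are not allowed: {url}")
    if not parts.hostname or parts.port is None:
        raise ValueError(f"URL must include hostname and port: {url}")
    return parts.hostname, parts.port

def resolve_config(params, scim_config=None):
    """Return the effective settings after defaults and overrides are applied."""
    host, port = check_ldap_url(params["url"])
    scim_config = scim_config or {}
    ldap_type = scim_config.get("ldapType", "Custom")
    if ldap_type not in SUPPORTED_LDAP_TYPES:
        raise ValueError(f"unsupported ldapType: {ldap_type}")
    extensions = dict(scim_config.get("customLdapRegistryExtensions", {}))
    clash = sorted(RESERVED_EXTENSION_KEYS & set(extensions))
    if clash:
        raise ValueError(f"reserved keys in customLdapRegistryExtensions: {clash}")
    base_dn = params["baseDN"]
    return {
        "host": host, "port": port, "baseDN": base_dn,
        "userBaseDN": params.get("userBaseDN") or base_dn,   # default to baseDN
        "groupBaseDN": params.get("groupBaseDN") or base_dn,  # default to baseDN
        "ldapType": ldap_type,
        "maxSearchResults": scim_config.get("customMaxSearchResults"),
        "ldapRegistryExtensions": extensions,
    }
```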
Limitations
- User synchronization is supported for a single LDAP server.
- User and group sync are done in the same job.
- Synchronization by using external SCIM APIs is not supported.