LDAP user registry synchronization

User registry synchronization simplifies Maximo® Application Suite user management by synchronizing users and groups between an LDAP server and your local Maximo Application Suite user registry. 

User synchronization

Synchronization is one way, from the LDAP server to Maximo Application Suite, and all updates on the LDAP side are merged over at synchronization time.

If your environment is configured for LDAP authentication, you can sync the complete user and group registry, or you can sync a filtered subset of the LDAP user registry.

If your environment is configured for local or SAML authentication, you can specify an external LDAP server to sync the users and groups with.

During synchronization, the mapped LDAP users are automatically added as Maximo Application Suite users. When a user is synchronized from LDAP, the owner field of the user record is set to scim in MongoDB, which marks it as an externally managed user.

The synced users are initially added with only application entitlement but can be assigned administration entitlement if needed. Users can also be granted specific access to applications during the initial synchronization.

Generally, synced personal information cannot be updated in Maximo Application Suite. Only user entitlement and application access can be managed in Maximo Application Suite. If the user authentication is local, passwords can also be managed in Maximo Application Suite.

Important: Because the synchronization runs on a schedule, discrepancies might be temporarily introduced between synchronizations. For example, if a previously synced user ID is removed from LDAP, that user ID can still be used to log in to Maximo Application Suite until the user removal is synced. If the synced LDAP users are using local authentication, the user ID still has access. If LDAP or SAML authentication is used, the login fails because the user is no longer active in LDAP.

User and group synchronization with SCIM 2.0

Starting in Maximo Application Suite 9.0, you can synchronize users and groups from an external identity provider (IdP) by using the System for Cross-domain Identity Management (SCIM) 2.0 protocol. For more information, see User synchronization with SCIM 2.0.

User and group synchronization operations

The following user and group synchronization operations are supported.

User operations

Table 1. User synchronization operations

  Operation   Description
  ---------   -----------------------------------------------------------------
  Insert      Adds a user if it does not exist in the Maximo Application Suite
              user registry. If the user was previously deactivated because it
              was removed from the LDAP server, but is now added back to the
              LDAP server, the user is reactivated. The user is initially set
              up with an identity provider (IDP) issuer, entitlement, and
              application access. If SMTP is configured, newly created users
              also receive a welcome email.
  Update      Updates a user if it exists in the Maximo Application Suite user
              registry. User entitlement and application access are not
              updated.
  Skip        Skips the user update if no changes occurred in the LDAP server
              since the last synchronization. The field that is checked is
              ldap.meta.lastModified.
  Delete      Deactivates the user in Maximo Application Suite if the user is
              removed from the LDAP server.
Group operations

Table 2. Group synchronization operations

  Operation   Description
  ---------   -----------------------------------------------------------------
  Insert      Adds a group if it does not exist in the Maximo Application Suite
              user registry.
  Update      Updates a group if it exists in the Maximo Application Suite user
              registry. User entitlement and application access are not
              updated.

Groups are always updated, and Maximo Application Suite does not delete them as part of the synchronization process.
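The decision logic in Tables 1 and 2, written out as an added illustration (this is not IBM code and does not call any Maximo API). It models the one-way reconciliation: users present in LDAP are inserted, updated or skipped by comparing the stored lastModified value, externally managed (owner = scim) users that vanished from LDAP are deactivated rather than deleted, locally owned users are left alone, and groups are only ever inserted or updated. The registries and timestamps are constructed sample data.

```python
"""Added example (not IBM code): a reconciliation plan for the one-way
LDAP -> Maximo Application Suite user sync, modelling the Insert/Update/
Skip/Delete user operations in Table 1 and the Insert/Update group
operations in Table 2. Registries are plain dicts constructed inline."""
from datetime import datetime, timezone

APPLICATION_ENTITLEMENT = "application"  # synced users start with application entitlement only


def plan_user_sync(ldap_users, local_users):
    """Decide one operation per user.

    ldap_users:  {user_id: {"lastModified": datetime, ...}} as read from LDAP
    local_users: {user_id: {"owner": "scim"|"local", "active": bool,
                            "ldapLastModified": datetime|None, ...}}
    """
    plan = {"insert": [], "update": [], "skip": [], "deactivate": []}
    for uid, entry in ldap_users.items():
        local = local_users.get(uid)
        if local is None or not local["active"]:
            # Not present, or deactivated after an earlier removal from LDAP
            # and now re-added: both are Insert (re-activation).
            plan["insert"].append(uid)
        elif local.get("ldapLastModified") == entry["lastModified"]:
            # Nothing changed on the LDAP side since the last run: Skip.
            plan["skip"].append(uid)
        else:
            plan["update"].append(uid)
    for uid, local in local_users.items():
        # Only externally managed (owner == "scim") users are deactivated when
        # they disappear from LDAP; locally owned users are never touched.
        if local["owner"] == "scim" and local["active"] and uid not in ldap_users:
            plan["deactivate"].append(uid)
    return plan


def apply_user_sync(ldap_users, local_users):
    """Return (plan, registry after applying it). Entitlement is left alone
    on Update; on Insert the user is created with owner=scim and, unless a
    deactivated record already carried one, application entitlement."""
    plan = plan_user_sync(ldap_users, local_users)
    result = {uid: dict(rec) for uid, rec in local_users.items()}
    for uid in plan["insert"]:
        existing = result.get(uid, {})
        result[uid] = {
            "owner": "scim",
            "active": True,
            "entitlement": existing.get("entitlement", APPLICATION_ENTITLEMENT),
            "displayName": ldap_users[uid].get("displayName"),
            "ldapLastModified": ldap_users[uid]["lastModified"],
        }
    for uid in plan["update"]:
        result[uid]["displayName"] = ldap_users[uid].get("displayName")
        result[uid]["ldapLastModified"] = ldap_users[uid]["lastModified"]
    for uid in plan["deactivate"]:
        result[uid]["active"] = False  # deactivated, never deleted
    return plan, result


def plan_group_sync(ldap_groups, local_groups):
    """Groups are only ever inserted or updated; nothing is deleted."""
    plan = {"insert": [], "update": []}
    for gid in ldap_groups:
        plan["update" if gid in local_groups else "insert"].append(gid)
    return plan


# Constructed sample registries (not real data).
T_OLD = datetime(2024, 1, 1, tzinfo=timezone.utc)
T_NEW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_LDAP_USERS = {
    "alice": {"lastModified": T_NEW, "displayName": "Alice"},   # new in LDAP
    "bob":   {"lastModified": T_NEW, "displayName": "Bob B."},  # changed since last run
    "carol": {"lastModified": T_OLD, "displayName": "Carol"},   # unchanged
    "dave":  {"lastModified": T_NEW, "displayName": "Dave"},    # removed earlier, re-added
}
SAMPLE_LOCAL_USERS = {
    "bob":   {"owner": "scim",  "active": True,  "entitlement": "application", "ldapLastModified": T_OLD},
    "carol": {"owner": "scim",  "active": True,  "entitlement": "admin",       "ldapLastModified": T_OLD},
    "dave":  {"owner": "scim",  "active": False, "entitlement": "application", "ldapLastModified": T_OLD},
    "erin":  {"owner": "scim",  "active": True,  "entitlement": "application", "ldapLastModified": T_OLD},  # gone from LDAP
    "root":  {"owner": "local", "active": True,  "entitlement": "admin",       "ldapLastModified": None},   # local user
}

if __name__ == "__main__":
    plan, registry = apply_user_sync(SAMPLE_LDAP_USERS, SAMPLE_LOCAL_USERS)
    print(plan)
    print(plan_group_sync({"g-ops": {}, "g-new": {}}, {"g-ops": {}, "g-old": {}}))
```

Note that erin keeps her record (only active flips to False) and carol keeps her admin entitlement through the skip, which is the behaviour that the Important note about scheduled runs relies on: between runs a removed user is still present, just not yet deactivated.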

LDAP configuration attributes

Maximo Application Suite LDAP filter configuration is based on IBM® Liberty.

The following configuration examples are based on Microsoft Active Directory. Refer to the IBM Liberty documentation for other types of user registries.

Table 3. LDAP configuration attributes

URL
  The URL for the LDAP server, in the format protocol://<hostname>:<port>.
  Note: Secure LDAP (LDAPS) is the only allowed protocol. Non-TLS connections are not allowed.
  Example: ldaps://MSAD2021.fyre.ibm.com:636

Base DN
  The path in the object hierarchy of the directory server.
  Example: OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com

Bind DN
  The DN that is used to bind to the LDAP server. Administrators must have sufficient privileges to search for users under the user search DN and for groups under the group search DN.
  Example: CN=wilson,OU=users,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com

Bind PW
  The LDAP admin password.

Certificate
  The TLS certificate for your LDAP server. You can add multiple certificates if you are using a certificate chain.

User Base DN
  The user-level path in the object hierarchy of the directory server. If not provided, the Base DN is used by default.
  Example: OU=users,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com

userFilter
  The query that is used to search for users in the directory.
  Example 1: (&(sAMAccountName=%v)(objectcategory=user))
  Example 2: (&(sAMAccountName=%v)(objectclass=user))

userIdMap
  The field that is used for user IDs.
  Example: user:<sAMAccountName>

Group Base DN
  The group-level path in the object hierarchy of the directory server. If not provided, the Base DN is used by default.
  Example: OU=groups,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com

groupFilter
  The query that is used to search for groups in the directory.
  Example 1: (&(cn=%v)(objectcategory=group))
  Example 2: (&(cn=%v)(objectclass=group))

groupIdMap
  The field that is used for group IDs.
  Example: *:cn

groupMemberIdMap
  An LDAP filter that identifies the group memberships for users.
  Example: memberOf:member
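An added validation routine for the settings in Table 3 (not IBM or Liberty code; it uses only the Python standard library). It enforces the LDAPS-only rule on the URL, substitutes the %v placeholder in userFilter and groupFilter with RFC 4515 escaping so that a looked-up value such as a login name is matched literally and cannot alter the filter's structure, applies the Base DN fallback for the user and group base DNs, and splits the *IdMap values into their object-class and attribute parts. The config dictionary is constructed from the example values above.

```python
"""Added example (not IBM's or Liberty's code): validates the Table 3
settings the way a defender would before wiring them into a sync job."""
from urllib.parse import urlsplit

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def check_ldap_url(url):
    """Return (hostname, port); reject anything that is not ldaps://host:port."""
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        raise ValueError("only ldaps:// is allowed, got %r" % url)
    if not parts.hostname or parts.port is None:
        raise ValueError("URL must be ldaps://<hostname>:<port>, got %r" % url)
    return parts.hostname, parts.port  # urlsplit lower-cases the host name


def escape_filter_value(value):
    """Escape a value so it is matched literally when substituted for %v."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, value):
    """Substitute %v in a userFilter/groupFilter template with an escaped value."""
    if "%v" not in template:
        raise ValueError("filter template has no %v placeholder: " + template)
    return template.replace("%v", escape_filter_value(value))


def parse_id_map(id_map):
    """Split 'user:sAMAccountName' or '*:cn' into (object_class, attribute)."""
    object_class, sep, attribute = id_map.partition(":")
    if not sep or not object_class or not attribute:
        raise ValueError("id map must look like <objectclass>:<attribute>: " + id_map)
    return object_class, attribute


def validate_ldap_config(cfg):
    """Check a config dict keyed by the Table 3 parameter names and return a
    normalised copy. A failure here is a misconfiguration, not a sync error."""
    host, port = check_ldap_url(cfg["url"])
    build_filter(cfg["userFilter"], "probe")   # proves the placeholder exists
    build_filter(cfg["groupFilter"], "probe")
    return {
        "host": host, "port": port,
        "baseDN": cfg["baseDN"],
        "userBaseDN": cfg.get("userBaseDN") or cfg["baseDN"],    # falls back to Base DN
        "groupBaseDN": cfg.get("groupBaseDN") or cfg["baseDN"],  # falls back to Base DN
        "userIdMap": parse_id_map(cfg["userIdMap"]),
        "groupIdMap": parse_id_map(cfg["groupIdMap"]),
    }


# Constructed config using the example values from Table 3.
SAMPLE_CONFIG = {
    "url": "ldaps://MSAD2021.fyre.ibm.com:636",
    "baseDN": "OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com",
    "userBaseDN": "OU=users,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com",
    "groupBaseDN": "",   # left empty so the Base DN fallback is exercised
    "userFilter": "(&(sAMAccountName=%v)(objectcategory=user))",
    "groupFilter": "(&(cn=%v)(objectcategory=group))",
    "userIdMap": "user:sAMAccountName",
    "groupIdMap": "*:cn",
}

if __name__ == "__main__":
    print(validate_ldap_config(SAMPLE_CONFIG))
    # A wildcard or parenthesis in the looked-up value is matched literally:
    print(build_filter(SAMPLE_CONFIG["userFilter"], "wil*son"))
```

The escaping step is the one to keep in mind when a filter template contains %v: the value that replaces it comes from whatever is being looked up, so it must be treated as data, not as filter syntax.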

User and group registry mapping

The Maximo Application Suite user data model is based on the custom mapping of the user data that synchronizes with the LDAP server.

Starting in Maximo Application Suite 9.0, you can configure user registry synchronization to map data for users from LDAP with Maximo Application Suite in the user interface.

To map user or group data, on the Suite administration page, select Configurations from the side navigation menu and then click User registry synchronization. You can also use a default value that is set by the system. If you don't specify custom field values, then default values are used.

User mapping
You can use the following user properties to map between Maximo Application Suite and LDAP by specifying the field in LDAP that maps to the property field in Maximo Application Suite.
Standard user properties
  • id
  • username
  • displayName
  • title
  • familyName
  • givenName
  • email
  • phoneNumber
Extensions
  • employeeNumber
  • costCenter
  • organization
  • division
  • department
  • manager
Extensions support custom property names that you can map to LDAP attributes.
Group mapping

You can use the following group properties to map between Maximo Application Suite and LDAP by specifying the field in LDAP that maps to the property field in Maximo Application Suite.

Standard group properties
  • id
  • displayName
Extensions properties support custom property names that you can map to LDAP attributes.

If you map any of the properties that are described in the following sections, review the considerations for each.

Note:

When you use custom mapping, field values must be unique in LDAP. The allowed characters for id and username are letters, numbers, and the characters -, @, ., and _; spaces are not allowed.

id

After the initial synchronization, if you configure the property mapping for id, you must manually delete the existing SCIM-owned users (the users whose owner property has the value scim) from the Maximo Application Suite database.

You can delete the existing SCIM-owned users by running the following command in MongoDB:

db.getCollection("User").deleteMany({"owner": "scim"})

Deleting the existing SCIM-owned users is required because the users that are included in the next scheduled synchronization cron job are treated as new users with different IDs. Otherwise, the synchronization of those users fails because the existing users in the database have the same username and email.

username
Configuring the property mapping for username might affect the user's ability to authenticate.
email and phoneNumber

When email or phoneNumber properties are not mapped, one or more LDAP emails and one or more LDAP phone numbers are copied into Maximo Application Suite user records. This synchronization is based on the definition of phone numbers and emails that is available for each user in the LDAP server.

If you specify the mapping for the email or the phoneNumber property, then only the one email and the one phone number that are specified by the mapped value are copied from the LDAP user into Maximo Application Suite.

If users have multiple emails or phone numbers that might be duplicated, then the synchronization might fail. To make sure that the data synchronizes correctly, use email and phoneNumber information that is unique to each user.
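The mapping rules in this section, as an added illustration (not IBM code): an LDAP entry is mapped onto the user properties listed under User mapping, the id and username values are checked against the allowed-character rule from the note above, and email and phoneNumber follow the two behaviours just described (all values copied when unmapped, exactly one when mapped). A final pass reports the duplicate values that would make the batch fail. The default attribute names, and the attribute sets scanned in the unmapped case, are assumptions made for this example, not the product's defaults; the entries are constructed sample data.

```python
"""Added example (not IBM code): LDAP -> Maximo Application Suite user mapping
with the id/username character rule and the email/phoneNumber behaviour."""
import re

# Assumed default mapping (constructed for this example, not the product's defaults).
DEFAULT_MAPPING = {
    "id": "sAMAccountName", "username": "sAMAccountName", "displayName": "displayName",
    "title": "title", "familyName": "sn", "givenName": "givenName",
    "employeeNumber": "employeeNumber", "department": "department", "manager": "manager",
}
# Attributes scanned when email/phoneNumber are NOT mapped (assumed for this example).
MULTI_VALUE_SOURCES = {
    "email": ("mail", "otherMailbox"),
    "phoneNumber": ("telephoneNumber", "mobile"),
}
# Letters, digits, -, @, ., _ and nothing else (no spaces).
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9@._-]+$")


def _values(entry, attr):
    """Return the attribute's values as a list (LDAP attributes may be multi-valued)."""
    v = entry.get(attr)
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple)) else [v]


def map_user(entry, mapping=None):
    """Map one LDAP entry to a user dict; raises ValueError on a bad id/username."""
    mapping = {**DEFAULT_MAPPING, **(mapping or {})}
    user = {}
    for prop, attr in mapping.items():
        if prop in MULTI_VALUE_SOURCES:
            continue  # email/phoneNumber handled below
        vals = _values(entry, attr)
        user[prop] = vals[0] if vals else None
    for prop, sources in MULTI_VALUE_SOURCES.items():
        if prop in mapping:
            # Mapped: only the one value named by the mapping is copied.
            user[prop] = _values(entry, mapping[prop])[:1]
        else:
            # Unmapped: every address / number found in the entry is copied.
            user[prop] = [v for attr in sources for v in _values(entry, attr)]
    for prop in ("id", "username"):
        if not user.get(prop) or not IDENTIFIER_RE.match(user[prop]):
            raise ValueError("%s %r contains characters that are not allowed" % (prop, user.get(prop)))
    return user


def check_uniqueness(users):
    """Return the conflicts that would make the batch fail to sync: two users
    sharing an id, username, email or phone number. Each conflict is
    (property, value, first user id, second user id)."""
    seen = {}
    conflicts = []
    for user in users:
        keys = [("id", user["id"]), ("username", user["username"])]
        keys += [("email", e) for e in user["email"]]
        keys += [("phoneNumber", p) for p in user["phoneNumber"]]
        for key in keys:
            if key in seen and seen[key] != user["id"]:
                conflicts.append((key[0], key[1], seen[key], user["id"]))
            seen.setdefault(key, user["id"])
    return conflicts


# Constructed sample entries (not real directory data).
ENTRY_WILSON = {
    "sAMAccountName": "wilson", "displayName": "Wilson W", "sn": "W", "givenName": "Wilson",
    "mail": "wilson@example.com", "otherMailbox": ["w.wilson@example.com"],
    "telephoneNumber": "+1 555 0100", "mobile": "+1 555 0101",
}
ENTRY_JONES = {
    "sAMAccountName": "jones", "displayName": "Jones J", "sn": "Jones", "givenName": "J",
    "mail": "wilson@example.com",          # duplicate of Wilson's address
    "telephoneNumber": "+1 555 0200",
}

if __name__ == "__main__":
    print(map_user(ENTRY_WILSON))                                      # all emails and numbers
    print(map_user(ENTRY_WILSON, {"email": "mail", "phoneNumber": "mobile"}))  # one of each
    print(check_uniqueness([map_user(ENTRY_WILSON), map_user(ENTRY_JONES)]))
```

Running the uniqueness check before the sync job, rather than letting the job fail on the duplicate, turns a silent partial synchronization into an actionable list of directory records to fix.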

For information and examples about mapping user and group data, see Mapping LDAP users from Microsoft Active Directory and Mapping groups from LDAP to display group descriptions.

Extensions

In Maximo Application Suite 8.11 and earlier versions, the extension fields that are listed in the following table are not included in the Maximo Application Suite user interface. They are part of the Maximo Application Suite user object and might be used by applications.

The following table shows how the LDAP fields map to the Maximo Application Suite user object.

Table 4. LDAP extension fields

  LDAP field       Details
  --------------   ---------------------------------------------------------------
  employeeNumber   A string identifier, typically numeric or alphanumeric, that is
                   assigned to a person, typically based on order of hire or
                   association with an organization.
  costCenter       Identifies the name of a cost center.
  organization     Identifies the name of an organization.
  division         Identifies the name of a division.
  department       Identifies the name of a department.
  manager          The user's manager. A complex type that optionally allows
                   service providers to represent an organizational hierarchy by
                   referencing the "ID" attribute of another user.

Customizations in ScimCfg Custom Resource

Starting in Maximo Application Suite 8.9, you can change some configurations in the ScimCfg Custom Resource as the configurations are not available in the Maximo Application Suite user interface.

Add the following properties in spec.config of the ScimCfg Custom Resource:
customMaxSearchResults
Use the customMaxSearchResults to configure the maximum number of entries that can be returned in a search.
ldapType
Use the ldapType property to override the default Custom setting for ldapType in the server's <ldapRegistry> configuration. The following LDAP servers are supported:
  • Custom, which is the default value.
  • IBM Lotus® Domino®
  • IBM SecureWay Directory Server
  • IBM Tivoli® Directory Server
  • Microsoft Active Directory
  • Netscape Directory Server
  • Novell eDirectory
  • Sun Java™ System Directory Server
customLdapRegistryExtensions
Use the customLdapRegistryExtensions property to override the default settings for <ldapRegistry> configuration.

For more information about supported settings, see LDAP User Registry.

The following properties cannot be set through customLdapRegistryExtensions: ldapType, because it is configurable through its own stand-alone property; the properties that are exposed through the Scim Sync CRUD APIs and the user interface, such as host, port, bindDN, bindPassword, and baseDN; and properties that cannot be changed at all, such as id and realm.

The remaining properties can be added under customLdapRegistryExtensions. For more information about adding the properties, see the format that is specified by WebSphere Liberty.

Note: The properties are not exposed through LDAP sync or User Interface. However, updating LDAP sync configuration through the API or UI does not override these settings.
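An added helper (not IBM code) that assembles the spec.config fragment for a ScimCfg Custom Resource from the three properties described above and refuses the keys that this section says are managed elsewhere. The supported ldapType strings are the ones listed above; the apiVersion value in the rendered skeleton is a placeholder and the extension key names used in the sample (recursiveSearch, searchTimeout) are Liberty ldapRegistry attributes, but the way customLdapRegistryExtensions nests them is assumed for this example, not taken from the page.

```python
"""Added example (not IBM code): build and validate the spec.config fragment
of a ScimCfg Custom Resource."""
import json

SUPPORTED_LDAP_TYPES = (
    "Custom", "IBM Lotus Domino", "IBM SecureWay Directory Server",
    "IBM Tivoli Directory Server", "Microsoft Active Directory",
    "Netscape Directory Server", "Novell eDirectory", "Sun Java System Directory Server",
)
# Keys that must NOT appear under customLdapRegistryExtensions: ldapType has its
# own property; host/port/bindDN/bindPassword/baseDN are set through the UI/API;
# id and realm cannot be changed.
RESERVED_EXTENSION_KEYS = frozenset(
    {"ldapType", "host", "port", "bindDN", "bindPassword", "baseDN", "id", "realm"})


def build_scim_config(max_search_results=None, ldap_type="Custom", extensions=None):
    """Return a validated spec.config fragment as a dict."""
    if ldap_type not in SUPPORTED_LDAP_TYPES:
        raise ValueError("unsupported ldapType: %r" % ldap_type)
    extensions = dict(extensions or {})
    bad = sorted(RESERVED_EXTENSION_KEYS & extensions.keys())
    if bad:
        raise ValueError("not allowed under customLdapRegistryExtensions: " + ", ".join(bad))
    config = {"ldapType": ldap_type}
    if max_search_results is not None:
        if not isinstance(max_search_results, int) or max_search_results <= 0:
            raise ValueError("customMaxSearchResults must be a positive integer")
        config["customMaxSearchResults"] = max_search_results
    if extensions:
        config["customLdapRegistryExtensions"] = extensions
    return config


def render_scimcfg(name, config):
    """Wrap the fragment in a CR skeleton. apiVersion is a placeholder (assumed)."""
    return {
        "apiVersion": "EXAMPLE-API-GROUP/v1",   # placeholder, not from the page
        "kind": "ScimCfg",
        "metadata": {"name": name},
        "spec": {"config": config},
    }


if __name__ == "__main__":
    cfg = build_scim_config(
        max_search_results=5000,
        ldap_type="Microsoft Active Directory",
        extensions={"recursiveSearch": "true", "searchTimeout": "2m"},  # nesting assumed
    )
    print(json.dumps(render_scimcfg("example-scimcfg", cfg), indent=2))
```

Rejecting host, bindPassword and friends at build time matters because, as the note above says, a later update through the API or UI does not override what sits under customLdapRegistryExtensions; a bind password smuggled in there would silently survive a credential rotation.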

Limitations

  • User synchronization is supported for a single LDAP server.
  • User and group sync are done in the same job.
  • Synchronization by using external SCIM APIs is not supported.