LDAP user registry synchronization
User registry synchronization simplifies Maximo® Application Suite user management by synchronizing users and groups between an LDAP server and your local Maximo Application Suite user registry.
User synchronization
Synchronization is one way, from the LDAP server to Maximo Application Suite, and all updates on the LDAP side are merged over at synchronization time.
If your environment is configured for LDAP authentication, you can sync the complete user and group registry, or you can sync a filtered subset of the LDAP user registry.
If your environment is configured for local or SAML authentication, you can specify an external LDAP server to sync the users and groups with.
During synchronization, the mapped LDAP users are automatically added as Maximo Application Suite users. When a user is synchronized from LDAP, the owner field of the user record is set to scim in MongoDB, which marks the user as externally managed.
The synced users are initially added with only application entitlement but can be assigned administration entitlement if needed. Users can also be granted specific access to applications during the initial synchronization.
Generally, synced personal information cannot be updated in Maximo Application Suite. Only user entitlement and application access can be managed in Maximo Application Suite. If the user authentication is local, passwords can also be managed in Maximo Application Suite.
User and group synchronization with SCIM 2.0
Starting in Maximo Application Suite 9.0, you can synchronize users and groups from an external identity provider (IdP) by using the System for Cross-domain Identity Management (SCIM) 2.0 protocol. For more information, see User synchronization with SCIM 2.0.
User and group synchronization operations
The following user and group synchronization operations are supported.
User operations
Table 1. User synchronization operations

Operation | Description
---|---
Insert | Adds a user if it does not exist in the Maximo Application Suite user registry. If the user was previously deactivated because of being removed from the LDAP server, but is now added back to the LDAP server, the user is reactivated. The user is initially set up with an identity provider (IdP) issuer, entitlement, and application access. If SMTP is configured, newly created users also receive a welcome email.
Update | Updates a user if it exists in the Maximo Application Suite user registry. User entitlement and application access are not updated.
Skip | Skips the user update if no changes occurred in the LDAP server since the last synchronization. The field that is checked is ldap.meta.lastModified.
Delete | Deactivates the user in Maximo Application Suite if the user is removed from the LDAP server.
Group operations
Table 2. Group synchronization operations

Operation | Description
---|---
Insert | Adds a group if it does not exist in the Maximo Application Suite user registry.
Update | Updates a group if it exists in the Maximo Application Suite user registry. User entitlement and application access are not updated. Groups are always updated, and Maximo Application Suite does not delete them as part of the synchronization process.
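The following is an added example, not IBM's code, that models the operations in Tables 1 and 2 against constructed records: a user is inserted (or reactivated), updated, skipped when its ldap.meta.lastModified has not moved, or deactivated when it is gone from LDAP, while entitlement and application access of existing users are never touched and groups are only inserted or updated, never deleted. Field names such as owner and active are assumptions for the model, not the actual MongoDB schema.

```python
# Added example (not IBM's code): a small model of the synchronization operations
# in Tables 1 and 2. Users are inserted, updated, skipped (when ldap.meta.lastModified
# has not moved) or deactivated; groups are inserted or updated, never deleted.
# All records below are constructed for the example; nothing is read from LDAP.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class LdapUser:
    username: str
    display_name: str
    email: str
    last_modified: datetime  # plays the role of ldap.meta.lastModified


@dataclass
class LocalUser:
    username: str
    display_name: str
    email: str
    last_modified: datetime
    owner: str = "scim"               # externally managed, as the page describes
    active: bool = True
    entitlement: str = "application"  # synced users start with application entitlement
    app_access: set = field(default_factory=set)


def sync_users(ldap_users, registry):
    """Apply insert/update/skip/delete; returns {operation: [usernames]}."""
    ops = {"insert": [], "update": [], "skip": [], "delete": []}
    seen = set()
    for u in ldap_users:
        seen.add(u.username)
        local = registry.get(u.username)
        if local is None:
            registry[u.username] = LocalUser(u.username, u.display_name, u.email, u.last_modified)
            ops["insert"].append(u.username)
        elif not local.active:
            # removed from LDAP earlier and now added back: reactivate (counts as insert)
            local.active = True
            local.display_name, local.email = u.display_name, u.email
            local.last_modified = u.last_modified
            ops["insert"].append(u.username)
        elif u.last_modified <= local.last_modified:
            ops["skip"].append(u.username)  # nothing changed on the LDAP side
        else:
            # personal data is refreshed; entitlement and app access are left as they are
            local.display_name, local.email = u.display_name, u.email
            local.last_modified = u.last_modified
            ops["update"].append(u.username)
    for name, local in registry.items():
        # only SCIM-owned users are subject to deactivation; local users are untouched
        if name not in seen and local.owner == "scim" and local.active:
            local.active = False  # deactivated, not deleted
            ops["delete"].append(name)
    return ops


def sync_groups(ldap_groups, groups):
    """Insert or update groups; groups missing from LDAP are deliberately kept."""
    ops = {"insert": [], "update": []}
    for gid, members in ldap_groups.items():
        ops["update" if gid in groups else "insert"].append(gid)
        groups[gid] = set(members)
    return ops


def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # time of the previous sync
    t1 = datetime(2024, 2, 1, tzinfo=timezone.utc)  # a later LDAP modification
    registry = {
        "alice": LocalUser("alice", "Alice A", "alice@example.com", t0,
                           entitlement="admin", app_access={"manage"}),
        "bob": LocalUser("bob", "Bob B", "bob@example.com", t0, active=False),
        "carol": LocalUser("carol", "Carol C", "carol@example.com", t0),
        "erin": LocalUser("erin", "Erin E", "erin@example.com", t0),
        "localadmin": LocalUser("localadmin", "Local Admin", "admin@example.com", t0, owner="local"),
    }
    ldap_users = [
        LdapUser("alice", "Alice Anderson", "alice@example.com", t1),  # changed since t0
        LdapUser("bob", "Bob B", "bob@example.com", t1),               # re-added to LDAP
        LdapUser("dave", "Dave D", "dave@example.com", t1),            # brand new
        LdapUser("erin", "Erin E", "erin@example.com", t0),            # unchanged
    ]                                                                  # carol is gone
    groups = {"maintenance": {"alice"}}
    ldap_groups = {"maintenance": ["alice", "dave"], "planners": ["bob"]}
    return sync_users(ldap_users, registry), sync_groups(ldap_groups, groups), registry, groups


if __name__ == "__main__":
    user_ops, group_ops, registry, groups = demo()
    print(user_ops)
    print(group_ops)
```

Running demo() shows alice updated but still holding admin entitlement, bob reactivated, dave inserted, erin skipped, carol deactivated rather than removed, the locally owned admin left alone, and the planners group added without the maintenance group being deleted.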
LDAP configuration attributes
Maximo Application Suite LDAP filter configuration is based on IBM® Liberty.
The following configuration examples are based on Microsoft Active Directory. Refer to the IBM Liberty documentation for other types of user registries.
Parameter | Details
---|---
URL | The URL for the LDAP server, in the format protocol://<hostname>:<port>. Note: Secure LDAP (LDAPS) is the only allowed protocol. Non-TLS connections are not allowed.
Base DN | The path in the object hierarchy of the directory server.
Bind DN | The DN that is used to bind to the LDAP server. The bind account must have sufficient privileges to search for users under the user search DN and for groups under the group search DN.
Bind PW | The LDAP administrator password.
Certificate | The TLS certificate for your LDAP server. You can also add multiple certificates if you are using a certificate chain.
User Base DN | The user-level path in the object hierarchy of the directory server. If not provided, the Base DN is used by default.
userFilter | The query that is used to search for users in the directory.
userIdMap | The field that is used for user IDs.
Group Base DN | The group-level path in the object hierarchy of the directory server. If not provided, the Base DN is used by default.
groupFilter | The query that is used to search for groups in the directory.
groupIdMap | The field that is used for group IDs.
groupMemberIdMap | An LDAP filter that identifies the group memberships for users.
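The following is an added example, not IBM's code, that checks a set of these parameters offline before they are entered: the URL must use ldaps:// (the only allowed protocol), every DN must be a well-formed sequence of attribute=value components, the user and group base DNs fall back to the Base DN when empty, and each filter must carry the %v placeholder that Liberty substitutes with the user or group name. The sample values are constructed for an Active Directory domain; the filter and map strings are the ones commonly used with Liberty's <ldapRegistry> for Active Directory and are assumptions here, not values the page states as defaults.

```python
# Added example (not IBM's code): offline checks for the parameters in the table above.
# Only ldaps:// is accepted, DNs must be well-formed attribute=value sequences, and a
# Liberty-style filter must carry the %v placeholder and balanced parentheses. The sample
# configuration is constructed; the filter and map values are the ones commonly used for
# Active Directory in Liberty's <ldapRegistry> and are assumptions here, not MAS defaults.
import re
from urllib.parse import urlsplit

RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def check_ldap_url(url):
    """Return (hostname, port); rejects anything other than Secure LDAP."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps":
        raise ValueError("only ldaps:// is allowed; non-TLS connections are rejected")
    if not parts.hostname:
        raise ValueError("hostname missing from LDAP URL")
    return parts.hostname, parts.port if parts.port is not None else 636


def check_dn(dn):
    rdns = [r.strip() for r in dn.split(",")]
    if not all(RDN.match(r) for r in rdns):
        raise ValueError(f"malformed DN: {dn!r}")
    return rdns


def check_filter(ldap_filter):
    """%v is what Liberty substitutes with the user or group name at search time."""
    if "%v" not in ldap_filter:
        raise ValueError(f"filter has no %v placeholder: {ldap_filter!r}")
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError(f"unbalanced parentheses: {ldap_filter!r}")
    if depth != 0:
        raise ValueError(f"unbalanced parentheses: {ldap_filter!r}")
    return ldap_filter


def validate_config(cfg):
    """Return the effective settings, applying the Base DN fallback for the user/group base DNs."""
    host, port = check_ldap_url(cfg["url"])
    check_dn(cfg["baseDN"])
    check_dn(cfg["bindDN"])
    if not cfg.get("bindPassword"):
        raise ValueError("bind password is empty")
    if not cfg.get("certificate", "").startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("LDAP TLS certificate must be PEM encoded")
    user_base = cfg.get("userBaseDN") or cfg["baseDN"]
    group_base = cfg.get("groupBaseDN") or cfg["baseDN"]
    check_dn(user_base)
    check_dn(group_base)
    check_filter(cfg["userFilter"])
    check_filter(cfg["groupFilter"])
    return {"host": host, "port": port, "userBaseDN": user_base, "groupBaseDN": group_base}


def rejected(check, value):
    """True if the check raises ValueError for the value (handy for negative tests)."""
    try:
        check(value)
    except ValueError:
        return True
    return False


# Constructed sample for an Active Directory domain; values are illustrative only.
SAMPLE = {
    "url": "ldaps://ad.example.com:636",
    "baseDN": "DC=example,DC=com",
    "bindDN": "CN=mas-sync,OU=Service Accounts,DC=example,DC=com",
    "bindPassword": "<redacted>",
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "userBaseDN": "OU=People,DC=example,DC=com",
    "userFilter": "(&(sAMAccountName=%v)(objectcategory=user))",
    "userIdMap": "user:sAMAccountName",
    "groupBaseDN": "",  # empty: falls back to baseDN
    "groupFilter": "(&(cn=%v)(objectcategory=group))",
    "groupIdMap": "*:cn",
    "groupMemberIdMap": "memberOf:member",
}

if __name__ == "__main__":
    print(validate_config(SAMPLE))
```

The bind account in the sample is a dedicated service account rather than a domain administrator; the bind DN only needs read access to search under the user and group base DNs, so a least-privilege account is sufficient.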
User and group registry mapping
The Maximo Application Suite user data model is based on the custom mapping of the user data that synchronizes with the LDAP server.
Starting in Maximo Application Suite 9.0, you can configure user registry synchronization in the user interface to map user data from LDAP to Maximo Application Suite.
To map user or group data, on the Suite administration page, select Configurations from the side navigation menu and then click User registry synchronization. You can also use a default value that is set by the system. If you don't specify custom field values, then default values are used.
User mapping
You can use the following user properties to map between Maximo Application Suite and LDAP by specifying the field in LDAP that maps to the property field in Maximo Application Suite.
- Standard user properties
  - id
  - username
  - displayName
  - title
  - familyName
  - givenName
  - phoneNumber
- Extensions
  - employeeNumber
  - costCenter
  - organization
  - division
  - department
  - manager
Group mapping
You can use the following group properties to map between Maximo Application Suite and LDAP by specifying the field in LDAP that maps to the property field in Maximo Application Suite.
- Standard user properties
  - id
  - displayName
If you are mapping the following properties, review the following considerations.
When you use custom mapping, field values must be unique in LDAP. The allowed characters for id and username are letters, numbers, -, @, ., and _, with no spaces.
id
After the initial synchronization, if you configure the property mapping for id, you must manually delete the existing SCIM-owned users (those whose owner property has the value scim) from the Maximo Application Suite database.
You can delete the existing SCIM-owned users by running the following command in MongoDB:
db.getCollection("User").deleteMany({"owner": "scim"})
Deleting the existing SCIM-owned users is required because the users who are included in the next scheduled synchronization cron job are considered new users with different IDs. Otherwise, the synchronization of those users fails because existing users in the database have the same username and email.
username
Configuring the property mapping for username might affect the user's ability to authenticate.
email and phoneNumber
When the email or phoneNumber properties are not mapped, one or more LDAP emails and one or more LDAP phone numbers are copied into the Maximo Application Suite user records. This synchronization is based on the definition of phone numbers and emails that is available for each user in the LDAP server.
If you specify the mapping for the email or the phoneNumber property, then only the one email and the one phone number that is specified by the mapped value is copied from the LDAP user into Maximo Application Suite.
If users have multiple emails or phone numbers that might be duplicated, then the synchronization might fail. To make sure that the data synchronizes correctly, use email and phoneNumber information that is unique to each user.
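The following is an added example, not IBM's code, that applies a custom mapping to constructed LDAP entries and checks the constraints described above: id and username must be unique and use only letters, digits, -, @, . and _; when email or phoneNumber is left unmapped every value found is copied, when mapped only the single mapped value is copied; and an email value shared by two users is reported, since that is the duplicate that makes a synchronization fail. The attribute names (sAMAccountName, userPrincipalName, mail, mobile, ...) are typical Active Directory names used as assumptions; the page does not say which attributes Maximo Application Suite reads by default when a property is unmapped, so EMAIL_ATTRS and PHONE_ATTRS are assumptions too.

```python
# Added example (not IBM's code): applies a custom user mapping to constructed LDAP
# entries and checks the constraints described above. id and username must be unique
# and use only letters, digits, -, @, . and _; with email or phoneNumber unmapped every
# value found is copied, with them mapped only the one value is copied; an email shared
# by two users is reported because that synchronization would fail.
# Attribute names are typical Active Directory names, used here as assumptions.
import re
from collections import Counter

ID_RE = re.compile(r"^[A-Za-z0-9@._-]+$")  # letters, digits, - @ . _ ; no spaces
STANDARD = ("id", "username", "displayName", "title", "familyName", "givenName")
# Assumed attributes that are collected when email / phoneNumber are left unmapped
EMAIL_ATTRS = ("mail", "otherMailbox")
PHONE_ATTRS = ("telephoneNumber", "mobile")


def map_user(entry, mapping):
    """entry: LDAP attribute -> list of values; mapping: MAS property -> LDAP attribute."""
    user = {}
    for prop in STANDARD:
        attr = mapping.get(prop)
        if attr and entry.get(attr):
            user[prop] = entry[attr][0]
    for prop, fallback in (("email", EMAIL_ATTRS), ("phoneNumber", PHONE_ATTRS)):
        attr = mapping.get(prop)
        if attr:
            user[prop] = entry.get(attr, [])[:1]  # exactly one value when mapped
        else:
            user[prop] = [v for a in fallback for v in entry.get(a, [])]  # all values
    return user


def validate_users(users):
    """Return a list of human-readable problems; an empty list means the batch is sound."""
    problems = []
    for u in users:
        for key in ("id", "username"):
            if not ID_RE.match(u.get(key, "")):
                problems.append(f"{u.get('id')}: invalid {key}")
    for key in ("id", "username"):
        counts = Counter(u[key] for u in users if key in u)
        problems += [f"duplicate {key} {v!r}" for v, n in counts.items() if n > 1]
    for key in ("email", "phoneNumber"):
        counts = Counter(v for u in users for v in u[key])
        problems += [f"{key} {v!r} shared by {n} users" for v, n in counts.items() if n > 1]
    return problems


def run_mapping(entries, mapping):
    users = [map_user(e, mapping) for e in entries]
    return users, validate_users(users)


# Constructed directory entries (multi-valued attributes are lists)
ENTRIES = [
    {"sAMAccountName": ["alice"], "userPrincipalName": ["alice@example.com"],
     "displayName": ["Alice Anderson"], "sn": ["Anderson"], "givenName": ["Alice"],
     "mail": ["alice@example.com", "a.anderson@example.com"], "mobile": ["+1-555-0101"]},
    {"sAMAccountName": ["bob"], "userPrincipalName": ["bob@example.com"],
     "displayName": ["Bob Brown"], "sn": ["Brown"], "givenName": ["Bob"],
     "mail": ["bob@example.com", "shared@example.com"]},
    {"sAMAccountName": ["carol"], "userPrincipalName": ["carol@example.com"],
     "displayName": ["Carol Clark"], "sn": ["Clark"], "givenName": ["Carol"],
     "mail": ["carol@example.com", "shared@example.com"]},
    {"sAMAccountName": ["dan smith"], "userPrincipalName": ["dan@example.com"],  # space: rejected
     "displayName": ["Dan Smith"], "sn": ["Smith"], "givenName": ["Dan"],
     "mail": ["dan@example.com"]},
]
MAPPING = {"id": "sAMAccountName", "username": "userPrincipalName",
           "displayName": "displayName", "familyName": "sn", "givenName": "givenName"}

if __name__ == "__main__":
    for m in (MAPPING, dict(MAPPING, email="mail")):
        users, problems = run_mapping(ENTRIES, m)
        print("email mapped" if "email" in m else "email unmapped", problems)
```

With email unmapped, bob and carol both bring in shared@example.com and the batch is flagged; mapping email to mail copies only the first value per user and the only remaining problem is the id that contains a space.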
For information and examples about mapping user and group data, see Mapping LDAP users from Microsoft Active Directory and Mapping groups from LDAP to display group descriptions.
Extensions
In Maximo Application Suite 8.11 and earlier versions, the extension fields that are listed in the following table are not included in the Maximo Application Suite user interface. They are part of the Maximo Application Suite user object and might be used by applications.
The following table shows how the LDAP fields map to the Maximo Application Suite user object.
LDAP field | Details
---|---
employeeNumber | A string identifier, typically numeric or alphanumeric, that is assigned to a person, typically based on order of hire or association with an organization.
costCenter | Identifies the name of a cost center.
organization | Identifies the name of an organization.
division | Identifies the name of a division.
department | Identifies the name of a department.
manager | The user's manager. A complex type that optionally allows service providers to represent an organizational hierarchy by referencing the "id" attribute of another user.
Customizations in ScimCfg Custom Resource
Starting in Maximo Application Suite 8.9, you can change some configurations in the ScimCfg Custom Resource because those configurations are not available in the Maximo Application Suite user interface. The following properties are set under spec.config of the ScimCfg Custom Resource:
- customMaxSearchResults
  Use the customMaxSearchResults property to configure the maximum number of entries that can be returned in a search.
- ldapType
  Use the ldapType property to override the default Custom setting for ldapType in the server's <ldapRegistry> configuration. The following LDAP servers are supported:
  - Custom, which is the default value.
  - IBM Lotus® Domino®
  - IBM SecureWay Directory Server
  - IBM Tivoli® Directory Server
  - Microsoft Active Directory
  - Netscape Directory Server
  - Novell eDirectory
  - Sun Java™ System Directory Server
- customLdapRegistryExtensions
  Use the customLdapRegistryExtensions property to override the default settings of the <ldapRegistry> configuration. For more information about supported settings, see LDAP User Registry.
  The exceptions are ldapType, because this property is configurable in a separate stand-alone property; the properties that are exposed through the Scim Sync CRUD APIs; user interface properties such as host, port, bindDN, bindPassword, and baseDN; and some properties that cannot be changed, such as id and realm. The remaining properties can be added under customLdapRegistryExtensions. For more information about adding the properties, see the format that is specified by WebSphere Liberty.
Limitations
- User synchronization is supported for a single LDAP server.
- User and group synchronization are done in the same job.
- Synchronization by using external SCIM APIs is not supported.