Tuesday, August 3, 2010

AD and LDAP group management through OIM

Provisioning systems are often initially brought in to provision the basic resources such as AD accounts, email and perhaps a basic ERP account. Once that functionality is in place it is common to start looking at handling group memberships in the target application. In some cases you then go on to manage not only the group memberships but also the groups themselves.

A very common example is groups in Active Directory and/or the corporate LDAP. I have written down some thoughts about how to best leverage OIM in this capacity.

Take a look and feel free to comment if you find the document useful:
AD and LDAP group management through OIM

2 comments:

  1. Hi Martin,

    This post was perfect, this is exactly what I need to do at a client site and your post was very helpful. I was wondering how you'd implement the "One resource object per group" pattern? Trying to figure out what process task you'd use to add the user to the group.

    I attempted to use the AD's Add User to Group adapter, but that requires parameters specific to the AD process form.

    I know you can create a custom adapter using JNDI and pass username and group there, is this what you had in mind?

    Great blog,
    Alex

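As an added illustration of the JNDI approach raised in the comment above (this is not code from the post, the linked document, or the OIM AD connector), the core call such a custom adapter would wrap: binding to the directory and adding the user's DN to the group's member attribute. The directory URL, bind account, and the group and user DNs are placeholders that the process task would pass in as adapter parameters.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.AttributeInUseException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

public class GroupMemberAdapter {

    // Adds userDn as a value of the group's "member" attribute (the attribute used by
    // AD groups and by LDAP groupOfNames entries). Returns "SUCCESS" or an error code,
    // the string style an OIM process task adapter maps to a response code.
    public static String addUserToGroup(String ldapUrl, String bindDn, String bindPassword,
                                        String groupDn, String userDn) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);          // placeholder; use ldaps:// so the bind is not cleartext
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);     // placeholder service account with write on the group
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            ModificationItem[] mods = {
                new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("member", userDn))
            };
            ctx.modifyAttributes(groupDn, mods);
            return "SUCCESS";
        } catch (AttributeInUseException e) {
            // The directory rejects a value that is already present: the user is already a member,
            // which is the desired end state, so the task should not be left in a retry loop.
            return "SUCCESS";
        } catch (NamingException e) {
            return "GROUP_ADD_FAILED: " + e.getMessage();
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Placeholder values only; replace with parameters mapped from the process form.
        System.out.println(addUserToGroup("ldaps://directory.example.invalid:636",
                "CN=oim-svc,OU=Service Accounts,DC=example,DC=invalid", "<password>",
                "CN=App Users,OU=Groups,DC=example,DC=invalid",
                "CN=Alex Example,OU=Users,DC=example,DC=invalid"));
    }
}
```

The remove side of the task is the same call with DirContext.REMOVE_ATTRIBUTE, and a group lookup before the modify lets the adapter report a missing group distinctly from a permission failure.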
  2. I wrote two new articles to address the points that you brought up.

    http://iamreflections.blogspot.com/2010/09/oim-howto-target-system-group.html tells you how to do a pure rule, group and ap setup and http://iamreflections.blogspot.com/2010/09/oim-howto-one-resource-object-per.html talks about the one RO per group design pattern.

    Hope this helps
