By Mayane Maman - 05/01/2022
This article is also available in French here.
We are going to talk about how to set up a Remote Connector Server (RCS) so that applications connected to ForgeRock Identity Cloud (FIC) can authenticate users stored in an external LDAP directory.
The RCS will be a gateway between FIC and our LDAP directory. Once everything is set up correctly, we'll be able to list the LDAP users in the FIC console (including all the attributes we decided to synchronize).
As for passwords, multiple approaches can be used. For instance, one can sync passwords (or their hashes) between FIC and the LDAP, or store no passwords in FIC at all and always rely on the password held in the LDAP directory. We'll talk about that here.
As we are going to configure the RCS in « client mode », connections only go one way (initiated by the RCS towards FIC), which means that no external connection enters our network. This is shown in this other picture, also taken from the ForgeRock doc:
Prerequisites:
- a FIC tenant and an admin account
- an external LDAP directory (we'll be using ForgeRock DS in evaluation mode)
- a server with a JRE 11 where we'll deploy the RCS. This server will need to be able to talk to the LDAP server (via LDAP and/or LDAPS) and to FIC (outgoing HTTPS flow)
First, go to https://<tenant>.forgeblocks.com/platform/?realm=alpha#/connect
- then click on « New Connector Server », choose a name (« rcs1 » for instance) and enable SSL
- reset the « client secret » and keep the value you chose somewhere safe: it goes into the RCS configuration below
The status of the connector server is now "waiting to connect...", we need to configure the RCS itself.
Note that creating the connector server automatically created a "machine to machine" OAuth2 application called "RCSClient":
RCS installation
After having downloaded the Java Remote Connector Server, we can now install it.
Of course, the server where we'll install it needs to be able to talk to the LDAP server (over LDAPS in our case). It also needs to be able to make HTTPS calls to FIC.
Installation is easy:
$ cd /path/to/rcs
$ unzip openicf-zip-1.5.20.2.zip
RCS will be available at this path: /path/to/rcs/openicf/
Let's edit the RCS config file /path/to/rcs/openicf/conf/ConnectorServer.properties with the details below. Keep in mind that this is a Java properties file: a # only starts a comment at the beginning of a line (a trailing # would become part of the value), and each property goes on its own line.
Add the OAuth2 credentials used to obtain the tokens (the client secret is the one we reset in FIC earlier):
connectorserver.clientId=RCSClient
connectorserver.clientSecret=password
Uncomment the following lines and adapt them:
connectorserver.tokenEndpoint=https://<tenant>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token
# this is the name of the connector server as defined earlier in FIC
connectorserver.connectorServerName=rcs1
# OAuth2 token scope
connectorserver.scope=fr:idm:*
connectorserver.url=wss://<tenant>.forgeblocks.com/openicf/0 wss://<tenant>.forgeblocks.com/openicf/1 wss://<tenant>.forgeblocks.com/openicf/2
connectorserver.webSocketConnections=3
connectorserver.pingPongInterval=60
connectorserver.usessl=true
connectorserver.housekeepingInterval=20
connectorserver.groupCheckInterval=900
connectorserver.newConnectionsInterval=10
connectorserver.connectionTtl=3000
Let’s try to start the RCS:
$ cd /path/to/rcs/openicf
$ bin/ConnectorServer.sh /run
or:
$ bin/ConnectorServer.sh jpda /run #debug mode
Of course, this will need to be run as a daemon later on.
The connector server should now have the "connected" status in FIC:
The first step is to import the SSL certificate of the LDAP directory into the RCS truststore.
Let's export the DS CA certificate (I hope you kept your deploymentKeyPassword somewhere safe):
/path/to/opendj/bin/dskeymgr export-ca-cert \
--deploymentKey XXXXX \
--deploymentKeyPassword 'password' \
--alias ds-ca-cert \
--outputFile /path/to/ds-ca-cert.pem
We can now import the cert into the RCS truststore:
$ keytool -import -file /path/to/ds-ca-cert.pem -alias server-cert -keystore /path/to/rcs/openicf/security/truststore.pkcs12
Uncomment the following lines in /path/to/rcs/openicf/conf/ConnectorServer.properties:
connectorserver.trustStoreFile=security/truststore.pkcs12
connectorserver.trustStoreType=PKCS12
connectorserver.trustStorePass=changeit
As we are lazy, we'll also import all certificates from the default Java truststore into the RCS truststore (the destination store type is pkcs12, so that it matches the trustStoreType configured above):
$ keytool -importkeystore -srckeystore /etc/pki/java/cacerts -destkeystore /path/to/rcs/openicf/security/truststore.pkcs12 -deststoretype pkcs12 -srcstorepass changeit -deststorepass changeit -v -noprompt
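Before starting the RCS it is worth checking the properties file for the two mistakes that are easy to make in this format (a trailing # comment silently becoming part of a value, and two properties written on one line) and for a truststore whose type does not match the file you imported the DS certificate into. The following check script is an added example written for this post, not part of the ForgeRock RCS distribution; it assumes the property names shown above and the sample files it creates are constructed here.

```shell
#!/bin/sh
# check_rcs_props FILE: sanity-check a ConnectorServer.properties file before
# starting the RCS. Returns the number of problems found (0 = all good).
check_rcs_props() {
    file="$1"
    errors=0
    # 1. In a Java properties file '#' is only a comment at line start; a
    #    trailing " #..." is read as part of the value.
    if grep -nE '^[^#!].*[[:space:]]#' "$file"; then
        echo "ERROR: trailing '#' comment will be read as part of the value" >&2
        errors=$((errors + 1))
    fi
    # 2. Two properties on one line: a second "connectorserver.x=" after the first '='.
    if grep -nE '^[^#!]*=.*[[:space:]]connectorserver\.[A-Za-z]+=' "$file"; then
        echo "ERROR: more than one property on a single line" >&2
        errors=$((errors + 1))
    fi
    # 3. Keys the RCS needs to reach FIC in client mode.
    for key in connectorserver.url connectorserver.connectorServerName \
               connectorserver.tokenEndpoint connectorserver.clientId \
               connectorserver.clientSecret connectorserver.scope; do
        grep -qE "^${key}=" "$file" || { echo "ERROR: missing $key" >&2; errors=$((errors + 1)); }
    done
    # 4. The websocket link to FIC must use TLS.
    grep -qE '^connectorserver\.usessl=true[[:space:]]*$' "$file" \
        || { echo "ERROR: connectorserver.usessl must be true" >&2; errors=$((errors + 1)); }
    # 5. Truststore type must match the truststore file actually referenced.
    ts_file=$(sed -n 's/^connectorserver\.trustStoreFile=//p' "$file")
    ts_type=$(sed -n 's/^connectorserver\.trustStoreType=//p' "$file")
    case "$ts_file:$ts_type" in
        *.pkcs12:PKCS12|*.p12:PKCS12|*.jks:JKS|:) ;;   # consistent, or no truststore configured
        *) echo "ERROR: trustStoreFile '$ts_file' does not match trustStoreType '$ts_type'" >&2
           errors=$((errors + 1)) ;;
    esac
    return "$errors"
}

# Constructed sample 1: the pitfalls (trailing comments, two keys on one line,
# a .pkcs12 file declared as JKS).
BAD_PROPS=$(mktemp)
cat > "$BAD_PROPS" <<'EOF'
connectorserver.url=wss://<tenant>.forgeblocks.com/openicf/0 wss://<tenant>.forgeblocks.com/openicf/1
connectorServerName=rcs1 #this is the name of the connector as defined earlier in FIC
connectorserver.tokenEndpoint=https://<tenant>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token
connectorserver.clientId=RCSClient
connectorserver.clientSecret=REPLACE_WITH_CLIENT_SECRET
connectorserver.scope=fr:idm:* #OAuth2 token scope
connectorserver.webSocketConnections=2 connectorserver.pingPongInterval=60
connectorserver.usessl=true
connectorserver.trustStoreFile=security/truststore.pkcs12
connectorserver.trustStoreType=JKS
EOF

# Constructed sample 2: the same configuration written correctly.
GOOD_PROPS=$(mktemp)
cat > "$GOOD_PROPS" <<'EOF'
connectorserver.url=wss://<tenant>.forgeblocks.com/openicf/0 wss://<tenant>.forgeblocks.com/openicf/1
# name of the connector server as declared in FIC
connectorserver.connectorServerName=rcs1
connectorserver.tokenEndpoint=https://<tenant>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token
connectorserver.clientId=RCSClient
connectorserver.clientSecret=REPLACE_WITH_CLIENT_SECRET
connectorserver.scope=fr:idm:*
connectorserver.webSocketConnections=2
connectorserver.pingPongInterval=60
connectorserver.usessl=true
connectorserver.trustStoreFile=security/truststore.pkcs12
connectorserver.trustStoreType=PKCS12
connectorserver.trustStorePass=changeit
EOF

if check_rcs_props "$BAD_PROPS" 2>/dev/null >/dev/null; then
    echo "bad sample unexpectedly passed"
else
    echo "bad sample rejected as expected"
fi
check_rcs_props "$GOOD_PROPS" && echo "good sample OK"
```

Run it against your real file with `check_rcs_props /path/to/rcs/openicf/conf/ConnectorServer.properties`; a non-zero exit status means the RCS would most likely either fail to start or fail to present the expected connector server name to FIC.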
We'll first add the LDAP connector in the FIC IdM console. We'll need:
- to give the connector a name (we were very original here and chose LDAP, but you should be more precise)
- the name of the "remote host" (this is the name of the connector server we configured earlier)
- the connector type, LDAP (but have a look at what else is available in the drop-down menu)
We also need to specify how the RCS service will contact the LDAP directory:
- the host: as we installed the RCS service on the same host as the LDAP directory server, we chose localhost here
- the port to connect to, and whether to use SSL
- a service account (DN and password)
- and all the LDAP details (base DN, user filter, group filter...)
As mentioned earlier, we installed our DS in evaluation mode, and when we tried going to the Data tab to list the users found by the connector at
https://<tenant>.forgeblocks.com/admin/?realm=alpha#connectors/data/provisioner.openicf_ldap/
we got nothing but "Internal server error, please contact your administrator".
The issue was simply solved by declaring the cn attribute as multivalued instead of single-valued in the FIC IdM connector configuration:
in Object Types -> account,
set the cn flags to multivalued.
Users are now shown!
But for now the LDAP users are only visible under Connector => Data => Users.
We now need to "really" import the users into FIC.
VI) Import directory data into the FIC directory with a mapping
We'll have to create a mapping to import the users into the FIC directory:
the source is LDAP and the target is the realm we used until now (alpha) in FIC.
We then need to fill in the attributes grid and adapt the behaviours, for instance to "Default actions".
We'll not go into more detail about the mapping here.
One of the LDAP attributes that needs special care is the password; we'll talk about it in more detail in another post.
Going back to the FIC default screen, we should now be able to see our LDAP users:
We now have a working RCS service, allowing the users stored in our on-prem LDAP directory to be used by FIC.
Here we only set up one RCS server, but you really should go the cluster way to avoid a SPOF. There are also many things left to add, such as daemon creation, log rotation...
Also, for now users are imported but can't authenticate, as we haven't handled the passwords yet. Let's do that here.