Previously, we managed to connect an on-premises LDAP server and have all the users listed in the FIC directory.
Users are imported but can't authenticate for now, as we haven't configured the password yet. Let's do that.
We have 2 main ways of handling the password:
- Store the passwords in FIC and synchronize them with the LDAP service. This can be done in 2 ways:
  - via a hash copy, if FIC and LDAP share a common algorithm,
  - or on the fly, when the user does a first valid authentication.
- Or decide not to store passwords in FIC at all and always delegate password validation to the LDAP server.
We'll go the second way here.
We'll have to add the Passthrough Authentication node to the "Login" journey.
When a user authenticates, the credentials are first tested against the FIC directory; if they don't match anything, they are sent to the RCS, which checks them against the LDAP server.
The Passthrough Authentication node needs a few parameters filled in:
- System Endpoint: name of the LDAP connector
- Identity Attribute: userName (IDM attribute grid)
- Password Attribute: password (IDM attribute grid)
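The order of checks this journey performs, modelled in Python as an added example (not code from this post or from the product): the FIC lookup runs first, and only on failure are the credentials handed to a stand-in for the RCS/LDAP check. The in-memory directories, user names and passwords are constructed, and the empty-password guard is this sketch's own safeguard, added because an LDAP simple bind with an empty password is an unauthenticated bind (RFC 4513) that some servers accept.

```python
import hashlib
import hmac
import os

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _record(password):
    """Build a (salt, digest) entry for the constructed sample stores."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)

# Constructed sample data. "alice" was imported from LDAP, so FIC holds
# no password for her; "localadmin" exists only in FIC.
FIC_DIRECTORY = {"alice": None, "localadmin": _record("S3cure-local!")}
LDAP_DIRECTORY = {"alice": _record("Ldap-pass-1")}

def _matches(store, user, password):
    record = store.get(user)
    if record is None:  # unknown user, or no password stored
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _derive(password, salt))

def ldap_passthrough(user, password):
    """Hypothetical stand-in for the RCS validating against LDAP."""
    return _matches(LDAP_DIRECTORY, user, password)

def login(user, password, remote_check=ldap_passthrough):
    """Return (authenticated, source) following the journey's order."""
    if not user or not password:
        # Sketch's own guard: never forward an empty password to LDAP.
        return False, None
    if _matches(FIC_DIRECTORY, user, password):
        return True, "fic"
    if remote_check(user, password):
        return True, "ldap"  # validated remotely; nothing is stored in FIC
    return False, None

if __name__ == "__main__":
    for user, pw in [("localadmin", "S3cure-local!"), ("alice", "Ldap-pass-1"),
                     ("alice", "wrong"), ("alice", "")]:
        print(user, login(user, pw))
```
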
We can now run the mapping and try to authenticate to an already configured application, for instance over OIDC, as we described here or there (in French, for now).