Although creating and maintaining LDAP group hierarchies is not supported out of the box in ForgeRock's recent OpenIDM 4 release, there is a not too complex way of implementing the functionality using Relationships and a bit of custom JavaScript.
OpenIDM 4 introduces, amongst other things, a new type of Managed Object: Relationships. They enable the easy creation of relations between managed objects and will surely be a key component in the newer field of Identity Relationship Management (IRM).
So what do we mean by “Group Hierarchy” here?
Simply that groups in LDAP can be defined under other groups; that is, other groups serve as their parent containers in the LDAP DIT.
Example:
In this example, the DN of the "Payroll Admins" group is "cn=Payroll Admins,cn=HR Admins,cn=Admins,ou=Groups,dc=example,dc=com": it has two ancestor groups, its parent "HR Admins" and its grandparent "Admins", as its DN makes explicit.
So to create group hierarchies with OpenIDM 4, we can create "Parent" -> "Child" relationships between group Managed Objects and thus leverage all the out-of-the-box functionality surrounding relationships, including the new UI features (more on that later). Here's how...
1. Update the Group Schema
2. onCreate Script
The next step is to specify how OpenIDM should build each new group's DN, using the parent group's DN as the container for the new group. Here is a JavaScript that does that. Add it as an 'onCreate' event script on the managedGroup_systemLDAPGroups mapping, so that it is only triggered when a new group is actually created in the target LDAP directory:
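The following is an added example of such a DN-building script, not the article's own code. It is written in ES5 style so it could also run under the Rhino engine behind OpenIDM's script hooks, and it makes two assumptions the article does not state: that the managed group schema carries a `parent` relationship whose value looks like `{ _ref: "managed/group/<id>" }`, and that the LDAP DN of an already-provisioned group is readable as its `dn` property (`openidm.read`, `source` and `target` are stood in for by a constructed in-memory repository so the example runs offline). Two checks are included that a practitioner would want and that a naive string concatenation misses: the RDN value is escaped per RFC 4514, so a group named `Evil,ou=People` cannot redirect where the entry is created, and the resolved container is verified to sit under the groups base DN, so a tampered parent relationship cannot move a group out of the `ou=Groups` subtree.

```javascript
// Added example (not the article's script): compute the LDAP DN of a new
// managed group from its "parent" relationship.
// Assumptions, not stated by the article: the managed group has a `parent`
// relationship of the form { _ref: "managed/group/<id>" }, and a provisioned
// parent group exposes its LDAP DN as `dn`.

var GROUPS_BASE_DN = 'ou=Groups,dc=example,dc=com';

// Escape an attribute value for use inside an RDN (RFC 4514 section 2.4).
// Special characters are backslash-escaped; NUL becomes \00; a leading '#'
// or space and a trailing space are escaped as well.
function escapeRdnValue(value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError('RDN value must be a non-empty string');
  }
  var out = value.replace(/[\\,+"<>;=]/g, function (c) { return '\\' + c; });
  out = out.replace(/\u0000/g, '\\00');
  if (value.charAt(value.length - 1) === ' ') {
    out = out.slice(0, -1) + '\\ ';
  }
  if (value.charAt(0) === '#' || (value.charAt(0) === ' ' && value.length > 1)) {
    out = '\\' + out;
  }
  return out;
}

// True when `dn` equals `baseDn` or lies somewhere below it. The comparison is
// case-insensitive, which is sufficient for DNs produced by this same script.
function isWithinBase(dn, baseDn) {
  var d = dn.toLowerCase();
  var b = baseDn.toLowerCase();
  return d === b || d.slice(-(b.length + 1)) === ',' + b;
}

// Compose the child DN. A group with no parent lands directly under the base.
function buildGroupDn(groupName, parentDn, baseDn) {
  var container = parentDn || baseDn;
  if (!isWithinBase(container, baseDn)) {
    // Refuse a parent whose DN would place the child outside the groups subtree.
    throw new Error('Parent DN is outside the groups base: ' + container);
  }
  return 'cn=' + escapeRdnValue(groupName) + ',' + container;
}

// Resolve the parent relationship and compute the DN for the target entry.
// `readFn` stands in for openidm.read(resourcePath) so the example runs offline.
function computeTargetDn(sourceGroup, readFn, baseDn) {
  var parentDn = null;
  if (sourceGroup.parent && sourceGroup.parent._ref) {
    var parent = readFn(sourceGroup.parent._ref);
    if (!parent || !parent.dn) {
      // The parent must be provisioned first; otherwise there is no container.
      throw new Error('Parent group has no DN yet: ' + sourceGroup.parent._ref);
    }
    parentDn = parent.dn;
  }
  return buildGroupDn(sourceGroup.name, parentDn, baseDn);
}

// Constructed sample data standing in for the managed/group repository.
var sampleRepo = {
  'managed/group/admins': { name: 'Admins', dn: 'cn=Admins,' + GROUPS_BASE_DN },
  'managed/group/hr-admins': {
    name: 'HR Admins',
    parent: { _ref: 'managed/group/admins' },
    dn: 'cn=HR Admins,cn=Admins,' + GROUPS_BASE_DN
  }
};
function sampleRead(ref) { return sampleRepo[ref]; }

// Inside the mapping's onCreate hook the equivalent line would be roughly
//   target.dn = computeTargetDn(source, openidm.read, GROUPS_BASE_DN);
// (assumption: `source` and `target` are the objects the hook exposes).
if (typeof require !== 'undefined' && require.main === module) {
  var payroll = { name: 'Payroll Admins', parent: { _ref: 'managed/group/hr-admins' } };
  console.log(computeTargetDn(payroll, sampleRead, GROUPS_BASE_DN));
}
```

Because the container is taken from the parent's already-provisioned DN, parents must be synchronised to LDAP before their children; the script throws rather than silently dropping a child under the base when the parent has no DN yet, which makes a mis-ordered sync visible instead of producing a flat group.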
3. Resulting UI Experience
Given the relationships defined above, OpenIDM renders the UI with the appropriate widgets for selecting child and parent groups.
The new UI also provides a real graphical relationship view of the same data:
4. Notes