Using OpenLDAP accesslog for SPML and SCIM based provisioning

A session at LDAPCon 2013

Monday 18th November, 2013

1:30pm to 2:15pm (PMT)

The OpenLDAP access log overlay provides detailed information on entry changes that can be used by replication mechanisms. This information can also be used for a more general provisioning system, e.g. one based on SPML (Service Provisioning Markup Language) or SCIM (System for Cross-domain Identity Management).
The OpenLDAP access log fits the SPML approach of provisioning changes made to entries to other systems well. SPML assumes the presence of the following modules:
• Requesting Authority (RA), that generates SPML documents when data changes
• Provisioning Service Target (PST), the target system to be provisioned
• Provisioning Service Point (PSP), a module that receives the SPML documents and that modifies data on the PSTs accordingly
DAASI International GmbH has implemented a Python-based provisioning system which deploys the DSML v2 profile for SPML and which is based on the OpenLDAP access log. Up to now PSPs for Microsoft Active Directory, Novell eDirectory, and Kerberos have been developed, with Tivoli, MySQL and Adabas on the roadmap.
The RA constantly reads the OpenLDAP access log entries and transforms them into SPML documents that are sent to the PSPs, which in turn make the corresponding changes in the PST. The fact that SPML is based on XML allows a flexible transformation of the data using XSLT templates on the RA or PSP side.
In order to ensure reliable provisioning even in error situations, DAASI has expanded standard SPML with the following SPML extensions:
• Identify to identify the corresponding dataset in the target system. This function is used when a dataset has been manually created or moved at the target system. It is also used to identify entries when connecting a PSP to a system already filled with data.
• Sync to perform an overall synchronization of the target system entry in case a data inconsistency has occurred at the target system, e.g. caused by manual data modification.
SCIM is a new provisioning technology currently being standardized within the IETF, which aims to be a simpler solution than SPML. It consists of a core schema (defined for JSON and XML) and a simple web service API that allows for different HTTP operations:
• POST to create new entries
• PUT to modify an entry via a complete replace
• PATCH to modify an entry via specific changes
• DELETE to delete an entry
DAASI is currently investigating how to implement a SCIM service based on OpenLDAP, and sees two approaches:
• implement a SCIM-only solution based on the OpenLDAP access log that either performs PATCH operations derived from the accesslog information, or, triggered by the accesslog, retrieves the whole LDAP entry and performs a PUT operation
• reuse the stable SPML implementation and create an SPML PSP for SCIM that uses the PATCH method for modifications.
This 45-minute talk gives an introduction to the provisioning technologies, presents the SPML implementation based on the OpenLDAP accesslog and discusses the pros and cons of the two SCIM implementation options. It will also give an overview of the current SCIM standardization activities and their relation to LDAP.
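The first SCIM approach above, turning an accesslog record directly into a SCIM PATCH, as an added example that is not DAASI's code: it parses a constructed auditModify entry (the `reqMod` syntax `attr:<op> value` with `+`, `-`, `=`, `#` is the overlay's own), provisions only changes the directory actually committed (`reqResult: 0`), and emits a SCIM 2.0 PatchOp. The LDAP-to-SCIM attribute mapping and all entry values are assumptions.

```python
import json

# Constructed OpenLDAP accesslog record (LDIF) for one successful modify; all values are made up.
# The real overlay writes a delete of all values as "description:- " (trailing space);
# the parser below accepts both forms.
SAMPLE_ACCESSLOG_ENTRY = """\
dn: reqStart=20131118133000.000001Z,cn=accesslog
objectClass: auditModify
reqStart: 20131118133000.000001Z
reqType: modify
reqDN: uid=jdoe,ou=people,dc=example,dc=org
reqMod: mail:= jdoe@example.org
reqMod: telephoneNumber:+ +49 7071 0000
reqMod: description:-
reqResult: 0
"""

# accesslog reqMod operator -> SCIM PATCH op ("#" increment has no SCIM equivalent and is rejected)
REQMOD_TO_SCIM = {"+": "add", "=": "replace", "-": "remove"}
# Hypothetical LDAP-to-SCIM attribute mapping; a real RA would drive this from config or XSLT.
ATTR_MAP = {"mail": "emails", "telephoneNumber": "phoneNumbers", "description": "x-description"}

def parse_accesslog(ldif):
    """Parse one LDIF entry into {attribute: [values]} (no line folding or base64 handling)."""
    entry = {}
    for line in ldif.splitlines():
        if line and not line.startswith("#"):
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
    return entry

def reqmod_to_scim_patch(entry):
    """Build a SCIM 2.0 PatchOp (RFC 7644) from an auditModify record; None if not applicable."""
    # Only provision what the directory committed: reqResult 0 is LDAP success.
    if entry.get("reqType") != ["modify"] or entry.get("reqResult") != ["0"]:
        return None
    ops = []
    for mod in entry.get("reqMod", []):
        attr, _, rest = mod.partition(":")
        op_char, _, value = rest.partition(" ")
        if op_char not in REQMOD_TO_SCIM:
            raise ValueError("unsupported reqMod operator %r in %r" % (op_char, mod))
        op = {"op": REQMOD_TO_SCIM[op_char], "path": ATTR_MAP.get(attr, attr)}
        if op["op"] != "remove":
            op["value"] = value
        ops.append(op)
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": ops}

if __name__ == "__main__":
    print(json.dumps(reqmod_to_scim_patch(parse_accesslog(SAMPLE_ACCESSLOG_ENTRY)), indent=2))
```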

About the speaker

Peter Gietz

LDAP geek interested in open source identity management and founder/CEO of DAASI International GmbH
