ldap-scim-bridge: See README for synopsis

ldap-scim-bridge

intro

This is a small command line tool to pull data from an LDAP server and push it to a SCIM peer. It is currently used in production togethre with wire-server, but is designed as a more general tool.

It supports fields externalId, userName, displayName, emails, in the User schema. It may not support any other fields, and it does not support scim Groups.

If you extend this to other fields, groups, or other use cases and setups, we would highly appreciate pull requests, tickets, or emails (no matter how half-baked).

There is a yaml config file that describes both how to reach the LDAP server (including the desired directory object(s)) and the SCIM peer, how to map attributes between the two worlds, and anything else that's needed like log level.

Every communication is logged to stdout. When called without arguments, the tool will print out usage info:

*** Exception: bad number of arguments: []

usage: ldap-scim-bridge <config.yaml>
see https://github.com/wireapp/ldap-scim-bridge for a sample config.

See ldif for a few sample user records to play with. A working example can be found in ./examples/wire-server.

use via docker

If you have gotten here as a wire-server administrator and want to use this to populate your teams, you can use the docker image we're building from this repo (append version with : if you want to pin it):

docker pull quay.io/wire/ldap-scim-bridge

You need to create a config file that contains your setup. If in doubt, you can start with this example, or this one. Name the file config.yaml and place it into /config-path. Let's say you want to work on release 0.5. (You can check if there is a :latest, but at the time of writing this paragraph, we still have to add that.)

docker run -it --network=host \
  --mount type=bind,src=/config-path,target=/mnt \
  quay.io/wire/ldap-scim-bridge \
  ldap-scim-bridge /mnt/config.yaml

This should work fine for Windows if you make sure the file path under src points to the right place. You may need to you \ instead of /.

The connection to wire is not encrypted. This tool is made for running inside the trusted network the backend is running in. If you need to protect this connection you can use an off-the-shelf tls tunnel or vpn solution.

The connection to the LDAP source is TLS-encrypted. If you need to add trusted certificates to the store in /etc/ssl/certs/, you can just mount it:

docker run -it --network=host \
  --mount type=bind,src=/config-path,target=/mnt \
  --mount type=bind,src=/etc/ssl/certs,target=/etc/ssl/certs \
  quay.io/wire/ldap-scim-bridge \
  ldap-scim-bridge /mnt/config.yaml

future work

See https://github.com/wireapp/ldap-scim-bridge/issues

further reading

• [https://devconnected.com/how-to-setup-openldap-server-on-debian-10/](https://devconnected.com/how-to-setup-openldap-server-on-debian-10/)
• [https://www.lepide.com/how-to/restore-deleted-objects-in-active-directory.html](https://www.lepide.com/how-to/restore-deleted-objects-in-active-directory.html)