ConnId Improvements in Galileo

Development of midPoint 3.9 “Galileo” is already in full swing, and the first improvements are nearing completion. There is an interesting group of improvements that are all related to the ConnId connector framework.

The ConnId connector framework is the workhorse of provisioning in midPoint. It is the framework that midPoint uses to manage identity connectors: every operation that pulls data from a source system or changes anything on a target system goes through ConnId. Therefore, ConnId is one of the crucial midPoint components. However, the framework has quite an interesting history. The open source project to create an identity connector framework was originally started by Sun Microsystems – only to be abandoned a few years later. The code was then adopted by several independent groups; it diverged, converged and slightly diverged again. But now there is a solid open source project to maintain the code. The project name is ConnId, and the recent improvements are proof that this project is alive and well.

The original Identity Connector Framework was quite limited, but it has been improved over the years by several developers from independent companies. This is an advantage of open source. And of course, Evolveum has one of the most active development groups participating in ConnId development. There are many improvements that we have introduced over the years: subtype support to enable automatic use of matching rules, the delta update operation for advanced connectors, diagnostic improvements, password management improvements, flexibility improvements and so on. The latest batch of ConnId improvements landed in the master branch during the development of midPoint 3.9.

One of the important improvements to the ConnId framework is the introduction of a native type for date/time data (timestamps). It may seem almost unbelievable that an identity connector framework could survive without native timestamp support for such a long time, but it is finally there. Connectors may now declare that a particular attribute is a timestamp, and midPoint will immediately recognize that and render the appropriate input field in the user interface. This improvement can save a lot of hacking with numeric or string-based date formats, which were often a very painful issue during IDM deployments. This is also followed by changes in our LDAP and Active Directory connectors: new versions of those connectors will support native timestamps out of the box.

Speaking of deployment pain, there was another hardly believable “feature” of the identity connector design: it was very difficult to distinguish individual connector instances in the framework. All instances of the same connector were shown as being the same. Therefore, if you had 10 LDAP servers or 100 Linux boxes, it was very difficult to tell apart operations on a particular server in the midPoint log files. All of them were classified only by connector type, e.g. as “LDAP” or “Unix”. Now there is a small improvement that makes diagnostics easier: the connector instance name is part of the log messages:

2018-06-25 09:52:32,598 TRACE (o.i.framework.spi.operations.SearchOp): method: executeQuery msg:instance='LDAP server ldap.example.com' Enter: executeQuery(ObjectClass: inetOrgPerson …..)
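The instance name only pays off if you actually use it when reading logs. The following script, added here as an illustration and not part of midPoint or ConnId, parses ConnId trace lines in the format shown above, groups operations per connector instance and per method, and still accepts lines that carry no instance= field (the pre-3.9 format). The sample log lines are constructed for this example; the logger names and host names in them are made up.

```python
"""Group ConnId trace messages by connector instance name.

Added example, not midPoint/ConnId code. The line format follows the trace
line quoted in the post ("msg:instance='...' Enter: ..."); the sample lines
below are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# One ConnId trace line: timestamp, level, logger, SPI method and message.
# The instance='...' prefix is optional so that older lines still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \((?P<logger>[^)]+)\): "
    r"method: (?P<method>\S+) "
    r"msg:(?:instance='(?P<instance>[^']*)' )?(?P<msg>.*)$"
)

NO_INSTANCE = "<no instance name>"

# Constructed sample: two named LDAP instances plus one old-style line.
SAMPLE_LOG = """\
2018-06-25 09:52:32,598 TRACE (o.i.framework.spi.operations.SearchOp): method: executeQuery msg:instance='LDAP server ldap.example.com' Enter: executeQuery(ObjectClass: inetOrgPerson)
2018-06-25 09:52:32,611 TRACE (o.i.framework.spi.operations.SearchOp): method: executeQuery msg:instance='LDAP server ldap.example.com' Return: null
2018-06-25 09:52:33,002 TRACE (o.i.framework.spi.operations.SearchOp): method: executeQuery msg:instance='LDAP server ldap2.example.com' Enter: executeQuery(ObjectClass: inetOrgPerson)
2018-06-25 09:52:33,140 TRACE (o.i.framework.spi.operations.UpdateDeltaOp): method: updateDelta msg:instance='LDAP server ldap2.example.com' Enter: updateDelta(ObjectClass: inetOrgPerson)
2018-06-25 09:52:33,150 TRACE (o.i.framework.spi.operations.SearchOp): method: executeQuery msg:Enter: executeQuery(ObjectClass: inetOrgPerson)
this line is not a ConnId trace message at all
"""


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a ConnId trace line."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    # Lines without an instance name are kept, but grouped under a marker
    # so that their ambiguity stays visible in the summary.
    record["instance"] = record["instance"] or NO_INSTANCE
    return record


def operations_by_instance(log_text):
    """Map each connector instance to a Counter of SPI methods seen for it."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is not None:
            summary[record["instance"]][record["method"]] += 1
    return dict(summary)


def lines_for_instance(log_text, instance):
    """Filter the log down to the lines belonging to one connector instance."""
    selected = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is not None and record["instance"] == instance:
            selected.append(line)
    return selected


if __name__ == "__main__":
    for instance, methods in sorted(operations_by_instance(SAMPLE_LOG).items()):
        print(instance)
        for method, count in methods.most_common():
            print(f"    {method}: {count}")
```

Running the script prints a per-instance breakdown; the line without an instance name ends up under the "<no instance name>" bucket, which is exactly the ambiguity the 3.9 change removes.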

This is a small improvement, but it has the potential to save a huge amount of time during IDM deployment and operation. And that is exactly the goal of midPoint development from the very beginning: to make IDM deployment efficient and practical.

There is also a bunch of smaller improvements to ConnId and to the midPoint code that integrates with the ConnId framework. For example, the “delta update” operation that we added to ConnId some time ago is now fully supported by midPoint. This makes some connectors (such as LDAP) more efficient and reliable, but for some connectors it is a necessary condition to work at all – and that was the primary motivation to implement it. Simply speaking, midPoint 3.9 will support the full range of improved ConnId functionality. This will also be followed by connector improvements in the near future.

The ConnId identity connector framework project is undoubtedly a success of cooperation. ConnId is perhaps the only open multi-vendor identity connector framework in existence. That would not be possible without the power of open source. And we at Evolveum try to participate in the framework development as much as we can.
