Wiki Spaces


Get Help from Others

Q&A: Ask OpenMRS
Discussion: OpenMRS Talk »
Real-Time: IRC Chat


Page tree
Skip to end of metadata
Go to start of metadata


Conversation about "OpenMRS ID" refers to two major components:

  • OpenMRS ID Dashboard—the web application that facilitates creation of new OpenMRS IDs, profile editing, and authentication for other community applications
  • OpenLDAP—the server and that stores all OpenMRS ID data, syncs it to other services (like Crowd), and provides a protocol for accessing and manipulating the user data.

While data on users exist in some other places, the user data represented in OpenLDAP is the master record. All other OpenMRS ID-backed services, through some manner or another, must sync their user data with those data in OpenLDAP.

The collective "OpenMRS ID" refers to this system of user management used by the OpenMRS community. An individual user in the system (a person with a username and password) is said to have a single "OpenMRS ID".

LDAP Objects

Entries are objects that make up the entirety of the LDAP database. Each entry has a position in the hierarchy of objects, and contains a set of attributes that hold the information represented by that object. For example user entries have attributes such as first name, username, and email address, and are children of an "organizational unit" object for users. Entries are identified by their DN (Distinguished name), which is a combination of an attribute from that entry (called the RDN), and the parent entry's DN.

For more information, read the Directory Structure section from Wikipedia's LDAP article.



The diagram below visualizes the hierarchy formed by all OpenMRS ID LDAP entries. Remember that all nodes in the diagram are LDAP entries—each entry is simply the child of another (excluding the top-level root entry, which all other entries descend from).

LDAP Hierarchy

Access and Modification

The LDAP protocol specifies operations that can be performed on entries in the system. Example operations include 'add', 'delete', and 'modify'. Operations like 'add' and 'modify' are sent along with a list of attributes that are used to construct or change an entry in the system. 

In the OpenMRS Community, direct access to the LDAP server is restricted. Only a few applications—namely, the ID Dashboard and Atlassian Crowd—are able to read the database and modify entries. These applications identify themselves to the LDAP server by authenticating as a system account. Because most other applications (JIRA, Confluence, Discourse, etc.) get user data from Crowd or the Dashboard, there's no need to expose the LDAP server to them.

  • No labels


  1. Robby O'Connor, could you update this page to reflect the role of mongodb in the ID architecture?

      1. Robby O'Connor did you remember to update this page as Burke Mamlin suggested above? (smile)