Appendix C Using Active Directory as the User Data Store
This appendix describes how to use Microsoft Active Directory as the
user data store for Access Manager 7.1. First review the Overview of Using Active Directory as the User Data Store and check
the Requirements to Use Active Directory as the User Data Store. Then follow the steps in these sections:
Overview of Using Active Directory as the User Data Store
By default, Access Manager 7.1 defines a set of object classes and attributes.
These object classes and attributes are required in your Active Directory
server if you want Access Manager to manage your Active Directory server.
The Access Manager Console provides user management functionality based
on the Access Manager's predefined set of object classes and attributes, as
specified through the Access Manager XML files. If the Active Directory server
you are trying to access does not have these required object classes or the
attributes defined, access involving the missing object class or attributes
will fail, unless you change the user XML files to match the attributes defined
for your Active Directory server.
For example, when you create a user via the Access Manager Console,
the Console writes out to the Active Directory server the predefined set of
Access Manager object classes and attributes for the user. If the Active Directory
server is not configured with the same set of user object classes and attributes,
the user create operation will fail. When you use the Console's user information
page to edit a user's information, unless the Active Directory server has
the same set of attributes and/or object classes defined for the user as Access
Manager does, the operation will fail.
The Access Manager 7.1 Identity Repository (IdRepo) LDAPv3 plug-in provides
attribute name mapping. You can refer to an attribute name as one name in
Access Manager and a different name in your Active Directory server. As a
result, you need not have all Access Manager attributes defined in Active
Directory if you use attribute name mapping. However, if Access Manager has
more attributes than you have in your Active Directory server, you cannot
do one-to-one mapping, and some Access Manager read or write operations will
fail due to missing attributes in the Active Directory server.
Requirements to Use Active Directory as the User Data Store
To use Active Directory as the user data store, your deployment must
meet these requirements:
Configuring Active Directory With Access Manager Schema Files
The Access Manager 7.1 Identity Repository (IdRepo) LDAPv3 plug-in must
be able to assign the service's object class name to the user's object class
attribute, so it can tell if a user has been assigned a given service. The
following procedure describes how to load the Access Manager schema files
into Active Directory and then to configure Access Manager to enable the Access
Manager services.
To Configure Active Directory with Access Manager Schema Files
- Make sure that Active Directory has “Windows Server 2003 forest functional level” enabled.
- Edit the am_remote_ad_schema.ldif file by replacing @ROOT_SUFFIX@ with the actual root suffix of your Active Directory installation.
  After you have installed Access Manager 7.1 patch 1, this file is available in the following directory, depending on your platform:
  - Solaris systems: /etc/opt/SUNWam/config/ldif
  - Linux systems: /etc/opt/sun/identity/config/ldif
  - Windows systems: C:\Program Files\Sun\JavaES5\identity\config\ldif
- Using Active Directory tools (or another tool of your choice), load the am_remote_ad_schema.ldif file from the previous step into Active Directory.
- In the Access Manager Administration Console:
  - Under Attribute Name Mapping, remove iplanet-am-user-alias-list=objectGUID and portalAddress=sAMAccountName.
  - In the datastore configuration page's LDAP User Attributes field, add the attribute names defined in the LDIF file you loaded above.
- If you are writing your own service with dynamic user attributes, the service.ldif file for Active Directory must NOT have the following lines:

      dn: CN=User,CN=Schema,CN=Configuration,ROOT_SUFFIX
      changetype: modify
      add: auxiliaryClass
      auxiliaryClass: yourClassname

  Otherwise, Access Manager will not be able to assign the service's object class name to the user's object class attribute.
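The @ROOT_SUFFIX@ substitution from the second step and a check for the auxiliaryClass lines the last step forbids, as an added example that is not part of this appendix or of Access Manager; the LDIF it parses is a constructed sample shaped like the lines quoted above, not the real am_remote_ad_schema.ldif.

```python
"""Added example (not Access Manager's own code): fill in @ROOT_SUFFIX@ in a schema
LDIF for Active Directory, then flag records that add an auxiliaryClass to the AD
User schema object, which a service LDIF for AD must not do. SAMPLE_LDIF is constructed."""
import re

# DN prefix of the AD User class schema object; the root suffix follows it.
USER_SCHEMA_DN = re.compile(r"^CN=User,CN=Schema,CN=Configuration,", re.IGNORECASE)

def substitute_root_suffix(ldif_text, root_suffix):
    """Replace the @ROOT_SUFFIX@ placeholder with the installation's root suffix."""
    return ldif_text.replace("@ROOT_SUFFIX@", root_suffix)

def parse_ldif_records(ldif_text):
    """Split LDIF into records, each a list of (attribute, value) pairs.
    Folded lines (leading space) are rejoined, comments dropped, '::' not decoded."""
    records, current = [], []
    for line in ldif_text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current:       # continuation line
            attr, value = current[-1]
            current[-1] = (attr, value + line[1:])
        elif line.strip() == "":                    # record separator
            if current:
                records.append(current)
                current = []
        else:
            attr, _, value = line.partition(":")
            current.append((attr.strip(), value.strip()))
    return records

def find_user_auxiliary_class_mods(ldif_text):
    """Return auxiliaryClass names that some record tries to add to CN=User."""
    offending = []
    for rec in parse_ldif_records(ldif_text):
        dn = next((v for a, v in rec if a.lower() == "dn"), "")
        if not USER_SCHEMA_DN.match(dn):
            continue
        if any(a.lower() == "add" and v.lower() == "auxiliaryclass" for a, v in rec):
            offending += [v for a, v in rec if a.lower() == "auxiliaryclass"]
    return offending

# Constructed sample: the modification this appendix says must not be present.
SAMPLE_LDIF = """\
dn: CN=User,CN=Schema,CN=Configuration,@ROOT_SUFFIX@
changetype: modify
add: auxiliaryClass
auxiliaryClass: myServiceClass
"""
```

Run find_user_auxiliary_class_mods over the prepared file before loading it; an empty result means no record extends CN=User with an auxiliary class.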
Configuring an Access Manager Identity Repository LDAPv3 Data Store For Active Directory
Using an example, this section shows how you can configure an Access Manager 7.1 Identity Repository (IdRepo) LDAPv3 data store to point to a freshly installed Active Directory, including:
Configuration Example
The following configuration example assumes:
- You have a freshly installed Active Directory.
- You have not made any changes to the Access Manager 7.1 patch 1 schema, attributes, or XML files.
Note – This section shows an example. Some additional modifications might be required for your actual environment.
In the Access Manager Administration Console, set the following Active
Directory attributes. For information about an attribute, refer to the Console
online Help.
Primary LDAP Server: Active Directory
server name and port number that you want to connect to. For example: myADServer.example.com:389
LDAP Bind DN: CN=Administrator,CN=Users,DC=example,DC=com
LDAP Bind Password: Password for CN=Administrator,CN=Users,DC=example,dc=com
LDAP Organization DN: DC=example,DC=com — Organization DN that this datastore
will map to. This will be the base DN of all operations
performed in this data store.
Enable LDAP SSL: Select if the Active
Directory server is in SSL mode.
LDAP Connection Pool Minimum Size:
Initial number of connections in the connection pool. The use of connection
pool avoids having to create a new connection each time.
LDAP Connection Pool Maximum Size:
Maximum number of connections allowed.
Maximum Results Returned from Search:
Maximum number of search results to return. This value should be based on
the size of your LDAP organization. The maximum number returned cannot exceed
the ns size limit configured for the Active Directory server.
Search Timeout: Maximum time in seconds
to wait for results on a search operation.
LDAP Follows Referral: Option specifying
whether or not referrals to other LDAP servers are followed automatically.
LDAPv3 Repository Plugin Class Name:
Where to find the class file that implements the LDAPv3 repository.
Attribute Name Mapping: Allows for
common attributes known to the framework to be mapped to the native data store.
Map the attributes as follows:
- mail=userPrincipalName
- iplanet-am-user-alias-list=objectGUID
- employeeNumber=distinguishedName
- uid=sAMAccountName
- portalAddress=sAMAccountName
- telephonenumber=displayName
LDAPv3 Plugin Supported Types and Operations:
No change is needed.
LDAP Users Search Attribute: cn — Naming attribute of user.
LDAP Users Search Filter: (objectclass=person)
LDAP User Object Class: Object classes
for user. When a user is created, this list of user object classes will be
added to the user's attributes list. Therefore, it is important that the object
classes you entered here actually exist in the Active Directory server; otherwise,
you will get an object class violation (error=65).
Enter the following object classes (names are not case sensitive):
- top
- person
- organizationalPerson
- user
LDAP User Attributes: Definitive
list of attributes associated with a user. If an attribute is not on this
list, it will not be sent or read. Therefore, if there is any possibility
that the user entry can contain this attribute, you should list it here. Or,
if the attribute is not defined in the Active Directory server, you should
not enter it here; otherwise, you will get an error when Access Manager tries
to write this attribute to Active Directory. Enter the following attributes
(names are not case sensitive):
- cn, description, displayName, distinguishedName, dn, employeeNumber, givenName, mail, manager, memberOf, name, objectClass, objectGUID, postalAddress, sAMAccountName, sAMAccountType, sn, streetAddress, telephoneNumber, userAccountControl, userpassword, userPrincipalname
- iplanet-am-auth-configuration, iplanet-am-auth-login-success-url, iplanet-am-auth-login-failure-url, iplanet-am-auth-post-login-process-class
- iplanet-am-session-add-session-listener-on-all-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-destroy-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status
- iplanet-am-user-auth-modules, iplanet-am-user-login-status, iplanet-am-user-admin-start-dn, iplanet-am-user-auth-config, iplanet-am-user-alias-list, iplanet-am-user-success-url, iplanet-am-user-failure-url, iplanet-am-user-password-reset-options
- iplanet-am-user-password-reset-question-answer, iplanet-am-user-password-reset-force-reset, sunIdentityServerDiscoEntries, iplanet-am-user-federation-info-key, iplanet-am-user-federation-info, sunIdentityMSISDNNumber
- iplanet-am-user-admin-start-dn, iplanet-am-user-account-life, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-failure-url, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url
- sunAMAuthInvalidAttemptsData
- sunIdentityServerDeviceKeyValue, sunIdentityServerDeviceStatus, sunIdentityServerDeviceType, sunIdentityServerDeviceVersion, sunxmlkeyvalue
- sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPSignKey, sunIdentityServerPPDemographicsBirthday, sunIdentityServerPPCommonNameFN, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPCommonNameMN, sunIdentityServerPPLegalIdentityAltIDType, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPAddressCard, sunIdentityServerPPLegalIdentityAltIDValue, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityVATIDValue, sunIdentityServerPPEncryptKey, sunIdentityServerPPMsgContact, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPCommonNamePT, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityVATIDType, sunIdentityServerPPDemographicsAge, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEmergencyContact, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeGreetMeSound, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameSN, sunIdentityServerPPInformalName, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPEmploymentIdentityAltO
User Status Attribute: userAccountControl — Attribute to check to determine if a user is active or
inactive. When a user is created, the default user's active or inactive status
is assigned based on the value in this field:
LDAP Groups Search Attribute: cn — Naming attribute of a group. This attribute name will be
used to construct the group's dn and search filter.
LDAP Groups Search Filter: (objectclass=group) — Filter employed when doing a search for groups. The LDAP
Groups Search Attribute will be prepended to this field to form the actual
group search filter.
LDAP Groups Container Naming Attribute: cn — Naming attribute for a group container if groups reside in a container; otherwise, leave it blank.
LDAP Groups Container Value: users — Value for the group container.
LDAP Groups Object Class: objectclasses for group. When a group is created, this list of group object classes
will be added to the group's attributes list. Enter the following object classes
(names are not case sensitive):
LDAP Groups Attributes: Definitive
list of attributes associated with a group. Any attempt to read or write group
attributes that are not on this list is not allowed. Therefore, you should
enter all possible attributes. Enter the following attributes (names are not
case sensitive):
- objectClass
- sAMAccountName
- distinguishedName
- member
- objectCategory
- dn
- cn
- sAMAccountType
- name
Attribute Name for Group Membership: memberOf — Name of the attribute whose values are the names
of all the groups that this dn belongs to.
Attribute Name of Unique Member: member — Attribute name whose value is a dn belonging
to this group.
Attribute Name of Group Member URL: memberUrl — Name of the attribute whose value is an LDAP URL
that resolves to members belonging to this group.
LDAP People Container Naming Attribute: cn — Naming attribute of people container if user resides
in a people container.
LDAP People Container Value: users
LDAP Agents Search Attribute: cn — Naming attribute of an agent. This attribute name will
be used to construct the agent's dn and search filter.
LDAP Agents Container Naming Attribute: cn — Naming attribute of agent container if agent resides
in an agent container.
LDAP Agents Container Value: users — Value of the agent container.
LDAP Agents Search Filter: (objectClass=sunIdentityServerDevice)— Filter employed when searching for an agent.
LDAP Agents Object Class: Object classes for agents. When an agent is created, this list of object classes will be added to the agent's attributes list. Enter the following object classes (names are not case sensitive):
- person
- organizationalPerson
- sunIdentityServerDevice
- top
LDAP Agents Attributes: Definitive list of attributes associated with an agent. Any attempt to read or write agent attributes that are not on this list is not allowed. Enter the following attributes (names are not case sensitive):
- cn
- dn
- name
- objectClass
- userPassword
- sunIdentityServerDeviceVersion
- sunIdentityServerDeviceType
- sunIdentityServerDeviceKeyValue
- sunIdentityServerDeviceStatus
- sunxmlkeyvalue
- description
Persistent Search Base DN: DC=example,DC=com — Base DN to use for a persistent search.
For Active Directory, this needs to be the root suffix.
Persistent Search Maximum Idle Time Before Restart:
Restart the persistence search if it has been idle for this maximum allowed
time. Default value is OK.
Maximum Number of Retries After Error Codes:
Number of times to retry the persistent search operation if it encounters
the error codes specified in LDAP Exception Error Codes to Retry On. Default
value is OK.
Delay Time Between Retries: Time
to wait before each retry. Applies only to a persistent search connection.
Default value is OK.
LDAP Exception Error Codes to Retry On:
Retry the persistent search operations if these errors are encountered.
Default value is OK.
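As an added example that is not Access Manager's code, the following model reproduces three rules stated for this data store: Attribute Name Mapping, the definitive LDAP User Attributes list (anything outside it is neither sent nor read), and the naming attribute being prepended to the groups search filter. The attribute subset and the inputs are constructed, and the RFC 4515 filter escaping is an addition this appendix does not describe.

```python
"""Added example (not Access Manager code): a small model of how the IdRepo
LDAPv3 data store settings in this section shape what reaches Active Directory.
Framework attribute names go through Attribute Name Mapping, anything outside
the definitive LDAP User Attributes list is neither read nor written, and the
naming attribute is prepended to the configured search filter."""

# Attribute Name Mapping exactly as listed in this section.
ATTRIBUTE_NAME_MAPPING = {
    "mail": "userPrincipalName",
    "iplanet-am-user-alias-list": "objectGUID",
    "employeeNumber": "distinguishedName",
    "uid": "sAMAccountName",
    "portalAddress": "sAMAccountName",
    "telephonenumber": "displayName",
}

# A constructed subset of the LDAP User Attributes list (names are not case sensitive).
LDAP_USER_ATTRIBUTES = {
    "cn", "displayName", "distinguishedName", "givenName", "mail", "objectGUID",
    "sAMAccountName", "sn", "userAccountControl", "userPrincipalName",
}
_ALLOWED = {a.lower(): a for a in LDAP_USER_ATTRIBUTES}

def to_native_attributes(framework_attrs):
    """Translate framework names to native AD names and keep only the ones the
    definitive list allows. Returns (native_attrs, dropped_framework_names)."""
    native, dropped = {}, []
    for name, value in framework_attrs.items():
        mapped = ATTRIBUTE_NAME_MAPPING.get(name, name)
        canonical = _ALLOWED.get(mapped.lower())
        if canonical is None:
            dropped.append(name)        # would not be sent to or read from AD
        else:
            native[canonical] = value
    return native, dropped

def escape_filter_value(value):
    """RFC 4515 escaping so a naming value cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def build_search_filter(search_attr, value, base_filter):
    """Prepend the naming attribute to the configured filter, as the data store
    does for LDAP Groups Search Attribute + LDAP Groups Search Filter."""
    return f"(&({search_attr}={escape_filter_value(value)}){base_filter})"
```

The dropped list is the practical check behind the Operational Notes: an attribute such as inetUserStatus that is absent from the definitive list (or from Active Directory itself) can never be updated through the Console.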
Operational Notes
The above configuration will allow you to list users and groups. It
will also allow you to perform some basic user profile operations. You should
be able to change the following user profile information in the Access Manager
Console:
However, you cannot do the following operations because of missing attributes
or object classes:
- Cannot create firstname, lastname, fullname.
- Cannot create a group.
- Cannot change the user authentication (iplanet-am-user-auth-config). No attribute exists.
- Cannot change the user status (inetUserStatus). No attribute exists.
- Cannot change the success URL (iplanet-am-user-success-url). No attribute exists.
- Cannot change the failure URL (iplanet-am-user-failure-url). No attribute exists.
- Cannot change the MSISDN number (sunIdentityMSISDNNumber). No attribute exists.
- Cannot create a user or agent in Access Manager Console. The user must be created in Active Directory.
- Cannot change the user or agent password. This change must be done in Active Directory.
Configuring an Authentication Module to Log In Through Active Directory
To Configure an Authentication Module to Log In Through Active Directory
- In the Access Manager 7.1 Administration Console, click the realm for which you want to add the new authentication chain.
- Click the Authentication tab.
- Create a new module instance with the following data:
  - Primary Active Directory server: ADServer:ADServerPort
  - DN to Start User Search: dc=example,dc=com
  - DN for Root User Bind: cn=Administrator,cn=users,dc=RootUser,dc=com
  - Password for Root User Bind: AdministratorPassword
  - Attribute Used to Retrieve User Profile: sAMAccountName
  - Attributes Used to Search for a User to be Authenticated: sAMAccountName
  - Search Scope: SUBTREE
- Create a new Authentication chaining instance:
  - Add a new instance for the authentication instance created in the previous step.
  - Set the criteria to Sufficient.
- Change Default Authentication Chain to the new authentication chain you just created.
- Click Save.
Next Steps
To log in using Active Directory for authentication, specify the following URL:
http://YourAccessManagerServer:port/amserver/UI/login?org=YourRealmName