Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Overview of Using Active Directory as the User Data Store

By default, OpenSSO Enterprise defines a set of object classes and attributes. These object classes and attributes are required in your Active Directory server if you want OpenSSO Enterprise to manage your Active Directory server.

The OpenSSO Console provides user management functionality based on the OpenSSO Enterprise predefined set of object classes and attributes, as specified in the OpenSSO Enterprise XML files. If the Active Directory server you are trying to access does not define these required object classes or attributes, any access that involves a missing object class or attribute will fail, unless you change the user XML files to match the attributes that are defined for your Active Directory server.

For example, when you create a user via the OpenSSO Console, the Console writes the predefined set of OpenSSO Enterprise object classes and attributes for that user to the Active Directory server. If the Active Directory server is not configured with the same set of user object classes and attributes, the user create operation will fail. Likewise, when you use the Console's user information page to edit a user's information, the operation will fail unless the Active Directory server defines the same set of attributes and object classes for the user as OpenSSO Enterprise does.

The Access Manager Identity Repository (IdRepo) LDAPv3 plug-in provides attribute name mapping: an attribute can be referred to by one name in OpenSSO Enterprise and by a different name in your Active Directory server. As a result, if you use attribute name mapping you do not need every OpenSSO Enterprise attribute to be defined under its own name in Active Directory. However, if OpenSSO Enterprise has more attributes than your Active Directory server, you cannot map them one-to-one, and some OpenSSO Enterprise read or write operations will fail because of attributes that are missing from the Active Directory server.
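The following pre-flight check is an added example, not code from the guide or from OpenSSO itself. It models the name-mapping rule described above: each OpenSSO attribute is looked up in Active Directory under its mapped name (or its own name when unmapped), and any Console operation that reads or writes an attribute with no Active Directory counterpart is reported as one that will fail. The attribute lists, the mapping and the operation table are constructed sample data, not the product's actual schema or configuration.

```python
"""Check whether an Active Directory schema covers the attributes that
OpenSSO Enterprise expects, after applying an attribute name mapping."""
from dataclasses import dataclass, field


@dataclass
class MappingReport:
    resolved: dict = field(default_factory=dict)  # OpenSSO name -> AD name that exists
    missing: list = field(default_factory=list)   # OpenSSO names with no AD counterpart


def resolve_attribute(name, mapping, ad_attributes):
    """Return the AD attribute that backs an OpenSSO attribute, or None.
    The mapping is consulted first; an unmapped name must exist in AD as-is.
    LDAP attribute names are case-insensitive, so compare in lower case."""
    target = mapping.get(name, name)
    by_lower = {attr.lower(): attr for attr in ad_attributes}
    return by_lower.get(target.lower())


def check_mapping(opensso_attributes, mapping, ad_attributes):
    """Split the OpenSSO attribute set into resolved and missing attributes."""
    report = MappingReport()
    for name in opensso_attributes:
        ad_name = resolve_attribute(name, mapping, ad_attributes)
        if ad_name is None:
            report.missing.append(name)
        else:
            report.resolved[name] = ad_name
    return report


def operations_that_fail(report, operations):
    """List operations that touch at least one attribute AD does not provide."""
    missing = set(report.missing)
    return sorted(op for op, attrs in operations.items() if missing & set(attrs))


# Constructed sample data (assumptions for this example, not real product schema).
OPENSSO_USER_ATTRIBUTES = ["uid", "cn", "sn", "givenName", "mail",
                           "inetUserStatus", "userPassword"]
ATTRIBUTE_MAPPING = {"uid": "sAMAccountName", "userPassword": "unicodePwd"}
AD_SCHEMA_ATTRIBUTES = ["cn", "sn", "givenName", "mail", "sAMAccountName",
                        "unicodePwd", "userAccountControl"]
CONSOLE_OPERATIONS = {
    "create user": OPENSSO_USER_ATTRIBUTES,                # writes every attribute
    "edit user": ["cn", "sn", "mail", "inetUserStatus"],   # writes the profile page
    "search by login": ["uid", "cn"],                      # reads only mapped names
}

if __name__ == "__main__":
    rep = check_mapping(OPENSSO_USER_ATTRIBUTES, ATTRIBUTE_MAPPING, AD_SCHEMA_ATTRIBUTES)
    print("missing:", rep.missing)
    print("will fail:", operations_that_fail(rep, CONSOLE_OPERATIONS))
```

With the sample data, `inetUserStatus` has no mapping and no Active Directory attribute of that name, so user create and edit are reported as failing while the login search, which only uses mapped names, is not.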