Sun OpenSSO Enterprise 8.0 Administration Guide

Configuring Multiple LDAP Authentication Modules (Legacy Mode)

As a form of failover or to configure multiple values for an attribute when the OpenSSO Enterprise console only provides one value field, an administrator can define multiple LDAP authentication module configurations under one realm. Although these additional configurations are not visible from the console, they work in conjunction with the primary configuration if an initial search for the requesting user’s authorization is not found. For example, one realm can define a search through LDAP servers for authentication in two different domains or it can configure multiple user naming attributes in one domain. For the latter, which has only one text field in the console, if a user is not found using the primary search criteria, the LDAP module will then search using the second scope. Following are the steps to configure additional LDAP configurations.

ProcedureTo Configure Multiple LDAP Authentication Modules

Any additional LDAP authentication module configurations created using this procedure can not be seen or modified using the OpenSSO Enterprise console.

  1. Write an XML file including the complete set of attributes and new values needed for a second (or third) LDAP authentication configuration.

    The available LDAP authentication module attributes are in the amAuthLDAP.xml file. Any or all of these attributes can be used for the additional LDAP configurations defined in this step. Following is an example of a sub-configuration file that includes values for all attributes available to the LDAP authentication configuration.


    >
    <!--
      Before adding subConfiguration load the schema with
    GlobalConfiguration defined and replace corresponding
     serviceName and subConfigID in this sample file OR load
     serviceConfigurationRequests.xml before loading this sample
    -->
    <Requests>
    <realmRequests DN="dc=iplanet,dc=com">
        <AddSubConfiguration subConfigName = "ssc"
            subConfigId = "serverconfig"
            priority = "0" serviceName="iPlanetAMAuthLDAPService">
                  <AttributeValuePair>
                <Attribute name="iplanet-am-auth-ldap-server"/>
                <Value>vbrao.red.iplanet.com:389</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-ldap-base-dn"/>
                <Value>dc=iplanet,dc=com</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="planet-am-auth-ldap-bind-dn"/>
                <Value>cn=amldapuser,ou=DSAME Users,dc=iplanet,dc=com</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-ldap-bind-passwd"/>
                <Value>plain text password</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-ldap-user-naming-attribute"/>
                <Value>uid</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-ldap-user-search-attributes"/>
                <Value>uid</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-ldap-search-scope"/>
                <Value>SUBTREE</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-ldap-ssl-enabled"/>
                <Value>false</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-ldap-return-user-dn"/>
                <Value>true</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-ldap-auth-level"/>
                <Value>0</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-ldap-server-check"/>
                <Value>15</Value>
            </AttributeValuePair>
        </AddSubConfiguration>
    </realmRequests>
    </Requests>
                   
  2. Load the XML file using the ssoadm command line tool.