The following attributes are used to configure an LDAPv3 repository plug-in:
Enter the name of the LDAP server to which OpenSSO will connect, in the format host.domain:portnumber. If more than one entry is entered, OpenSSO attempts to connect to the first host in the list; the next entry in the list is tried only if the attempt to connect to the current host fails.
Optionally, a server identifier and a site identifier can be appended to the value of the LDAP Server attribute for redundancy. In this case, the format is host.domain:portnumber|serverID|siteID. These identifiers are assigned to the server when it is configured globally.
serverID designates a particular server as the primary LDAP server and the others as secondary and tertiary (as defined) fallback servers. (If no number is specified, the LDAP server is primary.) The identifier is displayed in the OpenSSO console. To find it:
Click the Configuration tab, click the Servers and Sites tab.
Click the appropriate Server Name.
Under the Advanced tab, see the value of the com.iplanet.am.lbcookie.value property — for example, 01.
siteID is not currently displayed in the OpenSSO console. It is a two-digit number generated internally by OpenSSO, for example 02. To find this value, use an LDAP browser to locate ou=accesspoint,ou=site_name,ou=com-sun-identity sites,ou=default,ou=GlobalConfig,ou=iPlanetAMPlatformService,ou=services,root-suffix. Under this DN, the sunkeyvalue attribute value primary-siteid=site-id gives the site identifier.
This configuration should not be changed for the OpenSSO embedded configuration data store, as doing so may cause inconsistent behavior.
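As an added example (not OpenSSO code), the following Python parses LDAP Server attribute values in the host.domain:portnumber|serverID|siteID format described above and walks the list in the failover order the text gives: the first host is tried first and the next entry only if the current one fails. The hostnames and the stand-in connect routine are constructed for the example.

```python
"""Added example, not OpenSSO code: parse LDAP Server attribute values in the
host.domain:portnumber|serverID|siteID format and connect with the failover
order described above (first entry first, next only if the current one fails)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class LdapServerEntry:
    host: str
    port: int
    server_id: Optional[str] = None  # serverID such as "01"; None when not given
    site_id: Optional[str] = None    # siteID such as "02"; None when not given


def parse_ldap_server_entry(value: str) -> LdapServerEntry:
    """Parse one LDAP Server value.  Accepts the plain host.domain:portnumber
    form as well as the forms with |serverID and |serverID|siteID appended;
    anything else is rejected instead of yielding a half-parsed entry."""
    parts = value.strip().split("|")
    if len(parts) > 3:
        raise ValueError(f"too many '|' separated fields in {value!r}")
    host, sep, port_text = parts[0].rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError(f"expected host.domain:portnumber, got {parts[0]!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {value!r}: {port}")
    server_id = parts[1] if len(parts) > 1 and parts[1] else None
    site_id = parts[2] if len(parts) > 2 and parts[2] else None
    return LdapServerEntry(host, port, server_id, site_id)


def connect_with_failover(
    values: List[str],
    try_connect: Callable[[LdapServerEntry], object],
) -> Tuple[LdapServerEntry, object]:
    """Walk the configured list in order; return (entry, connection) for the
    first host that connects.  try_connect is the caller's connect routine and
    is expected to raise ConnectionError on failure."""
    failures = []
    for value in values:
        entry = parse_ldap_server_entry(value)
        try:
            return entry, try_connect(entry)
        except ConnectionError as exc:
            failures.append(f"{entry.host}:{entry.port} ({exc})")
    raise ConnectionError("no LDAP server reachable: " + "; ".join(failures))


# Constructed configuration and a stand-in connect routine for a stand-alone run.
SAMPLE_VALUES = [
    "ds1.example.com:389|01|02",
    "ds2.example.com:389|02|02",
    "ds3.example.com:636",
]


def fake_connect(entry: LdapServerEntry) -> str:
    """Constructed stand-in: pretend every host except ds1 is reachable."""
    if entry.host == "ds1.example.com":
        raise ConnectionError("connection refused")
    return f"connection to {entry.host}:{entry.port}"


if __name__ == "__main__":
    chosen, conn = connect_with_failover(SAMPLE_VALUES, fake_connect)
    print(f"using {chosen} -> {conn}")
```

Rejecting malformed values outright matters operationally: a value such as a bare hostname without a port should surface as a configuration error at startup rather than as a silent skip to the next server in the list.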
Specifies the DN that OpenSSO Enterprise uses to bind to the LDAP server to which you are currently connected. The bind DN should have the add, modify and delete privileges matching the operations you configured in the LDAPv3 Plugin Supported Types and Operations attribute.
Specifies the password for the DN that OpenSSO Enterprise uses to bind to the LDAP server to which you are currently connected.
Confirm the password.
The DN to which this data store repository maps. It is the base DN of all operations performed in this data store.
When enabled, OpenSSO Enterprise will connect to the primary server using the HTTPS protocol.
Specifies the initial number of connections in the connection pool. Using a connection pool avoids having to create a new connection for each operation.
Specifies the maximum number of connections allowed in the pool.
Specifies the maximum number of entries returned from a search operation. If this limit is reached, the data store returns the matching entries found up to that point.
Specifies the maximum number of seconds allocated for a search request. If this limit is reached, the data store returns the matching entries found up to that point.
If enabled, referrals to other LDAP servers are followed automatically.
Specifies the location of the class file which implements the LDAPv3 repository.
Enables common attributes known to the framework to be mapped to attributes in the native data store. For example, if the framework uses inetUserStatus to determine user status, the native data store may actually use userStatus. The attribute definitions are case-sensitive.
Specifies the identity types and the operations that can be performed on them in this LDAP server. The defaults listed below are the only operations supported by the LDAPv3 repository plug-in:
agent: read, create, edit, delete
group: read, create, edit, delete
realm: read, create, edit, delete, service
user: read, create, edit, delete, service
role: read, create, edit, delete
You can remove permissions from the above list to match your LDAP server settings and tasks, but you cannot add more permissions.
If user is a supported type for the LDAPv3 repository, the read, create, edit, delete and service operations are possible for that type. In other words, if user is a supported type, the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries in the identity repository. The user=service operation lets OpenSSO Enterprise services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.
The user is also allowed to manage the user attributes for any assigned service. If service is among the user's operations (user=service), all service-related operations are supported. These operations are assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes and modifyService.
Defines the scope to be used to find LDAPv3 plug-in entries. The scope must be one of the following:
SCOPE_BASE: searches only the base DN.
SCOPE_ONE: searches only the entries under the base DN.
SCOPE_SUB (default): searches the base DN and all entries within its subtree.
This field defines the attribute type used to search for a user. For example, if the user's DN is uid=user1,ou=people,dc=example,dc=com, specify uid in this field.
Specifies the search filter to be used to find user entries.
Specifies the object classes for a user. When a user is created, the object classes in this list are added to the user's entry.
Defines the list of attributes associated with a user. Any attempt to read or write user attributes that are not on this list is rejected. The attributes are case-sensitive. The object classes and attributes must already be defined in the LDAP server's schema before you list them here.
Specifies which attributes are required when a user is created. This attribute uses the following syntax:
DestinationAttributeName=SourceAttributeName
If the source attribute name is omitted, the default source is the user ID (uid). For example:
cn sn=givenName
Both cn and sn are required in order to create a user profile: cn gets the value of the attribute named uid, and sn gets the value of the attribute named givenName.
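As an added example (not OpenSSO code), the Python below parses the DestinationAttributeName=SourceAttributeName syntax, applying the uid default described above, and then uses the result to fill in the required attributes of a new user, refusing the create when a source attribute is absent. The sample user and the rule that an explicitly supplied destination value is kept rather than overwritten are assumptions made for the example.

```python
"""Added example, not OpenSSO code: parse the required-attributes syntax
DestinationAttributeName=SourceAttributeName (source defaults to uid) and
apply it when building the attributes of a new user entry."""
from typing import Dict, List

DEFAULT_SOURCE_ATTR = "uid"  # the default source named in the text


def parse_required_attributes(spec: str) -> Dict[str, str]:
    """'cn sn=givenName' -> {'cn': 'uid', 'sn': 'givenName'}.

    Tokens are whitespace separated; a token without '=' names a destination
    attribute whose source is uid.  Duplicate destinations are rejected."""
    mapping: Dict[str, str] = {}
    for token in spec.split():
        dest, _, source = token.partition("=")
        if not dest:
            raise ValueError(f"missing destination attribute in token {token!r}")
        if dest in mapping:
            raise ValueError(f"destination {dest!r} listed twice")
        mapping[dest] = source or DEFAULT_SOURCE_ATTR
    return mapping


def build_user_attributes(
    required: Dict[str, str], provided: Dict[str, List[str]]
) -> Dict[str, List[str]]:
    """Return the attribute set for a new user: everything the caller provided
    plus each required destination filled from its source attribute.  If any
    source is absent or empty the create is refused as a whole.  Assumption for
    this example: a destination the caller already supplied is kept as is."""
    result = {name: list(values) for name, values in provided.items()}
    missing = []
    for dest, source in required.items():
        if result.get(dest):
            continue
        values = provided.get(source)
        if not values:
            missing.append(f"{dest} (from {source})")
            continue
        result[dest] = list(values)
    if missing:
        raise ValueError("cannot create user; required attributes unavailable: "
                         + ", ".join(missing))
    return result


# Constructed inputs: the mapping from the text and a minimal user.
REQUIRED = parse_required_attributes("cn sn=givenName")
NEW_USER = {"uid": ["user1"], "givenName": ["Jane"], "mail": ["jane@example.com"]}

if __name__ == "__main__":
    print(build_user_attributes(REQUIRED, NEW_USER))
```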
Specifies the attribute name to indicate the user's status.
Specifies the attribute name for an active user status. The default is active.
Specifies the attribute name for an inactive user status. The default is inactive.
This field defines the attribute type used to search for a group. The default is cn.
Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).
Specifies the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.
Specifies the value for the group container. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in a container named ou=groups, then the group container value is groups.
Specifies the object classes for groups. When a group is created, the object classes in this list are added to the group's entry.
Defines the list of attributes associated with a group. Any attempt to read or write group attributes that are not on this list is rejected. The attributes are case-sensitive. The object classes and attributes must already be defined in the LDAP server's schema before you list them here.
Specifies the name of the attribute whose values are the names of all the groups to which a DN belongs. The default is memberOf.
Specifies the name of the attribute whose value is a DN belonging to this group. The default is uniqueMember.
Specifies the name of the attribute whose value is an LDAP URL that resolves to the members belonging to this group. The default is memberUrl.
The DN value specified in this attribute is automatically added to a group as a member when the group is created.
Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container.
Specifies the value of the people container. The default is people.
If the value of this attribute is null (empty), the entire tree under the base DN is searched.
Specifies that this data store can authenticate user and/or agent identity types when the authentication module for the realm is set to Data Store.
Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.
Defines the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter.
Defines the scope to be used in a persistent search. The scope must be one of the following:
SCOPE_BASE – searches only the base DN.
SCOPE_ONE – searches only the entries under the base DN.
SCOPE_SUB (default) – searches the base DN and all entries within its subtree.
Defines the maximum idle time before restarting the persistent search. The value must be greater than 1. Values less than or equal to 1 restart the search irrespective of the idle time of the connection.
If OpenSSO Enterprise is deployed with a load balancer, some load balancers time out a connection that has been idle for a specified amount of time. In this case, set the Persistent Search Maximum Idle Time Before Restart to a value less than the load balancer's timeout.
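The scope definitions above are the same for the plug-in search and for the persistent search, and the people and group container settings earlier on the page decide the base DN those scopes apply to. As an added example (not OpenSSO code), the Python below computes the search base from the container naming attribute and value, then filters a constructed set of entry DNs by SCOPE_BASE, SCOPE_ONE and SCOPE_SUB. DN handling is the simple comma-split form and does not cover escaped commas inside attribute values; the entry DNs are constructed to mirror the DN shapes used on the page.

```python
"""Added example, not OpenSSO code: which entries a data-store search reaches,
given (a) the people or group container settings, which narrow the base DN,
and (b) the search scope SCOPE_BASE / SCOPE_ONE / SCOPE_SUB used both for the
plug-in search and for the persistent search.  DN handling is the simple
comma-split form and does not cover escaped commas inside values."""
from typing import Iterable, List, Optional


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, trimming whitespace and lowercasing for comparison."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def search_base(org_dn: str, container_attr: Optional[str],
                container_value: Optional[str]) -> str:
    """Container naming attribute plus value (for example ou and groups) select a
    container under the organization DN; when either is empty the organization
    DN itself is the base, so the whole tree under it is searched."""
    if not container_attr or not container_value:
        return org_dn
    return f"{container_attr}={container_value},{org_dn}"


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the base at all
    depth = len(entry) - len(base)  # 0 = the base entry, 1 = direct child, ...
    if scope == "SCOPE_BASE":
        return depth == 0
    if scope == "SCOPE_ONE":
        return depth == 1
    if scope == "SCOPE_SUB":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def select_entries(entries: Iterable[str], base_dn: str, scope: str) -> List[str]:
    """Return, in input order, the entries the given base and scope would reach."""
    return [dn for dn in entries if in_scope(dn, base_dn, scope)]


# Constructed directory content mirroring the DN shapes used in the text.
ORG_DN = "dc=iplanet,dc=com"
ENTRIES = [
    "dc=iplanet,dc=com",
    "ou=groups,dc=iplanet,dc=com",
    "cn=group1,ou=groups,dc=iplanet,dc=com",
    "cn=group2,ou=nested,ou=groups,dc=iplanet,dc=com",
    "uid=user1,ou=people,dc=iplanet,dc=com",
]

if __name__ == "__main__":
    base = search_base(ORG_DN, "ou", "groups")
    for scope in ("SCOPE_BASE", "SCOPE_ONE", "SCOPE_SUB"):
        print(scope, select_entries(ENTRIES, base, scope))
```

The SCOPE_ONE result is the one worth checking in a real deployment: a group placed in a nested container under ou=groups is invisible to a one-level search, which shows up as a group that exists in the directory but never appears in OpenSSO.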
Defines the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAPException Error Codes to Retry On.
Specifies the time to wait before each retry. This applies only to the persistent search connection.
Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.
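As an added example (not OpenSSO code), the Python below expresses the persistent-search recovery rules from the preceding attributes as a small policy: the idle-time rule (a maximum idle value of 1 or less restarts regardless of idle time), and a retry loop that retries only on the configured LDAP result codes, up to the maximum number of retries, waiting the retry interval between attempts. The LdapError class, the flaky search operation and the result codes are constructed for the example and are not OpenSSO defaults.

```python
"""Added example, not OpenSSO code: the two persistent-search recovery rules
as a small policy.  restart_for_idle implements the idle-time rule (a maximum
idle value of 1 or less means restart regardless of idle time); run_with_retries
retries only on the configured LDAP result codes, up to the maximum, waiting
the retry interval between attempts.  Result codes below are constructed."""
import time
from typing import Callable, Set, TypeVar

T = TypeVar("T")


class LdapError(Exception):
    """Constructed stand-in for an LDAP SDK exception carrying a result code."""
    def __init__(self, code: int, message: str = "") -> None:
        super().__init__(message or f"LDAP result code {code}")
        self.code = code


def restart_for_idle(idle_seconds: float, max_idle_seconds: float) -> bool:
    """True when the persistent search connection should be torn down and
    re-established: always when the configured maximum is <= 1, otherwise
    once the connection has sat idle for at least the maximum."""
    if max_idle_seconds <= 1:
        return True
    return idle_seconds >= max_idle_seconds


def run_with_retries(
    operation: Callable[[], T],
    max_retries: int,
    retry_interval_seconds: float,
    retry_codes: Set[int],
    sleep: Callable[[float], None] = time.sleep,
) -> T:
    """Call operation(); on an LdapError whose code is in retry_codes wait and
    try again, at most max_retries more times.  Any other code, or exhausting
    the retries, propagates the error so the failure stays visible in logs."""
    attempt = 0
    while True:
        try:
            return operation()
        except LdapError as exc:
            if exc.code not in retry_codes or attempt >= max_retries:
                raise
            attempt += 1
            sleep(retry_interval_seconds)


def make_flaky_search(failures_before_success: int, code: int) -> Callable[[], str]:
    """Constructed operation that fails failures_before_success times with the
    given code and then succeeds."""
    remaining = [failures_before_success]

    def search() -> str:
        if remaining[0] > 0:
            remaining[0] -= 1
            raise LdapError(code)
        return "persistent search established"

    return search


if __name__ == "__main__":
    op = make_flaky_search(2, 91)  # 91 is a constructed code for the example
    print(run_with_retries(op, max_retries=3, retry_interval_seconds=0.01,
                           retry_codes={80, 81, 91}))
```

Keeping the retry set narrow is the point of the last attribute above: a code that is not in the set (for example a permission or filter error) fails immediately instead of being masked by repeated reconnects.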
If enabled, OpenSSO Enterprise caches data retrieved from the data store.
Specifies the maximum time data is kept in the cache before it is removed. The value is defined in seconds.
Specifies the maximum size of the cache. The larger the value, the more data can be stored, but the more memory is required. The value is defined in bytes.
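As an added example (not OpenSSO code), the Python below is a data-store cache bounded the two ways the attributes above describe: entries older than the maximum age are treated as misses and dropped, and the total size in bytes never exceeds the maximum, with the oldest entries evicted to make room. The size estimate (encoded DN plus attribute names and values) and the injectable clock are assumptions made so the behaviour can be exercised offline.

```python
"""Added example, not OpenSSO code: a data-store cache bounded by a maximum
age in seconds and a maximum size in bytes.  Entry size is estimated from the
encoded DN, attribute names and values (an assumption for this example); the
clock is injectable so expiry can be tested without waiting."""
import time
from collections import OrderedDict
from typing import Callable, Dict, List, Optional, Tuple


class DataStoreCache:
    def __init__(self, max_age_seconds: float, max_size_bytes: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_age = max_age_seconds
        self.max_size = max_size_bytes
        self.clock = clock
        # dn -> (stored_at, size_in_bytes, attributes), oldest insertion first
        self._entries: "OrderedDict[str, Tuple[float, int, Dict[str, List[str]]]]" = OrderedDict()
        self.size = 0

    @staticmethod
    def entry_size(dn: str, attrs: Dict[str, List[str]]) -> int:
        """Rough byte cost of one cached entry."""
        size = len(dn.encode())
        for name, values in attrs.items():
            size += len(name.encode()) + sum(len(v.encode()) for v in values)
        return size

    def put(self, dn: str, attrs: Dict[str, List[str]]) -> bool:
        """Store an entry, evicting the oldest entries until it fits.  Returns
        False for an entry larger than the whole cache, which is never stored."""
        size = self.entry_size(dn, attrs)
        if size > self.max_size:
            return False
        self._evict(dn)  # replacing an existing entry must not double-count it
        while self.size + size > self.max_size:
            self._evict(next(iter(self._entries)))  # oldest-inserted entry
        self._entries[dn] = (self.clock(), size, {k: list(v) for k, v in attrs.items()})
        self.size += size
        return True

    def get(self, dn: str) -> Optional[Dict[str, List[str]]]:
        """Return the cached attributes, or None on a miss or once the entry
        has exceeded the maximum age (in which case it is also removed)."""
        item = self._entries.get(dn)
        if item is None:
            return None
        stored_at, _, attrs = item
        if self.clock() - stored_at > self.max_age:
            self._evict(dn)
            return None
        return attrs

    def _evict(self, dn: str) -> None:
        item = self._entries.pop(dn, None)
        if item is not None:
            self.size -= item[1]


if __name__ == "__main__":
    cache = DataStoreCache(max_age_seconds=60, max_size_bytes=100)
    cache.put("uid=user1,ou=people,dc=example,dc=com", {"cn": ["user1"]})
    print(cache.get("uid=user1,ou=people,dc=example,dc=com"), cache.size)
```

Sizing the cache small on purpose, as the test below does, is a quick way to see the trade-off the attribute describes: every extra entry past the limit silently evicts the oldest one, so a cache sized below the working set of user entries produces a steady stream of misses against the directory.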