Sun Java System Access Manager 7 2005Q4 Administration Guide

Multi-LDAP Authentication Module Configuration In Legacy Mode

As a form of failover, or to configure multiple values for an attribute when the Access Manager console provides only one value field, an administrator can define multiple LDAP authentication module configurations under one realm. Although these additional configurations are not visible from the console, they work in conjunction with the primary configuration: if the initial search does not find the requesting user, the additional configurations are tried in turn. For example, one realm can define a search through LDAP servers in two different domains, or it can configure multiple user naming attributes in one domain. For the latter, which has only one text field in the console, if a user is not found with the primary search criteria, the LDAP module then searches using the second scope. Following are the steps to configure additional LDAP configurations.

Procedure: To Add An Additional LDAP Configuration

  1. Write an XML file including the complete set of attributes and new values needed for second (or third) LDAP authentication configuration.

    The available attributes can be found by viewing amAuthLDAP.xml, located in etc/opt/SUNWam/config/xml. The XML file created in this step, however, follows the structure of amAdmin.dtd rather than that of amAuthLDAP.xml. Any or all of the attributes can be defined in this file. Code Example 1-2 is a sub-configuration file that includes values for all attributes available to the LDAP authentication configuration.


    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!--
      Copyright (c) 2002 Sun Microsystems, Inc. All rights reserved.
      Use is subject to license terms.
    -->
    <!DOCTYPE Requests
        PUBLIC "-//iPlanet//Sun ONE Access Manager 6.0 Admin CLI DTD//EN"
        "jar://com/iplanet/am/admin/cli/amAdmin.dtd"
    >
    <!--
      Before adding a subConfiguration, load the schema with
      GlobalConfiguration defined and replace the corresponding
      serviceName and subConfigID in this sample file, OR load
      serviceConfigurationRequests.xml before loading this sample.
    -->
    <Requests>
        <realmRequests DN="dc=iplanet,dc=com">
            <AddSubConfiguration subConfigName="ssc"
                subConfigId="serverconfig"
                priority="0" serviceName="iPlanetAMAuthLDAPService">

                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-server"/>
                    <Value>vbrao.red.iplanet.com:389</Value>
                </AttributeValuePair>
                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-base-dn"/>
                    <Value>dc=iplanet,dc=com</Value>
                </AttributeValuePair>
                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-bind-dn"/>
                    <Value>cn=amldapuser,ou=DSAME Users,dc=iplanet,dc=com</Value>
                </AttributeValuePair>
                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-bind-passwd"/>
                    <Value>plain text password</Value>
                </AttributeValuePair>
                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-user-naming-attribute"/>
                    <Value>uid</Value>
                </AttributeValuePair>
                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-user-search-attributes"/>
                    <Value>uid</Value>
                </AttributeValuePair>
                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-search-scope"/>
                    <Value>SUBTREE</Value>
                </AttributeValuePair>
                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-ssl-enabled"/>
                    <Value>false</Value>
                </AttributeValuePair>
                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-return-user-dn"/>
                    <Value>true</Value>
                </AttributeValuePair>
                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-auth-level"/>
                    <Value>0</Value>
                </AttributeValuePair>
                <AttributeValuePair>
                    <Attribute name="iplanet-am-auth-ldap-server-check"/>
                    <Value>15</Value>
                </AttributeValuePair>

            </AddSubConfiguration>
        </realmRequests>
    </Requests>

  2. Copy the plain text password of the bind DN as the value of iplanet-am-auth-ldap-bind-passwd in the XML file created in Step 1.

    In the code example, this value appears as the placeholder plain text password.

  3. Load the XML file using the amadmin command line tool.


    ./amadmin -u amadmin -w administrator_password -v -t name_of_XML_file

    Note that this second LDAP configuration cannot be seen or modified from the console.
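Because the sub-configuration is invisible in the console once loaded, it is worth checking the request file before running amadmin. The following pre-load check is added example code (not part of Access Manager or the amadmin tool): it parses the AddSubConfiguration request with Python's standard XML parser and reports an attribute name that is not in the module's attribute list, a bind password left as the sample placeholder, and SSL left disabled. The embedded request is a constructed, trimmed copy of the Step 1 sample.

```python
import xml.etree.ElementTree as ET
# Attribute names the LDAP authentication sub-configuration accepts,
# taken from the sample request file in Step 1.
KNOWN_ATTRS = {"iplanet-am-auth-ldap-" + s for s in (
    "server", "base-dn", "bind-dn", "bind-passwd", "user-naming-attribute",
    "user-search-attributes", "search-scope", "ssl-enabled", "return-user-dn",
    "auth-level", "server-check")}
PLACEHOLDER_PASSWORD = "plain text password"  # value left in the sample file

def lint_subconfig(xml_text):
    """Parse an amadmin request file and return a list of problems found."""
    problems = []
    # The file declares ISO-8859-1, so hand expat bytes in that encoding.
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    for sub in root.iter("AddSubConfiguration"):
        if sub.get("serviceName") != "iPlanetAMAuthLDAPService":
            problems.append("serviceName is not iPlanetAMAuthLDAPService")
        seen = {}
        for pair in sub.iter("AttributeValuePair"):
            attr = pair.find("Attribute")
            name = attr.get("name") if attr is not None else None
            value = (pair.findtext("Value") or "").strip()
            if name not in KNOWN_ATTRS:
                problems.append(f"unknown attribute name: {name}")
            elif name in seen:
                problems.append(f"attribute repeated: {name}")
            seen[name] = value
        if seen.get("iplanet-am-auth-ldap-bind-passwd") == PLACEHOLDER_PASSWORD:
            problems.append("bind password is still the sample placeholder")
        if seen.get("iplanet-am-auth-ldap-ssl-enabled", "").lower() == "false":
            problems.append("ssl-enabled is false: bind password crosses the wire in clear")
    return problems

# Constructed sample: a trimmed copy of the Step 1 file with the bind-dn
# attribute name mis-typed (leading "i" missing) and the placeholder kept.
SAMPLE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<Requests><realmRequests DN="dc=iplanet,dc=com">
<AddSubConfiguration subConfigName="ssc" subConfigId="serverconfig"
    priority="0" serviceName="iPlanetAMAuthLDAPService">
  <AttributeValuePair><Attribute name="iplanet-am-auth-ldap-server"/>
    <Value>vbrao.red.iplanet.com:389</Value></AttributeValuePair>
  <AttributeValuePair><Attribute name="planet-am-auth-ldap-bind-dn"/>
    <Value>cn=amldapuser,ou=DSAME Users,dc=iplanet,dc=com</Value></AttributeValuePair>
  <AttributeValuePair><Attribute name="iplanet-am-auth-ldap-bind-passwd"/>
    <Value>
        plain text password</Value></AttributeValuePair>
  <AttributeValuePair><Attribute name="iplanet-am-auth-ldap-ssl-enabled"/>
    <Value>false</Value></AttributeValuePair>
</AddSubConfiguration></realmRequests></Requests>"""
```

Calling lint_subconfig(SAMPLE) reports three findings; a file with a correct bind-dn name, a real password and ssl-enabled set to true returns an empty list.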


    Tip –

    There is a sample available for multi-LDAP configuration. See the serviceAddMultipleLDAPConfigurationRequests.xml command line template in /AccessManager-base/SUNWam/samples/admin/cli/bulk-ops/. Instructions can be found in Readme.html at /AccessManager-base/SUNWam/samples/admin/cli/.