Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

7.4 Configuring a User Realm

Create a new realm that you can use to authenticate against only the existing Directory Server. The two Access Manager servers share configuration, so you configure the new realm on just one Access Manager server.

Use the following as your checklist for creating a user realm:

  1. Create a new realm.

  2. Configure a realm alias.

  3. Configure the realm authentication.

  4. Configure Access Manager to use roles from the user data store.

  5. Configure the user data stores.

Procedure: To Create a New Realm

  1. Start a new browser and log in to the first Access Manager server.

    Go to the URL http://AccessManager-1.example.com:1080/amserver/console

  2. Log in as a root user to the Access Manager console using the following information:

    User Name:

    amadmin

    Password:

    4m4dmin1

  3. Click the Access Control tab, and then click New.

  4. In the New Realm page, in the Name field, enter users.

  5. Click OK.

Procedure: To Configure a Realm Alias

  1. On the Access Control tab, under Realms, click the Realm Name users.

  2. On the General tab for users-Properties, add users to the Realm/DNS/Aliases list.

    In the Add field enter users, and then click Add.

  3. Click Save.

Procedure: To Configure the Realm Authentication

  1. Modify the User Profile.

    1. Click Realms.

    2. On the Access Control tab, under Realms, select the new realm users.

    3. Click the Authentication tab.

    4. In the General section, click Advanced Properties.

    5. In the Core page, in the Realm Attributes section, change the User Profile attribute to Ignored.

      Access Manager is configured to use only the existing Directory Server for authentication, and a full User Profile may not exist. That's why the attribute is set to Ignored in this example.

    6. Click Save.

      The changes are saved, and the Core > Realm Attributes page is displayed.

  2. Create a new authentication module.

    1. Click Edit Realm to return to the users — Authentication page.

    2. In the Module Instances section, click New.

    3. In the New Module Instance page set the following attributes:

      Name

      Enter usersLDAP.

      Type

      Choose LDAP.

    4. Click Create.

      The new module is created, and the users — Authentication page is displayed.

  3. Configure the new realm.

    1. In the users — Authentication page, in the New Module Instances section, click the New Instance named usersLDAP.

    2. In the LDAP > Realm Attributes page, set the following attributes:

      Primary LDAP Server
      1. In the Add field, enter the hostname and port number for the load balancer for the user data store: LoadBalancer-2.example.com:489.

      2. In the server listbox, select the default server, then click Remove.

      DN to Start User Search
      1. In the Add field, enter dc=company,dc=com and then click Add.

      2. Select the default entry o=example.com, and then click Remove.

      DN for Root User Bind

      uid=userdbauthadmin,ou=users,dc=company,dc=com

      Password for Root User Bind

      4serd84uth4dmin

      Password for Root User Bind (confirm)

      4serd84uth4dmin

      These values were imported into the user data store in a previous task. See To Import Users into the User Data Store.

    3. Click Save.

      The changes are saved, and the users — Authentication page is displayed.

  4. Configure the default ldapService chain to use the new authentication module.

    1. In the Authentication Chaining section, click on the default ldapService chain to configure it.

    2. On the ldapService - Edit Authentication Chain page, in the Instance column, choose usersLDAP.

    3. In the Criteria column, set the attribute to Required.

    4. Click Save.

  5. Remove the LDAP authentication module.

    This module is automatically inherited from the default realm, and it authenticates against the Access Manager configuration directory. The module is no longer needed now that the usersLDAP module will be used for authentication.

    1. Click Edit Realm > users.

    2. In the Module Instances section, mark the checkbox for the existing module instance named LDAP.

    3. Click Delete.

      The LDAP authentication module is deleted, and the users — Authentication page is displayed.

  6. On the users — Authentication page, click Save.

    Changes you made in the previous steps are saved.

Procedure: To Configure Access Manager to Use Roles from the User Data Store

This procedure is not required to make Access Manager work in all scenarios because not all scenarios require role support. The procedure is required in this deployment example because policies are created in later procedures, and the policies will refer to roles.

  1. On the Access Control tab, under Realms, click the users link.

  2. Click the Data Stores tab, and then click the usersLDAP link.

  3. On the Edit Data Store page, in the section “LDAPv3 Plugin Supported Types and Operations,” in the Add field, enter role=read,create,edit,delete, and then click Add.

  4. In the section, “LDAP User Attributes,” in the Add field, enter nsrole, and then click Add.

  5. In the Add field, enter nsroledn, and then click Add.

  6. Click Save.

  7. Edit the Top-Level Realm.

    Click Edit Realm.

    1. Click Subjects > Role.

      Two roles employee and manager are in the Roles list.

    2. Click the Users tab, and then click the testuser1 link.

    3. Click on the Role tab.

      Verify that testuser1 is added to the manager role. The role manager is displayed in the list of selected roles.

    4. Click Edit Realm —users, and then click the testuser2 link.

    5. Click on the Role tab.

      Verify that testuser2 is added to the employee role. The role employee is displayed in the list of selected roles.

    6. Click Edit Realm —users, and then click the testuser2 link.

Procedure: To Configure the User Data Stores

  1. Delete the default data store.

    1. In the sub-realm users Authentication page, click the Data Stores tab.

    2. In the sub-realm users Data Stores page, mark the checkbox for amSDK1, the default data store.

    3. Click Delete.

  2. Create a new data store.

    1. Click New.

    2. In the “Step 1 of 2: Select Type of Data Store” page, set the following attributes:

      Name

      Enter usersLDAP.

      Type

      Choose “LDAPv3 Repository Plug-In.”

    3. Click Next.

    4. In the “Step 2 of 2: New Data Store” page, set the following attributes:

      Primary LDAP Server
      1. In the Add field, enter the hostname and port number for the existing directory. Use the form LoadBalancer-2.example.com:489.

      2. Select the default DirectoryServer-1.example.com:1389, and then click Remove.

      LDAP Bind DN

      Enter uid=userdbadmin,ou=users,dc=company,dc=com.

      Password for Root User Bind

      4serd84dmin

      Password for Root User Bind (confirm)

      4serd84dmin

      LDAP Organization DN

      Enter dc=company,dc=com.

      LDAP People Container Value

      users

      When this field is empty, the search for users will start from the root suffix.

      Persistent Search Base DN

      Enter dc=company,dc=com.

      These values were imported into the user data store in a previous task. See To Import Users into the User Data Store.

    5. Click Finish and log out of the Access Manager console.

  3. Restart each Access Manager server for the changes to take effect.

    Log in to each Access Manager host system, and restart the Web Server on each host system.

  4. Verify that in the Access Manager console you can see the users in the external user data store.

    1. Go to the Access Manager URL.

      http://AccessManager-1.example.com:1080/amserver/UI/Login

    2. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

    3. Click on Users Realm.

    4. Click on Subjects tab.

      You should see three new users: authuiadmin, userdbadmin, and userdbauthadmin.

  5. Verify that a user can successfully authenticate against the new realm.

    1. Start a new browser session and log in to Access Manager.

      Go to the following URL:

      http://AccessManager-1.example.com:1080/amserver/UI/Login?realm=users

      The parameter realm=users specifies the new realm to use for authentication. Without the parameter, the default realm is used.

    2. On the login page, provide a user login and password from the existing directory.

      User Name:

      authuiadmin

      Password:

      4uthu14dmin

      You should be able to log in successfully.

      If the login is not successful, watch the existing Directory Server access log to troubleshoot the problem.

    At this point, a user can log in against the existing Directory Server if the realm=users parameter is included in the login URL. If the parameter is absent, the default realm is used.

    Administrators who want to access the Access Manager console should log in to the default realm.
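As an added example that is not part of the original deployment guide, the following Python script pairs each BIND and SRCH operation with its RESULT line in a Directory Server access log, the log the verification step above tells you to watch, and reports the two failures that wrong values in the usersLDAP authentication module or the usersLDAP data store most often produce: err=49 for a bad bind DN or password and err=32 for a DN to Start User Search that does not exist. The log lines are constructed for this example, and the field layout is assumed to match the Sun Directory Server access-log format.

```python
import re

# Constructed access-log sample (not from the original document): a good
# module bind and search, a data-store bind with a wrong password (err=49),
# and a user search against the old default base o=example.com (err=32).
SAMPLE_LOG = """\
[10/Jun/2006:14:02:11 -0700] conn=41 op=0 BIND dn="uid=userdbauthadmin,ou=users,dc=company,dc=com" method=128 version=3
[10/Jun/2006:14:02:11 -0700] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[10/Jun/2006:14:02:11 -0700] conn=41 op=1 SRCH base="dc=company,dc=com" scope=2 filter="(uid=authuiadmin)" attrs="uid"
[10/Jun/2006:14:02:11 -0700] conn=41 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[10/Jun/2006:14:02:12 -0700] conn=42 op=0 BIND dn="uid=userdbadmin,ou=users,dc=company,dc=com" method=128 version=3
[10/Jun/2006:14:02:12 -0700] conn=42 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[10/Jun/2006:14:02:13 -0700] conn=43 op=0 BIND dn="uid=authuiadmin,ou=users,dc=company,dc=com" method=128 version=3
[10/Jun/2006:14:02:13 -0700] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[10/Jun/2006:14:02:13 -0700] conn=43 op=1 SRCH base="o=example.com" scope=2 filter="(uid=authuiadmin)" attrs="nsrole"
[10/Jun/2006:14:02:13 -0700] conn=43 op=1 RESULT err=32 tag=101 nentries=0 etime=0
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|RESULT)(.*)')
ERR_RE = re.compile(r'err=(\d+)')
DN_RE = re.compile(r'dn="([^"]*)"')
BASE_RE = re.compile(r'base="([^"]*)"')

# LDAP result codes that point at a specific console field on this page.
ERR_TEXT = {32: "noSuchObject: the search base DN does not exist",
            49: "invalidCredentials: the bind DN or its password is wrong"}

def find_failures(log_text):
    """Match each BIND/SRCH to its RESULT by (conn, op) and return a list of
    (operation, bind DN or search base, error code, explanation) tuples."""
    pending = {}   # (conn, op) -> (operation, target) awaiting a RESULT
    failures = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key, op, rest = (m.group(1), m.group(2)), m.group(3), m.group(4)
        if op == "BIND":
            pending[key] = ("BIND", DN_RE.search(rest).group(1))
        elif op == "SRCH":
            pending[key] = ("SRCH", BASE_RE.search(rest).group(1))
        elif op == "RESULT" and key in pending:
            operation, target = pending.pop(key)
            err = int(ERR_RE.search(rest).group(1))
            if err != 0:
                failures.append((operation, target, err,
                                 ERR_TEXT.get(err, "see LDAP result codes")))
    return failures

if __name__ == "__main__":
    for operation, target, err, why in find_failures(SAMPLE_LOG):
        print(f"{operation} on {target}: err={err} ({why})")
```

A bind failure for uid=userdbauthadmin points at the usersLDAP module's root bind password, one for uid=userdbadmin at the data store's bind password, and an err=32 on a base other than dc=company,dc=com means the default search DN was never replaced.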