Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

7.5 (Optional) Enabling Access Manager to Manage Users in the Existing User Data Store

You can use the Access Manager console to create, edit, and delete user profiles in your existing data store. The procedures in this section are optional.

Access Manager is typically used more for policy management than for user management. In most cases, the user repository is a different repository from the one Access Manager uses to store its configuration, and administrators usually prefer to manage the user repository separately or differently from the Access Manager repository. However, administrators sometimes need to manage the assignment of Access Manager services to users or roles, and for convenience they can do this through the Access Manager console. For this to work, the relevant Access Manager object classes must be imported into the user repository so that Access Manager can read and write Access Manager service properties into the relevant entries in the user repository.

Use the following as your checklist for enabling Access Manager to manage users in the existing data store:

  1. Configure Access Manager to manage users in an existing user data store.

  2. Verify that user management with the existing data store works properly.

Procedure: To Configure Access Manager to Manage Users in an Existing User Data Store

  1. Copy Access Manager schema to Directory Server 1.

    1. As a root user log into host DirectoryServer–1.

    2. At the command line, run the following copy command:


      # cp /var/opt/mps/serverroot/slapd-am-config/config/schema/99user.ldif \
        /var/opt/mps/serverroot/slapd-am-users/config/schema/98am-schema.ldif
  2. Copy Access Manager schema to Directory Server 2.

    1. As a root user, log into host DirectoryServer–2.

    2. At the command line, run the following copy command:


      # cp /var/opt/mps/serverroot/slapd-am-config/config/schema/99user.ldif \
        /var/opt/mps/serverroot/slapd-am-users/config/schema/98am-schema.ldif
  3. Start the Directory Server 1 console.


    # cd /var/opt/mps/serverroot
    # ./startconsole &
  4. Log in to the Directory Server 1 console using the following information:

    Username

    cn=Directory Manager

    Password

    d1rm4n4ger

    Administration URL

    http://DirectoryServer-1.example.com:1391

  5. Create a new Access Control Instruction (ACI).

    1. In the Directory Server console, in the navigation tree, expand the Server Group object and then click on the am-users instance.

    2. On the Directory Server page for am-users, click Open.

    3. Click the Directory tab.

    4. In the navigation tree, click the dc=company,dc=com suffix.

    5. Double-click the Directory Administrators group.

    6. On the Edit Entry page for Directory Administrators, click Members.

    7. On the Static Group page, click Add.

    8. In the Search dialog, click Search.

    9. In the results list, click the User ID userdbadmin.

      The Member User ID userdbadmin is now added to the Static Group list.

      Click OK.

  6. Set access permissions.

    1. On the Directory tab, in the navigation tree, right-click the dc=company,dc=com suffix, and then select Set Access Permissions.

    2. In the Manage Access Control dialog, click New.

    3. In the Edit ACI dialog, in the ACI name field, enter Directory Administrators.

    4. In the list of Users/Groups, select All Users, and then click Remove.

    5. Click Add.

    6. In the Add Users and Groups, click Search.

    7. In the Search results list, select Directory Administrators, and then click Add.

    8. Click OK.

      The Directory Administrators group is now displayed in the list of Users/Groups who have access permission.

    9. Click the Target tab.

    10. In the “Target directory entry,” click This Entry.

      The dc=company,dc=com suffix is displayed.

    11. Click OK.

      The Directory Administrators group is displayed in the Manage Access Control dialog.

    12. Click OK, and then log out of Directory Server 1.

  7. Restart both Directory Server 1 and Directory Server 2.

    1. Log in as a root user to the Directory Server 1 host.


      # cd /var/opt/mps/serverroot
      # ./restart
    2. Log in as a root user to the Directory Server 2 host.


      # cd /var/opt/mps/serverroot
      # ./restart

    Tip –

    If you see errors such as the following on the command line:


    [13/Oct/2006:12:43:39 -0700] - ERROR<5895> - Schema  - 
    conn=-1 op=-1 msgId=-1 - 
    User error:  Entry "cn=schema", single-valued attribute 
    "modifyTimestamp" has multiple values   

    then run the following commands:


    # cd config/schema
      (edit the file 98am-schema.ldif and remove these two entries:)
        modifiersName: cn=directory manager
        modifyTimestamp: 20060913190551Z
    # cd ../..
    # ./restart-slapd

  8. Restart both Access Manager 1 and Access Manager 2.

    1. Log in as a root user to the AccessManager-1 host.


      # cd /opt/SUNWwbsvr/https-AccessManager-1
      # ./stop; ./start
    2. Log in as a root user to the AccessManager-2 host.


      # cd /opt/SUNWwbsvr/https-AccessManager-2
      # ./stop; ./start
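
Steps 1 and 2 copy the schema file verbatim, and the Tip under step 7 describes the start-up error that the copied modifiersName and modifyTimestamp operational attributes cause. The following script is an added example, not part of the deployment guide: it performs the same copy while stripping those two attributes, using the guide's paths as assumed defaults and a constructed sample LDIF (placeholder attribute name and OID) for a dry run.

```shell
#!/bin/sh
# Added example, not part of the deployment guide: copies the Access Manager
# schema from the am-config instance to the am-users instance (steps 1 and 2)
# while dropping the operational attributes that the Tip says cause the
# "single-valued attribute modifyTimestamp has multiple values" error.
# The default paths are the ones used in the guide; they are assumptions here.

AM_SCHEMA_SRC=/var/opt/mps/serverroot/slapd-am-config/config/schema/99user.ldif
AM_SCHEMA_DST=/var/opt/mps/serverroot/slapd-am-users/config/schema/98am-schema.ldif

# Return 0 when the LDIF file carries neither modifiersName nor modifyTimestamp.
schema_is_clean() {
    ! grep -i -E -q '^(modifiersName|modifyTimestamp):' "$1"
}

# Copy src to dst, removing modifiersName/modifyTimestamp lines so the target
# instance does not end up with two values for these single-valued attributes.
copy_am_schema() {
    src="${1:-$AM_SCHEMA_SRC}"
    dst="${2:-$AM_SCHEMA_DST}"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    grep -v -i -E '^(modifiersName|modifyTimestamp):' "$src" > "$dst.tmp" || return 1
    mv "$dst.tmp" "$dst" && schema_is_clean "$dst"
}

# Constructed sample of what 99user.ldif looks like when it still carries the
# two operational attributes; the attribute name and OID are placeholders.
make_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
modifiersName: cn=directory manager
modifyTimestamp: 20060913190551Z
attributeTypes: ( 1.2.3.4.5 NAME 'constructedExampleAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
EOF
}

# Dry run on constructed input: sh copy_am_schema.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_ldif "$tmp/99user.ldif"
    copy_am_schema "$tmp/99user.ldif" "$tmp/98am-schema.ldif" && echo "schema copied clean"
    rm -rf "$tmp"
fi
```

Run it without arguments on the Directory Server host to perform the real copy, then restart the am-users instance as in step 7.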

Procedure: To Verify that User Management with the Existing Data Store Works Properly

  1. In a browser, go to the following Access Manager URL:

    https://loadbalancer-3.example.com:9443/amserver/UI/Login

  2. Log in to the Access Manager console using the following information:

    Username

    amadmin

    Password

    4m4dmin1

  3. Add a new user.

    1. On the Realms page, click the users link.

    2. Click the Subjects tab.

    3. On the User page, under User, click New.

    4. On the New User page, provide the following information, and then click Create:

      ID:

      johndoe

      First Name:

      John

      Last Name:

      Doe

      Full Name:

      John Doe

      Password:

      password

      Password Confirm:

      password

      John Doe is now displayed in the list of Users. This indicates that the user created in Access Manager was also created in Directory Server, and that changes to the user profile were written to Directory Server.

    5. Modify the John Doe entry.

      1. Click the UserID for johndoe.

      2. In the Edit User dialog, in the Full Name field, enter John Michael Doe, and then click Save.

        You can see changes reflected in Access Manager. Changes to the user profile were also updated in Directory Server.

  4. Log in as a root user to the host DirectoryServer-1.

    1. Start the Directory Server console:


      # cd /var/opt/mps/serverroot
      # ./startconsole &
    2. Log in to the Directory Server console using the following information:

      Username

      cn=Directory Manager

      Password

      d1rm4n4ger

      Administration URL

      http://DirectoryServer-1.example.com:1391

    3. In the navigation tree, expand the DirectoryServer-1 node, and expand the Server Group.

    4. Click the am-users instance.

    5. On the Directory Server page for am-users, click Open.

    6. Click the Directory tab.

    7. Click the dc=company,dc=com suffix, and then click the users group.

    8. In the list of users, double-click the johndoe entry.

      In the Edit User page, verify that the information is the same as the information you entered through the Access Manager console in the previous steps.

    Leave the Directory Server console open.

  5. In the Access Manager console, create a new role and add John Doe to the role.

    1. In the Realms page for users, click the Subjects tab.

    2. Click the Role tab.

    3. Under Roles, click New Role.

    4. In the Role page, in the Name field, enter testRole.

    5. Click Create.

      The new role testRole is now displayed in the list of roles.

    6. Click the testRole link.

    7. Click the User tab.

    8. In the Edit Role page for testRole, in the Available list, select johndoe.

    9. Click Add.

      The user johndoe is added to the Selected list.

    10. Click Save.

      John Doe is now added to the testRole role.

  6. Verify that the new user and role are created in Directory Server.

    1. In the am-users instance, on the Directory tab, click the dc=company,dc=com suffix.

      The role testRole is included in the right pane.

    2. Double-click testRole.

    3. In the Edit Role dialog, click Members.

      Verify that John Michael Doe is included in the list of members.