Sun Java System Access Manager 7.1 Postinstallation Guide

Configuring an Access Manager Identity Repository LDAPv3 Data Store For Active Directory

Using an example, this section shows how you can configure an Access Manager 7.1 Identity Repository (IdRepo) LDAPv3 data store to point a freshly installed Active Directory, including:

Configuration Example

The following configuration example assumes:


Note –

This section shows an example. Some additional modifications might be required for your actual environment.


In the Access Manager Administration Console, set the following Active Directory attributes. For information about an attribute, refer to the Console online Help.

Primary LDAP Server: Active Directory server name and port number that you want to connect to. For example: myADServer.example.com:389

LDAP Bind DN: CN=Administrator,CN=Users,DC=example,DC=com

LDAP Bind Password: Password for CN=Administrator,CN=Users,DC=example,dc=com

LDAP Organization DN: DC=example,DC=com — Organization DN that this datastore will map to. This will be the base DN of all operations performed in this data store.

Enable LDAP SSL: Select if the Active Directory server is in SSL mode.

LDAP Connection Pool Minimum Size: Initial number of connections in the connection pool. The use of connection pool avoids having to create a new connection each time.

LDAP Connection Pool Maximum Size: Maximum number of connections allowed.

Maximum Results Returned from Search: Maximum number of search results to return. This value should be based on the size of your LDAP organization. The maximum number returned cannot exceed the ns size limit configured for the Active Directory server.

Search Timeout: Maximum time in seconds to wait for results on a search operation.

LDAP Follows Referral: Option specifying whether or not referrals to other LDAP servers are followed automatically.

LDAPv3 Repository Plugin Class Name: Where to find the class file that implements the LDAPv3 repository.

Attribute Name Mapping: Allows for common attributes known to the framework to be mapped to the native data store. Map the attributes as follows:

LDAPv3 Plugin Supported Types and Operations: No change is needed.

LDAP Users Search Attribute: cn — Naming attribute of user.

LDAP Users Search Filter: (objectclass=person)

LDAP User Object Class: Object classes for user. When a user is created, this list of user object classes will be added to the user's attributes list. Therefore, it is important that the object classes you entered here actually exist in the Active Directory server; otherwise, you will get an object class violation (error=65).

Enter the following object classes (names are not case sensitive):

LDAP User Attributes: Definitive list of attributes associated with a user. If an attribute is not on this list, it will not be sent or read. Therefore, if there is any possibility that the user entry can contain this attribute, you should list it here. Or, if the attribute is not defined in the Active Directory server, you should not enter it here; otherwise, you will get an error when Access Manager tries to write this attribute to Active Directory. Enter the following attributes (names are not case sensitive):

User Status Attribute: userAccountControl — Attribute to check to determine if a user is active or inactive. When a user is created, the default user's active or inactive status is assigned based on the value in this field:

LDAP Groups Search Attribute: cn — Naming attribute of a group. This attribute name will be used to construct the group's dn and search filter.

LDAP Groups Search Filter: (objectclass=group) — Filter employed when doing a search for groups. The LDAP Groups Search Attribute will be prepended to this field to form the actual group search filter.

LDAP Groups Container Naming Attribute: cn — Naming attribute for a group container if groups resides in a container; otherwise, leave it blank.

LDAP Groups Container Value: users — Value for the group container.

LDAP Groups Object Class: objectclasses for group. When a group is created, this list of group object classes will be added to the group's attributes list. Enter the following object classes (names are not case sensitive):

LDAP Groups Attributes: Definitive list of attributes associated with a group. Any attempt to read or write group attributes that are not on this list is not allowed. Therefore, you should enter all possible attributes. Enter the following attributes (names are not case sensitive):

Attribute Name for Group Membership: memberOf — Name of the attribute whose values are the names of all the groups that this dn belongs to.

Attribute Name of Unique Member: member — Attribute name whose value is a dn belonging to this group.

Attribute Name of Group Member URL: memberUrl — Name of the attribute whose value is an LDAP URL that resolves to members belonging to this group.

LDAP People Container Naming Attribute: cn — Naming attribute of people container if user resides in a people container.

LDAP People Container Value: users

LDAP Agents Search Attribute: cn — Naming attribute of an agent. This attribute name will be used to construct the agent's dn and search filter.

LDAP Agents Container Naming Attribute: cn — Naming attribute of agent container if agent resides in an agent container.

LDAP Agents Container Value: users — Value of the agent container.

LDAP Agents Search Filter: (objectClass=sunIdentityServerDevice)— Filter employed when searching for an agent.

LDAP Agents Object Class: ojectclasses for agents. When an agent is created, this list of user object classes will be added to the agent's attributes list. Enter the following object classes (names are not case sensitive):

LDAP Agents Attributes: Definitive list of attributes associated with a user. Any attempt to read or write user attributes that are not on this list is not allowed. Enter the following attributes (names are not case sensitive):

Persistent Search Base DN: DC=example,DC=com — Base DN to use for a persistent search. For Active Directory, this needs to be the root suffix.

Persistent Search Maximum Idle Time Before Restart: Restart the persistence search if it has been idle for this maximum allowed time. Default value is OK.

Maximum Number of Retries After Error Codes: Number of times to retry the persistent search operation if it encounters the error codes specified in LDAP Exception Error Codes to Retry On. Default value is OK.

Delay Time Between Retries: Time to wait before each retry. Applies only to a persistent search connection. Default value is OK.

LDAP Exception Error Codes to Retry On: Retry the persistent search operations if these errors are encountered. Default value is OK.

Operational Notes

The above configuration will allow you to list users and groups. It will also allow you to perform some basic user profile operations. You should be able to change the following user profile information in the Access Manager Console:

However, you cannot do the following operations because of missing attributes or object classes:

Configuring an Authentication Module to Login Through Active Directory

ProcedureTo Configure an Authentication Module to Login Through Active Directory

  1. In the Access Manager 7.1 Administration Console, click realm for which you want to add the new authentication chain.

  2. Click the Authentication tab.

  3. Create a new module instance with the following data:

    • Primary Active Directory server: ADServer:ADServerPort

    • DN to Start User Search: dc=example,dc=com

    • DN for Root User Bind: cn=Administrator,cn=users,dc=RootUser,dc=com

    • Password for Root User Bind: AdministratorPassword

    • Attribute Used to Retrieve User Profile: sAMAccountName

    • Attributes Used to Search for a User to be Authenticated: sAMAccountName

    • Search Scope: SUBTREE

  4. Create a new Authentication chaining instance:

    1. Add a new instance for the authentication instance created in the previous step.

    2. Set the criteria to Sufficient.

  5. Change Default Authentication Chain to the new authentication chain you just created.

  6. Click Save.

Next Steps

To login using Active Directory for authentication, specify the following URL:

http://YourAccessManagerServer:port/amserver/UI/login?org=YourRealmName