Sun Java System Access Manager 7.1 Postinstallation Guide

Specifying a User Naming Attribute Other Than the User ID (uid)

If you are using the Access Manager SDK to create users, you might want to specify an attribute other than the default user ID (uid) as the naming attribute. For example, you might want to use the user's email (mail) or common name (cn) attribute. Or, you might want to use a different attribute altogether, such as an application-generated user ID. This section describes two scenarios: changing the naming attribute before you run the amconfig script, and changing the naming attribute after installation.

Changing the Naming Attribute Before Running the amconfig Script

In this scenario, you install Access Manager with the Java ES installer Configure Later option and then run the amconfig script to set the user naming attribute (as well as other attributes). You want to change the user naming attribute before you run the amconfig script.

Procedure To Specify a User Naming Attribute Other Than the User ID (uid)

  1. In the amsamplesilent file (or copy of the file), set the USER_NAMING_ATTR variable to the new attribute you want to use.

    For example, for the mail attribute: USER_NAMING_ATTR=mail

    Specify a naming attribute that Directory Server supports and that is in the default list of naming attributes supported by Access Manager. Or, if the naming attribute you want to use is not in the list of Access Manager supported attributes, add the attribute to the ums.xml and amUser.xml files, as described in the following steps.

  2. In the ums.xml file, add the attribute to the list in the CreationTemplate for the BasicUser. For example, to use the mail attribute:

    <SubConfiguration name="CreationTemplates" >
        <SubConfiguration name="BasicUser" id="CreationUmsObjects">
            <AttributeValuePair> <Attribute name="name" />
                <Value>BasicUser</Value>
            </AttributeValuePair>
            <AttributeValuePair> <Attribute name="javaclass" />
                <Value>com.iplanet.ums.User</Value>
            </AttributeValuePair>
            <AttributeValuePair> <Attribute name="required" />
                <Value>objectClass=top</Value>
                <Value>objectClass=person</Value>
                <Value>objectClass=organizationalPerson</Value>
                <Value>objectClass=inetOrgPerson</Value>
                <Value>objectClass=iPlanetPreferences</Value>
                <Value>objectClass=iplanet-am-user-service</Value>
                <Value>objectClass=inetuser</Value>
                <Value>objectClass=inetAdmin</Value>
                <Value>objectClass=iplanet-am-managed-person</Value>
                <Value>objectClass=sunAMAuthAccountLockout</Value>
                <Value>cn=default</Value>
                <Value>sn=default</Value>
                <Value>uid</Value>
                <Value>inetuserstatus=Active</Value>
                <Value>mail</Value>
            </AttributeValuePair>
            <AttributeValuePair> <Attribute name="optional" />
                <Value>*</Value>
            </AttributeValuePair>
            <AttributeValuePair> <Attribute name="namingattribute" />
                <Value>uid</Value>
            </AttributeValuePair>
        </SubConfiguration>
    </SubConfiguration>
  3. Also in the ums.xml file, add the attribute to the BasicUserSearch template.

  4. In the amUser.xml file, add the attribute (such as mail) to the <User> schema (if it is not already in the schema).

  5. Run the amconfig script with the amsamplesilent file (or copy of the file) from Step 1.

Changing the Naming Attribute After Installation

In this scenario, you have installed and configured Access Manager and you want to change the user naming attribute. You must modify the ums.xml file and then reload the DAI service using the amadmin utility.

Procedure To Change the Naming Attribute After Installation

  1. In the ums.xml file (used for the DAI service), add the attribute to the list in the CreationTemplate for the BasicUser. For example, to use the mail attribute:

    <SubConfiguration name="CreationTemplates" >
        <SubConfiguration name="BasicUser" id="CreationUmsObjects">
            <AttributeValuePair> <Attribute name="name" />
                <Value>BasicUser</Value>
            </AttributeValuePair>
            <AttributeValuePair> <Attribute name="javaclass" />
                <Value>com.iplanet.ums.User</Value>
            </AttributeValuePair>
            <AttributeValuePair> <Attribute name="required" />
                <Value>objectClass=top</Value>
                <Value>objectClass=person</Value>
                <Value>objectClass=organizationalPerson</Value>
                <Value>objectClass=inetOrgPerson</Value>
                <Value>objectClass=iPlanetPreferences</Value>
                <Value>objectClass=iplanet-am-user-service</Value>
                <Value>objectClass=inetuser</Value>
                <Value>objectClass=inetAdmin</Value>
                <Value>objectClass=iplanet-am-managed-person</Value>
                <Value>objectClass=sunAMAuthAccountLockout</Value>
                <Value>cn=default</Value>
                <Value>sn=default</Value>
                <Value>uid</Value>
                <Value>inetuserstatus=Active</Value>
                <Value>mail</Value>
            </AttributeValuePair>
            <AttributeValuePair> <Attribute name="optional" />
                <Value>*</Value>
            </AttributeValuePair>
            <AttributeValuePair> <Attribute name="namingattribute" />
                <Value>uid</Value>
            </AttributeValuePair>
        </SubConfiguration>
    </SubConfiguration>
  2. Delete the DAI service using the amadmin command. For example, on Solaris systems:

    # cd /opt/SUNWam/bin
    # ./amadmin -u amadmin -w amadminpassword -r DAI
  3. Reload the DAI service, again using the amadmin command. For example:

    # ./amadmin -u amadmin -w amadminpassword -s /etc/opt/SUNWam/config/xml/ums.xml
  4. Restart the Access Manager web container.
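A consistency check for both procedures above, added here as an example in Python; it is not part of this guide or of the Access Manager product. It parses the BasicUser CreationTemplate and the BasicUserSearch template out of a ums.xml fragment and the USER_NAMING_ATTR line of an amsamplesilent file, then reports a naming attribute that is absent from the required list, given a fixed default there (every new user would get the same RDN), absent from the search template, or different from the template's namingattribute value. The XML and amsamplesilent fragments are constructed samples; the exact layout of the BasicUserSearch template is an assumption, so the check only reads the Value text beneath that SubConfiguration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ums.xml fragment for the sample run. The CreationTemplates part
# mirrors the guide's excerpt (shortened); the SearchTemplates layout is an
# assumption, the check only looks for <Value> text under BasicUserSearch.
SAMPLE_UMS_XML = """<DAIConfig>
  <SubConfiguration name="CreationTemplates">
    <SubConfiguration name="BasicUser" id="CreationUmsObjects">
      <AttributeValuePair><Attribute name="name"/><Value>BasicUser</Value></AttributeValuePair>
      <AttributeValuePair><Attribute name="required"/>
        <Value>objectClass=top</Value>
        <Value>objectClass=inetOrgPerson</Value>
        <Value>cn=default</Value>
        <Value>sn=default</Value>
        <Value>uid</Value>
        <Value>inetuserstatus=Active</Value>
        <Value>mail</Value>
      </AttributeValuePair>
      <AttributeValuePair><Attribute name="namingattribute"/><Value>uid</Value></AttributeValuePair>
    </SubConfiguration>
  </SubConfiguration>
  <SubConfiguration name="SearchTemplates">
    <SubConfiguration name="BasicUserSearch" id="SearchUmsObjects">
      <AttributeValuePair><Attribute name="attrs"/><Value>uid</Value><Value>cn</Value></AttributeValuePair>
    </SubConfiguration>
  </SubConfiguration>
</DAIConfig>
"""

# Constructed amsamplesilent excerpt.
SAMPLE_SILENT = """# user naming attribute
USER_NAMING_ATTR=mail
"""

# Shape of an LDAP attribute descriptor; anything else is not a usable RDN type.
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def _find_subconfig(root, name):
    """First SubConfiguration element with the given name attribute, or None."""
    for sc in root.iter("SubConfiguration"):
        if sc.get("name") == name:
            return sc
    return None


def _pair_values(subconfig, attr_name):
    """Value texts of the AttributeValuePair whose <Attribute name=...> matches."""
    for pair in subconfig.iter("AttributeValuePair"):
        attr = pair.find("Attribute")
        if attr is not None and attr.get("name") == attr_name:
            return [v.text.strip() for v in pair.findall("Value") if v.text]
    return []


def parse_user_templates(xml_text):
    """Extract the required list, namingattribute and search values from ums.xml."""
    root = ET.fromstring(xml_text)
    basic_user = _find_subconfig(root, "BasicUser")
    if basic_user is None:
        raise ValueError("BasicUser creation template not found")
    search = _find_subconfig(root, "BasicUserSearch")
    naming = _pair_values(basic_user, "namingattribute")
    search_values = set()
    if search is not None:
        search_values = {v.text.strip() for v in search.iter("Value") if v.text}
    return {
        "required": _pair_values(basic_user, "required"),
        "namingattribute": naming[0] if naming else None,
        "search_values": search_values,
    }


def naming_attr_from_silent(text):
    """Value of USER_NAMING_ATTR in an amsamplesilent file, ignoring comments."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "USER_NAMING_ATTR":
            return value.strip().strip("\"'")
    return None


def check_naming_attribute(xml_text, intended):
    """Return a list of findings; an empty list means the change is consistent."""
    findings = []
    if not ATTR_NAME.match(intended):
        return [f"'{intended}' is not a plain LDAP attribute name"]
    t = parse_user_templates(xml_text)
    bare = {v for v in t["required"] if "=" not in v}          # supplied per user
    fixed = {v.split("=", 1)[0] for v in t["required"] if "=" in v}  # fixed defaults
    if intended in fixed:
        findings.append(f"{intended} has a fixed default in the required list; every user would get the same RDN")
    elif intended not in bare:
        findings.append(f"{intended} missing from BasicUser required list")
    if intended not in t["search_values"]:
        findings.append(f"{intended} missing from BasicUserSearch template")
    if t["namingattribute"] != intended:
        findings.append(f"namingattribute is '{t['namingattribute']}', expected '{intended}'")
    return findings


if __name__ == "__main__":
    wanted = naming_attr_from_silent(SAMPLE_SILENT)
    for finding in check_naming_attribute(SAMPLE_UMS_XML, wanted) or ["consistent"]:
        print(finding)
```

Against the sample fragments the check reports that mail is missing from BasicUserSearch and that namingattribute still reads uid, which are exactly the two edits Step 3 and the template excerpt leave to the administrator. To run it against a real installation, pass the contents of /etc/opt/SUNWam/config/xml/ums.xml and your amsamplesilent copy instead of the samples, and do so before Step 2 of the second procedure: ET.fromstring raises on malformed XML, and finding that out after amadmin -r DAI has removed the service is the worse order.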