Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Chapter 19 Using Active Directory as the User Data Store

Sun OpenSSO Enterprise supports Microsoft Active Directory as the user data store.

Overview of Using Active Directory as the User Data Store

By default, OpenSSO Enterprise defines a set of object classes and attributes. These object classes and attributes are required in your Active Directory server if you want OpenSSO Enterprise to manage your Active Directory server.

The OpenSSO Console provides user management functionality based on the OpenSSO Enterprise predefined set of object classes and attributes, as specified through the OpenSSO Enterprise XML files. If the Active Directory server you are trying to access does not have these required object classes or the attributes defined, access involving the missing object class or attributes will fail, unless you change the user XML files to match the attributes defined for your Active Directory server.

For example, when you create a user via the OpenSSO Console, the Console writes out to the Active Directory server the predefined set of OpenSSO Enterprise object classes and attributes for the user. If the Active Directory server is not configured with the same set of user object classes and attributes, the user create operation will fail. When you use the Console's user information page to edit a user's information, unless the Active Directory server has the same set of attributes and/or object classes defined for the user as OpenSSO Enterprise does, the operation will fail.

The Access Manager Identity Repository (IdRepo) LDAPv3 plug-in provides attribute name mapping. You can refer to an attribute name as one name in OpenSSO Enterprise and a different name in your Active Directory server. As a result, you need not have all OpenSSO Enterprise attributes defined in Active Directory if you use attribute name mapping. However, if OpenSSO Enterprise has more attributes than you have in your Active Directory server, you cannot do one-to-one mapping, and some OpenSSO Enterprise read or write operations will fail due to missing attributes in the Active Directory server.

Requirements For Active Directory as the User Data Store

To configure and use Active Directory as the user data store, your deployment must meet these requirements:

Configuring Active Directory With the OpenSSO Enterprise Schema Files

The Access Manager Identity Repository (IdRepo) LDAPv3 plug-in must be able to assign the service's object class name to the user's object class attribute, so it can tell if a user has been assigned a given service. The following procedure describes how to load the OpenSSO Enterprise schema files into Active Directory and then to configure OpenSSO Enterprise to enable the OpenSSO Enterprise services.

Procedure: To Configure Active Directory with OpenSSO Enterprise Schema Files

  1. Back up the am_remote_ad_schema.ldif file.

    After you have unzipped opensso_enterprise_80.zip, this file is available in the following directory:

    zip-root/opensso/ldif

  2. In the am_remote_ad_schema.ldif file, replace @ROOT_SUFFIX@ with the root suffix of your Active Directory installation.

  3. Using Active Directory tools (or another tool of your choice), load the am_remote_ad_schema.ldif file from the previous step into Active Directory.

  4. Log in to the OpenSSO Administration Console. In the data store configuration page's LDAP User Attributes field, add the attribute names defined in the above LDIF file.

  5. If you are writing your own service with dynamic user attributes, the service.ldif file for Active Directory must NOT have the following lines:

    dn: CN=User,CN=Schema,CN=Configuration,ROOT_SUFFIX
    changetype: modify
    add: auxiliaryClass
    auxiliaryClass: yourClassname
    

    Otherwise, OpenSSO Enterprise will not be able to assign the service's object class name to the user's object class attribute.
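The following added example (not part of the OpenSSO distribution) prepares an OpenSSO LDIF file for Active Directory: it substitutes @ROOT_SUFFIX@ as step 2 requires and flags the CN=User auxiliaryClass modification that step 5 says a service.ldif for Active Directory must not contain. The sample LDIF content is constructed for illustration.

```python
"""Added example (not OpenSSO code): substitute @ROOT_SUFFIX@ and detect the
disallowed auxiliaryClass modification of the Active Directory User class."""

# Constructed sample: a schema record plus the modification that must be absent.
SAMPLE_LDIF = """\
dn: CN=exampleAttr,CN=Schema,CN=Configuration,@ROOT_SUFFIX@
changetype: add
objectClass: attributeSchema
lDAPDisplayName: exampleAttr

dn: CN=User,CN=Schema,CN=Configuration,@ROOT_SUFFIX@
changetype: modify
add: auxiliaryClass
auxiliaryClass: yourClassname
"""

def substitute_root_suffix(ldif_text, root_suffix):
    """Step 2: replace the placeholder with the deployment's root suffix."""
    return ldif_text.replace("@ROOT_SUFFIX@", root_suffix)

def parse_records(ldif_text):
    """Split LDIF into records mapping lowercase attribute name -> list of values."""
    records, current, last_key = [], {}, None
    for line in ldif_text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                    # blank line ends a record
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key:   # LDIF continuation line
            current[last_key][-1] += line[1:]
            continue
        key, _, value = line.partition(":")
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        records.append(current)
    return records

def find_user_auxiliary_class_mods(records):
    """Records that add auxiliaryClass to CN=User in the schema (step 5 forbids these)."""
    hits = []
    for rec in records:
        dn = rec.get("dn", [""])[0].lower()
        types = [v.lower() for v in rec.get("changetype", [])]
        adds = [v.lower() for v in rec.get("add", [])]
        if (dn.startswith("cn=user,cn=schema,cn=configuration,")
                and "modify" in types and "auxiliaryclass" in adds):
            hits.append(rec)
    return hits
```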

Configuring a Data Store For Active Directory

This section describes how to configure an Access Manager Identity Repository (IdRepo) LDAPv3 data store for Active Directory.

Procedure: To Configure a Data Store For Active Directory

  1. Log in to the OpenSSO Admin Console.

  2. Click Access Control, realm-name, Data Stores, and then New.

  3. Enter the Name, check Active Directory, and then click Next.

  4. Set the following Active Directory attributes.

    LDAP Server: Active Directory server name and port number that you want to connect to. For example: myADServer.example.com:389

    LDAP Bind DN: CN=Administrator,CN=Users,DC=example,DC=com

    LDAP Bind Password: Password for CN=Administrator,CN=Users,DC=example,DC=com

    LDAP Organization DN: DC=example,DC=com — Organization DN that this datastore will map to. This will be the base DN of all operations performed in this data store.

    Enable LDAP SSL: Select if the Active Directory server is in SSL mode.

    LDAP Connection Pool Minimum Size: Initial number of connections in the connection pool. Using a connection pool avoids having to create a new connection for each operation.

    LDAP Connection Pool Maximum Size: Maximum number of connections allowed.

    Maximum Results Returned from Search: Maximum number of search results to return. This value should be based on the size of your LDAP organization. The maximum number returned cannot exceed the size limit configured on the Active Directory server.

    Search Timeout: Maximum time in seconds to wait for results on a search operation.

    LDAP Follows Referral: Option specifying whether or not referrals to other LDAP servers are followed automatically.

    LDAPv3 Repository Plugin Class Name: Where to find the class file that implements the LDAPv3 repository.

    Attribute Name Mapping: Allows for common attributes known to the framework to be mapped to the native data store. Map the attributes as follows:

    • mail=userPrincipalName

    • iplanet-am-user-alias-list=objectGUID

    • employeeNumber=distinguishedName

    • uid=sAMAccountName

    • portalAddress=sAMAccountName

    • telephonenumber=displayName

    LDAPv3 Plugin Supported Types and Operations: No change is needed.

    LDAP Users Search Attribute: cn — Naming attribute of user.

    LDAP Users Search Filter: (objectclass=person)

    LDAP User Object Class: Object classes for users. When a user is created, this list of user object classes is added to the user's attribute list. Therefore, it is important that the object classes you enter here actually exist in the Active Directory server; otherwise, you will get an object class violation (error=65).

    Enter the following object classes (names are not case sensitive):

    • top

    • person

    • organizationalPerson

    • user

    LDAP User Attributes: Definitive list of attributes associated with a user. If an attribute is not on this list, it will not be sent or read. Therefore, if there is any possibility that a user entry can contain an attribute, you should list it here. Conversely, if an attribute is not defined in the Active Directory server, you should not enter it here; otherwise, you will get an error when OpenSSO Enterprise tries to write that attribute to Active Directory. Enter the following attributes (names are not case sensitive):

    • cn, description, displayName, distinguishedName, dn, employeeNumber, givenName, mail, manager, memberOf, name, objectClass, objectGUID, postalAddress, sAMAccountName, sAMAccountType, sn, streetAddress, telephoneNumber, userAccountControl, userpassword, userPrincipalname

    • iplanet-am-auth-configuration, iplanet-am-auth-login-success-url, iplanet-am-auth-login-failure-url, iplanet-am-auth-post-login-process-class

    • iplanet-am-session-add-session-listener-on-all-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-destroy-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status

    • iplanet-am-user-auth-modules, iplanet-am-user-login-status, iplanet-am-user-admin-start-dn, iplanet-am-user-auth-config, iplanet-am-user-alias-list, iplanet-am-user-success-url, iplanet-am-user-failure-url, iplanet-am-user-password-reset-options

    • iplanet-am-user-password-reset-question-answer, iplanet-am-user-password-reset-force-reset, sunIdentityServerDiscoEntries, iplanet-am-user-federation-info-key, iplanet-am-user-federation-info, sunIdentityMSISDNNumber

    • iplanet-am-user-admin-start-dn, iplanet-am-user-account-life, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-failure-url, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url

    • sunAMAuthInvalidAttemptsData

    • sunIdentityServerDeviceKeyValue, sunIdentityServerDeviceStatus, sunIdentityServerDeviceType, sunIdentityServerDeviceVersion, sunxmlkeyvalue

    • sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPSignKey, sunIdentityServerPPDemographicsBirthday, sunIdentityServerPPCommonNameFN, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPCommonNameMN, sunIdentityServerPPLegalIdentityAltIDType, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPAddressCard, sunIdentityServerPPLegalIdentityAltIDValue, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityVATIDValue, sunIdentityServerPPEncryptKey, sunIdentityServerPPMsgContact, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPCommonNamePT, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityVATIDType, sunIdentityServerPPDemographicsAge, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEmergencyContact, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeGreetMeSound, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameSN, sunIdentityServerPPInformalName, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPEmploymentIdentityAltO

    User Status Attribute: userAccountControl — Attribute to check to determine whether a user is active or inactive. When a user is created, the user's default active or inactive status is assigned based on the value in this field:

    • User Status Active Value: 544

    • User Status Inactive Value: 546

    LDAP Groups Search Attribute: cn — Naming attribute of a group. This attribute name will be used to construct the group's dn and search filter.

    LDAP Groups Search Filter: (objectclass=group) — Filter employed when doing a search for groups. The LDAP Groups Search Attribute will be prepended to this field to form the actual group search filter.

    LDAP Groups Container Naming Attribute: cn — Naming attribute for a group container if groups reside in a container; otherwise, leave it blank.

    LDAP Groups Container Value: users — Value for the group container.

    LDAP Groups Object Class: Object classes for groups. When a group is created, this list of group object classes is added to the group's attribute list. Enter the following object classes (names are not case sensitive):

    • group

    • top

    LDAP Groups Attributes: Definitive list of attributes associated with a group. Any attempt to read or write group attributes that are not on this list is not allowed. Therefore, you should enter all possible attributes. Enter the following attributes (names are not case sensitive):

    • objectClass

    • sAMAccountName

    • distinguishedName

    • member

    • objectCategory

    • dn

    • cn

    • sAMAccountType

    • name

    Attribute Name for Group Membership: memberOf — Name of the attribute whose values are the names of all the groups that this dn belongs to.

    Attribute Name of Unique Member: member — Attribute name whose value is a dn belonging to this group.

    Attribute Name of Group Member URL: memberUrl — Name of the attribute whose value is an LDAP URL that resolves to members belonging to this group.

    LDAP People Container Naming Attribute: cn — Naming attribute of people container if user resides in a people container.

    LDAP People Container Value: users

    LDAP Agents Search Attribute: cn — Naming attribute of an agent. This attribute name will be used to construct the agent's dn and search filter.

    LDAP Agents Container Naming Attribute: cn — Naming attribute of agent container if agent resides in an agent container.

    LDAP Agents Container Value: users — Value of the agent container.

    LDAP Agents Search Filter: (objectClass=sunIdentityServerDevice) — Filter employed when searching for an agent.

    LDAP Agents Object Class: Object classes for agents. When an agent is created, this list of object classes is added to the agent's attribute list. Enter the following object classes (names are not case sensitive):

    • person

    • organizationalPerson

    • sunIdentityServerDevice

    • top

    LDAP Agents Attributes: Definitive list of attributes associated with an agent. Any attempt to read or write agent attributes that are not on this list is not allowed. Enter the following attributes (names are not case sensitive):

    • cn

    • dn

    • name

    • objectClass

    • userPassword

    • sunIdentityServerDeviceVersion

    • sunIdentityServerDeviceType

    • sunIdentityServerDeviceKeyValue

    • sunIdentityServerDeviceStatus

    • sunxmlkeyvalue

    • description

    Persistent Search Base DN: DC=example,DC=com — Base DN to use for a persistent search. For Active Directory, this needs to be the root suffix.

    Persistent Search Maximum Idle Time Before Restart: Restart the persistent search if it has been idle for this maximum allowed time. Default value is OK.

    Maximum Number of Retries After Error Codes: Number of times to retry the persistent search operation if it encounters the error codes specified in LDAP Exception Error Codes to Retry On. Default value is OK.

    Delay Time Between Retries: Time to wait before each retry. Applies only to a persistent search connection. Default value is OK.

    LDAP Exception Error Codes to Retry On: Retry the persistent search operations if these errors are encountered. Default value is OK.

  5. Click Finish.
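The following added example (not OpenSSO code) shows what three of the settings above imply for a user write: Attribute Name Mapping renames OpenSSO attributes to their Active Directory names, LDAP User Attributes acts as the definitive list so anything else is never sent, and the User Status Active/Inactive Values 544 and 546 are userAccountControl values whose only difference is the ACCOUNTDISABLE bit (0x0002). The attribute list is a constructed subset of the page's list; the bit names are the standard userAccountControl flags.

```python
"""Added example (not OpenSSO code): attribute name mapping, definitive
attribute list, and the meaning of User Status values 544 / 546."""

# OpenSSO name -> Active Directory name, exactly as listed for the data store.
ATTRIBUTE_NAME_MAPPING = {
    "mail": "userPrincipalName",
    "iplanet-am-user-alias-list": "objectGUID",
    "employeeNumber": "distinguishedName",
    "uid": "sAMAccountName",
    "portalAddress": "sAMAccountName",
    "telephonenumber": "displayName",
}

# Constructed subset of the LDAP User Attributes list; names are not case sensitive.
LDAP_USER_ATTRIBUTES = {a.lower() for a in (
    "cn", "sn", "givenName", "displayName", "distinguishedName", "objectGUID",
    "sAMAccountName", "userPrincipalName", "userAccountControl", "objectClass")}

USER_STATUS_ACTIVE = 544    # 0x200 NORMAL_ACCOUNT | 0x020 PASSWD_NOTREQD
USER_STATUS_INACTIVE = 546  # 544 | 0x002 ACCOUNTDISABLE
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

def map_to_ad(opensso_attrs):
    """Return (attributes to send, names dropped, AD names given conflicting values)."""
    lower_map = {k.lower(): v for k, v in ATTRIBUTE_NAME_MAPPING.items()}
    sent, dropped, conflicts = {}, [], []
    for name, value in opensso_attrs.items():
        ad_name = lower_map.get(name.lower(), name)
        if ad_name.lower() not in LDAP_USER_ATTRIBUTES:
            dropped.append(name)        # not on the definitive list: never written
        elif ad_name in sent and sent[ad_name] != value:
            conflicts.append(ad_name)   # uid and portalAddress both map to sAMAccountName
        else:
            sent[ad_name] = value
    return sent, dropped, conflicts

def status_value(active):
    """Value written to userAccountControl when the Console creates a user."""
    return USER_STATUS_ACTIVE if active else USER_STATUS_INACTIVE

def is_active(user_account_control):
    """Decode an existing entry by bit, so 512 (a normal account that requires a
    password) also reads as active, not just the exact value 544."""
    return not int(user_account_control) & ACCOUNTDISABLE

def password_not_required(user_account_control):
    """True for accounts created with 544: AD does not require them to hold a password."""
    return bool(int(user_account_control) & PASSWD_NOTREQD)
```

Because 544 carries PASSWD_NOTREQD, accounts created through this data store are exempt from the domain's password-required rule until that bit is cleared; `password_not_required` is the check to run over such entries.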

Configuring an Authentication Module to Login Through Active Directory

Procedure: To Configure an Authentication Module to Login Through Active Directory

  1. In the OpenSSO Administration Console, click the realm for which you want to add the new authentication chain.

  2. Click the Authentication tab.

  3. Create a new module instance with the following data:

    • Primary Active Directory server: ADServer:ADServerPort

    • DN to Start User Search: dc=example,dc=com

    • DN for Root User Bind: cn=Administrator,cn=users,dc=RootUser,dc=com

    • Password for Root User Bind: AdministratorPassword

    • Attribute Used to Retrieve User Profile: sAMAccountName

    • Attributes Used to Search for a User to be Authenticated: sAMAccountName

    • Search Scope: SUBTREE

  4. Create a new Authentication chaining instance:

    1. Add a new instance for the authentication instance created in the previous step.

    2. Set the criteria to Sufficient.

  5. Change Default Authentication Chain to the new authentication chain you just created.

  6. Click Save.
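The following added example (not OpenSSO code) builds the user lookup filter from the module settings above (search attribute sAMAccountName under dc=example,dc=com with SUBTREE scope), escapes the typed user name per RFC 4515 so it cannot alter the filter, and applies the rule a lookup-then-bind module needs: bind as the user only when the search found exactly one entry under the base DN. It assumes the module ORs multiple search attributes into one filter.

```python
"""Added example (not OpenSSO code): user search filter construction and the
single-match rule for an Active Directory authentication module."""

SEARCH_BASE_DN = "dc=example,dc=com"      # DN to Start User Search
SEARCH_ATTRIBUTES = ["sAMAccountName"]     # Attributes Used to Search for a User
SEARCH_SCOPE = "SUBTREE"

def escape_filter_value(value):
    """RFC 4515: escape the characters that would change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_search_filter(username, attrs=SEARCH_ATTRIBUTES):
    """One equality term per configured attribute; ORed when there are several
    (assumed module behaviour)."""
    escaped = escape_filter_value(username)
    terms = "".join("(%s=%s)" % (a, escaped) for a in attrs)
    return terms if len(attrs) == 1 else "(|%s)" % terms

def select_user_dn(matches):
    """Return the DN to bind as, or None: the search must yield exactly one entry
    and it must sit under the configured base DN, otherwise fail closed."""
    if len(matches) != 1:
        return None
    dn = matches[0]
    return dn if dn.lower().endswith(SEARCH_BASE_DN.lower()) else None
```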

Next Steps

To log in using Active Directory for authentication, specify the following URL:

http://YourAccessManagerServer:port/amserver/UI/login?org=YourRealmName

Operational Notes

The above configuration will allow you to list users and groups. It will also allow you to perform some basic user profile operations. You should be able to change the following user profile information in the OpenSSO Console:

However, you cannot do the following operations because of missing attributes or object classes: