Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Chapter 20 Using IBM Tivoli Directory Server as the User Data Store

This chapter describes how to configure IBM Tivoli Directory Server as the Sun OpenSSO Enterprise user data store.


Requirements For Using Tivoli Directory Server as the User Data Store

To configure and use Tivoli Directory Server as the user data store, your deployment must meet these requirements:

Loading LDIF Files for Tivoli Directory Server

Load the following LDIF files into IBM Tivoli Directory Server using your preferred directory server utility. These files contain LDAP attributes and object classes used by OpenSSO Enterprise for Tivoli Directory Server.

These files are available in the zip-root/opensso/ldif directory, where zip-root is where you unzipped the OpenSSO Enterprise distribution file.

Configuring the Tivoli Directory Server Data Store in the OpenSSO Console

Procedure: To Configure the Tivoli Directory Server Data Store in the OpenSSO Console

  1. Log in to the OpenSSO Administration Console.

  2. Click Access Control, realm-name, Data Stores, and then New.

  3. Enter the Name, check Generic LDAPv3, and then click Next.

  4. On the New Data Store page, specify the following fields:

    LDAP Server: Fully qualified name and port number of the Tivoli Directory Server. For example:

    LDAP Bind DN: User DN who has sufficient access rights to Tivoli Directory Server. For example: cn=root

    LDAP Bind Password: Password of the “LDAP Bind DN” user.

    LDAP Organization DN: Base DN or starting point for this data store. For example: dc=opensso,dc=java,dc=net

    LDAP SSL: Check to use an SSL connection.

    LDAP Connection Pool Minimum Size: Use the default value 1.

    LDAP Connection Pool Maximum Size: Use the default value 10.

    Maximum Results Returned from Search: Use the default value 1000.

    Search Timeout: Use the default value 10.

    LDAP Follows Referral: Check Enabled.

    LDAPv3 Repository Plug-in Class Name: Use the default value: com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo

    Attribute Name Mapping: Not required.

    LDAPv3 Plug-in Supported Types and Operations: Operations that this data store can perform. Use the Current Values:

    • group=read,create,edit,delete

    • realm=read,create,edit,delete,service

    • user=read,create,edit,delete,service

    LDAPv3 Plug-in Search Scope: Use the default value: SCOPE_ONE

    LDAP Users Search Attribute: cn

    LDAP Users Search Filter: (objectclass=organizationalPerson)

    LDAP User Object Class: When a user is created, the user will be assigned these object classes. Depending on the object classes you have defined for your organization, some of the following default entries might not be necessary. If your organization has other object classes that are not on this list, add them to the list.

    OpenSSO Enterprise requires these object classes: iplanet-am-user-service, iplanetPreferences, sunFederationManagerDataStore, sunFMSAML2nameIdentifier, and sunIdentityServerLibertyPPService.

    person, inetadmin, inetorgperson, inetUser, iplanet-am-user-service, iplanetPreferences, organizationalperson, person, sunFederationManagerDataStore, sunFMSAML2nameIdentifier, sunIdentityServerLibertyPPService, top

    LDAP User Attributes: List of attributes that can be assigned to a user. Depending on how you have configured your directory server, you might have to add or remove some of the entries in this list. OpenSSO Enterprise requires the attributes with the “iplanet” and “sun” prefixes.

    adminRole, authorityRevocationList, caCertificate, cn, distinguishedName, dn, employeeNumber, givenName, inetUserHttpURL, inetUserStatus, iplanet-am-auth-configuration, iplanet-am-user-auth-modules, iplanet-am-session-add-session-listener-on-all-sessions, iplanet-am-session-destroy-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status, iplanet-am-user-admin-start-dn, iplanet-am-user-account-life, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-failure-url, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url, iplanet-am-static-group-dn, mail, manager, memberOf, objectClass, postalAddress, preferredlanguage, preferredLocale, preferredtimezone, sn, sunAMAuthInvalidAttemptsData, sunIdentityMSISDNNumber, telephoneNumber, uid, userPassword, userCertificate, iplanet-am-user-federation-info-key, iplanet-am-user-federation-info, sunIdentityServerDiscoEntries

    sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameFN, sunIdentityServerPPCommonNameSN, sunIdentityServerPPCommonNameMN, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPCommonNamePT, sunIdentityServerPPInformalName, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityAltIdType, sunIdentityServerPPLegalIdentityAltIdValue, sunIdentityServerPPLegalIdentityVATIdType, sunIdentityServerPPLegalIdentityVATIdValue, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEmploymentIdentityAltO, sunIdentityServerPPAddressCard, sunIdentityServerPPMsgContact, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPFacadegreetmesound, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPDemographicsAge, sunIdentityServerPPDemographicsBirthDay, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPSignKey, sunIdentityServerPPEncryPTKey, sunIdentityServerPPEmergencyContact, sun-fm-saml2-nameid-infokey, sun-fm-saml2-nameid-info

    Create User Attribute Mapping: Use the Current Values: cn, sn

    Attribute Name of User Status: inetuserStatus

    User Status Active Value: Active

    User Status Inactive Value: Inactive

    LDAP Groups Search Attribute: cn

    LDAP Groups Search Filter: The filter to use when searching for a group. You might have to change this value depending on which object class was used to denote a group: (objectclass=groupOfNames)

    LDAP Groups container Naming Attribute:

    LDAP Groups Container Value:

    LDAP Groups Object Class: Tivoli Directory Server 6.1 groups can be static, dynamic, and nested, but only a static group is supported by the Identity Repository (IdRepo) data store. A static group defines each member individually using the structural object class groupOfNames, groupOfUniqueNames, accessGroup, or accessRole, or the auxiliary object class ibm-staticgroup or ibm-globalAdminGroup. A static group using the structural object class groupOfNames or groupOfUniqueNames requires at least one member or uniquemember, respectively. ibm-staticgroup is the only class for which members are optional. All other object classes taking members require at least one member.

    Only one type of group object class is supported by OpenSSO Enterprise. If you choose a type of group that requires at least one member, you must enter a user in “Default Group Member's User DN”. This user is automatically added to the group when a group is created. You can remove this user from the group afterwards if you don't want this user to be a member of the group. Default values: accessGroup, ibm-staticGroup, top

    LDAP Groups Attributes: ou, dn, objectclass, cn, uniqueMember, description

    Attribute Name for Group Membership:

    Attribute Name of Unique Member: uniqueMember

    Attribute Name of Group Member URL: memberUri

    Default Group Member's User DN: This user will be automatically added to the group when the group is created. This is necessary because when you create a group in the OpenSSO console, no users are assigned to the group. But most of the Tivoli Directory Server groups require at least one member when the group is created. For example: cn=auser1,dc=opensso,dc=java,dc=net

    LDAP People Container Naming Attribute:

    LDAP People Container Value:

    Identity Types That Can Be Authenticated: Check User.

    Authentication Naming Attribute: uid

    Persistent Search Base DN: For example: ou=company,dc=example,dc=com

    Persistent Search Filter: (objectclass=*)

    Persistent Search Maximum Idle Time Before Restart: 0

    The Delay Time Between Retries: 1000

    Maximum Number of Retries After Error Codes: 3

    LDAP Exception Error Codes to Retry On: 80, 81, 91

    Caching: Check Enabled.

    Maximum Age of Cached Items: 600

    Maximum Size of the Cache: 10240

  5. Click Finish.
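The following Python script is an added example, not code from OpenSSO Enterprise or IBM Tivoli Directory Server. It models two of the rules from the data store settings above so that a planned configuration can be sanity-checked offline before any group or user lookup is attempted. First, the “LDAP Users Search Attribute” (cn) and “LDAP Users Search Filter” are combined into a single search filter, with the looked-up value escaped per RFC 4515 so that a value such as a login name cannot alter the filter; the exact shape of the filter OpenSSO builds is an assumption here, the escaping rule is not. Second, the static-group rule for Tivoli Directory Server is enforced: if the chosen “LDAP Groups Object Class” values require a member, a group created from the console (which assigns no members) must receive the “Default Group Member's User DN”, written under the attribute named in “Attribute Name of Unique Member”. The group names and DNs used in the demo are constructed sample values taken from the examples on this page.

```python
"""Offline model of two OpenSSO / Tivoli data store rules (added example)."""
from typing import Iterable, List, Optional

# --- 1. user lookup: combine search attribute and search filter safely ------

# RFC 4515 escapes for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(search_attr: str, search_filter: str, value: str) -> str:
    """Filter for one user: (&(<search attr>=<escaped value>)<configured filter>).

    The AND shape is an assumption about how the IdRepo plug-in combines the
    two settings; the escaping is what prevents filter injection either way.
    """
    return f"(&({search_attr}={escape_filter_value(value)}){search_filter})"


# --- 2. group creation: honour the "at least one member" rule ----------------

# Member-carrying object classes as described for Tivoli Directory Server 6.1.
# Every one of them requires a member except ibm-staticgroup.
_MEMBER_REQUIRED = {"groupofnames", "groupofuniquenames", "accessgroup",
                    "accessrole", "ibm-globaladmingroup"}
_MEMBER_OPTIONAL = {"ibm-staticgroup"}

# RFC 4514 characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value (e.g. the group cn) for use in a DN."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def member_required(object_classes: Iterable[str]) -> bool:
    """True if any configured group object class needs at least one member."""
    return any(oc.lower() in _MEMBER_REQUIRED for oc in object_classes)


def build_group_ldif(cn: str, base_dn: str, object_classes: Iterable[str],
                     member_attr: str, members: Iterable[str] = (),
                     default_member_dn: Optional[str] = None) -> List[str]:
    """Return the LDIF lines an add operation would carry for a new static group.

    `member_attr` is the "Attribute Name of Unique Member" setting and
    `default_member_dn` the "Default Group Member's User DN" setting.
    Raises ValueError when the object classes require a member and neither
    explicit members nor a default member DN are available.
    """
    object_classes = list(object_classes)
    members = list(members)
    if not members and default_member_dn:
        members.append(default_member_dn)   # console creates groups empty
    if member_required(object_classes) and not members:
        raise ValueError(
            "object classes %s require at least one %s; set Default Group "
            "Member's User DN" % (object_classes, member_attr))
    lines = [f"dn: cn={escape_dn_value(cn)},{base_dn}", "changetype: add"]
    lines += [f"objectclass: {oc}" for oc in object_classes]
    lines.append(f"cn: {cn}")
    lines += [f"{member_attr}: {m}" for m in members]
    return lines


if __name__ == "__main__":
    # Constructed sample values, taken from the examples on this page.
    base = "dc=opensso,dc=java,dc=net"
    print(user_lookup_filter("cn", "(objectclass=organizationalPerson)", "auser1"))
    print("\n".join(build_group_ldif(
        "admins", base, ["accessGroup", "ibm-staticGroup", "top"],
        "uniqueMember", default_member_dn=f"cn=auser1,{base}")))
```

Run it as-is to see the combined user filter and the LDIF an accessGroup creation would carry; change the object class list to ibm-staticGroup and top alone, and the default member DN is no longer needed, matching the exception the guide describes for that class.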