Sun Java System Federation Manager 7.0 User's Guide

Changing the Default Authentication Module from Flat File to Active Directory

Although Microsoft Active Directory is an LDAPv3–compliant directory, the procedure to change the default authentication module from Flat File to Active Directory is different from the procedure described in Changing the Default Authentication Module from Flat File to LDAP. The following sections describe the procedures:

Procedure: To Set Active Directory as the Default Authentication Module for an Organization

  1. Use ldapsearch in the following format to find the sunkeyvalue values that begin with iplanet-am-auth-org-config. The search base is the organization's authentication configuration entry under the Federation Manager configuration suffix; replace ROOTSUFFIX, AD-host, AD-port, admin-dn and admin-password with the values for your deployment.


    /usr/bin/ldapsearch -b "OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX" \
    -D admin-dn -w admin-password \
    -s base -h AD-host -p AD-port \
    "(objectclass=*)" sunkeyvalue

    Passing the password with -w places it in the process list and in the shell history; where your ldapsearch supports it, read the password from a file with restrictive permissions instead (the -j password-file option of the Sun directory tools).

    The search result looks like this. The value is a single line in the directory; it is wrapped here only for display, and the module class name and the REQUIRED flag are separated by a space:


    sunkeyvalue=iplanet-am-auth-org-config=<AttributeValuePair>
    <Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value>
    </AttributeValuePair>

    Save the search result exactly as returned; it is used in step 3 as the value of the Delete entry. An LDAP delete of a single value succeeds only if the value matches the stored value character for character, so do not retype or reformat it.

  2. Save the following text as an LDAP Data Interchange Format (LDIF) file. A single modify record that both deletes the old value and adds the new one is applied as one operation, so the organization is never left without a default authentication module. In LDIF each modification ends with a line containing only a hyphen, and each sunkeyvalue line must stay on one line.


    dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
    changetype: modify
    delete: sunkeyvalue
    sunkeyvalue: iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>
    -
    add: sunkeyvalue
    sunkeyvalue: iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authentication.modules.ad.AD REQUIRED</Value></AttributeValuePair>
    -
  3. Replace the value in the Delete section of the saved LDIF file with the value found in step 1, exactly as ldapsearch returned it.

  4. Type the new value into the Add section of the saved LDIF file. For Active Directory the value names the Active Directory module class, com.sun.identity.authentication.modules.ad.AD, followed by a space and the REQUIRED flag; this is the point at which the procedure differs from the LDAP procedure, which names the LDAP module class instead.

  5. Run ldapmodify using the LDIF file as input, then repeat the ldapsearch from step 1 to confirm that the returned sunkeyvalue now names the Active Directory module.

    /usr/bin/ldapmodify -h AD-host -p AD-port -D admin-dn -w admin-password -f name-of-LDIF-file
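
The following script is an added example, not part of this guide and not shipped with Federation Manager; it carries steps 1 through 5 out in one place. It reads the current default chain with ldapsearch, unfolds the LDIF output, builds one modify record that deletes the exact Flat File value and adds the Active Directory value, applies it with ldapmodify, and reads the value back to verify. The host, port, bind DN, password file path and suffix are placeholders, the sample search output is constructed, and the Active Directory module class name com.sun.identity.authentication.modules.ad.AD is the value assumed for the Add entry.

```shell
#!/bin/sh
# Added example; not from the Federation Manager guide. Scripts the step 1-5
# procedure above: read the current default chain, build one LDIF record that
# swaps Flat File for Active Directory, apply it and verify. Host, port, bind
# DN, password file and suffix below are placeholders (assumptions).

DIR_HOST="${DIR_HOST:-ad-host.example.com}"       # the guide's AD-host
DIR_PORT="${DIR_PORT:-389}"                        # the guide's AD-port
ADMIN_DN="${ADMIN_DN:-cn=Directory Manager}"       # the guide's admin-dn
PW_FILE="${PW_FILE:-/etc/opt/fm/admin.pw}"         # mode 0600: keeps the password out of ps and shell history
ROOT_SUFFIX="${ROOT_SUFFIX:-dc=example,dc=com}"    # the guide's ROOTSUFFIX
CONFIG_DN="OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,$ROOT_SUFFIX"
# Chain entry for the Active Directory module (assumed class name): class, space, flag.
NEW_CHAIN='com.sun.identity.authentication.modules.ad.AD REQUIRED'
FLATFILE_CLASS='com.sun.identity.authentication.modules.flatfile.FlatFile'

# extract_chain: read ldapsearch output on stdin, unfold LDIF continuation
# lines (a leading space joins a line to the one before it) and print the
# sunkeyvalue value that carries iplanet-am-auth-org-config. Handles both the
# "attr: value" and the older "attr=value" output styles.
extract_chain() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") flush(); buf = $0 }
    END { if (buf != "") flush() }
    function flush() {
      if (sub(/^sunkeyvalue[=:] */, "", buf) && buf ~ /^iplanet-am-auth-org-config=/)
        print buf
      buf = ""
    }'
}

# module_of VALUE: strip the AttributeValuePair wrapper, leaving "class FLAG".
module_of() {
  printf '%s\n' "$1" | sed -e 's/.*<Value>//' -e 's/<\/Value>.*//'
}

# build_ldif OLD NEW_CHAIN: one modify record that deletes the exact value
# found by the search and adds the AD chain in the same operation, so the
# entry is never left without a default module between two ldapmodify runs.
build_ldif() {
  printf 'dn: %s\nchangetype: modify\ndelete: sunkeyvalue\nsunkeyvalue: %s\n-\nadd: sunkeyvalue\nsunkeyvalue: %s\n-\n' \
    "$CONFIG_DN" "$1" \
    "iplanet-am-auth-org-config=<AttributeValuePair><Value>$2</Value></AttributeValuePair>"
}

# search_chain: step 1 against the live directory.
search_chain() {
  /usr/bin/ldapsearch -h "$DIR_HOST" -p "$DIR_PORT" -D "$ADMIN_DN" -j "$PW_FILE" \
    -b "$CONFIG_DN" -s base '(objectclass=*)' sunkeyvalue | extract_chain
}

# switch_to_ad: steps 1-5. Refuses to run unless the current chain is the
# Flat File module, so a second run or an unexpected existing chain is not
# silently overwritten; reads the value back after ldapmodify to verify.
switch_to_ad() {
  found=$(search_chain)
  case "$(module_of "$found")" in
    "$FLATFILE_CLASS "*) ;;
    *) echo "refusing: current default chain is '$(module_of "$found")', not Flat File" >&2
       return 1 ;;
  esac
  tmp=$(mktemp) || return 1
  build_ldif "$found" "$NEW_CHAIN" > "$tmp"
  /usr/bin/ldapmodify -h "$DIR_HOST" -p "$DIR_PORT" -D "$ADMIN_DN" -j "$PW_FILE" -f "$tmp"
  rc=$?
  rm -f "$tmp"
  [ "$rc" -eq 0 ] || return "$rc"
  [ "$(module_of "$(search_chain)")" = "$NEW_CHAIN" ]
}

# Constructed sample of step 1's output (an LDIF-folded long line); it is not
# data from a real directory and exists only for the dry run below.
SAMPLE_SEARCH='dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,dc=example,dc=com
sunkeyvalue: iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authenti
 cation.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>'

# dry_run: print the LDIF that would be sent for the sample, with no
# directory access.
dry_run() {
  build_ldif "$(printf '%s\n' "$SAMPLE_SEARCH" | extract_chain)" "$NEW_CHAIN"
}

case "${1:-}" in
  --apply) switch_to_ad ;;
  *) dry_run ;;
esac
```

Run the script with no arguments to print the LDIF it would send for the constructed sample; run it with --apply to perform the change against the directory named by the placeholders. The guard on the current value means the script stops rather than deleting a chain it did not expect, and the post-change search is the same check step 5 asks you to make by hand.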

Procedure: To Enable an Organization to Use the Active Directory Authentication Module

  1. In the Federation Manager Console, select the Organization tab.

  2. Under Organization, select the Authentication tab.

  3. Click Add.

    A list of Authentication Modules is displayed.

  4. Select Active Directory from the list and click Next.

  5. Configure the attributes for the Active Directory authentication module and click Assign.

  6. Under Organization, select the Authentication tab.

  7. Click the Edit button next to the Core authentication service.

    The Core attributes are displayed.

  8. Add Active Directory to the Organization Authentication Modules attribute by holding down the Control key and selecting Active Directory.

  9. Click Save.

    Active Directory is now enabled as an authentication module for the organization. To authenticate to Federation Manager through the Active Directory module, use a URL in the format protocol://host:port/deploy_URI/something?module=AD.