Although Microsoft Active Directory is an LDAPv3–compliant directory, the procedure to change the default authentication module from Flat File to Active Directory is different from the procedure described in Changing the Default Authentication Module from Flat File to LDAP. The following sections describe the procedures:
To Set Active Directory as the Default Authentication Module for an Organization
To Enable an Organization to Use the Active Directory Authentication Module
To Set Active Directory as the Default Authentication Module for an Organization

Use ldapsearch in the following format to find the values that begin with iplanet-am-auth-org-config.
/usr/bin/ldapsearch -b OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX -D admin-dn -w admin-password -s base -h AD-host -p AD-port "(objectclass=*)" sunkeyvalue
The search result would look like this:
sunkeyvalue=iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>
Save the search result; it is used in the following step as the value for the Delete entry.
Save the following text as a Lightweight Directory Interchange Format (LDIF) file. Each module entry is the module class name, a space, and the control flag (here REQUIRED); the Delete entry must match the existing value exactly, so that only that value is removed from the multi-valued sunkeyvalue attribute.
dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
changetype: modify
delete: sunkeyvalue
sunkeyvalue: iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>
-

dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
changetype: modify
add: sunkeyvalue
sunkeyvalue: iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authentication.modules.ldap.LDAP REQUIRED</Value></AttributeValuePair>
-
Type the found values from the previous step into the Delete section of the saved LDIF file.
Type the new values into the Add section of the saved LDIF file.
Run ldapmodify using the LDIF file as input.
/usr/bin/ldapmodify -h AD-host -p AD-port -D admin-dn -w admin-password -f name-of-LDIF-file
To Enable an Organization to Use the Active Directory Authentication Module

In the Federation Manager Console, select the Organization tab.
Under Organization, select the Authentication tab.
Click Add.
A list of Authentication Modules is displayed.
Select Active Directory from the list and click Next.
Configure the attributes for the Active Directory authentication module and click Assign.
Under Organization, select the Authentication tab.
Click the Edit button next to the Core authentication service.
The Core attributes are displayed.
Add Active Directory to the Organization Authentication Modules attribute by holding down the Control key and selecting Active Directory.
Click Save.
Active Directory is now enabled as an authentication module for the organization. To authenticate to Federation Manager through the Active Directory module, use a URL in the format protocol://host:port/deploy_URI/something?module=AD.