Sun Java System Federation Manager 7.0 User's Guide

Procedure: To Change the Default Administrator Authentication Module from Flat File to Microsoft Active Directory

  1. Use ldapsearch to read the sunkeyvalue attribute of the authentication service's default organization configuration entry and find the value that begins with iplanet-am-auth-admin-auth-module. Replace ROOTSUFFIX with the root suffix of your directory. A password given with -w is visible to other users of the host in the process list; on Solaris, ldapsearch can read it from a file with -j instead.


    /usr/bin/ldapsearch -b "OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX" \
        -D admin-dn -w admin-password \
        -s base -h AD-host -p AD-port \
        "(objectclass=*)" sunkeyvalue

    The search result looks like this (the module class name and the REQUIRED flag are separated by a space):


    sunkeyvalue=iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>

    Save the exact value returned; it is copied verbatim into the delete section of the LDIF file in the next step.

  2. Save the following text as a Lightweight Directory Interchange Format (LDIF) file. Both changes are in one modify record, separated by a line containing only a hyphen, so the directory applies them as a single operation and the entry is never left without an administrator authentication module. Each attribute value must be on one line (an LDIF continuation line begins with exactly one space, and any further leading spaces become part of the value), and the REQUIRED flag is separated from the class name by a space. Replace ROOTSUFFIX with the root suffix of your directory.


    dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
    changetype: modify
    delete: sunkeyvalue
    sunkeyvalue: iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>
    -
    add: sunkeyvalue
    sunkeyvalue: iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>com.sun.identity.authentication.modules.ldap.LDAP REQUIRED</Value></AttributeValuePair>
    -
  3. Replace the sunkeyvalue line in the delete section of the saved LDIF file with the exact value returned by the search in step 1. The delete must match the stored value character for character or the directory rejects the whole modify.

  4. Verify that the sunkeyvalue line in the add section names the LDAP authentication module, com.sun.identity.authentication.modules.ldap.LDAP, followed by a space and the REQUIRED flag.

  5. Run ldapmodify using the LDIF file as input, then repeat the search from step 1 and confirm that the only iplanet-am-auth-admin-auth-module value now names the LDAP module before continuing.

    /usr/bin/ldapmodify -h AD-host -p AD-port -D admin-dn -w admin-password -f name-of-LDIF-file

  6. Make the following changes in the AMConfig.properties file.

    AMConfig.properties is located in /FederationManager-base/web-src/WEB-INF/. Multiple entries are pipe-separated.

    1. Add the distinguished name (DN) of the administrator to the com.sun.identity.authentication.special.users property.

    2. (Optional) Change the DN in the com.sun.identity.authentication.super.user property.

      Do this only if you want to use an administrator that already exists in your directory instead of the default Federation Manager administrator, amadmin. To keep the default, create the amadmin user in Directory Server and give it read, write and search permissions on the ou=services branch of the directory information tree (DIT).

    3. Change the value of the admin.auth.classname property to com.sun.identity.authentication.internal.server.LocalLdapAuthModule.

  7. In the serverconfig.xml file, change the value of the server group's internalauthentication property to the administrator DN, its password and the correct base DN.

    serverconfig.xml is located in /FederationManager-base/web-src/WEB-INF/. Because it now holds the administrator's bind credentials, keep it readable only by the account that runs the web container.

  8. Regenerate and redeploy the WAR.

  9. Restart the web container, if applicable.
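Added example for steps 1 through 5 above; it is not code from the Federation Manager guide. This POSIX shell script builds the step 2 LDIF from the step 1 ldapsearch output, so the value to delete is copied verbatim rather than retyped, writes the delete and the add as one modify operation, and refuses to produce anything unless the entry is in the state the procedure assumes (exactly one administrator auth module value, and it is the flat-file module). The dc=example,dc=com suffix, the sample search output and the helper names are placeholders and constructed data for this example.

```shell
#!/bin/sh
# Added example, not code from the Federation Manager guide.
# Turns the step-1 ldapsearch output into the step-2 LDIF and checks that the
# current value is the one this procedure expects before emitting the modify.

FLATFILE_MODULE='com.sun.identity.authentication.modules.flatfile.FlatFile'
LDAP_MODULE='com.sun.identity.authentication.modules.ldap.LDAP'

# Constructed stand-in for what the step-1 search prints (dn line first, then
# the sunkeyvalue values). The suffix and the second value are invented.
SAMPLE_SEARCH_OUTPUT="dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,dc=example,dc=com
sunkeyvalue=iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>$FLATFILE_MODULE REQUIRED</Value></AttributeValuePair>
sunkeyvalue=some-other-key=<AttributeValuePair><Value>unrelated</Value></AttributeValuePair>"

# Print only the iplanet-am-auth-admin-auth-module value(s) from search output
# on stdin. Accepts the "attr=value" style shown in the guide and LDIF "attr: value".
admin_module_values() {
    sed -n 's/^sunkeyvalue[=:] *\(iplanet-am-auth-admin-auth-module=.*\)$/\1/p'
}

# Emit one LDIF modify record: delete the exact current value and add the new
# module in the same operation, so the entry never lacks an admin auth module.
# Arguments: entry DN, current value, new module class.
admin_module_ldif() {
    cat <<EOF
dn: $1
changetype: modify
delete: sunkeyvalue
sunkeyvalue: $2
-
add: sunkeyvalue
sunkeyvalue: iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>$3 REQUIRED</Value></AttributeValuePair>
-
EOF
}

# Read step-1 search output on stdin, write the LDIF to stdout.
# Refuses unless exactly one admin auth module value exists and it names the
# flat-file module: anything else is not the state this procedure assumes, and
# deleting the wrong value can lock the administrator out.
ldif_from_search_output() {
    input=$(cat)
    dn=$(printf '%s\n' "$input" | sed -n 's/^dn: *//p' | head -n 1)
    values=$(printf '%s\n' "$input" | admin_module_values)
    count=$(printf '%s\n' "$values" | grep -c . || true)
    if [ -z "$dn" ]; then
        echo 'no dn line in search output' >&2
        return 1
    fi
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one iplanet-am-auth-admin-auth-module value, found $count" >&2
        return 1
    fi
    case "$values" in
        *"<Value>$FLATFILE_MODULE REQUIRED</Value>"*) ;;
        *) echo "current module is not the flat-file module: $values" >&2
           return 1 ;;
    esac
    admin_module_ldif "$dn" "$values" "$LDAP_MODULE"
}

# Typical use after saving the step-1 search output to search.out:
#   ldif_from_search_output < search.out > admin-module.ldif
#   /usr/bin/ldapmodify -h AD-host -p AD-port -D admin-dn -w admin-password -f admin-module.ldif
# Run with "demo" as the first argument to see the LDIF built from the sample.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | ldif_from_search_output
fi
```

The hyphen line between the delete and the add is what makes the two changes one LDAP modify: the server applies them together or not at all, which avoids a window in which the entry has no administrator authentication module.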