Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

7.3 Modifying the Directory Server Schema

This deployment will be used to test SAML v2 communications. Towards this end, modify the LDAP schema used by the Directory Server user data instances on the service provider side to recognize and store SAML v2 attributes.

Procedure: To Modify the Directory Server LDAP Schema for SAML v2 User Data

  1. Log in to the ds2.sp-example.com host machine as a root user.

  2. Create an LDIF file with the following information and save it as /tmp/saml.ldif.

    This file includes the SAML v2 LDAP attribute types and the auxiliary object class that holds them. Each line that continues a wrapped value starts with a single space, as LDIF requires, and there must be no blank line inside the record (a blank line ends the record, and ldapmodify would reject what follows it).

    dn: CN=schema
    changetype: modify
    add: attributeTypes
    attributeTypes: ( 1.3.6.1.4.1.42.2.27.9.1.500
      NAME 'sun-fm-saml2-nameid-infokey'
      DESC 'SAML 2.0 Name Identifier Information Key'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      X-ORIGIN 'Sun Java System Access Management' )
    attributeTypes: ( 1.3.6.1.4.1.42.2.27.9.1.501
      NAME 'sun-fm-saml2-nameid-info'
      DESC 'SAML 2.0 Name Identifier Information'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      X-ORIGIN 'Sun Java System Access Management' )
    -
    add: objectClasses
    objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.200
      NAME 'sunFMSAML2NameIdentifier'
      DESC 'SAML 2.0 name identifier objectclass'
      SUP top AUXILIARY
      MAY ( sun-fm-saml2-nameid-infokey $ sun-fm-saml2-nameid-info )
      X-ORIGIN 'Sun Java System Access Management' )
  3. Run ldapmodify on the ds1.sp-example.com host machine using /tmp/saml.ldif as input.

    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ldapmodify -a -h ds2.sp-example.com -p 1489 \
      -D "cn=Directory Manager" -w dsmanager -f /tmp/saml.ldif

    modifying entry CN=schema
  4. Log out of the ds1.idp-example.com host machine.
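The schema LDIF in step 2 is easy to get wrong by hand (a missing continuation space or a stray blank line silently changes what ldapmodify applies). As an added example, not part of the OpenSSO guide, the following checker parses a single LDIF modify record the way RFC 2849 describes, unfolds wrapped values, rejects a blank line inside the record, and returns the mod-specs so the file can be inspected before it is fed to ldapmodify. The embedded record is a constructed copy of the page's /tmp/saml.ldif; the function names are this example's own.

```python
# Added example (not from the OpenSSO guide): a minimal RFC 2849 checker for
# a schema "changetype: modify" record such as /tmp/saml.ldif.
# Constructed copy of the page's record, folded the way LDIF requires
# (a wrapped value continues on a line that begins with one space).
SAML_LDIF = """dn: CN=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.42.2.27.9.1.500
  NAME 'sun-fm-saml2-nameid-infokey' DESC 'SAML 2.0 Name Identifier Information Key'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Sun Java System Access Management' )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.9.1.501
  NAME 'sun-fm-saml2-nameid-info' DESC 'SAML 2.0 Name Identifier Information'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Sun Java System Access Management' )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.42.2.27.9.2.200
  NAME 'sunFMSAML2NameIdentifier' DESC 'SAML 2.0 name identifier objectclass'
  SUP top AUXILIARY MAY ( sun-fm-saml2-nameid-infokey $ sun-fm-saml2-nameid-info )
  X-ORIGIN 'Sun Java System Access Management' )
"""

def unfold(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]          # drop the fold marker, keep the rest verbatim
        else:
            out.append(raw)
    return out

def parse_modify_record(text):
    """Return (dn, [(op, attr, [values]), ...]) for one LDIF modify record."""
    lines = unfold(text.strip("\n"))
    if any(not line.strip() for line in lines):
        raise ValueError("blank line inside the record: ldapmodify ends the record there")
    fields = [tuple(s.strip() for s in line.partition(":")[::2]) for line in lines]
    if fields[0][0] != "dn" or fields[1] != ("changetype", "modify"):
        raise ValueError("expected 'dn:' followed by 'changetype: modify'")
    changes, cur = [], None
    for name, value in fields[2:]:
        if (name, value) == ("-", ""):           # '-' closes one mod-spec
            cur = None
        elif cur is None:                         # start of a mod-spec: add/delete/replace: <attr>
            if name not in ("add", "delete", "replace"):
                raise ValueError("expected add/delete/replace, got %r" % name)
            cur = (name, value, [])
            changes.append(cur)
        elif name.lower() == cur[1].lower():      # a value for the attribute being changed
            cur[2].append(value)
        else:
            raise ValueError("%r appears inside the '%s: %s' mod-spec" % (name, cur[0], cur[1]))
    return fields[0][1], changes
```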