Once you have configured OpenDS, you can configure OpenSSO to work with OpenDS. Complete the following steps. Detailed instructions are provided in the following sections.
1. Create a new LDAPv3-compliant user data store. You can use the command-line interface or the OpenSSO Administration Console.
2. Add OpenSSO object classes and user attributes to the user data store.
3. (Optional) Remove the OpenSSO schema from OpenDS.
The ssoadm command line tool must already be configured in the OpenSSO server.
Log in to the OpenSSO host.
Download the text from Example 9–1 to a local file named datastore_opends_attrs.txt on your system. Modify the file as needed for your deployment. Be sure to replace the default OpenDS server name and port number (the <hostName.domain:portNumber> value of sun-idrepo-ldapv3-config-ldap-server) with your OpenDS server name and port number. In the following example, the root suffix is dc=opensso,dc=java,dc=net.
Run the following command:
ssoadm create-datastore -m "OpenDS User Store" -t "LDAPv3" -D datastore_opends_attrs.txt -u amadmin -f /tmp/.pass_of_amadmin -e /
The file .pass_of_amadmin contains the amadmin user's password in plain text; keep it readable only by the account that runs ssoadm.
(Optional) To use this server as the LDAP authentication data store:
Configure the LDAP authentication instance with the bind user cn=ldapuser.
Configure the policy configuration service with the bind user cn=ldapuser.
For more information, see the Sun OpenSSO Enterprise 8.0 Administration Reference.
Example 9–1 datastore_opends_attrs.txt

com.iplanet.am.ldap.connection.delay.between.retries=1000
RequiredValueValidator=
sun-idrepo-ldapv3-config-active=Active
sun-idrepo-ldapv3-config-auth-naming-attr=uid
sun-idrepo-ldapv3-config-authenticatable-type=User
sun-idrepo-ldapv3-config-authid=cn=openssouser,ou=opensso adminusers,dc=opensso,dc=java,dc=net
sun-idrepo-ldapv3-config-authpw=amsecret12
sun-idrepo-ldapv3-config-cache-enabled=false
sun-idrepo-ldapv3-config-cache-size=10240
sun-idrepo-ldapv3-config-cache-ttl=600
sun-idrepo-ldapv3-config-connection_pool_max_size=10
sun-idrepo-ldapv3-config-connection_pool_min_size=1
sun-idrepo-ldapv3-config-createuser-attr-mapping=cn
sun-idrepo-ldapv3-config-createuser-attr-mapping=sn
sun-idrepo-ldapv3-config-dftgroupmember=
sun-idrepo-ldapv3-config-errorcodes=80
sun-idrepo-ldapv3-config-errorcodes=81
sun-idrepo-ldapv3-config-errorcodes=91
sun-idrepo-ldapv3-config-filterrole-attributes=
sun-idrepo-ldapv3-config-filterrole-objectclass=
sun-idrepo-ldapv3-config-group-attributes=cn
sun-idrepo-ldapv3-config-group-attributes=description
sun-idrepo-ldapv3-config-group-attributes=dn
sun-idrepo-ldapv3-config-group-attributes=iplanet-am-group-subscribable
sun-idrepo-ldapv3-config-group-attributes=objectclass
sun-idrepo-ldapv3-config-group-attributes=ou
sun-idrepo-ldapv3-config-group-attributes=uniqueMember
sun-idrepo-ldapv3-config-group-container-name=ou
sun-idrepo-ldapv3-config-group-container-value=groups
sun-idrepo-ldapv3-config-group-objectclass=groupofuniquenames
sun-idrepo-ldapv3-config-group-objectclass=iplanet-am-managed-group
sun-idrepo-ldapv3-config-group-objectclass=iplanet-am-managed-static-group
sun-idrepo-ldapv3-config-group-objectclass=top
sun-idrepo-ldapv3-config-groups-search-attribute=cn
sun-idrepo-ldapv3-config-groups-search-filter=(objectclass=groupOfUniqueNames)
sun-idrepo-ldapv3-config-idletimeout=0
sun-idrepo-ldapv3-config-inactive=Inactive
sun-idrepo-ldapv3-config-isactive=inetuserstatus
sun-idrepo-ldapv3-config-ldap-server=<hostName.domain:portNumber>
sun-idrepo-ldapv3-config-max-result=1000
sun-idrepo-ldapv3-config-memberof=
sun-idrepo-ldapv3-config-memberurl=memberUrl
sun-idrepo-ldapv3-config-nsrole=
sun-idrepo-ldapv3-config-nsroledn=
sun-idrepo-ldapv3-config-nsrolefilter=
sun-idrepo-ldapv3-config-numretires=3
sun-idrepo-ldapv3-config-organization_name=dc=opensso,dc=java,dc=net
sun-idrepo-ldapv3-config-people-container-name=ou
sun-idrepo-ldapv3-config-people-container-value=people
sun-idrepo-ldapv3-config-psearch-filter=(objectclass=*)
sun-idrepo-ldapv3-config-psearch-scope=SCOPE_SUB
sun-idrepo-ldapv3-config-psearchbase=dc=opensso,dc=java,dc=net
sun-idrepo-ldapv3-config-referrals=true
sun-idrepo-ldapv3-config-search-scope=SCOPE_ONE
sun-idrepo-ldapv3-config-service-attributes=
sun-idrepo-ldapv3-config-ssl-enabled=false
sun-idrepo-ldapv3-config-time-limit=10
sun-idrepo-ldapv3-config-uniquemember=uniqueMember
sun-idrepo-ldapv3-config-user-attributes=adminRole
sun-idrepo-ldapv3-config-user-attributes=authorityRevocationList
sun-idrepo-ldapv3-config-user-attributes=caCertificate
sun-idrepo-ldapv3-config-user-attributes=cn
sun-idrepo-ldapv3-config-user-attributes=distinguishedName
sun-idrepo-ldapv3-config-user-attributes=dn
sun-idrepo-ldapv3-config-user-attributes=employeeNumber
sun-idrepo-ldapv3-config-user-attributes=facsimileTelephoneNumber
sun-idrepo-ldapv3-config-user-attributes=givenName
sun-idrepo-ldapv3-config-user-attributes=homePhone
sun-idrepo-ldapv3-config-user-attributes=homePostalAddress
sun-idrepo-ldapv3-config-user-attributes=inetUserHttpURL
sun-idrepo-ldapv3-config-user-attributes=inetUserStatus
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-auth-configuration
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-session-add-session-listener-on-all-sessions
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-session-destroy-sessions
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-session-get-valid-sessions
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-session-max-caching-time
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-session-max-idle-time
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-session-max-session-time
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-session-quota-limit
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-session-service-status
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-static-group-dn
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-account-life
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-admin-start-dn
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-alias-list
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-auth-config
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-auth-modules
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-failure-url
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-federation-info
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-federation-info-key
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-login-status
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-password-reset-force-reset
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-password-reset-options
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-password-reset-question-answer
sun-idrepo-ldapv3-config-user-attributes=iplanet-am-user-success-url
sun-idrepo-ldapv3-config-user-attributes=mail
sun-idrepo-ldapv3-config-user-attributes=manager
sun-idrepo-ldapv3-config-user-attributes=memberOf
sun-idrepo-ldapv3-config-user-attributes=mobile
sun-idrepo-ldapv3-config-user-attributes=ds-pwp-account-disabled
sun-idrepo-ldapv3-config-user-attributes=objectClass
sun-idrepo-ldapv3-config-user-attributes=pager
sun-idrepo-ldapv3-config-user-attributes=postalAddress
sun-idrepo-ldapv3-config-user-attributes=postofficebox
sun-idrepo-ldapv3-config-user-attributes=preferredlanguage
sun-idrepo-ldapv3-config-user-attributes=preferredLocale
sun-idrepo-ldapv3-config-user-attributes=preferredtimezone
sun-idrepo-ldapv3-config-user-attributes=secretary
sun-idrepo-ldapv3-config-user-attributes=sn
sun-idrepo-ldapv3-config-user-attributes=street
sun-idrepo-ldapv3-config-user-attributes=sun-fm-saml2-nameid-info
sun-idrepo-ldapv3-config-user-attributes=sun-fm-saml2-nameid-infokey
sun-idrepo-ldapv3-config-user-attributes=sunAMAuthInvalidAttemptsData
sun-idrepo-ldapv3-config-user-attributes=sunIdentityMSISDNNumber
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerDiscoEntries
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPAddressCard
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPCommonNameAltCN
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPCommonNameCN
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPCommonNameFN
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPCommonNameMN
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPCommonNamePT
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPCommonNameSN
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPDemographicsAge
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPDemographicsBirthDay
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPDemographicsDisplayLanguage
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPDemographicsLanguage
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPDemographicsTimeZone
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPEmergencyContact
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPEmploymentIdentityAltO
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPEmploymentIdentityJobTitle
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPEmploymentIdentityOrg
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPEncryPTKey
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPFacadegreetmesound
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPFacadeGreetSound
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPFacadeMugShot
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPFacadeNamePronounced
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPFacadeWebSite
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPInformalName
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPLegalIdentityAltIdType
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPLegalIdentityAltIdValue
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPLegalIdentityDOB
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPLegalIdentityGender
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPLegalIdentityLegalName
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPLegalIdentityMaritalStatus
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPLegalIdentityVATIdType
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPLegalIdentityVATIdValue
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPMsgContact
sun-idrepo-ldapv3-config-user-attributes=sunIdentityServerPPSignKey
sun-idrepo-ldapv3-config-user-attributes=telephoneNumber
sun-idrepo-ldapv3-config-user-attributes=uid
sun-idrepo-ldapv3-config-user-attributes=userCertificate
sun-idrepo-ldapv3-config-user-attributes=userPassword
sun-idrepo-ldapv3-config-user-objectclass=inetadmin
sun-idrepo-ldapv3-config-user-objectclass=inetorgperson
sun-idrepo-ldapv3-config-user-objectclass=inetUser
sun-idrepo-ldapv3-config-user-objectclass=iplanet-am-managed-person
sun-idrepo-ldapv3-config-user-objectclass=iplanet-am-user-service
sun-idrepo-ldapv3-config-user-objectclass=iPlanetPreferences
sun-idrepo-ldapv3-config-user-objectclass=organizationalPerson
sun-idrepo-ldapv3-config-user-objectclass=person
sun-idrepo-ldapv3-config-user-objectclass=sunFederationManagerDataStore
sun-idrepo-ldapv3-config-user-objectclass=sunFMSAML2NameIdentifier
sun-idrepo-ldapv3-config-user-objectclass=sunIdentityServerLibertyPPService
sun-idrepo-ldapv3-config-user-objectclass=top
sun-idrepo-ldapv3-config-users-search-attribute=uid
sun-idrepo-ldapv3-config-users-search-filter=(objectclass=inetorgperson)
sun-idrepo-ldapv3-ldapv3Generic=
sunIdRepoAttributeMapping=
sunIdRepoClass=com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo
sunIdRepoSupportedOperations=group=read,create,edit,delete
sunIdRepoSupportedOperations=realm=read,create,edit,delete,service
sunIdRepoSupportedOperations=user=read,create,edit,delete,service
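The following script is an added example and is not part of the Sun documentation or of OpenSSO itself. It reads an attribute file in the key=value form that ssoadm create-datastore -D consumes (one pair per line, a repeated key being a multi-valued attribute) and reports what still has to be changed before the file is handed to ssoadm: the <hostName.domain:portNumber> placeholder left in sun-idrepo-ldapv3-config-ldap-server, organization_name or psearchbase that do not match the root suffix, a bind DN outside that suffix, the sample bind password from Example 9–1 still in place, SSL left off, or inetorgperson missing from the user object classes that users-search-filter relies on. The embedded SAMPLE is a constructed, trimmed copy of Example 9–1, the function names and the set of checks are this example's own, and opends.example.com:1636 is a made-up host and port.

```python
"""Pre-flight checks for an ssoadm attribute file such as datastore_opends_attrs.txt.

Added example, not from the Sun OpenSSO documentation or the OpenSSO project.
"""
from collections import defaultdict

# Constructed, trimmed stand-in for Example 9-1 with the placeholders still in place.
SAMPLE = """\
sun-idrepo-ldapv3-config-authid=cn=openssouser,ou=opensso adminusers,dc=opensso,dc=java,dc=net
sun-idrepo-ldapv3-config-authpw=amsecret12
sun-idrepo-ldapv3-config-ldap-server=<hostName.domain:portNumber>
sun-idrepo-ldapv3-config-organization_name=dc=opensso,dc=java,dc=net
sun-idrepo-ldapv3-config-psearchbase=dc=opensso,dc=java,dc=net
sun-idrepo-ldapv3-config-ssl-enabled=false
sun-idrepo-ldapv3-config-user-objectclass=inetorgperson
sun-idrepo-ldapv3-config-user-objectclass=inetUser
sun-idrepo-ldapv3-config-user-objectclass=top
sun-idrepo-ldapv3-config-user-attributes=cn
sun-idrepo-ldapv3-config-user-attributes=sn
sun-idrepo-ldapv3-config-user-attributes=uid
sun-idrepo-ldapv3-config-users-search-filter=(objectclass=inetorgperson)
sunIdRepoClass=com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo
"""

ROOT_SUFFIX = "dc=opensso,dc=java,dc=net"   # the suffix used throughout this chapter
SAMPLE_BIND_PASSWORD = "amsecret12"          # the value printed in Example 9-1


def parse_attrs(text):
    """Parse key=value lines into {key: [value, ...]} (insertion order kept).
    The split is on the first '=' only, so DNs and LDAP filters in the value
    keep their own '=' characters."""
    attrs = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        attrs[key.strip()].append(value.strip())
    return dict(attrs)


def first(attrs, key, default=""):
    """Single-valued lookup with a default for an absent key."""
    return attrs.get(key, [default])[0]


def check_attrs(attrs, root_suffix=ROOT_SUFFIX):
    """Return the list of things still to fix before running ssoadm create-datastore.
    An empty list means every check in this script passed."""
    problems = []
    server = first(attrs, "sun-idrepo-ldapv3-config-ldap-server")
    if not server or server.startswith("<") or ":" not in server:
        problems.append("ldap-server: replace the placeholder with the OpenDS host:port")
    for key in ("sun-idrepo-ldapv3-config-organization_name",
                "sun-idrepo-ldapv3-config-psearchbase"):
        if attrs.get(key) != [root_suffix]:
            problems.append(f"{key}: expected {root_suffix}, found {attrs.get(key)}")
    bind_dn = first(attrs, "sun-idrepo-ldapv3-config-authid")
    if not bind_dn.lower().endswith(root_suffix.lower()):
        problems.append(f"authid: bind DN {bind_dn!r} is not under {root_suffix}")
    if first(attrs, "sun-idrepo-ldapv3-config-authpw") == SAMPLE_BIND_PASSWORD:
        problems.append("authpw: the password printed in the documentation is still in the file")
    if first(attrs, "sun-idrepo-ldapv3-config-ssl-enabled", "false").lower() != "true":
        problems.append("ssl-enabled=false: bind password and user data cross the network unencrypted")
    classes = {oc.lower() for oc in attrs.get("sun-idrepo-ldapv3-config-user-objectclass", [])}
    if "inetorgperson" not in classes:
        problems.append("user-objectclass: inetorgperson missing, but users-search-filter relies on it")
    return problems


def fixed_sample(host_port="opends.example.com:1636", bind_password="<real-openssouser-password>"):
    """The same constructed sample with the placeholders filled in and SSL turned on."""
    return (SAMPLE.replace("<hostName.domain:portNumber>", host_port)
                  .replace(SAMPLE_BIND_PASSWORD, bind_password)
                  .replace("ssl-enabled=false", "ssl-enabled=true"))


if __name__ == "__main__":
    import sys
    # Run against a real file: python check_attrs.py datastore_opends_attrs.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for problem in check_attrs(parse_attrs(text)) or ["no problems found"]:
        print(problem)
```

Run with the path to your edited datastore_opends_attrs.txt as the only argument; with no argument it checks the embedded sample and reports the three placeholders that Example 9–1 leaves for you to fill in. The ssl-enabled check is an opinion of this script, not a requirement of ssoadm: the documented example runs without SSL, but the bind password in sun-idrepo-ldapv3-config-authpw then crosses the network in the clear on every connection.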
Log in to the OpenSSO administration console.
Click Access, Top-level Realm, and Data Stores.
On the Data Stores tab, click the Generic LDAP v3 user data store.
On the Generic LDAP v3 data store page, add the LDAP User object classes and attributes.
If they do not already exist, add the following LDAP User Object Classes:
inetadmin
inetorgperson
inetUser
iplanet-am-managed-person
iplanet-am-user-service
iPlanetPreferences
organizationalPerson
person
sunFederationManagerDataStore
sunFMSAML2NameIdentifier
sunIdentityServerLibertyPPService
top
If they do not already exist, add the following LDAP User Attributes:
adminRole
authorityRevocationList
caCertificate
cn
distinguishedName
dn
ds-pwp-account-disabled
employeeNumber
facsimileTelephoneNumber
givenName
homePhone
homePostalAddress
inetUserHttpURL
inetUserStatus
iplanet-am-auth-configuration
iplanet-am-session-add-session-listener-on-all-sessions
iplanet-am-session-destroy-sessions
iplanet-am-session-get-valid-sessions
iplanet-am-session-max-caching-time
iplanet-am-session-max-idle-time
iplanet-am-session-max-session-time
iplanet-am-session-quota-limit
iplanet-am-session-service-status
iplanet-am-static-group-dn
iplanet-am-user-account-life
iplanet-am-user-admin-start-dn
iplanet-am-user-alias-list
iplanet-am-user-auth-config
iplanet-am-user-auth-modules
iplanet-am-user-failure-url
iplanet-am-user-federation-info
iplanet-am-user-federation-info-key
iplanet-am-user-login-status
iplanet-am-user-password-reset-force-reset
iplanet-am-user-password-reset-options
iplanet-am-user-password-reset-question-answer
iplanet-am-user-success-url
mail
manager
memberOf
mobile
objectClass
pager
postalAddress
postofficebox
preferredlanguage
preferredLocale
preferredtimezone
secretary
sn
street
sunAMAuthInvalidAttemptsData
sun-fm-saml2-nameid-info
sun-fm-saml2-nameid-infokey
sunIdentityMSISDNNumber
sunIdentityServerDiscoEntries
sunIdentityServerPPAddressCard
sunIdentityServerPPCommonNameAltCN
sunIdentityServerPPCommonNameCN
sunIdentityServerPPCommonNameFN
sunIdentityServerPPCommonNameMN
sunIdentityServerPPCommonNamePT
sunIdentityServerPPCommonNameSN
sunIdentityServerPPDemographicsAge
sunIdentityServerPPDemographicsBirthDay
sunIdentityServerPPDemographicsDisplayLanguage
sunIdentityServerPPDemographicsLanguage
sunIdentityServerPPDemographicsTimeZone
sunIdentityServerPPEmergencyContact
sunIdentityServerPPEmploymentIdentityAltO
sunIdentityServerPPEmploymentIdentityJobTitle
sunIdentityServerPPEmploymentIdentityOrg
sunIdentityServerPPEncryPTKey
sunIdentityServerPPFacadegreetmesound
sunIdentityServerPPFacadeGreetSound
sunIdentityServerPPFacadeMugShot
sunIdentityServerPPFacadeNamePronounced
sunIdentityServerPPFacadeWebSite
sunIdentityServerPPInformalName
sunIdentityServerPPLegalIdentityAltIdType
sunIdentityServerPPLegalIdentityAltIdValue
sunIdentityServerPPLegalIdentityDOB
sunIdentityServerPPLegalIdentityGender
sunIdentityServerPPLegalIdentityLegalName
sunIdentityServerPPLegalIdentityMaritalStatus
sunIdentityServerPPLegalIdentityVATIdType
sunIdentityServerPPLegalIdentityVATIdValue
sunIdentityServerPPMsgContact
sunIdentityServerPPSignKey
telephoneNumber
uid
userCertificate
userPassword
Click Save.
If at some point you want to remove the schema that you added to OpenDS in these instructions, log in to the OpenDS host and run the following command:
ldapmodify -h opends-host -p opends_port -D "cn=directory manager" -w password -c -f remove_am_remote_opends_schema.ldif
This will remove the OpenSSO user schema.