The following table summarizes the user management operations supported through the IDRepo interface for various user data stores. An interface has been implemented specifically for Sun Directory Server and Microsoft Active Directory. The default implementation of this interface can be used and supported for any LDAPv3 user repository.
Feature |
Sun Directory Server LDAPv3 |
OpenDS |
Microsoft Active Directory LDAPv3 |
IBM Tivoli Directory |
AMSDK (Legacy) |
---|---|---|---|---|---|
Create User |
Yes |
Yes |
Yes* |
Yes |
Yes |
Modify User |
Yes |
Yes |
Yes* |
Yes |
Yes |
Delete User |
Yes |
Yes |
Yes* |
Yes |
Yes |
Create Role |
Yes |
No |
No |
No |
Yes |
Modify Role |
Yes |
No |
No |
No |
Yes |
Delete Role |
Yes |
No |
No |
No |
Yes |
Assign Role |
Yes |
No |
No |
No |
Yes |
Evaluate Role for Membership |
Yes |
No |
No |
No |
Yes |
Create Group |
Yes |
Yes |
Yes* |
Yes** |
Yes |
Modify Group |
Yes |
Yes |
Yes* |
Yes** |
Yes |
Delete Group |
Yes |
Yes |
Yes* |
Yes** |
Yes |
Evaluate Group for Membership |
Yes |
Yes |
Yes* |
Yes** |
Yes |
Federation Attributes |
Yes |
Yes |
Yes |
Yes |
Yes |
*Some limitations exist, or additional configuration is required. **See the limitations described in the next section. |
IBM Tivoli Directory Server's groups can be Static, Dynamic, and Nested. However, the OpenSSO Enterprise IDRepo framework (IDRepo DataStore) supports only the
Static group. A Static group defines each member individually using either of the following:
Structural ObjectClass: groupofNames, groupOfUniqueNames, accessGroup, or accessRole
Auxilary ObjectClass: ibm-staticgroup or ibm-globalAdminGroup
A Static group using the Structural ObjectClass groupOfNames and groupOfUniqueNames requires at least one member for ObjectClass groupOfNames or one uniquemember for groupOfUniqueNames. The Static group using the ObjectClass ibm-staticgroup does not have this requirement. The ObjectClass ibm-staticgroup is the only ObjectClass for which members are optional; all other object classes require at least one member.
OpenSSO Enterprise supports only one ObjectClass for groups. If you choose a type of group with an ObjectClass that requires at leas one member, then a user value must be present. This user will automatically be added to the group when a group is created. You can remove this user from the group afterward if you don't
want this user to be a member of the group.
The value for the filter for searching of groups must the value specified by the chosen LDAP Group ObjectClass.
Most IBM Tivoli groups require at least one member when the group is created. When a group is created using the OpenSSO Enterprise console, no users are assigned to the group by default. Since IBM Tivoli has this restriction, when a group is created, the default user or member cn=auser1,dc=opensso,dc=java,dc=net is always automatically created and added to the group.