You can create a new data store instance for any generic LDAPv3 repository when Access Manager is installed in either Realms or Legacy mode. You should choose the LDAPv3 repository type under the following conditions:
When roles, class of service (CoS), and compatibility with previous versions of Access Manager are not required.
When you want to use an existing directory.
When you want to use a directory server other than Sun Java System Directory Server for the identity repository.
When you do not want Access Manager to write to identity repositories.
When you want to use a flat Directory Information Tree (DIT).
The following section describes the steps to connect a generic LDAPv3 data store.
Click the Data Store tab.
Click New from the Data Stores list.
Enter a name for the data store.
Define the attributes for the LDAPv3 repository plug-in.
Click Finish.
The following attributes are used to configure an LDAPv3 repository plug-in:
Enter the name of the LDAP server to which you will be connecting. The format should be hostname.domainname:portnumber.
If more than one host:portnumber entry is entered, an attempt is made to connect to the first host in the list. The next entry in the list is tried only if the attempt to connect to the current host fails.
Specifies the DN that Access Manager will use to authenticate (bind) to the LDAP server to which you are currently connected. The user with this bind DN should have the add, modify, and delete privileges required by the operations you configured in the LDAPv3 Supported Types and Operations attribute.
Specifies the password for the bind DN that Access Manager will use to authenticate to the LDAP server to which you are currently connected.
Confirm the password.
The DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.
When enabled, Access Manager will connect to the primary server using the HTTPS protocol.
Specifies the initial number of connections in the connection pool. Using a connection pool avoids having to create a new connection for each request.
Specifies the maximum number of connections allowed in the pool.
Specifies the maximum number of entries returned from a search operation. If this limit is reached, Directory Server returns any entries that match the search request.
Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any search entries that match the search request.
If enabled, this option specifies that referrals to other LDAP servers are followed automatically.
Specifies the location of the class file which implements the LDAPv3 repository.
Enables common attributes known to the framework to be mapped to the native data store. For example, if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive.
Specifies the operations that are permitted on this LDAP server. The default operations are the only operations supported by this LDAPv3 repository plug-in. The following operations are supported by the LDAPv3 Repository Plug-in:
group — read, create, edit, delete
realm — read, create, edit, delete, service
user — read, create, edit, delete, service
agent — read, create, edit, delete
You can remove permissions from the above based on your LDAP server settings and the tasks required, but you cannot add more permissions.
This field defines the attribute type used to search for a user. For example, if the user's DN is uid=kuser5,ou=people,dc=iplanet,dc=com, then the naming attribute is uid. (uid=*) will be appended to the search filter for the user.
Specifies the search filter to be used to find user entries. For example, if LDAP Users Search Attribute is uid and LDAP Users Search Filter is (objectClass=inetorgperson), then the actual user search filter will be: (&(uid=*)(objectClass=inetorgperson)).
Specifies the object classes for a user. When a user is created, this list of user object classes will be added to the user's attributes list.
Defines the list of attributes associated with a user. Any attempt to read/write user attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.
This field defines the attribute type for which to conduct a search on a group. For example, if the group dn is cn=group1,ou=groups,dc=iplanet,dc=com, the naming attribute for group is cn and (cn=*) will be appended to the group search filter.
Specifies the search filter to be used to find group entries. For example, if "LDAP Groups Search Attribute" is cn and "LDAP Groups Search Filter" is (objectclass=groupOfUniqueNames), the actual group search filter will be (&(cn=*)(objectclass=groupOfUniqueNames)).
Specifies the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.
Specifies the value for the group container. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in a container named ou=groups, then the group container value would be groups.
Specifies the object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.
Defines the list of attributes associated with a group. Any attempt to read/write group attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.
Specifies the name of the attribute whose values are the names of all the groups to which DN belongs. The default is memberOf.
Specifies the name of the attribute whose values are the DNs of the members of this group. The default is uniqueMember.
Specifies the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.
Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container. For example, given a user DN uid=kuser5,ou=people,dc=iplanet,dc=com, if ou=people is the name of the people container, then the naming attribute is ou.
Specifies the value of the people container. The default is people. For example, given a user dn uid=kuser5,ou=people,dc=iplanet,dc=com, if ou=people is the name of the people container, then the naming attribute is ou and people is the "LDAP People Container Value."
This field defines the attribute type for which to conduct a search on an agent. The default is uid. For example, if the agent's dn is uid=kagent1,ou=agents,dc=iplanet,dc=com, then the agent's naming attribute is uid. (uid=*) will be appended to the search filter for the agent.
Specifies the naming attribute of the agent container if the agent resides in an agent container. This field is left blank if the agent does not reside in an agent container. For example, given an agent DN uid=kagent1,ou=agents,dc=iplanet,dc=com, the agent container naming attribute is ou.
Specifies the value of the agent container. It is left blank if the agent does not reside in an agent container. In the previous example, the agent container value would be agents.
Defines the filter used to search for an agent. The LDAP Agents Search Attribute is prepended to this field to form the actual agent search filter.
For example, if the LDAP Agents Search Attribute is uid and the LDAP Agents Search Filter is (objectClass=sunIdentityServerDevice), then the actual agent search filter will be: (&(uid=*)(objectClass=sunIdentityServerDevice)).
Defines the object classes for agents. When an agent is created, this list of agent object classes will be added to the agent's attributes list.
Defines the list of attributes associated with an agent. Any attempt to read/write agent attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.
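The following added example (not code from Access Manager or its documentation) shows how the user, group, and agent settings described above combine into the search filter, search base, and attribute checks that the plug-in applies against the directory. The configuration values, DNs, and the inetUserStatus-to-userStatus mapping are constructed from the examples in the text; the attribute allow-list contents are assumed.

```python
"""Search filter, search base and attribute allow-list derived from LDAPv3 data store settings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EntryTypeConfig:
    """Settings for one entry type (user, group or agent), mirroring the attributes above."""
    search_attribute: str                 # naming attribute, e.g. "uid" for users, "cn" for groups
    search_filter: str                    # e.g. "(objectClass=inetorgperson)"
    container_naming_attr: str = ""       # "ou" if entries live in a container, "" for a flat DIT
    container_value: str = ""             # e.g. "people", "groups", "agents"
    attributes: frozenset = frozenset()   # case-sensitive list of readable/writable attributes


def effective_filter(cfg: EntryTypeConfig) -> str:
    """(attr=*) is combined with the configured filter in an AND, as the examples show."""
    return f"(&({cfg.search_attribute}=*){cfg.search_filter})"


def search_base(cfg: EntryTypeConfig, org_dn: str) -> str:
    """Container naming attribute and value sit directly under the organization DN."""
    if cfg.container_naming_attr and cfg.container_value:
        return f"{cfg.container_naming_attr}={cfg.container_value},{org_dn}"
    return org_dn  # flat DIT: search directly under the organization DN


def naming_attribute_of(dn: str) -> str:
    """The naming attribute of an entry is the attribute type of its leftmost RDN."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[0].strip()


def disallowed_attributes(cfg: EntryTypeConfig, requested) -> list:
    """Attributes outside the allow-list are refused; the comparison is case-sensitive."""
    return [a for a in requested if a not in cfg.attributes]


def map_to_native(attr: str, mapping: dict) -> str:
    """Framework attribute name -> native data store name (case-sensitive; default unchanged)."""
    return mapping.get(attr, attr)


# Constructed sample configuration matching the DNs used in the text above.
ORG_DN = "dc=iplanet,dc=com"
USERS = EntryTypeConfig("uid", "(objectClass=inetorgperson)", "ou", "people",
                        frozenset({"uid", "cn", "sn", "mail", "inetUserStatus"}))
GROUPS = EntryTypeConfig("cn", "(objectclass=groupOfUniqueNames)", "ou", "groups",
                         frozenset({"cn", "uniqueMember", "memberUrl"}))
```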
Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.
Defines the maximum idle time before restarting the persistence search. The value must be greater than 1. Values less than or equal to 1 will restart the search irrespective of the idle time of the connection.
If Access Manager is deployed behind a load balancer, some load balancers will drop a connection that has been idle for a specified amount of time. In this case, you should set the Persistent Search Maximum Idle Time Before Restart to a value less than the load balancer's idle timeout.
Defines the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAPException Error Codes to Retry On.
Specifies the time to wait before each retry. This only applies to persistent search connection.
Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.
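The following added example (not code from Access Manager) models the restart and retry decisions for the persistent search connection as the four settings above describe them: the idle-time restart rule, the load balancer check, and retries limited to the configured error codes and count. The configuration values and the failing search results are constructed; the error codes are placeholders, not the product defaults.

```python
"""Restart/retry policy for a persistent search, driven by the settings described above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PersistentSearchConfig:
    max_idle_before_restart: int   # seconds; a value <= 1 restarts regardless of idle time
    max_retries: int               # retries after the initial attempt
    retry_interval: float          # seconds to wait before each retry
    retry_error_codes: frozenset   # LDAPException error codes that trigger a retry


def needs_restart(cfg: PersistentSearchConfig, idle_seconds: float) -> bool:
    """Restart once idle longer than the threshold; a threshold <= 1 always restarts."""
    if cfg.max_idle_before_restart <= 1:
        return True
    return idle_seconds > cfg.max_idle_before_restart


def idle_threshold_safe_for_lb(cfg: PersistentSearchConfig, lb_idle_timeout: float) -> bool:
    """The restart threshold must be below the load balancer's idle timeout."""
    return cfg.max_idle_before_restart < lb_idle_timeout


def run_with_retries(cfg: PersistentSearchConfig, attempt_search):
    """attempt_search() returns None on success or an LDAP error code on failure.
    Returns (succeeded, attempts_made, total_seconds_waited)."""
    waited, attempts = 0.0, 0
    while True:
        attempts += 1
        err = attempt_search()
        if err is None:
            return True, attempts, waited
        # Only the configured codes are retried, and only max_retries times.
        if err not in cfg.retry_error_codes or attempts > cfg.max_retries:
            return False, attempts, waited
        waited += cfg.retry_interval  # wait before the next retry


def scripted_search(results):
    """Constructed stand-in for the search: returns the listed results in order."""
    it = iter(results)
    return lambda: next(it)
```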