Sun Java System Access Manager 7 2005Q4 Administration Guide

Chapter 6 Data Stores

A data store is a database where you can store user attributes and user configuration data.

Access Manager provides an identity repository plug-in that connects to an identity repository framework. This new model enables you to view and retrieve Access Manager user information without having to make changes in your existing user database. The Access Manager framework integrates data from the identity repository plug-in with data from other Access Manager plug-ins to form a virtual identity for each user. Access Manager can then use the universal identity in authentication and authorization processes among more than one identity repository. The virtual user identity is destroyed when the user's session ends.

LDAPv3 Data Store

You can create a new data store instance for any generic LDAPv3 repository when Access Manager is installed in either Realms or Legacy mode. You should choose the LDAPv3 repository type under the following conditions:

Procedure: To Create a New LDAPv3 Data Store

The following steps connect a generic LDAPv3 data store.

  1. Select the realm to which you wish to add a new data store.

  2. Click the Data Store tab.

  3. Click New from the Data Stores list.

  4. Enter a name for the data store.

  5. Define the attributes for the LDAPv3 repository plug-in.

  6. Click Finish.

LDAPv3 Repository Plug-in Attributes

The following attributes are used to configure a LDAPv3 repository plug-in:

Primary LDAP Server

Enter the name of the LDAP server to which you will be connecting. The format should be hostname.domainname:portnumber.

If more than one host:portnumber entry is entered, an attempt is made to connect to the first host in the list. The next entry in the list is tried only if the attempt to connect to the current host fails.

LDAP Bind DN

Specifies the DN that Access Manager uses to authenticate (bind) to the LDAP server to which you are currently connected. The entry identified by the bind DN should have the add, modify, and delete privileges needed for the operations you configured in the LDAPv3 Plugin Supported Types and Operations attribute.

LDAP Bind Password

Specifies the password for the bind DN that Access Manager uses to authenticate to the LDAP server to which you are currently connected.

LDAP Bind Password (confirm)

Confirm the password.

LDAP Organization DN

The DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.

Enable LDAP SSL

When enabled, Access Manager will connect to the primary server using the HTTPS protocol.

LDAP Connection Pool Minimum Size

Specifies the initial number of connections in the connection pool. Using a connection pool avoids having to create a new connection for each operation.

LDAP Connection Pool Maximum Size

Specifies the maximum number of connections allowed in the connection pool.

Maximum Results Returned from Search

Specifies the maximum number of entries returned from a search operation. If this limit is reached, Directory Server returns any entries that match the search request.

Search Timeout

Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any search entries that match the search request.

LDAP Follows Referral

If enabled, this option specifies that referrals to other LDAP servers are followed automatically.

LDAPv3 Repository Plugin Class Name

Specifies the location of the class file which implements the LDAPv3 repository.

Attribute Name Mapping

Enables common attributes known to the framework to be mapped to the native data store. For example, if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive.

LDAPv3 Plugin Supported Types and Operations

Specifies the operations that are permitted on this LDAP server. The default operations are the only operations supported by this LDAPv3 repository plug-in. The following are the operations supported by the LDAPv3 Repository Plugin:

You can remove permissions from the above based on your LDAP server settings and the tasks, but you cannot add more permissions.

LDAP Users Search Attribute

This field defines the attribute type for which to conduct a search on a user. For example, if the user's DN is uid=kuser5,ou=people,dc=iplanet,dc=com, then the naming attribute is uid. (uid=*) will be appended to the search filter for users.

LDAP Users Search Filter

Specifies the search filter to be used to find user entries. For example, if LDAP Users Search Attribute is uid and LDAP Users Search Filter is (objectClass=inetorgperson), then the actual user search filter will be: (&(uid=*)(objectClass=inetorgperson)).

LDAP User Object Class

Specifies the object classes for a user. When a user is created, this list of user object classes will be added to the user's attributes list.

LDAP User Attributes

Defines the list of attributes associated with a user. Any attempt to read/write user attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

LDAP Groups Search Attribute

This field defines the attribute type for which to conduct a search on a group. For example, if the group DN is cn=group1,ou=groups,dc=iplanet,dc=com, the naming attribute for the group is cn and (cn=*) will be appended to the group search filter.

LDAP Groups Search Filter

Specifies the search filter to be used to find group entries. For example, if "LDAP Groups Search Attribute" is cn and "LDAP Groups Search Filter" is (objectclass=groupOfUniqueNames), the actual group search filter will be (&(cn=*)(objectclass=groupOfUniqueNames)).

LDAP Groups Container Naming Attribute

Specifies the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.

LDAP Groups Container Value

Specifies the value for the group container. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in a container named ou=groups, then the group container value would be groups.

LDAP Groups Object Class

Specifies the object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.

LDAP Groups Attributes

Defines the list of attributes associated with a group. Any attempt to read/write group attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

Attribute Name for Group Membership

Specifies the name of the attribute whose values are the names of all the groups to which the DN belongs. The default is memberOf.

Attribute Name of Group Member

Specifies the name of the attribute whose value is a DN belonging to this group. The default is uniqueMember.

Attribute Name of Group Member URL

Specifies the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.

LDAP People Container Naming Attribute

Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container. For example, given a user DN uid=kuser5,ou=people,dc=iplanet,dc=com, if ou=people is the name of the people container, then the naming attribute is ou.

LDAP People Container Value

Specifies the value of the people container. The default is people. For example, given a user DN uid=kuser5,ou=people,dc=iplanet,dc=com, if ou=people is the name of the people container, then the naming attribute is ou and people is the "LDAP People Container Value."

LDAP Agents Search Attribute

This field defines the attribute type for which to conduct a search on an agent. The default is uid. For example, if the agent's DN is uid=kagent1,ou=agents,dc=iplanet,dc=com, then the agent's naming attribute is uid. (uid=*) will be appended to the search filter for the agent.

LDAP Agents Container Naming Attribute

The naming attribute of the agent container if the agent resides in an agent container. This field is left blank if the agent does not reside in an agent container. For example, given an agent DN uid=kagent1,ou=agents,dc=iplanet,dc=com, the agent container naming attribute is ou.

LDAP Agents Container Value

Specifies the value of the agent container. It is left blank if the agent does not reside in an agent container. In the previous example, the agent container value would be agents.

LDAP Agents Search Filter

Defines the filter used to search for an agent. The LDAP Agents Search Attribute is prepended to this field to form the actual agent search filter.

For example, if the LDAP Agents Search Attribute is uid and LDAP Agents Search Filter is (objectClass=sunIdentityServerDevice), then the actual agent search filter will be: (&(uid=*)(objectClass=sunIdentityServerDevice)).

LDAP Agents Object Class

Defines the object classes for agents. When an agent is created, this list of agent object classes will be added to the agent's attributes list.

LDAP Agents Attributes

Defines the list of attributes associated with an agent. Any attempt to read/write agent attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.
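The user, group and agent sections above all build the effective search the same way: the search attribute becomes a presence filter ANDed in front of the configured filter, the container naming attribute and value sit between the entry and the organization DN, and the per-type attribute list is a case-sensitive allow-list. The following is an added example, not code from the Access Manager guide or product; the organization DN, settings and DNs are constructed samples and the DN parsing is a deliberate simplification.

```python
# Added example (not from the Access Manager guide): how the LDAPv3 data store
# settings combine into a search base, an effective search filter, and the
# case-sensitive attribute allow-list. All setting values are constructed.
SAMPLE_ORGANIZATION_DN = "dc=iplanet,dc=com"

# Constructed settings per entry type: search attribute, search filter,
# container naming attribute, container value.
SAMPLE_SETTINGS = {
    "user": ("uid", "(objectClass=inetorgperson)", "ou", "people"),
    "group": ("cn", "(objectclass=groupOfUniqueNames)", "ou", "groups"),
    "agent": ("uid", "(objectClass=sunIdentityServerDevice)", "ou", "agents"),
}

def effective_filter(search_attribute, search_filter):
    """(attr=*) is ANDed in front of the configured filter."""
    presence = f"({search_attribute}=*)"
    return f"(&{presence}{search_filter})" if search_filter else presence

def search_base(organization_dn, container_attr, container_value):
    """Search below the container if one is configured, else from the organization DN."""
    if container_attr and container_value:
        return f"{container_attr}={container_value},{organization_dn}"
    return organization_dn

def search_plan(kind, settings=SAMPLE_SETTINGS, org_dn=SAMPLE_ORGANIZATION_DN):
    """(base DN, filter) the data store would use for users, groups or agents."""
    attr, flt, c_attr, c_value = settings[kind]
    return search_base(org_dn, c_attr, c_value), effective_filter(attr, flt)

def container_from_dn(entry_dn, org_dn=SAMPLE_ORGANIZATION_DN):
    """Derive (search attribute, container attribute, container value) from a sample
    entry DN. Simplification: RDNs are split on ',' and '=', no escaping handled."""
    suffix = "," + org_dn
    if not entry_dn.endswith(suffix):
        raise ValueError("entry DN is not below the organization DN")
    rdns = entry_dn[: -len(suffix)].split(",")
    naming_attr = rdns[0].split("=", 1)[0]
    if len(rdns) == 1:  # entry sits directly under the organization DN
        return naming_attr, "", ""
    container_attr, container_value = rdns[1].split("=", 1)
    return naming_attr, container_attr, container_value

def check_attributes(requested, allowed):
    """Refuse any attribute not on the configured list; comparison is case-sensitive."""
    rejected = sorted(set(requested) - set(allowed))
    if rejected:
        raise PermissionError(f"attributes not in data store list: {rejected}")
    return list(requested)
```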

Persistent Search Base DN

Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.

Persistent Search Maximum Idle Time Before Restart

Defines the maximum idle time before restarting the persistent search. The value must be greater than 1. Values less than or equal to 1 will restart the search irrespective of the idle time of the connection.

If Access Manager is deployed with a load balancer, some load balancers will time out a connection that has been idle for a specified amount of time. In this case, you should set the Persistent Search Maximum Idle Time Before Restart to a value less than the load balancer's idle timeout.

Maximum Number of Retries After Error Codes

Defines the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAPException Error Codes to Retry On.

The Delay Time Between Retries

Specifies the time to wait before each retry. This only applies to the persistent search connection.

LDAPException Error Codes to Retry On

Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.
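The four persistent search settings above (idle time before restart, maximum retries, delay between retries, and the error codes that trigger a retry) are easiest to see working together. The following is an added example, not code from the Access Manager guide or product: a constructed fake search stands in for a real LDAP connection, and the sample setting values and result codes are assumptions, not defaults from the page.

```python
# Added example (not from the Access Manager guide): models how the persistent
# search settings interact. A constructed fake search stands in for a real LDAP
# connection; the setting values and error codes below are sample choices.
import time

class LDAPError(Exception):
    """Stand-in for LDAPException, carrying only the result code."""
    def __init__(self, code):
        super().__init__(f"LDAP error {code}")
        self.code = code

def should_restart_for_idle(idle_seconds, max_idle_seconds):
    """Persistent Search Maximum Idle Time Before Restart: a value <= 1 restarts
    the search regardless of idle time; otherwise restart once the limit is exceeded."""
    return max_idle_seconds <= 1 or idle_seconds > max_idle_seconds

def start_with_retries(start_search, max_retries, delay_seconds, retry_codes,
                       sleep=time.sleep):
    """Open the persistent search, retrying only on the configured error codes.
    Returns (search handle, retries used). A code not in retry_codes is raised
    at once; after max_retries retries the last error is raised."""
    retries = 0
    while True:
        try:
            return start_search(), retries
        except LDAPError as err:
            if err.code not in retry_codes or retries >= max_retries:
                raise
            retries += 1
            sleep(delay_seconds)  # The Delay Time Between Retries

def fake_search(fail_codes):
    """Constructed server: raise each code in fail_codes in turn, then succeed."""
    queue = list(fail_codes)
    def start():
        if queue:
            raise LDAPError(queue.pop(0))
        return "psearch-handle"
    return start

if __name__ == "__main__":
    # Sample settings: up to 3 retries, 0.01 s apart, on codes 81 and 91 (assumed).
    handle, used = start_with_retries(fake_search([81, 81]), 3, 0.01, {81, 91})
    print(handle, "after", used, "retries")
```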

AMSDK Repository Plug-in

The AMSDK identity repository is automatically intermingled with the Access Manager information tree when Access Manager is installed in Legacy mode. In Realms mode, you can choose to install the AMSDK repository, but the identity repository is not intermingled with the Access Manager information tree. You should choose the AMSDK repository type under the following conditions:

Procedure: To Create a New AMSDK Repository Plugin

  1. Select the realm in which you wish to configure the Access Manager repository plug-in.

  2. Click the Data Store tab.

  3. Click New from the Data Stores list.

  4. Enter a name for the repository plug-in.

  5. Select Access Manager Repository Plugin.

  6. Click Next.

  7. Define the following fields:

    Access Manager Plugin Class Name

    Specifies the location of the class file which implements the Access Manager repository plug-in.

    Access Manager Organization

    The DN that points to an organization in the Directory Server to be managed by Access Manager. This will be the base DN of all operations performed in this data store.

  8. Click Finish.