Go to the Federation Manager 1 URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login
Notice that above the User Name field, the text says “This server uses flat file authentication scheme.”
Log in to the Federation Manager 1 console:
User Name: amadmin
Password: 11111111
Add a new authentication service.
Click the Organization tab.
Click the Authentication subtab, and then click Add.
In the list of Authentication Modules, select LDAP, and then click Next.
On the LDAP page, provide the following information:
LDAP server (add to the server list): LoadBalancer-8.siroe.com:1389
DN to start the user search (add to the list): o=siroeusers.com
DN for the root user bind: cn=fmldapuser,ou=People,o=siroeusers.com
This bind DN is the service account the authentication module uses to open its connection to the Directory Server and search for the entry of the user who is logging in. It is not the identity being authenticated: once the user's entry is found, the module still verifies the user's own password against that entry. Because of this, the service account needs only read and search rights on the user branch (see the ACI below).
Password for the root user bind: 00000000
Confirm the password: 00000000
Attribute used to retrieve the user profile: uid
Attribute used to search for the user: uid
Click Assign.
On the Authentication page, locate the module named Core, and click its Edit link.
On the Core page, provide the following information:
Choose Flatfile, LDAP and SAMLv2.
Add to the list ou=People,o=siroeusers.com.
Click Save.
Verify that LDAP is included as an Organizational Attribute.
Click the Configuration tab. On the Configuration tab, under Authentication, click Core.
On the Core page, under Organization Attributes, verify that Flatfile, LDAP, and SAMLv2 are included in the list of Organization Authentication Modules.
In the Directory Server, create a user named fmldapuser.
This user is the Federation Manager service account that accesses the Directory Server. The ACI below grants it read and search permissions on the o=siroeusers.com branch of the Directory Server; it does not need, and is not given, write permission.
Create an LDIF file named fmldapuser.ldif with the following two entries (separate them with a blank line). The userPassword value is stored in clear text in this file, so restrict its permissions and remove it once it has been loaded:
dn: cn=fmldapuser,ou=People,o=siroeusers.com
changetype: add
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: fmldapuser
sn: fmldapuser
userPassword: 00000000

dn: o=siroeusers.com
changetype: modify
add: aci
aci: (target="ldap:///o=siroeusers.com")(targetattr="*")(version 3.0; acl "FM special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=fmldapuser,ou=People,o=siroeusers.com";)
Load ./fmldapuser.ldif into Directory Server 1.
# ldapmodify -D "cn=Directory Manager" -w d1rm4ngr -h LoadBalancer-8.siroe.com -p 1389 -f ./fmldapuser.ldif
Passing the Directory Manager password with -w exposes it to other users on the host through the process list and the shell history; on a production host, read the password from a protected file instead of putting it on the command line.
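Before loading the LDIF, it is worth confirming that the account entry, the ACI and the bind DN configured in the LDAP module all agree, and that the ACI grants nothing beyond read and search. The script below is an added example, not part of Federation Manager or the original guide: it emits the two LDIF records above as properly separated entries and then checks them. The DNs and the placeholder password are the guide's values; the function names and the regular expression for the ACI subset are this example's own assumptions.

```python
"""Build and sanity-check the Directory Server LDIF for the Federation Manager
LDAP service account.  Added example: not Federation Manager code and not from
the deployment guide.  DNs and the placeholder password are the guide's values;
the helper names and the ACI grammar handled here are this example's own."""
import re
from typing import Dict, List, Set

# Values taken from the procedure above (password is the guide's placeholder).
BIND_DN = "cn=fmldapuser,ou=People,o=siroeusers.com"
BASE_DN = "o=siroeusers.com"
PASSWORD = "00000000"

# Least privilege for a search-only service account: the auth module only has
# to locate user entries, never modify them.
ALLOWED_RIGHTS: Set[str] = {"read", "search"}


def build_service_account_ldif(bind_dn: str, base_dn: str, password: str) -> str:
    """Emit the account add record and the ACI modify record as two
    blank-line-delimited LDIF entries, the form ldapmodify expects."""
    cn = bind_dn.split(",", 1)[0].split("=", 1)[1]  # RDN value, e.g. fmldapuser
    user_entry = "\n".join([
        f"dn: {bind_dn}",
        "changetype: add",
        "objectclass: inetuser",
        "objectclass: organizationalperson",
        "objectclass: person",
        "objectclass: top",
        f"cn: {cn}",
        f"sn: {cn}",
        f"userPassword: {password}",
    ])
    aci = (f'(target="ldap:///{base_dn}")(targetattr="*")'
           '(version 3.0; acl "FM special ldap auth user rights"; '
           f'allow (read,search) userdn = "ldap:///{bind_dn}";)')
    aci_mod = "\n".join([
        f"dn: {base_dn}",
        "changetype: modify",
        "add: aci",
        f"aci: {aci}",
    ])
    return user_entry + "\n\n" + aci_mod + "\n"


# Matches only the ACI shape used in this procedure (single target, single
# targetattr, one allow clause with a userdn bind rule); a hypothetical subset.
_ACI_RE = re.compile(
    r'\(target="ldap:///(?P<target>[^"]+)"\)'
    r'\(targetattr="(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"ldap:///(?P<userdn>[^"]+)"\s*;\s*\)',
    re.IGNORECASE,
)


def parse_aci(aci: str) -> Dict[str, object]:
    """Pull target, targetattr, acl name, granted rights and bind DN out of an ACI."""
    m = _ACI_RE.search(aci)
    if not m:
        raise ValueError(f"unrecognised ACI: {aci!r}")
    rights = {r.strip().lower() for r in m.group("rights").split(",") if r.strip()}
    return {"target": m.group("target"), "targetattr": m.group("attrs"),
            "name": m.group("name"), "rights": rights, "userdn": m.group("userdn")}


def check_ldif(ldif: str, bind_dn: str, base_dn: str) -> List[str]:
    """Return a list of problems (empty means OK): the account record exists, an
    ACI names that same DN, targets the search base, and grants only read/search."""
    problems: List[str] = []
    records = [r.strip() for r in ldif.strip().split("\n\n") if r.strip()]
    first_lines = [r.splitlines()[0] for r in records]
    if f"dn: {bind_dn}" not in first_lines:
        problems.append(f"no add record for {bind_dn}")
    acis = [line[len("aci: "):] for r in records for line in r.splitlines()
            if line.lower().startswith("aci: ")]
    if not acis:
        problems.append("no aci granted; the auth module will not be able to search")
    for raw in acis:
        aci = parse_aci(raw)
        if str(aci["userdn"]).lower() != bind_dn.lower():
            problems.append(f"aci grants {aci['userdn']}, but the module binds as {bind_dn}")
        if str(aci["target"]).lower() != base_dn.lower():
            problems.append(f"aci targets {aci['target']}, but the search base is {base_dn}")
        extra = set(aci["rights"]) - ALLOWED_RIGHTS  # type: ignore[arg-type]
        if extra:
            problems.append(f"aci grants more than read/search: {sorted(extra)}")
    return problems


if __name__ == "__main__":
    ldif = build_service_account_ldif(BIND_DN, BASE_DN, PASSWORD)
    print(ldif)
    print("problems:", check_ldif(ldif, BIND_DN, BASE_DN) or "none")
```

Run it with no arguments to print fmldapuser.ldif and the check result; feed the output to ldapmodify as in the step above. If the ACI were later widened (for example to allow write), or the bind DN in the LDAP module were changed without updating the ACI, check_ldif reports the mismatch before the module silently fails to find users.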
Change the default authentication module from Flat File to LDAP.
Log in to the Federation Manager 1 host.
Go to the following directory:
/opt/SUNWam/fm/bin
Create a file named ldap.xml that contains the following entries:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
  Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
  Use is subject to license terms.
-->
<!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
  "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
<!-- CREATE REQUESTS -->
<Requests>
  <OrganizationRequests DN="o=siroe.com">
    <ModifyServiceTemplate serviceName="iPlanetAMAuthService" schemaType="Organization">
      <AttributeValuePair>
        <Attribute name="iplanet-am-auth-org-config" />
        <Value><AttributeValuePair><Value>com.sun.identity.authentication.modules.ldap.LDAP REQUIRED</Value></AttributeValuePair></Value>
      </AttributeValuePair>
    </ModifyServiceTemplate>
  </OrganizationRequests>
</Requests>
The significant change in this configuration is the iplanet-am-auth-org-config attribute and its value, com.sun.identity.authentication.modules.ldap.LDAP REQUIRED, which makes the LDAP module the required (default) authentication module for the o=siroe.com organization in place of the flat file module.
Load ldap.xml.
# ./amadmin -i /var/opt/SUNWam/fm/war-staging -u amadmin -w 11111111 -t ldap.xml
As with ldapmodify, the amadmin password given with -w is visible in the process list and shell history; avoid this on a production host.
After loading the file, return to the Federation Manager 1 login URL and confirm that the page no longer announces the flat file authentication scheme and that a user from o=siroeusers.com can log in with the Directory Server password.