Sun Java System Access Manager 7.1 Administration Guide

Chapter 3 Data Stores

A data store is a database where you can store user attributes and user configuration data. Access Manager provides identity repository plug-ins that connect to an LDAPv3 identity repository framework. These plug-ins enable you to view and retrieve Access Manager user information without having to make changes in your existing user database. The Access Manager framework integrates data from the identity repository plug-in with data from other Access Manager plug-ins to form a virtual identity for each user. Access Manager can then use the universal identity in authentication and authorization processes among more than one identity repository. The virtual user identity is destroyed when the user's session ends.

Access Manager Data Store Types

This section explains the types of data stores that you can configure, and also provides the steps to create a new data store and configure it.

You can create a new data store instance for any of the following data store types:

Access Manager Repository Plug-in

This data store type resides in a Sun Java System Directory Server instance and holds the Access Manager information tree. This data store type makes use of Directory Server features that are not part of the LDAP version 3 specification, such as roles and class of service, and is compatible with previous versions of Access Manager.

Active Directory

This data store type uses the LDAP version 3 specification to write identity data to an instance of Microsoft Active Directory.

Flat Files Repository

This repository allows you to store data and identities in a flat DIT structure on the local installation instance of Access Manager without having to create a separate data store. This is generally used for testing or proof of concept deployments.

Generic LDAPv3

This data store type allows identity data to be written to any LDAPv3-compliant database. If the LDAPv3 database you are using does not support Persistent Search, then you cannot use the caching feature.

Sun Directory Server With Access Manager Schema

This data store type resides in a Sun Java System Directory Server instance and holds the Access Manager information tree. It differs from the Access Manager Repository Plug-in, in that more configuration attributes allow you to better customize the data store.

Procedure: To Create a New Data Store

The following section describes the steps to connect a data store.

  1. Select the realm to which you wish to add a new data store.

  2. Click the Data Store tab.

  3. Click New from the Data Stores list.

  4. Enter a name for the data store.

  5. Select the type of data store you wish to create.

  6. Click Next.

  7. Configure the data store by entering the appropriate attribute values.

  8. Click Finish.

Data Store Attributes

This section defines the attributes for configuring each new Access Manager data store. The data store attributes are:


Note –

The Active Directory, Generic LDAPv3, and Sun Directory Server with Access Manager Schema data store types share the same underlying plug-in, so the configuration attributes are the same. However, the default values for some of the attributes are different for each data store type and are displayed accordingly in the Access Manager console.


Access Manager Repository Attributes

The following attributes are used to configure an Access Manager Repository plug-in:

Class Name

Specifies the location of the class file which implements the Access Manager repository plug-in.

Access Manager Supported Types and Operations

Specifies the operations that are permitted or can be performed on this LDAP server. The default operations are the only operations supported by this LDAPv3 repository plug-in. The following operations are supported by the LDAPv3 Repository Plug-in:

You can remove permissions from the above list based on your LDAP server settings and the tasks, but you cannot add more permissions.

If the configured LDAPv3 Repository plug-in is pointing to an instance of Sun Java System Directory Server, then permissions for the type role can be added. Otherwise, this permission may not be added because other data stores may not support roles. The permission for the type 'role' is:

If you have user as a supported type for the LDAPv3 repository, the read, create, edit, and delete service operations are possible for that user. In other words, if user is a supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries from the identity repository. The user=service operation lets Access Manager services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.

The user is also allowed to manage the user attributes for any assigned service. If the user has service as the operation (user=service), then it specifies that all service-related operations are supported. These operations are assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes and modifyService.

Organization DN Value

Defines the DN that points to an organization in the Directory Server to be managed by Access Manager. This will be the base DN of all operations performed in the data store.

People Container Naming Attribute

Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container.

People Container Value

Specifies the value of the people container. The default is people.

Agent Container Naming Attribute

The naming attribute of the agent container if the agent resides in an agent container. This field is left blank if the agent does not reside in an agent container.

Agent Container Value

Specifies the value of the agent container. The default is agents.

Recursive Search

If enabled, the search performed in the Access Manager repository will conduct a recursive search for the specified identities. For example, a recursive search performed on the following data structure:

root
realm1
    subrealm11
        user5
    subrealm12
        user6
realm2
    user1
    user2
    subrealm21
        user3
        user4

will produce the following results:

Copy Realm Configuration

When this attribute is enabled in a realm-mode installation, Access Manager will create an equivalent organization and sub-organization for each realm and sub-realm that exists in the repository. In addition, the services that are registered to the realm/sub-realm will be registered to the newly created organization/sub-organization. Both the realm DIT and the organization DIT exist within the data store.

Flat Files Repository Attributes

The following attributes are used to configure a flat file repository:

Files Repository Plug-in Classname

This attribute specifies the Java class file that provides the implementation for flat files. This attribute should not be modified.

Files Repository Directory

Defines the base directory where the identities and their attributes are stored.

Cache

When enabled (default), the identities and their attributes will be cached. Subsequent requests will not access the file system.

Time to Update Cache

When caching is enabled, this attribute determines the time interval (in minutes) after which the entries in the cache are checked for any changes made to the file system. The checking mechanism is based on timestamps.

File User Object Classes

Defines the object classes that are automatically added to the users when they are created.

Password Attribute

Provides the attribute name that contains the password used for authentication. This attribute is used to authenticate the user when the Data Store authentication module is enabled.

Status Attribute

Provides the attribute name that stores the identity's status. Values for the status attribute are either active or inactive. This is used during the authentication of the identity. If an identity is inactive, the user will not be authenticated.

Hashed Attributes

Provides a list of attributes whose values will be hashed and stored in the files. Once hashed, the original values cannot be obtained. Only hashed values are retrieved. This is used to ensure privacy where certain attributes should not be permanently stored, but are used for verification. An identity's password attribute is an example of this type of attribute.

Encrypted Attributes

Provides a list of attributes whose values will be encrypted and stored in the files. Although they are encrypted and stored, calling the Identity Repository APIs would return the original decrypted values. This prevents users from accessing the file system directly and reading sensitive attributes.
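The following is an added example, not code from Access Manager, showing how the Password Attribute, Status Attribute and Hashed Attributes settings of a flat-files repository work together during Data Store authentication. It assumes a salted PBKDF2-SHA256 hash (this page does not state which hash function the product uses), an in-memory dictionary in place of the files on disk, and constructed attribute names; the Encrypted Attributes behaviour is not shown.

```python
"""Flat-files repository: store a hashed password attribute and authenticate.

Assumptions (not from the page): PBKDF2-SHA256 with a random salt as the hash,
a dict standing in for the files directory, and the attribute names below.
"""
import base64
import hashlib
import hmac
import os

PASSWORD_ATTRIBUTE = "userPassword"   # constructed value of the Password Attribute setting
STATUS_ATTRIBUTE = "inetUserStatus"   # constructed value of the Status Attribute setting
HASHED_ATTRIBUTES = {PASSWORD_ATTRIBUTE}
_ITERATIONS = 200_000


def hash_value(plain: str, salt: bytes = None) -> str:
    """Return 'salt$digest' in base64. The original value cannot be recovered."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, _ITERATIONS)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()


def verify_value(plain: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt_b64, _, digest_b64 = stored.partition("$")
    salt = base64.b64decode(salt_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def store_identity(repo: dict, uid: str, attrs: dict) -> None:
    """Write an identity, hashing every attribute listed under Hashed Attributes."""
    repo[uid] = {k: (hash_value(v) if k in HASHED_ATTRIBUTES else v)
                 for k, v in attrs.items()}


def authenticate(repo: dict, uid: str, password: str) -> bool:
    """Data Store authentication: unknown or inactive identities fail;
    an active identity succeeds only if the password matches the stored hash."""
    entry = repo.get(uid)
    if entry is None or entry.get(STATUS_ATTRIBUTE) != "active":
        return False
    return verify_value(password, entry[PASSWORD_ATTRIBUTE])


# Constructed repository contents: one active and one inactive identity.
REPO = {}
store_identity(REPO, "user1", {PASSWORD_ATTRIBUTE: "s3cret!", STATUS_ATTRIBUTE: "active"})
store_identity(REPO, "user2", {PASSWORD_ATTRIBUTE: "s3cret!", STATUS_ATTRIBUTE: "inactive"})

if __name__ == "__main__":
    print("user1 correct password:", authenticate(REPO, "user1", "s3cret!"))
    print("user2 (inactive):", authenticate(REPO, "user2", "s3cret!"))
```

Because only the salted digest is written, reading the files directly yields nothing usable for login, yet verification still works by hashing the supplied password with the same salt; the status check runs before the hash comparison, so an inactive identity is refused regardless of the password.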

LDAPv3 Attributes

The following attributes are used to configure an LDAPv3 repository plug-in:

LDAP Server

Enter the name of the LDAP server to which you will be connecting. The format should be hostname.domainname:portnumber.

If more than one host:portnumber entry is entered, an attempt is made to connect to the first host in the list. The next entry in the list is tried only if the attempt to connect to the current host fails.
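As an added example (not Access Manager code), the following shows the failover order described above: each host:portnumber entry is tried in turn and the next one is used only when the current attempt fails. It assumes the entries are separated by whitespace (the page does not state the separator) and takes the connect routine as a parameter so it can be exercised offline with a constructed stand-in.

```python
"""Failover across the hosts in the LDAP Server attribute.

Assumptions (not from the page): whitespace-separated entries, and `connect`
is any callable that raises OSError when the host cannot be reached.
"""
from typing import Callable, List, Tuple


def parse_server_list(text: str) -> List[Tuple[str, int]]:
    """Turn 'host1:389 host2:636' into [('host1', 389), ('host2', 636)].
    Entries without a numeric port are rejected so a typo fails loudly."""
    servers = []
    for entry in text.split():
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"bad LDAP Server entry: {entry!r}")
        servers.append((host, int(port)))
    if not servers:
        raise ValueError("LDAP Server list is empty")
    return servers


def connect_with_failover(server_text: str, connect: Callable[[str, int], object]):
    """Try each host in order; advance only when the current attempt raises.
    Returns (host, port, connection) for the first host that answers, or raises
    ConnectionError listing every failure if none does."""
    failures = []
    for host, port in parse_server_list(server_text):
        try:
            return host, port, connect(host, port)
        except OSError as exc:
            failures.append(f"{host}:{port}: {exc}")
    raise ConnectionError("all LDAP servers failed: " + "; ".join(failures))


# Constructed stand-in for a real LDAP bind: the primary is down, the secondary is up.
def _fake_connect(host: str, port: int) -> str:
    if host == "ds1.example.com":
        raise OSError("connection refused")
    return f"session-to-{host}:{port}"


if __name__ == "__main__":
    print(connect_with_failover("ds1.example.com:389 ds2.example.com:389", _fake_connect))
```

Keeping every failure message until the list is exhausted matters operationally: when the whole list fails, the resulting error names each host that was tried instead of only the last one.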

LDAP Bind DN

Specifies the DN name that Access Manager will use to authenticate to the LDAP server to which you are currently connected. The user with the DN name used to bind should have the correct add/modification/delete privileges that you configured in the LDAPv3 Plugin Supported Types and Operations attribute.

LDAP Bind Password

Specifies the DN password that Access Manager will use to authenticate to the LDAP server to which you are currently connected.

LDAP Bind Password (confirm)

Confirm the password.

LDAP Organization DN

The DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.

LDAP SSL

When enabled, Access Manager will connect to the primary server using the HTTPS protocol.

LDAP Connection Pool Minimum Size

Specifies the initial number of connections in the connection pool. The use of a connection pool avoids having to create a new connection each time.

LDAP Connection Pool Maximum Size

Specifies the maximum number of connections allowed.

Maximum Results Returned from Search

Specifies the maximum number of entries returned from a search operation. If this limit is reached, Directory Server returns any entries that match the search request.

Search Timeout

Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any search entries that match the search request.

LDAP Follows Referral

If enabled, this option specifies that referrals to other LDAP servers are followed automatically.

LDAPv3 Repository Plugin Class Name

Specifies the location of the class file which implements the LDAPv3 repository.

General Attribute Name Mapping

Enables common attributes known to the framework to be mapped to the native data store. For example, if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive.

LDAPv3 Plugin Supported Types and Operations

Specifies the operations that are permitted or can be performed on this LDAP server. The default operations are the only operations supported by this LDAPv3 repository plug-in. The following operations are supported by the LDAPv3 Repository Plug-in:

You can remove permissions from the above list based on your LDAP server settings and the tasks, but you cannot add more permissions.

If the configured LDAPv3 Repository plug-in is pointing to an instance of Sun Java System Directory Server, then permissions for the type role can be added. Otherwise, this permission may not be added because other data stores may not support roles. The permission for the type 'role' is:

If you have user as a supported type for the LDAPv3 repository, the read, create, edit, and delete service operations are possible for that user. In other words, if user is a supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries from the identity repository. The user=service operation lets Access Manager services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.

The user is also allowed to manage the user attributes for any assigned service. If the user has service as the operation (user=service), then it specifies that all service-related operations are supported. These operations are assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes and modifyService.

LDAPv3 Plug-in Search Scope

Defines the scope to be used to find LDAPv3 plug-in entries. The scope must be one of the following:

LDAP Users Search Attribute

This field defines the attribute type for which to conduct a search on a user. For example, if the user's DN is uid=user1,ou=people,dc=iplanet,dc=com, then the naming attribute is uid.

LDAP Users Search Filter

Specifies the search filter to be used to find user entries.

LDAP User Object Class

Specifies the object classes for a user. When a user is created, this list of user object classes will be added to the user's attributes list.

LDAP User Attributes

Defines the list of attributes associated with a user. Any attempt to read/write user attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

LDAP User Creation Attribute Mappings

Specifies which attributes are required when a user is created. This attribute uses the following syntax:

DestinationAttributeName=SourceAttributeName

If the source attribute name is missing, the default is the user ID (uid). For example:

cn
sn=givenName

Both cn and sn are required in order to create a user profile. cn gets the value of the attribute named uid, and sn gets the value of the attribute named givenName.
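The following added example (not Access Manager code) applies the mapping syntax above when a user entry is built: one DestinationAttributeName=SourceAttributeName rule per line, with a bare destination name taking its value from uid. It assumes line-separated rules and that an attribute the caller supplies explicitly is kept rather than overwritten; both are assumptions, not statements from this page.

```python
"""Apply LDAP User Creation Attribute Mappings to the attributes supplied on create.

Assumptions (not from the page): one rule per line, and an explicitly supplied
destination attribute is not overwritten by the mapping.
"""
from typing import Dict


def parse_creation_mappings(text: str) -> Dict[str, str]:
    """'cn\\nsn=givenName' -> {'cn': 'uid', 'sn': 'givenName'}.
    A rule without '=' (or with an empty source) defaults the source to uid."""
    mappings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dest, _, src = line.partition("=")
        dest, src = dest.strip(), src.strip()
        if not dest:
            raise ValueError(f"mapping without a destination attribute: {line!r}")
        mappings[dest] = src or "uid"
    return mappings


def build_user_entry(mappings: Dict[str, str], supplied: Dict[str, str]) -> Dict[str, str]:
    """Fill every required (mapped) attribute from the supplied ones.
    Every mapped attribute is required, so a missing source value is an error
    rather than a silently incomplete entry."""
    entry = dict(supplied)
    missing = []
    for dest, src in mappings.items():
        if dest in entry:
            continue  # assumption: an explicitly supplied value wins
        if src not in supplied:
            missing.append(f"{dest} (from {src})")
        else:
            entry[dest] = supplied[src]
    if missing:
        raise ValueError("cannot create user, missing: " + ", ".join(missing))
    return entry


# Constructed input matching the cn / sn=givenName example in the text.
MAPPINGS = parse_creation_mappings("cn\nsn=givenName\n")

if __name__ == "__main__":
    print(build_user_entry(MAPPINGS, {"uid": "user1", "givenName": "Jane"}))
```

With the two rules from the text, creating uid=user1 with givenName=Jane yields cn=user1 and sn=Jane; omitting givenName is rejected because sn is required.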

User Status Attribute

Specifies the attribute name to indicate the user's status.

User Status Active Value

Specifies the attribute name for an active user status. The default is active.

User Status Inactive Value

Specifies the attribute name for an inactive user status. The default is inactive.

LDAP Groups Search Attribute

This field defines the attribute type for which to conduct a search on a group. The default is cn.

LDAP Group Search Filter

Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).

LDAP Groups Container Naming Attribute

Specifies the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.

LDAP Groups Container Value

Specifies the value for the group container. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in a container named ou=groups, then the group container value is groups.

LDAP Groups Object Classes

Specifies the object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.

LDAP Groups Attributes

Defines the list of attributes associated with a group. Any attempt to read/write group attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

Group Membership Attribute

Specifies the name of the attribute whose values are the names of all the groups to which a DN belongs. The default is memberOf.

Unique Member Attribute

Specifies the attribute name whose values are the DNs belonging to this group. The default is uniqueMember.

Group Member URL Attribute

Specifies the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.

LDAP People Container Naming Attribute

Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container.

LDAP People Container Value

Specifies the value of the people container. The default is people.

LDAP Agents Search Attribute

This field defines the attribute type for which to conduct a search on an agent. The default is uid.

LDAP Agents Container Naming Attribute

The naming attribute of the agent container if the agent resides in an agent container. This field is left blank if the agent does not reside in an agent container.

LDAP Agents Container Value

Specifies the value of the agent container. The default is agents.

LDAP Agents Search Filter

Defines the filter used to search for an agent. The LDAP Agents Search Attribute is prepended to this field to form the actual agent search filter.

For example, if the LDAP Agents Search Attribute is uid and the LDAP Agents Search Filter is (objectClass=sunIdentityServerDevice), then the actual agent search filter will be: (&(uid=*)(objectClass=sunIdentityServerDevice))
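As an added example (not Access Manager code), the function below builds the effective filter the way the search attribute and configured filter combine above, for the agent and user settings alike. It goes slightly beyond the page: besides the wildcard form shown, it also produces the filter for one specific name, escaping that name per RFC 4515 so a looked-up value can never change the structure of the filter. The filter-composition rule is taken from the text; the escaping helper and the single-value form are additions.

```python
"""Compose '(&(searchAttr=value)(configuredFilter))' with RFC 4515 escaping.

The composition rule follows the Access Manager text above; the escaping and
the single-value lookup form are additions for illustration.
"""
from typing import Optional

# RFC 4515 reserves these characters inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape every reserved character in a value that will sit inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(search_attr: str, base_filter: str, value: Optional[str] = None) -> str:
    """Prepend '(search_attr=value)' to the configured filter.

    With no value the wildcard form from the text is produced, e.g.
    (&(uid=*)(objectClass=sunIdentityServerDevice)); with a value, the value is
    escaped so that it is matched literally."""
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        raise ValueError("configured filter must be a parenthesised LDAP filter")
    assertion = "*" if value is None else escape_filter_value(value)
    return f"(&({search_attr}={assertion}){base_filter})"


if __name__ == "__main__":
    # Constructed settings: the agent example from the text, then a user lookup.
    print(build_search_filter("uid", "(objectClass=sunIdentityServerDevice)"))
    print(build_search_filter("uid", "(objectClass=inetOrgPerson)", "user1"))
```

The wildcard form lists every entry matching the configured filter; the escaped single-value form is what a lookup of one user or agent by its naming attribute should send, since the configured filter remains in force no matter what the supplied name contains.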

LDAP Agents Object Class

Defines the object classes for agents. When an agent is created, this list of object classes will be added to the agent's attributes list.

LDAP Agents Attributes

Defines the list of attributes associated with an agent. Any attempt to read/write agent attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

Identity Types that can be Authenticated

Specifies that this data store can authenticate user and/or agent identity types when the authentication module mode for the realm is set to Data Store.

Persistent Search Base DN

Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.

Persistent Search Filter

Defines the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter.

Persistent Search Maximum Idle Time Before Restart

Defines the maximum idle time before restarting the persistent search. The value must be greater than 1. Values less than or equal to 1 will restart the search irrespective of the idle time of the connection.

If Access Manager is deployed with a load balancer, some load balancers will time out a connection that has been idle for a specified amount of time. In this case, you should set the Persistent Search Maximum Idle Time Before Restart to a value less than the load balancer's idle timeout.

Maximum Number of Retries After Error Code

Defines the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAPException Error Codes to Retry On.

The Delay Time Between Retries

Specifies the time to wait before each retry. This only applies to the persistent search connection.

LDAPException Error Codes to Retry

Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.
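The three retry settings above (Maximum Number of Retries After Error Code, The Delay Time Between Retries, and LDAPException Error Codes to Retry On) describe one policy; the following added example, not Access Manager code, implements that policy around a stand-in for starting the persistent search. It assumes the error codes are entered as a comma-separated list of numeric LDAP result codes and that a failure surfaces as an exception carrying its result code; the result code values used in the sample are constructed, not taken from the product.

```python
"""Retry the persistent search only on configured result codes, with a delay.

Assumptions (not from the page): comma-separated numeric codes in the setting,
and failures raised as LDAPError with a `.code` attribute. The `sleep` parameter
exists so the policy can be exercised without real waiting.
"""
import time
from typing import Callable, FrozenSet, Tuple


class LDAPError(Exception):
    """Stand-in for the SDK's LDAPException: carries the numeric result code."""

    def __init__(self, code: int, msg: str = ""):
        super().__init__(f"LDAP result {code}: {msg}")
        self.code = code


def parse_retry_codes(text: str) -> FrozenSet[int]:
    """'80,81' -> frozenset({80, 81}); blanks are ignored."""
    return frozenset(int(c) for c in text.split(",") if c.strip())


def run_with_retries(start_search: Callable[[], object], max_retries: int,
                     delay_seconds: float, retry_codes: FrozenSet[int],
                     sleep: Callable[[float], None] = time.sleep) -> Tuple[object, int]:
    """Start the persistent search. On an LDAPError whose code is listed, wait
    delay_seconds and try again, at most max_retries times. Codes that are not
    listed, and the failure after the last permitted retry, propagate unchanged.
    Returns (search result, number of attempts made)."""
    attempts = 0
    while True:
        attempts += 1
        try:
            return start_search(), attempts
        except LDAPError as exc:
            if exc.code not in retry_codes or attempts > max_retries:
                raise
            sleep(delay_seconds)


def make_flaky_search(failures: int, code: int = 81) -> Callable[[], str]:
    """Constructed search starter that fails `failures` times with `code`
    (a constructed value) and then succeeds."""
    calls = {"n": 0}

    def start() -> str:
        calls["n"] += 1
        if calls["n"] <= failures:
            raise LDAPError(code, "server unavailable")
        return "persistent search established"

    return start


if __name__ == "__main__":
    print(run_with_retries(make_flaky_search(2), 3, 0.0, parse_retry_codes("80,81")))
```

Two points are worth checking in any retry loop of this shape: a code outside the configured set fails immediately (a schema or authorization error should not be retried), and max_retries counts retries, so the total number of attempts is one greater.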

Caching

If enabled, this allows Access Manager to cache data retrieved from the data store.

Maximum Age of Cached Items

Specifies the maximum time data is stored in the cache before it is removed. The values are defined in seconds.

Maximum Size of the Cache

Specifies the maximum size of the cache. The larger the value, the more data can be stored, but it will require more memory. The values are defined in bytes.