Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

7.2 Creating and Configuring a Realm for Test Users

At this point, the root realm is configured to authenticate against the Directory Server configuration data instances. We use the root realm to authenticate special Access Manager accounts (like amadmin and agents) but, we now create a sub-realm to authenticate end users against the Directory Server user data instances. This creates a demarcation between Access Manager configuration and administrative account data, and the end-user profiles.

With the following procedures, we create a sub-realm to which we add our text subjects, and then configure the realm properties to suit the needs of this deployment example.

To Create a Realm

Access http://LoadBalancer-3.example.com:7070/ from a web browser.

This is the Access Manager load balancer.

Click the Access Control tab.

Click New to create a new realm.

On the New Realm page, enter users in the Name field.

Enter users in the New Value field of the Realm/DNS Aliases list and click Add.

Click OK.

The users realm is listed as a sub-realm of the top-level realm, example.

To Change the Default User Data Store and Configure an Authentication Module for the Realm

Now we instantiate an authentication module and reconfigure the default ldapService authentication chain to use the new authentication module. Additionally, we will change the realm's User Profile attribute and delete the default authentication module instances. During this procedure, we also change the default user data store to the user data instance previously created.

Before You Begin

This procedure assumes you have just completed To Create a Realm and are still logged in to the Access Manager console.

Under the Access Control tab, click the users realm.

Click the Authentication tab.

Click Advanced Properties in the General section.

On the resulting page, change the value of the User Profile attribute to Ignored.

This new value specifies that a user profile is not required by the Authentication Service to issue a token after successful authentication.

Click Save.

The profile is updated.

Click Back to Authentication.

You will return to the users realm Authentication page.

Under Module Instances section, click New.

These next steps instantiate the Data Store authentication module in the users sub-realm.
1. On the New Module Instance page, set the following attribute values:
  
  Name:
  
  usersDataStore
  
  Type:
  
  Choose Data Store
2. Click OK.
  
  You will return to the users realm Authentication page and the usersDataStore module is displayed in the list of Module Instances.

Under Authentication Chaining, click on the default ldapService chain.

These next steps reconfigure the default ldapService chain to use the new authentication module.
1. On the resulting page, select usersDataStore in the Instance column.
2. Set the Criteria attribute to Required.
3. Click Save.
  
  The ldapService chain is updated.
4. Click Back to Authentication.
  
  You will return to the users realm Authentication page.

Under Module Instances, mark the checkbox for LDAP and Data Store.

These modules are inherited from the default top-level realm and used to authenticate to the Access Manager configuration data instance of Directory Server. They are no longer needed now that the usersDataStore authentication module instance will be used.

Click Delete

The modules are deleted and the users realm Authentication page is displayed.

Click Save.

Click the Data Stores tab.
1. Mark the checkbox for amConfigDS.
  
  This is the data store inherited from the parent realm.
2. Click Delete.
3. Click New.
4. On the resulting page, set the following attributes:
  
  Name:
  
  usersLDAP
  
  Type:
  
  Choose Generic LDAPv3
5. Click Next.
6. On the resulting page, set the following attributes:
  LDAP Server
  - Enter the hostname and port number for the existing directory in the form LoadBalancer-2.example.com:489 and click Add.
  - Select the default LoadBalancer-1.example.com:389 and click Remove.
  LDAP Bind DN
  
  Enter cn=Directory Manager
  
  LDAP Bind Password
  
  Enter d1rm4n4ger
  
  LDAP Bind Password (confirm)
  
  Enter d1rm4n4ger
  
  LDAP Organization DN
  
  Replace dc=example,dc=com with dc=company,dc=com
  
  LDAP User Object Classes
  
  Add inetorgperson as a new value.
  
  LDAP People Container Value
  
  Replace people with users.
  
  Note –
  If this field is empty, the search for user entries will start from the root suffix.
  
  Persistent Search Base DN
  
  Replace dc=example,dc=com with dc=company,dc=com
7. Click Finish.

Log out of the Access Manager console.

To Verify That Access Manager Recognizes the External User Data Store

Access http://AccessManager-1.example.com:1080/amserver/console from a web browser.

Click on the Access Control tab

Click on the users sub-realm.

Click on the Subjects tab.

You should see Test User1 and Test User2.

Log out of the Access Manager console.

To Verify That a Realm Subject Can Successfully Authenticate

Access http://AccessManager-1.example.com:1080/amserver/UI/Login?realm=users from a web browser.

The parameter realm=users specifies the realm to use for authentication. At this point, a user can log in against Directory Server only if the realm parameter is defined in the URL.

Log in to Access Manager with a user name and password from the am-users directory.

User Name

testuser1

Password

password

You should be able to log in successfully and see a page with a message that reads You're logged in. Since the User Profile attribute was set to Ignored, the user's profile is not displayed after a successful login. If the login is not successful, watch the Directory Server access log to troubleshoot the problem.

Log out of the Access Manager console.