Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

Procedure: To Change the Default User Data Store and Configure an Authentication Module for the Realm

In this procedure we instantiate a Data Store authentication module in the users realm and reconfigure the default ldapService authentication chain to use it. We also set the realm's User Profile attribute to Ignored, delete the inherited default authentication module instances, and replace the inherited configuration data store with the user data instance created earlier.

Before You Begin

This procedure assumes you have just completed To Create a Realm and are still logged in to the Access Manager console.

  1. Under the Access Control tab, click the users realm.

  2. Click the Authentication tab.

  3. Click Advanced Properties in the General section.

  4. On the resulting page, change the value of the User Profile attribute to Ignored.

    This new value specifies that a user profile is not required by the Authentication Service to issue a token after successful authentication.

  5. Click Save.

    The profile is updated.

  6. Click Back to Authentication.

    You will return to the users realm Authentication page.

  7. Under the Module Instances section, click New.

    These next steps instantiate the Data Store authentication module in the users sub-realm.

    1. On the New Module Instance page, set the following attribute values:

      Name:

      usersDataStore

      Type:

      Choose Data Store

    2. Click OK.

      You will return to the users realm Authentication page and the usersDataStore module is displayed in the list of Module Instances.

  8. Under Authentication Chaining, click on the default ldapService chain.

    These next steps reconfigure the default ldapService chain to use the new authentication module.

    1. On the resulting page, select usersDataStore in the Instance column.

    2. Set the Criteria attribute to Required.

    3. Click Save.

      The ldapService chain is updated.

    4. Click Back to Authentication.

      You will return to the users realm Authentication page.

  9. Under Module Instances, mark the checkbox for LDAP and Data Store.

    These module instances are inherited from the default top-level realm and authenticate against the Access Manager configuration data instance of Directory Server, not against the user directory. Now that the ldapService chain uses only usersDataStore (step 8), they are no longer needed. Before deleting them, confirm that no chain in the users realm still references LDAP or Data Store; removing them ensures that users of this realm cannot be authenticated against the configuration directory.

  10. Click Delete.

    The modules are deleted and the users realm Authentication page is displayed.

  11. Click Save.

  12. Click the Data Stores tab.

    1. Mark the checkbox for amConfigDS.

      This is the data store inherited from the parent realm.

    2. Click Delete.

    3. Click New.

    4. On the resulting page, set the following attributes:

      Name:

      usersLDAP

      Type:

      Choose Generic LDAPv3

    5. Click Next.

    6. On the resulting page, set the following attributes:

      LDAP Server
      • Enter the hostname and port number for the existing directory in the form LoadBalancer-2.example.com:489 and click Add.

      • Select the default LoadBalancer-1.example.com:389 and click Remove.

      LDAP Bind DN

      Enter cn=Directory Manager

      LDAP Bind Password

      Enter d1rm4n4ger

      LDAP Bind Password (confirm)

      Enter d1rm4n4ger


      Note –

      cn=Directory Manager is the directory's root DN, which is not subject to the directory's access controls. It is used here to keep the example short. In a production deployment, bind with a dedicated account that has only the rights Access Manager needs in the user container, and do not reuse the example password.


      LDAP Organization DN

      Replace dc=example,dc=com with dc=company,dc=com

      LDAP User Object Classes

      Add inetorgperson as a new value.

      LDAP People Container Value

      Replace people with users.


      Note –

      If this field is empty, the search for user entries will start from the root suffix.


      Persistent Search Base DN

      Replace dc=example,dc=com with dc=company,dc=com

    7. Click Finish.

  13. Log out of the Access Manager console.
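After completing step 12, the Generic LDAPv3 data store values can be checked from a shell against the user directory behind LoadBalancer-2.example.com:489 before relying on them for authentication. The script below is an added example, not part of the deployment guide or of Access Manager. It assumes the OpenLDAP ldapsearch client (the -x, -H, -D, -W and -b options); the host, bind DN, organization DN, people container value and object class are taken from the procedure, and the AM_DS_VERIFY variable is the script's own switch. It also encodes the Note from step 12: an empty people container value makes the search start at the organization DN, and it warns about the two mistakes most likely to survive this step, the inherited LoadBalancer-1.example.com:389 entry left in the server list and binding as the directory root DN.

```shell
#!/bin/sh
# Added example (not from the deployment guide): check the Generic LDAPv3
# data store values from step 12 against the user directory with ldapsearch.
# Assumes the OpenLDAP ldapsearch client. Host, DNs and the object class are
# the procedure's values; AM_DS_VERIFY is this script's own switch.

# Effective search base: the people container (ou=<value>) under the
# organization DN. An empty people container value means the search starts
# at the organization DN itself, as the Note in step 12 says.
effective_search_base() {
    org_dn=$1
    people=$2
    if [ -z "$people" ]; then
        printf '%s\n' "$org_dn"
    else
        printf 'ou=%s,%s\n' "$people" "$org_dn"
    fi
}

# LDAP filter for the configured user object classes (one or more).
user_filter() {
    if [ $# -eq 1 ]; then
        printf '(objectClass=%s)\n' "$1"
        return 0
    fi
    f='(|'
    for oc in "$@"; do
        f="$f(objectClass=$oc)"
    done
    printf '%s)\n' "$f"
}

# The server list must no longer contain the inherited default entry.
check_servers() {
    for s in "$@"; do
        case $s in
            LoadBalancer-1.example.com:389) return 1 ;;
        esac
    done
    return 0
}

# Returns 1 when the bind DN is the directory root DN, which bypasses ACIs.
check_bind_dn() {
    case $1 in
        'cn=Directory Manager') return 1 ;;
    esac
    return 0
}

SERVER='LoadBalancer-2.example.com:489'
BIND_DN='cn=Directory Manager'
ORG_DN='dc=company,dc=com'
PEOPLE='users'

check_servers "$SERVER" || echo "warning: default LoadBalancer-1.example.com:389 entry still present" >&2
check_bind_dn "$BIND_DN" || echo "warning: binding as the directory root DN" >&2

BASE=$(effective_search_base "$ORG_DN" "$PEOPLE")
FILTER=$(user_filter inetorgperson)

# Print the check; run it only when AM_DS_VERIFY=1. -W prompts for the bind
# password so it never appears on the command line or in the process list.
echo "ldapsearch -x -LLL -H ldap://$SERVER -D \"$BIND_DN\" -W -b \"$BASE\" \"$FILTER\" uid"
if [ "${AM_DS_VERIFY:-0}" = 1 ]; then
    ldapsearch -x -LLL -H "ldap://$SERVER" -D "$BIND_DN" -W -b "$BASE" "$FILTER" uid
fi
```

Run it with AM_DS_VERIFY=1 on a host that can reach the load balancer; a result set that lists uid values under ou=users,dc=company,dc=com confirms the bind DN, organization DN, people container and object class match the directory. An empty result with no error usually means the people container value or the object class is wrong, while a bind error points at the DN or password.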