Sun OpenSSO Enterprise supports Microsoft Active Directory as the user data store.
Contents
Configuring Active Directory With the OpenSSO Enterprise Schema Files
Configuring an Authentication Module to Login Through Active Directory
By default, OpenSSO Enterprise defines a set of object classes and attributes. These object classes and attributes are required in your Active Directory server if you want OpenSSO Enterprise to manage your Active Directory server.
The OpenSSO Console provides user management functionality based on the OpenSSO Enterprise predefined set of object classes and attributes, as specified through the OpenSSO Enterprise XML files. If the Active Directory server you are trying to access does not have these required object classes or the attributes defined, access involving the missing object class or attributes will fail, unless you change the user XML files to match the attributes defined for your Active Directory server.
For example, when you create a user via the OpenSSO Console, the Console writes out to the Active Directory server the predefined set of OpenSSO Enterprise object classes and attributes for the user. If the Active Directory server is not configured with the same set of user object classes and attributes, the user create operation will fail. When you use the Console's user information page to edit a user's information, unless the Active Directory server has the same set of attributes and/or object classes defined for the user as OpenSSO Enterprise does, the operation will fail.
The Access Manager Identity Repository (IdRepo) LDAPv3 plug-in provides attribute name mapping. You can refer to an attribute name as one name in OpenSSO Enterprise and a different name in your Active Directory server. As a result, you need not have all OpenSSO Enterprise attributes defined in Active Directory if you use attribute name mapping. However, if OpenSSO Enterprise has more attributes than you have in your Active Directory server, you cannot do one-to-one mapping, and some OpenSSO Enterprise read or write operations will fail due to missing attributes in the Active Directory server.
To configure and use Active Directory as the user data store, your deployment must meet these requirements:
OpenSSO Enterprise 8.0 is installed on a supported web container.
Active Directory 2003 is installed on Windows Server 2003 R2 with “Windows Server forest functional level” enabled. For more information, see:
You have not made any changes to the OpenSSO Enterprise schema, attributes, or XML files.
The Access Manager Identity Repository (IdRepo) LDAPv3 plug-in must be able to assign the service's object class name to the user's object class attribute, so it can tell if a user has been assigned a given service. The following procedure describes how to load the OpenSSO Enterprise schema files into Active Directory and then to configure OpenSSO Enterprise to enable the OpenSSO Enterprise services.
Back up the am_remote_ad_schema.ldif file.
After you have unzipped opensso_enterprise_80.zip, this file is available in the following directory:
zip-root/opensso/ldif
In the am_remote_ad_schema.ldif file, replace @ROOT_SUFFIX@ with the root suffix of your Active Directory installation.
Using Active Directory tools (or another tool of your choice), load the am_remote_ad_schema.ldif file from the previous step into Active Directory.
Log in to the OpenSSO Administration Console. In the data store configuration page's LDAP User Attributes field, add the attribute names defined in the above LDIF file.
If you are writing your own service with dynamic user attributes, the service.ldif file for Active Directory must NOT have the following lines:
dn: CN=User,CN=Schema,CN=Configuration,ROOT_SUFFIX changetype: modify add: auxiliaryClass auxiliaryClass: yourClassname
Otherwise, OpenSSO Enterprise will not be able to assign the service's object class name to the user's object class attribute.
This section describes how to configure an Access Manager Identity Repository (IdRepo) LDAPv3 data store for Active Directory.
Log in to the OpenSSO Admin Console.
Click Access Control, realm-name, Data Sores, and then New.
Enter the Name, check Active Directory, and then click Next.
Set the following Active Directory attributes.
LDAP Server: Active Directory server name and port number that you want to connect to. For example: myADServer.example.com:389
LDAP Bind DN: CN=Administrator,CN=Users,DC=example,DC=com
LDAP Bind Password: Password for CN=Administrator,CN=Users,DC=example,dc=com
LDAP Organization DN: DC=example,DC=com — Organization DN that this datastore will map to. This will be the base DN of all operations performed in this data store.
Enable LDAP SSL: Select if the Active Directory server is in SSL mode.
LDAP Connection Pool Minimum Size: Initial number of connections in the connection pool. The use of connection pool avoids having to create a new connection each time.
LDAP Connection Pool Maximum Size: Maximum number of connections allowed.
Maximum Results Returned from Search: Maximum number of search results to return. This value should be based on the size of your LDAP organization. The maximum number returned cannot exceed the ns size limit configured for the Active Directory server.
Search Timeout: Maximum time in seconds to wait for results on a search operation.
LDAP Follows Referral: Option specifying whether or not referrals to other LDAP servers are followed automatically.
LDAPv3 Repository Plugin Class Name: Where to find the class file that implements the LDAPv3 repository.
Attribute Name Mapping: Allows for common attributes known to the framework to be mapped to the native data store. Map the attributes as follows:
mail=userPrincipalName
iplanet-am-user-alias-list=objectGUID
employeeNumber=distinguishedName
uid=sAMAccountName
portalAddress=sAMAccountName
telephonenumber=displayName
LDAPv3 Plugin Supported Types and Operations: No change is needed.
LDAP Users Search Attribute: cn — Naming attribute of user.
LDAP Users Search Filter: (objectclass=person)
LDAP User Object Class: Object classes for user. When a user is created, this list of user object classes will be added to the user's attributes list. Therefore, it is important that the object classes you entered here actually exist in the Active Directory server; otherwise, you will get an object class violation (error=65).
Enter the following object classes (names are not case sensitive):
top
person
organizationalPerson
user
LDAP User Attributes: Definitive list of attributes associated with a user. If an attribute is not on this list, it will not be sent or read. Therefore, if there is any possibility that the user entry can contain this attribute, you should list it here. Or, if the attribute is not defined in the Active Directory server, you should not enter it here; otherwise, you will get an error when OpenSSO Enterprise tries to write this attribute to Active Directory. Enter the following attributes (names are not case sensitive):
cn, description, displayName, distinguishedName, dn, employeeNumber, givenName, mail, manager, memberOf, name, objectClass, objectGUID, postalAddress, sAMAccountName, sAMAccountType, sn, streetAddress, telephoneNumber, userAccountControl, userpassword, userPrincipalname
iplanet-am-auth-configuration, iplanet-am-auth-login-success-url, iplanet-am-auth-login-failure-url, iplanet-am-auth-post-login-process-class
iplanet-am-session-add-session-listener-on-all-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-destroy-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status
iplanet-am-user-auth-modules, iplanet-am-user-login-status, iplanet-am-user-admin-start-dn, iplanet-am-user-auth-config, iplanet-am-user-alias-list, iplanet-am-user-success-url, iplanet-am-user-failure-url, iplanet-am-user-password-reset-options
iplanet-am-user-password-reset-question-answer, iplanet-am-user-password-reset-force-reset, sunIdentityServerDiscoEntries, iplanet-am-user-federation-info-key, iplanet-am-user-federation-info sunIdentityMSISDNNumber
iplanet-am-user-admin-start-dn, iplanet-am-user-account-life, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-failure-url, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url
sunAMAuthInvalidAttemptsData
sunIdentityServerDeviceKeyValue, sunIdentityServerDeviceStatus, sunIdentityServerDeviceType, sunIdentityServerDeviceVersion, sunxmlkeyvalue
sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPSignKey, sunIdentityServerPPDemographicsBirthday, sunIdentityServerPPCommonNameFN, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPCommonNameMN, sunIdentityServerPPLegalIdentityAltIDType, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPAddressCard, sunIdentityServerPPLegalIdentityAltIDValue, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityVATIDValue, sunIdentityServerPPEncryptKey, sunIdentityServerPPMsgContact, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPCommonNamePT, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityVATIDType, sunIdentityServerPPDemographicsAge, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEmergencyContact, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeGreetMeSound, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameSN, sunIdentityServerPPInformalName, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPEmploymentIdentityAltO
User Status Attribute: userAccountControl — Attribute to check to determine if a user is active or inactive. When a user is created, the default user's active or inactive status is assigned based on the value in this field:
User Status Active Value: 544
User Status Inactive Value: 546
LDAP Groups Search Attribute: cn — Naming attribute of a group. This attribute name will be used to construct the group's dn and search filter.
LDAP Groups Search Filter: (objectclass=group) — Filter employed when doing a search for groups. The LDAP Groups Search Attribute will be prepended to this field to form the actual group search filter.
LDAP Groups Container Naming Attribute: cn — Naming attribute for a group container if groups resides in a container; otherwise, leave it blank.
LDAP Groups Container Value: users — Value for the group container.
LDAP Groups Object Class: objectclasses for group. When a group is created, this list of group object classes will be added to the group's attributes list. Enter the following object classes (names are not case sensitive):
group
top
LDAP Groups Attributes: Definitive list of attributes associated with a group. Any attempt to read or write group attributes that are not on this list is not allowed. Therefore, you should enter all possible attributes. Enter the following attributes (names are not case sensitive):
objectClass
sAMAccountName
distinguishedName
member
objectCategory
dn
cn
sAMAccountType
name
Attribute Name for Group Membership: memberOf — Name of the attribute whose values are the names of all the groups that this dn belongs to.
Attribute Name of Unique Member: member — Attribute name whose value is a dn belonging to this group.
Attribute Name of Group Member URL: memberUrl — Name of the attribute whose value is an LDAP URL that resolves to members belonging to this group.
LDAP People Container Naming Attribute: cn — Naming attribute of people container if user resides in a people container.
LDAP People Container Value: users
LDAP Agents Search Attribute: cn — Naming attribute of an agent. This attribute name will be used to construct the agent's dn and search filter.
LDAP Agents Container Naming Attribute: cn — Naming attribute of agent container if agent resides in an agent container.
LDAP Agents Container Value: users — Value of the agent container.
LDAP Agents Search Filter: (objectClass=sunIdentityServerDevice)— Filter employed when searching for an agent.
LDAP Agents Object Class: ojectclasses for agents. When an agent is created, this list of user object classes will be added to the agent's attributes list. Enter the following object classes (names are not case sensitive):
person
organizationalPerson
sunIdentityServerDevice
top
LDAP Agents Attributes: Definitive list of attributes associated with a user. Any attempt to read or write user attributes that are not on this list is not allowed. Enter the following attributes (names are not case sensitive):
cn
dn
name
objectClass
userPassword
sunIdentityServerDeviceVersion
sunIdentityServerDeviceType
sunIdentityServerDeviceKeyValue
sunIdentityServerDeviceStatus
sunxmlkeyvalue
description
Persistent Search Base DN: DC=example,DC=com — Base DN to use for a persistent search. For Active Directory, this needs to be the root suffix.
Persistent Search Maximum Idle Time Before Restart: Restart the persistence search if it has been idle for this maximum allowed time. Default value is OK.
Maximum Number of Retries After Error Codes: Number of times to retry the persistent search operation if it encounters the error codes specified in LDAP Exception Error Codes to Retry On. Default value is OK.
Delay Time Between Retries: Time to wait before each retry. Applies only to a persistent search connection. Default value is OK.
LDAP Exception Error Codes to Retry On: Retry the persistent search operations if these errors are encountered. Default value is OK.
Click Finish.
In the OpenSSO Administration Console, click realm for which you want to add the new authentication chain.
Click the Authentication tab.
Create a new module instance with the following data:
Primary Active Directory server: ADServer:ADServerPort
DN to Start User Search: dc=example,dc=com
DN for Root User Bind: cn=Administrator,cn=users,dc=RootUser,dc=com
Password for Root User Bind: AdministratorPassword
Attribute Used to Retrieve User Profile: sAMAccountName
Attributes Used to Search for a User to be Authenticated: sAMAccountName
Search Scope: SUBTREE
Create a new Authentication chaining instance:
Change Default Authentication Chain to the new authentication chain you just created.
Click Save.
To login using Active Directory for authentication, specify the following URL:
http://YourAccessManagerServer:port/amserver/UI/login?org=YourRealmName
The above configuration will allow you to list users and groups. It will also allow you to perform some basic user profile operations. You should be able to change the following user profile information in the OpenSSO Console:
emailaddress
employeeNumber
telephonenumber — Active Directory will add it.
postalAddress — Home address in the Console. Active Directory will add it.
user alias list
However, you cannot do the following operations because of missing attributes or object classes:
Cannot create firstname, lastname, fullname.
Cannot create a group.
Cannot change the user authentication (iplanet-am-user-auth-config). No attribute exists.
Cannot change the user status (inetUserStatus). No attribute exists.
Cannot change the success URL (iplanet-am-user-success-url). No attribute exists.
Cannot change the failure URL (iplanet-am-user-failure-url). No attribute exists.
Cannot change the MSISDN number (sunIdentityMSISDNNumber). No attribute exists.
Cannot create a user or agent in OpenSSO Console. The user must be created in Active Directory.
Cannot change the user or agent password. This change must be done in Active Directory.