Create a new realm that you can use to authenticate against only the existing Directory Server. The two Access Manager servers share configuration, so you configure the new realm on just one Access Manager server.
Use the following as your checklist for creating a user realm:
Start a new browser and log in to the first Access Manager server.
Go to the URL http://AccessManager-1.example.com:1080/amserver/console
Log in as a root user to the Access Manager console using the following information:
amadmin
4m4dmin1
Click the Access Control tab, and then click New.
In the New Realm page, in the Name field, enter users .
Click OK.
On the Access Control tab, under Realms, click the Realm Name users.
On the General tab for users-Properties, add users to the Realm/DNS/Aliases list.
In the Add field enter users, and then click Add.
Click Save.
Modify the User Profile.
Click Realms.
On the Access Control tab, under Realms, select the new realm users.
Click the Authentication tab.
In the General section, click Advanced Properties.
In the Core page, in the Realm Attributes section, change the User Profile attribute to Ignored.
Access Manager is configured to use only the existing Directory Server for authentication, and a full User Profile may not exist. That's why the attribute is set to Ignored in this example.
Click Save.
The changes are saved, and the Core > Realm Attributes page is displayed.
Create a new authentication module.
Configure the new realm.
In the users — Authentication page, in the New Module Instances section, click the New Instance named usersLDAP.
In the LDAP > Realm Attributes page, set the following attributes:
In the Add field, enter the hostname and port number for the load balancer for the user data store:LoadBalancer-2.example.com:489 .
In the server listbox, select the default server, then click Remove.
In the Add field, enter dc=company,dc=com and then click Add.
Select the default entry o=example.com, and then click Remove.
uid=userdbauthadmin,ou=users,dc=company,dc=com
4serd84uth4dmin
4serd84uth4dmin
These values were imported into the user data store in a previous task. See To Import Users into the User Data Store.
Click Save.
The changes are saved, and the users — Authentication page is displayed.
Configure the default ldapService chain to use the new authentication module.
Remove the LDAP authentication module.
This module is automatically inherited from the default realm and it authenticates against the Access Manager configuration directory. The module is no longer needed now that the usersLDAP module will be used for authentication.
On the users — Authentication page, click Save.
Changes you made in the previous steps are saved.
This procedure is not required to make Access Manager work in all scenarios because not all scenarios require role support. The procedure is required in this deployment example because policies are created in later procedures, and the policies will refer to roles.
On the Access Control tab, under Realms, click the users link.
Click the Data Stores tab, and then click the usersLDAP link.
On the Edit Data Store page, in the section “LDAPv3 Plugin Supported Types and Operations,” in the Add field, enter role=read,create,edit,delete, and then click Add.
In the section, “LDAP User Attributes,” in the Add field, enter nsrole, and then click Add.
In the Add field, enter nsroledn, and then click Add.
Click Save.
Edit the Top-Level Realm.
Click Edit Realm.
Click Subjects > Role.
Two roles employee and manager are in the Roles list.
Click the Users tab, and then click the testuser1 link.
Click on the Role tab.
Verify that testuser1 is added to the manager role. The role manager is displayed in the list of selected roles.
Click Edit Realm —users, and then click the testuser2 link.
Click on the Role tab.
Verify that testuser2 is added to the employee role. The role employee is displayed in the list of selected roles.
Click Edit Realm —users, and then click the testuser2 link.
Delete the default data store.
Create a new data store.
Click New .
In the “Step 1 of 2: Select Type of Data Store” page, set the following attributes:
Enter usersLDAP.
Choose “LDAPv3 Repository Plug-In.”
Click Next.
In the “Step 2 of 2: New Data Store” page, set the following attributes:
In the Add field, enter the hostname and port number for the existing directory. Use the form LoadBalancer-2.example.com:489
Select the default DirectoryServer-1.example.com:1389 , and then click Remove.
Enter uid=userdbadmin,ou=users,dc=company,dc=com .
4serd84dmin
4serd84dmin
Enter dc=company,dc=com.
users
When this field is empty, the search for users will start from the root suffix.
Enter dc=company,dc=com.
These values were imported into the user data store in a previous task. See To Import Users into the User Data Store.
Click Finish and log out of the Access Manager console.
Restart each Access Manager server for the changes to take place.
Log in to each Access Manager host system, and restart the Web Server on each host system.
Verify that in the Access Manager console you can see the users in the external user data store.
Go to the Access Manager URL.
http://AccessManager-1.example.com:1080/amserver/UI/Login
Log in to the Access Manager console using the following information:
amadmin
4m4dmin1
Click on Users Realm.
Click on Subjects tab.
You should see three new users: authuiadmin, userdbadmin, and userdbauthadmin.
Verify that a user can successfully authenticate against the new realm.
Start a new browser session and log in to Access Manager.
Go to the following URL:
http://AccessManager-1.example.com:1080/amserver/UI/Login?realm=users
The parameter realm=users specifies the new realm to use for authentication. Without the parameter, the default realm is used.
On the login page, provide a user login and password from the existing directory.
authuiadmin
4uthu14dmin
You should be able to log in successfully.
If the login is not successful, watch the existing Directory Server access log to troubleshoot the problem.
At this point, a user can log in against the existing Directory Server if he invokes the realm=users parameter. If such a parameter is absent, the default realm is used.
Administrators who want to access the Access Manager console should log in to the default realm.