To Migrate the Federation Manager User Data
to the Directory Server User Data Store
-
Go to the Federation Manager 1 URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login
Notice that above the User Name field, the text says “This server uses flat file authentication scheme.”
-
Log in to the Federation Manager 1 console:
- User Name
-
amadmin
- Password
-
11111111
-
Add a new authentication service.
-
Click the Organization tab.
-
Click the Authentication subtab, and then click Add.
-
In the list of Authentication Modules, select LDAP, and then click Next.
-
On the LDAP page, provide the following information:
- Primary LDAP Server List:
-
Add LoadBalancer-8.siroe.com:1389.
- DN to Start User Search List:
-
Add o=siroeusers.com.
- DN for Root User Bind:
-
cn=fmldapuser,ou=People,o=siroeusers.com
This root DN is used by the authentication module to create a connection to the Directory Server. This eliminates the need to authenticate each user by individual uid.
- Password for Root User Bind:
-
00000000
- Password for Root User Bind (confirm):
-
00000000
- Attribute used to Retrieve User Profile:
-
uid
- Attribute User do Search for a User to be Authenticated:
-
uid
-
Click Assign.
-
-
On the Authentication page, locate the module named Core, and click its Edit link.
-
On the Core page, provide the following information:
- Organization Authentication Modules:
-
Choose Flatfile, LDAP and SAMLv2.
- People Container for All Users:
-
Add to the list ou=People,o=sirousers.com.
Click Save.
-
Verify that LDAP is included as an Organizational Attribute.
Click the Configuration tab. On the Configuration tab, under Authentication, click Core.
On the Core page, under Organization Attributes, verify that Flatfile, LDAP, and SAMLv2 are included in the list of Organization Authentication Modules.
-
In the Directory Server, create a user named fmldapuser.
This user is the Federation Manager user that can access the Directory Server. This user and has read, write, and search permissions in o=siroeusers.com branch of the Directory Server.
-
Create an LDIF file named fmldapuser.ldif with the following entries:
dn: cn=fmldapuser,ou=People,o=siroeusers.com changetype: add objectclass: inetuser objectclass: organizationalperson objectclass: person objectclass: top cn: fmldapuser sn: fmldapuser userPassword: 00000000 dn:o=siroeusers.com changetype:modify add:aci aci: (target="ldap:///o=siroeusers.com")(targetattr="*") (version 3.0; acl "FM special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=fmldapuser,ou=People,o=siroeusers.com"; )
-
Load ./fmldapuser.ldif into Directory Server 1.
# ldapmodify -D "cn=Directory Manager" -w d1rm4ngr -h LoadBalancer-8.siroe.com -p 1389 -f ./fmldapuser.ldif
-
-
Change the default authentication module from Flat File to LDAP.
-
Log in to the Federation Manager 1 host.
-
Go to the following directory:
/opt/SUNWam/fm/bin
-
Create a file named ldap.xml file that contains the following entries:
<?xml version="1.0" encoding="ISO-8859-1"?> <!-- Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved Use is subject to license terms. --> <!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN" "jar://com/iplanet/am/admin/cli/amAdmin.dtd"> <!-- CREATE REQUESTS --> <Requests> <OrganizationRequests DN="o=siroe.com"> <ModifyServiceTemplate serviceName="iPlanetAMAuthService" schemaType="Organization"> <AttributeValuePair> Attribute name="iplanet-am-auth-org-config" /> <Value><AttributeValuePair><Value> com.sun.identity.authentication.modules.ldap.LDAP REQUIRED< /Value></AttributeValuePair></Value> </AttributeValuePair> </ModifyServiceTemplate> </OrganizationRequests> </Requests>The attributes and AttributeValuePair in bold are the significant changes made to the configuration.
-
Load ldap.xml.
# ./amadmin -i /var/opt/SUNWam/fm/war-staging -u amadmin -w 11111111 -t ldap.xml
-
- © 2010, Oracle Corporation and/or its affiliates