To Configure the Tivoli Directory Server Data Store in the OpenSSO Console
Log in to the OpenSSO Administration Console.
Click Access Control, realm-name, Data Stores, and then New.
Enter the Name, check Generic LDAPv3, and then click Next.
On the New Data Store page, specify the following fields:
LDAP Server: Fully qualified name and port number of the Tivoli Directory Server. For example: tivolids.example.com:8080
LDAP Bind DN: DN of a user who has sufficient access rights to Tivoli Directory Server. For example: cn=root
LDAP Bind Password: Password of the “LDAP Bind DN” user.
LDAP Organization DN: Base DN or starting point for this data store. For example: dc=opensso,dc=java,dc=net
LDAP SSL: Check to use an SSL connection.
LDAP Connection Pool Minimum Size: Use the default value 1.
LDAP Connection Pool Maximum Size: Use the default value 10.
Maximum Results Returned from Search: Use the default value 1000.
Search Timeout: Use the default value 10.
LDAP Follows Referral: Check Enabled.
LDAPv3 Repository Plug-in Class Name: Use the default value: com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo
Attribute Name Mapping: Not required.
LDAPv3 Plug-in Supported Types and Operations: Operations that this data store can perform. Use the Current Values:
group=read,create,edit,delete
realm=read,create,edit,delete,service
user=read,create,edit,delete,service
LDAPv3 Plug-in Search Scope: Use the default value: SCOPE_ONE
LDAP Users Search Attribute: cn
LDAP Users Search Filter: (objectclass=organizationalPerson)
LDAP User Object Class: When a user is created, the user will be assigned these object classes. Depending on the object classes you have defined for your organization, some of the following default entries might not be necessary. If your organization has other object classes that are not on this list, add them to the list.
OpenSSO Enterprise requires these object classes: iplanet-am-user-service, iplanetPreferences, sunFederationManagerDataStore, sunFMSAML2nameIdentifier, and sunIdentityServerLibertyPPService.
person, inetadmin, inetorgperson, inetUser, iplanet-am-user-service, iplanetPreferences, organizationalperson, sunFederationManagerDataStore, sunFMSAML2nameIdentifier, sunIdentityServerLibertyPPService, top
LDAP User Attributes: List of attributes that can be assigned to a user. Depending on how you have configured your directory server, you might have to add or remove some of the entries in this list. OpenSSO Enterprise requires the attributes with the “iplanet” and “sun” prefixes.
adminRole, authorityRevocationList, caCertificate, cn, distinguishedName, dn, employeeNumber, givenName, inetUserHttpURL, inetUserStatus, iplanet-am-auth-configuration, iplanet-am-user-auth-modules, iplanet-am-session-add-session-listener-on-all-sessions, iplanet-am-session-destroy-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status, iplanet-am-user-admin-start-dn, iplanet-am-user-account-life, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-failure-url, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url, iplanet-am-static-group-dn, mail, manager, memberOf, objectClass, postalAddress, preferredlanguage, preferredLocale, preferredtimezone, sn, sunAMAuthInvalidAttemptsData, sunIdentityMSISDNNumber, telephoneNumber, uid, userPassword, userCertificate, iplanet-am-user-federation-info-key, iplanet-am-user-federation-info, sunIdentityServerDiscoEntries
sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameFN, sunIdentityServerPPCommonNameSN, sunIdentityServerPPCommonNameMN, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPCommonNamePT, sunIdentityServerPPInformalName, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityAltIdType, sunIdentityServerPPLegalIdentityAltIdValue, sunIdentityServerPPLegalIdentityVATIdType, sunIdentityServerPPLegalIdentityVATIdValue, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEmploymentIdentityAltO, sunIdentityServerPPAddressCard, sunIdentityServerPPMsgContact, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPFacadegreetmesound, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPDemographicsAge, sunIdentityServerPPDemographicsBirthDay, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPSignKey, sunIdentityServerPPEncryPTKey, sunIdentityServerPPEmergencyContact, sun-fm-saml2-nameid-infokey, sun-fm-saml2-nameid-info
Create User Attribute Mapping: Use the Current Values: cn, sn
Attribute Name of User Status: inetuserStatus
User Status Active Value: Active
User Status Inactive Value: Inactive
LDAP Groups Search Attribute: cn
LDAP Groups Search Filter: The filter to use when searching for a group. You might have to change this value depending on which object class was used to denote a group: (objectclass=groupOfNames)
LDAP Groups container Naming Attribute:
LDAP Groups Container Value:
LDAP Groups Object Class: Tivoli Directory Server 6.1 groups can be static, dynamic, and nested, but only a static group is supported by the Identity Repository (IdRepo) data store. A static group defines each member individually using the structural object class groupOfNames, groupOfUniqueNames, accessGroup, or accessRole, or the auxiliary object class ibm-staticgroup or ibm-globalAdminGroup. A static group using the structural object class groupOfNames or groupOfUniqueNames requires at least one member or uniquemember, respectively. ibm-staticgroup is the only class for which members are optional. All other object classes taking members require at least one member.
Only one type of group object class is supported by OpenSSO Enterprise. If you choose a type of group that requires at least one member, you must enter a user in “Default Group Member's User DN”. This user is automatically added to the group when a group is created. You can remove this user from the group afterward if you don't want this user to be a member of the group. Use the Current Values: accessGroup, ibm-staticGroup, top
LDAP Groups Attributes: ou, dn, objectclass, cn, uniqueMember, description
Attribute Name for Group Membership:
Attribute Name of Unique Member: uniqueMember
Attribute Name of Group Member URL: memberUri
Default Group Member's User DN: This user will be automatically added to the group when the group is created. This is necessary because when you create a group in the OpenSSO console, no users are assigned to the group. But most of the Tivoli Directory Server groups require at least one member when the group is created. For example: cn=auser1,dc=opensso,dc=java,dc=net
LDAP People Container Naming Attribute:
LDAP People Container Value:
Identity Types That Can Be Authenticated: Check User.
Authentication Naming Attribute: uid
Persistent Search Base DN: For example: ou=company,dc=example,dc=com
Persistent Search Filter: (objectclass=*)
Persistent Search Maximum Idle Time Before Restart: 0
The Delay Time Between Retries: 1000
Maximum Number of Retries After Error Codes: 3
LDAP Exception Error Codes to Retry On: 80, 81, 91
Caching: Check Enabled.
Maximum Age of Cached Items: 600
Maximum Size of the Cache: 10240
Click Finish.
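The console accepts whatever is typed into these fields, so a misspelled operation name or a group object class chosen without a default member only surfaces later as a failed create. The following script is an added example, not OpenSSO or Tivoli Directory Server code; it encodes the constraints this procedure states (host:port form of LDAP Server, the object classes and attribute prefixes OpenSSO Enterprise requires, the allowed operations per identity type, the static-group classes that demand at least one member, and well-formed search filters) as checks you can run over a data store definition before entering it. The field names are the console labels used above; the sample definition, the `check_datastore` function and the membership table derived from the group object class description are assumptions of this example.

```python
"""Pre-flight checks for an OpenSSO Generic LDAPv3 data store definition
(added example; not OpenSSO or Tivoli code)."""
import re

# Object classes OpenSSO Enterprise requires on every user entry (from this page).
REQUIRED_USER_OBJECT_CLASSES = {
    "iplanet-am-user-service", "iplanetPreferences",
    "sunFederationManagerDataStore", "sunFMSAML2nameIdentifier",
    "sunIdentityServerLibertyPPService",
}

# Operations accepted in "LDAPv3 Plug-in Supported Types and Operations".
VALID_OPERATIONS = {"read", "create", "edit", "delete", "service"}

# Tivoli DS static-group classes; True means the class needs at least one
# member at creation, so "Default Group Member's User DN" must be set.
# Lower-cased because LDAP object class names are case-insensitive.
GROUP_CLASS_NEEDS_MEMBER = {
    "groupofnames": True, "groupofuniquenames": True,
    "accessgroup": True, "accessrole": True,
    "ibm-staticgroup": False, "ibm-globaladmingroup": True,
}


def parse_supported_ops(lines):
    """Turn 'type=op,op,...' lines into {type: [ops]}, rejecting unknown ops
    (a typo such as 'servce' is an error, not a silently dropped value)."""
    ops = {}
    for line in lines:
        idtype, _, rest = line.partition("=")
        allowed = [op.strip() for op in rest.split(",") if op.strip()]
        bad = [op for op in allowed if op not in VALID_OPERATIONS]
        if bad:
            raise ValueError(f"unknown operation(s) {bad} for type {idtype!r}")
        ops[idtype.strip()] = allowed
    return ops


def group_requires_default_member(object_classes):
    """True if any chosen group object class needs at least one member."""
    return any(GROUP_CLASS_NEEDS_MEMBER.get(oc.lower(), False) for oc in object_classes)


def balanced_filter(ldap_filter):
    """Structural check only: an LDAP filter is wrapped in balanced parentheses."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and ldap_filter.startswith("(") and ldap_filter.endswith(")")


def check_datastore(cfg):
    """Return a list of problems; an empty list means the definition is consistent."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", cfg["LDAP Server"]):
        problems.append("LDAP Server must be host:port, e.g. tivolids.example.com:8080")
    if not cfg.get("LDAP SSL"):
        # Without SSL the bind DN password crosses the network in cleartext.
        problems.append("LDAP SSL is unchecked; the LDAP Bind Password is sent in cleartext")
    missing = REQUIRED_USER_OBJECT_CLASSES - set(cfg["LDAP User Object Class"])
    if missing:
        problems.append(f"LDAP User Object Class is missing {sorted(missing)}")
    if not any(a.startswith(("iplanet", "sun")) for a in cfg["LDAP User Attributes"]):
        problems.append("LDAP User Attributes lacks the required iplanet*/sun* attributes")
    try:
        parse_supported_ops(cfg["LDAPv3 Plug-in Supported Types and Operations"])
    except ValueError as exc:
        problems.append(str(exc))
    for field in ("LDAP Users Search Filter", "LDAP Groups Search Filter",
                  "Persistent Search Filter"):
        if not balanced_filter(cfg[field]):
            problems.append(f"{field} is not a well-formed LDAP filter: {cfg[field]!r}")
    if (group_requires_default_member(cfg["LDAP Groups Object Class"])
            and not cfg.get("Default Group Member's User DN")):
        problems.append("chosen group object class needs a member; set Default Group Member's User DN")
    return problems


# Constructed sample mirroring the values in this procedure (not a real deployment).
SAMPLE = {
    "LDAP Server": "tivolids.example.com:8080",
    "LDAP SSL": True,
    "LDAP User Object Class": [
        "person", "inetadmin", "inetorgperson", "inetUser", "iplanet-am-user-service",
        "iplanetPreferences", "organizationalperson", "sunFederationManagerDataStore",
        "sunFMSAML2nameIdentifier", "sunIdentityServerLibertyPPService", "top"],
    "LDAP User Attributes": ["cn", "sn", "uid", "mail", "inetUserStatus",
                             "iplanet-am-user-login-status", "sun-fm-saml2-nameid-info"],
    "LDAPv3 Plug-in Supported Types and Operations": [
        "group=read,create,edit,delete",
        "realm=read,create,edit,delete,service",
        "user=read,create,edit,delete,service"],
    "LDAP Users Search Filter": "(objectclass=organizationalPerson)",
    "LDAP Groups Search Filter": "(objectclass=groupOfNames)",
    "Persistent Search Filter": "(objectclass=*)",
    "LDAP Groups Object Class": ["accessGroup", "ibm-staticGroup", "top"],
    "Default Group Member's User DN": "cn=auser1,dc=opensso,dc=java,dc=net",
}

if __name__ == "__main__":
    for line in check_datastore(SAMPLE) or ["OK: data store definition is consistent"]:
        print(line)
```

Run it as-is to see the sample pass; clear `LDAP SSL` or empty the default member DN and it reports the two consequences the procedure warns about (cleartext bind credentials and group creation failing for member-requiring object classes). The membership table follows the page's description of Tivoli DS 6.1 static groups and should be adjusted if your schema differs.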