Active Directory Attributes

When configuring Microsoft Active Directory to work with OpenSSO Enterprise, you have to map the predefined properties to properties defined in your instance of Active Directory; this is called attribute mapping. Following are the attributes that need to be defined when adding Active Directory as a data store to a realm.

LDAP Server

Enter the name of the LDAP server to which OpenSSO will be connected in the format host.domain:portnumber. If more than one entry is entered, an attempt is made to connect to the first host in the list. The next entry in the list is tried only if the attempt to connect to the current host fails.

Optionally, a server identifier and site identifier can be appended to the value of the LDAP Server attribute for redundancy. In this case, the format is host.domain:portnumber|serverID|siteID. These identifiers are assigned to the server when they are configured globally.

• serverID specifies a particular server as the primary LDAP server and others as secondary and tertiary (as defined) fallback servers. (If no number is specified, the LDAP server is primary.) The identifier is displayed in the OpenSSO console.

  1. Click the Configuration tab, click the Servers and Sites tab.

  2. Click the appropriate Server Name.

  3. Under the Advanced tab, see the value of the com.iplanet.am.lbcookie.value property — for example, 01.

  4. Click the Configuration tab, click the Servers and Sites tab.

• siteID is not currently displayed in the OpenSSO console. It is a two digit number generated internally by OpenSSO — for example, 02. To find this value, use an LDAP browser to find ou=accesspoint,ou=site_name,ou=com-sun-identity sites,ou=default,ou=GlobalConfig,ou=iPlanetAMPlatformService,ou=services,root-suffix. Under this DN, see sunkeyvalue:primary-siteid=site-id for the site identifier.

---

Caution –

This configuration should not be changed for the OpenSSO embedded data store as it may cause inconsistent behavior.

---

LDAP Bind DN

Specifies the DN name that OpenSSO Enterprise will use to authenticate to the LDAP server to which you are currently connected. The user with the DN name used to bind should have the correct add/modification/delete privileges that you configured in the LDAPv3 Plugin Supported Types and Operations attribute.

LDAP Bind Password

Specifies the DN password that OpenSSO Enterprise will use to authenticate to the LDAP server to which you are currently connected.

LDAP Bind Password (confirm)

Confirm the password.

LDAP Organization DN

The DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.

LDAP SSL

When enabled, OpenSSO Enterprise will connect to the primary server using the HTTPS protocol.

LDAP Connection Pool Minimum Size

Specifies the initial number of connections in the connection pool. The use of connection pool avoids having to create a new connection each time.

LDAP Connection Pool Maximum Size

Specifies the maximum number of connections to allowed.

Maximum Results Returned from Search

Specifies the maximum number of entries returned from a search operation. If this limit is reached, Active Directory returns any entries that match the search request.

Search Timeout

Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Active Directory returns any search entries that match the search request.

LDAP Follows Referral

If enabled, this option specifies that referrals to other LDAP servers are followed automatically.

LDAPv3 Repository Plugin Class Name

Specifies the location of the class file which implements the LDAPv3 repository.

Attribute Name Mapping

Enables common attributes known to the framework to be mapped to the native data store. For example, if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive. The defaults are:

• employeeNumber=distinguishedName

• iplanet-am-user-alias-list=objectGUID

• mail=userPrincipalName

• portalAddress=sAMAccountName

• telephonenumber=displayName

• uid=sAMAccountName

LDAPv3 Plugin Supported Types and Operations

Specifies the operations that are permitted to or can be performed on this LDAP server. The default operations that are the only operations that are supported by this LDAPv3 repository plug-in. The following are operations supported by LDAPv3 Repository Plugin:

• Agent: read, create, edit, delete

• Group: read, create, edit, delete

• Realm: read, create, edit, delete, service

• User: read, create, edit, delete, service

• Role: read, create, edit, delete

You can remove permissions from the above list (except role) based on your LDAP server settings and the tasks, but you can not add more permissions. If the configured LDAPv3 Repository plug-in is pointing to an instance of Sun Directory Server, permissions for the type role can be added. Otherwise, this permission may not be added because other data stores may not support roles.

If you have user as a supported type for the LDAPv3 repository, the read, create, edit, and delete service operations are possible for that user. In other words, if user is a supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries from the identity repository. The user=service operation lets OpenSSO Enterprise services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.

The user is also allowed to manage the user attributes for any assigned service. If the user has service as the operation (user=service), then it specifies that all service-related operations are supported. These operations are assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes and modifyService.

LDAPv3 Plug-in Search Scope

Defines the scope to be used to find LDAPv3 plug-in entries. The scope must be one of the following:

• SCOPE_BASE: searches only the base DN.

• SCOPE_ONE: searches only the entries under the base DN.

• SCOPE_SUB (default): searched the base DN and all entries within its subtree.

LDAP Users Search Attribute

This field defines the attribute type to conduct a search for a user. For example, if the user's DN is uid=user1, ou=people, dc=example, dc=com, then you would specify uid in this field.

LDAP Users Search Filter

Specifies the search filter to be used to find user entries.

LDAP User Object Class

Specifies the object classes for a user. When a user is created, this list of user object classes will be added to the user's attributes list.

LDAP User Attributes

Defines the list of attributes associated with a user. Any attempt to read/write user attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined before you define the object classes and attribute schema here.

Create User Attribute Mapping

Specifies which attributes are required when a user is created. This attribute uses the following syntax:

DestinationAttributeName=SourceAttributeName

If the source attribute name is missing, the default is the user ID (uid). For example:

cn
sn=givenName

Both cn and sn are required in order to create a user profile. cn gets the value of the attribute named uid, and sn gets the value of the attribute named givenName.

Attribute Name of User Status

Specifies the attribute name to indicate if the user is active or inactive.

User Status Active Value

This attribute value is assigned to the user when the user is created. For a user to be active, the Active Directory value is 544. For a user to be inactive, the Active Directory value is 546.

User Status Inactive Value

For Active Directory, this field is not used.

LDAP Groups Search Attribute

This field defines the attribute type for which to conduct a search on a group. The default is cn.

LDAP Group Search Filter

Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).

LDAP Groups Container Naming Attribute

Specifies the naming attribute for a group container, if groups resides in a container. Otherwise, this attribute is left empty. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=comresides in ou=groups, then the group container naming attribute is ou.

LDAP Groups Container Value

Specifies the value for the group container. For example, a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in a container name ou=groups, then the group container value would be groups.

LDAP Groups Object Classes

Specifies the object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.

LDAP Groups Attributes

Defines the list of attributes associated with a group. Any attempt to read/write group attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined before you define the object classes and attribute schema here.

Attribute Name for Group Membership

Specifies the name of the attribute whose values are the names of all the groups to which DN belongs. The default is memberOf.

Attribute Name of Unique Member

Specifies the attribute name whose values is a DN belonging to this group. The default is uniqueMember.

Attribute Name of Group Member URL

Specifies the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.

LDAP People Container Naming Attribute

Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container.

LDAP People Container Value

Specifies the value of the people container. The default is people.

---

Caution –

The entire tree under the baseDN will be searched if the value of this attribute is set to null (empty).

---

Identity Types That Can be Authenticated

Specifies that this data store can authenticate user and/or agent identity types when the authentication module mode for the realm is set to Data Store.

Authentication Naming Attribute

This value is currently not used.

Persistent Search Base DN

Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.

Persistent Search Filter

Defines the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter.

Persistent Search Scope

Defines the scope to be used in a persistent search. The scope must be one of the following:

• SCOPE_BASE – searches only the base DN.

• SCOPE_ONE – searches only the entries under the base DN.

• SCOPE_SUB (default) – searched the base DN and all entries within its subtree.

Persistent Search Maximum Idle Time Before Restart

Defines the maximum idle time before restarting the persistence search. The value must be great than 1. Values less than or equal to 1 will restart the search irrespective of the idle time of the connection.

If OpenSSO Enterprise is deployed with a load balancer, some load balancers will time out if it has been idle for a specified amount of time. In this case, you should set the Persistent Search Maximum Idle Time Before Restart to a value less than the specified time for the load balancer.

Maximum Number of Retries After Error Code

Defines the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAPException Error Codes to Retry On.

The Delay Time Between Retries

Specifies the time to wait before each retry. This only applies to persistent search connection.

LDAPException Error Codes to Retry

Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.

Caching

If enabled, this allows OpenSSO Enterprise to cache data retrieved from the data store.

Maximum Age of Cached Items

Specifies the maximum time data is stored in the cache before it is removed. The values are defined in seconds.

Maximum Size of the Cache

Specifies the maximum size of the cache. The larger the value, the more data can be stored, but it will require more memory. The values are defined in bytes.