To Enable LDAP Authentication

1. Log in to the OpenSSO Enterprise console as an administrator.

2. Click the Access Control tab.

3. Navigate to Top Level Realm > Authentication > Authentication Chaining.

4. In the Authentication Chaining section, click New.

5. Enter a name for the chain and click OK.

   For this example: idmauth.

6. On the new chain's Properties page, add the LDAP module as REQUIRED, and click Save.

7. Click Back to Authentication.

8. For the Organization Authentication Configuration property value, choose the service you just created.

9. In the Module Instances section, choose LDAP.

10. Provide the following information to about the LDAP user data store:

    Primary LDAP Server:

    Use the form server.domain:port

    DN to Start User Search:

    Branch of the LDAP tree from which the user-search begins

    DN for Root User Bind:

    DN to use when binding to the LDAP user data store

    Password for Root User Bind:

    Password for the user binding to the LDAP user data store

    Password for Root User Bind (confirm):

    Type the password again

11. Save the changes.

12. Log out of the OpenSSO Enterprise console.

Next Steps

After completing this configuration:

• Use /opensso/console to log in to the OpenSSO Enterprise console; do not /opensso/UI/Login. This ensures that the authentication module configured for the OpenSSO Enterprise administrator is used when logging into the administration console, and that the LDAP module just configured for realm users is not used.

• Make sure this configuration hasn't affected how you can view the objects inside the OpenSSO Enterprise resource inside Identity Manager.

  Log in to the Identity Manager console and expand the OpenSSO Enterprise resource listing to view the OpenSSO Enterprise roles and groups inside it. If you receive an error, you may need to reconfigure the OpenSSO Enterprise adaptor to use a delegated administrator instead of amadmin to connect to OpenSSO Enterprise. The Identity Manager adaptor for OpenSSO Enterprise authenticates to OpenSSO Enterprise using the authentication configuration for the realm which is now different from the configuration for the OpenSSO Enterprise console. The amadmin will no longer work.

  To create the delegated administrator:

  1. Create a user.

  2. Assign this user to a group.

  3. Assign administrator privileges to this group.

  See Delegating Administrator Privileges in Sun OpenSSO Enterprise 8.0 Administration Guide for detailed information on delegating administrative privileges to a group.