This appendix describes the special setup required when the domain in which APM runs uses an OpenLDAP 2.2 identity store.
To use OpenLDAP 2.2 as a domain identity store with Authorization Policy Manager, proceed as follows:
1. Use the WebLogic Server administration console to create a new authenticator provider. For this new provider:
   a. Select OpenLDAPAuthenticator from the list of authenticators.
   b. Set the control flag of the OpenLDAPAuthenticator to SUFFICIENT.
   c. Set the control flag of the DefaultAuthenticator to SUFFICIENT.
   d. Change the order of authenticators so that the OpenLDAPAuthenticator is first in the list.
   e. In the Provider Specific page for the OpenLDAPAuthenticator, enter the User Base DN and the Group Base DN, and set the objectclass value in the Group From Name Filter to something other than groupofnames.
2. From the Home directory of the OpenLDAP installation:
   a. Open the file slapd.conf for editing.
   b. In that file, insert the following line in the "include" section at the top:
   c. Save the file, and restart OpenLDAP.
The above settings make it possible to add the object class inetorgperson to every new external role you create in OpenLDAP; this object class is required to map the external role to an application role.
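As an added verification example (not part of this documentation or of the APM product), the following Python script checks an LDIF export of the external-role entries for the inetOrgPerson object class that the mapping requires, and checks whether a Group From Name Filter still names groupofnames. The LDIF entries and the filter strings are constructed sample values.

```python
# Added example, not from the Oracle documentation: checks an LDIF export of
# OpenLDAP external roles (e.g. from ldapsearch -LLL) for the inetOrgPerson object
# class, and checks a WebLogic Group From Name Filter for objectclass=groupofnames.
import re

# Constructed sample export: the first role carries inetOrgPerson, the second does not.
SAMPLE_LDIF = """\
dn: cn=approvers,ou=roles,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
cn: approvers
sn: approvers

dn: cn=auditors,ou=roles,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: auditors
member: uid=bob,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries of 'attr: value' lines
    (attribute names lower-cased; base64 '::' values and folded lines not handled)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def roles_missing_inetorgperson(text):
    """DNs of entries without the inetOrgPerson object class; APM cannot map
    such external roles to application roles."""
    missing = []
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "inetorgperson" not in classes:
            missing.append(entry["dn"][0])
    return missing

def filter_uses_groupofnames(group_from_name_filter):
    """True when the objectclass in a Group From Name Filter such as
    '(&(cn=%g)(objectclass=groupofnames))' is still groupofnames (case-insensitive)."""
    m = re.search(r"\(objectclass=([^)]+)\)", group_from_name_filter, re.IGNORECASE)
    return bool(m) and m.group(1).strip().lower() == "groupofnames"
```

Run roles_missing_inetorgperson on the exported LDIF after step 2 to list the roles that still need the object class added.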