Using OpenLDAP as user data store for the OpenSSO

I have tried to use the account expiry and account lockout features of openSSO with OpenLDAP as my user data repository. The problem is these features heavily rely on the Access Manager specific schema , so unless you extend the Access manager schema to OpenLDAP these features cannot be used in the OpenSSO.

I did extend the Access Manager schema to OpenLDAP and tested the following features, You can download the schema file here
  • Account expiry
  • Account lockout
Few Quick steps


Create a new LDAPv3 generic data store

Add the following objectclasses(if not already added) to the 'LDAP User Object Classes'
inetadmin
inetorgperson
inetuser
iplanet-am-managed-person
iplanet-am-user-service
iplanet-am-session-service
iPlanetPreferences
organizationalperson
person
sunAMAuthAccountLockout
top

Under the 'LDAP User Attributes'
cn
dn
employeeNumber
givenName
inetUserStatus
iplanet-am-static-group-dn
iplanet-am-user-account-life
iplanet-am-user-alias-list
iplanet-am-user-auth-config
iplanet-am-user-failure-url
iplanet-am-user-success-url
iplanet-am-user-login-status
mail
objectClass
postalAddress
preferredLocale
sn
sunAMAuthInvalidAttemptsData
sunIdentityMSISDNNumber
telephoneNumber
uid
userPassword

make sure your OpenLDAP has following entries  created already inthe database.

dn: ou=People,o=sun.com
objectClass: top
objectClass: organizationalunit
objectClass: iplanet-am-managed-people-container
ou:people

dn: ou=Groups,o=sun.com
objectClass: top
objectClass: organizationalunit
objectclass: iplanet-am-managed-group-container
ou:groups

dn: ou=agents,o=sun.com
objectClass: top
objectClass: organizationalunit
objectclass: iplanet-am-managed-org-unit
ou:agents

if not you can quickly add them by using ldapmodify with input file contents shown above.  Now you are set to create users from openSSO console.  you can test the account expiry and account lockout  features for the users stored in the OpenLDAP directory.  You should be able to store all the user type attributes in this data store including the SAML,Federation related user attributes.(for OpenFM things are different, there is a different schema, which I have not tried yet against openLDAP)


Limitations:

  • Persistent search not supported(hence immediate notification not possible) has to wait until the cache expiry . It appears persistent search is supported by OpenLDAP, We need to see how opensso can leverage this
  • No Roles support
  • Groups supported by OpenLDAP but the AM/OpenSSO console is not ready to mange them but you can use the group memberships to evaluate policies




Posted on: Nov 03, 2006

Posted by: indira

Category: opensso

Permanent link to this entry

Comments:

Hi Its good one.. Can i Know the case with OpenDS instead of OpenLDAP. I want the Sequence of steps to do the UserLock and SessionTimeOut. I tried the same but its not working with OpenDS.. plz provide that info also... Thanx in Advance

Posted by anil on February 01, 2007 at 03:08 PM PST #

Do these limitations apply to all generic LDAPv3 data stores (OpenDS, ApacheDS, etc.)? I am having problems managing roles through the AM/OpenSSO console with OpenDS as my data store.

Posted by Chad Zezula on March 16, 2007 at 12:52 PM PDT #

Indira,
Thanks for the above instructions. We can create users in openldap from opensso interface using the OpenLDAP schema and the changes you suggested.
We are facing a problem while trying to create an agent.
The error we are getting is:
Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered a ldap exception. LDAP Error 64: A naming violation has occurred.

Here's our opensso agent configuration:
LDAP Agents Search Filter:(objectClass=sunIdentityServerDevice)

LDAP Agents Object class:
top
sunIdentityServerDevice

LDAP Agent attributes:
cn
uid
description
userPassword

Any suggestions are appreciated.

Thanks,
Dharmesh

Posted by Dharmesh on October 05, 2007 at 06:45 AM PDT #

Hi,
I am new to opensso/openfm. I want to work on openfm.
I am not able to connect openfm to datastore other than file system.
Can you plz help me out to overcome my problem.
I am also new to directory server. So if you can help me out how to configure openfm with directory server (openDS) and what are all the changes i need to do from schema point of view.

Thanks in advance.

Posted by Gaurav Sharma on January 02, 2008 at 06:49 AM PST #

If sappose i want to add my own object class like sampleGroup and in my own object class shall i put my own attribute. How to put my own object class in opensso?

Posted by praveena on February 05, 2009 at 03:10 AM PST #

Post a Comment:
  • HTML Syntax: NOT allowed

This blog copyright 2009 by indira