Document to configure an OpenSSO IDRepo DataStore to point to IBM Tivoli Directory Server.


Contributors

User: rsujatha (800 edits)

Introduction

This document explains how to configure an OpenSSO IdRepo DataStore to point to an IBM Tivoli Directory Server. The configuration was tested and verified against IBM Tivoli Directory Server (TDS) 6.1.

Prerequisites

The OpenSSO related schema needs to be imported.
From the OpenSSO workspace, load the following two LDIF files onto your IBM Tivoli DS 6.1:
opensso/products/amserver/war/ldif/am_remote_tivolids_schema.ldif
opensso/products/federation/openfm/ldif/fam_tivolids_schema.ldif

or

Download the attached LDIF files and load them (the files are attached and can be found under Tools/Attachments).

'am_remote_tivolids_schema.ldif' contains the LDAP attributes and objectclasses used by OpenSSO internally.
'fam_tivolids_schema.ldif' contains the LDAP attributes and objectclasses used by fam.

Step-by-Step Guide to Configure the 'Generic LDAPv3' datastore to point to IBM Tivoli Directory Server.

Access the OpenSSO Server through console.

Select 'DataStores' tab.
Select the datastore type "Generic LDAPv3".

Generic LDAPv3 configuration changes to be made:

  • LDAP Server: nameOfTivoliDS:portNumber
    Enter the host name of your IBM Tivoli DS 6.1 server, followed by a ":" and the port number.
  • LDAP Bind DN: cn=root
    Enter the DN to bind with.
  • LDAP Bind Password: password
    Enter the password of the bind DN.
  • LDAP Organization DN: dc=opensso,dc=java,dc=net
    Enter the base DN, or starting point, for this datastore.
  • LDAP SSL: uncheck
    Check or uncheck depending on whether the connection uses SSL or not.
  • LDAP Connection Pool Minimum Size: 1
  • LDAP Connection Pool Maximum Size: 10
  • Maximum Results Returned from Search: 1000
  • Search Timeout: 10
  • LDAP Follows Referral: Enabled
  • LDAPv3 Repository Plug-in Class Name: com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo
  • LDAPv3 Plug-in Supported Types and Operations:
    The identity types and operations this datastore can perform.
    Current Values:
    group: read,create,edit,delete
    realm: read,create,edit,delete,service
    user: read,create,edit,delete,service
  • LDAPv3 Plug-in Search Scope: SCOPE_ONE
  • LDAP Users Search Attribute: cn
  • LDAP Users Search Filter: (objectclass=organizationalPerson)
  • LDAP User Object Class
    When a user is created, the newly created user will be assigned these objectclasses. Depending on the objectclasses you have defined for your organization, some of the following default entries might not be necessary. If your organization has other objectclasses that are not on this list, add them to this list.
    The objectclasses iplanet-am-user-service, iplanetPreferences, sunFederationManagerDataStore, sunFMSAML2nameIdentifier and sunIdentityServerLibertyPPService are required by OpenSSO and fam.
    eperson
    inetadmin
    inetorgperson
    inetUser
    iplanet-am-user-service
    iplanetPreferences
    organizationalperson
    person
    sunFederationManagerDataStore
    sunFMSAML2nameIdentifier
    sunIdentityServerLibertyPPService
    top
  • LDAP User Attributes
    List of attributes that can be assigned to a user. Depending on how you have configured your directory server, you might have to add or remove some of the entries in this list. The attributes with the "iplanet*" and "sun*" prefixes are required by OpenSSO and fam.
    adminRole
    authorityRevocationList
    caCertificate
    cn
    distinguishedName
    dn
    employeeNumber
    givenName
    inetUserHttpURL
    inetUserStatus
    iplanet-am-auth-configuration
    iplanet-am-user-auth-modules
    iplanet-am-session-add-session-listener-on-all-sessions
    iplanet-am-session-destroy-sessions
    iplanet-am-session-get-valid-sessions
    iplanet-am-session-max-caching-time
    iplanet-am-session-max-idle-time
    iplanet-am-session-max-session-time
    iplanet-am-session-quota-limit
    iplanet-am-session-service-status
    iplanet-am-user-admin-start-dn
    iplanet-am-user-account-life
    iplanet-am-user-alias-list
    iplanet-am-user-auth-config
    iplanet-am-user-failure-url
    iplanet-am-user-login-status
    iplanet-am-user-password-reset-force-reset
    iplanet-am-user-password-reset-options
    iplanet-am-user-password-reset-question-answer
    iplanet-am-user-success-url
    iplanet-am-static-group-dn
    mail
    manager
    memberOf
    objectClass
    postalAddress
    preferredlanguage
    preferredLocale
    preferredtimezone
    sn
    sunAMAuthInvalidAttemptsData
    sunIdentityMSISDNNumber
    telephoneNumber
    uid
    userPassword
    userCertificate
    iplanet-am-user-federation-info-key
    iplanet-am-user-federation-info
    sunIdentityServerDiscoEntries
    sunIdentityServerPPCommonNameCN
    sunIdentityServerPPCommonNameFN
    sunIdentityServerPPCommonNameSN
    sunIdentityServerPPCommonNameMN
    sunIdentityServerPPCommonNameAltCN
    sunIdentityServerPPCommonNamePT
    sunIdentityServerPPInformalName
    sunIdentityServerPPLegalIdentityLegalName
    sunIdentityServerPPLegalIdentityDOB
    sunIdentityServerPPLegalIdentityMaritalStatus
    sunIdentityServerPPLegalIdentityGender
    sunIdentityServerPPLegalIdentityAltIdType
    sunIdentityServerPPLegalIdentityAltIdValue
    sunIdentityServerPPLegalIdentityVATIdType
    sunIdentityServerPPLegalIdentityVATIdValue
    sunIdentityServerPPEmploymentIdentityJobTitle
    sunIdentityServerPPEmploymentIdentityOrg
    sunIdentityServerPPEmploymentIdentityAltO
    sunIdentityServerPPAddressCard
    sunIdentityServerPPMsgContact
    sunIdentityServerPPFacadeMugShot
    sunIdentityServerPPFacadeWebSite
    sunIdentityServerPPFacadeNamePronounced
    sunIdentityServerPPFacadeGreetSound
    sunIdentityServerPPFacadegreetmesound
    sunIdentityServerPPDemographicsDisplayLanguage
    sunIdentityServerPPDemographicsLanguage
    sunIdentityServerPPDemographicsAge
    sunIdentityServerPPDemographicsBirthDay
    sunIdentityServerPPDemographicsTimeZone
    sunIdentityServerPPSignKey
    sunIdentityServerPPEncryPTKey
    sunIdentityServerPPEmergencyContact
    sun-fm-saml2-nameid-infokey
    sun-fm-saml2-nameid-info
  • Create User Attribute Mapping
    Current Values
    cn
    sn
  • Attribute Name of User Status: inetuserStatus
  • User Status Active Value: Active
  • User Status Inactive Value: Inactive
  • LDAP Groups Search Attribute: cn
  • LDAP Groups Search Filter: (objectclass=groupOfNames)
    Filter to use when searching for groups. You might have to change this depending on which objectclass is used to denote a group.
  • LDAP Groups Container Naming Attribute:
  • LDAP Groups Container Value:
  • LDAP Groups Object Class
    • IBM Tivoli DS 6.1 groups can be static, dynamic, or nested, but only static groups are supported by the idrepo datastore. A static group defines each member individually using the structural objectclass groupOfNames, groupOfUniqueNames, accessGroup, or accessRole, or the auxiliary objectclass ibm-staticGroup or ibm-globalAdminGroup. A static group using the structural objectclass groupOfNames or groupOfUniqueNames requires at least one member or uniqueMember, respectively. ibm-staticGroup is the only class for which member is optional; all other object classes taking member require at least one member.
    • Only one type of group objectclass is supported by OpenSSO. If you choose a type of group which requires at least one member, you will need to enter a user in "Default Group Member's User DN". This user will automatically be added to the group when a group is created; you can remove this user from the group afterwards if you don't want it to be a member of the group.
    accessGroup
    ibm-staticGroup
    top
  • LDAP Groups Attributes
    cn
    description
    dn
    objectclass
    ou
    uniqueMember
  • Attribute Name for Group Membership:
  • Attribute Name of Unique Member: member
  • Attribute Name of Group Member URL: memberUri
  • Default Group Member's User DN: cn=auser1,dc=opensso,dc=java,dc=net
    This user will be automatically added to the group when the group is created. This is necessary because when you create a group in the OpenSSO console, no users are assigned to the group, but most Tivoli group objectclasses require at least one member when the group is created.
  • LDAP People Container Naming Attribute:
  • LDAP People Container Value:
  • Identity Types That Can Be Authenticated:
    User
  • Authentication Naming Attribute: uid
  • Persistent Search Base DN: ou=Austin,dc=iplanet,dc=com
  • Persistent Search Filter: (objectclass=*)
  • Persistent Search Maximum Idle Time Before Restart: 0
  • Maximum Number of Retries After Error Codes: 3
  • The Delay Time Between Retries: 1000
  • LDAPException Error Codes to Retry On
    80
    81
    91
  • Caching: enabled.
  • Maximum Age of Cached Items: 600
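The static-group member rule described under "LDAP Groups Object Class" and "Default Group Member's User DN" above is easy to get wrong when a group is provisioned outside the OpenSSO console. The following is an added example (not code from the wiki page or from OpenSSO) that models that rule and emits the LDIF a new group would need; it assumes, matching the page's "Attribute Name of Unique Member: member", that accessGroup, accessRole and the ibm-* classes use `member` while groupOfUniqueNames uses `uniqueMember`.

```python
"""Model the IBM Tivoli DS static-group member rule and build group LDIF.

Added example: the object-class/attribute table below is an assumption
based on the page text, not something read from a live TDS schema.
"""

# Static-group object classes and the membership attribute each one uses.
MEMBER_ATTR = {
    "groupofnames": "member",
    "groupofuniquenames": "uniqueMember",
    "accessgroup": "member",
    "accessrole": "member",
    "ibm-staticgroup": "member",
    "ibm-globaladmingroup": "member",
}
# Per the page, ibm-staticGroup is the only class where member is optional.
MEMBER_OPTIONAL = {"ibm-staticgroup"}


def required_member_attr(object_classes):
    """Return (membership attribute, at_least_one_member_required) for the
    given group object classes. Auxiliary classes such as 'top' are ignored;
    mixing member- and uniqueMember-based classes is rejected."""
    lowered = [oc.lower() for oc in object_classes]
    attrs = {MEMBER_ATTR[oc] for oc in lowered if oc in MEMBER_ATTR}
    if len(attrs) != 1:
        raise ValueError("expected exactly one membership attribute, got %r" % attrs)
    mandatory = any(oc in MEMBER_ATTR and oc not in MEMBER_OPTIONAL for oc in lowered)
    return attrs.pop(), mandatory


def build_group_ldif(cn, base_dn, object_classes, members=(), default_member_dn=None):
    """Build LDIF for a new static group. When the object classes demand a
    member and none is given, fall back to default_member_dn (the page's
    'Default Group Member's User DN' setting) or fail loudly."""
    attr, mandatory = required_member_attr(object_classes)
    members = list(members)
    if not members and mandatory:
        if not default_member_dn:
            raise ValueError("%s requires at least one %s; set Default Group "
                             "Member's User DN" % (", ".join(object_classes), attr))
        members.append(default_member_dn)
    lines = ["dn: cn=%s,%s" % (cn, base_dn), "changetype: add"]
    lines += ["objectClass: %s" % oc for oc in object_classes]
    lines.append("cn: %s" % cn)
    lines += ["%s: %s" % (attr, m) for m in members]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample using the page's object classes and default member DN.
    print(build_group_ldif("staff", "dc=opensso,dc=java,dc=net",
                           ["accessGroup", "ibm-staticGroup", "top"],
                           default_member_dn="cn=auser1,dc=opensso,dc=java,dc=net"))
```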
The individuals who post here are part of the extended Sun Microsystems community and they might not be employed or in any way formally affiliated with Sun Microsystems. The opinions expressed here are their own, are not necessarily reviewed in advance by anyone but the individual authors, and neither Sun nor any other party necessarily agrees with them.

Copyright 1994-2009 Sun Microsystems, Inc.