Contributors
| User | Edits | Comments | Labels |
|---|---|---|---|
| rsujatha | 1 | 0 | 0 |
Introduction
- This doc explains how to configure an IdRepo LDAPv3 DataStore to point to a newly installed Active Directory Server.
- OpenSSO out of the box defines a set of object classes and attributes. These object classes and attributes are required on your Active Directory Server if you want OpenSSO to manage your DS. Alternately, you can modify OpenSSO's object classes and attributes to match what you have in your DS. The OpenSSO console out of the box provides user management functionality based on its pre-defined set of object classes and attributes, as specified in the xml files. If the DS you are trying to access does not have the necessary object classes or attributes defined, then any access involving the missing object class or attributes will fail, unless you change the user xml files to match the attributes defined for your DS. For instance, when you create a user via the OpenSSO console, the console writes to the DS the predefined set of OpenSSO object classes and attributes for the user. If the DS is not configured with the same set of user object classes and attributes, the 'user create' operation will fail. Likewise, when you use the console's user information page to edit a user's info, the operation will fail unless the DS has the same set of attributes and/or object classes defined for the user as OpenSSO.
- IdRepo LDAPv3 has a feature which provides attribute name mapping. This feature allows you to refer to an attribute as X on OpenSSO and as Y on your DS. As a result, you need not have all of OpenSSO's attributes defined in AD if you use attribute mapping. But if OpenSSO has more attributes than you have on your DS, then there is no way to do a 1-to-1 mapping, and some OpenSSO read/write operations will fail due to the missing attributes on the DS.
Step-by-Step Guide to Configure the 'Generic LDAPv3' datastore to point to Microsoft Active Directory Server.
The configuration example below assumes you have a newly installed Active Directory and have not made any changes to your AD's schema or attributes.
Access the OpenSSO Server through console.
Select 'DataStores' tab.
Select the datastore type "Generic LDAPv3".
Generic LDAPv3 configuration changes to be made:
- Primary LDAP Server: enter the name of the Active Directory server and its port number that you want to connect to.
example: myADServer.sun.com:389
- LDAP Bind DN: CN=Administrator,CN=Users,DC=sun,dc=com
- LDAP Bind Password: enter the password for CN=Administrator,CN=Users,DC=sun,dc=com
- LDAP Organization DN: DC=sun,DC=com
The organization DN that this datastore will map to. This will be the base DN of all operations performed in this data store.
- Enable LDAP SSL: select this if the DS is in SSL mode.
- LDAP Connection Pool Minimum Size: specifies the initial number of connections in the connection pool. The use of a connection pool avoids having to create a new connection each time.
- LDAP Connection Pool Maximum Size: the maximum number of connections allowed.
- Maximum Results Returned from Search: the maximum number of search results to return. This should be based on the size of your LDAP Organization. The max returned cannot exceed the ns-size-limit configured at the DS.
- Search Timeout: the maximum time in seconds to wait for results on a search operation.
- LDAP Follows Referral: Option specifying whether or not referrals to other LDAP servers are followed automatically.
- LDAPv3 Repository Plugin Class Name: where to find the class file which implements the LDAPv3 Repository.
- Attribute Name Mapping: allows for common attributes known to the framework to be mapped to the native data store.
mail=userPrincipalName
iplanet-am-user-alias-list=objectGUID
employeeNumber=distinguishedName
uid=sAMAccountName
portalAddress=sAMAccountName
telephonenumber=displayName
- LDAPv3 Plugin Supported Types and Operations: no need to change this for Active Directory user datastore configuration.
- LDAP Users Search Attribute: cn
(the naming attribute of user.)
- LDAP Users Search Filter: (objectclass=person)
- LDAP User Object Class: object classes for a user. When a user is created, this list of user object classes will be added to the user's attribute list, so it is important that the object classes you enter here actually exist on the Active Directory server; otherwise you will get an object class violation, error=65.
the following object classes should be entered: (case does not matter)
top
person
organizationalPerson
user
- LDAP User Attributes: the definitive list of attributes associated with a user. If an attribute is not on this list, it will not be sent or read.
If there is any possibility that the user entry can contain an attribute, then you should list it here.
If the attribute is not defined in AD, then you should not enter it here; otherwise you will get an error when OpenSSO tries to write this attribute to AD.
the following attributes should be entered: (case does not matter)
employeeNumber
objectClass
sAMAccountName
userpassword
mail
distinguishedName
userPrincipalname
objectGUID
sAMAccountType
name
displayName
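The three settings discussed above (the attribute mapping caveat in the introduction, the Attribute Name Mapping table, and the definitive LDAP User Attributes list) interact in ways that are easier to see in code. The following is an added illustration written for this page, not OpenSSO's own code: it models a framework attribute name being translated to its native AD name, then checked against the definitive list and against a constructed AD user entry. The entry, its values and the `read_user`/`plan_write` helper names are assumptions made for the example; the mapping and attribute list are copied from the settings above.

```python
"""Model of the attribute handling this page describes for the IdRepo LDAPv3
plugin: Attribute Name Mapping (framework name -> native AD name), the
definitive 'LDAP User Attributes' list, and what happens when a framework
attribute has no counterpart in AD. This is an added illustration, not
OpenSSO code; the AD entry below is constructed."""

# Attribute Name Mapping exactly as configured on this page.
ATTRIBUTE_NAME_MAPPING = {
    "mail": "userPrincipalName",
    "iplanet-am-user-alias-list": "objectGUID",
    "employeeNumber": "distinguishedName",
    "uid": "sAMAccountName",
    "portalAddress": "sAMAccountName",
    "telephonenumber": "displayName",
}

# 'LDAP User Attributes' as configured on this page. Anything not on this
# list is neither sent to nor read from AD (case does not matter).
LDAP_USER_ATTRIBUTES = {a.lower() for a in (
    "employeeNumber", "objectClass", "sAMAccountName", "userpassword", "mail",
    "distinguishedName", "userPrincipalname", "objectGUID", "sAMAccountType",
    "name", "displayName",
)}

# Constructed AD user entry (values are lists, as LDAP attributes are multi-valued).
AD_USER_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "userPrincipalName": ["jdoe@sun.com"],
    "distinguishedName": ["CN=jdoe,CN=Users,DC=sun,DC=com"],
    "displayName": ["Jane Doe"],
    "objectGUID": ["constructed-guid-0001"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
}


def to_native(framework_attr):
    """Framework name -> native AD name; unmapped names pass through unchanged."""
    return ATTRIBUTE_NAME_MAPPING.get(framework_attr, framework_attr)


def from_native(native_attr):
    """Native AD name -> every framework name mapped onto it. The page maps both
    uid and portalAddress to sAMAccountName, so the reverse direction is a list."""
    return [f for f, n in ATTRIBUTE_NAME_MAPPING.items() if n.lower() == native_attr.lower()]


def read_user(entry, requested):
    """Resolve framework attribute names against an AD entry.

    Returns (values, unreadable): values maps each readable framework name to
    the native attribute's values; unreadable lists (framework, native, reason)
    for names the plugin would not read, either because the native attribute is
    not on the definitive list or because the entry simply does not carry it."""
    lower_entry = {k.lower(): v for k, v in entry.items()}
    values, unreadable = {}, []
    for attr in requested:
        native = to_native(attr)
        if native.lower() not in LDAP_USER_ATTRIBUTES:
            unreadable.append((attr, native, "not in LDAP User Attributes"))
        elif native.lower() not in lower_entry:
            unreadable.append((attr, native, "attribute absent from AD entry"))
        else:
            values[attr] = lower_entry[native.lower()]
    return values, unreadable


def plan_write(changes):
    """Split a framework-side modification into what would be sent to AD (under
    native names) and what is dropped because it is not on the definitive list."""
    sent, dropped = {}, []
    for attr, vals in changes.items():
        native = to_native(attr)
        if native.lower() in LDAP_USER_ATTRIBUTES:
            sent[native] = vals
        else:
            dropped.append(attr)
    return sent, dropped


if __name__ == "__main__":
    vals, bad = read_user(AD_USER_ENTRY, ["mail", "uid", "telephonenumber", "inetUserStatus", "name"])
    print("readable:", vals)
    print("unreadable:", bad)
    print("sAMAccountName serves:", from_native("sAMAccountName"))
    print("write plan:", plan_write({"employeeNumber": ["E123"], "iplanet-am-user-success-url": ["/x"]}))
```

Running it shows why the operational notes at the end of this page come out the way they do: `inetUserStatus` and `iplanet-am-user-success-url` have no native name and are not on the definitive list, so they can be neither read nor written, while `telephonenumber` succeeds only because the mapping silently redirects it to `displayName`. It also shows that two framework names sharing one native attribute (uid and portalAddress) makes the reverse mapping ambiguous, which matters when the plugin has to present a native change back to the framework.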
- Attribute Name of User Status: inetUserStatus
(the name of the attribute checked to see whether a user is active or inactive. There is no corresponding attribute in AD, so the default is left as is as a placeholder.)
- LDAP Groups Search Attribute: cn
(the naming attribute of a group. This attribute name will be used to construct the group's DN and search filter.)
- LDAP Groups Search Filter: (objectclass=group)
(the filter employed when doing a search for groups. "LDAP Groups Search Attribute" will be prepended to this field to form the actual group search filter.)
- LDAP Groups container Naming Attribute: cn
(the naming attribute for a group container if groups reside in a container; otherwise leave it blank.)
- LDAP Groups Container Value: groups
(the value for the group container.)
- LDAP Groups Object Class:
(object classes for a group. When a group is created, this list of group object classes will be added to the group's attribute list.)
the following object classes should be entered: (case does not matter)
group
top
- LDAP Groups Attributes: a definitive list of attributes associated with a group. Any attempt to read/write a group attribute that is not on this list is not allowed, so you should enter all possible attributes.
the following attributes should be entered: (case does not matter)
objectClass
sAMAccountName
entrydn
distinguishedName
member
objectCategory
dn
cn
sAMAccountType
name
- Attribute Name for Group Membership: memberOf
(this is the name of the attribute whose values are the names of all the groups that this dn belongs to. )
- Attribute Name of Unique Member: member
(the attribute name whose values are the DNs of the members belonging to this group.)
- Attribute Name of Group Member URL: memberUrl
(the name of the attribute whose value is an LDAP URL which resolves to the members belonging to this group.)
- LDAP People Container Naming Attribute : cn
(the naming attribute of the people container if users reside in a people container.)
- LDAP People Container Value: users
- LDAP Agents Search Attribute: cn
(The naming attribute of an agent. This attribute name will be used to construct the agent's dn and search filter.)
- LDAP Agents Container Naming Attribute: cn
(the naming attribute of the agent container if agents reside in an agent container.)
- LDAP Agents Container Value: agents
(the value of the agent container.)
- LDAP Agents Search Filter: (objectClass=sunIdentityServerDevice)
(the filter employed when searching for agents.)
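The user, group, people container and agent settings above all follow the same two rules: the configured Search Attribute is prepended to the configured Search Filter, and the container naming attribute and value (when set) sit between an entry's RDN and the LDAP Organization DN. The following is an added example written for this page, not OpenSSO's own code, that builds the resulting filters and DNs from the settings given here. The AND-combination form of the filter, the RFC 4515/4514 escaping of values, and the `lookup_plan` helper and the looked-up names are assumptions made for the example.

```python
"""Constructs the search filters and entry DNs implied by the Generic LDAPv3
settings on this page: the configured 'Search Attribute' is prepended to the
configured 'Search Filter', and the container settings sit between an entry's
RDN and the LDAP Organization DN. Added example, not OpenSSO code. The
AND-combination form of the filter and the RFC 4515/4514 escaping are
assumptions about how the plugin behaves; the names looked up are constructed."""

# Settings from the page: (search attribute, search filter, container naming
# attribute, container value) per entity type, plus the organization DN.
ORG_DN = "DC=sun,DC=com"
SETTINGS = {
    "user": ("cn", "(objectclass=person)", "cn", "users"),
    "group": ("cn", "(objectclass=group)", "cn", "groups"),
    "agent": ("cn", "(objectClass=sunIdentityServerDevice)", "cn", "agents"),
}


def escape_filter_value(value):
    """RFC 4515: backslash, '*', '(', ')' and NUL in an assertion value become
    \\XX hex escapes, so a name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514: escape the characters that are special in an RDN value, plus a
    leading '#' and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(search_attr, name, configured_filter):
    """The page says the Search Attribute is prepended to the configured filter;
    the result is ANDed so both conditions must hold."""
    return "(&(%s=%s)%s)" % (search_attr, escape_filter_value(name), configured_filter)


def build_entry_dn(naming_attr, name, container_attr, container_value, org_dn=ORG_DN):
    """RDN, then the container RDN if a container naming attribute is configured
    (the page says to leave it blank when entries are not in a container), then
    the organization DN."""
    rdns = ["%s=%s" % (naming_attr, escape_dn_value(name))]
    if container_attr and container_value:
        rdns.append("%s=%s" % (container_attr, escape_dn_value(container_value)))
    rdns.append(org_dn)
    return ",".join(rdns)


def lookup_plan(kind, name):
    """Filter and DN the configured settings produce for one entity of the given kind."""
    search_attr, configured_filter, container_attr, container_value = SETTINGS[kind]
    return {
        "filter": build_search_filter(search_attr, name, configured_filter),
        "dn": build_entry_dn(search_attr, name, container_attr, container_value),
    }


if __name__ == "__main__":
    for kind, name in (("user", "jdoe"), ("group", "Domain Admins"), ("agent", "agent1")):
        print(kind, lookup_plan(kind, name))
    # A name carrying filter metacharacters is escaped rather than interpreted.
    print(build_search_filter("cn", "*)(objectClass=*", "(objectclass=person)"))
```

For the user settings above this yields `(&(cn=jdoe)(objectclass=person))` and `cn=jdoe,cn=users,DC=sun,DC=com`, which is where a freshly installed AD keeps its users (compare the bind DN `CN=Administrator,CN=Users,DC=sun,DC=com` earlier on this page). The escaping step is the part worth keeping in mind when a naming attribute value comes from user input: without it, a value containing `*`, `(` or `)` changes the meaning of the filter instead of matching a literal name.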
- LDAP Agents Object Class: object classes for agents. When an agent is created, this list of agent object classes will be added to the agent's attribute list.
the following object classes should be entered: (case does not matter)
sunIdentityServerDevice
top
- LDAP Agents Attributes: a definitive list of attributes associated with an agent. Any attempt to read/write agent attributes that are not on this list is not allowed.
the following attributes should be entered: (case does not matter)
dn
cn
objectClass
userPassword
entrydn
uid
- Persistent Search Base DN: DC=sun,DC=com
(the base DN to use for persistent search. For AD, this needs to be the root suffix.)
- Persistent Search Maximum Idle Time Before Restart: restart the persistent search if it has been idle for this maximum allowed time. The default value is ok.
- Maximum Number of Retries After Error Codes: how many times to retry the persistent search operation if it encounters the error codes specified in "LDAPException Error Codes to Retry On". The default value is ok.
- The Delay Time Between Retries: the time to wait before each retry. Only applies to the persistent search connection. The default value is ok.
- LDAPException Error Codes to Retry On: retry the persistent search operations if these errors are encountered. The default value is ok.
Operational notes:
The above configuration will allow you to list users and groups. It will also allow you to perform some user operations.
You should be able to change the following user info via console:
create user
can change email address
can change employeeNumber
can change telephonenumber (AD will just add it.)
can change postalAddress (which is home address on the console; AD will add it.)
can change user alias list.
You cannot do the following because of missing attributes and/or object classes, or due to some Active Directory controls.
cannot change/reset userpassword.
cannot create firstname,lastname,fullname
cannot create group.
cannot change user authentication(iplanet-am-user-auth-config) no such attribute.
cannot change user status(inetUserStatus). no such attribute.
cannot change success url(iplanet-am-user-success-url) no such attribute.
cannot change failure url(iplanet-am-user-failure-url) no such attribute.
cannot change MSISDN number(sunIdentityMSISDNNumber) no such attribute.