Active Directory Attributes and A-HA

Out-of-the-box, OpenSSO defines a set of objectclasses and attributes that are required to be a part of your directory schema if you want to manage the user entries using the OpenSSO console. If the directory you are trying to access does not have the predefined objectclasses and attributes, any attempted access involving the missing properties will fail. For example, when you create a user using the OpenSSO console, the console writes to the directory the predefined objectclasses and attributes for the user. If the directory is not configured with the same set of user objectclasses and attributes, the user create operation will fail.

When configuring Microsoft Active Directory to work with OpenSSO, you have to map the predefined properties to properties defined in your instance of Active Directory; this is attribute mapping. Following are the attributes that need to be defined when adding Active Directory as a data store to a realm. The configuration will allow you to list users and groups. It will also allow you to perform some user operations. The values assume a freshly installed Active Directory to which no attribute or schema changes have yet been made.

Still waiting for some email to verify some of the newer attributes. Will update when I receive them.

  • LDAP Server: enter the host machine name and port number of the instance of Active Directory to which you are connecting. For example, myADServer.sun.com:389
  • LDAP Bind DN: by default, CN=Administrator,CN=Users,dc=sun,dc=com
  • LDAP Bind Password: enter the password for CN=Administrator,CN=Users,dc=sun,dc=com
  • LDAP Bind Password (confirm): confirm the password for CN=Administrator,CN=Users,dc=sun,dc=com
  • LDAP Organization DN: enter the distinguished name (DN), defined in Active Directory, of the organization to which this data store will map; this becomes the base DN for all operations performed in this data store
  • LDAP SSL: select if the directory is configured in SSL mode
  • LDAP Connection Pool Minimum Size: specify the initial number of connections allowed in the connection pool; using the connection pool avoids creating a new connection for every operation
  • LDAP Connection Pool Maximum Size: specify the maximum number of connections allowed
  • Maximum Results Returned from Search: specify the maximum number of results to return when searching; this figure should be based on the size of your LDAP organization and cannot exceed the ns size limit configured on the directory side
  • Search Timeout: specify the maximum time in seconds to wait for results from a search operation
  • LDAP Follows Referral: select to specify whether or not referrals to other LDAP servers are automatically followed
  • LDAPv3 Repository Plug-in Class Name: specify the path to the implemented class for Active Directory; by default, com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo
  • Attribute Name Mapping: map any OpenSSO attributes to those in Active Directory (OpenSSO attribute=Active Directory attribute); by default:

    • employeeNumber=distinguishedName
    • iplanet-am-user-alias-list=objectGUID
    • mail=userPrincipalName
    • portalAddress=sAMAccountName
    • telephonenumber=displayName
    • uid=sAMAccountName
  • LDAPv3 Plug-in Supported Types and Operations: no changes needed
  • LDAPv3 Plug-in Search Scope: select the range of any plug-in searches
  • LDAP Users Search Attribute: specify the attribute used to search; by default, uid
  • LDAP Users Search Filter: specify which entries the search will return; by default, only those entries that contain objectclass=person
  • LDAP User Object Class: define the objectclasses added to a user's attribute list when the user is created; by default:

    • organizationalPerson
    • person
    • sunFederationManagerDataStore
    • sunFMSAML2NameIdentifier
    • sunIdentityServerLibertyPPService
    • top
    • User

    (the objectclasses defined must actually exist in Active Directory, or be mapped to ones that exist; otherwise you will get an objectclass violation)
  • LDAP User Attributes: define the definitive list of attributes associated with a user entry; an attribute will not be sent or read if it is not on this list; by default:

    • employeeNumber
    • objectClass
    • sAMAccountName
    • userpassword
    • mail
    • distinguishedName
    • userPrincipalname
    • objectGUID
    • sAMAccountType
    • name
    • displayName

    (if there is the slightest possibility that the user entry will contain an attribute, include it here; on the other hand, if the attribute is not defined in Active Directory, do not enter it)
  • Create User Attribute Mapping
  • Attribute Name of User Status: check the defined attribute to see if the user is active or inactive; by default, userAccountControl
  • User Status Active Value
  • User Status Inactive Value
  • LDAP Groups Search Attribute: by default, cn is the attribute used to construct the group's DN and search filter
  • LDAP Groups Search Filter: by default, the search filter will return only those entries that contain objectclass=group
  • LDAP Groups Container Naming Attribute: define the naming attribute for a group container if the groups reside in a container; by default, cn
  • LDAP Groups Container Value: the value for the group container; by default, users
  • LDAP Groups Object Class: define the objectclasses that will be added to a group when it is created; by default:

    • Group
    • top
  • LDAP Groups Attributes: define the definitive list of attributes associated with a group entry; an attribute will not be sent or read if it is not on this list; by default:

    • cn
    • distinguishedName
    • dn
    • member
    • name
    • objectCategory
    • objectclass
    • sAMAccountName
    • sAMAccountType

    (if there is the slightest possibility that the group entry will contain an attribute, include it here; on the other hand, if the attribute is not defined in Active Directory, do not enter it)

  • Attribute Name for Group Membership: specify the attribute in the user entry whose values name the groups to which the entry belongs; generally, memberOf
  • Attribute Name of Unique Member: specify the attribute in the group entry that contains the DN of each member; by default, member
  • Attribute Name of Group Member URL: specify the attribute in the group entry whose value is an LDAP URL that resolves to the members belonging to it; by default, memberUrl
  • LDAP People Container Naming Attribute: specify the naming attribute of the people container in which the users reside, if applicable; leave blank if they do not reside in a people container
  • LDAP People Container Value: by default, users
  • Identity Types That Can Be Authenticated
  • Authentication Naming Attribute: by default, uid
  • Persistent Search Base DN: specify the base DN to use for persistent searches; this needs to be the root suffix of your Active Directory instance
  • Persistent Search Filter: specify which entries the search will return; by default, only those entries that contain objectclass=*
  • Persistent Search Scope: select the range of any persistent searches
  • Persistent Search Maximum Idle Time Before Restart: specify the time in minutes before restarting an idle persistent search
  • Maximum Number of Retries After Error Codes: specify the maximum number of times that a persistent search can be retried if it encounters the specified error codes; by default, 3
  • The Delay Time Between Retries: specify the time in milliseconds to wait before each retry; by default, 1000
  • LDAPException Error Codes to Retry On: specify the error codes that will initiate a retry on a persistent search operation; only applicable to persistent searches
  • Caching: select enable
  • Maximum Age of Cached Items: specify the maximum age, in seconds, of a cached item before it is removed; by default, 600
  • Maximum Size of the Cache: specify the maximum size of the cache; by default, 10240
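
As an added illustration (my own example, not code from OpenSSO or from this post), the following Python checks the User Object Class list above against a constructed subset of the Active Directory schema, so the objectclass-violation caveat shows up before you hit it, and shows how the Attribute Name Mapping turns the uid search attribute into the filter Active Directory sees. The schema set is constructed rather than read from a server, and the exact filter shape OpenSSO sends is an assumption.

```python
# Added example (not from OpenSSO or the original post): checks the data-store
# settings listed above against a constructed subset of the AD schema and shows
# how the Attribute Name Mapping shapes the user search filter sent to AD.

# Attribute Name Mapping from the post: OpenSSO attribute -> Active Directory attribute
ATTRIBUTE_MAP = {
    "employeeNumber": "distinguishedName",
    "iplanet-am-user-alias-list": "objectGUID",
    "mail": "userPrincipalName",
    "portalAddress": "sAMAccountName",
    "telephonenumber": "displayName",
    "uid": "sAMAccountName",
}
# LDAP User Object Class list from the post
USER_OBJECT_CLASSES = [
    "organizationalPerson", "person", "sunFederationManagerDataStore",
    "sunFMSAML2NameIdentifier", "sunIdentityServerLibertyPPService", "top", "User",
]
USER_SEARCH_FILTER = "(objectclass=person)"   # LDAP Users Search Filter default

# Constructed stand-in for the AD schema (a subset of what a fresh AD defines);
# a real check would read the object classes from the schema naming context.
AD_OBJECT_CLASSES = {"top", "person", "organizationalPerson", "user", "group"}

def ldap_equal(a, b):
    """LDAP attribute and class names are case-insensitive; compare them that way."""
    return a.lower() == b.lower()

def missing_object_classes(configured, schema=AD_OBJECT_CLASSES):
    """Classes AD does not define: creating a user with them fails with an objectclass violation."""
    return [c for c in configured if not any(ldap_equal(c, s) for s in schema)]

def to_ad_attribute(opensso_name):
    """Apply the Attribute Name Mapping; names without a mapping pass through unchanged."""
    for src, dst in ATTRIBUTE_MAP.items():
        if ldap_equal(src, opensso_name):
            return dst
    return opensso_name

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def user_search_filter(login_name, search_attr="uid", base_filter=USER_SEARCH_FILTER):
    """Assumed shape of the lookup: mapped search attribute ANDed with the configured filter."""
    return "(&(%s=%s)%s)" % (to_ad_attribute(search_attr),
                             escape_filter_value(login_name), base_filter)
```

Running missing_object_classes against the list above reports the three sun* classes, which is exactly the set you must either add to the AD schema or map before user creation will succeed.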

Now let's move on from the Active Directory attributes (ADA) to A-HA and my favoritest song by them. Oh, the nights I danced to this one!

About: docteger