Monday Apr 20, 2009

Creating an OpenSSO User Data Store Using Sun Directory Server is Like Riding a Bicycle

My instance of OpenSSO Enterprise Express Build 7 was installed with the option to use the embedded data store as a user data store. This option is for proof-of-concepts only and should not be used in production deployments. I wanted to check out some stuff regarding roles and, as the roles portion of OpenSSO only works with an installed Sun Directory Server, I installed Directory Server EE 6.3.

If you haven't installed OpenSSO yet, check out OpenSSO Build 2 and Glassfish: Ready to Go. It's an older entry but still works - despite the old screen shots. Once complete, proceed with the following tasks.
  1. Make a directory named ds.
  2. Download Directory Server Enterprise Edition (EE) 6.3 into the ds directory.
  3. Decompress the file.
    gunzip DSEE.6.3.Solaris-Sparc-full.tar.gz
    tar xvf DSEE.6.3.Solaris-Sparc-full.tar

    For some reason, executing gunzip and tar with one command did not work on this compressed file.
  4. Make a directory named /opt/dsee.
  5. Install the Directory Server EE software into the /opt/dsee directory.
    /ds/DSEE_ZIP_Distribution/dsee_deploy install -i /opt/dsee
  6. Press Enter until you reach the end of the license agreement.
  7. Type Yes when asked Do you accept the license terms? and press Enter to execute.
  8. Make a directory in which to store Directory Server EE instances.
    mkdir /opt/dsee/instances
  9. Change to the directory that contains the dsadm command-line interface.
    cd /opt/dsee/ds6/bin
  10. Create a new instance of Directory Server.
    ./dsadm create -p 389 -P 636 /opt/dsee/instances/example
    You will be prompted to enter a password for cn=Directory Manager.
  11. Start the example instance.
    ./dsadm start /opt/dsee/instances/example
  12. Create the dc=example,dc=com suffix.
    ./dsconf create-suffix dc=example,dc=com
  13. Type Y to accept the server certificate.
  14. Enter the Directory Manager password.
    In the next steps, you will load the OpenSSO schema and add the Directory Server instance as a user data store with the OpenSSO console.
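Steps 8 through 12 above, as an added example script that is not part of the original post: it checks the instance name and ports before calling dsadm/dsconf, then reads the new suffix back to confirm the instance answers. It assumes the /opt/dsee layout used in the post, an ldapsearch binary on PATH, and that dsconf accepts -p for the LDAP port (an assumption, not taken from the post).

```shell
#!/bin/sh
# Paths are those used in the post; LDAPSEARCH is an assumption (DSEE ships
# one under dsrk6/bin, but any ldapsearch on PATH will do).
DSEE_HOME=${DSEE_HOME:-/opt/dsee}
DSEE_BIN="$DSEE_HOME/ds6/bin"
INSTANCES="$DSEE_HOME/instances"
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}

# Build the instance path and refuse names that would split into a second
# argument (a stray space turns "instances/ example" into a different command).
ds_instance_path() {
  base=$1; name=$2
  case "$name" in
    ''|*[!A-Za-z0-9_-]*) echo "bad instance name: '$name'" >&2; return 1 ;;
  esac
  printf '%s/%s\n' "${base%/}" "$name"
}

# Ports must be numeric, in range and distinct (389 LDAP, 636 LDAPS in the post).
ds_validate_ports() {
  for p in "$1" "$2"; do
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$1" -ne "$2" ]
}

# Confirm the suffix entry is reachable; if this fails, OpenSSO will not be
# able to use the instance as a data store either.
ds_verify_suffix() {
  "$LDAPSEARCH" -h "$1" -p "$2" -b "$3" -s base "(objectClass=*)" dn >/dev/null
}

# Create, start, add the suffix, then verify. dsadm prompts for the
# cn=Directory Manager password and dsconf asks to accept the server
# certificate, exactly as in the post; nothing is passed on the command line.
ds_create_instance() {
  name=$1 port=${2:-389} sport=${3:-636} suffix=${4:-dc=example,dc=com}
  ds_validate_ports "$port" "$sport" || { echo "bad ports" >&2; return 1; }
  path=$(ds_instance_path "$INSTANCES" "$name") || return 1
  [ -e "$path" ] && { echo "$path already exists" >&2; return 1; }
  mkdir -p "$INSTANCES"
  "$DSEE_BIN/dsadm" create -p "$port" -P "$sport" "$path" || return 1
  "$DSEE_BIN/dsadm" start "$path" || return 1
  "$DSEE_BIN/dsconf" create-suffix -p "$port" "$suffix" || return 1
  ds_verify_suffix localhost "$port" "$suffix"
}
```

Run it as `ds_create_instance example` after sourcing the file; the prompts from dsadm and dsconf appear as they do in the manual steps.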

Because my installation initially used the embedded data store as a user store, I was not able to select this Directory Server instance during configuration, so I had to follow the instructions in Loading the OpenSSO Schema into Sun Java System Directory Server.

Finally, add the data store to a realm. I created a sub realm to the /Top Level Realm and added the data store to the sub realm.
  1. Login to the OpenSSO console as the administrator.
  2. Click the Access Control tab.
  3. Click New under Realms, enter the appropriate values and click OK to create a sub realm.
  4. Click the name of the new sub realm.
  5. Click the Data Stores tab.
  6. Remove the embedded data store, if applicable.
  7. Click New under Data Stores.
  8. Enter a name, select Sun DS with OpenSSO Schema, and click Next.
  9. Enter the appropriate server information and click OK.

At this point, I was able to create users using the OpenSSO console and the instance of Directory Server. I did have some issues, though, viewing users I had imported from an LDIF file. Trainer extraordinaire David Goldsmith gave me these tips, which worked.
  • Use the fully qualified host name as a value for LDAP Server when configuring the data store.
  • Set the Persistent Search Scope attribute to SCOPE_SUB as it is the default when you connect to an external LDAP directory during configuration.
  • Remove ou and people for the LDAP people container naming value and attribute. David wrote "I have no idea of why I had to blank out the 2 people container naming fields. I tried it because I used to have to do it in 7.0/7.1 but I have not had to do it in 8.0." The interesting thing about this tip is the values for those attributes are back. Maybe during restart, the attributes were repopulated?
So in honor of David and his bicycling ways, here is Queen with Bicycle Race, complete with footage from the bicycle race that was filmed especially for this video...back in the day. Those who were around...back in the day...might remember this footage. To you others, some quick elements are NSFW.

Thursday Sep 25, 2008

Are You Ready for OpenSSO Deployment 1?

Hi all. I'm still around but haven't had the time to blog as regularly as I'd (and hopefully you'd) like. Come November after the release of OpenSSO Enterprise 8.0, I will have more blog entries so stay tuned.

In the meantime, here is the Early Access edition of the Sun OpenSSO Enterprise 8.0 Deployment 1: Single Sign-on with Load Balancing and Failover. The book contains the procedures to implement, configure and test a full OpenSSO deployment for the purpose of single sign-on.

See comments below for UPDATES since this posting.

Key features of Deployment 1 include:
  • Installing and configuring Directory Server as a user data store.
  • Installing J2EE and web policy agents on protected resources.
  • Installing and configuring OpenSSO instances to run as a non-root user.
  • Configuring load balancers for session failover and high performance.
  • Configuring the deployment for system failover, ensuring that when one instance of OpenSSO Enterprise goes down, requests are redirected to the second instance.
  • Configuring components (including OpenSSO and Directory Server, the Distributed Authentication User Interface, and policy agents) as redundant to achieve high availability.
  • Configuring for Secure Sockets Layer (SSL) communications to the OpenSSO load balancer, to the Distributed Authentication User Interface load balancer, and to the Directory Server load balancer.
So check it out. You can also see the complete set of Early Access documentation for OpenSSO Enterprise 8.0. Now is the time to air your thoughts.

Thanks to Sun engineer Anant for his work on the book. Because of it, this book is an invaluable tool for understanding and keystroking an OpenSSO deployment.

And whether you are ready or not, Bucks Fizz certainly is. Are You Ready is the title song of their second album. Not sure if it's Jay or Cheryl wearing the diaper but it's quite an 80s sight!


