Saturday Feb 07, 2009

Identity Suite Essentials Tutorials

A collection of identity management tutorials has just been made public: Identity Suite Essentials. This material was originally developed last October by Sun engineers to provide tutorial information for our peers. We are making this available publicly in the hope that others find value in the material for becoming acquainted with Sun Identity Manager and OpenSSO Enterprise.

Description:

The Identity Suite Essentials (ISE) is a collection of tutorials designed to provide the student with basic knowledge of these products. This self-paced material covers the Sun Java Identity Management Suite. The purpose of these tutorials is to provide a positive first experience with these products. This includes initial installation and configuration of these products in a lab environment.

Thanks to the following contributors:



Friday Jun 27, 2008

OpenDS reconciliation with Identity Manager

In a configuration of OpenDS as a Resource Adapter for Sun Identity Manager, I ran into the following challenges while setting up reconciliation with the LDAP resource. After looking into this, the issue was the proxy user which is used in Identity Manager to connect to the LDAP resource. All normal provisioning succeeds, but reconciliation fails since that uses the server side sorting control to return all users.

Trying to use server-side sorting (1.2.840.113556.1.4.473) with a normal user failed with insufficient access rights. An ACI needs to be added to allow a normal user to use this control, but tracking this down was a bit of effort. Here are the details:

Original ldif file to create the suffix:
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
 (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry"; 
 allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

THIS SEARCH WORKS FOR DIRECTORY MANAGER:
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword  
--searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"


But not for a normal user (aci allows all, ldif used to create the suffix is shown above...):
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "uid=ldapadmin,ou=people,dc=identric,dc=com" --bindPassword  
--searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"
SEARCH operation failed
Result Code:  50 (Insufficient Access Rights)
Additional Information:  The request control with Object Identifier (OID) "1.2.840.113556.1.4.473" cannot be used due to insufficient access rights

This was resolved by adding the required aci for targetcontrol = "1.2.840.113556.1.4.473":
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
 (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry"; 
 allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)
aci:  (targetcontrol = "1.2.840.113556.1.4.473")(version 3.0; acl "LDAP Administrator Server Sort"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

dn: ou=People,dc=identric,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=ldapadmin,ou=people,dc=identric,dc=com
givenName: Ldap
sn: Admin
mail: ldap.admin@identric.com
uid: ldapadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
cn: LDAP Admin
userPassword: Passw0rd
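
An added example, not part of the original post or of OpenDS: a simplified Python check of which ACIs on the suffix entry let a bind DN send a given request control, run against the before and after ACI sets shown above. It models only `targetcontrol` with `=` and `userdn` bind rules, treating `read` as sufficient alongside the post's `all` is an assumption, and the names `parse_aci` and `control_grants` are hypothetical.

```python
import re

SORT_OID = "1.2.840.113556.1.4.473"  # server-side sort request control
ADMIN = "uid=ldapadmin,ou=people,dc=identric,dc=com"

# ACI values of dc=identric,dc=com from the post (constructed input: the
# self-modification ACI is left out because it does not concern controls).
BEFORE = [
    '(targetattr!="userPassword")(version 3.0; acl "Anonymous access"; '
    'allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr = "*")(version 3.0; acl "LDAP Administrator"; '
    'allow (all) userdn = "ldap:///' + ADMIN + '";)',
]
AFTER = BEFORE + [
    '(targetcontrol = "' + SORT_OID + '")(version 3.0; acl "LDAP Administrator '
    'Server Sort"; allow (all) userdn = "ldap:///' + ADMIN + '";)',
]

TARGET = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
RULE = re.compile(r'acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*'
                  r'userdn\s*=\s*"ldap:///([^"]*)"')

def parse_aci(aci):
    """Split one ACI into its targets and its single permission/bind rule."""
    head, _, body = aci.partition("(version")
    targets = {k.lower(): (op, [v.strip() for v in val.split("||")])
               for k, op, val in TARGET.findall(head)}
    name, kind, rights, subject = RULE.search(body).groups()
    return {"name": name, "targets": targets, "kind": kind,
            "rights": {r.strip() for r in rights.split(",")},
            "subject": subject.lower()}

def control_grants(acis, bind_dn, oid):
    """Names of ACIs that allow bind_dn to send the request control `oid`."""
    hits = []
    for aci in map(parse_aci, acis):
        # A targetattr target, even "*", says nothing about request controls.
        op, oids = aci["targets"].get("targetcontrol", ("=", []))
        covers = op == "=" and oid in oids
        who = aci["subject"] in ("anyone", "all", bind_dn.lower())
        ok = aci["kind"] == "allow" and aci["rights"] & {"read", "all"}  # assumption
        if covers and who and ok:
            hits.append(aci["name"])
    return hits

if __name__ == "__main__":
    print("before:", control_grants(BEFORE, ADMIN, SORT_OID))
    print("after: ", control_grants(AFTER, ADMIN, SORT_OID))
```

The "LDAP Administrator" ACI with `targetattr = "*"` and `allow (all)` never appears in the result, which matches the result code 50 shown in the post: attribute targets do not extend to request controls.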



Thursday Apr 24, 2008

Fedlet comes out with a (Head) Bang

OpenSSO is maturing at a rapid pace with a fantastic new feature addition released today, the Fedlet! Watch the video below to see the Instant federation for a partner in action with OpenSSO. This video is proof that federation can be fun (or at least that Daniel can make it fun).

I get involved in all types of identity discussions (provisioning, identity compliance, access management, federation, etc.) in my travels. Recently (Tuesday), I had the opportunity to talk to Sun customers and potential customers about Federated Access Management at The Sun Identity Roadshow in Dallas. There was a lengthy Q&A after the session, and some of the questions asked when it will be easier to create federation agreements and enable smaller partners. I answered by describing how the Federation configuration wizards in OpenSSO make configuration of federation simple, and how the fedlet will make it easy to enable a partner to federate with you. The video above shows exactly how easy these tasks can be.

About

harcey
