Adding IdRepo LDAPv3 instance using amadmin CLI

 

In this post I show an easy command-line way of creating an LDAPv3 IdRepo plugin instance on any given Sun Java ES Access Manager 7.0 system. Access Manager provides many facilities that make an administrator's life easier, but a lot of these details are buried in the huge documentation.

I assume the reader is familiar with the LDAPv3 interface and its attributes.

Here is the XML used to create a generic LDAPv3 plugin instance for Access Manager version 7.0.
Some enhancements were made in Sun Java ES Access Manager version 7.1; you can download the XML file for 7.1 from http://blogs.sun.com/indira/resource/addldapv3am71.xml

<!--<?xml version="1.0" encoding="ISO-8859-1"?>-->
<!--
    Copyright (c) 2004 Sun Microsystems, Inc. All rights reserved
    Use is subject to license terms.
-->

<!DOCTYPE Requests
    PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q1 Admin CLI DTD//EN"
    "jar://com/iplanet/am/admin/cli/amAdmin.dtd"
>
<Requests>
    <OrganizationRequests DN="o=example.com">
        <AddSubConfiguration subConfigName="oneofMyLDAPv3"
                             subConfigId="LDAPv3"
                             priority="0"
                             serviceName="sunIdentityRepositoryService">
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-ldap-server"/>
                <Value>myldap.example.com:389</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-authid"/>
                <Value>cn=dsameuser,ou=DSAME Users,o=ace.com</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-authpw"/>
                <Value>secret12</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-organization_name"/>
                <Value>o=ace.com</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-ssl-enabled"/>
                <Value>false</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-connection_pool_min_size"/>
                <Value>1</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-connection_pool_max_size"/>
                <Value>10</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-max-result"/>
                <Value>1000</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-time-limit"/>
                <Value>10</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-referrals"/>
                <Value>true</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-users-search-attribute"/>
                <Value>cn</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-users-search-filter"/>
                <Value>(objectclass=inetorgperson)</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-user-objectclass"/>
                <Value>inetadmin</Value>
                <Value>inetorgperson</Value>
                <Value>inetuser</Value>
                <Value>organizationalperson</Value>
                <Value>person</Value>
                <Value>top</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-user-attributes"/>
                <Value>cn</Value>
                <Value>entrydn</Value>
                <Value>entryid</Value>
                <Value>inetuserstatus</Value>
                <Value>objectclass</Value>
                <Value>sn</Value>
                <Value>uid</Value>
                <Value>userpassword</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-isactive"/>
                <Value>inetuserstatus</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-groups-search-attribute"/>
                <Value>cn</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-groups-search-filter"/>
                <Value>(objectclass=groupOfUniqueNames)</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-group-container-name"/>
                <Value>ou</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-group-container-value"/>
                <Value>groups</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-group-objectclass"/>
                <Value>groupofuniquenames</Value>
                <Value>groupofurls</Value>
                <Value>top</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-group-attributes"/>
                <Value>cn</Value>
                <Value>entrydn</Value>
                <Value>objectclass</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-memberof"/>
                <Value>memberOf</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-uniquemember"/>
                <Value>uniqueMember</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-memberurl"/>
                <Value>memberUrl</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-roles-search-attribute"/>
                <Value>cn</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-roles-search-filter"/>
                <Value>(&amp;(objectclass=ldapsubentry)(objectclass=nsroledefinition))</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-role-search-scope"/>
                <Value>SCOPE_SUB</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-role-objectclass"/>
                <Value>ldapsubentry</Value>
                <Value>nssimpleroledefinition</Value>
                <Value>nsmanagedroledefinition</Value>
                <Value>nsroledefinition</Value>
                <Value>top</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-nsrole"/>
                <Value>nsrole</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-nsroledn"/>
                <Value>nsRoleDN</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-nsrolefilter"/>
                <Value>nsRoleFilter</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-people-container-name"/>
                <Value>ou</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-people-container-value"/>
                <Value>people</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-agent-search-attribute"/>
                <Value>cn</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-agent-container-name"/>
                <Value>ou</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-agent-container-value"/>
                <Value>agents</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-agent-search-filter"/>
                <Value>(objectClass=sunIdentityServerDevice)</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-agent-objectclass"/>
                <Value>sunIdentityServerDevice</Value>
                <Value>top</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-agent-attributes"/>
                <Value>cn</Value>
                <Value>entrydn</Value>
                <Value>objectclass</Value>
                <Value>uid</Value>
                <Value>userpassword</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-psearchbase"/>
                <Value>o=ace.com</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-idletimeout"/>
                <Value>0</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-numretires"/>
                <Value>3</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="com.iplanet.am.ldap.connection.delay.between.retries"/>
                <Value>1000</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-errorcodes"/>
                <Value>80</Value>
                <Value>81</Value>
                <Value>91</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="sun-idrepo-ldapv3-config-service-attributes"/>
            </AttributeValuePair>
        </AddSubConfiguration>
    </OrganizationRequests>
</Requests>

You need to map the following values to match your deployment:

o=example.com =====> your Access Manager's root suffix/realm name

o=ace.com =====> your LDAPv3 server's base suffix

A couple of points to remember when deploying the LDAPv3 interface

You can download the above XML as addldapv3am70.xml.
Then run the following command as the Access Manager runtime user:
amadmin -u amadmin -w passwd -v -t addldapv3am70.xml
  • sun-idrepo-ldapv3-config-authid
    • This attribute holds the DN of the user who has the appropriate (read, search, modify, add, delete) privileges in the LDAPv3 directory. If you are using the directory as a read-only data store you can leave this field empty, presuming you have enabled anonymous search access to your LDAPv3 directory.
  • sun-idrepo-ldapv3-config-user-objectclass
    • These are the object classes that make up a user entry. If you want the user entries stored in the external LDAPv3 directory to include more object classes, this is the place to add them.
  • sun-idrepo-ldapv3-config-user-attributes
    • These are the attributes that are stored to and fetched from the external LDAPv3 data store. If you are querying or storing a particular user attribute and do not see it reach the external LDAPv3 store, this is the attribute to check first.
  • sun-idrepo-ldapv3-config-psearchbase
    • This is the base used for receiving notifications of changes made at the external LDAPv3 directory. Using these persistent-search notifications, Access Manager invalidates its IdRepo cache so that it always has current data. Not all LDAP servers support persistent search; AFAIK OpenLDAP does not, while Sun Java ES DSEE, Microsoft Active Directory and Novell's eDirectory do.
    • OpenLDAP's lack of persistent search does not prevent customers from using OpenLDAP as the LDAPv3 data store. If your data store is mostly read-only, OpenLDAP is a perfect fit. If you have a modify-intensive application you can still use OpenLDAP by reducing the IdRepo cache time to a lower value (say 5 minutes), which ensures the IdRepo cache is never stale for more than 5 minutes [available in 7.1 only].
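The suffix mapping above (o=example.com to your realm, o=ace.com to your directory's base suffix) and the authid/authpw notes are easy to get wrong by hand, so here is a small checker for the request file before it goes to amadmin. This is an added example, not code from the original post or from Access Manager itself: parse_request(), render_for_deployment() and audit() are names chosen here, SAMPLE_REQUEST is a constructed, trimmed copy of the post's XML, and the attribute names are the sunIdentityRepositoryService ones the post uses. It pulls the request into an attribute-to-values map, applies the two substitutions the post asks for, and flags an empty authid (anonymous, read-only binding), a bind password sitting in cleartext in the file, a password used with ssl-enabled=false, and an authid or psearchbase that does not sit under organization_name.

```python
"""Render and audit an amadmin AddSubConfiguration request for an LDAPv3 IdRepo.

Added example, not from the original post or from Access Manager. Function
names are chosen here; SAMPLE_REQUEST is a constructed, trimmed copy of the
post's request file using the real sunIdentityRepositoryService attribute names.
"""
import xml.etree.ElementTree as ET

SAMPLE_REQUEST = """<Requests>
  <OrganizationRequests DN="o=example.com">
    <AddSubConfiguration subConfigName="oneofMyLDAPv3" subConfigId="LDAPv3"
                         priority="0" serviceName="sunIdentityRepositoryService">
      <AttributeValuePair><Attribute name="sun-idrepo-ldapv3-config-ldap-server"/>
        <Value>myldap.example.com:389</Value></AttributeValuePair>
      <AttributeValuePair><Attribute name="sun-idrepo-ldapv3-config-authid"/>
        <Value>cn=dsameuser,ou=DSAME Users,o=ace.com</Value></AttributeValuePair>
      <AttributeValuePair><Attribute name="sun-idrepo-ldapv3-config-authpw"/>
        <Value>secret12</Value></AttributeValuePair>
      <AttributeValuePair><Attribute name="sun-idrepo-ldapv3-config-organization_name"/>
        <Value>o=ace.com</Value></AttributeValuePair>
      <AttributeValuePair><Attribute name="sun-idrepo-ldapv3-config-ssl-enabled"/>
        <Value>false</Value></AttributeValuePair>
      <AttributeValuePair><Attribute name="sun-idrepo-ldapv3-config-psearchbase"/>
        <Value>o=ace.com</Value></AttributeValuePair>
      <AttributeValuePair><Attribute name="sun-idrepo-ldapv3-config-user-attributes"/>
        <Value>cn</Value><Value>uid</Value><Value>userpassword</Value></AttributeValuePair>
    </AddSubConfiguration>
  </OrganizationRequests>
</Requests>
"""

P = "sun-idrepo-ldapv3-config-"  # common attribute-name prefix


def render_for_deployment(xml_text, realm, base_suffix, server):
    """Apply the two substitutions the post asks for, plus the LDAP host:port."""
    return (xml_text.replace("o=example.com", realm)
                    .replace("o=ace.com", base_suffix)
                    .replace("myldap.example.com:389", server))


def parse_request(xml_text):
    """Return realm, sub-config identity and {attribute: [values]} from the request."""
    root = ET.fromstring(xml_text)
    org = root.find("OrganizationRequests")
    sub = org.find("AddSubConfiguration")
    attrs = {}
    for pair in sub.findall("AttributeValuePair"):
        name = pair.find("Attribute").get("name")
        attrs[name] = [v.text or "" for v in pair.findall("Value")]
    return {"realm": org.get("DN"), "sub_config_id": sub.get("subConfigId"),
            "service": sub.get("serviceName"), "attrs": attrs}


def audit(req):
    """Checks worth running on the file before handing it to amadmin."""
    attrs = req["attrs"]

    def first(name):  # first value of a multi-valued or absent attribute
        return (attrs.get(name) or [""])[0]

    findings = []
    if req["service"] != "sunIdentityRepositoryService" or req["sub_config_id"] != "LDAPv3":
        findings.append("not an LDAPv3 sunIdentityRepositoryService sub-configuration")
    if not first(P + "authid"):
        findings.append("authid is empty: the plugin binds anonymously, read-only use only")
    if first(P + "authpw"):
        findings.append("authpw is stored in cleartext in this file: restrict it and remove it after import")
        if first(P + "ssl-enabled").lower() != "true":
            findings.append("authpw set with ssl-enabled=false: the simple bind crosses the wire unencrypted")
    # authid and psearchbase are expected to live under the directory's base suffix
    base = first(P + "organization_name").lower()
    for name in (P + "authid", P + "psearchbase"):
        value = first(name).lower()
        if base and value and not value.endswith(base):
            findings.append(f"{name} ({value}) is not under organization_name ({base})")
    return findings


if __name__ == "__main__":
    for line in audit(parse_request(SAMPLE_REQUEST)):
        print("-", line)
```

Run against the post's own values the checker reports two findings: the bind password is in the file in cleartext, and it will be sent over a non-SSL connection because ssl-enabled is false. Swapping in your own realm, base suffix and host with render_for_deployment() before parsing shows whether the suffix mapping came out consistent.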
Comments:

It is a very useful post, more like this. Thanks, Jerome

Posted by guest on November 23, 2006 at 04:58 AM PST #

Hello,

This is very useful information. How can I add an instance of LDAP v3 plugin to a sub-realm from amAdmin CLI instead of the root realm? I have Access Manager 7.1 installed in pure realm mode. The script throws an error saying "Unable to find sub-realm".

Also, how can I accomplish the same via AM SDK.

Thanks,
Srinivas

Posted by Srinivas on September 05, 2007 at 11:35 PM PDT #

Good example, hope to see more with amAdmin commands. Regards

Posted by Narendra on November 09, 2007 at 12:01 AM PST #

About

Indira Thangasamy, I manage the OpenSSO Quality engineering team.
