Configuring Access Manager Repository Plug-in in OpenSSO

The following are quick steps to configure the amSDK plug-in.



NOTE:

Do not use the same directory server for the Identity Repository plug-in and the Access Manager (amSDK) Repository Plug-in; doing so will yield undesired results.


1.0 Prerequisites



Before proceeding with the steps in the following sections, make sure you have completed the prerequisites listed in this section (1.0):





  •  Deploy and configure opensso.war on a supported container

  •  Install and configure the CLI (ssoadm)

  •  You must use Sun Java System Directory Server Enterprise Edition as your amSDK repository; no other LDAP servers are supported

Make sure the server is up and running by logging in to the console as 'amadmin' and also through the command-line tool 'ssoadm'.


2.0 Edit and Load the appropriate LDAP schema files

Locate your OpenSSO configuration directory (CONFIGDIR) and edit the following LDIF files (they can be found in CONFIGDIR/template/ldif).
You need to perform the steps in the same order as shown below.


2.1 Load sunone_schema2.ldif


You can find the file in the CONFIGDIR/template/ldif directory; you don't need to make any changes to this file, load it as it is.

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f sunone_schema2.ldif

2.2 Load ds_remote_schema.ldif


This file also does not require any modifications; just load it as it is.

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f ds_remote_schema.ldif

2.3 Load plugin.ldif  


This file can be loaded as it is; it enables certain plug-ins in the directory server.

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f plugin.ldif

2.4 Load fam_sds_schema.ldif


This file is located directly under CONFIGDIR (hence the ../../ path when running from CONFIGDIR/template/ldif); load it as it is.

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f ../../fam_sds_schema.ldif

2.5 Load index.ldif


This file requires certain modifications: you need to replace @DB_NAME@ with your backend DB name and @ORG_NAMING_ATTR@ with your deployment-specific organization naming attribute (usually it is 'o').

  •  You can get the DB_NAME by running the following command:

ldapsearch -h dshost -p 3456 -s base -b"cn=config" -D"cn=directory manager" -w secret12 "objectclass=*"|grep backend

nsslapd-backendconfig: cn=config,cn=opensso,cn=ldbm database,cn=plugins,cn=con

In this case my suffix is dc=opensso,dc=java,dc=net and the DB_NAME is 'opensso'.

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f index.ldif

adding new entry cn=nsroledn,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config

ldap_add: Already exists

adding new entry cn=memberof,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=iplanet-am-static-group-dn,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=iplanet-am-modifiable-by,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=sunxmlkeyvalue,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=o,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=ou,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=sunPreferredDomain,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=associatedDomain,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=sunOrganizationAlias,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
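The "ldap_add: Already exists" line in the output above is harmless when an index entry was created earlier, but because every load in this section runs ldapmodify with -c (continue on error), a failure on a later entry does not stop the run and is easy to miss in a long listing. The following is an added example, not part of the original post, of a small POSIX shell check that scans ldapmodify output and reports any ldap_add/ldap_modify error other than "Already exists", together with the entry it belongs to. The sample output it runs on is constructed here for illustration; the error texts in it are made up and do not come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): scan the output of an
# "ldapmodify -c -a ..." run for errors other than "Already exists".
# With -c, ldapmodify keeps going after a failed entry, so the only
# record of a problem is the "ldap_add:" / "ldap_modify:" line it prints.

# Constructed sample output, modelled on the index.ldif load in 2.5.
# The two error lines other than "Already exists" are made up for the demo.
SAMPLE_LDAPMODIFY_OUTPUT='adding new entry cn=nsroledn,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
ldap_add: Already exists
adding new entry cn=memberof,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=o,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
ldap_add: Insufficient access
modifying entry cn=schema
ldap_modify: Object class violation'

# Read ldapmodify output on stdin. Print every unexpected "ldap_<op>: <error>"
# line together with the entry it refers to. Returns 1 if at least one such
# line was seen, 0 otherwise ("Already exists" alone is treated as benign).
check_ldapmodify_log() {
    awk '
        /^(adding new entry|modifying entry) / { entry = $0; next }
        /^ldap_(add|modify|delete|modrdn): / {
            if ($0 ~ /Already exists$/) next   # benign when re-running a load
            printf "%s -> %s\n", entry, $0
            failed = 1
        }
        END { if (failed) exit 1; exit 0 }
    '
}

# Convenience wrapper: number of unexpected error lines in a block of output.
count_unexpected_errors() {
    printf '%s\n' "$1" | check_ldapmodify_log | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed sample:
#   sh check_ldapmodify.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LDAPMODIFY_OUTPUT" | check_ldapmodify_log
    echo "exit status: $?"
fi
```

In practice the function is used as a filter on the real run, for example `ldapmodify ... -c -a -f index.ldif 2>&1 | check_ldapmodify_log`, and its exit status tells a wrapper script whether to stop before the next step in the sequence.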

2.6 Load install.ldif



To load install.ldif you first have to replace the following tags in the file. The table lists each tag, its value for an SM suffix of dc=opensso,dc=java,dc=net, and what it means.

TAG                           Value if SM suffix is dc=opensso,dc=java,dc=net   Comments
@NORMALIZED_RS@               dc=opensso,dc=java,dc=net                         the suffix with leading and trailing spaces removed
@RS_RDN@                      opensso                                           the value of the first dc component
@ADMIN_PWD@                   secret12                                          amadmin and dsameuser password
@AMLDAPUSERPASSWD@            secret123                                         amldapuser password
@SERVER_HOST@                 opensso.example.com                               this is the DNS alias/realm alias equivalent
@USER_NAMING_ATTR@            uid                                               user naming attribute, typically uid
@ORG_NAMING_ATTR@             o                                                 organization naming attribute, typically "o"
@ORG_OBJECT_CLASS@            sunmanagedisorganization                          the default organization marker objectclass in legacy mode
@People_NM_ORG_ROOT_SUFFIX@   People_dc=opensso_dc=java_dc=net

Once the tags are replaced, load the file:

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f install.ldif
modifying entry cn=config

modifying entry cn=config

modifying entry cn=config,cn=ldbm database,cn=plugins,cn=config

adding new entry dc=opensso,dc=java,dc=net

ldap_add: Already exists

adding new entry ou=DSAME Users,dc=opensso,dc=java,dc=net

modifying entry cn=schema

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

modifying entry dc=opensso,dc=java,dc=net

adding new entry o=Internet,dc=opensso,dc=java,dc=net

adding new entry cn=Deny Write Access,dc=opensso,dc=java,dc=net

adding new entry cn=Top-level Admin Role,dc=opensso,dc=java,dc=net

adding new entry cn=Top-level Help Desk Admin Role,dc=opensso,dc=java,dc=net

adding new entry cn=Top-level Policy Admin Role,dc=opensso,dc=java,dc=net

adding new entry ou=People,dc=opensso,dc=java,dc=net

adding new entry cn=ou=People_dc=opensso_dc=java_dc=net,dc=opensso,dc=java,dc=net

adding new entry ou=Groups,dc=opensso,dc=java,dc=net

adding new entry cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net

adding new entry cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net

adding new entry cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net

adding new entry cn=ContainerDefaultTemplateRole,dc=opensso,dc=java,dc=net
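Several of the values in the table for install.ldif (2.6), and the @DB_NAME@ value for index.ldif (2.5), are derived mechanically from the SM suffix and from the nsslapd-backendconfig line returned by the cn=config search. The following is an added example, not part of the original post or of the OpenSSO distribution, of POSIX shell functions that derive those values and render a template with them. The tag names and sample values are the ones from the post; the template text at the bottom is constructed for illustration and is not the real install.ldif. The two passwords are read from files rather than passed as arguments, in the same way the ssoadm step in 3.1 uses password files.

```shell
#!/bin/sh
# Added example (not from the original post): derive the install.ldif /
# index.ldif substitution values from the SM suffix and the backend
# configuration, then render a template with them.

# @NORMALIZED_RS@: strip spaces around the suffix and around each comma.
#   " dc=opensso, dc=java ,dc=net " -> "dc=opensso,dc=java,dc=net"
normalize_suffix() {
    printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                           -e 's/[[:space:]]*,[[:space:]]*/,/g'
}

# @RS_RDN@: value of the first RDN.  "dc=opensso,dc=java,dc=net" -> "opensso"
rs_rdn() {
    normalize_suffix "$1" | sed -e 's/,.*$//' -e 's/^[^=]*=//'
}

# @People_NM_ORG_ROOT_SUFFIX@: "People_" plus the suffix with commas as "_".
#   "dc=opensso,dc=java,dc=net" -> "People_dc=opensso_dc=java_dc=net"
people_nm_org_root_suffix() {
    printf 'People_%s' "$(normalize_suffix "$1" | tr ',' '_')"
}

# @DB_NAME@: backend name from the nsslapd-backendconfig value returned by
# the cn=config search in 2.5.
#   "nsslapd-backendconfig: cn=config,cn=opensso,cn=ldbm database,..." -> "opensso"
db_name_from_backendconfig() {
    printf '%s' "$1" | sed -e 's/^nsslapd-backendconfig: *//' \
                           -e 's/^cn=config,cn=//' -e 's/,.*$//'
}

# Render a template read on stdin.
#   render_template SUFFIX DB_NAME SERVER_HOST ADMIN_PWD_FILE AMLDAP_PWD_FILE
# Passwords are read from files so they never appear in a process listing.
# Assumption: the passwords contain neither '|' nor '&' (sed metacharacters).
render_template() {
    suffix=$(normalize_suffix "$1"); db=$2; host=$3
    admin_pwd=$(cat "$4"); amldap_pwd=$(cat "$5")
    sed -e "s|@NORMALIZED_RS@|$suffix|g" \
        -e "s|@RS_RDN@|$(rs_rdn "$suffix")|g" \
        -e "s|@People_NM_ORG_ROOT_SUFFIX@|$(people_nm_org_root_suffix "$suffix")|g" \
        -e "s|@DB_NAME@|$db|g" \
        -e "s|@SERVER_HOST@|$host|g" \
        -e "s|@USER_NAMING_ATTR@|uid|g" \
        -e "s|@ORG_NAMING_ATTR@|o|g" \
        -e "s|@ORG_OBJECT_CLASS@|sunmanagedisorganization|g" \
        -e "s|@ADMIN_PWD@|$admin_pwd|g" \
        -e "s|@AMLDAPUSERPASSWD@|$amldap_pwd|g"
}

# Constructed template fragment (NOT the real install.ldif), using the tags
# from the post in the shapes they take in the loaded entries.
SAMPLE_TEMPLATE='dn: ou=DSAME Users,@NORMALIZED_RS@
dn: cn=@RS_RDN@
dn: cn=@People_NM_ORG_ROOT_SUFFIX@,@NORMALIZED_RS@
dn: cn=@ORG_NAMING_ATTR@,cn=index,cn=@DB_NAME@,cn=ldbm database,cn=plugins,cn=config
sunKeyValue: host=@SERVER_HOST@
userPassword: @ADMIN_PWD@
userPassword: @AMLDAPUSERPASSWD@'

# Render the constructed template with the sample values from the post,
# writing the two passwords to temporary files first.
render_sample() {
    admin_file=$(mktemp); amldap_file=$(mktemp)
    printf '%s' 'secret12'  > "$admin_file"
    printf '%s' 'secret123' > "$amldap_file"
    printf '%s\n' "$SAMPLE_TEMPLATE" | render_template \
        'dc=opensso,dc=java,dc=net' opensso opensso.example.com \
        "$admin_file" "$amldap_file"
    rm -f "$admin_file" "$amldap_file"
}

# Stand-alone demonstration:  sh render_tags.sh --demo
if [ "${1:-}" = "--demo" ]; then
    render_sample
fi
```

On a real deployment the template fed to render_template is CONFIGDIR/template/ldif/install.ldif and the rendered output goes to a file that is then loaded with the ldapmodify command from 2.6; the same render step fills @DB_NAME@ and @ORG_NAMING_ATTR@ in index.ldif for 2.5.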



3.0 Add the "Access Manager Repository Plug-in"

You need to have the ssoadm tool configured before running the following command (make sure the password files /tmp/plaintxtpassofdsameuser and /tmp/plaintxtpassofproxyuser are in place).

3.1 Add the Subschema

./ssoadm add-amsdk-idrepo-plugin -u amadmin -f /tmp/.opensso_pass -b "dc=opensso,dc=java,dc=net" -s ldap://dshost.red.iplanet.com:3456 -x /tmp/plaintxtpassofdsameuser -p /tmp/plaintxtpassofproxyuser -v -a uid -o o

Process Request ...


Constructing Request Context...


Validating mandatory options...


Processing Sub Command ...




Executing class, com.sun.identity.cli.datastore.AddAMSDKIdRepoPlugin.


Authenticating...


Authenticated.


add-amsdk-idrepo-plugin: AMSDK Plugin creaded successfully.


3.2 Creating the amSDK repository from the CLI

./ssoadm create-datastore -e / -u amadmin -f /tmp/.opensso_pass -t amSDK -D datastore_amsdk_attrs.txt -m qatest_ldapv3foramds


4.0 How to verify the amSDK Repository

Make sure you restart the OpenSSO web container after you have added the amSDK plug-in.

- Log in to the Console, navigate to "Access Control" -> Data Stores -> "New", and verify that you see "Access Manager Repository Plug-in"

- Create a role and make sure you can assign a service to the role


5.0 How to remove amSDK

5.1 Delete the amSDK datastore instances, for example:

./ssoadm delete-datastores -m qatest_ldapv3foramds -e / -u amadmin -f /tmp/.opensso_pass

5.2 Remove the sub schema

./ssoadm remove-sub-schema -s sunIdentityRepositoryService -t Organization -a amSDK -u amadmin -f /tmp/.opensso_pass

5.3 Remove the DAI service

./ssoadm delete-svc -s DAI -u amadmin -f /tmp/.opensso_pass

NOTE: the delegation policies are not removed, though.


Comments:

Hey Indira, what are the features of amSDK regarding password management?

Posted by Bastien LEGRAS on November 12, 2008 at 02:34 AM PST #

About

Indira Thangasamy, I manage the OpenSSO Quality engineering team.
