Using OpenDS as a user data store for OpenSSO

Latest version of this article is available here

 The information below is no longer  reflect the current state of the OpenSSO .

This is a follow up posting to my original post about OpenSSO and OpenDS

I have tested the OpenSSO system with OpenDS(bld 30), this time OpenDS is used as both configuration and user data store. For this I need to adapt the existing user schema to a form which is acceptable to OpenDS(which more strictly enforcing the schema,spec and DIT content rules).

Read my earlier post on how to configure OpenDS as a configuration datastore, in this article I am only focusing on how to use OpenDS as user data store for the OpenSSO system(not OpenFM). The key to this is the schema file, the remaining part is pretty much straight forward.

Step1: Install and Configure OpenDS

Install OpenDS build 30, you can use any build of OpenDS, but for this exercise I have used OpenDS build 30.

  • Install and configure with sample user entries, this will create sample users(whose passwd is: password) and the ou=people container
  • Until build 30 the ACIs are disabled, if you are using later builds of OpenDS, Access control might have been enabled, this should not cause any problems(assuming OpenDS ACIs are downward compatible with DSEE 6.0) but I have not verified yet.
  •  Verify the Directory server is up and running

 Step 2: Copy the OpenSSO User schema

Download the schema file and Copy the 98-opends_user_schema.ldif to OpenDS config/schema directory, and restart the OpenDS. Though there is an option to add this schema over the LDAP protocol, I have not tried that.

Step 3: Add the OpenSSO administrative users to OpenDS

There are couple of entries that needs to be added to the OpenDS to prepare it for the OpenSSO user store. I assume this user data store will also be used as LDAP authentication. The following entries needs to be added, you can use ldapmodify to add them.

dn: ou=agents,dc=sun,dc=com
objectClass: top
objectClass: organizationalUnit
dn: ou=groups,dc=sun,dc=com
objectClass: top
objectClass: organizationalUnit
dn: ou=dsame users,dc=sun,dc=com
objectClass: top
objectClass: organizationalUnit



dn: cn=amldapuser,ou=DSAME Users,dc=sun,dc=com

objectclass: inetuser

objectclass: organizationalperson

objectclass: person

objectclass: top

cn: amldapuser

sn: amldapuser

userPassword: secret123

dn: cn=dsameuser,ou=DSAME Users,dc=sun,dc=com
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: dsameuser
sn: dsameuser
userPassword: secret12



aci: (target="ldap:///dc=sun,dc=com")(targetattr="\*")(version 3.0; acl "S1IS special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=amldapuser,ou=DSAME Users,dc=sun,dc=com"; )

aci: (target="ldap:///dc=sun,dc=com")(targetattr="\*")(version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=sun,dc=com"; )

you can download the above contents from the file ldapentries

ldapmodify -p 3389  -h slapd -D"cn=user manager" -w secret12 -c -a -f ldapentries

adding new entry ou=agents,dc=sun,dc=com
adding new entry ou=groups,dc=sun,dc=com
adding new entry ou=dsame users,dc=sun,dc=com
adding new entry cn=dsameuser,ou=DSAME Users,dc=sun,dc=com

adding new entry cn=amldapuser,ou=DSAME Users,dc=sun,dc=com
modifying entry dc=sun,dc=com

modifying entry dc=sun,dc=com

 Step 4: Add LDAPv3 DataStore

 Login as top level admin and create a new ldapv3 data store with Sun DS with AM schema.

 Step5: Modify the LDAP Authentication

Before configuring, make sure you create 'amadmin' user in the OpenDS, you can do this by creating a new user from subjects tab. [the existing amadmin is coming from the FlatFile store] Login as top level admin and modify the LDAP auth instance to include the OpenSSO hostname and port. You need to change the base and bind DN  appropriately.

Edit the ldapService auth chain to include LDAP as required in the place of DataStore. Dont delete the flatfile store. Logout from the console and try to login back , this time LDAP auth page should be displayed. You can enter the amadmin and the password that is stored in the OpenDS, You should be able to login successfully, verify this from OpenDS access log. After verifying this you can delete the flatfile store. Remember you will not get any role identity support from opends data store.

Persistent Search: OpenDS applies bind resource limits to the persistent connection(DSEE does not), This issue is being fixed (Thank You Neil!)in the forth coming builds of OpenDS

OpenFM: This will not work for the OpenFM, there is more needs to be done for the schema part of it

Disclaimer: OpenSSO with OpenDS is not a QA certified configuration, use it at your convenience.


Great instructions!...but...I am confused. I successfully did your steps but cannot figure out the following: when I create amadmin user (step 5) it get's created in the flatfile datastore, so I cannot login to / does AM know that when I create a new user, to store it in the new LDAP datastore I created in step 4?

Posted by Hector Jimenez on March 22, 2007 at 10:47 AM PDT #

Thanks for trying out. Whenever you create any identity from the OpenSSO console, it gets created in all the configured data stores(provided you have user=create in the datastore config), in this case it should be created on both FlatFile and OpenDS ldapv3 store. (amadmin is already in flatfile store, so creating amadmin will only create in the opends store.), you need to make this indeed gets created by looking at the opends access logs. -indira

Posted by indira on March 22, 2007 at 12:50 PM PDT #

Thank you for your reply. I checked the opends logs and found out that I had the dsameuser password wrong in the LDAP store. I fixed it and it works. Great howto. I will test these same steps in access manager 7.1 from j2ee sdk update 3 preview since i am interested in the web services policy agent. I will post my test result.

Posted by Hector Jimenez on March 22, 2007 at 02:53 PM PDT #

Good information! I have the schema that will utilize OpenDS as the user data store for OpenFM, if interested. With this schema, step 3 is essentially performed by the OpenFM configurator.jsp.

Posted by Chad Zezula on March 26, 2007 at 04:21 AM PDT #

Post a Comment:
Comments are closed for this entry.

Indira Thangasamy, I manage the OpenSSO Quality engineering team.


« July 2016