Using OpenDS as a user data store for OpenSSO
By user12601562 on Mar 21, 2007
The latest version of this article is available here.
The information below no longer reflects the current state of OpenSSO.
This is a follow-up posting to my original post about OpenSSO and OpenDS.
I have tested the OpenSSO system with OpenDS (build 30); this time OpenDS is used as both the configuration store and the user data store. For this I needed to adapt the existing user schema to a form acceptable to OpenDS (which enforces the schema, the spec and DIT content rules more strictly).
Read my earlier post on how to configure OpenDS as a configuration data store; in this article I focus only on how to use OpenDS as the user data store for the OpenSSO system (not OpenFM). The key to this is the schema file; the remaining part is pretty straightforward.
Step 1: Install and Configure OpenDS
Install OpenDS build 30. You can use any build of OpenDS, but for this exercise I have used build 30.
- Install and configure with sample user entries; this creates the sample users (whose password is: password) and the ou=people container.
- Up to build 30 the ACIs are disabled. If you are using a later build of OpenDS, access control might be enabled; this should not cause any problems (assuming OpenDS ACIs are backward compatible with DSEE 6.0), but I have not verified this yet.
- Verify that the directory server is up and running.
Step 2: Copy the OpenSSO User Schema
Download the schema file and copy 98-opends_user_schema.ldif to the OpenDS config/schema directory, then restart OpenDS. Though there is an option to add this schema over the LDAP protocol, I have not tried that.
Step 3: Add the OpenSSO Administrative Users to OpenDS
There are a couple of entries that need to be added to OpenDS to prepare it as the OpenSSO user store. I assume this user data store will also be used for LDAP authentication. The following entries need to be added; you can use ldapmodify to add them.
dn: ou=dsame users,dc=sun,dc=com
objectclass: organizationalunit
objectclass: top
ou: dsame users

dn: cn=amldapuser,ou=DSAME Users,dc=sun,dc=com
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: amldapuser
sn: amldapuser
userPassword: secret123

dn: cn=dsameuser,ou=DSAME Users,dc=sun,dc=com
# assumed: the original post does not show this entry's attributes; it is built
# the same way as amldapuser, with a password of your own choosing
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: dsameuser
sn: dsameuser
userPassword: <password for dsameuser>

dn: dc=sun,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=sun,dc=com")(targetattr="*")(version 3.0; acl "S1IS special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=amldapuser,ou=DSAME Users,dc=sun,dc=com"; )

dn: dc=sun,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=sun,dc=com")(targetattr="*")(version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=sun,dc=com"; )
You can download the above contents from the file ldapentries (the file also contains the ou=agents and ou=groups containers that show up in the output below). Note what the two ACIs grant: amldapuser gets read and search on every attribute under the suffix, userPassword included, and dsameuser gets all rights under the suffix. Change the sample passwords before loading the file anywhere other than a test setup.
ldapmodify -p 3389 -h slapd -D"cn=user manager" -w secret12 -c -a -f ldapentries
adding new entry ou=agents,dc=sun,dc=com
adding new entry ou=groups,dc=sun,dc=com
adding new entry ou=dsame users,dc=sun,dc=com
adding new entry cn=dsameuser,ou=DSAME Users,dc=sun,dc=com
adding new entry cn=amldapuser,ou=DSAME Users,dc=sun,dc=com
modifying entry dc=sun,dc=com
modifying entry dc=sun,dc=com
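As an added check (example code written for this post's entries, not something shipped with OpenSSO or OpenDS), the following Python script parses the LDIF above, including LDIF-folded ACI lines, and reports each ACI's grantee and rights together with the things a practitioner would want to fix before loading the file on a real server: cleartext userPassword values in the file, an add record with no objectclass (OpenDS rejects such an entry), a read grant on targetattr="*" (which covers userPassword), and an allow (all) grant. The LDIF it reads is a constructed copy of the Step 3 entries, embedded inline so the script runs offline.

```python
"""Audit the OpenSSO bootstrap LDIF for OpenDS before loading it with ldapmodify."""
import re

# Constructed sample: the Step 3 entries above, in valid multi-line LDIF.
# The first aci value is folded over two lines the way LDIF allows.
SAMPLE_LDIF = """\
dn: ou=dsame users,dc=sun,dc=com
objectclass: organizationalunit
objectclass: top
ou: dsame users

dn: cn=amldapuser,ou=DSAME Users,dc=sun,dc=com
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: amldapuser
sn: amldapuser
userPassword: secret123

dn: dc=sun,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=sun,dc=com")(targetattr="*")(version 3.0; acl "S1IS
  special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=amldapuser,ou=DSAME Users,dc=sun,dc=com"; )

dn: dc=sun,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=sun,dc=com")(targetattr="*")(version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=sun,dc=com"; )
"""

# The pieces of a DSEE/OpenDS style ACI this audit cares about.
ACI_NAME = re.compile(r'\bacl\s+"([^"]*)"')
ACI_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)', re.IGNORECASE)
ACI_ALLOW = re.compile(r'\ballow\s*\(([^)]*)\)')
ACI_USERDN = re.compile(r'userdn\s*=\s*"ldap:///([^"]*)"')


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return records as {'dn', 'changetype', 'attrs': {lowercase name: [values]}}."""
    records, current = [], None
    for line in unfold(text) + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = None
            continue
        if line.startswith("#") or line == "-" or current is None and not line.lower().startswith("dn:"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "changetype": "add", "attrs": {}}
        elif name == "changetype":
            current["changetype"] = value
        else:
            current["attrs"].setdefault(name, []).append(value)
    return records


def parse_aci(value):
    """Extract name, target attributes, granted rights and grantee DN from one ACI string."""
    name, attr, allow, user = (p.search(value) for p in (ACI_NAME, ACI_TARGETATTR, ACI_ALLOW, ACI_USERDN))
    return {
        "name": name.group(1) if name else "",
        "targetattr": attr.group(1) if attr else "",
        "rights": {r.strip().lower() for r in allow.group(1).split(",")} if allow else set(),
        "userdn": user.group(1) if user else "",
    }


def collect_acis(records):
    """ACIs carried by add entries or by 'changetype: modify' / 'add: aci' records."""
    acis = []
    for rec in records:
        for value in rec["attrs"].get("aci", []):
            acis.append(dict(parse_aci(value), target_entry=rec["dn"]))
    return acis


def audit(text):
    """Return human-readable findings; an empty list means nothing looked risky."""
    findings, records = [], parse_ldif(text)
    for rec in records:
        if rec["changetype"] == "add" and "objectclass" not in rec["attrs"]:
            findings.append(f"{rec['dn']}: add record has no objectclass, OpenDS will reject it")
        for pw in rec["attrs"].get("userpassword", []):
            if not pw.startswith("{"):            # pre-hashed values look like {SSHA}...
                findings.append(f"{rec['dn']}: cleartext userPassword in the LDIF file")
    for aci in collect_acis(records):
        who, rights = aci["userdn"], aci["rights"]
        if "all" in rights:
            findings.append(f'{who}: ACI "{aci["name"]}" grants all rights under {aci["target_entry"]}')
        elif aci["targetattr"] == "*" and "read" in rights:
            findings.append(f'{who}: ACI "{aci["name"]}" reads every attribute under {aci["target_entry"]}, userPassword included')
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF):
        print(finding)
```

Run it against your ldapentries file before ldapmodify; on the entries above it reports three findings (the sample password, the amldapuser read-everything grant, and the dsameuser allow-all grant). Narrowing targetattr in the amldapuser ACI to the attributes the LDAP auth module and the data store actually need is the straightforward fix; dsameuser is the account OpenSSO itself binds with, so its grant is harder to narrow and the password protecting it matters all the more.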
Step 4: Add an LDAPv3 Data Store
Log in as the top-level admin and create a new LDAPv3 data store of the type "Sun DS with AM schema".
Step 5: Modify the LDAP Authentication
Before configuring, make sure you create the 'amadmin' user in OpenDS; you can do this by creating a new user from the Subjects tab (the existing amadmin comes from the flat-file store). Log in as the top-level admin and modify the LDAP auth instance to point at the OpenDS hostname and port. You also need to change the base DN and the bind DN appropriately.
Edit the ldapService auth chain to include LDAP as REQUIRED in place of DataStore. Don't delete the flat-file store yet. Log out of the console and log back in; this time the LDAP auth page should be displayed. Enter amadmin and the password that is stored in OpenDS; you should be able to log in successfully. Verify this from the OpenDS access log. After verifying, you can delete the flat-file store. Remember that you will not get any role identity support from the OpenDS data store.
Persistent Search: OpenDS applies the bind resource limits to the persistent search connection (DSEE does not). This issue is being fixed in the forthcoming builds of OpenDS (thank you, Neil!).
OpenFM: This will not work for OpenFM; more needs to be done on the schema side.
Disclaimer: OpenSSO with OpenDS is not a QA-certified configuration; use it at your own discretion.