Does OpenDJ support Virtual Directory capabilities?

This topic contains 5 replies, has 3 voices, and was last updated by kpattana 1 week, 2 days ago.

#17947
kpattana (Participant)

We would like to use a virtual directory as a user store that aggregates user attributes from Active Directory and OpenDJ. Does OpenDJ 5 support virtual directory capabilities?

    Thanks,
    Kabi

#17954
JnRouvignac (Participant)

Does OpenDJ 5 support virtual directory capabilities?

    No

#17976
Andy Cory (Participant)

But you may be able to achieve what you want with OpenIDM or OpenAM, depending on the use case…

#17983
kpattana (Participant)

But you may be able to achieve what you want with OpenIDM or OpenAM, depending on the use case…

The use case is: OpenAM authenticates the user against AD and fetches additional user attributes from another OpenDJ LDAP directory. Finally, it sends the aggregated user information in SAML assertions.

Note that we do not have OpenIDM and we are not allowed to modify the AD schema. How can we achieve this in OpenAM?

#18001
Andy Cory (Participant)

There are two things you can look at. You can use OpenDJ as the repository for authentication as well as for user profile information (your additional attributes) by using pass-through authentication. Documentation here -> https://backstage.forgerock.com/docs/opendj/3/admin-guide/chap-pta#configure-pta-to-ad

A method that is possibly simpler is to define a data store in OpenAM that points at your OpenDJ repository, and an authentication module that authenticates against your AD. OpenAM will then use AD to authenticate your users but will pull the additional information from OpenDJ; this is the user's 'profile'. Using this method, you will need to make sure that there is a reliable mapping between a user in AD and the same user in OpenDJ, e.g. the AD sAMAccountName = uid in OpenDJ.

See https://backstage.forgerock.com/docs/openam/13.5/admin-guide#ad-module-conf-hints for authentication against AD. ForgeRock's @simon-harding wrote a detailed blog post about using AD with OpenAM here -> https://forum.forgerock.com/2016/08/setting-active-directory-datastore-openam/

Note that Simon's blog post covers using AD for both authentication and profile info, which is not what you want to do; the first part of the post is very detailed and appropriate to you, though. As you pointed out, most often the AD schema cannot be modified, which is more of an operational problem than a technical one.

    Andy
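The second approach above hinges on the sAMAccountName = uid mapping being reliable: if a uid is missing or duplicated in OpenDJ, OpenAM would either fail the login or, worse, attach the wrong person's profile to the SAML assertion. The following is an added example, not OpenAM or OpenDJ code, that shows the check a practitioner would run before going live and the per-login aggregation logic in miniature. All directory entries, attribute names and DNs below are constructed sample data; the hypothetical helpers `check_mapping` and `aggregate_profile` stand in for what OpenAM's AD module and OpenDJ data store do internally.

```python
"""Added example (not ForgeRock code): verify the AD sAMAccountName == OpenDJ uid
mapping and assemble the aggregated attribute set for a SAML assertion.

The entries below are constructed sample data, not real directory contents.
Values are lists, as an LDAP search result would return them.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed AD sample: one normal user, one user whose uid is duplicated in
# OpenDJ, and one disabled service account (userAccountControl 514 = 0x202).
AD_ENTRIES: List[Entry] = [
    {"dn": ["CN=Kabi P,OU=Users,DC=corp,DC=example"], "sAMAccountName": ["kabi"],
     "mail": ["kabi@corp.example"], "userAccountControl": ["512"]},
    {"dn": ["CN=Andy C,OU=Users,DC=corp,DC=example"], "sAMAccountName": ["andy"],
     "mail": ["andy@corp.example"], "userAccountControl": ["512"]},
    {"dn": ["CN=Svc SSO,OU=Service,DC=corp,DC=example"], "sAMAccountName": ["svc-sso"],
     "userAccountControl": ["514"]},
]

# Constructed OpenDJ sample: profile attributes AD does not carry. Note the
# case-variant duplicate for "andy" and an orphan with no AD account.
DJ_ENTRIES: List[Entry] = [
    {"dn": ["uid=kabi,ou=people,dc=example,dc=com"], "uid": ["kabi"],
     "department": ["Finance"], "employeeNumber": ["1001"]},
    {"dn": ["uid=ANDY,ou=people,dc=example,dc=com"], "uid": ["ANDY"],
     "department": ["IAM"], "employeeNumber": ["1002"]},
    {"dn": ["uid=andy,ou=contractors,dc=example,dc=com"], "uid": ["andy"],
     "department": ["Contract"], "employeeNumber": ["9002"]},
    {"dn": ["uid=orphan,ou=people,dc=example,dc=com"], "uid": ["orphan"],
     "department": ["Ops"]},
]

AD_ATTRS = ("mail",)                            # taken from AD after authentication
PROFILE_ATTRS = ("department", "employeeNumber")  # only OpenDJ holds these
ACCOUNTDISABLE = 0x2                            # userAccountControl flag bit


def _norm(value: str) -> str:
    return value.strip().lower()


def find_by_attr(entries: List[Entry], attr: str, value: str) -> List[Entry]:
    """sAMAccountName and uid are case-insensitive in their directories, so
    matching must be too; otherwise 'ANDY' and 'andy' look like two people."""
    return [e for e in entries if any(_norm(v) == _norm(value) for v in e.get(attr, []))]


def check_mapping(ad_entries: List[Entry], dj_entries: List[Entry]) -> List[str]:
    """Pre-flight check: every AD account must map to exactly one OpenDJ profile,
    and every OpenDJ profile must belong to an AD account. Returns the problems."""
    problems: List[str] = []
    for ad in ad_entries:
        sam = ad["sAMAccountName"][0]
        matches = find_by_attr(dj_entries, "uid", sam)
        if not matches:
            problems.append(f"no OpenDJ profile for AD user {sam!r}")
        elif len(matches) > 1:
            dns = ", ".join(m["dn"][0] for m in matches)
            problems.append(f"ambiguous: {len(matches)} OpenDJ entries have uid={sam!r}: {dns}")
    for dj in dj_entries:
        uid = dj["uid"][0]
        if not find_by_attr(ad_entries, "sAMAccountName", uid):
            problems.append(f"orphan OpenDJ profile {dj['dn'][0]} (no AD account {uid!r})")
    return problems


def aggregate_profile(sam_account_name: str, ad_entries: List[Entry],
                      dj_entries: List[Entry]) -> Dict[str, str]:
    """Per-login flow in miniature: resolve the AD account (authentication side),
    refuse disabled accounts, then pull the profile from OpenDJ by uid. Any
    ambiguity is an error, never a guess, so no one gets another user's profile."""
    ad_hits = find_by_attr(ad_entries, "sAMAccountName", sam_account_name)
    if len(ad_hits) != 1:
        raise LookupError(f"AD lookup for {sam_account_name!r} returned {len(ad_hits)} entries")
    ad = ad_hits[0]
    if int(ad.get("userAccountControl", ["0"])[0]) & ACCOUNTDISABLE:
        raise PermissionError(f"AD account {sam_account_name!r} is disabled")
    dj_hits = find_by_attr(dj_entries, "uid", sam_account_name)
    if len(dj_hits) != 1:
        raise LookupError(f"OpenDJ profile lookup for {sam_account_name!r} "
                          f"returned {len(dj_hits)} entries; refusing to guess")
    dj = dj_hits[0]
    profile = {"uid": ad["sAMAccountName"][0]}   # canonical spelling comes from AD
    profile.update({a: ad[a][0] for a in AD_ATTRS if a in ad})
    profile.update({a: dj[a][0] for a in PROFILE_ATTRS if a in dj})
    return profile


if __name__ == "__main__":
    for p in check_mapping(AD_ENTRIES, DJ_ENTRIES):
        print("mapping problem:", p)
    print(aggregate_profile("kabi", AD_ENTRIES, DJ_ENTRIES))
```

The point of failing closed on an ambiguous uid match is that the profile attributes end up in a signed SAML assertion relied on by every service provider, so a lookup that silently picks the first of two entries is an authorization bug, not a data-quality nit. In a real deployment the same uniqueness should be enforced in OpenDJ itself with a unique-attribute constraint on uid, and the pre-flight check re-run after each AD or OpenDJ bulk load.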

#18158
kpattana (Participant)

Thank you, Andy!


©2017 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
