July 5, 2017 at 8:01 pm #17947
We would like to use a Virtual-Directory as a user store that aggregate user attributes from Active-Directory and OpenDJ. Does OpenDJ 5 supports virtual directory capabilities ?
KabiJuly 6, 2017 at 10:34 am #17954JnRouvignacParticipant
Does OpenDJ 5 supports virtual directory capabilities ?
July 7, 2017 at 8:19 am #17976Andy CoryParticipant
- This reply was modified 2 months, 2 weeks ago by JnRouvignac.
But you may be able to achieve what you want with OpenIDM, or OpenAM depending on the use-case…July 7, 2017 at 6:54 pm #17983
But you may be able to achieve what you want with OpenIDM, or OpenAM depending on the use-case…
The use-case is, OpenAM authenticate user against AD and fetch additional user’s attributes from another OpenDj-LDAP. Finally it sends aggregated user information in SAML assertions.
Note that, we do not have OpenIDM and we are not allowed to modify the AD schema. How can we achieve this in OpenAM ?July 10, 2017 at 12:06 pm #18001Andy CoryParticipant
There are two things you can look at. You can use OpenDJ as the repository for authentication as well as for user profile information (your additional attributes) by using pass-through authentication. Documentation here -> https://backstage.forgerock.com/docs/opendj/3/admin-guide/chap-pta#configure-pta-to-ad
A method that is possibly more simple is to define a datastore definition in OpenAM that points at your OpenDJ repo, and an authentication module that authenticates against your AD. OpenAM will then use AD to authenticate your users, but will pull the additional information from OpenDJ – this is the user’s ‘profile’. Using this method, you will need to make sure that there is a reliable mapping between a user in AD and the same user in OpenDJ, e.g. the AD sAMAccountName = UID in OpenDJ.
See https://backstage.forgerock.com/docs/openam/13.5/admin-guide#ad-module-conf-hints for authentication against AD. ForgeRock’s @simon-harding wrote a detailed blog about using AD with OpenAM here -> https://forum.forgerock.com/2016/08/setting-active-directory-datastore-openam/
Note that Simon’s blog covers using AD for both authentication and profile info, which is not what you want to do – the first part of the blog is very detailed and appropriate to you, though. As you pointed out, most often the AD schema cannot be modified, which is more of an operational problem than a technical one.
AndyJuly 17, 2017 at 7:27 pm #18158
Thank you Andy !
You must be logged in to reply to this topic.