This topic has 16 replies, 4 voices, and was last updated 6 years, 5 months ago by jax.
-
AuthorPosts
-
February 5, 2016 at 2:29 pm #7555
nkarthik82
ParticipantI want to know whether duplicate user ids are allowed across OpenAM realms.
This is a very rare scenario, but it can happen when we try to migrate different idps to OpenAM.
We might end up with 2 different users having same userid in 2 different idps.
If we can have duplicate userids across realms, we can at least migrate the users to different realms. But, I am not sure whether OpenAM accepts that.-
This topic was modified 6 years, 6 months ago by
Peter Major.
February 6, 2016 at 4:48 am #7570Rajesh R
Participant@nkarthik82 I do not see a reason why we cannot have the same user exist in two separate realms in OpenAM. A Realm in OpenAM is created to give a set of Users a common User experience. Once a realm is created I could give a different look and feel to the login pages of it,use a specific Authentication mechanism such as MFA etc.
We define an Identity Repository for an OpenAM realm (such as OpenDJ) by configuring to connect to it and perform an LDAP search operation (using appropriate BIND DN, BaseDN and Search Filter). And you get to see the users listed in that Realm from OpenDJ (under ‘Subjects’ tab). Now let’s take for example, I create one Realm based on the Business Units within the Organization (Engineering, Finance etc.) and another Realm based on Countries (USA, France, UK,India etc.). I could have a user in Engineering division and based in France appear in two realms, one based on the Country and the other one based on the Business Unit, and that too from the same Identity Repository !! Just that the Search Filter used to fetch users from the IDrepo is different!
Just so that the point is clear,Realms in OpenAM could be created based on Applications as well. So I could have an appA realm and and appB realm. Chances are that a single user in the Organization will have access to both appA and appB, therefore will appear in both the realms.
Hope my ramblings have given you some idea on the point that I’m trying to make. Let us know.
Rajesh
February 7, 2016 at 10:15 pm #7581Peter Major
ModeratorHaving the same username in different realms is a perfectly valid scenario. Having the same username represent more than one user identity within a single realm will result in unexpected behaviors.
February 8, 2016 at 9:13 am #7588nkarthik82
ParticipantThanks for the answers.
Now, I get an idea of how it works. In my case, the requirement is to have only one OpenDJ configured at the top-level realm shared across all the sub-realms.
So, if we have 2 different users with same username in 2 different applications and if we try to migrate the users to OpenAM, say realm1 (app1) and realm2 (app2), OpenAM won’t allow duplicates since we have only OpenDJ.
Only option is to have 2 different OpenDJ’s for these 2 realms. Am I right?
Or is there any option to migrate both the apps with just one OpenDJ, but instead of authenticating against userid, authenticate against username in that realm? In that way, I can have same usernames in 2 different realms, but userid’s will be different.February 8, 2016 at 9:19 am #7589Rajesh R
Participant@nkarthik82 By default the Identity Repository that you configure for the Top Level Realm gets inherited by the Child realms. So the users that you get to see in the Top Level Realm, you should be able to see in the Realms below that as well.
If you want to list different set of users from the same OpenDJ instance in multiple realms, then you’ll have to configure the Identity Repository for each realm accordingly. As an example, let’s say you only have one OpenDJ instance running on the port 1389 of host myopendj.mydomain.com. The instance has users under the OU=Finance branch and OU=Engineering branch. Now in an OpenAM realm named ‘Finance’, you’ll go and connect to the OpenDJ instance running on port 1289 of myopendj.mydomain.com machine, but use a search filter that will fetch only users from the OU=Finance branch. Likewise, for the Engineering realm as well.
The above was just a rough example, you can design the Directory Information Tree (DIT) of OpenDJ instance the way you want it, just that you’ll have to use the appropriate Base DNs and Search filters in the OpenAM realm to list relevant subjects in the realm.
Hope this helps.
February 8, 2016 at 9:40 am #7590nkarthik82
Participant@rajeshr
Thanks for the info.
Just now browsed the OpenDJ in a ldap browser. I see all the userid’s added under the same root “People” even though they were created in different realms. If OpenAM creates different OU’s for each realm, I think we can have same userid’s in 2 different realms. Is it possible to have different OU’s for each realm in same OpenDJ?-
This reply was modified 6 years, 6 months ago by
nkarthik82.
February 8, 2016 at 9:51 am #7592Rajesh R
Participant@nkarthik82 Sorry, if I made you think that the Realms created in OpenAM maps to OU in OpenDJ. That’s not the case. I was just referring to an example.
Let’s say I have one OpenDJ instance with Users under OU=People branch
Now I create two Realms in OpenAM, one as ‘appA’ and other one as ‘appB’ (very clearly, the realm does not map to the Directory Structure in OpenAM.
Now I go to ‘appA’ realm and configure the Identity Repository such a way that it searches the OpenDJ instance under the OU=People branch and uses a specific search filter (say a user attribute like cn=HR, cn=Eng etc.) to fetch users that have a specific value for an attribute of interest. So when you look at the ‘Subjects’ section of ‘appA’ realm, you’ll see those users who matches the search filter defined in the Identity Repository configure. Same way, you’ll configure the Identity Repository for other Realms in OpenAM as well.So please get rid of the understand that the Realms in OpenAM is mapped to Directory Information Tree (DIT) structure in the Identity Repository.
February 8, 2016 at 9:53 am #7593Peter Major
ModeratorYou should just make sure that you are using different Base DNs in the different realms when configuring the data stores.
As long as the Data Store settings are the same across the realms, you will see the same set of users both in the Subjects view and when browsing the directory using the control panel for example.February 8, 2016 at 9:55 am #7594nkarthik82
Participant@rajeshr
Got it. So, if I want 2 OU’s for appA and appB, then I will have to manually create 2 OU’s in OpenDJ and map it to these 2 realms in OpenAM Data Store configuration. right?
If my understanding is correct, is it a good practice to have same OpenDJ with 2 different OU’s for different apps or have totally different OpenDJ’s for each app?February 8, 2016 at 10:01 am #7595Rajesh R
Participant@nkarthik82 Yes, your understand it right. Like @peter-major mentioned in his reply, I could have one OU (say OU=appA) for appA and another OU for appB (say OU=appB) in OpenDJ instance, and use the BaseDN ou=People, ou=appA, dc=mydomain, dc=com in the ‘appA’ realm of OpenAM and similarly in the ‘appB’ realm as well. Keep in mind again, that the Realm that you create in OpenAM has nothing to do with the OU that you create in OpenDJ. Just that when you configure an Identity Repository for each Realm, you configure the Directory Server information accordingly (choosing a specific Base DN, Search Filter and the likes).
Whether it’s a good practice to have OU based on Business Units or Roles (eg:- Employee and Contractor), Applications is a decision to be made during the Analysis and Design phase of Directory Server Project. I’m afraid, there is no general answer to it. Very site specific.
February 8, 2016 at 10:02 am #7596Peter Major
ModeratorYou are correct.
How to structure your directory is probably a question for the OpenDJ forum. There are 2 main concepts in OpenDJ that can help you achieve your needs:
* base DN: so you can have one base DN called dc=foo,dc=bar and a different base DN called dc=example,dc=com. By having separate base DNs you can separate the data in the directory structure with ease, set up simpler access control/password policy rules etc.
* backend: you can decide to have a given base DN on a completely different backend, in this scenario you have even bigger control on how your data is stored, because the indexes are configured per backend.But I’ve probably didn’t get this completely right :) The OpenDJ documentation and the forum should help you with your question.
February 8, 2016 at 10:08 am #7597nkarthik82
Participant@rajeshr @peter-major
Ok. In OpenAM settings, I see only 2 attributes “LDAP People Container Naming Attribute” and “LDAP People Container Value” which has default values of “ou” and “people”.
If I add a new ou under people, say “appA”, is there any way to configure that directly in OpenAM?February 8, 2016 at 10:09 am #7598Peter Major
Moderatoryes, configure the container value to appA, and change the base DN to ou=people,dc=foo,dc=bar according to your directory structure.
March 17, 2016 at 3:05 pm #8669jax
ParticipantHei,
I’d like to have seperated list of groups and people per each realm. setting Base DB or LDAP People/Groups Container Value does not work. the first way, users/groups are visible for each realm. the second way, insert user/group will be failed because of using comma which escaped so the parent entry of new entry could not be found.
March 17, 2016 at 3:14 pm #8674Peter Major
ModeratorLooks like you’ve misconfigured your OpenAM in both cases, these settings are known to work…
-
This topic was modified 6 years, 6 months ago by
-
AuthorPosts
You must be logged in to reply to this topic.