Duplicate userids across OpenAM realms


This topic has 16 replies, 4 voices, and was last updated 5 years, 7 months ago by jax.

  • #7555
     nkarthik82
    Participant

    I want to know whether duplicate user ids are allowed across OpenAM realms.
    This is a very rare scenario, but it can happen when we try to migrate different idps to OpenAM.
    We might end up with 2 different users having same userid in 2 different idps.
    If we can have duplicate userids across realms, we can at least migrate the users to different realms. But, I am not sure whether OpenAM accepts that.

    • This topic was modified 5 years, 8 months ago by Peter Major.
    #7570
     Rajesh R
    Participant

    @nkarthik82 I do not see a reason why we cannot have the same user exist in two separate realms in OpenAM. A Realm in OpenAM is created to give a set of Users a common User experience. Once a realm is created I could give a different look and feel to the login pages of it, use a specific Authentication mechanism such as MFA etc.

    We define an Identity Repository for an OpenAM realm (such as OpenDJ) by configuring it to connect to it and perform an LDAP search operation (using the appropriate BIND DN, Base DN and Search Filter). And you get to see the users listed in that Realm from OpenDJ (under ‘Subjects’ tab). Now let’s take for example, I create one Realm based on the Business Units within the Organization (Engineering, Finance etc.) and another Realm based on Countries (USA, France, UK, India etc.). I could have a user in the Engineering division and based in France appear in two realms, one based on the Country and the other one based on the Business Unit, and that too from the same Identity Repository!! Just that the Search Filter used to fetch users from the IDrepo is different!

    Just so that the point is clear, Realms in OpenAM could be created based on Applications as well. So I could have an appA realm and an appB realm. Chances are that a single user in the Organization will have access to both appA and appB, and therefore will appear in both the realms.

    Hope my ramblings have given you some idea on the point that I’m trying to make. Let us know.

    Rajesh

    #7581
     Peter Major
    Moderator

    Having the same username in different realms is a perfectly valid scenario. Having the same username represent more than one user identity within a single realm will result in unexpected behaviors.

    #7588
     nkarthik82
    Participant

    Thanks for the answers.
    Now, I get an idea of how it works. In my case, the requirement is to have only one OpenDJ configured at the top-level realm, shared across all the sub-realms.
    So, if we have 2 different users with the same username in 2 different applications and we try to migrate the users to OpenAM, say realm1 (app1) and realm2 (app2), OpenAM won’t allow duplicates since we have only one OpenDJ.
    The only option is to have 2 different OpenDJs for these 2 realms. Am I right?
    Or is there any option to migrate both the apps with just one OpenDJ, but instead of authenticating against userid, authenticate against username in that realm? In that way, I can have the same usernames in 2 different realms, but the userids will be different.

    #7589
     Rajesh R
    Participant

    @nkarthik82 By default the Identity Repository that you configure for the Top Level Realm gets inherited by the Child realms. So the users that you get to see in the Top Level Realm, you should be able to see in the Realms below that as well.

    If you want to list a different set of users from the same OpenDJ instance in multiple realms, then you’ll have to configure the Identity Repository for each realm accordingly. As an example, let’s say you only have one OpenDJ instance running on the port 1389 of host myopendj.mydomain.com. The instance has users under the OU=Finance branch and the OU=Engineering branch. Now in an OpenAM realm named ‘Finance’, you’ll go and connect to the OpenDJ instance running on port 1289 of the myopendj.mydomain.com machine, but use a search filter that will fetch only users from the OU=Finance branch. Likewise for the Engineering realm as well.

    The above was just a rough example; you can design the Directory Information Tree (DIT) of the OpenDJ instance the way you want it, just that you’ll have to use the appropriate Base DNs and Search filters in the OpenAM realm to list the relevant subjects in the realm.

    Hope this helps.

    #7590
     nkarthik82
    Participant

    @rajeshr
    Thanks for the info.
    Just now I browsed the OpenDJ in an LDAP browser. I see all the userids added under the same root “People” even though they were created in different realms. If OpenAM creates different OUs for each realm, I think we can have the same userids in 2 different realms. Is it possible to have different OUs for each realm in the same OpenDJ?

    • This reply was modified 5 years, 8 months ago by nkarthik82.
    #7592
     Rajesh R
    Participant

    @nkarthik82 Sorry if I made you think that the Realms created in OpenAM map to OUs in OpenDJ. That’s not the case. I was just referring to an example.

    Let’s say I have one OpenDJ instance with Users under the OU=People branch.
    Now I create two Realms in OpenAM, one as ‘appA’ and the other one as ‘appB’ (very clearly, the realm does not map to the Directory Structure in OpenAM).
    Now I go to the ‘appA’ realm and configure the Identity Repository in such a way that it searches the OpenDJ instance under the OU=People branch and uses a specific search filter (say a user attribute like cn=HR, cn=Eng etc.) to fetch users that have a specific value for an attribute of interest. So when you look at the ‘Subjects’ section of the ‘appA’ realm, you’ll see those users who match the search filter defined in the Identity Repository configuration. The same way, you’ll configure the Identity Repository for the other Realms in OpenAM as well.

    So please get rid of the understanding that the Realms in OpenAM are mapped to the Directory Information Tree (DIT) structure in the Identity Repository.

    #7593
     Peter Major
    Moderator

    You should just make sure that you are using different Base DNs in the different realms when configuring the data stores.
    As long as the Data Store settings are the same across the realms, you will see the same set of users both in the Subjects view and when browsing the directory using the control panel for example.

    #7594
     nkarthik82
    Participant

    @rajeshr
    Got it. So, if I want 2 OUs for appA and appB, then I will have to manually create 2 OUs in OpenDJ and map them to these 2 realms in the OpenAM Data Store configuration. Right?
    If my understanding is correct, is it a good practice to have the same OpenDJ with 2 different OUs for different apps, or to have totally different OpenDJs for each app?

    #7595
     Rajesh R
    Participant

    @nkarthik82 Yes, you understand it right. Like @peter-major mentioned in his reply, I could have one OU (say OU=appA) for appA and another OU for appB (say OU=appB) in the OpenDJ instance, and use the BaseDN ou=People, ou=appA, dc=mydomain, dc=com in the ‘appA’ realm of OpenAM and similarly in the ‘appB’ realm as well. Keep in mind again that the Realm that you create in OpenAM has nothing to do with the OU that you create in OpenDJ. Just that when you configure an Identity Repository for each Realm, you configure the Directory Server information accordingly (choosing a specific Base DN, Search Filter and the like).

    Whether it’s a good practice to have OUs based on Business Units, Roles (eg:- Employee and Contractor) or Applications is a decision to be made during the Analysis and Design phase of the Directory Server Project. I’m afraid there is no general answer to it. Very site specific.

    #7596
     Peter Major
    Moderator

    You are correct.
    How to structure your directory is probably a question for the OpenDJ forum. There are 2 main concepts in OpenDJ that can help you achieve your needs:
    * base DN: so you can have one base DN called dc=foo,dc=bar and a different base DN called dc=example,dc=com. By having separate base DNs you can separate the data in the directory structure with ease, set up simpler access control/password policy rules etc.
    * backend: you can decide to have a given base DN on a completely different backend, in this scenario you have even bigger control on how your data is stored, because the indexes are configured per backend.

    But I probably didn’t get this completely right :) The OpenDJ documentation and the forum should help you with your question.

    #7597
     nkarthik82
    Participant

    @rajeshr @peter-major
    Ok. In the OpenAM settings, I see only 2 attributes, “LDAP People Container Naming Attribute” and “LDAP People Container Value”, which have the default values of “ou” and “people”.
    If I add a new ou under people, say “appA”, is there any way to configure that directly in OpenAM?

    #7598
     Peter Major
    Moderator

    Yes, configure the container value to appA, and change the base DN to ou=people,dc=foo,dc=bar according to your directory structure.
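    To make the base DN / container value distinction from the two replies above concrete, here is an added example (not OpenAM or OpenDJ code, and not from any poster in this thread) that models how a realm's data store settings scope which directory entries become that realm's subjects. It assumes a constructed directory laid out as Peter describes (ou=appA and ou=appB under ou=people,dc=foo,dc=bar), a single equality search filter, and that the effective search base is the people container RDN prepended to the base DN.

```python
# Added example (not OpenAM/OpenDJ code): models how an OpenAM realm's data
# store settings (base DN + people container + search filter) decide which
# OpenDJ entries that realm lists as subjects. Directory content is constructed.

def normalize_dn(dn):
    """Split a DN into (type, value) RDNs, keeping backslash-escaped commas."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: keep as-is
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    return tuple((t.strip().lower(), v.strip().lower())
                 for t, _, v in (r.partition("=") for r in rdns))

def in_subtree(entry_dn, search_base):
    """True if entry_dn sits at or below search_base (subtree scope)."""
    e, b = normalize_dn(entry_dn), normalize_dn(search_base)
    return len(e) >= len(b) and e[-len(b):] == b

def matches(entry, ldap_filter):
    """Single equality filter only, e.g. '(objectClass=inetOrgPerson)'."""
    attr, _, val = ldap_filter.strip("()").partition("=")
    return val.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def realm_subjects(directory, base_dn, container_attr, container_value, ldap_filter):
    """UIDs a realm would show under 'Subjects' for this data store config."""
    search_base = f"{container_attr}={container_value},{base_dn}"
    return sorted(e["uid"][0] for dn, e in directory.items()
                  if in_subtree(dn, search_base) and matches(e, ldap_filter))

def duplicate_uids(subjects):
    """UIDs mapped to more than one identity inside one realm (the broken case)."""
    return sorted({u for u in subjects if subjects.count(u) > 1})

# Constructed sample DIT: same uid 'jsmith' in ou=appA and ou=appB.
DIRECTORY = {
    "uid=jsmith,ou=appA,ou=people,dc=foo,dc=bar": {"uid": ["jsmith"], "objectclass": ["inetOrgPerson"]},
    "uid=jsmith,ou=appB,ou=people,dc=foo,dc=bar": {"uid": ["jsmith"], "objectclass": ["inetOrgPerson"]},
    "uid=amiller,ou=appB,ou=people,dc=foo,dc=bar": {"uid": ["amiller"], "objectclass": ["inetOrgPerson"]},
}
BASE_DN, FILTER = "ou=people,dc=foo,dc=bar", "(objectClass=inetOrgPerson)"
```

With container value appA or appB each realm sees a disjoint user set, while a realm left on the default container (people) over base DN dc=foo,dc=bar sees both jsmith entries, which `duplicate_uids` flags.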

    #8669
     jax
    Participant

    Hei,

    I’d like to have a separated list of groups and people per realm. Setting the Base DN or the LDAP People/Groups Container Value does not work. The first way, users/groups are visible for each realm. The second way, inserting a user/group fails because of using a comma, which is escaped, so the parent entry of the new entry could not be found.

    #8674
     Peter Major
    Moderator

    Looks like you’ve misconfigured your OpenAM in both cases, these settings are known to work…
