Tagged: dynamic user profile, openam
This topic has 2 replies, 2 voices, and was last updated 6 years, 2 months ago by bertalanvoros.
June 3, 2016 at 2:11 pm #10946
bertalanvoros
Participant
Hello All,
Could someone explain the implications of using dynamic user profile creation when the datastore is MS Active Directory?
How does this work in practice?
The reason I am asking is because there is a set of users to be authenticated by OpenAM that do not exist in AD, only in an external database.
An OpenIG route that is dependent on this authentication chain is using a value from the user’s profile, so the users that only exist in the db get authenticated successfully but then you get prompted about the missing profile.
June 3, 2016 at 4:25 pm #10951
Peter Major
Moderator
OpenAM is really not an Identity Management tool. The dynamic profile creation does rely on user data being populated correctly by the authentication module. The JDBC authentication module for example doesn’t do anything like that for example, so you could easily end up in odd situations where your user entries are created in AD with the wrong username, or with a missing samAccountName for example.
If you can authenticate with user IDs coming from two different backends, then you could either just configure both authentication sources as data stores in your configuration (allowing the authentication framework to always find the user profile), or you could just set the profile mode to ignored and say goodbye to profile attributes.
Trying to “migrate” or “provision” accounts using dynamic profile creation (especially when the underlying technologies are different, like the DB<->LDAP case) is just asking for trouble, and probably something will go horribly wrong. (Also keep in mind that OpenAM will NOT synchronize the entries after their creation.)
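The failure mode Peter describes, dynamically created AD entries that lack sAMAccountName or carry a username that disagrees with the authenticated one, is something an administrator can check for after the fact. The following is an added example, not code from this thread or from OpenAM: it parses an LDIF export of the user container and flags user entries missing sAMAccountName or whose uid does not match it. The LDIF content is constructed sample data; the assumption that uid is the naming attribute OpenAM was configured to write is labelled in the code.

```python
"""Audit an AD/LDAP export for user entries created without the attributes
an AD account needs. Added example; the LDIF below is constructed sample data
and the attribute names (sAMAccountName, userPrincipalName) are standard AD schema.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample export: one healthy entry, one with no sAMAccountName
# (what a profile created from a JDBC login might look like), and one whose
# sAMAccountName disagrees with uid. 'uid' is assumed to be the naming
# attribute OpenAM was configured to populate.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=com
objectClass: user
uid: alice
sAMAccountName: alice
userPrincipalName: alice@example.com

dn: CN=db-user-17,OU=Users,DC=example,DC=com
objectClass: user
uid: db-user-17

dn: CN=bob,OU=Users,DC=example,DC=com
objectClass: user
uid: bob
sAMAccountName: robert
"""

REQUIRED_ATTRS = ("sAMAccountName",)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, one
    'attr: value' per line, continuation lines begin with a space.
    Attribute names are stored lowercase so lookups are case-insensitive.
    Base64 ('::') and URL (':<') values are not decoded; this is an audit
    of plain exports, not a full LDIF implementation.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            # LDIF folds long values onto continuation lines
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        key = attr.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_attr = key
    if current:
        entries.append(current)
    return entries


def audit_entries(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (dn, problem) pairs for user entries that would be unusable as
    AD accounts (missing required attributes) or inconsistent with their uid."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        if "user" not in [v.lower() for v in e.get("objectclass", [])]:
            continue  # only audit user objects
        for attr in REQUIRED_ATTRS:
            if attr.lower() not in e:
                findings.append((dn, f"missing {attr}"))
        uid = e.get("uid", [None])[0]
        sam = e.get("samaccountname", [None])[0]
        if uid and sam and uid.lower() != sam.lower():
            findings.append((dn, f"uid {uid!r} != sAMAccountName {sam!r}"))
    return findings


def audit_ldif(text: str) -> List[Tuple[str, str]]:
    """Parse an LDIF export and return its audit findings."""
    return audit_entries(parse_ldif(text))


if __name__ == "__main__":
    for dn, problem in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}: {problem}")
```

Run against a real export (for example the output of an ldapsearch over the OU that OpenAM's data store points at) by reading the file into `audit_ldif`. A non-empty result is the signal that dynamic profile creation wrote accounts the authentication module never populated properly, which, as the answer above notes, OpenAM will not go back and repair.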
June 3, 2016 at 4:53 pm #10954
bertalanvoros
Participant
Thanks Peter for the explanation.
This cleared things up.