This topic has 187 replies, 22 voices, and was last updated 11 months, 3 weeks ago by anisha.mullamuri.

     Jamie Bowen

    Hello, my name is Jamie and I look after community contributions on behalf of ForgeRock. Why not take a moment to introduce yourself, and maybe a little about your involvement with the projects? This will often help forum members to provide you with better information, and help us all to get to know one another.

    A bit about me;

    I’ve been working at ForgeRock for a year and a half now, and have been lucky enough to work on some great demos of future tech for our summits. On the contribution front I was responsible for the engineering involved in the contribution of the OpenAM 13 RADIUS server functionality by the LDS Church (thanks folks).

    My background; I have 20 years' experience as a software developer, and later architect working on defence projects, enterprise security software and enterprise big data software.

    In my spare time I sing and play guitar and mandolin in a folk rock band. I also love to ski, surf and cycle.

    Once again, welcome to the forums.

    • This topic was modified 6 years, 7 months ago by Jamie Bowen.

    I am new to OpenAM and sync the AD users to OpenAM. Every time, I used to go to Data Store and do a reset to sync the users from AD to OpenAM. Is there a scheduler or script by which I can automate the syncing of the users from AD to OpenAM?

    A bit about me..

    Consultant in Identity and Access Management.
    Most of my career I worked in Microsoft and am exploring the OpenAM platform

     Jamie Bowen

    Hi Anirban, and welcome to the forums!

    Regarding your question; Syncing with data stores is what OpenIDM is for. It can keep a unified view of external data stores, run scheduled syncs etc. OpenAM is merely a consumer of identity information residing in a data store, in your case Active Directory.

    There’s no sync as OpenAM does not store identity information somewhere, but it does use the identity in the identity store to create sessions and tokens.

    OpenAM is not a ‘provisioning’ tool. OpenIDM does all that really well and can handle workflows, syncing data stores etc.


    Hi Bowen, this is Anji and we just started adopting ForgeRock products (OpenAM, DJ and IG) for our identity and access management. So I am working on evaluating FR capabilities for different use cases.

     Jamie Bowen

    Hi Anji,

    I hope you enjoy working with our projects!


     Bill Nelson

    Hi Jamie,

    I always joke that I have been working with ForgeRock since it was just a pebble (some people will get that and others are like my wife that feel that I have no sense of humor). Essentially, I was working with DJ when it was OpenDS (and before that the DSEE product), AM when it was Sun Identity Server (yes, I did say “Identity Server”), and IDM when its connector origins date back to Sun Identity Manager. You could say that I have been around the block once or twice and maybe even helped put up some of the houses on the block.

    We are a ForgeRock partner specializing in training, services, and development for DJ, AM, and IDM. I have written much of ForgeRock’s training materials and many of the people on these forums are our customers. I jump in from time to time to try to explain some of the more difficult concepts to the newer folks (must be the instructor in me) or just because I love getting a good smack down from Peter Major (not saying that I don’t deserve it, mind you).

    I sometimes go by the handle “idmdude” (don’t laugh, it was available) and can be found blogging on ForgeRock and other topics at You can find more about me at or see my company’s website at

    It would be nice if the forum’s profile actually gave us the ability to describe our backgrounds, etc. It would help if I knew a person’s expertise level before I responded to them in the forums.

    Hope to see you again soon,

    bill (aka “idmdude”)

     Jamie Bowen

    Great intro Bill! I agree about the profiles. I’ll see what we can do about that.



    Hello everyone

    I work in a consulting firm as a software engineer and my clients are interested in improving the security of their systems.

    We’re currently working on a study for them and OpenAM is the focus.

    Due to the age of the system, we are using the C SDK to integrate the system. I’ve managed to get it integrated into our system. It is able to authenticate the users on a module type basis, but I’m not sure how to force it to use the authentication chain I’ve set up.

    I had assumed that User authentication would follow the authentication chain in the realm. Am I missing something?


     Bill Nelson

    There is a default chain (aka “service”) associated with a realm, it is called ldapService and consists of the DataStore as the one lone authentication module. OpenAM permits module based authentication but you have to specify that as a parameter and it is highly discouraged to leave that running in a production environment. So, when you log into a realm and don’t specify the module specifically, you are essentially logging in to the chain.

    If you want to use a different chain (by default) for a realm, you can create a new one, populate it with modules to your heart’s desire and then specify the criteria in which each module is processed. Then comes the testing part – you can specify a non-default chain to use for authenticating against a realm with the “service” parameter. Once you are comfortable with your chain, then you can set it as the default for the realm and all authentication then starts using that new chain. I HIGHLY recommend that you test your chain before trying to associate it with the realm. Not doing so is an easy way to lock yourself out of your realm. Then, you WOULD hope that you didn’t disable the module based authentication as you would need that to log back in, or you could log in against the top (/) realm, instead.

    Notice how none of what I just mentioned discussed the SDK. That is because all of this is the default behavior when configuring OpenAM’s authentication chains for a particular realm.
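
The test-before-default step from the reply above, as an added example that is not part of the original post or ForgeRock's code. It assumes the OpenAM 12/13 REST `authenticate` endpoint, where the "service" and "module" parameters are passed as `authIndexType`/`authIndexValue`; the host, realm, chain name and test account are placeholders.

```shell
# Added example: exercise a non-default chain BEFORE making it the realm default.
# Assumed placeholders: openam.example.com, /myrealm, myChain, a test account.

# Build the authenticate URL.
# $1 base URL, $2 realm (starts with "/"), $3 index type (service|module), $4 chain or module name
build_auth_url() {
  local base="${1%/}" realm="$2" type="$3" value="$4"
  case "$type" in
    service|module) ;;
    *) echo "unsupported index type: $type" >&2; return 2 ;;
  esac
  # Restrict names to safe characters so nothing needs URL-encoding
  # and no extra query parameters can be smuggled in.
  case "$realm" in
    ''|[!/]*|*[!A-Za-z0-9/_-]*) echo "bad realm: $realm" >&2; return 2 ;;
  esac
  case "$value" in
    ''|*[!A-Za-z0-9_-]*) echo "bad index value: $value" >&2; return 2 ;;
  esac
  printf '%s/json/authenticate?realm=%s&authIndexType=%s&authIndexValue=%s\n' \
    "$base" "$realm" "$type" "$value"
}

# Classify a response body from the authenticate endpoint.
#   authenticated: a session token was issued, the chain accepted the login
#   callbacks:     the chain wants more input (e.g. a second module's prompt)
#   failed:        anything else (e.g. a 401 "Authentication Failed" body)
classify_response() {
  case "$1" in
    *'"tokenId"'*) echo authenticated ;;
    *'"authId"'*)  echo callbacks ;;
    *)             echo failed ;;
  esac
}

# Log in against the candidate chain with a throwaway test account.
# $1 base URL, $2 realm, $3 chain, $4 username, $5 password
test_chain() {
  local url body
  url=$(build_auth_url "$1" "$2" service "$3") || return 2
  body=$(curl -sS -X POST -H 'Content-Type: application/json' \
    -H "X-OpenAM-Username: $4" -H "X-OpenAM-Password: $5" \
    -d '{}' "$url") || return 2
  classify_response "$body"
}

# Usage (not run here):
#   test_chain https://openam.example.com/openam /myrealm myChain testuser "$TEST_PW"
```

Only switch the realm default once `test_chain` reports `authenticated` for every account type that must be able to log in; `build_auth_url ... module DataStore` gives the module-based fallback URL mentioned in the reply.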




    I am Praveen. We started evaluating OpenIDM for our user management in February. I did a POC for our requirement of synchronization and reconciliation of users created in OpenIDM. Our management liked the solution and we decided to use this product going forward. I am right now in the development phase and will be having many questions whenever I face a roadblock. Hope to get help from the users in these forums.


     Jamie Bowen

    Nice to hear we made the cut! Thanks for posting Praveen!


    Hi Bowen, I’m Dario and work in Sielte S.p.A (Catania – Italy). I am considering the possibility of using OpenDJ in the company.


     Jamie Bowen

    Hi Dario,

    Good to meet you. Welcome to the forums. I hope you can find what you need here!



    Hi All,

    As a System administrator I was quite familiar with SunOpenDS.
    Seeing this fork and the development of features, I’m stunned!

    Here’s a summary of what I have been able to achieve, thanks to the OpenDJ software.
    * LDAP authentication based on OpenDJ PTA (using MS ADS)
    * Works out-of-the-box for Solaris clients.
    * Also, Linux clients, with a little help from sssd

    Especially, the netgroup implementation using rfc2307bis works great +++


     Jamie Bowen

    Great to hear you’re having a good experience! Would love to hear more about what you’ve done with netgroup!

