separated user and group list per realm


This topic has 27 replies, 2 voices, and was last updated 5 years, 7 months ago by jax.

  • #8685
     jax
    Participant

    Hello,

    I need to have separated user and group list per realm in OpenAM. I appreciate your help.

    #8686
     Rajesh R
    Participant

    @jax Configure a separate Identity Repository for each realm.

    Or, if you intend to use the same instance of a repository (say an LDAP server) and have the users for each realm in a separate branch of the DIT, configure the Identity Repository for each realm accordingly (point it to the suffix where the users for that particular realm are located).

    #8689
     jax
    Participant

    Hello,

    >>> configure the Identity Repository for each realm

    Is it possible via the ssoadm tool or any other way?

    #8691
     Rajesh R
    Participant

    @jax You can use the OpenAM Administration UI to do it.

    ssoadm commands can also be used. Here's a wiki page for your reference:

    https://wikis.forgerock.org/confluence/display/openam/ssoadm-datastores

    #8693
     jax
    Participant

    I already did, both ways, with a different Base DN:
    realm1
    base dn = dc=realm1,dc=openam,dc=forgerock,dc=org
    realm2
    base dn = dc=realm2,dc=openam,dc=forgerock,dc=org

    I can still see users of realm1 in realm2, which I do not want.

    #8695
     jax
    Participant

    Sorry for editing my post again, but now it is my main question. Could you please help me?

    #8696
     Rajesh R
    Participant

    @jax Could you please advise whether you are connecting to an LDAP server as an Identity Repository? In the LDAP server, what is the DN for the users who belong to realm1, and similarly, what is the DN for the users who belong to realm2?

    Or are you trying to put a set of users from the same suffix into two different realms of OpenAM based on some attributes?

    It would help if you could explain the Directory Information Tree structure of your Identity Repository.

    You might also want to make sure that you have only one Identity Repository configured per realm. The Subjects tab of a realm will show you all users from all the DataStores that you have configured for that realm.

    #8697
     jax
    Participant

    Hello,

    and thank you for your reply. My config is the following, using the same LDAP directory (embedded):

    realm1
    container people = people
    container group = groups
    base dn = realm1, ….

    realm2
    container people = people
    container group = groups
    base dn = realm2, ….

    No other config, but I can still see users of realm1 in realm2 or vice versa, and I do not want that.

    #8698
     jax
    Participant

    Later, I should have users that can only authenticate against their own realm (not the top-level or other realms).

    #8699
     Rajesh R
    Participant

    @jax Both your realms are pointing to the same DataStore (embedded DB) in your case, and are referring to the same suffix, I guess (ou=People container), so obviously all users are made available to both realms.

    If you want to have a separate set of users for each realm:
    (i) configure different repositories for each realm, each having a set of users specifically for that realm;
    (ii) have the users for each realm in different suffixes of the Directory Server and use the appropriate Base DN while configuring the Identity Repository for each realm. As an example, if there are two branches in the Directory Server (ou=people,ou=finance,dc=example,dc=com && ou=people,ou=engineering,dc=example,dc=com), I could have ou=People,ou=finance,dc=example,dc=com as the base dn for the Identity Repository of one realm and ou=people,ou=engineering,dc=example,dc=com as the base dn for the second realm. So in the finance realm, only people belonging to that branch will show up; likewise, in the other realm, identities in the 'engineering' branch will show up;
    (iii) for each realm, configure the Identity Repository in such a way that the search filter used will identify specific users from the repository. Say, if all users in the suffix ou=People,dc=example,dc=com have an attribute 'ou' with values such as 'Human Resources', 'Finance', 'Engineering' etc., per realm we could configure an Identity Repository to search for users based on the said attribute, in which case only the subset of users who match the search filter will be made available to the realm.

    #8700
     jax
    Participant

    I got it, and what should I put in the two following fields in each realm config:

    container people = ??
    container group = ??

    #8701
     jax
    Participant

    And I should say that even though I understand and appreciate your reply, it does not make sense. Why should we configure a search filter after having a different Base DN on each realm? Having different Base DNs should work, but it does not, and as you said we also need to configure a search filter. I'm trying your solution. (Waiting for your answer.)

    #8702
     Rajesh R
    Participant

    @jax That should point to the branch of your DIT where users and groups are located. For example, if the LDAP People Container value is 'People' for the LDAP Organization DN 'dc=example,dc=com', then the user dn would look like 'uid=user.0,ou=People,dc=example,dc=com'. Likewise for the groups.
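
An added example, not code from this thread or from OpenAM, modelling the DN composition Rajesh describes and options (ii) and (iii) from his earlier reply: the people or group container is placed under the LDAP Organization DN, and a subtree search from that base only ever returns that realm's branch. The directory entries and the `ou`-attribute filter are constructed for illustration.

```python
# Added example, not code from the thread or from OpenAM: an in-memory model of
# how a per-realm identity repository is scoped. The people/group container is
# composed under the LDAP Organization DN (base DN) and searches stay inside that
# subtree, so a realm pointed at its own branch never sees another realm's users.
DIT = {  # constructed sample directory
    # option (ii) from the thread: one branch per realm
    "uid=alice,ou=people,ou=realm1,dc=example,dc=com": {"uid": "alice", "ou": "Finance"},
    "cn=admins,ou=groups,ou=realm1,dc=example,dc=com": {"cn": "admins"},
    "uid=bob,ou=people,ou=realm2,dc=example,dc=com": {"uid": "bob", "ou": "Engineering"},
    "cn=devs,ou=groups,ou=realm2,dc=example,dc=com": {"cn": "devs"},
    # option (iii): a shared suffix where users differ only by the 'ou' attribute
    "uid=carol,ou=people,dc=example,dc=com": {"uid": "carol", "ou": "Finance"},
    "uid=dave,ou=people,dc=example,dc=com": {"uid": "dave", "ou": "Engineering"},
}

def normalize(dn):
    """Case-insensitive, whitespace-tolerant DN comparison key."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def search_base(org_dn, container):
    """Compose the search base as the thread describes: 'ou=<container>,<org DN>'."""
    return f"ou={container},{org_dn}"

def subtree_search(base_dn, filters):
    """Entries at or below base_dn matching every (attr, value) in filters;
    a value of None means the attribute only has to be present."""
    base = normalize(base_dn)
    hits = []
    for dn, attrs in DIT.items():
        ndn = normalize(dn)
        if ndn != base and not ndn.endswith("," + base):
            continue  # outside the realm's subtree
        if all(a in attrs and (v is None or attrs[a].lower() == v.lower())
               for a, v in filters.items()):
            hits.append(dn)
    return sorted(hits)

def realm_users(org_dn, people_container="people", extra_filter=None):
    """Users a realm sees given its base DN, people container and optional filter."""
    filters = {"uid": None, **(extra_filter or {})}
    return subtree_search(search_base(org_dn, people_container), filters)

def realm_groups(org_dn, group_container="groups"):
    """Groups a realm sees; empty if the base DN already ends in the people container."""
    return subtree_search(search_base(org_dn, group_container), {"cn": None})

if __name__ == "__main__":
    print(realm_users("ou=realm1,dc=example,dc=com"))  # only alice
```

Pointing the base DN at `ou=people,ou=realm1,...` instead of `ou=realm1,...` makes `realm_groups` look under `ou=groups,ou=people,...`, which is empty, matching the observation later in the thread that groups disappear with that setting.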

    #8704
     jax
    Participant

    So you mean the following:

    container people = people
    container group = groups

    Another thing I'd like to talk about, which also does not make sense, is that when I set Base DN = ou=people,ou=finance,dc=example,dc=com, then it seems I cannot have groups. Usually the Base DN is a parent container for people and groups, but now we say it is just for people (the starting part).

    #8705
     jax
    Participant

    My understanding from your reply is the following; am I right?

    container people = people
    container group = groups
    Base DN = ou=people,ou=realm1,dc=example,dc=com

    container people = people
    container group = groups
    Base DN = ou=people,ou=realm2,dc=example,dc=com
