separated user and group list per realm


This topic has 27 replies, 2 voices, and was last updated 5 years, 7 months ago by jax.

  • #8706
     Rajesh R
    Participant

    @jax, either one of those three options is what I meant. Say if your users are located in two different base dns, configuring the same in two different realms would suffice

    So realm1
    ou=People,ou=finance,dc=example,dc=com
    realm2
    ou=People,ou=hr,dc=example,dc=com

    But say if you have all your users located under ou=People,dc=example,dc=com, you’ll have to use the same base DN in both realms. In such a scenario how would you fetch a subset of users from in there to one realm and the rest to another realm? That has to be using a search filter.

    So in realm1
    fetch those users from ou=People,dc=example,dc=com who have ou=hr value

    in realm2
    fetch those users from ou=People,dc=example,dc=com who have ou=finance value

    Now, does it make sense?

    #8707
     jax
    Participant

    Yes for the last part of your post, but now I have a question about the first part:

    >>>So realm1
    >>>ou=People,ou=finance,dc=example,dc=com
    >>>realm2
    >>>ou=People,ou=hr,dc=example,dc=com

    Should I do anything else to store/put my users that are located in two different base DNs when I use the REST/SDK of OpenAM, in addition to the following config?

    container people = people
    container group = groups
    Base DN = ou=people,ou=finance,dc=example,dc=com

    container people = people
    container group = groups
    Base DN = ou=people,ou=hr,dc=example,dc=com

    #8708
     Rajesh R
    Participant

    @jax the base DN that you configure in your Identity Repository of OpenAM should map to the Directory information tree. You should have knowledge of the Directory Information Tree of your LDAP Server being used as the Identity Repository for OpenAM realms. So in my answers, I was assuming that there existed a Directory Server with ‘dc=example,dc=com’ as the top level suffix, which had the following branches:
    (i) ou=finance,dc=example,dc=com
    (ii) ou=engineering,dc=example,dc=com
    If users in the finance department are under the first branch mentioned above, and if those are the users whom I would like to see in my realm ‘realm1’, I will go ahead and configure the Identity repository in realm1 to point to the base DN ou=finance,dc=example,dc=com. The LDAP people container by default is ‘People’ (but need not be). The LDAP people container points to the branch where the User identities are expected to be found. So if I use the value ‘People’ as LDAP People Container in the said configuration, the Users are to be found under the branch ou=People,ou=finance,dc=example,dc=com

    Let me reiterate again that to configure the Identity repository in OpenAM realms, you should first have an understanding of how the data is stored in the underlying Directory Server. You could use some LDAP browsers to browse through the data and then configure the Identity repository accordingly in OpenAM.

    #8709
     jax
    Participant

    Which tools (ssoadm or SDK) can I use to code/program to just create an entry (ou=finance) in the Identity repository (embedded) used in OpenAM?

    • This reply was modified 5 years, 7 months ago by jax.
    #8711
     Rajesh R
    Participant

    @jax You may have to use an LDAP browser to create ou=finance branch in the embedded OpenDJ. Embedded OpenDJ by default listens to the port number 50389. The top level administrator is cn=Directory Manager and by default it uses the password of ‘amadmin’ user.

    You can use the ldapmodify command with appropriate ldif file to work on the OpenDJ DIT.

    A better option is to have an instance of external OpenDJ installed and configured as the Identity repository for your realms. If it helps, here’s a short video demonstration on the same:

    http://www.fedji.com/blogs/forgerock/creating-realm-in-openam-and-configuring-opendj-as-a-data-store/

    #8712
     jax
    Participant

    We have a lot of users in a multi-tenant setup. How strongly do you recommend having an external LDAP instead of the embedded one? The performance thing is really important for us.

    #8719
     jax
    Participant

    thank you.

    #8720
     jax
    Participant

    After setting up OpenDJ (I’m using the embedded one in OpenAM)

    I created ou=realm1 and ou=realm2 and created a user using the OpenAM console in realm1, but it is still visible in realm2. When I check it in an LDAP browser, it turns out that OpenAM creates users under (ou=people,dc=example,dc=com) even though I created the following layout in OpenDJ:

    dc=example,dc=com
        ou=realm1
            ou=people
            ou=groups
        ou=realm2
            ou=people
            ou=groups

    why?

    • This reply was modified 5 years, 7 months ago by jax.
    #8723
     Rajesh R
    Participant

    @jax The branches that you create such as ‘realm1’, ‘realm2’ etc. in OpenDJ do not map to the realms in OpenAM. Therefore it is not sufficient that you create branches in the OpenDJ. You will have to specify those details in the Identity Repository configuration. So for each realm, you’ll have to go to the Configuration page of the DataStore and then specify the appropriate base DN.
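
    The two layouts discussed in this thread (one branch per realm in post #8706, versus a shared ou=People branch split by a search filter) can be checked offline with a small model of how a data store's Base DN, LDAP People Container and user search filter select entries from a DIT. The following is an added example, not OpenAM or OpenDJ code and not from any poster; it assumes a minimal LDIF subset (no continuation lines or base64), a filter subset of (attr=value), presence, &, | and !, and that user entries sit directly below the people container. The sample LDIF is constructed for the example. It also shows the effect of a base DN that omits the suffix, which selects nothing in this model because no full DN ends with it.

```python
"""Toy model of an LDAP identity-repository lookup: Base DN + people container
+ search filter applied to a DIT loaded from LDIF. Illustration only; not
OpenAM/OpenDJ code. Sample data below is constructed for this example."""
import json
import re

# Constructed LDIF: department branches with their own People OU, plus a
# shared ou=People,dc=example,dc=com where users are distinguished by 'ou'.
SAMPLE_LDIF = """\
dn: ou=People,ou=finance,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=alice,ou=People,ou=finance,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: ou=People,ou=hr,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=bob,ou=People,ou=hr,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
ou: hr

dn: uid=dave,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
ou: finance
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr_lower: [values]} dicts ('dn' included)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def normalize_dn(dn):
    """Lower-case and trim RDN components (escaped commas are not handled here)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def split_filters(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised items."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    return items


def match_filter(entry, filt):
    """Evaluate a subset of RFC 4515 filters: (a=v), (a=*), (&...), (|...), (!...)."""
    body = filt.strip()[1:-1]
    if body[0] in "&|!":
        results = [match_filter(entry, sub) for sub in split_filters(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    values = entry.get(attr.strip().lower(), [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def realm_users(entries, base_dn, people_container="People", extra_filter=None):
    """Return the uids a data store with this Base DN / People Container / filter sees.
    Assumption: users are direct children of ou=<people_container>,<base_dn>."""
    search_base = normalize_dn(f"ou={people_container},{base_dn}")
    filt = "(objectClass=inetOrgPerson)"
    if extra_filter:
        filt = f"(&{filt}{extra_filter})"
    found = [e["uid"][0] for e in entries
             if normalize_dn(e["dn"][0]).endswith("," + search_base)
             and match_filter(e, filt)]
    return sorted(found)


def demo():
    """Compare the layouts from the thread; returns a dict of realm -> uids."""
    entries = parse_ldif(SAMPLE_LDIF)
    suffix = "dc=example,dc=com"
    return {
        # Option 1: each realm's Base DN points at its own branch.
        "separate_branches": {
            "realm1": realm_users(entries, f"ou=finance,{suffix}"),
            "realm2": realm_users(entries, f"ou=hr,{suffix}"),
        },
        # Option 2: both realms share ou=People,<suffix>; a filter splits them.
        "shared_branch_filtered": {
            "realm1": realm_users(entries, suffix, extra_filter="(ou=hr)"),
            "realm2": realm_users(entries, suffix, extra_filter="(ou=finance)"),
        },
        # Shared branch with no filter: every realm sees every user.
        "shared_branch_unfiltered": realm_users(entries, suffix),
        # Base DN without the suffix: no DN ends with it, so nothing matches.
        "missing_suffix": realm_users(entries, "ou=realm1"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Running the block prints the selection each configuration would produce; the "shared_branch_unfiltered" case is the situation where users created in one realm show up in every realm that shares the same search base, and the "missing_suffix" case is why the Base DN must be the full DN down to the directory suffix.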

    #8725
     jax
    Participant

    I already did what you mentioned in the previous post and here (configured the realm in OpenAM and also created their entry in LDAP).

    #8770
     jax
    Participant

    Hei,

    Thank you for help and support. Could you please help me with my recent question.

    #8771
     jax
    Participant

    In OpenDJ, I created:

    dc=example,dc=com
        ou=realm1
            ou=people
            ou=groups
        ou=realm2
            ou=people
            ou=groups

    In OpenAM, in the config of each realm:

    base DN = ou=realm1
        people container = people
        groups container = group

    base DN = ou=realm2
        people container = people
        groups container = group

    #8776
     jax
    Participant

    I can still see users created in a realm in other realms, as they are created in the Base DN/root even though I have created separate OUs for each realm in OpenDJ and configured them in OpenAM.
