This topic has 27 replies, 2 voices, and was last updated 6 years, 5 months ago by jax.
March 18, 2016 at 11:48 am #8706
Rajesh R
Participant
@jax, either one of those three options is what I meant. Say if your users are located in two different base DNs, configuring the same in two different realms would suffice.
So realm1
ou=People,ou=finance,dc=example,dc=com
realm2
ou=People,ou=hr,dc=example,dc=com
But say if you have all your users located under ou=People,dc=example,dc=com, you’ll have to use the same base DN in both realms. In such a scenario how would you fetch a subset of users from in there to one realm and the rest to another realm? That has to be using a search filter.
So in realm1
fetch those users from ou=People,dc=example,dc=com who have ou=hr value
in realm2
fetch those users from ou=People,dc=example,dc=com who have ou=finance value
Now, does it make sense?
March 18, 2016 at 11:54 am #8707
jax
Participant
Yes for the last part of your post. But now I have a question about the first part:
>>>So realm1
>>>ou=People,ou=finance,dc=example,dc=com
>>>realm2
>>>ou=People,ou=hr,dc=example,dc=com
Should I do anything else to store/put my users, which are located in two different base DNs, when I use the REST/SDK of OpenAM, in addition to the following config?
container people = people
container group = groups
Base DN = ou=people,ou=finance,dc=example,dc=com
container people = people
container group = groups
Base DN = ou=people,ou=hr,dc=example,dc=com
March 18, 2016 at 11:57 am #8708
Rajesh R
Participant
@jax the base DN that you configure in your Identity Repository of OpenAM should map to the Directory Information Tree. You should have knowledge of the Directory Information Tree of the LDAP server being used as the Identity Repository for OpenAM realms. So in my answers, I was assuming that there existed a Directory Server with ‘dc=example,dc=com’ as the top-level suffix, which had the following branches:
(i) ou=finance,dc=example,dc=com
(ii) ou=engineering,dc=example,dc=com
If users in the finance department are under the first branch mentioned above, and if those are the users whom I would like to see in my realm ‘realm1’, I will go ahead and configure the Identity Repository in realm1 to point to the base DN ou=finance,dc=example,dc=com. The LDAP People Container by default is ‘People’ (but need not be). The LDAP People Container points to the branch where the user identities are expected to be found. So if I use the value ‘People’ as LDAP People Container in the said configuration, the users are to be found under the branch ou=People,ou=finance,dc=example,dc=com
Let me reiterate that to configure the Identity Repository in OpenAM realms, you should first have an understanding of how the data is stored in the underlying Directory Server. You could use an LDAP browser to browse through the data and then configure the Identity Repository accordingly in OpenAM.
March 18, 2016 at 12:03 pm #8709
jax
Participant
Which tools (ssoadm or SDK) can I use to code/program to just create an entry (ou=finance) in the Identity Repository (embedded) used in OpenAM?
March 18, 2016 at 12:08 pm #8711
Rajesh R
Participant
@jax You may have to use an LDAP browser to create the ou=finance branch in the embedded OpenDJ. The embedded OpenDJ by default listens on port number 50389. The top-level administrator is cn=Directory Manager and by default it uses the password of the ‘amadmin’ user.
You can use the ldapmodify command with appropriate ldif file to work on the OpenDJ DIT.
A better option is to have an instance of external OpenDJ installed and configured as the Identity repository for your realms. If it helps, here’s a short video demonstration on the same:
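As an added example (not part of this thread, and not OpenAM's or OpenDJ's own tooling), the following POSIX shell script does what the two replies above describe from the command line: it emits the LDIF for one branch of the layout (ou=<branch>,dc=example,dc=com with People and Groups containers under it), composes the DN under which OpenAM will look for users the way the data store does (LDAP People Container prefixed to the Base DN), and loads or lists the branch with OpenDJ's ldapmodify and ldapsearch. The suffix dc=example,dc=com, port 50389 and bind DN cn=Directory Manager come from the posts above; the DIRMGR_PW variable, the function names and the default container names People/Groups are assumptions. The flags are OpenDJ's client-tool flags (OpenLDAP's ldapmodify/ldapsearch take -H ldap://host:port instead of -h/-p).

```shell
#!/bin/sh
# Added example, not code from the forum thread.
# Assumed environment: embedded OpenDJ on localhost:50389 (the default
# mentioned above), suffix dc=example,dc=com, bind as cn=Directory Manager.
# The bind password is read from $DIRMGR_PW so it never appears on a command
# line (and therefore not in shell history or `ps` output).

SUFFIX="${SUFFIX:-dc=example,dc=com}"
LDAP_HOST="${LDAP_HOST:-localhost}"
LDAP_PORT="${LDAP_PORT:-50389}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"

# Print the LDIF that creates ou=<branch>,<suffix> together with the
# People and Groups containers a realm's data store expects beneath it.
# Container names default to People/Groups (an assumption; use whatever
# the realm's "LDAP People Container" / "LDAP Groups Container" are set to).
branch_ldif() {
    branch="$1"
    people="${2:-People}"
    groups="${3:-Groups}"
    cat <<EOF
dn: ou=${branch},${SUFFIX}
objectClass: top
objectClass: organizationalUnit
ou: ${branch}

dn: ou=${people},ou=${branch},${SUFFIX}
objectClass: top
objectClass: organizationalUnit
ou: ${people}

dn: ou=${groups},ou=${branch},${SUFFIX}
objectClass: top
objectClass: organizationalUnit
ou: ${groups}
EOF
}

# The DN where OpenAM reads and creates users for a realm: the data
# store's Base DN with the LDAP People Container prepended, exactly the
# composition the reply above walks through.
user_container_dn() {
    base_dn="$1"
    people="${2:-People}"
    printf 'ou=%s,%s\n' "$people" "$base_dn"
}

# Load one branch into the directory (ldapmodify reads LDIF from stdin;
# -a adds entries that carry no changetype).
load_branch() {
    branch="$1"
    : "${DIRMGR_PW:?set DIRMGR_PW to the Directory Manager password}"
    branch_ldif "$branch" | ldapmodify -a -h "$LDAP_HOST" -p "$LDAP_PORT" \
        -D "$BIND_DN" -w "$DIRMGR_PW"
}

# List what actually sits under a branch, optionally narrowed by a filter
# such as "(ou=hr)" to see which entries a realm's search filter would pick.
show_branch() {
    branch="$1"
    filter="${2:-(objectClass=*)}"
    : "${DIRMGR_PW:?set DIRMGR_PW to the Directory Manager password}"
    ldapsearch -h "$LDAP_HOST" -p "$LDAP_PORT" -D "$BIND_DN" -w "$DIRMGR_PW" \
        -b "ou=${branch},${SUFFIX}" -s sub "$filter" dn
}
```

Usage: `DIRMGR_PW=... sh -c '. ./branches.sh; load_branch finance; show_branch finance'`. The DN that `user_container_dn 'ou=finance,dc=example,dc=com' People` prints must appear in that listing; if it does not, the realm's data store is pointing at a branch other than the one you just created, and users will be written somewhere else.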
March 18, 2016 at 12:14 pm #8712
jax
Participant
We have a lot of users in a multi-tenant setup. How strongly do you recommend having an external LDAP instead of the embedded one? Performance is really important for us.
March 18, 2016 at 1:32 pm #8719
jax
Participant
Thank you.
March 18, 2016 at 1:54 pm #8720
jax
Participant
After setting up OpenDJ (I’m using the embedded one in OpenAM)
I created ou=realm1 and ou=realm2 and created a user using the OpenAM console in realm1, but it is still visible in realm2. When I check it in an LDAP browser, it turns out that OpenAM creates users under (ou=people,dc=example,dc=com) even though I created the following layout in OpenDJ:
dc=example,dc=com
——–ou=realm1
—————-ou=people
—————-ou=groups
——–ou=realm2
—————-ou=people
—————-ou=groups
Why?
March 18, 2016 at 2:02 pm #8723
Rajesh R
Participant
@jax The branches that you create such as ‘realm1’, ‘realm2’ etc. in OpenDJ do not map to the realms in OpenAM. Therefore it is not sufficient that you create branches in OpenDJ. You will have to specify those details in the Identity Repository configuration. So for each realm, you’ll have to go to the Configuration page of the Data Store and then specify the appropriate base DN.
March 18, 2016 at 3:01 pm #8725
jax
Participant
I already did what you mentioned in the previous post and here (configured the realm in OpenAM and also created their entries in LDAP).
March 21, 2016 at 8:47 am #8770
jax
Participant
Hi,
Thank you for the help and support. Could you please help me with my recent question?
March 21, 2016 at 9:18 am #8771
jax
Participant
In OpenDJ, I created:
dc=example,dc=com
——–ou=realm1
—————-ou=people
—————-ou=groups
——–ou=realm2
—————-ou=people
—————-ou=groups
In OpenAM, in the config of each realm:
base DN = ou=realm1
——–people container = people
——–groups container = group
base DN = ou=realm2
——-people container = people
——-groups container = group
March 21, 2016 at 11:07 am #8776
jax
Participant
I can still see users created in a realm in other realms, as they are created in the Base DN/root even though I have created a separate ou for each realm in OpenDJ and configured them in OpenAM.