separated user and group list per realm

[Rajesh R]

@jax, either one of those three options is what I meant. Say if your users are located in two different base dns, configuring the same in two different realms would suffice

So realm1
ou=People,ou=finance,dc=example,dc=com
realm2
ou=People,ou=hr,dc=example,dc=com

But say if you have all your users located under ou=People,dc=example,dc=com, you’ll have to use the same base DN in both realms. In such a scenario how would to fetch a subset of users from in there to one realm and the rest to another realm? That has to be using a search filter.

So in realm1
fetch those users from ou=People,dc=example,dc=com who have ou=hr value

in realm2
fetch those users from ou=People,dc=example,dc=com who have ou=finance value

Now, does it make sense?

[jax]

yes for the last part of your post. but now I have question about the first part:

>>>So realm1
>>>ou=People,ou=finance,dc=example,dc=com
>>>realm2
>>>ou=People,ou=hr,dc=example,dc=com

should I do anything else to store/put my users are located in two different base dns when I use REST/SDK of openAM in additional to the following config?

container people = people
container group = groups
Base DN = ou=people,ou=finance,dc=example,dc=com

container people = people
container group = groups
Base DN = ou=people,ou=hr,dc=example,dc=com

[Rajesh R]

@jax the base DN that you configure in your Identity Repository of OpenAM should map to the Directory information tree. You should have knowledge of the Directory Information Tree of your LDAP Server being used as the Identity Repository for OpenAM realms. So in my answers, I was assuming that there existed a Directory Server with ‘dc=example,dc=com’ as the top level suffix, which had the following branches:
(i) ou=finance,dc=example,dc=com
(ii) ou=engineering,dc=example,dc=com
If users in finance department are under the first branch mentioned above, and if those are the users whom I would like to see in my realm ‘reaml1’, I will go ahead and configure the Identity repository in realm1 to point to the base DN ou=finance,dc=example,dc=com. The LDAP people container by default is ‘People’ (but need not be). The LDAP people container points to the branch where the User identities are expected to be found. so if I use the value ‘People’ as LDAP People Container in the said configuration, the Users are to be found under the branch ou=People,ou=finance,dc=example,dc=com

Let me reiterate again that to configure the Identity repository in OpenAM realms, you should first have an understanding of how the data is stored in the underlying Directory Server. You could use some LDAP browsers to browse through the data and then configure the Identity repository accordingly in OpenAM.

[jax]

which tools (ssoadm or SDK) can I use to code/program to just create entry (ou=finance) in Identity repository (embeded) used in openAM?

• This reply was modified 5 years, 7 months ago by jax.

[Rajesh R]

@jax You may have to use an LDAP browser to create ou=finance branch in the embedded OpenDJ. Embedded OpenDJ by default listens to the port number 50389. The top level administrator is cn=Directory Manager and by default it uses the password of ‘amadmin’ user.

You can use the ldapmodify command with appropriate ldif file to work on the OpenDJ DIT.

A better option is to have an instance of external OpenDJ installed and configured as the Identity repository for your realms. If it helps, here’s a short video demonstration on the same:

http://www.fedji.com/blogs/forgerock/creating-realm-in-openam-and-configuring-opendj-as-a-data-store/

[jax]

we have a lot of users in multi tenant setup. how much do you strongly recommend to have external ldap instead of embeded. the performance things is really important for us?

[jax]

thank you.

[jax]

after setup opendj (I’m using embeded one in openAM)

I created ou=realm1 and ou=realm2 and created a user using openAM console in realm1, but it is still visible in realm2. when I check it in ldap browser, it turns out that openAM create users under (ou=people,dc=example,dc=com) even though I created the following layout in openDJ :

dc=example,dc=com
——–ou=realm1
—————-ou=people
—————-ou=groups
——–ou=realm2
—————-ou=people
—————-ou=groups

why?

• This reply was modified 5 years, 7 months ago by jax.

[Rajesh R]

@jax The branches that you create such as ‘realm1’, ‘realm2’ etc. in OpenDJ does not map to the realms in OpenAM. Therefore it is not sufficient that you create branches in the OpenDJ. You will have to specify those details in the Identity Repository configuration. So for each realm, you’ll have to go to the Configuration page of DataStore and then specify appropriate base DN.

[jax]

I did already that you mentioned in previous post and here. (config realm in openAM and also create their entry in LDAP entry)

[jax]

Hei,

Thank you for help and support. Could you please help me with my recent question.

[jax]

in openDJ, I created :

dc=example,dc=com
——–ou=realm1
—————-ou=people
—————-ou=groups
——–ou=realm2
—————-ou=people
—————-ou=groups

In openAM, in config of each realm:

base DN = ou=realm1
——–people container = people
——–groups container = group

base DN = ou=realm2
——-people container = people
——-groups container = group

[jax]

I can still see users created in a realm in other realms as they are created in Base DN/root even though I have created separated ou for each realm in openDJ and config them in openAM.

[Author]

Posts