Tagged: isMemberOf, opendj, Tivoli, tokeninfo
This topic has 6 replies, 2 voices, and was last updated 5 years, 10 months ago by Fernando A. Barbeiro Campos.
September 19, 2016 at 5:37 pm #13092
Fernando A. Barbeiro Campos (Participant)
Hi guys,
Simple question:
I had configured an OpenDJ as my DataStore and, once I assigned a user to a group, I could retrieve it through the /openam/oauth2/tokeninfo?access_token=XXXXX endpoint (yes, I’m dealing with OAuth2 providers, and the groups value was returned since I had “isMemberOf” among my scopes and had defined this isMemberOf value under my datastore’s LDAP User Attributes).
The issue is that we are now using a Tivoli Directory Service instead of OpenDJ, and although my configuration via the Admin Console is still retrieving and filling Subjects / Users / Groups pretty well, my /tokeninfo endpoint no longer provides the information regarding group assignment.
My question: do I need to change anything to have it working?
Any suggestion will be extremely appreciated.
Thanks in advance.
September 20, 2016 at 8:31 am #13111
Fernando A. Barbeiro Campos (Participant)
Just in order to provide further details:
This is a curl call with OpenDJ as DataStore:
$ curl http://openam.example.com:8080/openam/oauth2/tokeninfo?access_token=XXXXYYYY
{"scope":"isMemberOf"],"realm":"/employee","isMemberOf":"cn=ROLE_EMPLOYEE,ou=groups,ou=employee,dc=example,dc=com","token_type":"Bearer","expires_in":22,"client_id":"poc","access_token":"XXXXYYYY","grant_type":"password"}
Meanwhile, the same curl call with Tivoli as DataStore:
$ curl http://openam.example.com:8080/openam/oauth2/tokeninfo?access_token=XXXXYYYY
{"scope":"isMemberOf"],"realm":"/employee","isMemberOf":"","token_type":"Bearer","expires_in":375,"client_id":"poc","access_token":"XXXXYYYY","grant_type":"password"}
Any suggestion?
Thanks,
September 20, 2016 at 10:09 am #13116
Andrew Potter (Participant)
I think Tivoli uses ‘memberOf’, rather than ‘isMemberOf’, by default.
September 20, 2016 at 10:19 am #13117
Fernando A. Barbeiro Campos (Participant)
September 20, 2016 at 2:49 pm #13132
Fernando A. Barbeiro Campos (Participant)
At the end of the day, the attribute that I needed to add to my LDAP User Attributes, as well as to my scope, was “ibm-allgroups”.
Thanks for the collaboration, Andrew.
September 20, 2016 at 3:59 pm #13145
Andrew Potter (Participant)
Perfect, glad you got it sorted :)
Just a thought: if you wanted the behaviour to be consistent, would setting the ‘Attribute Name Mapping’ in the DataStore settings so that isMemberOf is mapped to ‘ibm-allgroups’ mean you could use isMemberOf in the scope list instead? I.e. provide consistency at the OpenAM interface irrespective of the underlying repository schema.
September 20, 2016 at 4:04 pm #13146
Fernando A. Barbeiro Campos (Participant)
Good suggestion @andrew-potter, I completely agree with you. I’ll try as soon as possible.
Thanks again :D
Regards,
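The practical lesson of the thread is that a resource server which trusts the group claim in the tokeninfo response can silently lose its authorization decision when the underlying repository changes schema: with Tivoli the "isMemberOf" field came back as an empty string rather than an error. The following is an added example, not OpenAM's code nor anything posted in the thread. It consumes tokeninfo bodies modelled on the two responses quoted above (with the scope array bracket made valid JSON), accepts whichever group attribute the realm exposes, and fails closed when no usable group DN is present. The third sample body, with "ibm-allgroups" returned as a multi-valued list, is an assumption about the response shape after the attribute is added to the scope list; the attribute-name fallback list is likewise a choice made here, not an OpenAM setting (the Attribute Name Mapping suggested above is the cleaner fix on the OpenAM side).

```python
import json
from typing import Any, Dict, List

# Constructed sample bodies, modelled on the tokeninfo responses quoted in the thread.
# The access token and client values are placeholders.
TOKENINFO_OPENDJ = (
    '{"scope":["isMemberOf"],"realm":"/employee",'
    '"isMemberOf":"cn=ROLE_EMPLOYEE,ou=groups,ou=employee,dc=example,dc=com",'
    '"token_type":"Bearer","expires_in":22,"client_id":"poc",'
    '"access_token":"XXXXYYYY","grant_type":"password"}'
)
TOKENINFO_TIVOLI = (
    '{"scope":["isMemberOf"],"realm":"/employee","isMemberOf":"",'
    '"token_type":"Bearer","expires_in":375,"client_id":"poc",'
    '"access_token":"XXXXYYYY","grant_type":"password"}'
)
# Assumed shape once "ibm-allgroups" is in the scope list and LDAP User Attributes:
# a multi-valued attribute is assumed to come back as a JSON list.
TOKENINFO_TIVOLI_FIXED = (
    '{"scope":["ibm-allgroups"],"realm":"/employee",'
    '"ibm-allgroups":["cn=ROLE_EMPLOYEE,ou=groups,ou=employee,dc=example,dc=com",'
    '"cn=ROLE_VPN,ou=groups,ou=employee,dc=example,dc=com"],'
    '"token_type":"Bearer","expires_in":300,"client_id":"poc",'
    '"access_token":"XXXXYYYY","grant_type":"password"}'
)

# Group-membership attribute names used by different directories (OpenDJ, AD-style,
# Tivoli). Accepting all of them is this example's choice, so a datastore swap does
# not silently turn every caller into a user with no groups.
GROUP_ATTRIBUTES = ("isMemberOf", "memberOf", "ibm-allgroups")


def parse_tokeninfo(body: str) -> Dict[str, Any]:
    """Parse a tokeninfo JSON body; raises on malformed input rather than guessing."""
    info = json.loads(body)
    if not isinstance(info, dict):
        raise ValueError("tokeninfo body is not a JSON object")
    return info


def group_dns(info: Dict[str, Any]) -> List[str]:
    """Collect group DNs from whichever recognised attribute the response carries.
    Empty strings (what the thread shows for the unmapped Tivoli attribute) are dropped,
    and both single-valued and list-valued attributes are handled."""
    dns: List[str] = []
    for attr in GROUP_ATTRIBUTES:
        value = info.get(attr)
        if value is None:
            continue
        values = value if isinstance(value, list) else [value]
        dns.extend(v for v in values if isinstance(v, str) and v.strip())
    return dns


def group_cn(dn: str) -> str:
    """Return the cn= RDN value of a group DN, lower-cased for comparison."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, val = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"group DN does not start with cn=: {dn}")
    return val.strip().lower()


def authorize(body: str, required_group: str, expected_realm: str) -> bool:
    """Fail closed: the token must still be live, belong to the expected realm and carry
    the required group in at least one recognised group attribute."""
    info = parse_tokeninfo(body)
    if not isinstance(info.get("expires_in"), int) or info["expires_in"] <= 0:
        return False
    if info.get("realm") != expected_realm:
        return False
    groups = {group_cn(dn) for dn in group_dns(info)}
    return required_group.lower() in groups


if __name__ == "__main__":
    for name, body in (("OpenDJ", TOKENINFO_OPENDJ), ("Tivoli", TOKENINFO_TIVOLI),
                       ("Tivoli+ibm-allgroups", TOKENINFO_TIVOLI_FIXED)):
        print(name, "ROLE_EMPLOYEE allowed:", authorize(body, "ROLE_EMPLOYEE", "/employee"))
```

The Tivoli body with the empty "isMemberOf" is denied rather than treated as "no restriction", which is the behaviour you want while the datastore attribute is still being sorted out; once the Attribute Name Mapping is in place, the same check keeps working without changing the scope list on the client side.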