Creating Authentication Chain using OpenSSO ssoadm CLI

You can use ssoadm CLI to automate the OpenSSO service configuration.  In the next few blog entries I am planning to give some examples on how to perform certain configuration changes using the ssoadm CLI. In this article I am going to show you how to create an Authentication Chain. You should have configured the CLI  as a prerequisite.

Here is the scenario:

• Create an LDAP auth module with Name "MyLDAP" pointing to the ldapserver myldap.example.com:5389  with BIND DN "cn=myldap manager"
• Create an Authentication Chain ‘myauthcfg’ with MyLDAP as the required module

Creating LDAP Authentication Module

• ./ssoadm create-auth-instance -m MyLDAP -t LDAP -u amadmin -f /tmp/.pass -e /

 Update the LDAP Server Properties

Add the ldap server configuration details to the newly created auth module ‘MyLDAP’

• ./ssoadm update-auth-instance -e / -m MyLDAP -u amadmin -f /tmp/.pass -a "iplanet-am-auth-ldap-server=myldap.example.com:5389" "iplanet-am-auth-ldap-bind-dn=cn=myldap manager"

Create the Authentication Chain

When you create the auth chain there will be no modules added to it, you need add it later

Create the Auth Chain named ‘myauthcfg’

• ./ssoadm create-auth-cfg -e / -m myauthcfg -u amadmin -f /tmp/.pass

Add Auth Instances to  Auth chain 

Add the MyLDAP as the required module to the auth chain ‘myauthcfg’

• ./ssoadm update-auth-cfg-entr -m myauthcfg -e / -u amadmin -f /tmp/.pass
  -a "MyLDAP|REQUIRED"

Listing Auth Chains

You can list the available authentication configurations in a realm using the list-auth-cfgs  sub command.

./ssoadm list-auth-cfgs -e / -u amadmin -f /tmp/.pass

Authentication Configurations:

ldapService

myauthcfg

Listing Authentication Instances

You can also list the available authentication instances in a realm using the list-auth-instances sub command

• ./ssoadm list-auth-instances -e / -u amadmin -f /tmp/.pass

Authentication Instances:
WSSAuthModule, [type=WSSAuthModule]
MyLDAP, [type=LDAP]
Federation, [type=Federation]
LDAP, [type=LDAP]
HOTP, [type=HOTP]
DataStore, [type=DataStore]
SAE, [type=SAE]

Workaround fix for the ssoadm CLI issue 3955

If you are running in to the Opensso issue 3955

Problem:

While configuring the OpenSSO(build 6) server
against Sun Directory Server to store the configuration data, if you
have selected  different passwords for the ‘amadmin’ user and for the
DSEE Bind DN user(for eg: cn=directory manager), then  the command line
tool ‘ssoadm’ will fail on certain circumstances.

This issue
does not happen when OpenSSO server is configured with default
configuration store. There are two workarounds to resolve the issue.

1. Create cn=dsameuser entry under the configuration directory server
2. Update the serverconfig.xml in the configuration store

later option is recommended to the production customers

for instance when you invoke the ‘list-server-cfg’ subcommand you might see following type of error messages in the command window 

Run the following sequence of steps 

Step 1

Login as amadmin user to the OpenSSO Console, and access ssoadm.jsp

Step 2

Get the existing serverconfig.xml and save it in a text file

Step 3

Encode the ‘amadmin’ passwd using the encode.jsp

Step 3a

Edit the serverconfig.xml dumped from step 1 to include the correct encrypted password of amadmin to the  following users

• User1: puser
• User2: dsameuser

Make sure you dont update the password for the Server group named ‘sms’ that has the correct password

Step 4

Load the new serverconfig.xml with the change

Workaround Option 2

 Create following entries in your Configuration Directory Server

dn: ou=dsame users,ROOT_SUFFIX
objectClass: top
objectClass: organizationalUnit
dn: cn=dsameuser,ou=DSAME Users, ROOT_SUFFIX
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: dsameuser
sn: dsameuser
userPassword: AMADMIN_PASSWD

Creating user Data Stores in opensso using famadm CLI

NOTE: This procedure has been validated with OpenSSO promoted build4(Apr 1, 2008)

 

Create AD datastore

---

 

• ./famadm create-datastore -m "AD_STORE" -t LDAPv3ForAD -D  datastore_AD_attrs.txt -v -u amadmin -f /tmp/pass
  -e /

---

Create Data store with SunDS+AM Schema

---

 

• ./famadm create-datastore -m "DSEE_STORE" -t LDAPv3ForAMDS -D datastore_dsee_attrs.txt -v -u amadmin -f
  /tmp/pass -e /

---

Create Datastore for generic LDAPv3(OpenLDAP)

---

 

• ./famadm create-datastore -m "LDAPv3_STORE" -t LDAPv3 -D datastore_ldapv3_attrs.txt -v -u amadmin -f
  /tmp/pass -e /

---

Create Datastore for IBM Tivoli Directory Server

 

Prerequisites

 To create and manage successfully identies in Tivoli, you need to load the following schema using ldapmodify

• am_remote_tivolids_schema.ldif

• fam_tivolids_schema.ldif

.

---

• ./famadm create-datastore -m "IBM_TIVOLI_STORE" -t LDAPv3 -D datastore_ldapv3_attrs.txt -v -u amadmin -f
  /tmp/pass -e /

---

 

Update Datastore

---

 

• ./famadm update-datastore -m "DSEE_STORE" -D datastore_update_attrs.txt -v -u amadmin -f
  /tmp/pass -e /

The above command will update the bind DN and the password for the data store named "DSEE_STORE" in the root realm

---

Delete Data Store

---

 

• ./famadm delete-datastores -m LDAPv3_STORE -v -u amadmin -f /tmp/pass -e /
• ./famadm delete-datastores -m IBM_TIVOLI_STORE -v -u amadmin -f /tmp/pass -e /

---