I have tried to use the account expiry and account lockout features of OpenSSO with OpenLDAP as my user data repository. The problem is that these features rely heavily on the Access Manager specific schema, so unless you extend OpenLDAP with the Access Manager schema, these features cannot be used in OpenSSO.

I did extend OpenLDAP with the Access Manager schema and tested the following features. You can download the schema file here:

  • Account expiry
  • Account lockout

A few quick steps:

Create a new LDAPv3 generic data store

Add the following object classes (if not already present) to the ‘LDAP User Object Classes’ list:

inetadmin
inetorgperson
inetuser
iplanet-am-managed-person
iplanet-am-user-service
iplanet-am-session-service
iPlanetPreferences
organizationalperson
person
sunAMAuthAccountLockout
top

Under ‘LDAP User Attributes’, add the following attributes:

cn
dn
employeeNumber
givenName
inetUserStatus
iplanet-am-static-group-dn
iplanet-am-user-account-life
iplanet-am-user-alias-list
iplanet-am-user-auth-config
iplanet-am-user-failure-url
iplanet-am-user-success-url
iplanet-am-user-login-status
mail
objectClass
postalAddress
preferredLocale
sn
sunAMAuthInvalidAttemptsData
sunIdentityMSISDNNumber
telephoneNumber
uid
userPassword

Make sure your OpenLDAP database already contains the following entries:

dn: ou=People,o=sun.com
objectClass: top
objectClass: organizationalunit
objectClass: iplanet-am-managed-people-container
ou: People

dn: ou=Groups,o=sun.com
objectClass: top
objectClass: organizationalunit
objectClass: iplanet-am-managed-group-container
ou: Groups

dn: ou=agents,o=sun.com
objectClass: top
objectClass: organizationalunit
objectClass: iplanet-am-managed-org-unit
ou: agents

If not, you can quickly add them with ldapmodify, using an input file with the contents shown above. Now you are set to create users from the OpenSSO console, and you can test the account expiry and account lockout features for users stored in the OpenLDAP directory. You should be able to store all the user type attributes in this data store, including the SAML and Federation related user attributes. (For OpenFM things are different: there is a different schema, which I have not yet tried against OpenLDAP.)
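As an added pre-flight check that is not part of the original post: the script below parses an LDIF export of the directory (for example the output of ldapsearch -LLL -b o=sun.com) and reports which person entries lack any of the object classes listed above and which of the three container entries are absent or lack their Access Manager object class. The base o=sun.com comes from the post; the sample export is constructed for this example.

```python
# Lowercased object classes the post lists under 'LDAP User Object Classes'.
USER_CLASSES = {"inetadmin", "inetorgperson", "inetuser", "iplanet-am-managed-person",
                "iplanet-am-user-service", "iplanet-am-session-service", "iplanetpreferences",
                "organizationalperson", "person", "sunamauthaccountlockout", "top"}
# Container DNs the post requires, with the AM objectClass each must carry.
CONTAINERS = {"ou=people,o=sun.com": "iplanet-am-managed-people-container",
              "ou=groups,o=sun.com": "iplanet-am-managed-group-container",
              "ou=agents,o=sun.com": "iplanet-am-managed-org-unit"}

def parse_ldif(text):
    """Lowercased DN -> {lowercased attr: [values]}; unfolds folded lines, skips '#', 'version:' and '::' values."""
    entries = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if line[:1] != "#" and name.lower() != "version" and value[:1] != ":":
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def classes_of(attrs):
    return {c.lower() for c in attrs.get("objectclass", [])}

def missing_user_classes(entries):
    """DN -> sorted required classes absent from each 'person' entry."""
    return {dn: sorted(USER_CLASSES - classes_of(a)) for dn, a in entries.items()
            if "person" in classes_of(a) and not USER_CLASSES <= classes_of(a)}

def missing_containers(entries):
    """Required container DNs that are absent or lack their AM objectClass."""
    return sorted(dn for dn, oc in CONTAINERS.items() if oc not in classes_of(entries.get(dn, {})))

# Constructed sample export: People is complete, Groups/Agents absent, alice a plain inetOrgPerson.
SAMPLE_LDIF = """\
dn: ou=People,o=sun.com
objectClass: top
objectClass: organizationalUnit
objectClass: iplanet-am-managed-people-container
ou: People

dn: uid=alice,ou=People,o=sun.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: alice
sn: Example
"""
```

Entries the report flags can then be added or extended with ldapmodify (ldapmodify -a, or ldapadd, for new entries) before OpenSSO starts managing the store.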

Limitations:

  • Persistent search is not supported (hence immediate change notification is not possible); OpenSSO has to wait until the cache expires. It appears persistent search is supported by OpenLDAP; we need to see how OpenSSO can leverage this.
  • No roles support.
  • Groups are supported by OpenLDAP, but the AM/OpenSSO console is not ready to manage them; you can still use group memberships to evaluate policies.