Identity Stores

An identity store, or an identity repository, is a persistent repository of user data. For example, DS or Microsoft Active Directory. You can configure identity stores either when installing AM, or by adding them to an existing AM instance.

AM also uses other types of data stores, like the configuration data store, the UMA data store, and the Core Token Service (CTS) data store, but those are not being discussed in this chapter.

When you first set up a realm, the new realm inherits the identity store from the parent realm. For example, in an installation where the Top Level Realm has a DS server as the identity store, any new realm created would have the same DS instance as the identity store, by default.

Yet, if your administrators are in one realm and your users in another, your new child realm might retrieve users from a different identity store.

Note

You should not configure more than one writeable identity repository in a single realm. AM will try to perform write operations on each identity repository configured in a realm, and there is no way to configure which repository is written to.

To manage identities and reconcile differences between multiple identity repositories, use ForgeRock Identity Management.

Tasks to Connect Identity Stores
TaskResources

Prepare an Identity Store

You must prepare the identity store before AM can use it.

"Preparing Identity Repositories"

Configure an Identity Store

Configure the store in a realm so that users can be authenticated.

By default, AM re-uses your configuration store as the identity store of the Top Level realm.

"To Configure an Identity Store"

Customize an Identity Store

Create custom attributes for your users or custom identity plugins to change how AM maps users and groups to a realm.

"Customizing Identity Stores".

To Configure an Identity Store
  1. Share the identity store certificate with the AM container to prepare for TLS/LDAPS. Identity stores should communicate over secure connections for security reasons.

    DS 7 or later is configured to require secure connections by default; therefore, share its certificate with the AM container before continuing.

    1. Export the DS server certificate:

      $ /path/to/opendj/bin/dskeymgr export-ca-cert \
      --deploymentKey $DEPLOYMENT_KEY \
      --deploymentKeyPassword password \
      --alias ds-ca-cert \
      --outputFile ds-ca-cert.pem

      Note that $DEPLOYMENT_KEY is a Unix variable that contains the DS deployment key, so that it is not logged in the user's command history.

      The default DS server certificate only has the hostname you supplied at setup time, and localhost, as the value of the SubjectAlternativeName attribute; however, certificate hostname validation is strict.

      Ensure that the certificate matches the hostname (or the FQDN) of the DS server before continuing.

    2. Import the DS certificate into the AM truststore:

      $ keytool \
      -importcert \
      -alias ds-ca-cert \
      -file ds-ca-cert.pem \
      -keystore /path/to/openam/security/keystores/truststore

    For more information on configuring AM's truststore, see "Preparing a Truststore".

  2. In the AM console, browse to Realms > Realm Name > Identity Stores.

  3. Click Add Identity Store, enter an ID, and select the type of identity store.

  4. Click Create.

  5. In the tabbed view, provide information on how to connect to your identity store.

    See the following for hints depending on the type of identity store:

    Use these attributes when configuring Active Directory data stores:

    amster service name: IdRepository

    ssoadm service name: sunIdentityRepositoryService

    ID

    The ID of the data store configuration

    LDAP Server

    host:port to contact the directory server, with optional |server_ID|site_ID for deployments with multiple servers and sites.

    AM uses the optional settings to determine which directory server to contact first. AM tries to contact directory servers in the following priority order, with highest priority first:

    1. The first directory server in the list whose server_ID matches the current AM server.

    2. The first directory server in the list whose site_ID matches the current AM server.

    3. The first directory server in the remaining list.

    If the directory server is not available, AM proceeds to the next directory server in the list.

    XUI

    Default: host:port of the initial directory server configured for this AM server.

    ssoadm

    ssoadm attribute: sun-idrepo-ldapv3-config-ldap-server

    Default: =[0]=host:port of the initial directory server configured for this AM server.

    You must add =[n]= before the host:port, where n is an array index, starting with 0, of servers listed. See the example below.

    Example:

    sun-idrepo-ldapv3-config-ldap-server=[0]=localhost:51636|01
    sun-idrepo-ldapv3-config-ldap-server=[1]=openam.example.com:52389|02
    sun-idrepo-ldapv3-config-ldap-server=[2]=zzz.example.com:1636|01|02
    sun-idrepo-ldapv3-config-ldap-server=[3]=xxx.example.com:1636|01|02

    LDAP Bind DN

    Bind DN of the service account AM uses to connect to the directory server. Some AM capabilities require write access to directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-authid

    Default: CN=Administrator,CN=Users,base-dn

    LDAP Bind Password

    Bind password for connecting to the directory server

    ssoadm attribute: sun-idrepo-ldapv3-config-authpw

    LDAP Organization DN

    The base DN under which to find user and group profiles.

    Ensure that the identity store is setup with the specified DN before making any changes to this property in AM.

    ssoadm attribute: sun-idrepo-ldapv3-config-organization_name

    Default: base-dn

    LDAP Connection Mode

    Whether to use LDAP, LDAPS or StartTLS to connect to the directory server. When LDAPS or StartTLS are enabled, AM must be able to trust server certificates, either because the server certificates were signed by a CA whose certificate is already included in the trust store used by the container where AM runs, or because you imported the certificates into the trust store.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection-mode

    Possible values: LDAP, LDAPS, and StartTLS

    LDAP Connection Pool Maximum Size

    Maximum number of connections to the directory server. Make sure the directory service can cope with the maximum number of client connections across all servers.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection_pool_max_size

    Default: 10

    LDAP Connection Heartbeat Interval

    How often to send a heartbeat request to the directory server to ensure that the connection does not remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0 or to a negative number. To set the units for the interval use LDAP Connection Heartbeat Time Unit.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-interval

    Default: 10

    LDAP Connection Heartbeat Time Unit

    Time unit for the LDAP Connection Heartbeat Interval setting.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-timeunit

    Default: SECONDS

    Maximum Results Returned from Search

    A cap for the number of search results to return, for example, when viewing profiles under Identities. Rather than raise this number, consider narrowing your search to match fewer directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-max-result

    Default: 1000

    Search Timeout

    Maximum time to wait for search results in seconds. Does not apply to persistent searches.

    ssoadm attribute: sun-idrepo-ldapv3-config-time-limit

    Default: 10

    LDAPv3 Plugin Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB)

    ssoadm attribute: sun-idrepo-ldapv3-config-search-scope

    Default: SCOPE_SUB

    LDAPv3 Repository Plugin Class Name

    AM identity repository implementation.

    ssoadm attribute: sunIdRepoClass

    Default: org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo

    Attribute Name Mapping

    Map of AM profile attribute names to directory server attribute names.

    ssoadm attribute: sunIdRepoAttributeMapping

    Default: userPassword=unicodePwd

    LDAPv3 Plugin Supported Types and Operations

    Specifies the identity types supported by the data store, such as user, group, or realm, and which operations can be performed on them.

    The following table illustrates the identity types supported by this data store, and the operations that can be performed on them:

    Supported Identity Types and Operations
     readcreateeditdeleteservice
    group-
    realm
    user
     Read the identity typeCreate new identities of the given identity typeEdit entities of the given identity typeDelete entities of the given identity typeRead and write service settings associated with the given identity type.

    You can remove permissions based on your data store needs. For example, if the data store should not be written to, you can set the operations to read only for the identity types.

    The service operation is only relevant to the realm and the user identity types. For example, the Session Service configuration can be stored by realm, and a user can have specific session timeout settings.

    ssoadm attribute: sunIdRepoSupportedOperations

    Default:

    group=read,create,edit,delete
    realm=read,create,edit,delete,service
    user=read,create,edit,delete,service
    LDAP Users Search Attribute

    When searching for a user by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-attribute

    Default: cn

    Warning

    Do not modify the value of the search attribute in user profiles. Modifying this attribute value can result in incorrectly cached identity data. For example, if you configure the search attribute to mail, it could prevent users from being able to update their email addresses in their user profiles.

    LDAP Users Search Filter

    When searching for users, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-filter

    Default: (objectclass=person)

    LDAP People Container Naming Attribute

    RDN attribute of the LDAP base DN which contains user profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-name

    Default: cn

    LDAP People Container Value

    RDN attribute value of the LDAP base DN which contains user profiles.

    If specified, AM will limit searches for user profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-value

    Default: users

    LDAP User Object Class

    User profiles have these LDAP object classes.

    AM handles only those attributes listed in this setting. AM discards any such unlisted attributes from requests and the request proceeds without the attribute.

    For example, with default settings, if you request that AM execute a search that asks for the mailAlternateAddress attribute, AM does the search, but does not request mailAlternateAddress. In the same way, AM does perform an update operation with a request to set the value of an unlisted attribute like mailAlternateAddress, but it drops the unlisted attribute from the update request.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-objectclass

    Default: organizationalPerson, person, top, User,

    LDAP User Attributes

    User profiles have these LDAP attributes.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-attributes

    Default: assignedDashboard, cn, createTimestamp, devicePrintProfiles, displayName, distinguishedName, dn, employeeNumber, givenName, iplanet-am-auth-configuration, iplanet-am-session-destroy-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status, iplanet-am-user-account-life, iplanet-am-user-admin-start-dn, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-auth-modules, iplanet-am-user-failure-url, iplanet-am-user-federation-info, iplanet-am-user-federation-info-key, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url, kbaActiveIndex, kbaInfo, mail, modifyTimestamp, name, oath2faEnabled, oathDeviceProfiles, objectGUID, objectclass, postalAddress, preferredLocale, preferredlanguage, preferredtimezone, pushDeviceProfiles, sAMAccountName, sn, sun-fm-saml2-nameid-info, sun-fm-saml2-nameid-infokey, sunAMAuthInvalidAttemptsData, sunIdentityMSISDNNumber, sunIdentityServerDiscoEntries, sunIdentityServerPPAddressCard, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameFN, sunIdentityServerPPCommonNameMN, sunIdentityServerPPCommonNamePT, sunIdentityServerPPCommonNameSN, sunIdentityServerPPDemographicsAge, sunIdentityServerPPDemographicsBirthDay, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPEmergencyContact, sunIdentityServerPPEmploymentIdentityAltO, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEncryPTKey, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPFacadegreetmesound, sunIdentityServerPPInformalName, sunIdentityServerPPLegalIdentityAltIdType, sunIdentityServerPPLegalIdentityAltIdValue, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityVATIdType, sunIdentityServerPPLegalIdentityVATIdValue, sunIdentityServerPPMsgContact, sunIdentityServerPPSignKey, telephoneNumber, unicodePwd, userAccountControl, userPrincipalname, userpassword

    Create User Attribute Mapping

    When creating a user profile, apply this map of AM profile attribute names to directory server attribute names.

    The LDAP user profile entries require the Common Name (cn) and Surname (sn) attributes, so that LDAP constraint violations do not occur when performing an add operation.

    The cn attribute gets its value from the uid attribute, which comes from the User Name field on the AM console's login page. The sn attribute gets the value of the givenName attribute. Attributes not mapped to another attribute and attributes mapped to themselves (for example, cn=cn) take the value of the username unless the attribute values are provided when creating the profile.

    ssoadm attribute: sun-idrepo-ldapv3-config-createuser-attr-mapping

    Default: cn, sn

    Attribute Name of User Status

    Attribute to check/set user status.

    ssoadm attribute: sun-idrepo-ldapv3-config-isactive

    Default: userAccountControl

    User Status Active Value

    Active users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-active

    Default: 544

    User Status Inactive Value

    Inactive users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-inactive

    Default: 546

    Authentication Naming Attribute

    RDN attribute for building the bind DN when given a username and password to authenticate a user against the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-auth-naming-attr

    Default: cn

    LDAP Groups Search Attribute

    When searching for a group by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-attribute

    Default: cn

    LDAP Groups Search Filter

    When searching for groups, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-filter

    Default: (objectclass=group)

    LDAP Groups Container Naming Attribute

    RDN attribute of the LDAP base DN which contains group profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-name

    Default: cn

    LDAP Groups Container Value

    RDN attribute value of the LDAP base DN which contains group profiles.

    If specified, AM will limit searches for group profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-value

    Default: users

    LDAP Groups Object Class

    Group profiles have these LDAP object classes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-objectclass

    Default: Group, top

    LDAP Groups Attributes

    Group profiles have these LDAP attributes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-attributes

    Default: cn, distinguishedName, dn, member, name, objectCategory, objectclass, sAMAccountName, sAMAccountType

    Attribute Name for Group Membership

    LDAP attribute in the member's LDAP entry whose values are the groups to which a member belongs.

    ssoadm attribute: sun-idrepo-ldapv3-config-memberof

    Attribute Name of Unique Member

    Attribute in the group's LDAP entry whose values are the members of the group.

    ssoadm attribute: sun-idrepo-ldapv3-config-uniquemember

    Default: member

    Persistent Search Base DN

    Base DN for LDAP-persistent searches used to receive notification of changes in directory server data.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearchbase

    Default: base-dn

    Persistent Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    Specify either SCOPE_BASE or SCOPE_ONE. Do not specify SCOPE_SUB, as it can have a severe impact on Active Directory performance.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearch-scope

    Default: SCOPE_SUB

    The Delay Time Between Retries

    How long to wait after receiving an error result that indicates AM should try the LDAP operation again.

    ssoadm attribute: com.iplanet.am.ldap.connection.delay.between.retries

    Default: 1000 milliseconds

    DN Cache Enabled

    Whether to enable the DN cache, which is used to cache DN lookups that can happen in bursts during authentication. As the cache can become stale when a user is moved or renamed, enable DN caching when the directory service allows move/rename operations (Mod DN), and when AM uses persistent searches to obtain notification of such updates.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-enabled

    Default: false

    DN Cache Size

    Maximum number of DNs cached when caching is enabled.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-size

    Default: 1500 items

    Load Schema

    Import appropriate LDAP schema to the directory server before saving the configuration. The LDAP Bind DN service account must have access to perform this operation.

    This option is not available for use with the ssoadm command.

    Default: Disabled.

    Use these attributes when configuring Active Directory Application Mode (ADAM) Identity Stores:

    amster service name: IdRepository

    ssoadm service name: sunIdentityRepositoryService

    ID

    The ID of the data store configuration.

    LDAP Server

    host:port to contact the directory server, with optional |server_ID|site_ID for deployments with multiple servers and sites.

    You must add =[n]= before the host:port, where n is an array index, starting with 0, of servers listed. See the example below.

    AM uses the optional settings to determine which directory server to contact first. AM tries to contact directory servers in the following priority order, with highest priority first:

    1. The first directory server in the list whose server_ID matches the current AM server.

    2. The first directory server in the list whose site_ID matches the current AM server.

    3. The first directory server in the remaining list.

    If the directory server is not available, AM proceeds to the next directory server in the list.

    XUI

    Default: host:port of the initial directory server configured for this AM server.

    ssoadm

    ssoadm attribute: sun-idrepo-ldapv3-config-ldap-server

    Default: =[0]=host:port of the initial directory server configured for this AM server.

    You must add =[n]= before the host:port, where n is an array index, starting with 0, of servers listed. See the example below.

    Example:

    sun-idrepo-ldapv3-config-ldap-server=[0]=localhost:51636|01
    sun-idrepo-ldapv3-config-ldap-server=[1]=openam.example.com:52389|02
    sun-idrepo-ldapv3-config-ldap-server=[2]=zzz.example.com:1636|01|02
    sun-idrepo-ldapv3-config-ldap-server=[3]=xxx.example.com:1636|01|02

    LDAP Bind DN

    Bind DN of the service account AM uses to connect to the directory server. Some AM capabilities require write access to directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-authid

    Default: CN=Administrator,CN=Users,base-dn

    LDAP Bind Password

    Bind password for connecting to the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-authpw

    LDAP Organization DN

    The base DN under which to find user and group profiles.

    Ensure that the identity store is setup with the specified DN before making any changes to this property in AM.

    ssoadm attribute: sun-idrepo-ldapv3-config-organization_name

    Default: base-dn

    LDAP Connection Mode

    Whether to use LDAP, LDAPS or StartTLS to connect to the directory server. When LDAPS or StartTLS are enabled, AM must be able to trust server certificates, either because the server certificates were signed by a CA whose certificate is already included in the trust store used by the container where AM runs, or because you imported the certificates into the trust store.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection-mode

    Possible values: LDAP, LDAPS, and StartTLS

    LDAP Connection Pool Maximum Size

    Maximum number of connections to the directory server. Make sure the directory service can cope with the maximum number of client connections across all servers.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection_pool_max_size

    Default: 10

    LDAP Connection Heartbeat Interval

    How often to send a heartbeat request to the directory server to ensure that the connection does not remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0 or to a negative number. To set the units for the interval, use LDAP Connection Heartbeat Time Unit.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-interval

    Default: 10

    LDAP Connection Heartbeat Time Unit

    Time unit for the LDAP Connection Heartbeat Interval setting

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-timeunit

    Default: second

    Maximum Results Returned from Search

    A cap for the number of search results to return, for example, when viewing profiles under Identities. Rather than raise this number, consider narrowing your search to match fewer directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-max-result

    Default: 1000

    Search Timeout

    Maximum time to wait for search results in seconds. Does not apply to persistent searches.

    ssoadm attribute: sun-idrepo-ldapv3-config-time-limit

    Default: 10

    LDAPv3 Plugin Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    ssoadm attribute: sun-idrepo-ldapv3-config-search-scope

    Default: SCOPE_SUB

    LDAPv3 Repository Plugin Class Name

    AM identity repository implementation.

    ssoadm attribute: sunIdRepoClass

    Default: org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo

    Attribute Name Mapping

    Map of AM profile attribute names to directory server attribute names.

    ssoadm attribute: sunIdRepoAttributeMapping

    Default: userPassword=unicodePwd

    LDAPv3 Plugin Supported Types and Operations

    Specifies the identity types supported by the data store, such as user, group, or realm, and which operations can be performed on them.

    The following table illustrates the identity types supported by this data store, and the operations that can be performed on them:

    Supported Identity Types and Operations
     readcreateeditdeleteservice
    group-
    realm
    user
     Read the identity typeCreate new identities of the given identity typeEdit entities of the given identity typeDelete entities of the given identity typeRead and write service settings associated with the given identity type.

    You can remove permissions based on your data store needs. For example, if the data store should not be written to, you can set the operations to read only for the identity types.

    The service operation is only relevant to the realm and the user identity types. For example, the Session Service configuration can be stored by realm, and a user can have specific session timeout settings.

    ssoadm attribute: sunIdRepoSupportedOperations

    Default:

    group=read,create,edit,delete
    realm=read,create,edit,delete,service
    user=read,create,edit,delete,service
    LDAP Users Search Attribute

    When searching for a user by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-attribute

    Default: cn

    Warning

    Do not modify the value of the search attribute in user profiles. Modifying this attribute value can result in incorrectly cached identity data. For example, if you configure the search attribute to mail, it could prevent users from being able to update their email addresses in their user profiles.

    LDAP Users Search Filter

    When searching for users, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-filter

    Default: (objectclass=person)

    LDAP People Container Naming Attribute

    RDN attribute of the LDAP base DN which contains user profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-name

    LDAP People Container Value

    RDN attribute value of the LDAP base DN which contains user profiles.

    If specified, AM will limit searches for user profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-value

    LDAP User Object Class

    User profiles have these LDAP object classes.

    AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.

    For example, with default settings, if you request that AM execute a search that asks for the mailAlternateAddress attribute, AM does the search, but does not request mailAlternateAddress. In the same way, AM does perform an update operation with a request to set the value of an unlisted attribute like mailAlternateAddress, but it drops the unlisted attribute from the update request.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-objectclass

    Default: devicePrintProfilesContainer, forgerock-am-dashboard-service, iPlanetPreferences, iplanet-am-auth-configuration-service, iplanet-am-managed-person, iplanet-am-user-service, kbaInfoContainer, oathDeviceProfilesContainer, organizationalPerson, person, pushDeviceProfilesContainer, sunAMAuthAccountLockout, sunFMSAML2NameIdentifier, sunFederationManagerDataStore, sunIdentityServerLibertyPPService, top, User

    LDAP User Attributes

    User profiles have these LDAP attributes.

    AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-attributes

    Default: assignedDashboard, cn, createTimestamp, devicePrintProfiles, displayName, distinguishedName, dn, employeeNumber, givenName, iplanet-am-auth-configuration, iplanet-am-session-destroy-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status, iplanet-am-user-account-life, iplanet-am-user-admin-start-dn, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-auth-modules, iplanet-am-user-failure-url, iplanet-am-user-federation-info, iplanet-am-user-federation-info-key, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url, kbaActiveIndex, kbaInfo, mail, modifyTimestamp, msDS-UserAccountDisabled, name, oath2faEnabled, oathDeviceProfiles, objectGUID, objectclass, postalAddress, preferredLocale, preferredlanguage, preferredtimezone, pushDeviceProfiles, sn, sun-fm-saml2-nameid-info, sun-fm-saml2-nameid-infokey, sunAMAuthInvalidAttemptsData, sunIdentityMSISDNNumber, sunIdentityServerDiscoEntries, sunIdentityServerPPAddressCard, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameFN, sunIdentityServerPPCommonNameMN, sunIdentityServerPPCommonNamePT, sunIdentityServerPPCommonNameSN, sunIdentityServerPPDemographicsAge, sunIdentityServerPPDemographicsBirthDay, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPEmergencyContact, sunIdentityServerPPEmploymentIdentityAltO, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEncryPTKey, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPFacadegreetmesound, sunIdentityServerPPInformalName, sunIdentityServerPPLegalIdentityAltIdType, sunIdentityServerPPLegalIdentityAltIdValue, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityVATIdType, sunIdentityServerPPLegalIdentityVATIdValue, sunIdentityServerPPMsgContact, sunIdentityServerPPSignKey, telephoneNumber, unicodePwd, userPrincipalname, userpassword

    Create User Attribute Mapping

    When creating a user profile, apply this map of AM profile attribute names to directory server attribute names.

    Attributes not mapped to another attribute (for example, cn) and attributes mapped to themselves, (for example, cn=cn) take the value of the username unless the attribute values are provided when creating the profile. The object classes for user profile LDAP entries generally require Common Name (cn) and Surname (sn) attributes, so this prevents an LDAP constraint violation when performing the add operation.

    ssoadm attribute: sun-idrepo-ldapv3-config-createuser-attr-mapping

    Default: cn, sn

    Attribute Name of User Status

    Attribute to check/set user status.

    ssoadm attribute: sun-idrepo-ldapv3-config-isactive

    Default: msDS-UserAccountDisabled

    User Status Active Value

    Active users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-active

    Default: FALSE

    User Status Inactive Value

    Inactive users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-inactive

    Default: TRUE

    Authentication Naming Attribute

    RDN attribute for building the bind DN when given a username and password to authenticate a user against the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-auth-naming-attr

    Default: cn

    LDAP Groups Search Attribute

    When searching for a group by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-attribute

    Default: cn

    LDAP Groups Search Filter

    When searching for groups, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-filter

    Default: (objectclass=group)

    LDAP Groups Container Naming Attribute

    RDN attribute of the LDAP base DN which contains group profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-name

    Default: cn

    LDAP Groups Container Value

    RDN attribute value of the LDAP base DN which contains group profiles.

    If specified, AM will limit searches for group profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-value

    LDAP Groups Object Class

    Group profiles have these LDAP object classes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-objectclass

    Default: Group, top

    LDAP Groups Attributes

    Group profiles have these LDAP attributes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-attributes

    Default: cn, distinguishedName, dn, member, name, objectCategory, objectclass, sAMAccountName, sAMAccountType

    Attribute Name for Group Membership

    LDAP attribute in the member's LDAP entry whose values are the groups to which a member belongs.

    ssoadm attribute: sun-idrepo-ldapv3-config-memberof

    Attribute Name of Unique Member

    Attribute in the group's LDAP entry whose values are the members of the group.

    ssoadm attribute: sun-idrepo-ldapv3-config-uniquemember

    Default: member

    Persistent Search Base DN

    Base DN for LDAP-persistent searches used to receive notification of changes in directory server data.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearchbase

    Default: base-dn

    Persistent Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    Specify either SCOPE_BASE or SCOPE_ONE. Do not specify SCOPE_SUB, as it can have a severe impact on Active Directory performance.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearch-scope

    Default: SCOPE_SUB

    The Delay Time Between Retries

    How long to wait after receiving an error result that indicates AM should try the LDAP operation again.

    ssoadm attribute: com.iplanet.am.ldap.connection.delay.between.retries

    Default: 1000 milliseconds

    DN Cache Enabled

    Whether to enable the DN cache, which is used to cache DN lookups that can happen in bursts during authentication. As the cache can become stale when a user is moved or renamed, enable DN caching when the directory service allows move/rename operations (Mod DN), and when AM uses persistent searches to obtain notification of such updates.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-enabled

    Default: false

    DN Cache Size

    Maximum number of DNs cached when caching is enabled.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-size

    Default: 1500 items

    Load Schema

    Import appropriate LDAP schema to the directory server before saving the configuration. The LDAP Bind DN service account must have access to perform this operation.

    This option is not available for use with the ssoadm command.

    Default: Disabled.

    Use these attributes when configuring data stores for Oracle DSEE or Sun DSEE using AM schema:

    amster service name: IdRepository

    ssoadm service name: sunIdentityRepositoryService

    ID

    The ID of the data store configuration.

    LDAP Server

    host:port to contact the directory server, with optional |server_ID|site_ID for deployments with multiple servers and sites.

    You must add =[n]= before the host:port, where n is an array index, starting with 0, of servers listed. See the example below.

    AM uses the optional settings to determine which directory server to contact first. AM tries to contact directory servers in the following priority order, with highest priority first:

    1. The first directory server in the list whose server_ID matches the current AM server.

    2. The first directory server in the list whose site_ID matches the current AM server.

    3. The first directory server in the remaining list.

    If the directory server is not available, AM proceeds to the next directory server in the list.

    XUI

    Default: host:port of the initial directory server configured for this AM server.

    ssoadm

    ssoadm attribute: sun-idrepo-ldapv3-config-ldap-server

    Default: =[0]=host:port of the initial directory server configured for this AM server.

    You must add =[n]= before the host:port, where n is an array index, starting with 0, of servers listed. See the example below.

    Example:

    sun-idrepo-ldapv3-config-ldap-server=[0]=localhost:51636|01
    sun-idrepo-ldapv3-config-ldap-server=[1]=openam.example.com:52389|02
    sun-idrepo-ldapv3-config-ldap-server=[2]=zzz.example.com:1636|01|02
    sun-idrepo-ldapv3-config-ldap-server=[3]=xxx.example.com:1636|01|02

    LDAP Bind DN

    Bind DN of the service account AM uses to connect to the directory server. Some AM capabilities require write access to directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-authid

    Default: cn=dsameuser,ou=DSAME Users,base-dn

    LDAP Bind Password

    Bind password for connecting to the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-authpw

    LDAP Organization DN

    The base DN under which to find user and group profiles.

    Ensure that the identity store is setup with the specified DN before making any changes to this property in AM.

    ssoadm attribute: sun-idrepo-ldapv3-config-organization_name

    Default: base-dn

    LDAP Connection Mode

    Whether to use LDAP, LDAPS or StartTLS to connect to the directory server. When LDAPS or StartTLS are enabled, AM must be able to trust server certificates, either because the server certificates were signed by a CA whose certificate is already included in the trust store used by the container where AM runs, or because you imported the certificates into the trust store.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection-mode

    Possible values: LDAP, LDAPS, and StartTLS

    LDAP Connection Pool Maximum Size

    Maximum number of connections to the directory server. Make sure the directory service can cope with the maximum number of client connections across all servers.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection_pool_max_size

    Default: 10

    LDAP Connection Heartbeat Interval

    How often to send a heartbeat request to the directory server to ensure that the connection does not remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0 or to a negative number. To set the units for the interval, use LDAP Connection Heartbeat Time Unit.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-interval

    Default: 10

    LDAP Connection Heartbeat Time Unit

    Time unit for the LDAP Connection Heartbeat Interval setting.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-timeunit

    Default: second

    Maximum Results Returned from Search

    A cap for the number of search results to return, for example, when viewing profiles under Identities. Rather than raise this number, consider narrowing your search to match fewer directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-max-result

    Default: 1000

    Search Timeout

    Maximum time to wait for search results in seconds. Does not apply to persistent searches.

    ssoadm attribute: sun-idrepo-ldapv3-config-time-limit

    Default: 10

    LDAPv3 Plugin Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    ssoadm attribute: sun-idrepo-ldapv3-config-search-scope

    Default: SCOPE_SUB

    LDAPv3 Repository Plugin Class Name

    AM identity repository implementation.

    ssoadm attribute: sunIdRepoClass

    Default: org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo

    Attribute Name Mapping

    Map of AM profile attribute names to directory server attribute names.

    ssoadm attribute: sunIdRepoAttributeMapping

    LDAPv3 Plugin Supported Types and Operations

    Specifies the identity types supported by the data store, such as user, group, or realm, and which operations can be performed on them.

    The following table illustrates the identity types supported by this data store, and the operations that can be performed on them:

    Supported Identity Types and Operations
     readcreateeditdeleteservice
    group-
    realm
    user
    role-
    filteredrole-
     Read the identity typeCreate new identities of the given identity typeEdit entities of the given identity typeDelete entities of the given identity typeRead and write service settings associated with the given identity type.

    You can remove permissions based on your data store needs. For example, if the data store should not be written to, you can set the operations to read only for the identity types.

    The service operation is only relevant to the realm and the user identity types. For example, the Session Service configuration can be stored by realm, and a user can have specific session timeout settings.

    ssoadm attribute: sunIdRepoSupportedOperations

    Default:

    filteredrole=read,create,edit,delete
    group=read,create,edit,delete
    realm=read,create,edit,delete,service
    role=read,create,edit,delete
    user=read,create,edit,delete,service
    LDAP Users Search Attribute

    When searching for a user by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-attribute

    Default: uid

    Warning

    Do not modify the value of the search attribute in user profiles. Modifying this attribute value can result in incorrectly cached identity data.

    LDAP Users Search Filter

    When searching for users, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-filter

    Default: (objectclass=inetorgperson)

    LDAP People Container Naming Attribute

    RDN attribute of the LDAP base DN which contains user profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-name

    Default: ou

    LDAP People Container Value

    RDN attribute value of the LDAP base DN which contains user profiles.

    If specified, AM will limit searches for user profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-value

    Default: people

    LDAP User Object Class

    User profiles have these LDAP object classes.

    AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.

    For example, with default settings, if you request that AM execute a search that asks for the mailAlternateAddress attribute, AM does the search, but does not request mailAlternateAddress. In the same way, AM does perform an update operation with a request to set the value of an unlisted attribute like mailAlternateAddress, but it drops the unlisted attribute from the update request.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-objectclass

    Default: devicePrintProfilesContainer, forgerock-am-dashboard-service, iPlanetPreferences, inetadmin, inetorgperson, inetuser, iplanet-am-auth-configuration-service, iplanet-am-managed-person, iplanet-am-user-service, kbaInfoContainer, oathDeviceProfilesContainer, organizationalperson, person, pushDeviceProfilesContainer, sunAMAuthAccountLockout, sunFMSAML2NameIdentifier, sunFederationManagerDataStore, sunIdentityServerLibertyPPService, top

    LDAP User Attributes

    User profiles have these LDAP attributes.

    AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-attributes

    Default: assignedDashboard, authorityRevocationList, caCertificate, cn, createTimestamp, devicePrintProfiles, distinguishedName, adminRole, dn, employeeNumber, givenName, inetUserHttpURL, inetUserStatus, iplanet-am-auth-configuration, iplanet-am-session-destroy-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status, iplanet-am-static-group-dn, iplanet-am-user-account-life, iplanet-am-user-admin-start-dn, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-auth-modules, iplanet-am-user-failure-url, iplanet-am-user-federation-info, iplanet-am-user-federation-info-key, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url, kbaActiveIndex, kbaInfo, mail, manager, memberOf, modifyTimestamp, oath2faEnabled, oathDeviceProfiles, objectClass, postalAddress, preferredLocale, preferredlanguage, preferredtimezone, pushDeviceProfiles, sn, sun-fm-saml2-nameid-info, sun-fm-saml2-nameid-infokey, sunAMAuthInvalidAttemptsData, sunIdentityMSISDNNumber, sunIdentityServerDiscoEntries, sunIdentityServerPPAddressCard, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameFN, sunIdentityServerPPCommonNameMN, sunIdentityServerPPCommonNamePT, sunIdentityServerPPCommonNameSN, sunIdentityServerPPDemographicsAge, sunIdentityServerPPDemographicsBirthDay, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPEmergencyContact, sunIdentityServerPPEmploymentIdentityAltO, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEncryPTKey, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPFacadegreetmesound, sunIdentityServerPPInformalName, sunIdentityServerPPLegalIdentityAltIdType, sunIdentityServerPPLegalIdentityAltIdValue, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityVATIdType, sunIdentityServerPPLegalIdentityVATIdValue, sunIdentityServerPPMsgContact, sunIdentityServerPPSignKey, telephoneNumber, uid, userCertificate, userPassword

    Create User Attribute Mapping

    When creating a user profile, apply this map of AM profile attribute names to directory server attribute names.

    Attributes not mapped to another attribute (for example, cn) and attributes mapped to themselves (for example, cn=cn) take the value of the username unless the attribute values are provided when creating the profile. The object classes for user profile LDAP entries generally require Common Name (cn) and Surname (sn) attributes, so this prevents an LDAP constraint violation when performing the add operation.

    ssoadm attribute: sun-idrepo-ldapv3-config-createuser-attr-mapping

    Default: cn, sn

    Attribute Name of User Status

    Attribute to check/set user status.

    ssoadm attribute: sun-idrepo-ldapv3-config-isactive

    Default: inetuserstatus

    User Status Active Value

    Active users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-active

    Default: Active

    User Status Inactive Value

    Inactive users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-inactive

    Default: Inactive

    Authentication Naming Attribute

    RDN attribute for building the bind DN when given a username and password to authenticate a user against the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-auth-naming-attr

    Default: uid

    LDAP Groups Search Attribute

    When searching for a group by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-attribute

    Default: cn

    LDAP Groups Search Filter

    When searching for groups, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-filter

    Default: (objectclass=groupOfUniqueNames)

    LDAP Groups Container Naming Attribute

    RDN attribute of the LDAP base DN which contains group profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-name

    Default: ou

    LDAP Groups Container Value

    RDN attribute value of the LDAP base DN which contains group profiles.

    If specified, AM will limit searches for group profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-value

    Default: groups

    LDAP Groups Object Class

    Group profiles have these LDAP object classes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-objectclass

    Default: groupofuniquenames, iplanet-am-managed-group, iplanet-am-managed-static-group, groupofurls, top

    LDAP Groups Attributes

    Group profiles have these LDAP attributes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-attributes

    Default: cn, iplanet-am-group-subscribable, dn, objectclass, uniqueMember

    Attribute Name for Group Membership

    LDAP attribute in the member's LDAP entry whose values are the groups to which a member belongs.

    ssoadm attribute: sun-idrepo-ldapv3-config-memberof

    Attribute Name of Unique Member

    Attribute in the group's LDAP entry whose values are the members of the group.

    ssoadm attribute: sun-idrepo-ldapv3-config-uniquemember

    Default: uniqueMember

    Attribute Name of Group Member URL

    Attribute in the dynamic group's LDAP entry whose values are LDAP URLs specifying members of the group.

    ssoadm attribute: sun-idrepo-ldapv3-config-memberurl

    Default: memberUrl

    LDAP Roles Search Attribute

    When searching for a role by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-roles-search-attribute

    Default: cn

    LDAP Roles Search Filter

    When searching for roles, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-roles-search-filter

    Default: (&(objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition))

    LDAP Roles Object Class

    Role profiles have these LDAP object classes.

    ssoadm attribute: sun-idrepo-ldapv3-config-role-objectclass

    Default: ldapsubentry, nsmanagedroledefinition, nsroledefinition, nssimpleroledefinition, top

    LDAP Filter Roles Search Attribute

    When searching for a filtered role by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-filterroles-search-attribute

    Default: cn

    LDAP Filter Roles Search Filter

    When searching for filtered roles, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-filterroles-search-filter

    Default: (&(objectclass=ldapsubentry)(objectclass=nsfilteredroledefinition))

    LDAP Filter Roles Object Class

    Filtered role profiles have these LDAP object classes.

    ssoadm attribute: sun-idrepo-ldapv3-config-filterrole-objectclass

    Default: ldapsubentry, nscomplexroledefinition, nsfilteredroledefinition, nsroledefinition

    LDAP Filter Roles Attributes

    Filtered role profiles have these LDAP attributes.

    ssoadm attribute: sun-idrepo-ldapv3-config-filterrole-attributes

    Default: nsRoleFilter

    Attribute Name for Filtered Role Membership

    LDAP attribute in the member's LDAP entry whose values are the filtered roles to which a member belongs.

    ssoadm attribute: sun-idrepo-ldapv3-config-nsrole

    Default: nsrole

    Attribute Name of Role Membership

    LDAP attribute in the member's LDAP entry whose values are the roles to which a member belongs.

    ssoadm attribute: sun-idrepo-ldapv3-config-nsroledn

    Default: nsRoleDN

    Attribute Name of Filtered Role Filter

    LDAP attribute whose values are the filters for filtered roles.

    ssoadm attribute: sun-idrepo-ldapv3-config-nsrolefilter

    Default: nsRoleFilter

    Persistent Search Base DN

    Base DN for LDAP-persistent searches used to receive notification of changes in directory server data.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearchbase

    Default: base-dn

    Persistent Search Filter

    LDAP filter to apply when performing persistent searches.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearch-filter

    Default: (objectclass=*)

    Persistent Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    ssoadm attribute: sun-idrepo-ldapv3-config-psearch-scope

    Default: SCOPE_SUB

    The Delay Time Between Retries

    How long to wait after receiving an error result that indicates AM should try the LDAP operation again.

    ssoadm attribute: com.iplanet.am.ldap.connection.delay.between.retries

    Default: 1000 milliseconds

    DN Cache Enabled

    Whether to enable the DN cache, which is used to cache DN lookups that can happen in bursts during authentication. As the cache can become stale when a user is moved or renamed, enable DN caching when the directory service allows move/rename operations (Mod DN), and when AM uses persistent searches to obtain notification of such updates.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-enabled

    Default: true

    DN Cache Size

    Maximum number of DNs cached when caching is enabled.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-size

    Default: 1500 items

    Load Schema

    Import appropriate LDAP schema to the directory server before saving the configuration. The LDAP Bind DN service account must have access to perform this operation.

    This option is not available for use with the ssoadm command.

    Default: Disabled.

    Use these attributes when configuring Generic LDAPv3 compliant data stores:

    amster service name: IdRepository

    ssoadm service name: sunIdentityRepositoryService

    ID

    The ID of the data store configuration.

    LDAP Server

    host:port to contact the directory server, with optional |server_ID|site_ID for deployments with multiple servers and sites.

    You must add =[n]= before the host:port, where n is an array index, starting with 0, of servers listed. See the example below.

    AM uses the optional settings to determine which directory server to contact first. AM tries to contact directory servers in the following priority order, with highest priority first:

    1. The first directory server in the list whose server_ID matches the current AM server.

    2. The first directory server in the list whose site_ID matches the current AM server.

    3. The first directory server in the remaining list.

    If the directory server is not available, AM proceeds to the next directory server in the list.

    XUI

    Default: host:port of the initial directory server configured for this AM server.

    ssoadm

    ssoadm attribute: sun-idrepo-ldapv3-config-ldap-server

    Default: =[0]=host:port of the initial directory server configured for this AM server.

    You must add =[n]= before the host:port, where n is an array index, starting with 0, of servers listed. See the example below.

    Example:

    sun-idrepo-ldapv3-config-ldap-server=[0]=localhost:51636|01
    sun-idrepo-ldapv3-config-ldap-server=[1]=openam.example.com:52389|02
    sun-idrepo-ldapv3-config-ldap-server=[2]=zzz.example.com:1636|01|02
    sun-idrepo-ldapv3-config-ldap-server=[3]=xxx.example.com:1636|01|02

    LDAP Bind DN

    Bind DN of the service account AM uses to connect to the directory server. Some AM capabilities require write access to directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-authid

    LDAP Bind Password

    Bind password for connecting to the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-authpw

    LDAP Organization DN

    The base DN under which to find user and group profiles.

    Ensure that the identity store is setup with the specified DN before making any changes to this property in AM.

    ssoadm attribute: sun-idrepo-ldapv3-config-organization_name

    Default: base-dn

    LDAP Connection Mode

    Whether to use LDAP, LDAPS or StartTLS to connect to the directory server. When LDAPS or StartTLS are enabled, AM must be able to trust server certificates, either because the server certificates were signed by a CA whose certificate is already included in the trust store used by the container where AM runs, or because you imported the certificates into the trust store.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection-mode

    Possible values: LDAP, LDAPS, and StartTLS

    LDAP Connection Pool Maximum Size

    Maximum number of connections to the directory server. Make sure the directory service can cope with the maximum number of client connections across all servers.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection_pool_max_size

    Default: 10

    LDAP Connection Heartbeat Interval

    How often to send a heartbeat request to the directory server to ensure that the connection does not remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0 or to a negative number. To set the units for the interval, use LDAP Connection Heartbeat Time Unit.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-interval

    Default: 10

    LDAP Connection Heartbeat Time Unit

    Time unit for the LDAP Connection Heartbeat Interval setting.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-timeunit

    Default: second

    Maximum Results Returned from Search

    A cap for the number of search results to return, for example, when viewing profiles under Identities. Rather than raise this number, consider narrowing your search to match fewer directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-max-result

    Default: 1000

    Search Timeout

    Maximum time to wait for search results in seconds. Does not apply to persistent searches.

    ssoadm attribute: sun-idrepo-ldapv3-config-time-limit

    Default: 10

    LDAPv3 Plugin Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    ssoadm attribute: sun-idrepo-ldapv3-config-search-scope

    Default: SCOPE_SUB

    LDAPv3 Repository Plugin Class Name

    AM identity repository implementation.

    ssoadm attribute: sunIdRepoClass

    Default: org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo

    Attribute Name Mapping

    Map of AM profile attribute names to directory server attribute names.

    ssoadm attribute: sunIdRepoAttributeMapping

    LDAPv3 Plugin Supported Types and Operations

    Specifies the identity types supported by the data store, such as user, group, or realm, and which operations can be performed on them.

    The following table illustrates the identity types supported by this data store, and the operations that can be performed on them:

    Supported Identity Types and Operations
     readcreateeditdeleteservice
    group-
    realm
    user
     Read the identity typeCreate new identities of the given identity typeEdit entities of the given identity typeDelete entities of the given identity typeRead and write service settings associated with the given identity type.

    You can remove permissions based on your data store needs. For example, if the data store should not be written to, you can set the operations to read only for the identity types.

    The service operation is only relevant to the realm and the user identity types. For example, the Session Service configuration can be stored by realm, and a user can have specific session timeout settings.

    ssoadm attribute: sunIdRepoSupportedOperations

    Default:

    group=read,create,edit,delete
    realm=read,create,edit,delete,service
    user=read,create,edit,delete,service
    LDAP Users Search Attribute

    When searching for a user by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-attribute

    Default: uid

    Warning

    Do not modify the value of the search attribute in user profiles. Modifying this attribute value can result in incorrectly cached identity data. For example, if you configure the search attribute to mail, it could prevent users from being able to update their email addresses in their user profiles.

    LDAP Users Search Filter

    When searching for users, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-filter

    Default: (objectclass=inetorgperson)

    LDAP People Container Naming Attribute

    RDN attribute of the LDAP base DN which contains user profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-name

    LDAP People Container Value

    RDN attribute value of the LDAP base DN which contains user profiles.

    If specified, AM will limit searches for user profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-value

    LDAP User Object Class

    User profiles have these LDAP object classes.

    AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.

    For example, with default settings, if you request that AM execute a search that asks for the mailAlternateAddress attribute, AM does the search, but does not request mailAlternateAddress. In the same way, AM does perform an update operation with a request to set the value of an unlisted attribute like mailAlternateAddress, but it drops the unlisted attribute from the update request.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-objectclass

    Default: inetorgperson, inetUser, organizationalPerson, person, top,

    LDAP User Attributes

    User profiles have these LDAP attributes.

    AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-attributes

    Default: uid, caCertificate, authorityRevocationList, inetUserStatus, mail, sn, manager, userPassword, adminRole, objectClass, givenName, memberOf, cn, telephoneNumber, preferredlanguage, userCertificate, postalAddress, dn, employeeNumber, distinguishedName

    Create User Attribute Mapping

    When creating a user profile, apply this map of AM profile attribute names to directory server attribute names.

    Attributes not mapped to another attribute (for example, cn) and attributes mapped to themselves (for example, cn=cn) take the value of the username unless the attribute values are provided when creating the profile. The object classes for user profile LDAP entries generally require Common Name (cn) and Surname (sn) attributes, so this prevents an LDAP constraint violation when performing the add operation.

    ssoadm attribute: sun-idrepo-ldapv3-config-createuser-attr-mapping

    Default: cn, sn

    Attribute Name of User Status

    Attribute to check/set user status.

    ssoadm attribute: sun-idrepo-ldapv3-config-isactive

    Default: inetuserstatus

    User Status Active Value

    Active users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-active

    Default: Active

    User Status Inactive Value

    Inactive users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-inactive

    Default: Inactive

    Authentication Naming Attribute

    RDN attribute for building the bind DN when given a username and password to authenticate a user against the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-auth-naming-attr

    Default: uid

    LDAP Groups Search Attribute

    When searching for a group by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-attribute

    Default: cn

    LDAP Groups Search Filter

    When searching for groups, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-filter

    Default: (objectclass=groupOfUniqueNames)

    LDAP Groups Container Naming Attribute

    RDN attribute of the LDAP base DN which contains group profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-name

    Default: ou

    LDAP Groups Container Value

    RDN attribute value of the LDAP base DN which contains group profiles.

    If specified, AM will limit searches for group profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-value

    Default: groups

    LDAP Groups Object Class

    Group profiles have these LDAP object classes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-objectclass

    Default: groupofuniquenames, top

    LDAP Groups Attributes

    Group profiles have these LDAP attributes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-attributes

    Default: ou, cn, description, dn, objectclass, uniqueMember

    Attribute Name for Group Membership

    LDAP attribute in the member's LDAP entry whose values are the groups to which a member belongs.

    ssoadm attribute: sun-idrepo-ldapv3-config-memberof

    Attribute Name of Unique Member

    Attribute in the group's LDAP entry whose values are the members of the group.

    ssoadm attribute: sun-idrepo-ldapv3-config-uniquemember

    Default: uniqueMember

    Attribute Name of Group Member URL

    Attribute in the dynamic group's LDAP entry whose value is a URL specifying the members of the group.

    ssoadm attribute: sun-idrepo-ldapv3-config-memberurl

    Default: memberUrl

    Default Group Member's User DN

    DN of member added to all newly created groups.

    ssoadm attribute: sun-idrepo-ldapv3-config-dftgroupmember

    Persistent Search Base DN

    Base DN for LDAP-persistent searches used to receive notification of changes in directory server data.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearchbase

    Default: base-dn

    Persistent Search Filter

    LDAP filter to apply when performing persistent searches.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearch-filter

    Default: (objectclass=*)

    Persistent Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    ssoadm attribute: sun-idrepo-ldapv3-config-psearch-scope

    Default: SCOPE_SUB

    The Delay Time Between Retries

    How long to wait after receiving an error result that indicates AM should try the LDAP operation again.

    ssoadm attribute: com.iplanet.am.ldap.connection.delay.between.retries

    Default: 1000 milliseconds

    DN Cache Enabled

    Whether to enable the DN cache, which is used to cache DN lookups that can happen in bursts during authentication. As the cache can become stale when a user is moved or renamed, enable DN caching when the directory service allows move/rename operations (Mod DN), and when AM uses persistent searches to obtain notification of such updates.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-enabled

    Default: false

    DN Cache Size

    Maximum number of DNs cached when caching is enabled.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-size

    Default: 1500 items

    Load Schema

    Import appropriate LDAP schema to the directory server before saving the configuration. The LDAP Bind DN service account must have access to perform this operation.

    This option is not available for use with the ssoadm command.

    Default: Disabled.

    Use these attributes when configuring DS data stores:

    amster service name: IdRepository

    ssoadm service name: sunIdentityRepositoryService

    The following property appears on every tab:

    Load Schema

    Import appropriate LDAP schema to the directory server when saving the configuration. The LDAP Bind DN service account must have access to perform this operation.

    For more information, see "Preparing Identity Repositories".

    Server Settings

    The following properties appear on the Server Settings tab:

    LDAP Server

    host:port to contact the directory server, with optional |server_ID|site_ID for deployments with multiple servers and sites.

    AM uses the optional settings to determine which directory server to contact first. AM tries to contact directory servers in the following priority order, with highest priority first:

    1. The first directory server in the list whose server_ID matches the current AM server.

    2. The first directory server in the list whose site_ID matches the current AM server.

    3. The first directory server in the remaining list.

    If the directory server is not available, AM proceeds to the next directory server in the list.

    XUI

    Default: host:port of the initial directory server configured for this AM server.

    ssoadm

    ssoadm attribute: sun-idrepo-ldapv3-config-ldap-server

    Default: =[0]=host:port of the initial directory server configured for this AM server.

    You must add =[n]= before the host:port, where n is an array index, starting with 0, of servers listed. See the example below.

    Example:

    sun-idrepo-ldapv3-config-ldap-server=[0]=localhost:51636|01
    sun-idrepo-ldapv3-config-ldap-server=[1]=openam.example.com:52389|02
    sun-idrepo-ldapv3-config-ldap-server=[2]=zzz.example.com:1636|01|02
    sun-idrepo-ldapv3-config-ldap-server=[3]=xxx.example.com:1636|01|02

    LDAP Bind DN

    Bind DN of the service account AM uses to connect to the directory server. Some AM capabilities require write access to directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-authid

    LDAP Bind Password

    Bind password for connecting to the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-authpw

    Proxied Authorization using Bind DN

    When the force-change-on-reset password policy is configured on the DS user data store, users resetting their passwords using AM's forgotten password feature may be required to reset their passwords twice (prompted by both AM's User Self-Service and DS's password policy).

    When the Proxied Authorization using Bind DN property is enabled, AM leverages DS's proxied authorization to reset user passwords acting as themselves rather than as the service account configured in the LDAP Bind DN property. This way, DS does not require users to reset their passwords again.

    Before enabling this setting, ensure that the service account configured in the LDAP Bind DN property has the proxied-auth privilege granted. If the service account does not have the required privilege, users would not be able to reset their passwords and AM and DS will log an error message.

    For examples of setting the privileges required for the password reset feature, see "Installing and Configuring Directory Services for Identity Data".

    Enable this property only if:

    • The force-change-on-reset password policy is configured in the DS user data store.

    • The forgotten password user self-service feature is configured in AM.

    • Users are being forced to reset their passwords twice.

    ssoadm attribute: openam-idrepo-ldapv3-proxied-auth-enabled

    Default: Disabled

    Fallback using Bind DN if Proxied Authorization denied

    Enable this setting to fallback and retry using non-proxied authorization (without the Directory Services proxied-auth privilege) when proxied authorization is denied.

    Enabling this property causes AM to attempt to make LDAP changes as the LDAP Bind DN service account if proxied auth was unsuccessful; for example, if the user account attempting the changes originally is locked or the password has expired.

    This setting is effective only when Proxied Authorization using Bind DN property is also enabled.

    ssoadm attribute: openam-idrepo-ldapv3-proxied-auth-denied-fallback

    Default: Disabled

    LDAP Organization DN

    The base DN under which to find user and group profiles.

    Ensure that the identity store is setup with the specified DN before making any changes to this property in AM.

    ssoadm attribute: sun-idrepo-ldapv3-config-organization_name

    Default: base-dn

    LDAP Connection Mode

    Whether to use LDAP, LDAPS or StartTLS to connect to the directory server. When LDAPS or StartTLS are enabled, AM must be able to trust server certificates, either because the server certificates were signed by a CA whose certificate is already included in the trust store used by the container where AM runs, or because you imported the certificates into the trust store.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection-mode

    Possible values: LDAP, LDAPS, and StartTLS

    LDAP Connection Pool Minimum Size

    Minimum number of connections to the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection_pool_min_size

    Default: 1

    LDAP Connection Pool Maximum Size

    Maximum number of connections to the directory server. Make sure the directory service can cope with the maximum number of client connections across all servers.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection_pool_max_size

    Default: 10

    LDAP Connection Heartbeat Interval

    How often to send a heartbeat request to the directory server to ensure that the connection does not remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0 or to a negative number. To set the units for the interval, use LDAP Connection Heartbeat Time Unit.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-interval

    Default: 10

    LDAP Connection Heartbeat Time Unit

    Time unit for the LDAP Connection Heartbeat Interval setting.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-timeunit

    Default: second

    Maximum Results Returned from Search

    A cap for the number of search results to return, for example, when viewing profiles under Identities. Rather than raise this number, consider narrowing your search to match fewer directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-max-result

    Default: 1000

    Search Timeout

    Maximum time to wait for search results in seconds. Does not apply to persistent searches.

    ssoadm attribute: sun-idrepo-ldapv3-config-time-limit

    Default: 10

    LDAPv3 Plugin Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    ssoadm attribute: sun-idrepo-ldapv3-config-search-scope

    Default: SCOPE_SUB

    Behera Support Enabled

    Enable this property to use Behera draft control in outgoing requests for operations that may modify password values.

    Behera draft control allows AM to display password policy related error messages when password policies are not met.

    ssoadm attribute: openam-idrepo-ldapv3-behera-support-enabled

    Default: Enabled

    Affinity Enabled

    Enables affinity-based load balanced access to the identity stores. Specify each of the directory server instances that form the affinity deployment in the LDAP Server field.

    The directory server instance used for each operation is based on the DN of the identity involved.

    Important

    When enabled, you must use an identical LDAP Server value in every AM instance in the deployment.

    ssoadm attribute: openam-idrepo-ldapv3-affinity-enabled

    Default: Disabled

    Plug-in Configuration

    The following properties appear on the Plug-in Configuration tab:

    LDAPv3 Repository Plugin Class Name

    AM identity repository implementation.

    ssoadm attribute: sunIdRepoClass

    Default: org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo

    Attribute Name Mapping

    Map of AM profile attribute names to directory server attribute names.

    ssoadm attribute: sunIdRepoAttributeMapping

    LDAPv3 Plugin Supported Types and Operations

    Specifies the identity types supported by the data store, such as user, group, or realm, and which operations can be performed on them.

    The following table illustrates the identity types supported by this data store, and the operations that can be performed on them:

    Supported Identity Types and Operations
     readcreateeditdeleteservice
    group-
    realm
    user
     Read the identity typeCreate new identities of the given identity typeEdit entities of the given identity typeDelete entities of the given identity typeRead and write service settings associated with the given identity type.

    You can remove permissions based on your data store needs. For example, if the data store should not be written to, you can set the operations to read only for the identity types.

    The service operation is only relevant to the realm and the user identity types. For example, the Session Service configuration can be stored by realm, and a user can have specific session timeout settings.

    ssoadm attribute: sunIdRepoSupportedOperations

    Default:

    group=read,create,edit,delete
    realm=read,create,edit,delete,service
    user=read,create,edit,delete,service
    User Configuration

    The following properties appear on the User Configuration tab:

    LDAP Users Search Attribute

    When searching for a user by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-attribute

    Default: uid

    Warning

    Do not modify the value of the search attribute in user profiles. Modifying this attribute value can result in incorrectly cached identity data. For example, if you configure the search attribute to mail, it could prevent users from being able to update their email addresses in their user profiles.

    LDAP Users Search Filter

    When searching for users, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-filter

    Default: (objectclass=inetorgperson)

    LDAP User Object Class

    User profiles have these LDAP object classes.

    AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.

    For example, with default settings, if you request that AM execute a search that asks for the mailAlternateAddress attribute, AM does the search, but does not request mailAlternateAddress. In the same way, AM does perform an update operation with a request to set the value of an unlisted attribute like mailAlternateAddress, but it drops the unlisted attribute from the update request.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-objectclass

    Default: devicePrintProfilesContainer, forgerock-am-dashboard-service, iPlanetPreferences, inetorgperson, inetuser, iplanet-am-auth-configuration-service, iplanet-am-managed-person, iplanet-am-user-service, kbaInfoContainer, oathDeviceProfilesContainer, organizationalperson, person, pushDeviceProfilesContainer, sunAMAuthAccountLockout, sunFMSAML2NameIdentifier, sunFederationManagerDataStore, sunIdentityServerLibertyPPService, top

    LDAP User Attributes

    User profiles have these LDAP attributes.

    AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-attributes

    Default: adminRole, assignedDashboard, authorityRevocationList, caCertificate, cn, createTimestamp, devicePrintProfiles, distinguishedName, dn, employeeNumber, givenName, inetUserHttpURL, inetUserStatus, iplanet-am-auth-configuration, iplanet-am-session-destroy-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status, iplanet-am-user-account-life, iplanet-am-user-admin-start-dn, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-auth-modules, iplanet-am-user-failure-url, iplanet-am-user-federation-info, iplanet-am-user-federation-info-key, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url, kbaActiveIndex, kbaInfo, mail, manager, memberOf, modifyTimestamp, oath2faEnabled, oathDeviceProfiles, objectClass, postalAddress, preferredLocale, preferredlanguage, preferredtimezone, pushDeviceProfiles, sn, sun-fm-saml2-nameid-info, sun-fm-saml2-nameid-infokey, sunAMAuthInvalidAttemptsData, sunIdentityMSISDNNumber, sunIdentityServerDiscoEntries, sunIdentityServerPPAddressCard, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameFN, sunIdentityServerPPCommonNameMN, sunIdentityServerPPCommonNamePT, sunIdentityServerPPCommonNameSN, sunIdentityServerPPDemographicsAge, sunIdentityServerPPDemographicsBirthDay, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPEmergencyContact, sunIdentityServerPPEmploymentIdentityAltO, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEncryPTKey, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPFacadegreetmesound, sunIdentityServerPPInformalName, sunIdentityServerPPLegalIdentityAltIdType, sunIdentityServerPPLegalIdentityAltIdValue, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityVATIdType, sunIdentityServerPPLegalIdentityVATIdValue, sunIdentityServerPPMsgContact, sunIdentityServerPPSignKey, telephoneNumber, uid, userCertificate, userPassword

    Create User Attribute Mapping

    When creating a user profile, apply this map of AM profile attribute names to directory server attribute names.

    Attributes not mapped to another attribute (for example, cn) and attributes mapped to themselves (for example, cn=cn) take the value of the username unless the attribute values are provided when creating the profile. The object classes for user profile LDAP entries generally require Common Name (cn) and Surname (sn) attributes, so this prevents an LDAP constraint violation when performing the add operation.

    ssoadm attribute: sun-idrepo-ldapv3-config-createuser-attr-mapping

    Default: cn, sn

    Attribute Name of User Status

    Attribute to check/set user status.

    ssoadm attribute: sun-idrepo-ldapv3-config-isactive

    Default: inetuserstatus

    User Status Active Value

    Active users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-active

    Default: Active

    User Status Inactive Value

    Inactive users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-inactive

    Default: Inactive

    LDAP People Container Naming Attribute

    RDN attribute of the LDAP base DN which contains user profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-name

    Default: ou

    LDAP People Container Value

    RDN attribute value of the LDAP base DN which contains user profiles.

    If specified, AM will limit searches for user profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-value

    Default: people

    Knowledge Based Authentication Attribute Name

    Profile attribute in which knowledge-based authentication information is stored.

    ssoadm attribute: sun-idrepo-ldapv3-config-auth-kba-attr

    Default: kbaInfo

    Knowledge Based Authentication Active Index

    Profile attribute in the which knowledge-based authentication index is stored.

    ssoadm attribute: sun-idrepo-ldapv3-config-auth-kba-index-attr

    Default: kbaActiveIndex

    Knowledge Based Authentication Attempts Attribute Name

    Profile attribute in which the number of failed attempts by a user when completing knowledge-based authentication information is stored.

    ssoadm attribute: sun-idrepo-ldapv3-config-auth-kba-attempts-attr

    Default: kbaInfoAttempts

    Authentication Configuration

    The following properties appear on the Authentication Configuration tab:

    Authentication Naming Attribute

    RDN attribute for building the bind DN when given a username and password to authenticate a user against the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-auth-naming-attr

    Default: uid

    Group Configuration

    The following properties appear on the Group Configuration tab:

    LDAP Groups Search Attribute

    When searching for a group by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-attribute

    Default: cn

    LDAP Groups Search Filter

    When searching for groups, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-filter

    Default: (objectclass=groupOfUniqueNames)

    LDAP Groups Container Naming Attribute

    RDN attribute of the LDAP base DN which contains group profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-name

    Default: ou

    LDAP Groups Container Value

    RDN attribute value of the LDAP base DN which contains group profiles.

    If specified, AM will limit searches for group profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-value

    Default: groups

    LDAP Groups Object Class

    Group profiles have these LDAP object classes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-objectclass

    Default: groupofuniquenames, top

    LDAP Groups Attributes

    Group profiles have these LDAP attributes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-attributes

    Default: cn, dn, objectclass, uniqueMember

    Attribute Name for Group Membership

    LDAP attribute in the member's LDAP entry whose values are the groups to which a member belongs.

    ssoadm attribute: sun-idrepo-ldapv3-config-memberof

    Attribute Name of Unique Member

    Attribute in the group's LDAP entry whose values are the members of the group.

    ssoadm attribute: sun-idrepo-ldapv3-config-uniquemember

    Default: uniqueMember

    Attribute Name of Group Member URL

    Attribute in the group's LDAP entry whose values are LDAP URLs which define dynamic members of the group.

    ssoadm attribute: sun-idrepo-ldapv3-config-memberurl

    Default: memberUrl

    Persistent Search Controls

    The following properties appear on the Persistent Search Controls tab:

    Persistent Search Base DN

    Base DN for LDAP-persistent searches used to receive notification of changes in directory server data.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearchbase

    Default: base-dn

    Persistent Search Filter

    LDAP filter to apply when performing persistent searches.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearch-filter

    Default: (objectclass=*)

    Persistent Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    ssoadm attribute: sun-idrepo-ldapv3-config-psearch-scope

    Default: SCOPE_SUB

    Error Handling Configuration

    The following properties appear on the Error Handling Configuration tab:

    The Delay Time Between Retries

    How long to wait after receiving an error result that indicates AM should try the LDAP operation again.

    The DS data store uses this setting only for persistent searches.

    ssoadm attribute: com.iplanet.am.ldap.connection.delay.between.retries

    Default: 1000 milliseconds

    Cache Control

    The following properties appear on the Cache Control tab:

    DN Cache Enabled

    Whether to enable the DN cache, which is used to cache DN lookups that can happen in bursts during authentication. As the cache can become stale when a user is moved or renamed, enable DN caching when the directory service allows move/rename operations (Mod DN), and when AM uses persistent searches to obtain notification of such updates.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-enabled

    Default: true

    DN Cache Size

    Maximum number of DNs cached when caching is enabled.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-size

    Default: 1500 items

    Use these attributes when configuring Tivoli Directory Server data stores:

    amster service name: IdRepository

    ssoadm service name: sunIdentityRepositoryService

    ID

    The ID of the data store configuration.

    LDAP Server

    host:port to contact the directory server, with optional |server_ID|site_ID for deployments with multiple servers and sites.

    AM uses the optional settings to determine which directory server to contact first. AM tries to contact directory servers in the following priority order, with highest priority first.

    1. The first directory server in the list whose server_ID matches the current AM server.

    2. The first directory server in the list whose site_ID matches the current AM server.

    3. The first directory server in the remaining list.

    If the directory server is not available, AM proceeds to the next directory server in the list.

    XUI

    Default: host:port of the initial directory server configured for this AM server.

    ssoadm

    ssoadm attribute: sun-idrepo-ldapv3-config-ldap-server

    Default: =[0]=host:port of the initial directory server configured for this AM server.

    You must add =[n]= before the host:port, where n is an array index, starting with 0, of servers listed. See the example below.

    Example:

    sun-idrepo-ldapv3-config-ldap-server=[0]=localhost:51636|01
    sun-idrepo-ldapv3-config-ldap-server=[1]=openam.example.com:52389|02
    sun-idrepo-ldapv3-config-ldap-server=[2]=zzz.example.com:1636|01|02
    sun-idrepo-ldapv3-config-ldap-server=[3]=xxx.example.com:1636|01|02

    LDAP Bind DN

    Bind DN of the service account AM uses to connect to the directory server. Some AM capabilities require write access to directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-authid

    LDAP Bind Password

    Bind password for connecting to the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-authpw

    LDAP Organization DN

    The base DN under which to find user and group profiles.

    Ensure that the identity store is setup with the specified DN before making any changes to this property in AM.

    ssoadm attribute: sun-idrepo-ldapv3-config-organization_name

    Default: base-dn

    LDAP Connection Mode

    Whether to use LDAP, LDAPS or StartTLS to connect to the directory server. When LDAPS or StartTLS are enabled, AM must be able to trust server certificates, either because the server certificates were signed by a CA whose certificate is already included in the trust store used by the container where AM runs, or because you imported the certificates into the trust store.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection-mode

    Possible values: LDAP, LDAPS, and StartTLS

    LDAP Connection Pool Maximum Size

    Maximum number of connections to the directory server. Make sure the directory service can cope with the maximum number of client connections across all servers.

    ssoadm attribute: sun-idrepo-ldapv3-config-connection_pool_max_size

    Default: 10

    LDAP Connection Heartbeat Interval

    How often to send a heartbeat request to the directory server to ensure that the connection does not remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0 or to a negative number. To set the units for the interval, use LDAP Connection Heartbeat Time Unit.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-interval

    Default: 10

    LDAP Connection Heartbeat Time Unit

    Time unit for the LDAP Connection Heartbeat Interval setting.

    ssoadm attribute: openam-idrepo-ldapv3-heartbeat-timeunit

    Default: second

    Maximum Results Returned from Search

    A cap for the number of search results to return, for example, when viewing profiles under Identities. Rather than raise this number, consider narrowing your search to match fewer directory entries.

    ssoadm attribute: sun-idrepo-ldapv3-config-max-result

    Default: 1000

    Search Timeout

    Maximum time to wait for search results in seconds. Does not apply to persistent searches.

    ssoadm attribute: sun-idrepo-ldapv3-config-time-limit

    Default: 10

    LDAPv3 Plugin Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    ssoadm attribute: sun-idrepo-ldapv3-config-search-scope

    Default: SCOPE_SUB

    LDAPv3 Repository Plugin Class Name

    AM identity repository implementation.

    ssoadm attribute: sunIdRepoClass

    Default: org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo

    Attribute Name Mapping

    Map of AM profile attribute names to directory server attribute names.

    ssoadm attribute: sunIdRepoAttributeMapping

    LDAPv3 Plugin Supported Types and Operations

    Specifies the identity types supported by the data store, such as user, group, or realm, and which operations can be performed on them.

    The following table illustrates the identity types supported by this data store, and the operations that can be performed on them:

    Supported Identity Types and Operations
     readcreateeditdeleteservice
    group-
    realm
    user
     Read the identity typeCreate new identities of the given identity typeEdit entities of the given identity typeDelete entities of the given identity typeRead and write service settings associated with the given identity type.

    You can remove permissions based on your data store needs. For example, if the data store should not be written to, you can set the operations to read only for the identity types.

    The service operation is only relevant to the realm and the user identity types. For example, the Session Service configuration can be stored by realm, and a user can have specific session timeout settings.

    ssoadm attribute: sunIdRepoSupportedOperations

    Default:

    group=read,create,edit,delete
    realm=read,create,edit,delete,service
    user=read,create,edit,delete,service
    LDAP Users Search Attribute

    When searching for a user by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-attribute

    Default: cn

    Warning

    Do not modify the value of the search attribute in user profiles. Modifying this attribute value can result in incorrectly cached identity data. For example, if you configure the search attribute to mail, it could prevent users from being able to update their email addresses in their user profiles.

    LDAP Users Search Filter

    When searching for users, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-users-search-filter

    Default: (objectclass=inetorgperson)

    LDAP People Container Naming Attribute

    RDN attribute of the LDAP base DN which contains user profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-name

    Default: ou

    LDAP People Container Value

    RDN attribute value of the LDAP base DN which contains user profiles.

    If specified, AM will limit searches for user profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-people-container-value

    LDAP User Object Class

    User profiles have these LDAP object classes.

    AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.

    For example, with default settings if you request that AM execute a search that asks for the mailAlternateAddress attribute, AM does the search, but does not request mailAlternateAddress. In the same way, AM does perform an update operation with a request to set the value of an unlisted attribute like mailAlternateAddress, but it drops the unlisted attribute from the update request.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-objectclass

    Default: devicePrintProfilesContainer, forgerock-am-dashboard-service, inetorgperson, inetuser, iplanet-am-auth-configuration-service, iplanet-am-managed-person, iplanet-am-user-service, iPlanetPreferences, organizationalperson, person, sunAMAuthAccountLockout, sunFederationManagerDataStore, sunFMSAML2NameIdentifier, sunIdentityServerLibertyPPService, top

    LDAP User Attributes

    User profiles have these LDAP attributes.

    AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-user-attributes

    Default: adminRole, assignedDashboard, authorityRevocationList, caCertificate, cn, devicePrintProfiles, distinguishedName, dn, employeeNumber, givenName, inetUserHttpURL, inetUserStatus, iplanet-am-auth-configuration, iplanet-am-session-add-session-listener-on-all-sessions, iplanet-am-session-destroy-sessions, iplanet-am-session-get-valid-sessions, iplanet-am-session-max-caching-time, iplanet-am-session-max-idle-time, iplanet-am-session-max-session-time, iplanet-am-session-quota-limit, iplanet-am-session-service-status, iplanet-am-user-account-life, iplanet-am-user-admin-start-dn, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-auth-modules, iplanet-am-user-failure-url, iplanet-am-user-federation-info-key, iplanet-am-user-federation-info, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-success-url, mail, manager, memberOf, objectClass, postalAddress, preferredlanguage, preferredLocale, preferredtimezone, sn, sun-fm-saml2-nameid-info, sun-fm-saml2-nameid-infokey, sunAMAuthInvalidAttemptsData, sunIdentityMSISDNNumber, sunIdentityServerDiscoEntries, sunIdentityServerPPAddressCard, sunIdentityServerPPCommonNameAltCN, sunIdentityServerPPCommonNameCN, sunIdentityServerPPCommonNameFN, sunIdentityServerPPCommonNameMN, sunIdentityServerPPCommonNamePT, sunIdentityServerPPCommonNameSN, sunIdentityServerPPDemographicsAge, sunIdentityServerPPDemographicsBirthDay, sunIdentityServerPPDemographicsDisplayLanguage, sunIdentityServerPPDemographicsLanguage, sunIdentityServerPPDemographicsTimeZone, sunIdentityServerPPEmergencyContact, sunIdentityServerPPEmploymentIdentityAltO, sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPEmploymentIdentityOrg, sunIdentityServerPPEncryPTKey, sunIdentityServerPPFacadegreetmesound, sunIdentityServerPPFacadeGreetSound, sunIdentityServerPPFacadeMugShot, sunIdentityServerPPFacadeNamePronounced, sunIdentityServerPPFacadeWebSite, sunIdentityServerPPInformalName, sunIdentityServerPPLegalIdentityAltIdType, sunIdentityServerPPLegalIdentityAltIdValue, sunIdentityServerPPLegalIdentityDOB, sunIdentityServerPPLegalIdentityGender, sunIdentityServerPPLegalIdentityLegalName, sunIdentityServerPPLegalIdentityMaritalStatus, sunIdentityServerPPLegalIdentityVATIdType, sunIdentityServerPPLegalIdentityVATIdValue, sunIdentityServerPPMsgContact, sunIdentityServerPPSignKey, telephoneNumber, uid, userCertificate, userPassword

    Create User Attribute Mapping

    When creating a user profile, apply this map of AM profile attribute names to directory server attribute names.

    Attributes not mapped to another attribute (for example, cn) and attributes mapped to themselves (for example, cn=cn) take the value of the username unless the attribute values are provided when creating the profile. The object classes for user profile LDAP entries generally require Common Name (cn) and Surname (sn) attributes, so this prevents an LDAP constraint violation when performing the add operation.

    ssoadm attribute: sun-idrepo-ldapv3-config-createuser-attr-mapping

    Default: cn, sn

    Attribute Name of User Status

    Attribute to check/set user status.

    ssoadm attribute: sun-idrepo-ldapv3-config-isactive

    Default: inetuserstatus

    User Status Active Value

    Active users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-active

    Default: Active

    User Status Inactive Value

    Inactive users have the user status attribute set to this value.

    ssoadm attribute: sun-idrepo-ldapv3-config-inactive

    Default: Inactive

    Authentication Naming Attribute

    RDN attribute for building the bind DN when given a username and password to authenticate a user against the directory server.

    ssoadm attribute: sun-idrepo-ldapv3-config-auth-naming-attr

    Default: cn

    LDAP Groups Search Attribute

    When searching for a group by name, match values against this attribute.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-attribute

    Default: cn

    LDAP Groups Search Filter

    When searching for groups, apply this LDAP search filter as well.

    ssoadm attribute: sun-idrepo-ldapv3-config-groups-search-filter

    Default: (objectclass=groupOfNames)

    LDAP Groups Container Naming Attribute

    RDN attribute of the LDAP base DN which contains group profiles.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-name

    Default: ou

    LDAP Groups Container Value

    RDN attribute value of the LDAP base DN which contains group profiles.

    If specified, AM will limit searches for group profiles to the provided base DN. Otherwise, AM searches the entire directory.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-container-value

    LDAP Groups Object Class

    Group profiles have these LDAP object classes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-objectclass

    Default: groupofnames, top

    LDAP Groups Attributes

    Group profiles have these LDAP attributes.

    ssoadm attribute: sun-idrepo-ldapv3-config-group-attributes

    Default: cn, description, dn, member, objectclass, ou

    Attribute Name for Group Membership

    LDAP attribute in the member's LDAP entry whose values are the groups to which a member belongs.

    ssoadm attribute: sun-idrepo-ldapv3-config-memberof

    Attribute Name of Unique Member

    Attribute in the group's LDAP entry whose values are the members of the group.

    ssoadm attribute: sun-idrepo-ldapv3-config-uniquemember

    Default: member

    Default Group Member's User DN

    DN of member added to all newly created groups.

    ssoadm attribute: sun-idrepo-ldapv3-config-dftgroupmember

    Persistent Search Base DN

    Base DN for LDAP-persistent searches used to receive notification of changes in directory server data.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearchbase

    Default: base-dn

    Persistent Search Filter

    LDAP filter to apply when performing persistent searches.

    ssoadm attribute: sun-idrepo-ldapv3-config-psearch-filter

    Default: (objectclass=*)

    Persistent Search Scope

    LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE), or all entries below the search DN (SEARCH_SUB).

    ssoadm attribute: sun-idrepo-ldapv3-config-psearch-scope

    Default: SCOPE_SUB

    The Delay Time Between Retries

    How long to wait after receiving an error result that indicates AM should try the LDAP operation again.

    ssoadm attribute: com.iplanet.am.ldap.connection.delay.between.retries

    Default: 1000 milliseconds

    DN Cache Enabled

    Whether to enable the DN cache, which is used to cache DN lookups that can happen in bursts during authentication. As the cache can become stale when a user is moved or renamed, enable DN caching when the directory service allows move/rename operations (Mod DN), and when AM uses persistent searches to obtain notification of such updates.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-enabled

    Default: true

    DN Cache Size

    Maximum number of DNs cached when caching is enabled.

    ssoadm attribute: sun-idrepo-ldapv3-dncache-size

    Default: 1500 items

    Load Schema

    Import appropriate LDAP schema to the directory server before saving the configuration. The LDAP Bind DN service account must have access to perform this operation.

    This option is not available for use with the ssoadm command.

    Default: Disabled.

  6. (Optional) If you have not applied the schema configuration to your identity data, but the AM service account used to bind to the directory service has permission to alter schema, enable the Load Schema option.

  7. Click Save Changes.

  8. If you no longer need the connection to the inherited, embedded identity store in this realm, then you can delete its entry in the Identity Stores list.

    Also, once you change the identity store for a realm, you might opt to change the authentication module configuration to use your realm identity store, rather than the inherited settings. See "To Configure Authentication Modules".

  9. To test the connection, see "Testing External Identity Repository Access".

Read a different version of :