How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure AM (All versions) to use the sAMAccountName for authentication?

Last updated May 10, 2022

The purpose of this article is to provide information on configuring AM to use the sAMAccountName attribute for authentication when you have an Active Directory® user data store. This change allows your users to log in using sAMAccountName as their user ID.


Using sAMAccountName as the user ID

Active Directory does not populate a uid attribute on user accounts; the equivalent of uid is sAMAccountName, the account's logon name, which is unique within a domain and matched case-insensitively. This means you need to configure AM to use sAMAccountName as the user ID. This article assumes you are already using the Active Directory authentication module; if not, configure it and set the attributes as described below. See Active Directory Module Properties for further information.

Note

The search and naming attributes specified in your Active Directory authentication module configuration must match those in your user data store configuration; otherwise the user authenticates against AD but AM cannot locate the profile and fails with "User has no profile in this organization". See User has no profile in this organization message received when user authenticates in AM (All versions) for further information. Additionally, the LDAP Users Search Attribute and the Authentication Naming Attribute set in the data store must match each other, otherwise you will see "User Requires Profile to Login" errors.

You can configure AM as follows:

  1. Change the attributes used in the Active Directory data store using either the console, Amster or ssoadm:
    • AM 6 and later console: navigate to: Realms > [Realm Name] > Data Stores > [AD Data Store] and set the following attributes to sAMAccountName:
      • User Configuration tab > LDAP Users Search Attribute
      • Authentication Configuration tab > Authentication Naming Attribute
    • AM 5.x console: navigate to: Realms > [Realm Name] > Data Stores > [AD Data Store] and set the following attributes to sAMAccountName:
      • LDAP Users Search Attribute
      • Authentication Naming Attribute
    • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
      • Entity: ActiveDirectory
      • Properties: sun-idrepo-ldapv3-config-users-search-attribute, sun-idrepo-ldapv3-config-auth-naming-attr
    • ssoadm: enter the following command, replacing [realmname], [datastorename], [adminID] and [passwordfile] with appropriate values:

      $ ./ssoadm update-datastore -e [realmname] -m [datastorename] -u [adminID] -f [passwordfile] -a sun-idrepo-ldapv3-config-users-search-attribute=sAMAccountName sun-idrepo-ldapv3-config-auth-naming-attr=sAMAccountName

  2. Change the attributes used in the Active Directory authentication module using either the console, Amster or ssoadm:
    • Console: navigate to: Configure > Authentication > Active Directory and set the following attributes to sAMAccountName:
      • Attribute Used to Retrieve User Profile
      • Attributes Used to Search for a User to be Authenticated
    • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
      • Entity: ActiveDirectoryModule
      • Properties: userProfileRetrievalAttribute, userSearchAttributes
    • ssoadm: enter the following command, replacing [realmname], [adminID] and [passwordfile] with appropriate values:

      $ ./ssoadm update-auth-instance -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-auth-ldap-user-naming-attribute=sAMAccountName iplanet-am-auth-ldap-user-search-attributes=sAMAccountName
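
The following is an added example, not ForgeRock's or AM's own code. It is a deliberately simplified, in-memory model of the two lookups that happen at login (the authentication module's user search, then the data store profile lookup), driven by the four properties set in steps 1 and 2. It shows why a uid-based search finds nothing in AD, how the mismatch described in the note above turns a successful AD authentication into a "no profile" failure, and how the login ID is escaped before it is placed in the LDAP filter. The directory entries, the configuration dictionaries and the function names (escape_filter_value, user_filter, search, lint, login) are constructed for this illustration; the sequence of calls inside AM itself is more involved.

```python
# Added example, not ForgeRock code: a simplified model of the login-time
# lookups AM performs, driven by the four properties the article sets.
# All entries, configurations and helper names are constructed for illustration.

# Property names as used in the article's Amster/ssoadm steps.
DS_USERS_SEARCH = "sun-idrepo-ldapv3-config-users-search-attribute"
DS_AUTH_NAMING = "sun-idrepo-ldapv3-config-auth-naming-attr"
MOD_NAMING = "iplanet-am-auth-ldap-user-naming-attribute"
MOD_SEARCH = "iplanet-am-auth-ldap-user-search-attributes"

# Constructed AD-style entries. Real entries carry many more attributes; what
# matters here is that sAMAccountName is populated and uid is absent.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": "jdoe", "cn": "Jane Doe"},
    {"dn": "CN=Bob Lee,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": "blee", "cn": "Bob Lee"},
    {"dn": "CN=Printer 01,OU=Devices,DC=example,DC=com",
     "objectClass": ["top", "device"], "cn": "Printer 01"},
]

# Values after completing steps 1 and 2 above.
CORRECT_DATASTORE = {DS_USERS_SEARCH: "sAMAccountName", DS_AUTH_NAMING: "sAMAccountName"}
CORRECT_MODULE = {MOD_NAMING: "sAMAccountName", MOD_SEARCH: ["sAMAccountName"]}
# A configuration that still expects a uid attribute (constructed).
UID_DATASTORE = {DS_USERS_SEARCH: "uid", DS_AUTH_NAMING: "uid"}
UID_MODULE = {MOD_NAMING: "uid", MOD_SEARCH: ["uid"]}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the login ID is untrusted input inside an LDAP filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_filter(search_attr: str, user_id: str) -> str:
    """Filter shape for a user search on the configured search attribute."""
    return f"(&(objectClass=person)({search_attr}={escape_filter_value(user_id)}))"


def search(directory, search_attr: str, value: str):
    """In-memory stand-in for the LDAP search. AD matches sAMAccountName
    case-insensitively, so compare case-folded strings."""
    wanted = value.casefold()
    return [e for e in directory
            if "person" in e.get("objectClass", [])
            and search_attr in e
            and e[search_attr].casefold() == wanted]


def lint(datastore_cfg, module_cfg):
    """Report the mismatches behind the two errors named in the note above."""
    problems = []
    if datastore_cfg[DS_USERS_SEARCH] != datastore_cfg[DS_AUTH_NAMING]:
        problems.append("data store: users search attribute and auth naming attribute differ")
    if module_cfg[MOD_NAMING] != datastore_cfg[DS_AUTH_NAMING]:
        problems.append("auth module naming attribute differs from data store naming attribute")
    if datastore_cfg[DS_USERS_SEARCH] not in module_cfg[MOD_SEARCH]:
        problems.append("data store users search attribute not among auth module search attributes")
    return problems


def login(directory, datastore_cfg, module_cfg, user_id: str):
    """Simplified login path: the module finds the entry by its search
    attributes, takes the naming attribute value as the principal, and the
    data store is then searched for that principal. Returns (outcome, dn)."""
    matches = []
    for attr in module_cfg[MOD_SEARCH]:
        matches.extend(search(directory, attr, user_id))
    if not matches:
        return ("invalid-credentials", None)   # no entry to bind as
    entry = matches[0]
    principal = entry.get(module_cfg[MOD_NAMING])
    if principal is None:
        return ("no-profile", entry["dn"])      # naming attribute absent on the entry
    profiles = search(directory, datastore_cfg[DS_USERS_SEARCH], principal)
    if not profiles:
        return ("no-profile", entry["dn"])      # "User has no profile in this organization"
    return ("ok", profiles[0]["dn"])


if __name__ == "__main__":
    print(user_filter("sAMAccountName", "jdoe)(objectClass=*"))
    print(login(SAMPLE_DIRECTORY, CORRECT_DATASTORE, CORRECT_MODULE, "JDoe"))
    print(login(SAMPLE_DIRECTORY, UID_DATASTORE, UID_MODULE, "jdoe"))
    print(login(SAMPLE_DIRECTORY, UID_DATASTORE, CORRECT_MODULE, "jdoe"))
    print(lint(UID_DATASTORE, CORRECT_MODULE))
```

Running the script shows the three outcomes side by side: with both configurations on sAMAccountName the login resolves to Jane Doe's DN even though the ID was typed as "JDoe"; with both on uid the search finds nothing at all; and with only the module changed (step 2 done, step 1 not), AD authentication succeeds but the profile lookup fails, which is the mismatch lint reports. The escaped filter also demonstrates why the login ID must never be concatenated into a filter unescaped, whichever attribute is searched.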

See Also

How do I understand what the user data store is used for in AM (All versions)?

How do I create a user data store in AM (All versions) using ssoadm?

Data stores in AM

Authentication modules in AM

To Configure an Identity Store

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.