ForgeRock Directory Services
Use these attributes when configuring DS data stores:
amster
service name: IdRepository
ssoadm
service name: sunIdentityRepositoryService
All tabs
Load Schema
Import appropriate LDAP schema to the directory server when saving the configuration. The LDAP Bind DN service account must have access to perform this operation.
For more information, see Prepare identity repositories.
Server Settings tab
LDAP Server
host:port
to contact the directory server,
with optional |serverID|siteID
for deployments with multiple servers and sites.
AM uses the optional settings to determine which directory server to contact first. AM tries to contact directory servers in the following priority order, with highest priority first:
-
The first directory server in the list whose serverID matches the current AM server.
-
The first directory server in the list whose siteID matches the current AM server.
-
The first directory server in the remaining list.
If the directory server is not available, AM proceeds to the next directory server in the list.
XUI
Default: |
ssoadm
Default: You must add Example: sun-idrepo-ldapv3-config-ldap-server=[0]=localhost:51636|01 sun-idrepo-ldapv3-config-ldap-server=[1]=openam.example.com:52389|02 sun-idrepo-ldapv3-config-ldap-server=[2]=zzz.example.com:1636|01|02 sun-idrepo-ldapv3-config-ldap-server=[3]=xxx.example.com:1636|01|02 |
LDAP Bind DN
Bind DN of the service account AM uses to connect to the directory server. Some AM capabilities require write access to directory entries.
If you enable mTLS authentication, this value is ignored.
ssoadm
attribute: sun-idrepo-ldapv3-config-authid
LDAP Bind Password
Bind password for connecting to the directory server.
If you enable mTLS authentication, this value is ignored.
ssoadm
attribute: sun-idrepo-ldapv3-config-authpw
Proxied Authorization using Bind DN
When the force-change-on-reset
password policy is configured on the DS user data store,
users resetting their passwords using AM’s forgotten password feature
may be required to reset their passwords twice
(prompted by both AM’s User Self-Service and DS’s password policy).
When the Proxied Authorization using Bind DN property is enabled, AM leverages DS’s proxied authorization to reset user passwords acting as themselves rather than as the service account configured in the LDAP Bind DN property. This way, DS does not require users to reset their passwords again.
Before enabling this setting, ensure that the service account configured in the LDAP Bind DN property
has the proxied-auth
privilege granted.
If the service account does not have the required privilege,
users would not be able to reset their passwords and AM and DS will log an error message.
For examples of setting the privileges required for the password reset feature, see Installing and Configuring Directory Services for Identity Data.
Enable this property only if:
-
The
force-change-on-reset
password policy is configured in the DS user data store. -
The forgotten password user self-service feature is configured in AM.
-
Users are being forced to reset their passwords twice.
ssoadm
attribute: openam-idrepo-ldapv3-proxied-auth-enabled
Default: Disabled
Fallback using Bind DN if Proxied Authorization denied
Enable this setting to fallback and retry using non-proxied authorization
(without the Directory Services proxied-auth
privilege) when proxied authorization is denied.
Enabling this property causes AM to attempt to make LDAP changes as the LDAP Bind DN service account if proxied auth was unsuccessful; for example, if the user account attempting the changes originally is locked or the password has expired.
This setting is effective only when Proxied Authorization using Bind DN property is also enabled.
ssoadm
attribute: openam-idrepo-ldapv3-proxied-auth-denied-fallback
Default: Disabled
LDAP Organization DN
The base DN under which to find user and group profiles.
Ensure that the identity store is set up with the specified DN before making any changes to this property in AM.
ssoadm
attribute: sun-idrepo-ldapv3-config-organization_name
Default: base-dn
LDAP Connection Mode
Whether to use LDAP, LDAPS or StartTLS to connect to the directory server. If you enable LDAPS or StartTLS, AM must be able to trust server certificates, either because the server certificates were signed by a CA whose certificate is already included in the trust store used by the container where AM runs, or because you imported the certificates into the trust store.
ssoadm
attribute: sun-idrepo-ldapv3-config-connection-mode
Possible values: LDAP
, LDAPS
, and StartTLS
LDAP Connection Pool Minimum Size
Minimum number of connections to the directory server.
ssoadm
attribute: sun-idrepo-ldapv3-config-connection_pool_min_size
Default: 1
LDAP Connection Pool Maximum Size
Maximum number of connections to the directory server. Make sure the directory service can cope with the maximum number of client connections across all servers.
ssoadm
attribute: sun-idrepo-ldapv3-config-connection_pool_max_size
Default: 10
LDAP Connection Heartbeat Interval
How often to send a heartbeat request to the directory server to ensure that the connection doesn’t remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0.
To set the units for the interval, use LDAP Connection Heartbeat Time Unit
.
Note that setting this property to 0
will disable the heartbeat (keepalive) requests and load balancer availability checks.
ssoadm
attribute: openam-idrepo-ldapv3-heartbeat-interval
Default: 10
LDAP Connection Heartbeat Search Base
Defines the search base for:
-
The heartbeat request that checks connections to the LDAP server are alive and prevents idle timeouts (keepalive).
-
The load balancer availability check.
The keepalive and availability checks are only enabled if the heartbeat interval and timeout
are set to a value greater than 0
.
The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.
If the search results in an error, AM fails to start up with an exception such as
org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available
.
ssoadm
attribute: openam-idrepo-ldapv3-keepalive-searchbase
Default: [Empty]
LDAP Connection Heartbeat Search Filter
Defines the search filter for:
-
The heartbeat request that checks connections to the LDAP server are alive and prevents idle timeouts (keepalive).
-
The load balancer availability check.
You can also use the absolute True and False filter (&
).
The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.
If the search results in an error, AM fails to start up with an exception such as
org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available
.
ssoadm
attribute: openam-idrepo-ldapv3-keepalive-searchfilter
Default: (objectClass=*)
LDAP Connection Heartbeat Time Unit
Time unit for the LDAP Connection Heartbeat Interval
setting.
ssoadm
attribute: openam-idrepo-ldapv3-heartbeat-timeunit
Default: second
Maximum Results Returned from Search
A cap for the number of search results to return, for example, when viewing profiles under Identities. Rather than raise this number, consider narrowing your search to match fewer directory entries.
ssoadm
attribute: sun-idrepo-ldapv3-config-max-result
Default: 1000
Search Timeout
Maximum time to wait for search results in seconds. Doesn’t apply to persistent searches.
ssoadm
attribute: sun-idrepo-ldapv3-config-time-limit
Default: 10
LDAPv3 Plugin Search Scope
LDAP searches can apply to a single entry (SCOPE_BASE
), entries directly below the search DN (SCOPE_ONE
),
or all entries below the search DN (SEARCH_SUB
).
ssoadm
attribute: sun-idrepo-ldapv3-config-search-scope
Default: SCOPE_SUB
Behera Support Enabled
Enable this property to use Behera draft control in outgoing requests for operations that may modify password values.
Behera draft control allows AM to display password policy related error messages when password policies are not met.
ssoadm
attribute: openam-idrepo-ldapv3-behera-support-enabled
Default: Enabled
Affinity Enabled
Enables affinity-based load balanced access to the identity stores. Specify each of the directory server instances that form the affinity deployment in the LDAP Server field.
The directory server instance used for each operation is based on the DN of the identity involved.
When enabled, you must use an identical LDAP Server value in every AM instance in the deployment. |
ssoadm
attribute: openam-idrepo-ldapv3-affinity-enabled
Default: Disabled
mTLS Enabled
Enables mutual TLS (mTLS) between AM and the directory server.
When mTLS is enabled, AM ignores the values for LDAP Bind DN and LDAP Bind Password.
If you enable this property, you must:
-
Set the LDAP Connection Mode to
LDAPS
. -
Provide an mTLS Secret Label.
Default: Disabled
mTLS Secret Label
Label used to create a secret ID for mapping to the mTLS certificate in the secret store.
AM uses this label to create a specific secret ID for this identity repository. The secret ID takes the form
am.identity.repository.label.cert
, where label
is the value of
mTLS Secret Label. The label can only contain alphanumeric characters (a-z
, A-Z
, 0-9
) and periods (.
).
It can’t start or end with a period.
When you configure mTLS, you need to map the secret ID that’s based on this label to the correct certificate alias. To avoid a temporarily "broken" mTLS connection, add the mTLS Secret Label first, without enabling mTLS. Then configure the mapping to the certificate alias, then enable mTLS.
For more security, you should rotate certificates periodically. When you rotate a certificate, update the corresponding mapping in the realm secret store configuration to reflect this label. When you rotate a certificate, AM closes any existing connections using the old certificate. A new connection is selected from the connection pool and no server restart is required.
Plug-in Configuration tab
LDAPv3 Repository Plugin Class Name
AM identity repository implementation.
ssoadm
attribute: sunIdRepoClass
Default: org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo
Attribute Name Mapping
Map of AM profile attribute names to directory server attribute names.
ssoadm
attribute: sunIdRepoAttributeMapping
LDAPv3 Plugin Supported Types and Operations
Specifies the identity types supported by the data store, such as user
, group
, or realm
,
and which operations can be performed on them.
The following table illustrates the identity types supported by this data store, and the operations that can be performed on them:
read | create | edit | delete | service | |
---|---|---|---|---|---|
|
✔ |
✔ |
✔ |
✔ |
|
|
✔ |
✔ |
✔ |
✔ |
✔ |
|
✔ |
✔ |
✔ |
✔ |
✔ |
Read the identity type |
Create new identities of the given identity type |
Edit entities of the given identity type |
Delete entities of the given identity type |
Read and write service settings associated with the given identity type. |
You can remove permissions based on your data store needs.
For example, if the data store should not be written to,
you can set the operations to read
only for the identity types.
The service
operation is only relevant to the realm
and the user
identity types.
For example, the Session Service configuration can be stored by realm,
and a user can have specific session timeout settings.
ssoadm
attribute: sunIdRepoSupportedOperations
Default:
group=read,create,edit,delete
realm=read,create,edit,delete,service
user=read,create,edit,delete,service
User Configuration tab
LDAP Users Search Attribute
When searching for a user by name, match values against this attribute.
ssoadm
attribute: sun-idrepo-ldapv3-config-users-search-attribute
Default: uid
Do not modify the value of the search attribute in user profiles.
Modifying this attribute value can result in incorrectly cached identity data.
For example, if you configure the search attribute to |
LDAP Users Search Filter
When searching for users, apply this LDAP search filter as well.
ssoadm
attribute: sun-idrepo-ldapv3-config-users-search-filter
Default: (objectclass=inetorgperson)
LDAP User Object Class
User profiles have these LDAP object classes.
AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.
For example, with default settings, if you request that AM execute a search
that asks for the mailAlternateAddress
attribute, AM does the search,
but does not request mailAlternateAddress
.
In the same way, AM does perform an update operation with a request
to set the value of an unlisted attribute like mailAlternateAddress
,
but it drops the unlisted attribute from the update request.
ssoadm
attribute: sun-idrepo-ldapv3-config-user-objectclass
Default:
devicePrintProfilesContainer
forgerock-am-dashboard-service
iPlanetPreferences
inetorgperson
inetuser
iplanet-am-auth-configuration-service
iplanet-am-managed-person
iplanet-am-user-service
kbaInfoContainer
oathDeviceProfilesContainer
organizationalperson
person
pushDeviceProfilesContainer
sunAMAuthAccountLockout
sunFMSAML2NameIdentifier
sunFederationManagerDataStore
sunIdentityServerLibertyPPService
top
LDAP User Attributes
User profiles have these LDAP attributes.
AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.
ssoadm
attribute: sun-idrepo-ldapv3-config-user-attributes
Default:
adminRole
assignedDashboard
authorityRevocationList
caCertificate
cn
createTimestamp
devicePrintProfiles
distinguishedName
dn
employeeNumber
givenName
inetUserHttpURL
inetUserStatus
iplanet-am-auth-configuration
iplanet-am-session-destroy-sessions
iplanet-am-session-get-valid-sessions
iplanet-am-session-max-caching-time
iplanet-am-session-max-idle-time
iplanet-am-session-max-session-time
iplanet-am-session-quota-limit
iplanet-am-session-service-status
iplanet-am-user-account-life
iplanet-am-user-admin-start-dn
iplanet-am-user-alias-list
iplanet-am-user-auth-config
iplanet-am-user-auth-modules
iplanet-am-user-failure-url
iplanet-am-user-federation-info
iplanet-am-user-federation-info-key
iplanet-am-user-login-status
iplanet-am-user-password-reset-force-reset
iplanet-am-user-password-reset-options
iplanet-am-user-password-reset-question-answer
iplanet-am-user-success-url
kbaActiveIndex
kbaInfo
mail
manager
memberOf
modifyTimestamp
oath2faEnabled
oathDeviceProfiles
objectClass
postalAddress
preferredLocale
preferredlanguage
preferredtimezone
pushDeviceProfiles
sn
sun-fm-saml2-nameid-info
sun-fm-saml2-nameid-infokey
sunAMAuthInvalidAttemptsData
sunIdentityMSISDNNumber
sunIdentityServerDiscoEntries
sunIdentityServerPPAddressCard
sunIdentityServerPPCommonNameAltCN
sunIdentityServerPPCommonNameCN
sunIdentityServerPPCommonNameFN
sunIdentityServerPPCommonNameMN
sunIdentityServerPPCommonNamePT
sunIdentityServerPPCommonNameSN
sunIdentityServerPPDemographicsAge
sunIdentityServerPPDemographicsBirthDay
sunIdentityServerPPDemographicsDisplayLanguage
sunIdentityServerPPDemographicsLanguage
sunIdentityServerPPDemographicsTimeZone
sunIdentityServerPPEmergencyContact
sunIdentityServerPPEmploymentIdentityAltO
sunIdentityServerPPEmploymentIdentityJobTitle
sunIdentityServerPPEmploymentIdentityOrg
sunIdentityServerPPEncryPTKey
sunIdentityServerPPFacadeGreetSound
sunIdentityServerPPFacadeMugShot
sunIdentityServerPPFacadeNamePronounced
sunIdentityServerPPFacadeWebSite
sunIdentityServerPPFacadegreetmesound
sunIdentityServerPPInformalName
sunIdentityServerPPLegalIdentityAltIdType
sunIdentityServerPPLegalIdentityAltIdValue
sunIdentityServerPPLegalIdentityDOB
sunIdentityServerPPLegalIdentityGender
sunIdentityServerPPLegalIdentityLegalName
sunIdentityServerPPLegalIdentityMaritalStatus
sunIdentityServerPPLegalIdentityVATIdType
sunIdentityServerPPLegalIdentityVATIdValue
sunIdentityServerPPMsgContact
sunIdentityServerPPSignKey
telephoneNumber
uid
userCertificate
userPassword
Create User Attribute Mapping
When creating a user profile, apply this map of AM profile attribute names to directory server attribute names.
Attributes not mapped to another attribute (for example, cn
) and attributes mapped to themselves
(for example, cn=cn
) take the value of the username unless the attribute values
are provided when creating the profile.
The object classes for user profile LDAP entries generally require Common Name (cn) and Surname (sn) attributes,
so this prevents an LDAP constraint violation when performing the add operation.
ssoadm
attribute: sun-idrepo-ldapv3-config-createuser-attr-mapping
Default: cn
, sn
Attribute Name of User Status
Attribute to check/set user status.
ssoadm
attribute: sun-idrepo-ldapv3-config-isactive
Default: inetuserstatus
User Status Active Value
Active users have the user status attribute set to this value.
ssoadm
attribute: sun-idrepo-ldapv3-config-active
Default: Active
User Status Inactive Value
Inactive users have the user status attribute set to this value.
ssoadm
attribute: sun-idrepo-ldapv3-config-inactive
Default: Inactive
LDAP People Container Naming Attribute
RDN attribute of the LDAP base DN which contains user profiles.
ssoadm
attribute: sun-idrepo-ldapv3-config-people-container-name
Default: ou
LDAP People Container Value
RDN attribute value of the LDAP base DN which contains user profiles.
If specified, AM will limit searches for user profiles to the provided base DN. Otherwise, AM searches the entire directory.
ssoadm
attribute: sun-idrepo-ldapv3-config-people-container-value
Default: people
Knowledge Based Authentication Attribute Name
Profile attribute in which knowledge-based authentication information is stored.
ssoadm
attribute: sun-idrepo-ldapv3-config-auth-kba-attr
Default: kbaInfo
Authentication Configuration tab
Authentication Naming Attribute
RDN attribute for building the bind DN when given a username and password to authenticate a user against the directory server.
If you change this value after you have deployed and configured AM, you must update or recreate all existing identities to refresh user DNs. Failure to do so could result in unsuccessful authentication or risk of impersonation attacks. |
ssoadm
attribute: sun-idrepo-ldapv3-config-auth-naming-attr
Default: uid
Group Configuration tab
LDAP Groups Search Attribute
When searching for a group by name, match values against this attribute.
ssoadm
attribute: sun-idrepo-ldapv3-config-groups-search-attribute
Default: cn
LDAP Groups Search Filter
When searching for groups, apply this LDAP search filter as well.
ssoadm
attribute: sun-idrepo-ldapv3-config-groups-search-filter
Default: (objectclass=groupOfUniqueNames)
LDAP Groups Container Naming Attribute
RDN attribute of the LDAP base DN which contains group profiles.
ssoadm
attribute: sun-idrepo-ldapv3-config-group-container-name
Default: ou
LDAP Groups Container Value
RDN attribute value of the LDAP base DN which contains group profiles.
If specified, AM will limit searches for group profiles to the provided base DN. Otherwise, AM searches the entire directory.
ssoadm
attribute: sun-idrepo-ldapv3-config-group-container-value
Default: groups
LDAP Groups Object Class
Group profiles have these LDAP object classes.
ssoadm
attribute: sun-idrepo-ldapv3-config-group-objectclass
Default: groupofuniquenames
, top
LDAP Groups Attributes
Group profiles have these LDAP attributes.
ssoadm
attribute: sun-idrepo-ldapv3-config-group-attributes
Default: cn
, dn
, objectclass
, uniqueMember
Attribute Name for Group Membership
LDAP attribute in the member’s LDAP entry whose values are the groups to which a member belongs.
ssoadm
attribute: sun-idrepo-ldapv3-config-memberof
Persistent Search Controls tab
Persistent Search Base DN
Base DN for LDAP-persistent searches used to receive notification of changes in directory server data.
ssoadm
attribute: sun-idrepo-ldapv3-config-psearchbase
Default: base-dn
Cache Control tab
DN Cache Enabled
Whether to enable the DN cache, which is used to cache DN lookups that can happen in bursts during authentication. As the cache can become stale when a user is moved or renamed, enable DN caching when the directory service allows move/rename operations (Mod DN), and when AM uses persistent searches to obtain notification of such updates.
ssoadm
attribute: sun-idrepo-ldapv3-dncache-enabled
Default: true