Access centralization methods


Access centralization methods

Elias Pereira
Hello guys,

In our institution we have an openldap base and we will also have a samba4 ADDC. The principal cannot migrate our openldap base to AD, because there are some services that synchronize with our rectory through the openldap base. Our users perform login through this openldap base.

My doubts regarding the use of OpenAM as the other centralized access method:

1. Must we have an OpenDJ base for OpenAM to function properly?

2. Can I use my databases (openldap and samba AD) in OpenAM for my users to perform access through OpenAM? How would access work using a domain?

Thanks in advance!

--
Elias Pereira

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Access centralization methods

Bernhard Thalmayr
On 24/10/16 at 14:24, Elias Pereira wrote:

> Hello guys,
>
> In our institution we have an openldap base and we will also have a
> samba4 ADDC. The principal cannot migrate our openldap base to AD,
> because there are some services that synchronize with our rectory
> through the openldap base. Our users perform login through this
> openldap base.
>
> My doubts regarding the use of OpenAM as the other centralized access
> method:
>
> 1. Must we have an OpenDJ base for OpenAM to function properly?

No
>
> 2. Can I use my databases (openldap and samba AD) in OpenAM for my users
> to perform access through OpenAM? How would access work using a domain?

Most likely.

OpenAM does not store user identity information itself, but rather
consumes identity information from configured user data stores.

You can even write your own user data store implementation.

OpenLDAP supports neither the 'persistent search control' nor the 'change
notification control', so you cannot use the OpenAM IdRepo cache update
mechanism for OpenLDAP.

AD offers 'change notification control'.

Make sure to read about OpenAM IdRepo caching.

-Bernhard



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

Re: Access centralization methods

Elias Pereira
> OpenLDAP does neither support 'persistent search control' nor 'change
> notification control' so you can not use OpenAM IdRepo cache update
> mechanism for OpenLDAP.

Ok. Would there be any way to work without these options?

Perhaps an alternative is to migrate the openldap base to an OpenDJ base. Is it possible?

--
Elias Pereira


Re: Access centralization methods

Bernhard Thalmayr
On 24/10/16 at 16:39, Elias Pereira wrote:
>     OpenLDAP supports neither the 'persistent search control' nor the 'change
>     notification control', so you cannot use the OpenAM IdRepo cache update
>     mechanism for OpenLDAP.
>
>
> Ok. Would there be any way to work without these options?

Sure, you can either disable the IdRepo cache completely or use time-based
cache aging.

There has also been an OpenLDAP IdRepo implementation as a community
extension; however, I'm not sure if this implemented the OpenLDAP
Content Synchronization protocol, which would allow updating the IdRepo
cache on an event basis.
>
> Perhaps an alternative is to migrate the openldap base to an OpenDJ base.
> Is it possible?

Sure, this would be possible too, but you need to check whether some
OpenLDAP-specific feature is used by other client applications.

-Bernhard



Re: Access centralization methods

Elias Pereira
> Sure, you can either disable IdRepo cache completely or use time-based
> cache aging.

To disable it, are these the options below?
com.iplanet.am.sdk.caching.enabled=false
com.sun.identity.sm.cache.enabled=false
com.sun.identity.idm.cache.enabled=false

https://wikis.forgerock.org/confluence/display/openam/Tune+Caches+in+OpenAM

> There has also been an OpenLDAP IdRepo implementation as a community
> extension, however I'm not sure if this implemented the OpenLDAP
> Content Synchronization protocol which would allow to update the IdRepo
> cache on an event basis.

Where can I find this plugin?

> Sure this would be possible too, but you need to check if some OpenLDAP
> specific feature is used by other client applications.

Yea. We use a scheme for access to eduroam¹. I believe that is the only feature that we have in our database.

¹ https://www.eduroam.org/

Another problem I'm facing now is that the progress of my configuration is stopped at "Loading Schema opendj_oathdevices.ldif ... Success" (https://bugster.forgerock.org/jira/browse/OPENAM-8875). After some research I found that it was fixed in version 13.5.0 (subscription only), but I'm using version 13 (free).

Is there another way to solve this problem?

--
Elias Pereira


Re: Access centralization methods

Bernhard Thalmayr
On 24/10/16 at 18:59, Elias Pereira wrote:
>     Sure, you can either disable IdRepo cache completely or use time-based
>     cache aging.
>
>
> To disable it, are these the options below?
> com.iplanet.am.sdk.caching.enabled=false

com.iplanet.am.sdk.caching.enabled=true

> com.sun.identity.sm.cache.enabled=false

com.sun.identity.sm.cache.enabled=true (That's for the Service
Management cache)

> com.sun.identity.idm.cache.enabled=false
>
> https://wikis.forgerock.org/confluence/display/openam/Tune+Caches+in+OpenAM
>
>     There has also been an OpenLDAP IdRepo implementation as a community
>     extension, however I'm not sure if this implemented the OpenLDAP
>     Content Synchronization protocol which would allow to update the IdRepo
>     cache on an event basis.
>
>
> Where can I find this plugin?

https://svn.forgerock.org/openam/trunk/community/extensions/openldaprepo/

It seems the extensions have not been migrated to the git repo.

>
>     Sure this would be possible too, but you need to check if some OpenLDAP
>     specific feature is used by other client applications.
>
>
> Yea. We use a scheme for access to eduroam¹. I believe that is the only
> feature that we have in our database.
>
> ¹ https://www.eduroam.org/
>
> Another problem I'm facing now is that the progress of my configuration
> is stopped at "Loading Schema opendj_oathdevices.ldif ... Success"
> <https://bugster.forgerock.org/jira/browse/OPENAM-8875>. After some
> research I found that it was fixed in version 13.5.0 (subscription
> only), but I'm using version 13 (free).
>
> Is there another way to solve this problem?

The bug mentions an external configuration store, so you could easily
prepare the external configuration store yourself.

-Bernhard

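Two of Bernhard's points in this thread decide how stale an identity can get in front of OpenAM: OpenLDAP lacks the persistent search and change notification controls that the built-in IdRepo cache update mechanism relies on (his first reply), so with OpenLDAP the choice is to disable the IdRepo cache or age it by time (his second reply and the property discussion above). The following is an added example, not code from the thread or from OpenAM/ForgeRock. It picks a refresh strategy from the control OIDs a directory advertises in its rootDSE, maps the strategy onto the cache properties named in the thread, and measures the window during which a user deactivated in the directory still reads as active. The rootDSE lists, the user entry and the IdRepoCache class are constructed stand-ins; the three com.sun.identity.idm.cache.entry.* TTL properties are assumed from the OpenAM cache-tuning documentation and are not on this page.

```python
"""Choosing an IdRepo cache-refresh strategy from a directory's advertised
controls and measuring the stale window each strategy leaves.

Added example (not from the thread or from OpenAM/ForgeRock). Everything
below runs offline against constructed data.
"""

# LDAP control OIDs (real values from the respective specifications).
PERSISTENT_SEARCH = "2.16.840.1.113730.3.4.3"   # persistent search (OpenDJ and others)
AD_NOTIFICATION = "1.2.840.113556.1.4.528"      # Active Directory change notification
SYNC_REQUEST = "1.3.6.1.4.1.4203.1.9.1.1"       # RFC 4533 content sync (OpenLDAP syncrepl)
PAGED_RESULTS = "1.2.840.113556.1.4.319"        # paged results, offered by all three

# Constructed rootDSE 'supportedControl' values for three directory types.
ROOTDSE = {
    "opendj": [PERSISTENT_SEARCH, PAGED_RESULTS],
    "ad": [AD_NOTIFICATION, PAGED_RESULTS],
    "openldap": [SYNC_REQUEST, PAGED_RESULTS],
}


def choose_strategy(supported_controls):
    """'event' when OpenAM's built-in IdRepo cache update has a control it can
    use, otherwise 'ttl'. RFC 4533 sync is deliberately not treated as 'event':
    the thread only mentions a community extension that might consume it."""
    controls = set(supported_controls)
    if PERSISTENT_SEARCH in controls or AD_NOTIFICATION in controls:
        return "event"
    return "ttl"


def openam_properties(strategy, ttl_minutes=5):
    """Map a strategy ('off', 'ttl' or 'event') onto the IdRepo cache properties."""
    props = {
        # Both stay 'true' as in Bernhard's reply; the SM cache is not the IdRepo cache.
        "com.iplanet.am.sdk.caching.enabled": "true",
        "com.sun.identity.sm.cache.enabled": "true",
        "com.sun.identity.idm.cache.enabled": "false" if strategy == "off" else "true",
    }
    if strategy == "ttl":
        # Assumed property names (OpenAM cache-tuning docs), not from the thread.
        props["com.sun.identity.idm.cache.entry.expire.enabled"] = "true"
        props["com.sun.identity.idm.cache.entry.user.expire.time"] = str(ttl_minutes)
        props["com.sun.identity.idm.cache.entry.default.expire.time"] = str(ttl_minutes)
    return props


class IdRepoCache:
    """Toy model (constructed) of an identity cache in front of a directory."""

    def __init__(self, directory, strategy, ttl_seconds):
        self.directory = directory      # dn -> attribute dict, plays the directory
        self.strategy = strategy        # 'off', 'ttl' or 'event'
        self.ttl = ttl_seconds
        self._entries = {}              # dn -> (attrs copy, fetched_at)

    def lookup(self, dn, now):
        if self.strategy == "off":
            return dict(self.directory[dn])           # every lookup hits the directory
        hit = self._entries.get(dn)
        if hit is not None:
            attrs, fetched_at = hit
            # 'event' trusts the cache until a notification evicts the entry;
            # 'ttl' trusts it only while the entry is younger than the TTL.
            if self.strategy == "event" or now - fetched_at < self.ttl:
                return attrs
        attrs = dict(self.directory[dn])
        self._entries[dn] = (attrs, now)
        return attrs

    def notify_change(self, dn):
        """Eviction driven by a persistent-search / change-notification event."""
        self._entries.pop(dn, None)


USER_DN = "uid=alice,ou=people,dc=example,dc=edu"   # constructed


def stale_window(strategy, ttl_seconds=300, notifications_delivered=True):
    """Seconds during which a user deactivated at t=1 still reads as Active."""
    directory = {USER_DN: {"inetUserStatus": "Active"}}
    cache = IdRepoCache(directory, strategy, ttl_seconds)
    cache.lookup(USER_DN, now=0)                          # warm the cache
    directory[USER_DN]["inetUserStatus"] = "Inactive"     # deactivated in the directory
    if strategy == "event" and notifications_delivered:
        cache.notify_change(USER_DN)
    return sum(
        1 for t in range(1, ttl_seconds + 2)
        if cache.lookup(USER_DN, now=t)["inetUserStatus"] == "Active"
    )


if __name__ == "__main__":
    for name, controls in ROOTDSE.items():
        print(name, "->", choose_strategy(controls), openam_properties(choose_strategy(controls)))
    for strat in ("off", "ttl", "event"):
        print(strat, "stale seconds:", stale_window(strat))
    # An 'event' cache whose directory never sends events (the OpenLDAP case
    # if the built-in mechanism were left on) stays stale for the whole run.
    print("event, no notifications:", stale_window("event", notifications_delivered=False))
```

The last line of the run is the case that matters for Elias's setup: leaving the event-driven update configured against a directory that never emits change notifications does not fail loudly, it silently serves the cached entry indefinitely, whereas a TTL bounds the exposure to the aging interval and disabling the cache removes it at the cost of a directory round trip per lookup.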

Re: Access centralization methods

Elias Pereira
> The bug mentions external configuration store, so you could easily
> prepare the external configuration store yourself.

I followed this link: https://wikis.forgerock.org/confluence/display/openam/3+OpenAM+Server+Configuration

[Inline image 2: screenshot of the configuration options, not preserved]

With both options shown in the picture above I get the bug error.

I don't know what is wrong.


On Mon, Oct 24, 2016 at 4:36 PM, Bernhard Thalmayr <[hidden email]> wrote:
Am 24/10/16 um 18:59 schrieb Elias Pereira:
>     Sure, you can either disable IdRepo cache completely or use time-based
>     cache aging.
>
>
> To disable, are these options below?
> /com.iplanet.am.sdk.caching.enabled=false

com.iplanet.am.sdk.caching.enabled=true

> com.sun.identity.sm.cache.enabled=false

com.sun.identity.sm.cache.enabled=true (That's for the Service
Management cache)

> com.sun.identity.idm.cache.enabled=false/
>
> https://wikis.forgerock.org/confluence/display/openam/Tune+Caches+in+OpenAM
>
>     There has also been an OpenLDAP IdRepo implementation as a community
>     extension, however I'm not sure if this implemented the OpenLDAP
>     Content Synchronization protocol which would allow to update the IdRepo
>     cache on an event basis.
>
>
> Where can I find this plugin?

https://svn.forgerock.org/openam/trunk/community/extensions/openldaprepo/

It seems the extensions have not been migrated to git repo.

>
>     Sure this would be possible too, but you need to check if some OpenLDAP
>     specific feature is used by other client applications.
>
>
> Yea.We use a scheme for access to eduroam¹. I believe that is the only
> feature that we have in our database.
>
> ¹. https://www.eduroam.org/
>
> Another problem I'm facing now is that the progress of my configuration
> is stopped at the Loading Schema opendj_oathdevices.ldif ... Success
> <https://bugster.forgerock.org/jira/browse/OPENAM-8875>. After some
> research I found that it was fixed in version 13.5.0 (subscription
> only), but I'm using version 13 (free).
>
> There is another way to solve this problem?

The bug mentions external configuration store, so you could easily
prepare the external configuration store yourself.

-Bernhard

--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.



--
Elias Pereira


Re: Access centralization methods

Elias Pereira
Bernhard,

I was using version 8 of Tomcat. At first that was the problem, because I installed version 7 and everything is ok.

On Mon, Oct 24, 2016 at 5:58 PM, Elias Pereira <[hidden email]> wrote:
 The bug mentions external configuration store, so you could easily
prepare the external configuration store yourself.


I follow this link: https://wikis.forgerock.org/confluence/display/openam/3+OpenAM+Server+Configuration

Inline image 2

In both options as shown in the picture above I get the bug error.

I don't know what is wrong.


--
Elias Pereira


Re: Access centralization methods

Elias Pereira
Hello,

I configured one realm with OpenLDAP and one realm with AD.

How do I get the computers that are in my domain to now access OpenAM to perform the verification? Is this possible?

NOTE: The verification would be as follows. Check if the user is in OpenLDAP. If not, check whether it is in AD.

On Mon, Oct 24, 2016 at 7:08 PM, Elias Pereira <[hidden email]> wrote:
Bernhard,

I was using version 8 of tomcat. At first that was the problem, because I installed version 7 and everything is ok.

On Mon, Oct 24, 2016 at 5:58 PM, Elias Pereira <[hidden email]> wrote:
 The bug mentions external configuration store, so you could easily
prepare the external configuration store yourself.


I follow this link: https://wikis.forgerock.org/confluence/display/openam/3+OpenAM+Server+Configuration

Inline image 2

In both options as shown in the picture above I get the bug error.

I don't know what is wrong.


On Mon, Oct 24, 2016 at 4:36 PM, Bernhard Thalmayr <[hidden email]> wrote:
Am 24/10/16 um 18:59 schrieb Elias Pereira:
>     Sure, you can either disable IdRepo cache completely or use time-based
>     cache aging.
>
>
> To disable, are these options below?
> /com.iplanet.am.sdk.caching.enabled=false

com.iplanet.am.sdk.caching.enabled=true

> com.sun.identity.sm.cache.enabled=false

com.sun.identity.sm.cache.enabled=true (That's for the Service
Management cache)

> com.sun.identity.idm.cache.enabled=false/
>
> https://wikis.forgerock.org/confluence/display/openam/Tune+Caches+in+OpenAM
>
>     There has also been an OpenLDAP IdRepo implementation as a community
>     extension, however I'm not sure if this implemented the OpenLDAP
>     Content Synchronization protocol which would allow to update the IdRepo
>     cache on an event basis.
>
>
> Where can I find this plugin?

https://svn.forgerock.org/openam/trunk/community/extensions/openldaprepo/

It seems the extensions have not been migrated to git repo.

>
>     Sure this would be possible too, but you need to check if some OpenLDAP
>     specific feature is used by other client applications.
>
>
> Yea.We use a scheme for access to eduroam¹. I believe that is the only
> feature that we have in our database.
>
> ¹. https://www.eduroam.org/
>
> Another problem I'm facing now is that the progress of my configuration
> is stopped at the Loading Schema opendj_oathdevices.ldif ... Success
> <https://bugster.forgerock.org/jira/browse/OPENAM-8875>. After some
> research I found that it was fixed in version 13.5.0 (subscription
> only), but I'm using version 13 (free).
>
> There is another way to solve this problem?

The bug mentions external configuration store, so you could easily
prepare the external configuration store yourself.

-Bernhard

>
> On Mon, Oct 24, 2016 at 2:14 PM, Bernhard Thalmayr
> <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Am 24/10/16 um 16:39 schrieb Elias Pereira:
>     >     OpenLDAP does neither support 'persistent search control' nor 'change
>     >     notification control' so you can not use OpenAM IdRepo cache update
>     >     mechanism for OpenLDAP.
>     >
>     >
>     > Ok. Would have any way to work without these options?
>
>     Sure, you can either disable IdRepo cache completely or use time-based
>     cache aging.
>
>     There has also been an OpenLDAP IdRepo implementation as a community
>     extension, however I'm not sure if this implemented the OpenLDAP
>     Content Synchronization protocol which would allow to update the IdRepo
>     cache on an event basis.
>     >
>     > Perhaps an alternative is to migrate the openldap base to openDJ base.
>     > It's possible?
>
>     Sure this would be possible too, but you need to check if some OpenLDAP
>     specific feature is used by other client applications.
>
>     -Bernhard
>
>
>     >
>     > On Mon, Oct 24, 2016 at 11:14 AM, Bernhard Thalmayr
>     > <[hidden email]
>     <mailto:[hidden email]>
>     > <mailto:[hidden email]
>     <mailto:[hidden email]>>> wrote:
>     >
>     >     Am 24/10/16 um 14:24 schrieb Elias Pereira:
>     >     > Hello guys,
>     >     >
>     >     > In our institution we have a openldap base and we will also
>     have a
>     >     > samba4 ADDC. The principle can not migrate our openldap base
>     to AD,
>     >     > because there are some services that synchronize with our
>     rectory
>     >     > through the openldap base. Our users perform login through
>     this base
>     >     > openldap.
>     >     >
>     >     > My doubts regarding the use of openam as the other access
>     centralized
>     >     > method.
>     >     >
>     >     > 1. We must have a openDJ base for the OpenAM function properly?
>     >
>     >     No
>     >     >
>     >     > 2. Can I use my databases (openldap and samba AD) in OpenAM
>     for my users
>     >     > to perform access through OpenAM? How would be the access
>     using a domain?
>     >
>     >     most likely.
>     >
>     >     OpenAM does not store user identity information itself, but rather
>     >     consumes identity information from configured user data stores.
>     >
>     >     You can even write your own user data store implemenatation.
>     >
>     >     OpenLDAP does neither support 'persistent search control' nor
>     'change
>     >     notification control' so you can not use OpenAM IdRepo cache
>     update
>     >     mechanism for OpenLDAP.
>     >
>     >     AD offers 'change notification control'.
>     >
>     >     Make sure to read about OpenAM IdRepo caching.
>     >
>     >     -Bernhard
>     >
>     >     >
>     >     > Thanks in advance!
>     >     >
>     >     > --
>     >     > Elias Pereira
>     >     >
>     >     >
>     >     > _______________________________________________
>     >     > Visit the OpenAM forum at
>     >     https://forgerock.org/forum/fr-projects/openam/
>     <https://forgerock.org/forum/fr-projects/openam/>
>     >     <https://forgerock.org/forum/fr-projects/openam/
>     <https://forgerock.org/forum/fr-projects/openam/>>
>     >     > OpenAM mailing list
>     >     > [hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     > https://lists.forgerock.org/mailman/listinfo/openam
>     <https://lists.forgerock.org/mailman/listinfo/openam>
>     >     <https://lists.forgerock.org/mailman/listinfo/openam
>     <https://lists.forgerock.org/mailman/listinfo/openam>>
>     >     >
>     >
>     >
>     >     --
>     >     Painstaking Minds
>     >     IT-Consulting Bernhard Thalmayr
>     >     Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
>     >     Tel: <a href="tel:%2B49%20%280%298062%207769174" value="+4980627769174" target="_blank">+49 (0)8062 7769174 <tel:%2B49%20%280%298062%207769174>
>     <tel:%2B49%20%280%298062%207769174>
>     >     Mobile: <a href="tel:%2B49%20%280%29176%2055060699" value="+4917655060699" target="_blank">+49 (0)176 55060699
>     <tel:%2B49%20%280%29176%<a href="tel:2055060699" value="+12055060699" target="_blank">2055060699> <tel:%2B49%20%280%29176%<a href="tel:2055060699" value="+12055060699" target="_blank">2055060699>
>     >
>     >     [hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email]
>     <mailto:[hidden email]>> - Solution Architect
>     >     http://www.xing.com/profile/Bernhard_Thalmayr
>     <http://www.xing.com/profile/Bernhard_Thalmayr>
>     >     <http://www.xing.com/profile/Bernhard_Thalmayr
>     <http://www.xing.com/profile/Bernhard_Thalmayr>>
>     >     http://de.linkedin.com/in/bernhardthalmayr
>     <http://de.linkedin.com/in/bernhardthalmayr>
>     >     <http://de.linkedin.com/in/bernhardthalmayr
>     <http://de.linkedin.com/in/bernhardthalmayr>>
>     >
>     >     This e-mail may contain confidential and/or privileged information.If
>     >     you are not the intended recipient (or have received this email in
>     >     error) please notify the sender immediately and delete this e-mail. Any
>     >     unauthorized copying, disclosure or distribution of the material in this
>     >     e-mail is strictly forbidden.
>     >     _______________________________________________
>     >     Visit the OpenAM forum at
>     >     https://forgerock.org/forum/fr-projects/openam/
>     <https://forgerock.org/forum/fr-projects/openam/>
>     >     <https://forgerock.org/forum/fr-projects/openam/
>     <https://forgerock.org/forum/fr-projects/openam/>>
>     >     OpenAM mailing list
>     >     [hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     https://lists.forgerock.org/mailman/listinfo/openam
>     <https://lists.forgerock.org/mailman/listinfo/openam>
>     >     <https://lists.forgerock.org/mailman/listinfo/openam
>     <https://lists.forgerock.org/mailman/listinfo/openam>>
>     >
>     >
>     >
>     >
>     > --
>     > Elias Pereira
>     >
>     >
>     > _______________________________________________
>     > Visit the OpenAM forum at
>     https://forgerock.org/forum/fr-projects/openam/
>     <https://forgerock.org/forum/fr-projects/openam/>
>     > OpenAM mailing list
>     > [hidden email] <mailto:[hidden email]>
>     > https://lists.forgerock.org/mailman/listinfo/openam
>     <https://lists.forgerock.org/mailman/listinfo/openam>
>     >
>
>
>     --
>     Painstaking Minds
>     IT-Consulting Bernhard Thalmayr
>     Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
>     Tel: <a href="tel:%2B49%20%280%298062%207769174" value="+4980627769174" target="_blank">+49 (0)8062 7769174 <tel:%2B49%20%280%298062%207769174>
>     Mobile: <a href="tel:%2B49%20%280%29176%2055060699" value="+4917655060699" target="_blank">+49 (0)176 55060699 <tel:%2B49%20%280%29176%<a href="tel:2055060699" value="+12055060699" target="_blank">2055060699>
>
>     [hidden email]
>     <mailto:[hidden email]> - Solution Architect
>     http://www.xing.com/profile/Bernhard_Thalmayr
>     <http://www.xing.com/profile/Bernhard_Thalmayr>
>     http://de.linkedin.com/in/bernhardthalmayr
>     <http://de.linkedin.com/in/bernhardthalmayr>
>
>     This e-mail may contain confidential and/or privileged information.If
>     you are not the intended recipient (or have received this email in
>     error) please notify the sender immediately and delete this e-mail. Any
>     unauthorized copying, disclosure or distribution of the material in this
>     e-mail is strictly forbidden.
>     _______________________________________________
>     Visit the OpenAM forum at
>     https://forgerock.org/forum/fr-projects/openam/
>     <https://forgerock.org/forum/fr-projects/openam/>
>     OpenAM mailing list
>     [hidden email] <mailto:[hidden email]>
>     https://lists.forgerock.org/mailman/listinfo/openam
>     <https://lists.forgerock.org/mailman/listinfo/openam>
>
>
>
>
> --
> Elias Pereira
>
>
> _______________________________________________
> Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: <a href="tel:%2B49%20%280%298062%207769174" value="+4980627769174" target="_blank">+49 (0)8062 7769174
Mobile: <a href="tel:%2B49%20%280%29176%2055060699" value="+4917655060699" target="_blank">+49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

--
Elias Pereira




Re: Access centralization methods

Rogério Augusto Rondini
Hi Elias,

According to your use case, I don't think it is a good idea to have 2 Realms.
Maybe it would be better if you create a single Realm with an Authentication Chain with 2 authentication modules, where OpenLDAP is SUFFICIENT and AD is REQUIRED.

Abs.

2016-11-23 12:42 GMT-02:00 Elias Pereira <[hidden email]>:
Hello,

I configured one realm with openldap and one realm with AD. 

How do I get the computers that are in my domain to now access OpenAM to perform the verification? Is this possible?

NOTE: The verification would be as follows: check whether the user is in OpenLDAP; if not, check whether it is in AD.

On Mon, Oct 24, 2016 at 7:08 PM, Elias Pereira <[hidden email]> wrote:
Bernhard,

I was using version 8 of Tomcat. At first that was the problem, because I installed version 7 and everything is OK.

On Mon, Oct 24, 2016 at 5:58 PM, Elias Pereira <[hidden email]> wrote:
> The bug mentions external configuration store, so you could easily
> prepare the external configuration store yourself.


I followed this link: https://wikis.forgerock.org/confluence/display/openam/3+OpenAM+Server+Configuration

[Inline image 2: screenshot not preserved]

With both options, as shown in the picture above, I get the bug error.

I don't know what is wrong.


On Mon, Oct 24, 2016 at 4:36 PM, Bernhard Thalmayr <[hidden email]> wrote:
On 24/10/16 at 18:59, Elias Pereira wrote:
>     Sure, you can either disable IdRepo cache completely or use time-based
>     cache aging.
>
>
> To disable, are these options below?
> com.iplanet.am.sdk.caching.enabled=false

com.iplanet.am.sdk.caching.enabled=true

> com.sun.identity.sm.cache.enabled=false

com.sun.identity.sm.cache.enabled=true (That's for the Service
Management cache)

> com.sun.identity.idm.cache.enabled=false
>
> https://wikis.forgerock.org/confluence/display/openam/Tune+Caches+in+OpenAM
>
>     There has also been an OpenLDAP IdRepo implementation as a community
>     extension, however I'm not sure if this implemented the OpenLDAP
>     Content Synchronization protocol which would allow to update the IdRepo
>     cache on an event basis.
>
>
> Where can I find this plugin?

https://svn.forgerock.org/openam/trunk/community/extensions/openldaprepo/

It seems the extensions have not been migrated to git repo.

>
>     Sure this would be possible too, but you need to check if some OpenLDAP
>     specific feature is used by other client applications.
>
>
> Yeah. We use a schema for access to eduroam¹. I believe that is the only
> feature that we have in our database.
>
> ¹. https://www.eduroam.org/
>
> Another problem I'm facing now is that the progress of my configuration
> is stopped at "Loading Schema opendj_oathdevices.ldif ... Success"
> <https://bugster.forgerock.org/jira/browse/OPENAM-8875>. After some
> research I found that it was fixed in version 13.5.0 (subscription
> only), but I'm using version 13 (free).
>
> Is there another way to solve this problem?

The bug mentions external configuration store, so you could easily
prepare the external configuration store yourself.

-Bernhard

>
> On Mon, Oct 24, 2016 at 2:14 PM, Bernhard Thalmayr <[hidden email]> wrote:
>
>     On 24/10/16 at 16:39, Elias Pereira wrote:
>     >     OpenLDAP does neither support 'persistent search control' nor 'change
>     >     notification control' so you can not use OpenAM IdRepo cache update
>     >     mechanism for OpenLDAP.
>     >
>     >
>     > Ok. Would have any way to work without these options?
>
>     Sure, you can either disable IdRepo cache completely or use time-based
>     cache aging.
>
>     There has also been an OpenLDAP IdRepo implementation as a community
>     extension, however I'm not sure if this implemented the OpenLDAP
>     Content Synchronization protocol which would allow to update the IdRepo
>     cache on an event basis.
>     >
>     > Perhaps an alternative is to migrate the openldap base to openDJ base.
>     > It's possible?
>
>     Sure this would be possible too, but you need to check if some OpenLDAP
>     specific feature is used by other client applications.
>
>     -Bernhard
>
>
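The chain Rogério proposes above (OpenLDAP SUFFICIENT followed by AD REQUIRED), and the fall-through behaviour Elias describes in his NOTE, can be checked by modelling the flag semantics an OpenAM authentication chain inherits from JAAS. The following Python model is an added example written for this page; it is not OpenAM code and not code from anyone in the thread. The two credential stores, user names and passwords are constructed test data standing in for the OpenLDAP and AD module instances, and `run_chain` implements the REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL rules as documented for the JAAS `LoginContext`.

```python
"""Model of the flag semantics of an OpenAM (JAAS-style) authentication chain.

Added example for this thread, not OpenAM code. The two credential stores
below are constructed stand-ins for the OpenLDAP and AD authentication
module instances; the chain rules follow the JAAS LoginContext flags.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample credentials (not real directories).
OPENLDAP_USERS: Dict[str, str] = {"alice": "correct-horse", "bob": "battery-staple"}
AD_USERS: Dict[str, str] = {"bob": "battery-staple", "carol": "pa55w0rd"}

AuthModule = Callable[[str, str], bool]


def bind_module(store: Dict[str, str]) -> AuthModule:
    """Return a module that 'binds' a user against a constructed store."""
    def authenticate(user: str, password: str) -> bool:
        return store.get(user) == password
    return authenticate


@dataclass
class ChainEntry:
    name: str
    flag: str          # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    module: AuthModule


def run_chain(chain: List[ChainEntry], user: str, password: str) -> Tuple[bool, List[str]]:
    """Evaluate the chain; return (authenticated, trace of modules consulted).

    JAAS rules: REQUIRED must succeed, but the chain continues on failure
    (so a caller cannot tell which module rejected it); REQUISITE stops the
    chain on failure; a SUFFICIENT success ends the chain with success
    unless an earlier REQUIRED/REQUISITE failed; OPTIONAL never decides alone.
    """
    trace: List[str] = []
    required_failed = False
    any_success = False
    for entry in chain:
        ok = entry.module(user, password)
        trace.append(f"{entry.name}:{entry.flag}:{'ok' if ok else 'fail'}")
        if entry.flag == "REQUIRED":
            if ok:
                any_success = True
            else:
                required_failed = True
        elif entry.flag == "REQUISITE":
            if ok:
                any_success = True
            else:
                return False, trace
        elif entry.flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, trace          # rest of the chain is skipped
        elif entry.flag == "OPTIONAL":
            if ok:
                any_success = True
        else:
            raise ValueError(f"unknown flag {entry.flag!r}")
    return (any_success and not required_failed), trace


def proposed_chain() -> List[ChainEntry]:
    """The chain suggested in the thread: OpenLDAP SUFFICIENT, then AD REQUIRED."""
    return [ChainEntry("OpenLDAP", "SUFFICIENT", bind_module(OPENLDAP_USERS)),
            ChainEntry("AD", "REQUIRED", bind_module(AD_USERS))]


def reversed_chain() -> List[ChainEntry]:
    """Same modules with the flags swapped, to show why the flag order matters."""
    return [ChainEntry("OpenLDAP", "REQUIRED", bind_module(OPENLDAP_USERS)),
            ChainEntry("AD", "SUFFICIENT", bind_module(AD_USERS))]


if __name__ == "__main__":
    for user, pw in [("alice", "correct-horse"), ("carol", "pa55w0rd"), ("alice", "nope")]:
        print(user, run_chain(proposed_chain(), user, pw))
    print("carol via reversed chain:", run_chain(reversed_chain(), "carol", "pa55w0rd"))
```

With the flags as proposed, a user that OpenLDAP accepts never reaches AD, and a user that only AD knows falls through to it; with the flags swapped (OpenLDAP REQUIRED, AD SUFFICIENT) the AD-only user is rejected even though the AD module succeeds, because a failed REQUIRED module fails the whole chain. One consequence of the proposed ordering worth noting: an account present in both stores with different passwords authenticates with either one, and whatever lockout or password policy AD enforces is never consulted when OpenLDAP accepts the credentials.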

Re: Access centralization methods

Elias Pereira
Hello Rogério, thanks for your answer!!

Ok, I had looked at this option as well. Suppose I use this option. How do I configure a computer in my domain for it to do this double-step auth check in OpenAM?

On Wed, Nov 23, 2016 at 3:15 PM, Rogério Augusto Rondini <[hidden email]> wrote:
Hi Elias,

According to your use case, I don't think it is a good idea to have 2 Realms.
Maybe it would be better if you create a single Realm with an Authentication Chain with 2 authentication modules, where OpenLDAP is SUFFICIENT and AD is REQUIRED.

Abs.


Re: Access centralization methods

Rogério Augusto Rondini
Hi Elias,

So... Actually I did not understand what you mean by "configure a computer in my domain".

The primary focus of OpenAM is Web Single Sign-On. It means that you can protect web applications and enable Single Sign-On between heterogeneous web applications. If you have web applications running in web or JEE containers like MS-IIS, Apache HTTP Server, IBM WebSphere, Tomcat, Oracle WebLogic and so on, the best way to protect these applications is to deploy the Policy Agent component.

I believe it would be useful for you to take a look at this presentation http://pt.slideshare.net/ForgeRock/openam-an-introduction , mainly at slide 17.

2016-11-23 17:30 GMT-02:00 Elias Pereira <[hidden email]>:
Hello Rogério, thanks for your answer!!

Ok, I had looked at this option as well. Suppose I use this option. How do I configure a computer in my domain for it to do this double-step auth check in OpenAM?

On Wed, Nov 23, 2016 at 3:15 PM, Rogério Augusto Rondini <[hidden email]> wrote:
Hi Elias,

According to your use case, I don't think it is a good idea to have 2 Realms.
Maybe it would be better if you create a single Realm with an Authentication Chain with 2 authentication modules, where OpenLDAP is SUFFICIENT and AD is REQUIRED.

Abs.

2016-11-23 12:42 GMT-02:00 Elias Pereira <[hidden email]>:
Hello,

I configured one realm with openldap and one realm with AD. 

How do I get the computers that are in my domain, now access the openam to perform the verification? This is possible?

NOTE: The verification would be as follows. Checks if user is in openldap. If not, check to see if it is in AD.

On Mon, Oct 24, 2016 at 7:08 PM, Elias Pereira <[hidden email]> wrote:
Bernhard,

I was using version 8 of tomcat. At first that was the problem, because I installed version 7 and everything is ok.

On Mon, Oct 24, 2016 at 5:58 PM, Elias Pereira <[hidden email]> wrote:
 The bug mentions external configuration store, so you could easily
prepare the external configuration store yourself.


I follow this link: https://wikis.forgerock.org/confluence/display/openam/3+OpenAM+Server+Configuration

Inline image 2

In both options as shown in the picture above I get the bug error.

I don't know what is wrong.


On Mon, Oct 24, 2016 at 4:36 PM, Bernhard Thalmayr <[hidden email]> wrote:
Am 24/10/16 um 18:59 schrieb Elias Pereira:
>     Sure, you can either disable IdRepo cache completely or use time-based
>     cache aging.
>
>
> To disable, are these options below?
> /com.iplanet.am.sdk.caching.enabled=false

com.iplanet.am.sdk.caching.enabled=true

> com.sun.identity.sm.cache.enabled=false

com.sun.identity.sm.cache.enabled=true (That's for the Service
Management cache)

> com.sun.identity.idm.cache.enabled=false/
>
> https://wikis.forgerock.org/confluence/display/openam/Tune+Caches+in+OpenAM
>
>     There has also been an OpenLDAP IdRepo implementation as a community
>     extension, however I'm not sure if this implemented the OpenLDAP
>     Content Synchronization protocol which would allow to update the IdRepo
>     cache on an event basis.
>
>
> Where can I find this plugin?

https://svn.forgerock.org/openam/trunk/community/extensions/openldaprepo/

It seems the extensions have not been migrated to git repo.

>
>     Sure this would be possible too, but you need to check if some OpenLDAP
>     specific feature is used by other client applications.
>
>
> Yea.We use a scheme for access to eduroam¹. I believe that is the only
> feature that we have in our database.
>
> ¹. https://www.eduroam.org/
>
> Another problem I'm facing now is that the progress of my configuration
> is stopped at the Loading Schema opendj_oathdevices.ldif ... Success
> <https://bugster.forgerock.org/jira/browse/OPENAM-8875>. After some
> research I found that it was fixed in version 13.5.0 (subscription
> only), but I'm using version 13 (free).
>
> There is another way to solve this problem?

The bug mentions external configuration store, so you could easily
prepare the external configuration store yourself.

-Bernhard



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr




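Bernhard's point earlier in the thread is that OpenAM's event-driven IdRepo cache refresh needs the persistent search control (Sun DS, OpenDJ) or AD's change notification control, and that OpenLDAP advertises neither, so against OpenLDAP the cache has to be disabled or aged by time. The check below is an added example written for this page, not OpenAM code: it reads the root DSE as `ldapsearch -x -H ldap://<host> -s base -b "" supportedControl` prints it, unfolds RFC 2849 continuation lines, and maps the advertised OIDs to a cache strategy. Both root DSEs are constructed samples (a typical slapd one and a subset of an AD one), the `cache.entry.*` expiry property names are taken from the OpenAM cache-tuning page as I remember it and should be verified against your version, and the five-minute values are assumptions.

```python
"""Map a directory's advertised LDAP controls to an OpenAM IdRepo cache strategy.

Added example for this thread; not OpenAM code. Input is root DSE LDIF such as:
    ldapsearch -x -H ldap://<host> -s base -b "" supportedControl
"""
import re

# Control OIDs. The first two are what the thread says OpenAM's IdRepo cache
# update mechanism needs; the third is OpenLDAP's own RFC 4533 mechanism.
PERSISTENT_SEARCH = "2.16.840.1.113730.3.4.3"      # draft-ietf-ldapext-psearch (Sun DS, OpenDJ)
AD_CHANGE_NOTIFICATION = "1.2.840.113556.1.4.528"  # LDAP_SERVER_NOTIFICATION_OID (Active Directory)
CONTENT_SYNC = "1.3.6.1.4.1.4203.1.9.1.1"          # RFC 4533 Sync Request (OpenLDAP syncrepl)

# Properties named in the thread (first two) plus the time-based aging ones.
# Assumed names/values: verify against the "Tune Caches in OpenAM" page for your version.
DISABLE_IDREPO_CACHE = [
    "com.iplanet.am.sdk.caching.enabled=false",
    "com.sun.identity.idm.cache.enabled=false",
]
TIME_BASED_AGING = [
    "com.iplanet.am.sdk.caching.enabled=true",
    "com.sun.identity.idm.cache.enabled=true",
    "com.iplanet.am.sdk.cache.entry.expire.enabled=true",
    "com.iplanet.am.sdk.cache.entry.user.expire.time=5",     # minutes, assumed value
    "com.iplanet.am.sdk.cache.entry.default.expire.time=5",  # minutes, assumed value
]


def parse_supported_controls(root_dse_ldif):
    """Return the set of OIDs listed as supportedControl in the root DSE LDIF.

    LDIF folds long values onto continuation lines that begin with one space
    (RFC 2849); they are joined first so a folded OID is not truncated.
    """
    unfolded = re.sub(r"\r?\n ", "", root_dse_ldif)
    return {m.group(1) for m in re.finditer(r"^supportedControl:[ \t]*(\S+)", unfolded, re.M)}


def idrepo_cache_strategy(controls):
    """Decide how an OpenAM LDAP data store on this server can keep its IdRepo cache fresh."""
    if PERSISTENT_SEARCH in controls:
        return {"mode": "event", "via": "persistent search control", "properties": []}
    if AD_CHANGE_NOTIFICATION in controls:
        return {"mode": "event", "via": "change notification control", "properties": []}
    result = {
        "mode": "time-based",
        "via": None,
        "properties": TIME_BASED_AGING,  # or DISABLE_IDREPO_CACHE to turn the cache off entirely
    }
    if CONTENT_SYNC in controls:
        # The stock LDAP IdRepo does not consume syncrepl; only a custom IdRepo
        # (such as the community openldaprepo extension the thread mentions) could.
        result["note"] = "server offers RFC 4533 content sync, unused by the stock LDAP IdRepo"
    return result


# Constructed sample: controls a typical OpenLDAP slapd root DSE advertises (one value folded).
OPENLDAP_ROOT_DSE = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.3.6.1.4.1.4203.1.9
 .1.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.1.12
"""

# Constructed sample: a subset of what a Samba AD DC / Active Directory root DSE advertises.
AD_ROOT_DSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.1339
"""

if __name__ == "__main__":
    for name, ldif in (("OpenLDAP", OPENLDAP_ROOT_DSE), ("AD", AD_ROOT_DSE)):
        print(name, idrepo_cache_strategy(parse_supported_controls(ldif)))
```

Run it against the real root DSE of each data store before deciding; the OIDs a server advertises are the authoritative answer, not the product name. When the result is time-based, pick the expiry with the security consequence in mind: an account disabled or deleted in OpenLDAP can stay in OpenAM's cache until the entry expires, so the interval bounds how long a revoked user remains resolvable.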
Re: Access centralization methods

Elias Pereira
Hi Rogério,

> So... Actually I did not understand what you mean on "configure a computer in my domain".

I had a misunderstanding about openam. I found that with it I could use my "openldap and samba ad" bases in a two step authentication in relation to the computers that are in our domain.

Like domain:
[Inline image 1]

> Primary focus of OpenAM is Web Single Sign On. It means that you can protect web applications and enable Single Sign On between heterogeneous web applications. If you have Web Applications running in Web or JEE containers like MS-IIS, Apache HTTP Server, IBM Websphere, Tomcat, Oracle Weblogic and so on, the best way to protect these applications is to deploy the Policy Agent component.

Ok. I watched and had some answers answered.

On Wed, Nov 23, 2016 at 9:29 PM, Rogério Augusto Rondini <[hidden email]> wrote:
Hi Elias,

So... Actually I did not understand what you mean on "configure a computer in my domain". 

Primary focus of OpenAM is Web Single Sign On. It means that you can protect web applications and enable Single Sign On between heterogeneous web applications. If you have Web Applications running in Web or JEE containers like MS-IIS, Apache HTTP Server, IBM Websphere, Tomcat, Oracle Weblogic and so on, the best way to protect these applications is to deploy the Policy Agent component.

I believe would be useful you take a look into this presentation http://pt.slideshare.net/ForgeRock/openam-an-introduction , mainly on the slide 17. 

2016-11-23 17:30 GMT-02:00 Elias Pereira <[hidden email]>:
Hello Rogério, thanks for your answer!!

Ok, I had looked at this option as well. Suppose I use this option. How do I configure a computer in my domain for it to do this double-step auth check in openam?

On Wed, Nov 23, 2016 at 3:15 PM, Rogério Augusto Rondini <[hidden email]> wrote:
Hi Elias,

According to your use case, I don't think it is a good idea to have 2 Realms.
Maybe would be better you create a single Realm with an Authentication Chain with 2 authentication modules where OpenLDAP is SUFFICIENT and AD is REQUIRED.

Abs.

2016-11-23 12:42 GMT-02:00 Elias Pereira <[hidden email]>:
Hello,

I configured one realm with openldap and one realm with AD. 

How do I get the computers that are in my domain, now access the openam to perform the verification? This is possible?

NOTE: The verification would be as follows. Checks if user is in openldap. If not, check to see if it is in AD.

On Mon, Oct 24, 2016 at 7:08 PM, Elias Pereira <[hidden email]> wrote:
Bernhard,

I was using version 8 of tomcat. At first that was the problem, because I installed version 7 and everything is ok.

On Mon, Oct 24, 2016 at 5:58 PM, Elias Pereira <[hidden email]> wrote:
 The bug mentions external configuration store, so you could easily
prepare the external configuration store yourself.


I follow this link: https://wikis.forgerock.org/confluence/display/openam/3+OpenAM+Server+Configuration

[Inline image 2]

In both options as shown in the picture above I get the bug error.

I don't know what is wrong.





--
Elias Pereira



--
Elias Pereira



--
Elias Pereira

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam



_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam




--
Elias Pereira

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam



_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam




--
Elias Pereira

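Rogério's suggestion in the exchange above, one realm with a chain in which OpenLDAP is SUFFICIENT and AD is REQUIRED, works because OpenAM authentication chains follow the JAAS control-flag rules. The simulation below is an added example written for this page, not OpenAM's code: `run_chain` implements the four JAAS flags generically, and the two "directories" are constructed in-memory user tables standing in for the OpenLDAP and Samba AD data stores, where a module succeeds when the supplied password matches. It shows that the recommended chain yields Elias's "check OpenLDAP, else check AD" behaviour, that making both modules REQUIRED would instead demand the user be valid in both stores, and what happens when the same username exists in both directories with different passwords.

```python
"""Simulate an OpenAM authentication chain under JAAS control-flag semantics.

Added example for this thread; not OpenAM code. The directories are constructed
in-memory tables standing in for the OpenLDAP and Samba AD data stores.
"""
from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


# Constructed sample credentials. "alice" exists in both stores with different passwords.
OPENLDAP_USERS = {"alice": "ldap-secret"}
AD_USERS = {"bob": "ad-secret", "alice": "ad-other-secret"}


def directory_module(users):
    """Build a module that behaves like a simple bind against the given user table."""
    return lambda user, password: users.get(user) == password


def run_chain(chain, user, password):
    """Apply the JAAS control flags OpenAM uses for authentication chains.

    REQUIRED   must succeed; on failure the remaining modules still run.
    REQUISITE  must succeed; on failure the chain stops immediately.
    SUFFICIENT success ends the chain successfully unless an earlier
               REQUIRED/REQUISITE module failed; its failure is ignored.
    OPTIONAL   only decides the outcome when no REQUIRED/REQUISITE module is configured.
    Returns (success, trace); trace lists the modules that were actually invoked.
    """
    trace = []
    required_seen = False
    required_failed = False
    non_required_ok = False
    for name, flag, module in chain:
        ok = module(user, password)
        trace.append((name, flag.value, ok))
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break
        elif flag is Flag.SUFFICIENT:
            if ok and not required_failed:
                non_required_ok = True
                break  # later modules, including a REQUIRED AD module, are not consulted
        elif ok:  # OPTIONAL
            non_required_ok = True
    success = (not required_failed) if required_seen else non_required_ok
    return success, trace


OPENLDAP = directory_module(OPENLDAP_USERS)
AD = directory_module(AD_USERS)

# The chain suggested in the thread: try OpenLDAP first, fall back to AD.
RECOMMENDED_CHAIN = [("OpenLDAP", Flag.SUFFICIENT, OPENLDAP), ("AD", Flag.REQUIRED, AD)]
# Same modules, both REQUIRED: the user must now be valid in both stores.
BOTH_REQUIRED_CHAIN = [("OpenLDAP", Flag.REQUIRED, OPENLDAP), ("AD", Flag.REQUIRED, AD)]

if __name__ == "__main__":
    for user, password in (("alice", "ldap-secret"), ("bob", "ad-secret"),
                           ("carol", "x"), ("alice", "ad-other-secret")):
        print(user, run_chain(RECOMMENDED_CHAIN, user, password))
    print("alice, both REQUIRED:", run_chain(BOTH_REQUIRED_CHAIN, "alice", "ldap-secret"))
```

Two consequences worth checking in a real deployment: a username present in both directories can log in with either store's password, so the weaker of the two governs that account; and every login that is not an OpenLDAP user first produces a failed bind against OpenLDAP before AD is tried, which matters for any lockout or alerting you have on failed binds there.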