OpenIAM can authenticate users against repositories other than its own. Because all authentication in OpenIAM goes through the Authentication service, the underlying repository can be changed without any impact on the clients that consume that service. To configure OpenIAM to authenticate against an Active Directory repository, follow the steps below:
- Select Policy from the top-level menu.
- Select Authentication Policy from the drop-down and open a previously defined authentication policy, as shown below.
- In the field titled DEFAULT_LOGIN_MOD, enter the fully qualified class name of the Active Directory login module: `org.openiam.idm.srvc.auth.spi.ADLoginModule`
- The ADLoginModule requires that the following parameters in the `datasource.properties` file be set:

| Parameter Name | Description |
|---|---|
| login.ad.host | Name or IP address of the Active Directory service, given as an LDAP URL including the port. For example: `ldap://96.12.34.145:389` |
| login.ad.basedn | Base DN under which users are searched for during Active Directory based authentication. For example: `CN=Users,DC=build,DC=openiam,DC=local` |
| login.ad.username | Account used to bind to Active Directory in order to search for users. For example: `CN=Administrator,CN=Users,DC=build,DC=openiam,DC=local` |
| login.ad.password | Password for the above account. |
| login.ad.protocol | Protocol used to communicate with Active Directory. Unless a certificate has been installed, this is left set to CLEAR. Note that with CLEAR the bind password of the service account and the password of every authenticating user cross the network unencrypted, so switch to an encrypted connection as soon as a certificate is available. |

Note: When using Active Directory based authentication, the user's identity, though not the identity's password, must still exist within the OpenIAM repository. The reason is that OpenIAM maintains several attributes about an identity that are not necessarily native to the target repository, such as the last authentication attempt, the last successful login and the number of failed authentication attempts. Since not every repository can be expected to hold this information, OpenIAM records it for each identity regardless of which repository is used for authentication. A user that exists only in Active Directory therefore cannot log in until a matching identity has been created in OpenIAM.
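As a preflight check for the parameters above, here is an added example (not OpenIAM code) that parses a `datasource.properties` fragment and reports misconfigurations and security caveats before the ADLoginModule is switched on. The five `login.ad.*` keys are the ones listed on this page; the file format handled is plain Java properties; the sample values are constructed (they reuse the page's example host and DNs with a made-up password); and the warning about binding as Administrator is this editor's least-privilege recommendation rather than an OpenIAM requirement.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the login.ad.* fragment of datasource.properties.
# The host and DNs mirror the page's examples; the password is made up.
SAMPLE_PROPERTIES = """\
# Active Directory login module settings (constructed sample)
login.ad.host=ldap://96.12.34.145:389
login.ad.basedn=CN=Users,DC=build,DC=openiam,DC=local
login.ad.username=CN=Administrator,CN=Users,DC=build,DC=openiam,DC=local
login.ad.password=Sup3rSecret!
login.ad.protocol=CLEAR
"""

REQUIRED_KEYS = (
    "login.ad.host",
    "login.ad.basedn",
    "login.ad.username",
    "login.ad.password",
    "login.ad.protocol",
)

# A distinguished name is a comma-separated list of attr=value pairs
# (values with escaped commas are out of scope for this simple check).
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key: value' lines,
    '#' or '!' comment lines, surrounding whitespace ignored.
    A repeated key overrides the earlier value, as java.util.Properties does."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_ad_login_settings(props):
    """Return (errors, warnings) for the login.ad.* parameters.
    Errors mean the module cannot work; warnings are security caveats."""
    errors, warnings = [], []

    for key in REQUIRED_KEYS:
        if not props.get(key):
            errors.append(f"{key} is missing or empty")
    if errors:
        return errors, warnings

    url = urlsplit(props["login.ad.host"])
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        errors.append("login.ad.host must be an ldap:// or ldaps:// URL, e.g. ldap://host:389")
    elif url.port is None:
        warnings.append("login.ad.host has no explicit port; the LDAP default will be assumed")

    for key in ("login.ad.basedn", "login.ad.username"):
        if not DN_RE.match(props[key]):
            errors.append(f"{key} is not a distinguished name (expected e.g. CN=...,DC=...)")

    if props["login.ad.protocol"].upper() == "CLEAR":
        warnings.append(
            "login.ad.protocol=CLEAR: the service account bind password and every user's "
            "password cross the network unencrypted; install a certificate and use an "
            "encrypted connection as soon as possible"
        )

    # Binding as the built-in Administrator means a leak of this file yields
    # full domain control; a dedicated read-only service account limits the blast radius.
    first_rdn = props["login.ad.username"].split(",", 1)[0].strip().lower()
    if first_rdn == "cn=administrator":
        warnings.append("login.ad.username binds as Administrator; use a dedicated read-only service account")

    return errors, warnings


def audit(text):
    """Parse a properties file body and return {'errors': [...], 'warnings': [...]}."""
    errors, warnings = check_ad_login_settings(parse_properties(text))
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = audit(SAMPLE_PROPERTIES)
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1].upper()}: {msg}")
```

Run against the constructed sample, the check passes with no errors but reports two warnings: the CLEAR protocol and the Administrator bind account. Point `audit()` at the contents of your real `datasource.properties` to get the same report for a deployment.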