OpenIAM allows you to authenticate users against repositories other than its own. Because all authentication in OpenIAM goes through the Authentication service, the underlying repository can be changed without impacting the clients that consume that service. To configure OpenIAM to authenticate against an LDAP repository, follow the steps below:
- Select Policy from the top level menu.
- Select Authentication Policy from the drop-down and view a previously defined authentication policy as shown below.
- In the field titled DEFAULT_LOGIN_MOD, enter the fully qualified name of the LDAP login module: `org.openiam.idm.srvc.auth.spi.LDAPLoginModule`
- The LDAPLoginModule requires that the following parameters in the datasource.properties file be updated:

| Parameter Name | Description |
|---|---|
| login.ldap.host | Name or IP of the LDAP directory service. For example: `ldap://96.12.34.145:389` |
| login.ldap.basedn | BaseDN that will be used to find the user for LDAP based authentication. For example: `DC=openiam,DC=org` |
| login.ldap.username | Account that will be used to connect to LDAP to search for users. For example: `CN=Directory Manager` |
| login.ldap.password | Password for the above user. |
| login.ldap.protocol | Protocol that will be used to communicate with LDAP. Unless a certificate has been installed, this should be left as CLEAR. |

Note: When using LDAP based authentication, the identity of the user (though not the identity's password) must still exist within the OpenIAM repository. The reason is that OpenIAM maintains several attributes about an identity that may not be native to the target repository, such as the last authentication attempt, the last successful login, the number of failed authentication attempts, and so on. Since it is not reasonable to expect every repository to hold this information, OpenIAM maintains it for each identity regardless of which repository is used for authentication.
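As an added example (not OpenIAM's own code), the following script parses the `login.ldap.*` entries from a `datasource.properties` file and reports what an administrator would want to know before enabling the LDAPLoginModule: which of the five documented keys are missing or empty, whether the host is given as an LDAP URL, and whether `login.ldap.protocol` is still set to `CLEAR`, which means the service-account bind credentials and the users' passwords travel over the network unencrypted. The sample properties text is constructed for the example and the hostname in it is a placeholder.

```python
"""Check the OpenIAM LDAPLoginModule settings in datasource.properties.

Added example, not OpenIAM's own code. It parses the key=value lines of a
Java-style .properties file and validates the five login.ldap.* keys that
the documentation lists.
"""
from __future__ import annotations

# The parameter names documented for the LDAPLoginModule.
REQUIRED_KEYS = (
    "login.ldap.host",
    "login.ldap.basedn",
    "login.ldap.username",
    "login.ldap.password",
    "login.ldap.protocol",
)

# Constructed sample of the relevant lines from datasource.properties
# (hostname and values are illustrative, not from a real deployment).
SAMPLE_PROPERTIES = """\
# LDAP login module settings
login.ldap.host=ldap://ldap.example.test:389
login.ldap.basedn=DC=openiam,DC=org
login.ldap.username=CN=Directory Manager
login.ldap.password=
login.ldap.protocol=CLEAR
"""


def parse_properties(text: str) -> dict[str, str]:
    """Parse the subset of .properties syntax used here: key=value (or
    key:value) lines, '#'/'!' comment lines and blank lines.  Only the first
    separator splits key from value, so a value such as
    'CN=Directory Manager' is kept whole."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not positions:
            props[line] = ""          # bare key with no value
            continue
        sep = min(positions)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_ldap_login_config(props: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every documented key
    is present and non-empty, the host is an LDAP URL, and the protocol is
    not the plaintext CLEAR setting."""
    findings: list[str] = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"missing: {key}")
        elif props[key] == "":
            findings.append(f"empty: {key}")
    host = props.get("login.ldap.host", "")
    if host and not host.startswith(("ldap://", "ldaps://")):
        findings.append("login.ldap.host should be an LDAP URL such as ldap://host:389")
    if props.get("login.ldap.protocol", "").upper() == "CLEAR":
        findings.append(
            "login.ldap.protocol=CLEAR: the service-account bind and user "
            "passwords cross the network in plaintext; install a certificate "
            "and change the protocol before exposing this to a real directory"
        )
    return findings


if __name__ == "__main__":
    for finding in check_ldap_login_config(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```

Run against the sample above it reports the empty `login.ldap.password` and the CLEAR protocol; point it at a real `datasource.properties` by reading the file into `parse_properties` instead of the constructed string.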