Sun ONE Identity Server Configuration Cookbook

by Mir Ali
September, 2003

We want to hear from you! Please send us your FEEDBACK.

Introduction

This article provides step-by-step instructions for configuring Sun ONE Identity Server 6.0 using the Identity Server console. For more information on Sun ONE Identity Server 6.0, refer to the documentation at http://docs.sun.com/.

Identity Server Provisioning

A provisioning system normally manages the user and system allocation of resources and services. Centralized or multiple points of administration managing this process can exist in an identity managed infrastructure. The provisioning system automates process enforcement of Identity Server administration across all other user authentication and access control systems. This process enforcement allows close and responsive coordination over who can obtain access to what information or system capability. Workflow is the automated process that enables and supports user provisioning. When an administrator assigns users their access rights, the workflow provisioning process triggers the appropriate notifications and updates to applications and individuals, which are required to complete the provisioning process. For example, when employees join an organization, the administrator adds their identity information to the system. The organization's facilities department then receives a notification to issue a desks, chairs, and office space. Managing and tracking changes to directory data is possible when the authoritative sources are identified and privileges to the data are established. The coordination of changes across existing systems and throughout the enterprise can then occur securely and seamlessly.

If you are using Sun ONE Directory Server 5.2 and have already provisioned it with users, you must make changes in the Directory Information Tree (DIT) before the Identity Server can recognize the user data. What you need to change depends on how the existing DIT is structured and how you plan to use the Identity Server. The Identity Server installation option using an existing DIT prepares existing entries to enable them to be managed by the Identity Server. However, you might also have to prepare the DIT manually before installing the Identity Server. For example, you might have an existing DIT that uses more than one type of entry to define organizations - dc=abc, dc=com, and o=xyz.com. In this case, reconfigure the existing DIT to standardize on which attribute is used (either dc or o). The ou attribute is used to define containers in the DIT structure. You might need to reconfigure the container entries if different attributes are used to define container entry types.

When an organization is created using the Identity Server tools, default roles, access control, a people containe,r and a groups container are also created below the organization. Default policies or services are not created for the organization.

Task 1: Configuring the Administration Service

• Open a browser window.
  
• Navigate to the Identity Server administration console using the following URL and credentials:
  http://hostname.dns-domainname:58080/amconsole
  User name: amadmin Password: password
  
• Select the Service Configuration tab. The Service Configuration window is displayed, as shown.
  

  
  

• Click on the arrow next to Administration Service in the Navigation pane.
  
• Check Enable User Management in the Data pane to enable user, role, and group management for all organizations.
  
• Click Save. To manage organizations using the Identity Server console, select the Identity Management tab, as shown above.
  

Task 2: Adding Organizations Using the Identity Server Console

• Choose Organizations from the View menu in the Identity Management Tab.
  Make sure you are in the correct parent organization - for example, the root organization or a sub-organization.
  
• Click New in the Navigation pane.
  
• The New Organization template displays in the Data pane.
  
• Type Finance in the name field in the Data pane or enter the full DNS name of the organization.
  
• Select a status of active or inactive.The default is active. This status can be changed at any time during the life of the organization by selecting the Properties icon. Selecting inactive disables login to the organization.
  
• Enter a value for the unique attribute and click add to add it to the Unique Attribute list.This is a list of attributes defined in the Sun ONE Directory Server schema. When the Attribute Uniqueness Enabled attribute is selected as true, each parent organization of the user created is checked. These parent organization are checked to determine if the Unique Attribute List attribute is configured. If this attribute is configured, a search is executed starting from that organization for the entire subtree. The search determines if any users exist with any of the attribute values contained in the list. If this type of entry exists, an error is returned. If this type of entry does not exist, the next sub-organization is checked. When all sub-organizations are checked, the user is created.
  

  
  

• Click Create.The new Finance organization is displayed in the Navigation pane. The amadmin command is useful for administrators who manage large amounts of data that would be time consuming to manage using the Identity Server console.
  

3. To delete an organization, complete the following steps:

• Select Organizations from the View menu in the Identity Management tab.
• Select the check box next to the name of the organization to delete.
• Click Delete.

Note - A warning message is not provided when performing a delete. All entries within the organization are deleted.

DOC ID# 1933