Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.5.0, 14.5.1
Fix Version/s: None
Support Ticket IDs:
When configuring any Data Store, the LDAP People Container Naming Attribute (sun-idrepo-ldapv3-config-people-container-value) and the LDAP Groups Container Naming Attribute (sun-idrepo-ldapv3-config-group-container-name) must each be a single ou located directly under the LDAP Organization DN (sun-idrepo-ldapv3-config-organization_name).
This does not always suit the structure of the underlying datastore; there may be additional levels of separation between the baseDN and the people/group containers.
The proposed use case is security based, where access is restricted by branch. Realm administrators are usually a subset of employees, while authenticated identities are consumers, employees, things, etc., for example:
Separate groups used to manage access within applications might then be:
ou=application1,ou=applications,dc=organization,dc=com
ou=application2,ou=applications,dc=organization,dc=com
This structure is not currently possible with the data store configuration properties. Given that the underlying datastore likely has no dependency on where data must be stored, this seems like an unnecessary configuration limitation within AM.
The use of multiple data stores within the same realm has been explored; because of the limitations where the underlying data is different, this will not work (
Permit non-relative DNs for people/group containers within data store configuration to cater for a more flexible directory structure.
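As an added illustration of the limitation described above (this is not code from the issue or from AM itself), the following check takes the organization DN and a planned container DN and reports whether it can be expressed with the current "single ou directly under the organization DN" properties. The DN parsing is deliberately simplified (no escaped commas or multi-valued RDNs), and the property name for the group container value is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, most specific first.
    Simplified: assumes no escaped commas and single-valued RDNs.
    Attribute names are lower-cased; values are compared as written."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

@dataclass
class ContainerConfig:
    # Maps onto the data store properties the issue describes, e.g.
    # sun-idrepo-ldapv3-config-group-container-name  -> naming_attribute
    # sun-idrepo-ldapv3-config-group-container-value -> value (assumed property name)
    naming_attribute: str
    value: str

def relative_container_config(org_dn: str, container_dn: str) -> Optional[ContainerConfig]:
    """Return the name/value pair AM can be configured with if container_dn is
    exactly one RDN below org_dn. Return None when the container is nested
    deeper (the case the issue asks to support) or is not under org_dn at all."""
    base = split_dn(org_dn)
    target = split_dn(container_dn)
    if len(target) != len(base) + 1 or target[1:] != base:
        return None
    attr, value = target[0]
    return ContainerConfig(naming_attribute=attr, value=value)

def compose_container_dn(org_dn: str, cfg: ContainerConfig) -> str:
    """The only DN shape the current properties can produce: <attr>=<value>,<organization DN>."""
    return f"{cfg.naming_attribute}={cfg.value},{org_dn}"

if __name__ == "__main__":
    org = "dc=organization,dc=com"
    # Constructed sample: the nested group branch from the issue cannot be expressed.
    for dn in ("ou=applications,dc=organization,dc=com",
               "ou=application1,ou=applications,dc=organization,dc=com"):
        cfg = relative_container_config(org, dn)
        print(dn, "->", cfg if cfg else "not expressible with current properties")
```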