OPENAM-11368

Allow finer control of DNs for people/group containers within a data store configuration

    Details

    • Type: Improvement
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.5.0, 14.5.1
    • Fix Version/s: None
    • Component/s: idrepo

      Description

      When configuring any Data Store, the LDAP People Container Naming Attribute (sun-idrepo-ldapv3-config-people-container-value) and LDAP Groups Container Naming Attribute (sun-idrepo-ldapv3-config-group-container-name) need to be a single ou directly under the LDAP Organization DN (sun-idrepo-ldapv3-config-organization_name). 

      This does not always suit the underlying datastore structure; there may be additional separation between the baseDN and the people/group containers. 

      The proposed use case is security based, where access is restricted by branch. Administrators of realms are usually a subset of employees; authenticated identities are consumers, employees, things, etc. For example:

      ou=consumer,ou=user,dc=organization,dc=com

      ou=employees,ou=user,dc=organization,dc=com

      ou=things,ou=user,dc=organization,dc=com

       

      Then separate Groups used to manage Access within applications might be:

      ou=application1,ou=applications,dc=organization,dc=com

      ou=application2,ou=applications,dc=organization,dc=com

      ...

      This structure is not currently possible with the data store configuration properties. Given that the underlying datastore likely has no dependency on where data must be stored, it seems like an unnecessary configuration limitation within AM.

      The use of multiple data stores within the same realm has been explored; due to the limitations where the underlying data is different, this will not work (OPENAM-7871). 

       

      Expectation:

      Permit non-relative DNs for people/group containers within data store configuration to cater for a more flexible directory structure.
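The following is an added illustration, not code from OpenAM or from the reporter. It models the DN composition the issue describes (one RDN prepended to the organization DN) and a hypothetical `resolve_container_dn` that would accept a full container DN, with the check a practitioner would want alongside it: an absolute container DN must still be subordinate to the organization DN, so a realm administrator cannot point the people or group container at an unrelated branch of the directory. All function names are assumptions for the example; they are not OpenAM properties or APIs.

```python
# Added example (not OpenAM code): how the current data-store properties compose
# container DNs, and what a "non-relative DN" option would need to verify.
import re

# Split a DN into RDNs on commas that are not backslash-escaped (RFC 4514 style).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def normalize_dn(dn):
    """Return the DN as a list of (type, value) pairs: types lowercased, whitespace trimmed."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition('=')
        if not attr or not value:
            raise ValueError(f"malformed RDN in DN: {rdn!r}")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def relative_container_dn(naming_attr, value, org_dn):
    """Current behaviour as the issue describes it: a single RDN directly under the org DN."""
    if '=' in value or _RDN_SPLIT.search(value):
        raise ValueError("container value must be a single RDN value, not a DN")
    return f"{naming_attr}={value},{org_dn}"


def is_subordinate(dn, base_dn):
    """True if dn lies strictly below base_dn (same RDN suffix plus at least one extra RDN)."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return len(d) > len(b) and d[-len(b):] == b


def resolve_container_dn(value, org_dn, naming_attr="ou", allow_absolute=False):
    """Hypothetical flexible resolution (an assumption for this example, not an AM option).

    A plain value keeps today's relative behaviour. With allow_absolute=True a full DN is
    accepted, but only when it is subordinate to the organization DN; otherwise the realm
    configuration could reach into branches the realm was never meant to see.
    """
    if '=' not in value:
        return relative_container_dn(naming_attr, value, org_dn)
    if not allow_absolute:
        raise ValueError("only a single container value under the organization DN is accepted")
    if not is_subordinate(value, org_dn):
        raise ValueError(f"{value!r} is not under organization DN {org_dn!r}")
    # Return the normalized form so comparisons elsewhere are case- and whitespace-insensitive.
    return ','.join(f"{t}={v}" for t, v in normalize_dn(value))


if __name__ == "__main__":
    org = "dc=organization,dc=com"
    # Today: only ou=<value> directly under the org DN can be expressed.
    print(relative_container_dn("ou", "people", org))
    # The structure from the issue, accepted only because it sits under the org DN.
    for branch in ("ou=consumer,ou=user", "ou=employees,ou=user", "ou=application1,ou=applications"):
        print(resolve_container_dn(f"{branch},{org}", org, allow_absolute=True))
    # A container outside the organization DN is rejected even with the flexible option.
    try:
        resolve_container_dn("ou=user,dc=other,dc=com", org, allow_absolute=True)
    except ValueError as exc:
        print("rejected:", exc)
```

The subordinate check is the piece that keeps a more flexible DN setting from becoming a privilege-escalation path: whoever can edit a realm's data store would otherwise be able to bind the realm's user or group container to any branch the bind account can read.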

              People

              • Assignee: Unassigned
              • Reporter: John Noble (john.noble)
              • Votes: 0
              • Watchers: 9
