In a large scale IAMS infrastructure setup, it would be better if each OpenSSO server is configured to authenticate against a dedicated authentication source (in my case, Microsoft Active Directory).
Is this feature available in OpenSSO 8.0 U2? Yes, as far as the OpenSSO Admin Console is concerned. (see digram below)
However, you need to first figure out what does "local server name" means?
I had a hard time figuring out what this really mean. In the end, I had to read the source codes from OpenAM 9.5 (forgerock.com) to figure out. The code refers "local server name" to AM_SERVER_HOST.
private static final String localDsameServer = SystemPropertiesManager.get(
Constants.AM_SERVER_HOST);
OK, AM_SERVER_HOST should then be FQDN of the OpenSSO server.
Server Name is protocol
So, I'm up and running. I have the following in my Active Directory Primary Server:
osso1.xxx.xxx.xxx.sg|ad1.xxx.xxx.sg:636
osso2.xxx.xxx.xxx.sg|ad2.xxx.xxx.sg:636
I configured the reverse for my Active Directory Secondary Server:
osso1.xxx.xxx.xxx.sg|ad2.xxx.xxx.sg:636
osso2.xxx.xxx.xxx.sg|ad1.xxx.xxx.sg:636
Theoretically, this will definitely work. I was wrong! There is a bug in OpenSSO 8.0 U2.
The method getServerMapAttr() in CollectionHelper class is not able to detect that there are multiple entries. What's worse is it is not able to parse the String with the "|" to return the appropriate Active Directory server.
The code simply gets the first entry without any parsing and tries to connect. And of course, "Unknown host" is thrown.
Luckily, the code for this method in OpenAM 9.5 looks good. I copied and finally fixed the issue.
Thank you, OpenAM!
.
No comments:
Post a Comment