Remote LDAP for authentication and local LDAP for user profile
Hi all,
(Sorry for my english, it's not very good)
I want to use a remote LDAP for authentication purposes with Access Manager. Actually, I can authenticate users from the remote LDAP, but I can't view users in the "Subjects" tab in the sub-realm that I've created for this purpose. Is this normal? When a user logs in successfully he can only see the message:
Information
You have successfully logged in.
I think it is because the user hasn't got a profile. My question is, how do I create a user profile for everybody? How can I achieve this?
Please suggest.
Thanks in advance.
# 1
The following may help:
http://docs.sun.com/source/817-7644/appC_activedirauth.html
Specifically, "Access Manager requires that an account exist within Directory Server for authorization despite authentication being delegated to an external source. The options for this are:
* Use a meta directory to synchronize accounts.
* Enable dynamic profile creation which allows Access Manager to look for an account for the user in question. If none exists, the account is automatically created with the same account name used in Active Directory."
Also, see http://docs.sun.com/app/docs/doc/819-4670/6n6qardu3?a=view . Scroll down to "realm parameter" and "org parameter".
Ankush
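Of the two options quoted above, the "synchronize accounts" route is the one you can script yourself: compare the users the remote LDAP authenticates against the uids already present in the local Directory Server and generate LDIF add records for the missing profiles, which `ldapadd`/`ldapmodify` can then load. The following is an added example, not code from the thread or from the Sun documentation. The people container DN, the object classes of an Access Manager user profile, the `inetUserStatus` attribute and the user data are all assumptions constructed for the example; check them against your own schema before loading anything. It does follow RFC 2849 for the parts that usually bite: values with non-ASCII characters (or a leading space/colon/`<`) are base64-encoded with `::`, and long lines are folded with a leading space.

```python
"""Added example: emit LDIF to create local Access Manager profiles for users
who authenticate against a remote LDAP but have no local entry.

Assumptions (hypothetical, adjust for your deployment): the people container
is ou=People,o=subrealm,dc=example,dc=com, the profile object classes are
inetOrgPerson plus inetuser, and inetUserStatus marks the profile active.
"""
import base64

LOCAL_PEOPLE_BASE = "ou=People,o=subrealm,dc=example,dc=com"   # assumption
PROFILE_OBJECT_CLASSES = ("top", "person", "organizationalPerson",
                          "inetOrgPerson", "inetuser")          # assumption

# Constructed sample: attributes the remote directory returns for users who
# have authenticated successfully.
REMOTE_USERS = [
    {"uid": "jdoe", "cn": "John Doe", "sn": "Doe", "mail": "jdoe@example.com"},
    {"uid": "asmith", "cn": "Anna Smith", "sn": "Smith", "mail": "asmith@example.com"},
    {"uid": "mgarcia", "cn": "María García", "sn": "García", "mail": "mgarcia@example.com"},
]
# Constructed sample: uids that already have a profile in the local directory.
LOCAL_UIDS = {"jdoe"}

# RFC 2849 SAFE-STRING: first byte may not be NUL, LF, CR, SPACE, ':' or '<';
# remaining bytes may not be NUL, LF or CR; everything must be 7-bit ASCII.
SAFE_INIT = set(range(0x01, 0x80)) - {0x0A, 0x0D, 0x20, 0x3A, 0x3C}
SAFE_REST = set(range(0x01, 0x80)) - {0x0A, 0x0D}


def needs_base64(value: str) -> bool:
    """True when RFC 2849 requires the value to be written with '::'."""
    data = value.encode("utf-8")
    if not data:
        return False
    if data[0] not in SAFE_INIT:
        return True
    if any(b not in SAFE_REST for b in data[1:]):
        return True
    return data.endswith(b" ")   # trailing space SHOULD be encoded


def ldif_attr(name: str, value: str) -> str:
    """Render one attribute line, base64-encoding the value when required."""
    if needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def escape_dn_value(value: str) -> str:
    """Escape RFC 4514 special characters in an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def fold(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; continuation lines start with a single space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def missing_profiles(remote_users, local_uids):
    """Users authenticated remotely that have no local profile yet."""
    return [u for u in remote_users if u["uid"] not in local_uids]


def profile_ldif(user) -> str:
    """One LDIF 'add' record creating the local profile for a remote user."""
    dn = f"uid={escape_dn_value(user['uid'])},{LOCAL_PEOPLE_BASE}"
    lines = [ldif_attr("dn", dn), "changetype: add"]
    lines += [f"objectClass: {oc}" for oc in PROFILE_OBJECT_CLASSES]
    for attr in ("uid", "cn", "sn", "mail"):
        if attr in user:
            lines.append(ldif_attr(attr, user[attr]))
    lines.append("inetUserStatus: Active")   # assumption: marks profile usable
    return "\n".join(fold(line) for line in lines) + "\n"


def sync_ldif(remote_users=REMOTE_USERS, local_uids=LOCAL_UIDS) -> str:
    """LDIF for every remote user that is missing locally, blank-line separated."""
    return "\n".join(profile_ldif(u) for u in missing_profiles(remote_users, local_uids))


if __name__ == "__main__":
    print(sync_ldif())
```

Pipe the output into `ldapadd` against the local Directory Server. In production the two input sets come from LDAP searches (the remote base for authenticated users, the local people container for existing uids) rather than the constructed lists, and the object classes must match whatever your Access Manager user schema actually requires, or the entry will load but still not be treated as a profile.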
# 2
Specifically, "Access Manager requires that an account exist within Directory Server for authorization despite authentication being delegated to an external source. The options for this are:........."
This part of the doc is not entirely correct. Only certain subjects, like IdentityServerRoles subjects, require this. LDAPGroups, LDAPRoles, etc. don't require a profile in the local directory. You can modify the Policy Config service to point to an external directory and use these subjects.
From AM 7.0 onwards, we also provide AMIdentitySubject, which can be used with external directories based on the data store configuration of a realm.
shivaram