问题描述
我们想用OpenSSO的为我们的认证和授权的需求,但将preFER它
说话的数据库,而不是默认的LDAP数据存储。我们发现,在OpenAM 9.0版本的试验数据库数据present。
We want to use OpenSSO for our authentication and authorization needs but would prefer it talking to database instead of the default LDAP datastore. We found that there is an experimental Database datastore present in the OpenAM 9.0 release.
不过,这似乎只是关心认证和用户的生命周期管理。没有规定存储在数据库数据信息的权利。我们希望保持整个认证和数据库授权信息。
However, it seems to be just concerned with authentication and user lifecycle management. There is no provision for storing entitlements information in the database datastore. We would want to keep the entire authentication and authorization info in database.
我没事,甚至把一些努力,定制code键使OpenAM聊到数据库,用于评估政策和决定哪些用户可以做或特定资源无法做到的。顺便说一句,我们要求安全防范多种资源,而不仅仅是网页(网址)。
I'm okay to even put some efforts in customizing the code to make OpenAM talk to database for evaluating the policies and decide on what a user can do or cannot do on particular resource. By the way, We have requirements to safe guard several kinds of resources, not just pages(URLs).
我特地到code和发现的基础数据存储类,如 com.sun.identity.entitlement.opensso.DataStore.java 的
com.sun.identity.entitlement.PolicyDataStore.java 的
com.sun.identity.entitlement.opensso.OpenSSOPolicyDataStore.java 的
I have looked into the code and found that the base datastore classes like com.sun.identity.entitlement.opensso.DataStore.java,com.sun.identity.entitlement.PolicyDataStore.java ,com.sun.identity.entitlement.opensso.OpenSSOPolicyDataStore.java
都紧密结合的基于LDAP的实现。
are all tightly bound to LDAP based implementation.
有没有我可以定制,使OpenSSO的谈话数据库数据为它的待遇和政策决定任何接口或抽象类?
Are there any interfaces or abstract classes which I can customize to make opensso talk to database datastore for its entitlements and policy decisions?
我会更愿意花几个月的努力,在获得这个工作,如果有些可以用任何提示,我就可以开始提供。
I would be even willing to spend a couple of months effort in getting this work if some can provide any hints using which I can get started.
感谢和问候,
桑巴
推荐答案
这可能有助于验证:的
博客的内容的按的 做
The contents of the blog, made by Rahul Ghose
OpenAM数据库连接与MySQL
这来后很长一段时间后。我一直很坚持我在创造一个单点登录的实施项目。我是用一个惊人的软件工作,OpenAM,以前的OpenSSO,目前由Forgerock社区维护。
This post comes after a long time. I had been really stuck with my project in creating a Single Sign On implementation. I was working with an amazing piece of software, OpenAM, formerly OpenSSO, currently maintained by the Forgerock community.
我的设置:我使用的Tomcat与MySQL和OpenAM 11.0.0在CentOS运行
My setup: I used Tomcat with Mysql and OpenAM 11.0.0 running on Centos
所以,首先第一件事情,安装mysql-连接器的java为您的操作系统,你应该得到一个jar文件。下面是我得到了我的盒子:
So first things first, install mysql-connector-java for your operating system and you should get a jar file. Here is what I got on my box:
# rpm -ql mysql-connector-java | grep jar
/usr/share/java/mysql-connector-java-5.1.17.jar
/usr/share/java/mysql-connector-java.jar
Now copy this to your tomcat installation directory. At "$CATALINA_HOME/lib" and restart tomcat.
如果您跳过上面的步骤,你会遇到像这样的错误:
If you skip the above step, you will run into an error that looks like this:
java.lang.InstantiationException: JdbcSimpleUserDao.initialize: failed to load driver class jdbcDriver=com.mysql.jdbc.Driver exception=com.mysql.jdbc.Driver
at com.sun.identity.idm.plugins.database.JdbcSimpleUserDao.initialize(JdbcSimpleUserDao.java:274)
at com.sun.identity.idm.plugins.database.DatabaseRepo.initialize(DatabaseRepo.java:429)
at com.sun.identity.idm.server.IdRepoPluginsCache.constructIdRepoPlugin(IdRepoPluginsCache.java:475)
at com.sun.identity.idm.server.IdRepoPluginsCache.addIdRepo(IdRepoPluginsCache.java:353)
at com.sun.identity.idm.server.IdRepoPluginsCache.removeIdRepo(IdRepoPluginsCache.java:251)
at com.sun.identity.idm.server.IdRepoPluginsCache.organizationConfigChanged(IdRepoPluginsCache.java:646)
at com.sun.identity.sm.ServiceConfigManagerImpl.notifyOrgConfigChange(ServiceConfigManagerImpl.java:493)
at com.sun.identity.sm.ServiceConfigManagerImpl.objectChanged(ServiceConfigManagerImpl.java:453)
at com.sun.identity.sm.SMSNotificationManager.sendNotifications(SMSNotificationManager.java:289)
at com.sun.identity.sm.SMSNotificationManager$LocalChangeNotifcationTask.run(SMSNotificationManager.java:365)
at com.iplanet.am.util.ThreadPool$WorkerThread.run(ThreadPool.java:306)
接下来,连接到你的MySQL服务器,并导航到该页面中OpenAM(访问控制 - >服务器(您选择的) - >数据存储 - >新建):
Next up, connect to your mysql server and navigate to this page in OpenAM (Access Control -> Realm (of your choice) -> Datastores -> New):
Step 1 of 2: Select type of Data store
Name: My_Database_Repo
Type:
Active Directory
Active Directory Application Mode (ADAM)
Database Repository (Early Access) <--- TICK THIS ONE
Generic LDAPv3
OpenDJ
Sun DS with OpenAM schema
Tivoli Directory Server
现在点击下一步。我们只需要改变以下字段:
Now click on next. We just need to change the following fields:
Password for Connecting to database:
Password for Connecting to database (confirm):
JDBC driver url: jdbc:mysql://127.0.0.1:3306/test
Connect this user to database: root
输入你的mysql数据库用户的用户名和密码。同时改变你的mysql数据库安装的IP地址,端口和数据库名是指您已专门预留OpenAM使用表。 OpenAM将使用在该数据库中的表2,而你只需要在这里指定的名称:
Enter the password and username of your mysql database user. Also change the IP address, port and database name of your mysql database installation to refer to a table you have specifically reserved for OpenAM to use. OpenAM will be using 2 tables in this database, the names of which you need to specify here:
User Configuration
*Database User Table Name: opensso_users
在这里:
Group configuration
Database Membership table name: groups
因此,对于用户表,你需要创建一个列作为VARCHAR,不知何故整数没有为我工作。你需要在你的表中的列名可以在此表在这里找到:
So for the user table, you need to create the columns as VARCHAR, somehow integer did not work for me. The column names which you need to have in your table can be found in this table here:
List of User Attributes Names in Database
uid
ChangePassword
sunIdentityMSISDNNumber
mail
sn
manager
preferredlocale
iplanet_am_user_password_reset_force_reset
givenname
iplanet_am_user_alias_list
我删除了所有的iplanet_ *属性和MySQL数据库创建了一个用户表。然后用下面的SQL脚本来创建默认配置数据库的条目:
I removed all the iplanet_* attributes and created an user table in MySql Database. Then used the following sql script to create the database entries for default configuration:
create database test;
use test;
create table opensso_users (uid varchar(50), userpassword varchar(50), inetuserstatus integer, cn varchar(50),mail varchar(50),manager varchar(50), preferredlocale varchar(50), givenname varchar(50), telephonenumber varchar(50), telephonenumber varchar(50), telephonenumber varchar(50), sn varchar(50) );
create table groups (uid varchar(50), group_name varchar(50), cn varchar(50));
现在你的用户添加到该表走,走,走!
Now add your users to this table and go, go, go!
的注:我不能得到这个配置的工作组,如果您有任何诀窍,请让我知道的
阅读也:
1:
2:数据库配置邮件列表条目
2: Mailing list entry on database configuration
这篇关于有没有一种方法,使OpenSSO的/ OpenAM聊到数据库为其身份验证和授权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!