How To Setup Active Directory Authentication In OpenAM
Original article: https://github.com/OpenIdentityPlatform/OpenAM/wiki/How-To-Setup-Active-Directory-Authenticaion-In-OpenAM
Preface
If your organization uses Microsoft Active Directory for user storage, it is good practice to use Active Directory user accounts to authenticate in all your enterprise applications. OpenAM supports Microsoft Active Directory.
But setting up Microsoft Active Directory as a user data store can be tricky. In this article, we will help you set up the user data store in OpenAM.
Setup Active Directory User Data Store
Enterprise users should be in a separate realm.
NOTE
Of course, you can use an existing realm or even use different data stores in a single realm in OpenAM. But in this manual, we will create a separate realm and a single data store for employees.
So log in to the OpenAM console as amadmin and create the realm /staff. Delete the default user data store in the /staff realm.
Then create an Active Directory data store with type Active Directory.
The most important settings are listed in the table below:
Setting | Value |
---|---|
Ldap Server | AD host and port, for example: ad.example.com:389 |
LDAP Bind DN | Bind DN or user name for AD, for example EXAMPLE\Administrator |
LDAP Bind Password | Bind DN password |
LDAP Organization DN | DN where users are located DC=ad,DC=example,DC=com |
LDAP Connection Pool Maximum Size | 128 |
Attribute Name Mapping | uid=sAMAccountName userPassword=unicodePwd |
LDAPv3 Plug-in Supported Types and Operations | user=read group=read realm=read |
LDAP Users Search Attribute | sAMAccountName |
LDAP Users Search Filter | (objectclass=person) |
DN Cache | Enabled |
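To see how the settings above fit together, here is an added example (not code from the OpenAM project) that parses the Attribute Name Mapping value, builds the user lookup filter the data store issues when a login name is resolved against the LDAP Users Search Attribute and LDAP Users Search Filter, and encodes a password the way the unicodePwd attribute expects it. The escaping step is the security-relevant part: a login name is attacker-controlled input, and without RFC 4515 escaping it could change the meaning of the filter. The values are constructed from the table; the function names are this example's own. One practical caveat: Active Directory only accepts writes to unicodePwd over an encrypted connection, so with the plain port 389 shown in the table, password changes through the data store will be rejected even though lookups and authentication work.

```python
# Added example: how the data store settings in the table combine at lookup time.
# Values below are constructed from the table; function names are this example's own.
ATTRIBUTE_NAME_MAPPING = "uid=sAMAccountName userPassword=unicodePwd"
USERS_SEARCH_ATTRIBUTE = "sAMAccountName"
USERS_SEARCH_FILTER = "(objectclass=person)"
ORGANIZATION_DN = "DC=ad,DC=example,DC=com"


def parse_attribute_mapping(mapping: str) -> dict:
    """Parse the space-separated 'openamAttr=adAttr' pairs into a dict."""
    result = {}
    for pair in mapping.split():
        openam_attr, _, ad_attr = pair.partition("=")
        if not openam_attr or not ad_attr:
            raise ValueError(f"malformed mapping entry: {pair!r}")
        result[openam_attr] = ad_attr
    return result


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters * ( ) \\ and NUL are replaced by \\XX hex escapes so that a
    login name such as '*)(objectclass=*' stays a literal string instead of
    widening the search.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search_filter(login_name: str,
                             search_attr: str = USERS_SEARCH_ATTRIBUTE,
                             base_filter: str = USERS_SEARCH_FILTER) -> str:
    """AND the configured users search filter with the search attribute.

    This is the shape of the query issued under the LDAP Organization DN when
    a login name typed on the login page is resolved to a directory entry.
    """
    return f"(&{base_filter}({search_attr}={escape_filter_value(login_name)}))"


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a password for AD's unicodePwd attribute.

    AD expects the password wrapped in double quotes and encoded as UTF-16LE;
    this is why userPassword is mapped to unicodePwd rather than written as-is.
    """
    return f'"{password}"'.encode("utf-16-le")


if __name__ == "__main__":
    print(parse_attribute_mapping(ATTRIBUTE_NAME_MAPPING))
    print("base:", ORGANIZATION_DN)
    print("filter:", build_user_search_filter("jdoe"))
    print("filter (hostile input):", build_user_search_filter("*)(objectclass=*"))
    print("unicodePwd:", encode_unicode_pwd("Pa55"))
```

Running the script shows the normal lookup `(&(objectclass=person)(sAMAccountName=jdoe))` next to the escaped form of a hostile login name, which remains a single equality match rather than a wildcard.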
Test Data Store and Authentication
If you set everything correctly, you should see the user accounts from your Active Directory in the Subjects tab of the realm.
Then test authentication: open the OpenAM URL in your browser, for example:
For XUI:
http://openam.example.org:8080/openam/XUI/?org=/staff#login/
For legacy UI:
http://openam.example.org:8080/openam/UI/Login?org=/staff
Enter your Active Directory credentials, and you should be successfully authenticated.