Is there a way to make OpenSSO/OpenAM talk to Data

2019-08-14 05:12发布

问题:

We want to use OpenSSO for our authentication and authorization needs but would prefer it talking to database instead of the default LDAP datastore. We found that there is an experimental Database datastore present in the OpenAM 9.0 release.

However, it seems to be just concerned with authentication and user lifecycle management. There is no provision for storing entitlements information in the database datastore. We would want to keep the entire authentication and authorization info in database.

I'm okay to even put some efforts in customizing the code to make OpenAM talk to database for evaluating the policies and decide on what a user can do or cannot do on particular resource. By the way, We have requirements to safe guard several kinds of resources, not just pages(URLs).

I have looked into the code and found that the base datastore classes like com.sun.identity.entitlement.opensso.DataStore.java, com.sun.identity.entitlement.PolicyDataStore.java , com.sun.identity.entitlement.opensso.OpenSSOPolicyDataStore.java

are all tightly bound to LDAP based implementation.

Are there any interfaces or abstract classes which I can customize to make opensso talk to database datastore for its entitlements and policy decisions?

I would be even willing to spend a couple of months effort in getting this work if some can provide any hints using which I can get started.

Thanks and Regards,

Samba

回答1:

This might help for authentication: http://rahul-ghose.blogspot.com/2014/05/openam-database-connectivity-with-mysql.html

The contents of the blog, made by Rahul Ghose

OpenAM database connectivity with MySql

This post comes after a long time. I had been really stuck with my project in creating a Single Sign On implementation. I was working with an amazing piece of software, OpenAM, formerly OpenSSO, currently maintained by the Forgerock community.

My setup: I used Tomcat with Mysql and OpenAM 11.0.0 running on Centos

So first things first, install mysql-connector-java for your operating system and you should get a jar file. Here is what I got on my box:

# rpm -ql mysql-connector-java | grep jar
/usr/share/java/mysql-connector-java-5.1.17.jar
/usr/share/java/mysql-connector-java.jar
Now copy this to your tomcat installation directory. At "$CATALINA_HOME/lib" and restart tomcat.

If you skip the above step, you will run into an error that looks like this:

java.lang.InstantiationException: JdbcSimpleUserDao.initialize: failed to load driver class jdbcDriver=com.mysql.jdbc.Driver exception=com.mysql.jdbc.Driver
    at com.sun.identity.idm.plugins.database.JdbcSimpleUserDao.initialize(JdbcSimpleUserDao.java:274)
    at com.sun.identity.idm.plugins.database.DatabaseRepo.initialize(DatabaseRepo.java:429)
    at com.sun.identity.idm.server.IdRepoPluginsCache.constructIdRepoPlugin(IdRepoPluginsCache.java:475)
    at com.sun.identity.idm.server.IdRepoPluginsCache.addIdRepo(IdRepoPluginsCache.java:353)
    at com.sun.identity.idm.server.IdRepoPluginsCache.removeIdRepo(IdRepoPluginsCache.java:251)
    at com.sun.identity.idm.server.IdRepoPluginsCache.organizationConfigChanged(IdRepoPluginsCache.java:646)
    at com.sun.identity.sm.ServiceConfigManagerImpl.notifyOrgConfigChange(ServiceConfigManagerImpl.java:493)
    at com.sun.identity.sm.ServiceConfigManagerImpl.objectChanged(ServiceConfigManagerImpl.java:453)
    at com.sun.identity.sm.SMSNotificationManager.sendNotifications(SMSNotificationManager.java:289)
    at com.sun.identity.sm.SMSNotificationManager$LocalChangeNotifcationTask.run(SMSNotificationManager.java:365)
    at com.iplanet.am.util.ThreadPool$WorkerThread.run(ThreadPool.java:306)

Next up, connect to your mysql server and navigate to this page in OpenAM (Access Control -> Realm (of your choice) -> Datastores -> New):

Step 1 of 2: Select type of Data store

Name: My_Database_Repo
Type: 
   Active Directory
   Active Directory Application Mode (ADAM)
   Database Repository (Early Access)  <--- TICK THIS ONE
   Generic LDAPv3
   OpenDJ
   Sun DS with OpenAM schema
   Tivoli Directory Server

Now click on next. We just need to change the following fields:

Password for Connecting to database: 
Password for Connecting to database (confirm):
JDBC driver url: jdbc:mysql://127.0.0.1:3306/test
Connect this user to database: root

Enter the password and username of your mysql database user. Also change the IP address, port and database name of your mysql database installation to refer to a table you have specifically reserved for OpenAM to use. OpenAM will be using 2 tables in this database, the names of which you need to specify here:

User Configuration
    *Database User Table Name: opensso_users

and here:

Group configuration
    Database Membership table name: groups

So for the user table, you need to create the columns as VARCHAR, somehow integer did not work for me. The column names which you need to have in your table can be found in this table here:

List of User Attributes Names in Database

uid
ChangePassword
sunIdentityMSISDNNumber
mail
sn
manager
preferredlocale
iplanet_am_user_password_reset_force_reset
givenname
iplanet_am_user_alias_list

I removed all the iplanet_* attributes and created an user table in MySql Database. Then used the following sql script to create the database entries for default configuration:

create database test;
use test; 
create table opensso_users (uid varchar(50), userpassword varchar(50), inetuserstatus integer, cn varchar(50),mail varchar(50),manager varchar(50), preferredlocale varchar(50), givenname varchar(50), telephonenumber varchar(50), telephonenumber varchar(50), telephonenumber varchar(50), sn varchar(50)  );
create table groups (uid varchar(50), group_name varchar(50), cn varchar(50));

Now add your users to this table and go, go, go!

NB: I could not get groups working with this configuration, if you have any know-how, please let me know

Read also:

1: https://wikis.forgerock.org/confluence/display/openidm/JDBC+Repository

2: Mailing list entry on database configuration



回答2:

Researching similar issue. Found custom authentication modules for for OpenAM: https://wikis.forgerock.org/confluence/display/openam/Write+a+custom+authentication+module



回答3:

I could make both authentication and authorization point to database (or any other storage support) by writing a new opensso repository. I did it by writing a new class which extends com.sun.identity.idm.IdRepo. This is quite long since the new class must overload a lot of IdRepo abstract methods.

But this allowed me to create a new datastore in opensso. To avoid issues with opensso internal datastore, I used my new datastore on a new realm.

I based my code on the opensso database and ldap repository example code (available in opensso sources).



回答4:

OpenAM configuration store is limited to LDAP directories at the moment, and the entitlements are stored in the configuration store, hence you may find this requirement quite difficult to implement. If you still really want to use DataBase as a backend, you would have to probably refactor a lot of code, and even then you may find that it isn't feasible at all.

The configuration is mainly retrieved/modified by the com.sun.identity.sm.SMSObject implementations, so you would have to come up with a custom impl that works with a database.