...

openam.krypton.com and www.openam.krypton.com

First, OpenAM requires that these names resolve on the server itself. Edit your /etc/hosts file accordingly.

If you are not using real DNS, then ensure that these entries are on your client machine's hosts file.

Setup Tomcat

Set up Zero Footprint Tomcat to run as serveradmin. Do not start Tomcat yet.

...

If you really want to use an external data store for the configuration, read https://wikis.forgerock.org/confluence/display/openam/Configure+an+external+OpenDJ+or+OpenDS+as+the+configuration+store

User Data Store Settings

Per the wizard, the built-in OpenAM user data store is not supported in a production environment.

Other User Data Store = selected

...

SSL/TLS Enabled = no
Host Name = opendj.krypton.com
Port = 1389
Root Suffix = dc=krypton,dc=com
Login ID = cn=Directory Manager

...

This instance is not set up behind a load balancer

Run

The LDAP operation failed., refer to install.log under /opt/openam-config.0 for more information.

This is another bug, in a sense. Reading the manual carefully:

If you decide to use an existing installation of OpenDJ for configuration data, then you must first relax the restriction on objects with multiple structural object classes, by using the OpenDJ *dsconfig* command before completing OpenAM configuration.

Enter this on the command line. Note that -w puts the Directory Manager password on the command line, where it is visible in the process list and in shell history; dsconfig also accepts -j <file> to read the bind password from a file instead. -X trusts the administration connector's certificate without verifying it, and -n runs without prompting.

Code Block
cd /opt/opends.0
./dsconfig -h opendj.krypton.com -p 4444 -D "cn=Directory Manager" -w ****** set-global-configuration-prop --set single-structural-objectclass-behavior:warn -X -n

When the configuration completes, click Proceed to Login, and then log in as the OpenAM administrator.

There is a note in the online manual:

Panel

Restrict permissions to the configuration directory (by default $HOME/openam, where $HOME corresponds to the user who runs the web container).

But it gives no instructions on how to do this, or on why it is needed.

Ah, I figured it out. By default OpenAM uses the home directory of the user running the web container as the location for the OpenAM configuration files. It is saying to set permissions up so other users cannot modify it. In our case, we are using serveradmin as the user running the web container, but we chose a more explicit directory, /opt/openam-config, which is already configured to allow only staff and svradm.
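The manual's note put into practice, as an added example that is not from these notes or from OpenAM itself: a POSIX shell script that removes group write and all other-user permissions from the configuration directory and then reports anything still exposed. It assumes the directory holds the bootstrap file, the keystore and the .keypass/.storepass files, which is why no other user should be able to read it; the path /opt/openam-config and the serveradmin/staff owner are the ones used above and are defaults you can override.

```shell
#!/bin/sh
# Added example (not from the wiki page or from OpenAM/ForgeRock): lock down an
# OpenAM configuration directory as the manual's note asks for.
# Assumptions: the directory contains the bootstrap file, keystore.jks and the
# .keypass/.storepass files, so other users must not be able to read it.
# CONFIG_DIR, CONTAINER_USER and CONTAINER_GROUP mirror these notes; override
# them in the environment for a different layout.

CONFIG_DIR="${CONFIG_DIR:-/opt/openam-config}"
CONTAINER_USER="${CONTAINER_USER:-serveradmin}"
CONTAINER_GROUP="${CONTAINER_GROUP:-staff}"

# Print every entry under $1 that other users can read, write or traverse,
# or that the group can write. Empty output means the tree is locked down.
insecure_entries() {
    find "$1" \( -perm -o+r -o -perm -o+w -o -perm -o+x -o -perm -g+w \) -print
}

# Strip group write and all "other" bits from the whole tree. The owner keeps
# full control; the group keeps read (and traverse on directories), matching
# the "staff may read, nobody else" arrangement described above.
# Returns 0 when nothing under the directory is left exposed.
harden_config_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chmod -R g-w,o-rwx "$dir" || return 1
    leftovers=$(insecure_entries "$dir")
    if [ -n "$leftovers" ]; then
        printf 'still exposed:\n%s\n' "$leftovers" >&2
        return 1
    fi
    return 0
}

# Changing ownership needs root, so it is left as a separate step to run on
# the real host before harden_config_dir:
#   chown -R "$CONTAINER_USER:$CONTAINER_GROUP" "$CONFIG_DIR"

# When run directly with a directory argument, harden that directory.
if [ "$#" -gt 0 ]; then
    harden_config_dir "$1"
fi
```

Run it as `sh harden.sh /opt/openam-config` after the chown, then re-run `insecure_entries` whenever the configuration directory is rebuilt, since the configurator recreates files under the web container user's umask.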