2.2.3 Configuring an Admin User for the User Store

Identity Server must log in to each configured user store. It searches for users, and when a user is found, it reads the user's attribute values. When you configure a user store, you must supply the distinguished name of the user you want Identity Server to use for logging in. You can use the admin user of your user store, or you can create a specialized admin user for this purpose. When creating this admin user, you need to grant the following rights:

  • The admin user needs rights to browse the tree, so Identity Server can find the user who is trying to authenticate. The admin user needs browse rights to the object class that defines the users, and read and compare rights to the attributes of that class. When looking for the user, Identity Server uses the GUID and naming attributes of the user class:

    Directory          Object Class     GUID Attribute   Naming Attribute
    eDirectory         User             guid             cn
    Active Directory   User             objectGUID       sAMAccountName
    Sun ONE            inetOrgPerson    nsuniqueid       uid

  • Administrators need read rights to any attributes used in policies (Role, Form Fill, Identity Injection).

  • If a secret store is used in Form Fill policies, the administrator needs write rights to the attributes storing the secrets.

  • If a password management servlet is enabled, the administrator needs read rights to the attributes controlling grace login limits and remaining grace logins.

  • If you use an LDAP extension, the user must have write rights on ACL, which allows the user to check for account locks, password expiration, grace logins used, and so on.

    These operations require the additional rights: Access Manager uses NMAS, which requires the user to have write rights on ACL.

  • If you enable provisioning with the SAML or Liberty protocols, the administrator needs write rights to create users in the user store.

  • If you use X.509 authentication, the administrator needs write rights to update the user’s login status attributes.

  • If you use OAuth and the nidsOAuthGrant attribute, the administrator needs write access to that attribute. For more information, refer to Defining Global Settings.

If your user store is an eDirectory user store, Access Manager verifies that the administrator has sufficient rights to browse for users in the specified search contexts.

IMPORTANT: This check is not performed for Active Directory or Sun ONE. If your users cannot log in, verify that the user store administrator has appropriate rights to the specified search contexts.
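The verification the note above asks for, as an added example that is not part of the Access Manager documentation: bound as the user store admin, search each configured context for a known user by the naming attribute from the table and confirm the GUID attribute is readable. The `search` callable, the `sample_search` stand-in and the directory contents are constructed for the example; against a real store you would pass a bound LDAP client's search function instead.

```python
# Added example, not part of the Access Manager documentation: check that the
# user-store admin can find users in every configured search context and read
# their GUID attribute (the check Access Manager performs only for eDirectory).
# `search(base, ldap_filter, attrs)` stands in for a real LDAP search call such
# as python-ldap's search_s; the directory contents below are constructed.

# Object class, GUID attribute and naming attribute per directory (from the table).
USER_CLASS = {
    "eDirectory": ("User", "guid", "cn"),
    "Active Directory": ("User", "objectGUID", "sAMAccountName"),
    "Sun ONE": ("inetOrgPerson", "nsuniqueid", "uid"),
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the meaning of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def user_filter(directory: str, name: str) -> str:
    """Filter matching one user by the naming attribute Identity Server uses."""
    object_class, _, naming_attr = USER_CLASS[directory]
    return f"(&(objectClass={object_class})({naming_attr}={escape_filter_value(name)}))"

def check_admin_rights(search, directory, contexts, sample_user):
    """Return the search contexts in which the admin either cannot find
    sample_user (no browse right) or cannot read its GUID attribute."""
    _, guid_attr, _ = USER_CLASS[directory]
    failing = []
    for base in contexts:
        entries = search(base, user_filter(directory, sample_user), [guid_attr])
        if not any(guid_attr in attrs for _dn, attrs in entries):
            failing.append(base)
    return failing

# Constructed stand-in for an LDAP search bound as the admin user: what each
# search context returns to that account. ou=staff hides the guid attribute
# (no read right on it); ou=contractors returns nothing (no browse right).
VISIBLE_TO_ADMIN = {
    "ou=users,o=corp": [("cn=alice,ou=users,o=corp", {"guid": "1234", "cn": "alice"})],
    "ou=staff,o=corp": [("cn=alice,ou=staff,o=corp", {"cn": "alice"})],
    "ou=contractors,o=corp": [],
}

def sample_search(base, ldap_filter, attrs):
    return [(dn, {k: v for k, v in a.items() if k in attrs})
            for dn, a in VISIBLE_TO_ADMIN.get(base, [])]

if __name__ == "__main__":
    contexts = list(VISIBLE_TO_ADMIN)
    print(check_admin_rights(sample_search, "eDirectory", contexts, "alice"))
```

An empty result means the admin account has browse and read rights in every context; each listed context is one where users would fail to log in.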