uCosminexus Application Server, Security Management Guide

[Contents][Index][Back][Next]

5.16.3 Extension of object class and user definition attributes

When single sign-on is used, register the object class and user definition attributes that are specific to the single sign-on library to the LDAP directory server, in order to extend the object class and user attribute definitions.

The extended object class and user definition attributes are the schemas that are specific to single sign-on library and cannot be shared with other systems. If the LDAP directory server has already been used, check the schemas being used in the LDAP directory server to make sure that the schemas that are specific to single sign-on are not used.

Organization of this subsection
(1) Object Class to be extended in the single sign-on library
(2) User definition attributes to be extended in the single sign-on library
(3) Procedures used to add the object class and user definition attributes to be extended

(1) Object Class to be extended in the single sign-on library

The following table shows the object class that is specific to the single sign-on library.

Table 5-13 Object class that is specific to the single sign-on library

Object class OID Required attribute Optional attribute
CosminexusSSOEntry 1.2.392.200010.7.6.21 objectClass,
CosminexusSSOEntryID,
CosminexusSSOUID		 CosminexusSSOSecretdata,
CosminexusSSOPublicdata,
CosminexusSSOMapping

(2) User definition attributes to be extended in the single sign-on library

The following table shows the attributes that are specific to the single sign-on library.

Table 5-14 Attributes that are specific to the single sign-on library

Attribute OID Syntax Multi-value/single value
CosminexusSSOEntryID 1.2.392.200010.7.4.71 cis Single value
CosminexusSSOUID 1.2.392.200010.7.4.72 ces Single value
CosminexusSSOSecretdata 1.2.392.200010.7.4.73 bin Single value
CosminexusSSOPublicdata 1.2.392.200010.7.4.74 ces Single value
CosminexusSSOMapping 1.2.392.200010.7.4.75 dn Multi-value

(3) Procedures used to add the object class and user definition attributes to be extended

This section explains the procedures used to add the object class and user definition attributes to be extended with respect to the types of LDAP directory servers.

Sun Java System Directory Server or Oracle Directory Server Enterprise Edition:
Make sure that the LDAP directory server is started and register uaschema.slapd.ldif to the LDAP directory server by using the following command:
 
ldapmodify -h host name -p port number -D management bind DN -w password -c -f uaschema.slapd.ldif

IBM SecureWay Directory or IBM Directory Server:
Make sure that the LDAP directory server is started and register uaschema.ldif to the LDAP directory server by using the following command:
 
ldapmodify -h host name -p port number -D bind DN -w password -c -f uaschema.ldif
Specify the bind DN that has administrative rights.

Active Directory:
  1. Change the settings so that the schemas can be changed in Active Directory. Start Microsoft Management Consol (mmc.exe) and click Add or Remove Snap-ins to add Active Directory schemas. Right-click Active Directory Schema, select Operations Master, select the The Schema may be modified on this Domain Controller check box, and then click the OK button.
  2. Use the following command to register uaschema.ad.ldif to Active Directory (when you want to connect to the domain controller to which you log on as the current logged on user).
 
     ldifde -i -c "dc=domain" "ToDN" -f uaschema.ad.ldif
Enter the appropriate DN in ToDN, which depends on the domain. For example, if the domain is hitachi.co.jp, ToDN will be dc=hitachi,dc=co,dc=jp.

[Contents][Back][Next]

[Trademarks]

All Rights Reserved. Copyright (C) 2013, Hitachi, Ltd