List: forgerock-openam-commit
Subject: [CommitOpenAM] [10296] branches/AME-3423: Merging 10214 10217 10218 10222 10224 10229 10230 10243 10
From: noreply () forgerock ! org
Date: 2014-08-28 15:42:34
Message-ID: 20140828154234.CEF10422A4 () sources ! internal ! forgerock ! com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[10296] branches/AME-3423: Merging 10214 10217 10218 10222 10224 10229 10230 10243 10244 10249 10251 10253 10254 10255 10258 10259 10265 10274 10276 10282 10288</title>
</head>
<body>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://sources.forgerock.org/changelog/openam/?cs=10296">10296</a></dd>
<dt>Author</dt> <dd>rwapshott</dd>
<dt>Date</dt> <dd>2014-08-28 16:42:34 +0100 (Thu, 28 Aug 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merging 10214 10217 10218 10222 10224 10229 10230 10243 10244 10249 10251 10253 10254 10255 10258 10259 10265 10274 10276 10282 10288</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branchesAME3423openamopenamauthenticationopenamauthhotpsrcmainjavacomsunidentityauthenticationmoduleshotpHOTPjava">branches/AME-3423/openam/openam-authentication/openam-auth-hotp/src/main/java/com/sun/identity/authentication/modules/hotp/HOTP.java</a></li>
<li><a href="#branchesAME3423openamopenamclientsdkpomxml">branches/AME-3423/openam/openam-clientsdk/pom.xml</a></li>
<li><a href="#branchesAME3423openamopenamcoresrcmainjavacomsunidentityentitlementopenssoPolicyPrivilegeManagerjava">branches/AME-3423/openam/openam-core/src/main/java/com/sun/identity/entitlement/opensso/PolicyPrivilegeManager.java</a></li>
<li><a href="#branchesAME3423openamopenamcoresrcmainjavaorgforgerockopenamctsapifilterTokenFilterBuilderjava">branches/AME-3423/openam/openam-core/src/main/java/org/forgerock/openam/cts/api/filter/TokenFilterBuilder.java</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxadminguidechaprealmsxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-realms.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxadminguidechaptuningxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-tuning.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxdevguidechaprestxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/dev-guide/chap-rest.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxinstallguidechapctsxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/install-guide/chap-cts.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxreferencechapconfigrefxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/reference/chap-config-ref.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxreferencechapendpointsxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/reference/chap-endpoints.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxreleasenoteschapwhatsnewxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/release-notes/chap-whats-new.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxwebreleasenoteschapwebagentsxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/web-release-notes/chap-web-agents.xml</a></li>
<li><a href="#branchesAME3423openamopenamentitlementssrcmainjavacomsunidentityentitlementPrivilegeManagerjava">branches/AME-3423/openam/openam-entitlements/src/main/java/com/sun/identity/entitlement/PrivilegeManager.java</a></li>
<li><a href="#branchesAME3423openamopenamfederationopenamfederationlibrarysrcmainjavacomsunidentitysaml2profileIDPSSOUtiljava">branches/AME-3423/openam/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml2/profile/IDPSSOUtil.java</a></li>
<li><a href="#branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestentitlementsJsonPolicyParserjava">branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/JsonPolicyParser.java</a></li>
<li><a href="#branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestentitlementsPolicyResourcejava">branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PolicyResource.java</a></li>
<li><a href="#branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestentitlementsPolicyStorejava">branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PolicyStore.java</a></li>
<li><a href="#branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestentitlementsPrivilegePolicyStorejava">branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PrivilegePolicyStore.java</a></li>
<li><a href="#branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestentitlementsmodeljsonJsonPolicyjava">branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/model/json/JsonPolicy.java</a></li>
<li><a href="#branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestguiceForgerockRestGuiceModulejava">branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/guice/ForgerockRestGuiceModule.java</a></li>
<li><a href="#branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamoauth2restTokenResourcejava">branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/oauth2/rest/TokenResource.java</a></li>
<li><a href="#branchesAME3423openamopenamforgerockrestsrctestjavaorgforgerockopenamforgerockrestentitlementsJsonPolicyParserTestjava">branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/JsonPolicyParserTest.java</a></li>
<li><a href="#branchesAME3423openamopenamforgerockrestsrctestjavaorgforgerockopenamforgerockrestentitlementsPolicyResourceTestjava">branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/PolicyResourceTest.java</a></li>
<li><a href="#branchesAME3423openamopenamforgerockrestsrctestjavaorgforgerockopenamforgerockrestentitlementsPrivilegePolicyStoreTestjava">branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/PrivilegePolicyStoreTest.java</a></li>
<li><a href="#branchesAME3423openamopenamoauth2srcmainjavaorgforgerockopenamoauth2OAuthTokenStorejava">branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OAuthTokenStore.java</a></li>
<li><a href="#branchesAME3423openamopenamoauth2srcmainjavaorgforgerockopenamoauth2OpenAMOAuth2ProviderSettingsFactoryjava">branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMOAuth2ProviderSettingsFactory.java</a></li>
<li><a href="#branchesAME3423openamopenamoauth2srcmainjavaorgforgerockopenamoauth2OpenAMTokenStorejava">branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMTokenStore.java</a></li>
<li><a href="#branchesAME3423openamopenamscriptingsrcmainjavaorgforgerockopenamscriptingsandboxGroovySandboxValueFilterjava">branches/AME-3423/openam/openam-scripting/src/main/java/org/forgerock/openam/scripting/sandbox/GroovySandboxValueFilter.java</a></li>
<li><a href="#branchesAME3423openamopenamserveronlysrcmainresourcesMETAINFservicescomgoogleinjectAbstractModule">branches/AME-3423/openam/openam-server-only/src/main/resources/META-INF/services/com.google.inject.AbstractModule</a></li>
<li><a href="#branchesAME3423openamopenamuipolicysrcmainjsorgforgerockopenamuipolicyManageApplicationsViewjs">branches/AME-3423/openam/openam-ui-policy/src/main/js/org/forgerock/openam/ui/policy/ManageApplicationsView.js</a></li>
<li><a href="#branchesAME3423openamopenamuipolicysrcmainjsorgforgerockopenamuipolicyManagePoliciesViewjs">branches/AME-3423/openam/openam-ui-policy/src/main/js/org/forgerock/openam/ui/policy/ManagePoliciesView.js</a></li>
<li><a href="#branchesAME3423openamopenamuipolicysrcmainresourcescsspolicycommonless">branches/AME-3423/openam/openam-ui-policy/src/main/resources/css/policy/common.less</a></li>
<li><a href="#branchesAME3423openamopenamuipolicysrctestqunitpolicyjs">branches/AME-3423/openam/openam-ui-policy/src/test/qunit/policy.js</a></li>
<li><a href="#branchesAME3423openamopenamuiriasrcmainjsorgforgerockopenamuidashboardDashboardViewjs">branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/DashboardView.js</a></li>
<li><a href="#branchesAME3423openamopenamuiriasrcmainjsorgforgerockopenamuidashboardmainjs">branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/main.js</a></li>
<li><a href="#branchesAME3423openamopenamuiriasrcmainjsorgforgerockopenamuiuserloginRESTLoginViewjs">branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/RESTLoginView.js</a></li>
<li><a href="#branchesAME3423openamopenamuiriasrcmainresourcescssopenamdashboardless">branches/AME-3423/openam/openam-ui-ria/src/main/resources/css/openam/dashboard.less</a></li>
<li><a href="#branchesAME3423openamopenamuiriasrcmainresourceslocalesentranslationjson">branches/AME-3423/openam/openam-ui-ria/src/main/resources/locales/en/translation.json</a></li>
<li><a href="#branchesAME3423openamopenamuiriasrcmainresourcestemplatesopenamDashboardTemplatehtml">branches/AME-3423/openam/openam-ui-ria/src/main/resources/templates/openam/DashboardTemplate.html</a></li>
<li><a href="#branchesAME3423openamopenamuiriasrcmainresourcestemplatesopenamoauth2TokensTemplatehtml">branches/AME-3423/openam/openam-ui-ria/src/main/resources/templates/openam/oauth2/TokensTemplate.html</a></li>
<li><a href="#branchesAME3423openssoproductswebagentsamsourceurlcpp">branches/AME-3423/opensso/products/webagents/am/source/url.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxadminguideimagestrusteddevicemgmtpng">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/images/trusted-device-mgmt.png</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresactivedirectoryxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-active-directory.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresadamxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-adam.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresdbxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-db.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresdseexml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-dsee.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresgenericldapv3xml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-generic-ldapv3.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresopendjxml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-opendj.xml</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastorestivolixml">branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-tivoli.xml</a></li>
<li><a href="#branchesAME3423openamopenamuiriasrcmainjsorgforgerockopenamuidashboardOAuthTokensDelegatejs">branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/OAuthTokensDelegate.js</a></li>
<li><a href="#branchesAME3423openamopenamuiriasrcmainjsorgforgerockopenamuidashboardOAuthTokensViewjs">branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/OAuthTokensView.js</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#branchesAME3423openamopenamcoresrcmainresourcesMETAINFservicescomgoogleinjectAbstractModule">branches/AME-3423/openam/openam-core/src/main/resources/META-INF/services/com.google.inject.AbstractModule</a></li>
</ul>
<h3>Property Changed</h3>
<ul>
<li><a href="#branchesAME3423">branches/AME-3423/</a></li>
<li><a href="#branchesAME3423communityextensionscrowdprovider">branches/AME-3423/community/extensions/crowdprovider/</a></li>
<li><a href="#branchesAME3423openam">branches/AME-3423/openam/</a></li>
<li><a href="#branchesAME3423openamopenamdocumentationopenamdocsource">branches/AME-3423/openam/openam-documentation/openam-doc-source/</a></li>
<li><a href="#branchesAME3423openamopenamoauth2">branches/AME-3423/openam/openam-oauth2/</a></li>
<li><a href="#branchesAME3423openamagents">branches/AME-3423/openam-agents/</a></li>
<li><a href="#branchesAME3423opensso">branches/AME-3423/opensso/</a></li>
<li><a href="#branchesAME3423openssoproducts">branches/AME-3423/opensso/products/</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchesAME3423"></a>
<div class="propset"><h4>Property changes: branches/AME-3423</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4>Modified: svn:mergeinfo</h4></div>
<span class="cx">/branches/AME-2526-SFO-between-sites:7510-8258
</span><span class="cx">/branches/AME-3612-pcunnington:9534-9723
</span><span class="cx">/branches/AME-3719:9517-9879
</span><span class="cx">/branches/IIS7PostData:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted:6910-6946
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes:8747-8835
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation:7834-7844
</span><span class="cx">/branches/ame4103:9979,9981,9998,10000,10002,10007-10008,10016,10018,10038
</span><span class="cx">/branches/ame4272:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2:7508-7697
</span><span class="cx">/branches/andy-ame1316-connectionfactory:5311-5328
</span><span class="cx">/branches/andy-cts-connection-pool:7098-7175
</span><span class="cx">/branches/andy-openam-2654:6872-6911
</span><span class="cx">/branches/andy-openam-2880:6451-6503
</span><span class="cx">/branches/andy-openam-2907:6531-6534
</span><span class="cx">/branches/andy-openam-3006:6709-6749
</span><span class="cx">/branches/andy-openam-3063:6927-6948
</span><span class="cx">/branches/andy-openam-3193:7124-7128
</span><span class="cx">/branches/andy-openam-3248:7171-7715
</span><span class="cx">/branches/andy-openam2743:6372-6439
</span><span class="cx">/branches/andy-openam2744:6347-6367
</span><span class="cx">/branches/andyAme2972:8270-8318
</span><span class="cx">/branches/andyAme3196:8853-9084
</span><span class="cx">/branches/andyOpenam1708:5576-5592
</span><span class="cx">/branches/andyOpenam2140:7819-7862
</span><span class="cx">/branches/andyOpenam2373:5600-5706
</span><span class="cx">/branches/andyOpenam2525:5601-5733
</span><span class="cx">/branches/andyOpenam3509:7881-7963
</span><span class="cx">/branches/andyOpenam3638:8094-8172
</span><span class="cx">/branches/andyPolicyCrest:8295-8813
</span><span class="cx">/branches/apforrest-ame1316:4881-5305
</span><span class="cx">/branches/maven_merge:2556-3124
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug:6767-6804
</span><span class="cx">/branches/openam2742-andy:6266-6323
</span><span class="cx">/branches/pcunnington-AME-3115-refactor:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158:8476-8577
</span><span class="cx">/branches/pcunnington-AME-350:4165-4344
</span><span class="cx">/branches/pcunnington-ame-344:4651-5199
</span><span class="cx">/branches/pcunnington-oauth2:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114:8314-8341
</span><span class="cx">/branches/policyimprovements:5513-5515
</span><span class="cx">/branches/rwapshott-AME-1739:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2160-session-size:6086-6319
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars:6170-6194
</span><span class="cx">/trunk:10107-10111,10114-10116,10119,10129-10131,10134-10136,1 \
0138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193,10196-10201,10204,10212
</span><span class="cx"> + /branches/10.1.0-Xpress:3888-3892
</span><span class="cx">/branches/AME-2526-SFO-between-sites:7510-8258
</span><span class="cx">/branches/AME-3612-pcunnington:9534-9723
</span><span class="cx">/branches/AME-3719:9517-9879
</span><span class="cx">/branches/IIS7PostData:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted:6910-6946
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes:8747-8835
</span><span class="cx">/branches/OPENAM-4384-ssoadm-classpath:10263-10264
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation:7834-7844
</span><span class="cx">/branches/ame4103:9979,9981,9998,10000,10002,10007-10008,10016,10018,10038
</span><span class="cx">/branches/ame4272:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2:7508-7697
</span><span class="cx">/branches/andy-ame1316-connectionfactory:5311-5328
</span><span class="cx">/branches/andy-cts-connection-pool:7098-7175
</span><span class="cx">/branches/andy-openam-2654:6872-6911
</span><span class="cx">/branches/andy-openam-2880:6451-6503
</span><span class="cx">/branches/andy-openam-2907:6531-6534
</span><span class="cx">/branches/andy-openam-3006:6709-6749
</span><span class="cx">/branches/andy-openam-3063:6927-6948
</span><span class="cx">/branches/andy-openam-3193:7124-7128
</span><span class="cx">/branches/andy-openam-3248:7171-7715
</span><span class="cx">/branches/andy-openam2743:6372-6439
</span><span class="cx">/branches/andy-openam2744:6347-6367
</span><span class="cx">/branches/andyAme2972:8270-8318
</span><span class="cx">/branches/andyAme3196:8853-9084
</span><span class="cx">/branches/andyOpenam1708:5576-5592
</span><span class="cx">/branches/andyOpenam2140:7819-7862
</span><span class="cx">/branches/andyOpenam2373:5600-5706
</span><span class="cx">/branches/andyOpenam2525:5601-5733
</span><span class="cx">/branches/andyOpenam3509:7881-7963
</span><span class="cx">/branches/andyOpenam3638:8094-8172
</span><span class="cx">/branches/andyPolicyCrest:8295-8813
</span><span class="cx">/branches/apforrest-ame1316:4881-5305
</span><span class="cx">/branches/maven_merge:2556-3124
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug:6767-6804
</span><span class="cx">/branches/openam2742-andy:6266-6323
</span><span class="cx">/branches/pcunnington-AME-3115-refactor:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158:8476-8577
</span><span class="cx">/branches/pcunnington-AME-350:4165-4344
</span><span class="cx">/branches/pcunnington-ame-344:4651-5199
</span><span class="cx">/branches/pcunnington-oauth2:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114:8314-8341
</span><span class="cx">/branches/policyimprovements:5513-5515
</span><span class="cx">/branches/rwapshott-AME-1739:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2160-session-size:6086-6319
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars:6170-6194
</span><span class="cx">/trunk:10107-10111,10114-10116,10119,10129-10131,10134-10136,1 \
0138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193,10196-102 \
01,10204,10212,10214,10217-10218,10222,10224,10229-10230,10243-10244,10249,10251,10253-10255,10258-10259,10265,10274,10276,10282,10288
</span><a id="branchesAME3423communityextensionscrowdprovider"></a>
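Review bot: the new svn:mergeinfo value on branches/AME-3423 gains an entry /branches/OPENAM-4384-ssoadm-classpath:10263-10264 that the log message's revision list does not name; the only other visible difference from the old value is the /trunk range extended with 10214 through 10288. Please confirm that the branch entry was carried in by one of the merged trunk revisions and not by a separate merge, and state in the log message that the listed revisions come from /trunk so the mergeinfo change can be checked against it.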
<div class="propset"><h4>Property changes: branches/AME-3423/community/extensions/crowdprovider</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4>Modified: svn:mergeinfo</h4></div>
<span class="cx">/branches/AME-3612-pcunnington/community/extensions/crowdprovider:9534-9723
</span><span class="cx">/branches/AME-3719/community/extensions/crowdprovider:9517-9879
</span><span class="cx">/branches/IIS7PostData/opensso/extensions/seraphprovider:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/community/extensions/crowdprovider:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/community/extensions/crowdprovider:6910-6946
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/community/extensions/crowdprovider:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/community/extensions/crowdprovider:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/community/extensions/crowdprovider:8747-8835
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/community/extensions/crowdprovider:7834-7844
</span><span class="cx">/branches/allanCSDK/extensions/seraphprovider:64-163
</span><span class="cx">/branches/ame4272/community/extensions/crowdprovider:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/community/extensions/crowdprovider:7508-7697
</span><span class="cx">/branches/maven_merge/community/extensions/crowdprovider:2556-2561
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/community/extensions/crowdprovider:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/community/extensions/crowdprovider:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/community/extensions/crowdprovider:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/community/extensions/crowdprovider:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/community/extensions/crowdprovider:6767-6804
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/community/extensions/crowdprovider:8348-8473
</span><span class="cx">/branches/pcunnington-oauth2/community/extensions/crowdprovider:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/community/extensions/crowdprovider:8314-8341
</span><span class="cx">/branches/rwapshott-AME-1739/community/extensions/crowdprovider:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/community/extensions/crowdprovider:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/community/extensions/crowdprovider:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/community/extensions/crowdprovider:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/community/extensions/crowdprovider:6086-6319
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/community/extensions/crowdprovider:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/community/extensions/crowdprovider:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/community/extensions/crowdprovider:6170-6194
</span><span class="cx">/trunk/community/extensions/crowdprovider:2556-2930,10107-101 \
11,10114-10116,10119,10129-10131,10134-10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193,10196-10201,10204,10212
</span><span class="cx"> + \
/branches/AME-2526-SFO-between-sites/community/extensions/crowdprovider:7510-8258 \
</span><span class="cx">/branches/AME-3612-pcunnington/community/extensions/crowdprovider:9534-9723
</span><span class="cx">/branches/AME-3719/community/extensions/crowdprovider:9517-9879
</span><span class="cx">/branches/IIS7PostData/opensso/extensions/seraphprovider:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/community/extensions/crowdprovider:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/community/extensions/crowdprovider:6910-6946
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/community/extensions/crowdprovider:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/community/extensions/crowdprovider:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/community/extensions/crowdprovider:8747-8835
</span><span class="cx">/branches/OPENAM-4384-ssoadm-classpath/community/extensions/crowdprovider:10263-10264
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/community/extensions/crowdprovider:7834-7844
</span><span class="cx">/branches/allanCSDK/extensions/seraphprovider:64-163
</span><span class="cx">/branches/ame4272/community/extensions/crowdprovider:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/community/extensions/crowdprovider:7508-7697
</span><span class="cx">/branches/maven_merge/community/extensions/crowdprovider:2556-2561
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/community/extensions/crowdprovider:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/community/extensions/crowdprovider:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/community/extensions/crowdprovider:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/community/extensions/crowdprovider:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/community/extensions/crowdprovider:6767-6804
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/community/extensions/crowdprovider:8348-8473
</span><span class="cx">/branches/pcunnington-oauth2/community/extensions/crowdprovider:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/community/extensions/crowdprovider:8314-8341
</span><span class="cx">/branches/rwapshott-AME-1739/community/extensions/crowdprovider:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/community/extensions/crowdprovider:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/community/extensions/crowdprovider:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/community/extensions/crowdprovider:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/community/extensions/crowdprovider:6086-6319
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/community/extensions/crowdprovider:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/community/extensions/crowdprovider:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/community/extensions/crowdprovider:6170-6194
</span><span class="cx">/trunk/community/extensions/crowdprovider:2556-2930,10107-101 \
11,10114-10116,10119,10129-10131,10134-10136,10138-10143,10146,10159-10161,10172,10174 \
-10176,10179,10182-10185,10191,10193,10196-10201,10204,10212,10214,10217-10218,10222,1 \
0224,10229-10230,10243-10244,10249,10251,10253-10255,10258-10259,10265,10274,10276,10282,10288
</span><a id="branchesAME3423openam"></a>
<div class="propset"><h4>Property changes: branches/AME-3423/openam</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4>Modified: svn:mergeinfo</h4></div>
<span class="cx">/branches/AME-2629/openam:7585-7632
</span><span class="cx">/branches/AME-2766-policy-entitlements-REST-APIs/openam:8455-8476
</span><span class="cx">/branches/AME-3087-entitlements-CREST-management/openam:8481-8664
</span><span class="cx">/branches/AME-3087_query_and_patch/openam:8667-8681
</span><span class="cx">/branches/AME-3405-session-read-from-cts/openam:8749-8823
</span><span class="cx">/branches/AME-3612-pcunnington/openam:9534-9723
</span><span class="cx">/branches/AME-3719/openam:9517-9879
</span><span class="cx">/branches/AME-3726-script-sandboxing/openam:9663-9819
</span><span class="cx">/branches/CTS-Async/openam:8847-9739
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/openam:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/openam:6910-6946
</span><span class="cx">/branches/OPENAM-3130-session-quota/openam:6958-6972
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/openam:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/openam:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/openam:8747-8835
</span><span class="cx">/branches/OPENAM-4028-connection-pool/openam:9750-10171
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/openam:7834-7844
</span><span class="cx">/branches/ame4272/openam:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/openam:7508-7697
</span><span class="cx">/branches/andy-ame1316-connectionfactory/openam:5311-5328
</span><span class="cx">/branches/andy-cts-connection-pool/openam:7098-7175
</span><span class="cx">/branches/andy-openam-2654/openam:6872-6911
</span><span class="cx">/branches/andy-openam-2880/openam:6451-6503
</span><span class="cx">/branches/andy-openam-2907/openam:6531-6534
</span><span class="cx">/branches/andy-openam-3006/openam:6709-6749
</span><span class="cx">/branches/andy-openam-3063/openam:6927-6948
</span><span class="cx">/branches/andy-openam-3193/openam:7124-7128
</span><span class="cx">/branches/andy-openam-3248/openam:7171-7715
</span><span class="cx">/branches/andy-openam2743/openam:6372-6439
</span><span class="cx">/branches/andy-openam2744/openam:6347-6367
</span><span class="cx">/branches/andyAme2972/openam:8270-8318
</span><span class="cx">/branches/andyAme3102/openam:8312-8413
</span><span class="cx">/branches/andyAme3196/openam:8853-9084
</span><span class="cx">/branches/andyOpenam1708/openam:5576-5592
</span><span class="cx">/branches/andyOpenam2140/openam:7819-7862
</span><span class="cx">/branches/andyOpenam2373/openam:5600-5706
</span><span class="cx">/branches/andyOpenam2525/openam:5601-5733
</span><span class="cx">/branches/andyOpenam3509/openam:7881-7963
</span><span class="cx">/branches/andyOpenam3638/openam:8094-8172
</span><span class="cx">/branches/andyPolicyCrest/openam:8295-8813
</span><span class="cx">/branches/apforrest-ame1316/openam:4881-5305
</span><span class="cx">/branches/apforrest_ame805_indextree/openam:4567-4852
</span><span class="cx">/branches/dirk_oauth_perf:5904
</span><span class="cx">/branches/dirk_sts:5297,5314,5317-5318,5320-5321
</span><span class="cx">/branches/oidc_authn:8507,8540,8557-8559,8565-8566
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/openam:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/openam:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/openam:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/openam:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/openam:6767-6804
</span><span class="cx">/branches/openam2742-andy/openam:6266-6323
</span><span class="cx">/branches/openam_10.1.0_xacml3_JAS/openam:4039-4140
</span><span class="cx">/branches/openam_10.2.0_xacml3_JAS/openam:4141-4379
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/openam:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/openam:8476-8577
</span><span class="cx">/branches/pcunnington-AME-350/openam:4165-4344
</span><span class="cx">/branches/pcunnington-ame-344/openam:4651-5199
</span><span class="cx">/branches/pcunnington-oauth2/openam:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/openam:8314-8341
</span><span class="cx">/branches/policyimprovements/openam:5513-5515
</span><span class="cx">/branches/rest_sts_publish:8167,8180,8214,8227,8245,8260
</span><span class="cx">/branches/rest_sts_view_bean:9690-9965
</span><span class="cx">/branches/rwapshott-AME-1739/openam:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/openam:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/openam:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/openam:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2027-cts-oids-should-follow-fr-oid-scheme/openam:5609-5614
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/openam:6086-6319
</span><span class="cx">/branches/rwapshott-ame-2311-index-names/openam:6058-6069
</span><span class="cx">/branches/rwapshott-ame-258-cts-replication/openam:5548-6055
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/openam:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/openam:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/openam:6170-6194
</span><span class="cx">/branches/rwapshott-openam-2729-saml2-error/openam:6247-6257
</span><span class="cx">/branches/sts_oidc_saml:8310,8352,8355,8368,8378-8379,8387-8388,8403,8410,8416
</span><span class="cx">/branches/sts_oidc_saml_redux:8417-8422,8424,8440,8445-8446,8460,8490,8498
</span><span class="cx">/branches/sts_restart_persistence:9003-9005,9009-9414
</span><span class="cx">/branches/sts_service_listeners:9968-10031,10047-10048,10053
</span><span class="cx">/branches/sts_token_gen_service:8706,8717-8720,8723-8725,8727-8728,8731,8737,8740-8742,8759-8760,8774-8776,8796-8797,8800-8801,8818-8819,8821
</span><span class="cx">/branches/sts_token_gen_service2:8844-8887,8894-9000
</span><span class="cx">/trunk/openam:10107-10111,10114-10116,10119,10129-10131,10134- \
10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193,10196-10201,10204,10212
</span><span class="cx"> + /branches/AME-2526-SFO-between-sites/openam:7510-8258
</span><span class="cx">/branches/AME-2629/openam:7585-7632
</span><span class="cx">/branches/AME-2766-policy-entitlements-REST-APIs/openam:8455-8476
</span><span class="cx">/branches/AME-3087-entitlements-CREST-management/openam:8481-8664
</span><span class="cx">/branches/AME-3087_query_and_patch/openam:8667-8681
</span><span class="cx">/branches/AME-3405-session-read-from-cts/openam:8749-8823
</span><span class="cx">/branches/AME-3612-pcunnington/openam:9534-9723
</span><span class="cx">/branches/AME-3719/openam:9517-9879
</span><span class="cx">/branches/AME-3726-script-sandboxing/openam:9663-9819
</span><span class="cx">/branches/CTS-Async/openam:8847-9739
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/openam:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/openam:6910-6946
</span><span class="cx">/branches/OPENAM-3130-session-quota/openam:6958-6972
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/openam:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/openam:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/openam:8747-8835
</span><span class="cx">/branches/OPENAM-4028-connection-pool/openam:9750-10171
</span><span class="cx">/branches/OPENAM-4384-ssoadm-classpath/openam:10263-10264
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/openam:7834-7844
</span><span class="cx">/branches/ame4272/openam:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/openam:7508-7697
</span><span class="cx">/branches/andy-ame1316-connectionfactory/openam:5311-5328
</span><span class="cx">/branches/andy-cts-connection-pool/openam:7098-7175
</span><span class="cx">/branches/andy-openam-2654/openam:6872-6911
</span><span class="cx">/branches/andy-openam-2880/openam:6451-6503
</span><span class="cx">/branches/andy-openam-2907/openam:6531-6534
</span><span class="cx">/branches/andy-openam-3006/openam:6709-6749
</span><span class="cx">/branches/andy-openam-3063/openam:6927-6948
</span><span class="cx">/branches/andy-openam-3193/openam:7124-7128
</span><span class="cx">/branches/andy-openam-3248/openam:7171-7715
</span><span class="cx">/branches/andy-openam2743/openam:6372-6439
</span><span class="cx">/branches/andy-openam2744/openam:6347-6367
</span><span class="cx">/branches/andyAme2972/openam:8270-8318
</span><span class="cx">/branches/andyAme3102/openam:8312-8413
</span><span class="cx">/branches/andyAme3196/openam:8853-9084
</span><span class="cx">/branches/andyOpenam1708/openam:5576-5592
</span><span class="cx">/branches/andyOpenam2140/openam:7819-7862
</span><span class="cx">/branches/andyOpenam2373/openam:5600-5706
</span><span class="cx">/branches/andyOpenam2525/openam:5601-5733
</span><span class="cx">/branches/andyOpenam3509/openam:7881-7963
</span><span class="cx">/branches/andyOpenam3638/openam:8094-8172
</span><span class="cx">/branches/andyPolicyCrest/openam:8295-8813
</span><span class="cx">/branches/apforrest-ame1316/openam:4881-5305
</span><span class="cx">/branches/apforrest_ame805_indextree/openam:4567-4852
</span><span class="cx">/branches/dirk_oauth_perf:5904
</span><span class="cx">/branches/dirk_sts:5297,5314,5317-5318,5320-5321
</span><span class="cx">/branches/oidc_authn:8507,8540,8557-8559,8565-8566
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/openam:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/openam:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/openam:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/openam:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/openam:6767-6804
</span><span class="cx">/branches/openam2742-andy/openam:6266-6323
</span><span class="cx">/branches/openam_10.1.0_xacml3_JAS/openam:4039-4140
</span><span class="cx">/branches/openam_10.2.0_xacml3_JAS/openam:4141-4379
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/openam:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/openam:8476-8577
</span><span class="cx">/branches/pcunnington-AME-350/openam:4165-4344
</span><span class="cx">/branches/pcunnington-ame-344/openam:4651-5199
</span><span class="cx">/branches/pcunnington-oauth2/openam:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/openam:8314-8341
</span><span class="cx">/branches/policyimprovements/openam:5513-5515
</span><span class="cx">/branches/rest_sts_publish:8167,8180,8214,8227,8245,8260
</span><span class="cx">/branches/rest_sts_view_bean:9690-9965
</span><span class="cx">/branches/rwapshott-AME-1739/openam:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/openam:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/openam:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/openam:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2027-cts-oids-should-follow-fr-oid-scheme/openam:5609-5614
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/openam:6086-6319
</span><span class="cx">/branches/rwapshott-ame-2311-index-names/openam:6058-6069
</span><span class="cx">/branches/rwapshott-ame-258-cts-replication/openam:5548-6055
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/openam:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/openam:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/openam:6170-6194
</span><span class="cx">/branches/rwapshott-openam-2729-saml2-error/openam:6247-6257
</span><span class="cx">/branches/sts_oidc_saml:8310,8352,8355,8368,8378-8379,8387-8388,8403,8410,8416
</span><span class="cx">/branches/sts_oidc_saml_redux:8417-8422,8424,8440,8445-8446,8460,8490,8498
</span><span class="cx">/branches/sts_restart_persistence:9003-9005,9009-9414
</span><span class="cx">/branches/sts_service_listeners:9968-10031,10047-10048,10053
</span><span class="cx">/branches/sts_token_gen_service:8706,8717-8720,8723-8725,8727-8728,8731,8737,8740-8742,8759-8760,8774-8776,8796-8797,8800-8801,8818-8819,8821
</span><span class="cx">/branches/sts_token_gen_service2:8844-8887,8894-9000
</span><span class="cx">/trunk/openam:10107-10111,10114-10116,10119,10129-10131,10134- \
10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193,10 \
196-10201,10204,10212,10214,10217-10218,10222,10224,10229-10230,10243-10244,10249,10251,10253-10255,10258-10259,10265,10274,10276,10282,10288
</span><a id="branchesAME3423openamopenamauthenticationopenamauthhotpsrcmainjavacomsunidentityauthenticationmoduleshotpHOTPjava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-authentication/openam-auth-hotp/src/main/java/com/sun/identity/authentication/modules/hotp/HOTP.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-authentication/openam-auth-hotp/src/main/java/com/sun/identity/authentication/modules/hotp/HOTP.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-authentication/openam-auth-hotp/src/main/java/com/sun/identity/authentication/modules/hotp/HOTP.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -24,9 +24,7 @@
</span><span class="cx"> *
</span><span class="cx"> * $Id: HOTP.java,v 1.1 2009/03/24 23:52:12 pluo Exp $
</span><span class="cx"> *
</span><del>- */
-/*
- * Portions Copyrighted 2012-2014 ForgeRock AS
</del><ins>+ * Portions Copyrighted 2012-2014 ForgeRock AS.
</ins><span class="cx"> * Portions Copyrighted 2014 Nomura Research Institute, Ltd
</span><span class="cx"> */
</span><span class="cx">
</span><span class="lines">@@ -52,7 +50,6 @@
</span><span class="cx"> import java.util.ResourceBundle;
</span><span class="cx">
</span><span class="cx"> public class HOTP extends AMLoginModule {
</span><del>- // local variables
</del><span class="cx">
</span><span class="cx"> protected static final String amAuthHOTP = \
"amAuthHOTP"; </span><span class="cx"> protected static final Debug \
debug = Debug.getInstance(amAuthHOTP); </span><span class="lines">@@ -66,35 +63,31 @@
</span><span class="cx"> public Map currentConfig;
</span><span class="cx"> protected Principal userPrincipal;
</span><span class="cx">
</span><del>- String enteredHOTPCode = null;
</del><ins>+ private String enteredHOTPCode = null;
</ins><span class="cx">
</span><span class="cx"> // Module specific properties
</span><del>- private static String AUTHLEVEL = \
"sunAMAuthHOTPAuthLevel";
- private static String GATEWAYSMSImplCLASS =
- "sunAMAuthHOTPSMSGatewayImplClassName";
- private static String CODEVALIDITYDURATION =
- "sunAMAuthHOTPPasswordValidityDuration";
- private static String CODELENGTH = "sunAMAuthHOTPPasswordLength";
- private static String CODEDELIVERY = "sunAMAuthHOTPasswordDelivery";
- String gatewaySMSImplClass = null;
- String codeValidityDuration = null;
- String codeLength = null;
- String codeDelivery = null;
-
- private int START_STATE = 2;
-
</del><ins>+ private static final String AUTHLEVEL = \
"sunAMAuthHOTPAuthLevel"; + private static final String \
GATEWAYSMSImplCLASS = "sunAMAuthHOTPSMSGatewayImplClassName"; + private \
static final String CODEVALIDITYDURATION = \
"sunAMAuthHOTPPasswordValidityDuration"; + private static final String \
CODELENGTH = "sunAMAuthHOTPPasswordLength"; + private static final \
String CODEDELIVERY = "sunAMAuthHOTPasswordDelivery"; + private static \
final String ATTRIBUTEPHONE = "openamTelephoneAttribute"; + private \
static final String ATTRIBUTECARRIER = "openamSMSCarrierAttribute"; + \
private static final String ATTRIBUTEEMAIL = "openamEmailAttribute"; \
</ins><span class="cx"> private static final String AUTO_CLICKING = \
"sunAMAuthHOTPAutoClicking"; </span><span class="cx"> private static \
final String SKIP_HOTP = "skipHOTP"; </span><del>- boolean skip = false;
- boolean hotpAutoClicking = false;
-
- private static String ATTRIBUTEPHONE = "openamTelephoneAttribute";
- private static String ATTRIBUTECARRIER = "openamSMSCarrierAttribute";
- private static String ATTRIBUTEEMAIL = "openamEmailAttribute";
</del><ins>+ private String gatewaySMSImplClass = null;
+ private String codeValidityDuration = null;
+ private String codeLength = null;
+ private String codeDelivery = null;
</ins><span class="cx"> private String telephoneAttribute = null;
</span><span class="cx"> private String carrierAttribute = null;
</span><span class="cx"> private String emailAttribute = null;
</span><ins>+ private boolean skip = false;
+ private boolean hotpAutoClicking = false;
</ins><span class="cx">
</span><ins>+ private int START_STATE = 2;
+
</ins><span class="cx"> private HOTPService hotpService;
</span><span class="cx">
</span><span class="cx"> public void init(Subject subject, Map sharedState, Map \
options) { </span><span class="lines">@@ -129,18 +122,35 @@
</span><span class="cx"> if (debug.messageEnabled()) {
</span><span class="cx"> debug.message("HOTP.init() : " + \
"HOTP resouce bundle locale=" + locale); </span><span class="cx"> }
</span><del>- try {
- userName = (String) sharedState.get(getUserKey());
- } catch (Exception e) {
- debug.error("HOTP.init() : " + "Unable to set userName : \
", e); </del><ins>+
+ userName = (String) sharedState.get(getUserKey());
+ if (userName == null || userName.isEmpty()) {
+ try {
+ //Session upgrade case. Need to find the user ID from the old \
session. + SSOTokenManager mgr = SSOTokenManager.getInstance();
+ InternalSession isess = \
getLoginState("HOTP").getOldSession(); + if (isess == null) \
{ + throw new AuthLoginException("amAuth", \
"noInternalSession", null); + }
+ SSOToken token = mgr.createSSOToken(isess.getID().toString());
+ userUUID = token.getPrincipal().getName();
+ userName = token.getProperty("UserToken");
+ if (debug.messageEnabled()) {
+ debug.message("HOTP.init() : UserName in SSOToken : " \
+ userName); + }
+ } catch (SSOException ssoe) {
+ debug.error("HOTP.init() : Unable to retrieve userName from \
existing session", ssoe); + } catch (AuthLoginException ale) {
+ debug.error("HOTP.init() : Unable to retrieve userName from \
existing session", ale); + }
</ins><span class="cx"> }
</span><span class="cx"> this.sharedState = sharedState;
</span><span class="cx">
</span><del>- if(sharedState.containsKey(SKIP_HOTP)) {
</del><ins>+ if (sharedState.containsKey(SKIP_HOTP)) {
</ins><span class="cx"> skip = (Boolean) sharedState.get(SKIP_HOTP);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- hotpAutoClicking = CollectionHelper.getMapAttr(options, \
AUTO_CLICKING).equals("true") ? true : false; </del><ins>+ \
hotpAutoClicking = CollectionHelper.getMapAttr(options, \
AUTO_CLICKING).equals("true"); </ins><span class="cx">
</span><span class="cx"> HOTPParams hotpParams = new \
HOTPParams(gatewaySMSImplClass, Long.parseLong(codeValidityDuration), </span><span \
class="cx"> telephoneAttribute, carrierAttribute, emailAttribute, \
codeDelivery, currentConfig, </span><span class="lines">@@ -149,39 +159,16 @@
</span><span class="cx"> hotpService = new \
HOTPService(getAMIdentityRepository(getRequestOrg()), userName, hotpParams); \
</span><span class="cx"> } </span><span class="cx">
</span><del>- public int process(Callback[] callbacks, int state)
- throws AuthLoginException {
- if(skip) {
</del><ins>+ public int process(Callback[] callbacks, int state) throws \
AuthLoginException { + if (skip) {
</ins><span class="cx"> debug.message("Skipping HOTP module");
</span><span class="cx"> return ISAuthConstants.LOGIN_SUCCEED;
</span><span class="cx"> }
</span><del>- try {
- if (userName == null || userName.length() == 0) {
- // session upgrade case. Need to find the user ID from the old
- // session
- SSOTokenManager mgr = SSOTokenManager.getInstance();
- InternalSession isess = \
getLoginState("HOTP").getOldSession();
- if (isess == null) {
- throw new AuthLoginException("amAuth", \
"noInternalSession",
- null);
- }
- SSOToken token = mgr.createSSOToken(isess.getID().toString());
- userUUID = token.getPrincipal().getName();
- userName = token.getProperty("UserToken");
- if (debug.messageEnabled()) {
- debug.message("HOTP.process() : " + "UserName in \
SSOToekn : " + userName);
- }
</del><ins>+ if (userName == null || userName.length() == 0) {
+ throw new AuthLoginException("amAuth", "noUserName", \
null); + }
</ins><span class="cx">
</span><del>- if (userName == null || userName.length() == 0) {
- throw new AuthLoginException("amAuth", \
"noUserName", null);
- }
- }
- } catch (SSOException e) {
- debug.error("HOTP.process() : " + \
"SSOException", e);
- throw new InvalidPasswordException("amAuth", \
"invalidPasswd", null);
- }
-
- if( state == 1) {
</del><ins>+ if (state == 1) {
</ins><span class="cx"> if(hotpAutoClicking) {
</span><span class="cx"> debug.message("Auto sending OTP \
code"); </span><span class="cx"> try {
</span></span></pre></div>
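Review bot: in the init() hunk of HOTP.java (@@ -129,18 +122,35 @@), the session-upgrade lookup catches both SSOException and AuthLoginException and only logs them, so the noInternalSession error thrown inside the try block never reaches the caller and the failure resurfaces later from process() as noUserName. Consider keeping the original cause and rethrowing it from process(), or state in a comment that noUserName is the intended outcome for a failed session upgrade. In the same hunk, CollectionHelper.getMapAttr(options, AUTO_CLICKING).equals("true") dereferences the lookup result; writing "true".equals(...) would tolerate a null return.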
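Review bot: in the process() hunk of HOTP.java (@@ -149,39 +159,16 @@), the removed catch block mapped SSOException to InvalidPasswordException("amAuth", "invalidPasswd", null), while the new code reports every failed lookup as AuthLoginException with noUserName. That is a visible behaviour change for anything that keys on the old invalidPasswd outcome and it deserves a line in the commit log. The check also uses userName.length() == 0 where init() uses userName.isEmpty(); pick one form for both.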
<a id="branchesAME3423openamopenamclientsdkpomxml"></a>
<div class="modfile"><h4>Modified: branches/AME-3423/openam/openam-clientsdk/pom.xml \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- branches/AME-3423/openam/openam-clientsdk/pom.xml 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-clientsdk/pom.xml 2014-08-28 15:42:34 UTC (rev \
10296) </span><span class="lines">@@ -250,6 +250,7 @@
</span><span class="cx"> \
<include>org/forgerock/openam/authentication/service/protocol/**</include>
</span><span class="cx"> \
<include>org/forgerock/openam/entitlement/indextree/TreeSaveIndex*</include>
</span><span class="cx"> \
<include>org/forgerock/openam/entitlement/indextree/TreeSearchIndex*</include>
</span><ins>+ \
<include>org/forgerock/openam/entitlement/utils/EntitlementUtils*</include>
</ins><span class="cx"> \
<include>org/forgerock/openam/services/cdm/**</include> </span><span \
class="cx"> \
<include>org/forgerock/openam/security/whitelist/**</include> \
</span><span class="cx"> \
<include>org/forgerock/openam/upgrade/UpgradeException*</include> \
</span></span></pre></div> <a \
id="branchesAME3423openamopenamcoresrcmainjavacomsunidentityentitlementopenssoPolicyPrivilegeManagerjava"></a>
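Review bot: the added include for org/forgerock/openam/entitlement/utils/EntitlementUtils* puts a utility class into the client SDK jar, but nothing in this hunk says which client-side class needs it. Please add a short XML comment beside the include naming the consumer, and check that every class EntitlementUtils references is itself covered by an include, so the SDK does not fail with NoClassDefFoundError at runtime.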
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-core/src/main/java/com/sun/identity/entitlement/opensso/PolicyPrivilegeManager.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-core/src/main/java/com/sun/identity/entitlement/opensso/PolicyPrivilegeManager.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-core/src/main/java/com/sun/identity/entitlement/opensso/PolicyPrivilegeManager.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -23,6 +23,8 @@
</span><span class="cx"> * "Portions Copyrighted [year] [name of copyright \
owner]" </span><span class="cx"> *
</span><span class="cx"> * $Id: PolicyPrivilegeManager.java,v 1.9 2010/01/26 \
20:10:15 dillidorai Exp $ </span><ins>+ *
+ * Portions Copyrighted 2014 ForgeRock AS
</ins><span class="cx"> */
</span><span class="cx"> package com.sun.identity.entitlement.opensso;
</span><span class="cx">
</span><span class="lines">@@ -242,14 +244,15 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- private void updateMetaInfo(Privilege privilege)
</del><ins>+ private void updateMetaInfo(String existingName, Privilege privilege)
</ins><span class="cx"> throws EntitlementException {
</span><del>- Privilege origPrivilege = getPrivilege(privilege.getName(),
- PrivilegeManager.superAdminSubject);
</del><ins>+ Privilege origPrivilege = getPrivilege(existingName, \
PrivilegeManager.superAdminSubject); +
</ins><span class="cx"> if (origPrivilege != null) {
</span><span class="cx"> \
privilege.setCreatedBy(origPrivilege.getCreatedBy()); </span><span class="cx"> \
privilege.setCreationDate(origPrivilege.getCreationDate()); </span><span class="cx"> \
} </span><ins>+
</ins><span class="cx"> Date date = new Date();
</span><span class="cx"> privilege.setLastModifiedDate(date.getTime());
</span><span class="cx">
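Review bot: updateMetaInfo(existingName, privilege) silently skips copying createdBy and creationDate when getPrivilege(existingName, PrivilegeManager.superAdminSubject) returns null, so a stale or mistyped existingName produces a privilege without creation metadata and without any error. Now that the name is a separate argument and can disagree with privilege.getName(), consider throwing an EntitlementException when origPrivilege is null, or document that a missing original is acceptable.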
</span><span class="lines">@@ -259,18 +262,11 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- /**
- * Modifies a privilege
- * @param privilege the privilege to be modified
- * @throws com.sun.identity.entitlement.EntitlementException
- */
</del><span class="cx"> @Override
</span><del>- public void modifyPrivilege(Privilege privilege)
- throws EntitlementException {
</del><ins>+ public void modifyPrivilege(String existingName, Privilege privilege) \
throws EntitlementException { </ins><span class="cx"> \
validatePrivilege(privilege); </span><span class="cx"> \
privilege.validateResourceNames(dsameUserSubject, realm); </span><del>- \
updateMetaInfo(privilege);
- String privilegeName = privilege.getName();
</del><ins>+ updateMetaInfo(existingName, privilege);
</ins><span class="cx">
</span><span class="cx"> try {
</span><span class="cx"> if (!migratedToEntitlementSvc) {
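Review bot: the Javadoc block is removed from above @Override and the new modifyPrivilege(String existingName, Privilege privilege) signature is left undocumented. Please add Javadoc that describes existingName and says what happens when it differs from privilege.getName(), since that difference is the reason the overload exists.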
</span><span class="lines">@@ -278,23 +274,35 @@
</span><span class="cx"> \
pm.addPolicy(PrivilegeUtils.privilegeToPolicy(realm, privilege)); </span><span \
class="cx"> } else { </span><span class="cx"> \
PolicyDataStore pdb = PolicyDataStore.getInstance(); </span><del>- \
Privilege oldP = getPrivilege(privilegeName, getAdminSubject());
- pdb.removePrivilege(getAdminSubject(), getRealm(),
- privilege);
</del><ins>+ Privilege oldP = getPrivilege(existingName, \
getAdminSubject()); +
</ins><span class="cx"> String currentRealm = getRealm();
</span><del>- pdb.addPolicy(getAdminSubject(), getRealm(), privilege);
</del><ins>+
+ pdb.removePrivilege(getAdminSubject(), currentRealm, oldP);
+
+ pdb.addPolicy(getAdminSubject(), currentRealm, privilege);
</ins><span class="cx"> notifyPrivilegeChanged(currentRealm, oldP, \
privilege); </span><span class="cx"> }
</span><span class="cx"> } catch (PolicyException e) {
</span><del>- Object[] params = {privilegeName};
</del><ins>+ Object[] params = {existingName};
</ins><span class="cx"> throw new EntitlementException(206, params, e);
</span><span class="cx"> } catch (SSOException e) {
</span><del>- Object[] params = {privilegeName};
</del><ins>+ Object[] params = {existingName};
</ins><span class="cx"> throw new EntitlementException(206, params, e);
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> /**
</span><ins>+ * Modifies a privilege
+ * @param privilege the privilege to be modified
+ * @throws com.sun.identity.entitlement.EntitlementException
+ */
+ @Override
+ public void modifyPrivilege(Privilege privilege) throws EntitlementException {
+ modifyPrivilege(privilege.getName(), privilege);
+ }
+
+ /**
</ins><span class="cx"> * Returns the XML representation of this privilege.
</span><span class="cx"> *
</span><span class="cx"> * @param name Privilege name.
</span></span></pre></div>
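Review bot: pdb.removePrivilege(getAdminSubject(), currentRealm, oldP) passes the result of getPrivilege(existingName, getAdminSubject()) without a null check, although updateMetaInfo treats the same lookup as nullable. Guard against oldP == null before the remove. Also note that removePrivilege followed by addPolicy is not atomic: if addPolicy throws PolicyException, the catch block only wraps it in EntitlementException(206, ...) and the original privilege is already gone.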
<a id="branchesAME3423openamopenamcoresrcmainjavaorgforgerockopenamctsapifilterTokenFilterBuilderjava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-core/src/main/java/org/forgerock/openam/cts/api/filter/TokenFilterBuilder.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-core/src/main/java/org/forgerock/openam/cts/api/filter/TokenFilterBuilder.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-core/src/main/java/org/forgerock/openam/cts/api/filter/TokenFilterBuilder.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -42,6 +42,13 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> /**
</span><ins>+ * @return Moves the builder into mode specified by type.
+ */
+ public FilterAttributeBuilder type(TokenFilter.Type type) {
+ return new FilterAttributeBuilder(tokenFilter, type);
+ }
+
+ /**
</ins><span class="cx"> * Moves the TokenFilter into AND mode, and filters the \
query by the given attribute. </span><span class="cx"> *
</span><span class="cx"> * @see \
TokenFilterBuilder.FilterAttributeBuilder#withAttribute(CoreTokenField, Object) \
</span></span></pre></div> <a \
id="branchesAME3423openamopenamcoresrcmainresourcesMETAINFservicescomgoogleinjectAbstractModule"></a>
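Review bot: the Javadoc on the new type(TokenFilter.Type type) method puts its description in the @return tag and has no @param. Suggest a summary sentence, an "@param type" line and "@return a FilterAttributeBuilder operating in the given mode", and state whether a null type is accepted, since the value is handed straight to the FilterAttributeBuilder constructor.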
<div class="delfile"><h4>Deleted: \
branches/AME-3423/openam/openam-core/src/main/resources/META-INF/services/com.google.inject.AbstractModule \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-core/src/main/resources/META-INF/services/com.google.inject.AbstractModule 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-core/src/main/resources/META-INF/services/com.google.inject.AbstractModule 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -1,16 +0,0 @@
</span><del>-#
-# The contents of this file are subject to the terms of the Common Development and
-# Distribution License (the License). You may not use this file except in compliance \
with the
-# License.
-#
-# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for \
the
-# specific language governing permission and limitations under the License.
-#
-# When distributing Covered Software, include this CDDL Header Notice in each file \
and include
-# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the \
CDDL
-# Header, with the fields enclosed by brackets [] replaced by your own identifying
-# information: "Portions copyright [year] [name of copyright owner]".
-#
-# Copyright 2014 ForgeRock AS.
-#
-org.forgerock.openam.core.guice.DataLayerGuiceModule
</del><span class="cx">\ No newline at end of file
</span></span></pre></div>
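Review bot: deleting this META-INF/services/com.google.inject.AbstractModule file removes the registration of org.forgerock.openam.core.guice.DataLayerGuiceModule, and none of the hunks shown here adds a replacement. Please confirm in the commit log how the module is discovered after this change; if nothing else loads it, its bindings will be missing when the injector is created.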
<a id="branchesAME3423openamopenamdocumentationopenamdocsource"></a>
<div class="propset"><h4>Property changes: \
branches/AME-3423/openam/openam-documentation/openam-doc-source</h4> <pre \
class="diff"><span> </span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4>Modified: svn:mergeinfo</h4></div>
<span class="cx">/branches/AME-2629/openam/openam-documentation/openam-doc-source:7585-7632
</span><span class="cx">/branches/AME-3405-session-read-from-cts/openam/openam-documentation/openam-doc-source:8749-8823
</span><span class="cx">/branches/AME-3612-pcunnington/openam/openam-documentation/openam-doc-source:9534-9723
</span><span class="cx">/branches/AME-3719/openam/openam-documentation/openam-doc-source:9517-9879
</span><span class="cx">/branches/AME-3726-script-sandboxing/openam/openam-documentation/openam-doc-source:9663-9819
</span><span class="cx">/branches/CTS-Async/openam/openam-documentation/openam-doc-source:8847-9739
</span><span class="cx">/branches/IIS7PostData/openam/openam-documentation/openam-doc-source:224-261
</span><span class="cx">/branches/IIS7PostData/openam/openam-documentation/openam-site:224-261
</span><span class="cx">/branches/OAuth2_Maven/openam/openam-documentation/openam-doc-source:2756-3584
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/openam/openam-documentation/openam-doc-source:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/openam/openam-documentation/openam-doc-source:6910-6946
</span><span class="cx">/branches/OPENAM-3130-session-quota/openam/openam-documentation/openam-doc-source:6958-6972
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/openam/openam-documentation/openam-doc-source:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/openam/openam-documentation/openam-doc-source:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/openam/openam-documentation/openam-doc-source:8747-8835
</span><span class="cx">/branches/OPENAM-4028-connection-pool/openam/openam-documentation/openam-doc-source:9750-10171
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/openam/openam-documentation/openam-doc-source:7834-7844
</span><span class="cx">/branches/ame4272/openam/openam-documentation/openam-doc-source:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/openam/openam-documentation/openam-doc-source:7508-7697
</span><span class="cx">/branches/andyAme3102/openam/openam-documentation/openam-doc-source:8312-8413
</span><span class="cx">/branches/andyOpenam1708/openam/openam-documentation/openam-doc-source:5576-5592
</span><span class="cx">/branches/maven_merge/openam/openam-documentation/openam-doc-source:2556-3124
</span><span class="cx">/branches/maven_merge/openam/openam-documentation/openam-site:2556-2631
</span><span class="cx">/branches/oidc_authn/openam-documentation/openam-doc-source:8507,8540,8557-8559,8565-8566
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/openam/openam-documentation/openam-doc-source:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/openam/openam-documentation/openam-doc-source:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/openam/openam-documentation/openam-doc-source:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/openam/openam-documentation/openam-doc-source:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/openam/openam-documentation/openam-doc-source:6767-6804
</span><span class="cx">/branches/openam_10.1.0_SAML2_FIXES/openam-documentation/openam-doc-source:3725-3740
</span><span class="cx">/branches/openam_10.1.0_jeff/openam-documentation/openam-doc-source:3128-3527
</span><span class="cx">/branches/openam_10.1.0_jeff/openam-documentation/openam-site:3128-3287
</span><span class="cx">/branches/openam_10.1.0_xacml3_JAS/openam/openam-documentation/openam-doc-source:4039-4140
</span><span class="cx">/branches/openam_10.2.0_xacml3_JAS/openam/openam-documentation/openam-doc-source:4141-4379
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/openam/openam-documentation/openam-doc-source:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/openam/openam-documentation/openam-doc-source:8476-8577
</span><span class="cx">/branches/pcunnington-oauth2/openam/openam-documentation/openam-doc-source:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/openam/openam-documentation/openam-doc-source:8314-8341
</span><span class="cx">/branches/rest_sts_view_bean/openam-documentation/openam-doc-source:9690-9965
</span><span class="cx">/branches/rwapshott-AME-1739/openam/openam-documentation/openam-doc-source:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/openam/openam-documentation/openam-doc-source:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/openam/openam-documentation/openam-doc-source:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/openam/openam-documentation/openam-doc-source:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2027-cts-oids-should-follow-fr-oid-scheme/openam/openam-documentation/openam-doc-source:5609-5614
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/openam/openam-documentation/openam-doc-source:6086-6319
</span><span class="cx">/branches/rwapshott-ame-2311-index-names/openam/openam-documentation/openam-doc-source:6058-6069
</span><span class="cx">/branches/rwapshott-ame-258-cts-replication/openam/openam-documentation/openam-doc-source:5548-6055
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/openam/openam-documentation/openam-doc-source:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/openam/openam-documentation/openam-doc-source:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/openam/openam-documentation/openam-doc-source:6170-6194
</span><span class="cx">/branches/rwapshott-openam-2729-saml2-error/openam/openam-documentation/openam-doc-source:6247-6257
</span><span class="cx">/branches/sts_oidc_saml_redux/openam-documentation/openam-doc-source:8417-8422,8424,8440,8445-8446,8460,8490,8498
</span><span class="cx">/branches/sts_restart_persistence/openam-documentation/openam-doc-source:9003-9005,9009-9414
</span><span class="cx">/branches/sts_service_listeners/openam-documentation/openam-doc-source:9968-10031,10047-10048,10053
</span><span class="cx">/branches/sts_token_gen_service/openam-documentation/openam-d \
oc-source:8706,8717-8720,8723-8725,8727-8728,8731,8737,8740-8742,8759-8760,8774-8776,8796-8797,8800-8801,8818-8819,8821
</span><span class="cx">/branches/sts_token_gen_service2/openam-documentation/openam-doc-source:8844-8887,8894-9000
</span><span class="cx">/trunk/openam/openam-documentation/openam-doc-source:3127-333 \
2,10107-10111,10114-10116,10119,10129-10131,10134-10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193,10196-10201,10204,10212
</span><span class="cx">/trunk/openam/openam-documentation/openam-site:2556-2930
</span><span class="cx">/trunk/opensso/openam-site:2912-3070
</span><span class="cx"> + \
/branches/AME-2526-SFO-between-sites/openam/openam-documentation/openam-doc-source:7510-8258
</span><span class="cx">/branches/AME-2629/openam/openam-documentation/openam-doc-source:7585-7632
</span><span class="cx">/branches/AME-3405-session-read-from-cts/openam/openam-documentation/openam-doc-source:8749-8823
</span><span class="cx">/branches/AME-3612-pcunnington/openam/openam-documentation/openam-doc-source:9534-9723
</span><span class="cx">/branches/AME-3719/openam/openam-documentation/openam-doc-source:9517-9879
</span><span class="cx">/branches/AME-3726-script-sandboxing/openam/openam-documentation/openam-doc-source:9663-9819
</span><span class="cx">/branches/CTS-Async/openam/openam-documentation/openam-doc-source:8847-9739
</span><span class="cx">/branches/IIS7PostData/openam/openam-documentation/openam-doc-source:224-261
</span><span class="cx">/branches/IIS7PostData/openam/openam-documentation/openam-site:224-261
</span><span class="cx">/branches/OAuth2_Maven/openam/openam-documentation/openam-doc-source:2756-3584
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/openam/openam-documentation/openam-doc-source:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/openam/openam-documentation/openam-doc-source:6910-6946
</span><span class="cx">/branches/OPENAM-3130-session-quota/openam/openam-documentation/openam-doc-source:6958-6972
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/openam/openam-documentation/openam-doc-source:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/openam/openam-documentation/openam-doc-source:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/openam/openam-documentation/openam-doc-source:8747-8835
</span><span class="cx">/branches/OPENAM-4028-connection-pool/openam/openam-documentation/openam-doc-source:9750-10171
</span><span class="cx">/branches/OPENAM-4384-ssoadm-classpath/openam/openam-documentation/openam-doc-source:10263-10264
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/openam/openam-documentation/openam-doc-source:7834-7844
</span><span class="cx">/branches/ame4272/openam/openam-documentation/openam-doc-source:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/openam/openam-documentation/openam-doc-source:7508-7697
</span><span class="cx">/branches/andyAme3102/openam/openam-documentation/openam-doc-source:8312-8413
</span><span class="cx">/branches/andyOpenam1708/openam/openam-documentation/openam-doc-source:5576-5592
</span><span class="cx">/branches/maven_merge/openam/openam-documentation/openam-doc-source:2556-3124
</span><span class="cx">/branches/maven_merge/openam/openam-documentation/openam-site:2556-2631
</span><span class="cx">/branches/oidc_authn/openam-documentation/openam-doc-source:8507,8540,8557-8559,8565-8566
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/openam/openam-documentation/openam-doc-source:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/openam/openam-documentation/openam-doc-source:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/openam/openam-documentation/openam-doc-source:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/openam/openam-documentation/openam-doc-source:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/openam/openam-documentation/openam-doc-source:6767-6804
</span><span class="cx">/branches/openam_10.1.0_SAML2_FIXES/openam-documentation/openam-doc-source:3725-3740
</span><span class="cx">/branches/openam_10.1.0_jeff/openam-documentation/openam-doc-source:3128-3527
</span><span class="cx">/branches/openam_10.1.0_jeff/openam-documentation/openam-site:3128-3287
</span><span class="cx">/branches/openam_10.1.0_xacml3_JAS/openam/openam-documentation/openam-doc-source:4039-4140
</span><span class="cx">/branches/openam_10.2.0_xacml3_JAS/openam/openam-documentation/openam-doc-source:4141-4379
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/openam/openam-documentation/openam-doc-source:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/openam/openam-documentation/openam-doc-source:8476-8577
</span><span class="cx">/branches/pcunnington-oauth2/openam/openam-documentation/openam-doc-source:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/openam/openam-documentation/openam-doc-source:8314-8341
</span><span class="cx">/branches/rest_sts_view_bean/openam-documentation/openam-doc-source:9690-9965
</span><span class="cx">/branches/rwapshott-AME-1739/openam/openam-documentation/openam-doc-source:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/openam/openam-documentation/openam-doc-source:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/openam/openam-documentation/openam-doc-source:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/openam/openam-documentation/openam-doc-source:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2027-cts-oids-should-follow-fr-oid-scheme/openam/openam-documentation/openam-doc-source:5609-5614
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/openam/openam-documentation/openam-doc-source:6086-6319
</span><span class="cx">/branches/rwapshott-ame-2311-index-names/openam/openam-documentation/openam-doc-source:6058-6069
</span><span class="cx">/branches/rwapshott-ame-258-cts-replication/openam/openam-documentation/openam-doc-source:5548-6055
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/openam/openam-documentation/openam-doc-source:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/openam/openam-documentation/openam-doc-source:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/openam/openam-documentation/openam-doc-source:6170-6194
</span><span class="cx">/branches/rwapshott-openam-2729-saml2-error/openam/openam-documentation/openam-doc-source:6247-6257
</span><span class="cx">/branches/sts_oidc_saml_redux/openam-documentation/openam-doc-source:8417-8422,8424,8440,8445-8446,8460,8490,8498
</span><span class="cx">/branches/sts_restart_persistence/openam-documentation/openam-doc-source:9003-9005,9009-9414
</span><span class="cx">/branches/sts_service_listeners/openam-documentation/openam-doc-source:9968-10031,10047-10048,10053
</span><span class="cx">/branches/sts_token_gen_service/openam-documentation/openam-d \
oc-source:8706,8717-8720,8723-8725,8727-8728,8731,8737,8740-8742,8759-8760,8774-8776,8796-8797,8800-8801,8818-8819,8821
</span><span class="cx">/branches/sts_token_gen_service2/openam-documentation/openam-doc-source:8844-8887,8894-9000
</span><span class="cx">/trunk/openam/openam-documentation/openam-doc-source:3127-333 \
2,10107-10111,10114-10116,10119,10129-10131,10134-10136,10138-10143,10146,10159-10161, \
10172,10174-10176,10179,10182-10185,10191,10193,10196-10201,10204,10212,10214,10217-10 \
218,10222,10224,10229-10230,10243-10244,10249,10251,10253-10255,10258-10259,10265,10274,10276,10282,10288
</span><span class="cx">/trunk/openam/openam-documentation/openam-site:2556-2930
</span><span class="cx">/trunk/opensso/openam-site:2912-3070
</span><a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxadminguidechaprealmsxml"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-realms.xml \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-realms.xml 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-realms.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -24,12 +24,12 @@
</span><span class="cx"> !
</span><span class="cx"> -->
</span><span class="cx"> <chapter xml:id='chap-realms'
</span><del>- xmlns='http://docbook.org/ns/docbook'
- version='5.0' xml:lang='en'
- xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
- xsi:schemaLocation='http://docbook.org/ns/docbook
- http://docbook.org/xml/5.0/xsd/docbook.xsd'
- xmlns:xlink='http://www.w3.org/1999/xlink'>
</del><ins>+ xmlns='http://docbook.org/ns/docbook' version='5.0' \
xml:lang='en' + xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'
+ xmlns:xlink='http://www.w3.org/1999/xlink'
+ xmlns:xinclude='http://www.w3.org/2001/XInclude'>
</ins><span class="cx"> <title>Configuring Realms</title>
</span><span class="cx">
</span><span class="cx"> \
<indexterm><primary>Realms</primary></indexterm> </span><span \
class="lines">@@ -326,17 +326,75 @@ </span><span class="cx"> <step>
</span><span class="cx"> <para>In the second screen, provide information on \
how to connect </span><span class="cx"> to your data store, and then click Finish \
to save your work.</para> </span><del>-
- <para>See the <link \
xlink:href="admin-guide#chap-auth-services"
- xlink:role="http://docbook.org/xlink/role/olink">chapter on
- authentication</link> for hints on connecting to
- <link xlink:href="admin-guide#ad-module-conf-hints"
- xlink:role="http://docbook.org/xlink/role/olink">Active \
Directory</link>,
- <link xlink:href="admin-guide#ldap-module-conf-hints"
- xlink:role="http://docbook.org/xlink/role/olink">LDAP \
directory</link>, and
- <link xlink:href="admin-guide#jdbc-module-conf-hints"
- xlink:role="http://docbook.org/xlink/role/olink">JDBC</link> \
data
- sources.</para>
</del><ins>+
+ <itemizedlist>
+ <para>
+ See the following sections for hints depending on the type of data store.
+ </para>
+
+ <listitem>
+ <para>
+ <link
+ xlink:href="admin-guide#sec-data-stores-active-directory"
+ xlink:role="http://docbook.org/xlink/role/olink"
+ />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <link
+ xlink:href="admin-guide#sec-data-stores-adam"
+ xlink:role="http://docbook.org/xlink/role/olink"
+ />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <link
+ xlink:href="admin-guide#sec-data-stores-db"
+ xlink:role="http://docbook.org/xlink/role/olink"
+ />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <link
+ xlink:href="admin-guide#sec-data-stores-generic-ldapv3"
+ xlink:role="http://docbook.org/xlink/role/olink"
+ />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <link
+ xlink:href="admin-guide#sec-data-stores-opendj"
+ xlink:role="http://docbook.org/xlink/role/olink"
+ />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <link
+ xlink:href="admin-guide#sec-data-stores-dsee"
+ xlink:role="http://docbook.org/xlink/role/olink"
+ />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <link
+ xlink:href="admin-guide#sec-data-stores-tivoli"
+ xlink:role="http://docbook.org/xlink/role/olink"
+ />
+ </para>
+ </listitem>
+ </itemizedlist>
</ins><span class="cx"> </step>
</span><span class="cx"> <step>
</span><span class="cx"> <para>Click the Subjects tab, and make sure the \
connection to your </span><span class="lines">@@ -393,4 +451,12 @@
</span><span class="cx"> <para>Save your work.</para>
</span><span class="cx"> </step>
</span><span class="cx"> </procedure>
</span><ins>+
+ <xinclude:include \
href="../shared/sec-data-stores-active-directory.xml" /> + \
<xinclude:include href="../shared/sec-data-stores-adam.xml" /> + \
<xinclude:include href="../shared/sec-data-stores-db.xml" /> + \
<xinclude:include href="../shared/sec-data-stores-generic-ldapv3.xml" \
/> + <xinclude:include href="../shared/sec-data-stores-opendj.xml" \
/> + <xinclude:include href="../shared/sec-data-stores-dsee.xml" \
/> + <xinclude:include href="../shared/sec-data-stores-tivoli.xml" \
/> </ins><span class="cx"> </chapter>
</span></span></pre></div>
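Review bot: in the hunk at @@ -326,17 +326,75 the seven link elements that replace the old paragraph are empty, so each list item relies entirely on olink resolution to generate its text. The targets (sec-data-stores-active-directory through sec-data-stores-tivoli) appear to be the sections pulled into this same chapter by the xinclude:include lines in the last hunk; if so, an xref with linkend, as chap-config-ref.xml uses in this commit, is simpler for same-document targets and lets validation catch a wrong ID.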
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxadminguidechaptuningxml"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-tuning.xml \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-tuning.xml 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-tuning.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -20,15 +20,15 @@
</span><span class="cx"> !
</span><span class="cx"> ! CCPL HEADER END
</span><span class="cx"> !
</span><del>- ! Copyright 2011-2013 ForgeRock, Inc
</del><ins>+ ! Copyright 2011-2014 ForgeRock, Inc
</ins><span class="cx"> !
</span><span class="cx"> -->
</span><span class="cx"> <chapter xml:id='chap-tuning'
</span><del>- xmlns='http://docbook.org/ns/docbook'
- version='5.0' xml:lang='en'
- xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
- xsi:schemaLocation='http://docbook.org/ns/docbook \
http://docbook.org/xml/5.0/xsd/docbook.xsd'
- xmlns:xlink='http://www.w3.org/1999/xlink'>
</del><ins>+ xmlns='http://docbook.org/ns/docbook'
+ version='5.0' xml:lang='en'
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'>
</ins><span class="cx"> <title>Tuning OpenAM</title>
</span><span class="cx"> \
<indexterm><primary>Performance</primary></indexterm> \
</span><span class="cx"> <para>This chapter covers key OpenAM tunings to \
ensure smoothly performing </span><span class="lines">@@ -84,8 +84,9 @@
</span><span class="cx"> <section xml:id="tuning-ldap-settings">
</span><span class="cx"> <title>LDAP Settings</title>
</span><span class="cx">
</span><del>- <para>Tune both your LDAP data stores and also your LDAP \
authentication
- modules.</para>
</del><ins>+ <para>
+ Tune both your LDAP data stores and also your LDAP authentication modules.
+ </para>
</ins><span class="cx">
</span><span class="cx"> <para>To change LDAP data store settings, browse to \
Access Control &gt; </span><span class="cx"> <replaceable>Realm \
Name</replaceable> &gt; Data Stores &gt; </span></span></pre></div>
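Review bot: in the first hunk (@@ -20,15 +20,15) the rewritten chapter start tag no longer declares xmlns:xlink='http://www.w3.org/1999/xlink', which the removed lines had. If any xlink:href attribute remains in chap-tuning.xml, the prefix is unbound and the file stops being namespace-well-formed; please confirm the chapter has no xlink attributes left, or keep the declaration as chap-realms.xml and chap-config-ref.xml do.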
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxadminguidei \
magestrusteddevicemgmtpngfromrev10244trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxadminguideimagestrusteddevicemgmtpng"></a>
<div class="binary"><h4>Copied: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/images/trusted-device-mgmt.png \
(from rev 10244, trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/images/trusted-device-mgmt.png)</h4>
<pre class="diff"><span>
<span class="cx">(Binary files differ)
</span></span></pre></div>
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxdevguidechaprestxml"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/dev-guide/chap-rest.xml \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/dev-guide/chap-rest.xml 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/dev-guide/chap-rest.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -574,7 +574,7 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> You can use the query string parameter,
</span><del>- <literal>sessionUpgrade=<replaceable>tokenId</replaceable></literal>,
</del><ins>+ <literal>sessionUpgradeSSOTokenId=<replaceable>tokenId</replaceable></literal>,
</ins><span class="cx"> to request session upgrade.
</span><span class="cx"> For an explanation of session upgrade,
</span><span class="cx"> see the <citetitle>Administration \
Guide</citetitle> section on, </span><span class="lines">@@ -1960,16 +1960,22 \
@@ </span><span class="cx"> {
</span><span class="cx"> "type": "NumericAttribute",
</span><span class="cx"> "attributeName": "gidNumber",
</span><del>- "caseSensitive": "&lt;=",
</del><ins>+ "operator": "LESS_THAN",
</ins><span class="cx"> "value": "1000"
</span><span class="cx"> }
</span><span class="cx"> </programlisting>
</span><span class="cx">
</span><del>- <para><!-- This is my reading of \
NumericAttributeCondition.java. Looks like a bug. -->
- <literal>"caseSensitive"</literal> is optional, but \
if used
- then it should be set to a comparison operator, one of:
- <literal>&lt; &lt;= = > >=</literal>.
- If not specified, then OpenAM checks for equality.
</del><ins>+ <para>
+ <literal>"operator"</literal> is optional, but if \
used + it must be one of the following comparison operators:
+ <literal>LESS_THAN</literal>,
+ <literal>LESS_THAN_OR_EQUAL</literal>,
+ <literal>EQUAL</literal>,
+ <literal>GREATER_THAN_OR_EQUAL</literal>, or
+ <literal>GREATER_THAN</literal>.
+ Note that using symbols such as &lt;, &lt;=,=,&gt;=, or \
&gt; is not + supported.
+ If not specified, then OpenAM checks for equality \
(<literal>EQUAL</literal>). </ins><span class="cx"> \
</para> </span><span class="cx"> </listitem>
</span><span class="cx">
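Review bot: the new paragraph says comparison symbols are not supported, but the text it replaces documented exactly that form (the "caseSensitive" key set to one of the symbols), so readers who wrote conditions from the old page get no hint about what happens to them. Add a sentence saying whether a condition that still uses "caseSensitive" is accepted, ignored or rejected, and fix the symbol list, which has no spaces after two of its commas.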
</span><span class="lines">@@ -5570,6 +5576,25 @@
</span><span class="cx"> <computeroutput>{}</computeroutput>
</span><span class="cx"> </screen>
</span><span class="cx">
</span><ins>+ <para>Note that you can also use the \
<literal>email</literal> attribute + to locate the user. If both \
<literal>username</literal> and <literal>mail</literal> + \
attributes are used, then a request error is issued. If more + than one account \
has been registered with the same email address, + the password reset process \
does not start.</para> +
+ <screen>
+$ <userinput>curl \
+ --request POST \
+ --header "Content-Type: application/json" \
+ --data '{
+ "email": "demo@example.com",
+ "subject": "Reset your forgotten password with OpenAM",
+ "message": "Follow this link to reset your password"
+ }' \
+ https://openam.example.com:8443/openam/json/users/?_action=forgotPassword</userinput>
+<computeroutput>{}</computeroutput>
+ </screen>
+
</ins><span class="cx"> <para>On success, the response is an empty JSON \
object <literal>{}</literal> </span><span class="cx"> as shown in the \
example.</para> </span><span class="cx"> </listitem>
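Review bot: the added paragraph names the attribute inconsistently: it introduces "email", then says a request error is issued if both "username" and "mail" are used, while the curl example sends "email". Use one name throughout, matching the JSON field the endpoint accepts. It would also help to say what the caller receives when the address matches more than one account, since the text only says the reset process does not start.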
</span><span class="lines">@@ -5580,10 +5605,10 @@
</span><span class="cx"> but all on one line.</para>
</span><span class="cx">
</span><span class="cx"> <literallayout class="monospaced"
</span><del>- >https://openam.example.com:8443/openam/json/confirmation/forgotPassword
</del><ins>+ >https://openam.example.com:8443/openam/json/XUI/confirm.html
</ins><span class="cx"> ?confirmationId=jrUZ3E7CK4UQJM5jnDHGNKH1UaQ=
</span><span class="cx"> &amp;tokenId=M8cVqWqbKtCtpd/UqEAr0x25fxA=
</span><del>- &amp;username=demo</literallayout>
</del><ins>+ &amp;username=demo&amp;realm=/</literallayout>
</ins><span class="cx"> </listitem>
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="lines">@@ -5595,7 +5620,9 @@
</span><span class="cx"> query string parameters as shown in the following \
example.</para> </span><span class="cx">
</span><span class="cx"> <para>Your POST includes the new password as the \
value of the "userpassword" </span><del>- field in the JSON \
payload.</para> </del><ins>+ field in the JSON payload. You can also use \
the <literal>email</literal> + attribute instead of \
<literal>username</literal>. + </para>
</ins><span class="cx">
</span><span class="cx"> <screen>
</span><span class="cx"> $ <userinput>curl \
</span><span class="lines">@@ -5608,53 +5635,12 @@
</span><span class="cx"> \
"confirmationId":"jrUZ3E7CK4UQJM5jnDHGNKH1UaQ=" </span><span \
class="cx"> }' \ </span><span class="cx"> \
https://openam.example.com:8443/openam/json/users?_action=forgotPasswordReset</userinput>
</span><del>-<computeroutput>{
- "name": "demo",
- "realm": "/",
- "uid": [
- "demo"
- ],
- "mail": [
- "demo@example.com"
- ],
- "sn": [
- "demo"
- ],
- "userPassword": [
- "{SSHA}zgeBu4yOAy1i9QAgnldMCzW8LWX36ViVj9leig=="
- ],
- "cn": [
- "demo"
- ],
- "inetUserStatus": [
- "Active"
- ],
- "objectClass": [
- "devicePrintProfilesContainer",
- "person",
- "sunIdentityServerLibertyPPService",
- "inetorgperson",
- "sunFederationManagerDataStore",
- "iPlanetPreferences",
- "iplanet-am-auth-configuration-service",
- "organizationalperson",
- "sunFMSAML2NameIdentifier",
- "inetuser",
- "forgerock-am-dashboard-service",
- "iplanet-am-managed-person",
- "iplanet-am-user-service",
- "sunAMAuthAccountLockout",
- "top"
- ],
- "universalid": [
- "id=demo,ou=user,dc=openam,dc=forgerock,dc=org"
- ]
-}</computeroutput>
</del><ins>+<computeroutput>{}</computeroutput>
</ins><span class="cx"> </screen>
</span><span class="cx">
</span><del>- <para>On success, the response is the JSON representation of \
the user
- profile with the new password hashed according to the password storage
- scheme for the identity repository.</para>
</del><ins>+ <para>On success or failure, the REST call returns an empty \
message, so that + information is not leaked.
+ </para>
</ins><span class="cx"> </listitem>
</span><span class="cx"> </orderedlist>
</span><span class="cx">
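Review bot: the replacement paragraph says the call returns an empty message on success or failure so that information is not leaked, but it gives no HTTP status for the failure case, while the status code section of this chapter says error conditions come back as 4xx or 5xx. State explicitly whether a failed reset returns the same status as a successful one; if the status differs, the empty body alone does not hide the outcome. The paragraph also says "message" where the example output shows an empty JSON object.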
</span><span class="lines">@@ -7479,7 +7465,8 @@
</span><span class="cx">
</span><span class="cx"> <para>OpenAM REST APIs respond to successful \
requests with HTTP status codes </span><span class="cx"> in the 2xx range. OpenAM \
REST APIs respond to error conditions with HTTP </span><del>- status codes in the \
4xx and 5xx range. Status codes used are described in the </del><ins>+ status codes \
in the 4xx and 5xx range. Status codes used are described in + the
</ins><span class="cx"> following list.</para>
</span><span class="cx">
</span><span class="cx"> <variablelist>
</span></span></pre></div>
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxinstallguidechapctsxml"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/install-guide/chap-cts.xml \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/install-guide/chap-cts.xml 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/install-guide/chap-cts.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -159,10 +159,17 @@
</span><span class="cx"> <listitem>
</span><span class="cx"> \
<para><literal>Password</literal></para> </span><span \
class="cx"> </listitem> </span><ins>+
</ins><span class="cx"> <listitem>
</span><del>- <para><literal>Max \
Connections</literal></para>
- <para><literal>20</literal> (arbitrary \
number)</para> </del><ins>+ <para>
+ <literal>Max Connections</literal>
+ </para>
+
+ <para>
+ <literal>20</literal> (arbitrary number)
+ </para>
</ins><span class="cx"> </listitem>
</span><ins>+
</ins><span class="cx"> <listitem>
</span><span class="cx"> \
<para><literal>Heartbeat</literal></para> </span><span \
class="cx"> <para><literal>10</literal> (default, in \
seconds)</para> </span></span></pre></div>
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxreferencechapconfigrefxml"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/reference/chap-config-ref.xml \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/reference/chap-config-ref.xml 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/reference/chap-config-ref.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -24,12 +24,12 @@
</span><span class="cx"> !
</span><span class="cx"> -->
</span><span class="cx"> <chapter xml:id='chap-config-ref'
</span><del>- xmlns='http://docbook.org/ns/docbook'
- version='5.0' xml:lang='en'
- xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
- xsi:schemaLocation='http://docbook.org/ns/docbook
- http://docbook.org/xml/5.0/xsd/docbook.xsd'
- xmlns:xlink='http://www.w3.org/1999/xlink'>
</del><ins>+ xmlns='http://docbook.org/ns/docbook'
+ version='5.0' xml:lang='en'
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'
+ xmlns:xlink='http://www.w3.org/1999/xlink'>
</ins><span class="cx"> <title>Configuration Reference</title>
</span><span class="cx">
</span><span class="cx"> \
<indexterm><primary>Configuration</primary></indexterm> \
</span><span class="lines">@@ -162,6 +162,73 @@ </span><span class="cx"> \
Authentication</citetitle></link>.</para> </span><span class="cx"> \
<para>This section presents the properties that you can set in the DAS \
properties file to configure your </span><span class="cx"> OpenAM \
instances.</para> </span><ins>+
+ <itemizedlist>
+ <para>
+ This section describes the following sets of properties.
+ </para>
+
+ <listitem>
+ <para>
+ <xref linkend="das-properties" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="security-credentials-to-read-config-data" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="cache-notifications" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="server-protocol-host-port-descriptor" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="cert-db" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="policy-decision-log" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="das-monitoring" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="general" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="http-header-properties" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="load-balancer" />
+ </para>
+ </listitem>
+ </itemizedlist>
+
</ins><span class="cx"> <variablelist xml:id="das-properties">
</span><span class="cx"> <title>Administration</title>
</span><span class="cx"> <varlistentry>
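Review bot: Only one of the ten linkend values in the new itemizedlist, das-properties, has its target visible in this diff (the variablelist in the trailing context). The other nine, from security-credentials-to-read-config-data through load-balancer, need checking against the xml:id values in this chapter, since a linkend with no matching xml:id leaves a cross-reference that does not resolve. The new lead-in "This section describes the following sets of properties." also directly follows "This section presents the properties that you can set in the DAS properties file", so the two sentences could be merged into one.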
</span><span class="lines">@@ -711,6 +778,24 @@
</span><span class="cx"> <para>Under Configuration &gt; Console you can \
customize how the OpenAM </span><span class="cx"> console appears, and what \
character sets are used.</para> </span><span class="cx">
</span><ins>+ <itemizedlist>
+ <para>
+ This section describes the following sets of properties.
+ </para>
+
+ <listitem>
+ <para>
+ <xref linkend="console-administration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="console-g11n" />
+ </para>
+ </listitem>
+ </itemizedlist>
+
</ins><span class="cx"> <variablelist \
xml:id="console-administration"> </span><span class="cx"> \
<title>Administration</title> </span><span class="cx">
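Review bot: The xref to console-administration points at a variablelist whose title is just "Administration", the same title that das-properties carries in the DAS section earlier in this file. If the generated link text is taken from the target's title, both lists will contain an entry that reads only "Administration"; consider a more specific title on each variablelist, or a link element with its own text in place of the bare xref.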
</span><span class="lines">@@ -840,6 +925,42 @@
</span><span class="cx"> server logging, monitoring, service URL naming, locale, \
cookie domain, and </span><span class="cx"> how OpenAM detects specific \
clients.</para> </span><span class="cx">
</span><ins>+ <itemizedlist>
+ <para>
+ This section describes the following sets of properties.
+ </para>
+
+ <listitem>
+ <para>
+ <xref linkend="system-client-detection" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="system-logging" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="system-monitoring" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="system-platform" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="system-platform-attrs" />
+ </para>
+ </listitem>
+ </itemizedlist>
+
</ins><span class="cx"> <variablelist \
xml:id="system-client-detection"> </span><span class="cx"> \
<title>Client Detection</title> </span><span class="cx">
</span><span class="lines">@@ -1532,6 +1653,96 @@
</span><span class="cx"> federation services, for password reset, for policy \
configuration, for </span><span class="cx"> session management, and for dynamic \
user attributes.</para> </span><span class="cx">
</span><ins>+ <itemizedlist>
+ <para>
+ This section describes the following sets of properties.
+ </para>
+
+ <listitem>
+ <para>
+ <xref linkend="common-federation-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="dashboard-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="email-service-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="liberty-id-ff-service-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="multi-federation-protocol-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="oauth2-provider-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="password-reset-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="policy-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="rest-security-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="saml2-service-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="saml2-soap-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="sts-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="session-configuration-attributes" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="user-configuration-attributes" />
+ </para>
+ </listitem>
+ </itemizedlist>
+
</ins><span class="cx"> <variablelist \
xml:id="common-federation-configuration"> </span><span class="cx"> \
<title>Common Federation Configuration</title> </span><span class="cx">
</span><span class="lines">@@ -3625,6 +3836,60 @@
</span><span class="cx"> application container where OpenAM runs for the changes to \
take </span><span class="cx"> effect.</para>
</span><span class="cx">
</span><ins>+ <itemizedlist>
+ <para>
+ This section describes the following sets of properties.
+ </para>
+
+ <listitem>
+ <para>
+ <xref linkend="servers-general-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="servers-security-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="servers-session-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="servers-sdk-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="servers-directory-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="servers-cts" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="servers-advanced-configuration" />
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="sites-configuration" />
+ </para>
+ </listitem>
+ </itemizedlist>
+
</ins><span class="cx"> <variablelist \
xml:id="servers-general-configuration"> </span><span class="cx"> \
<title>Servers &gt; General</title> </span><span class="cx">
</span><span class="lines">@@ -4358,97 +4623,132 @@
</span><span class="cx"> <variablelist xml:id="servers-cts">
</span><span class="cx"> <title>Servers &gt; CTS</title>
</span><span class="cx">
</span><del>- <para>The Core Token Service (CTS) does not need to be \
configured in the same LDAP storage as the
- external or embedded user store. The CTS can instead be configured on its own \
external directory server.
- There are some specific requirements for indexing and replication which need to \
be accounted for.
- In particular, WAN replication is an important consideration which needs to be \
handled carefully for
- optimum performance.</para>
</del><ins>+ <para>
+ The Core Token Service (CTS) does not need to be configured
+ in the same LDAP storage as the external or embedded user store.
+ The CTS can instead be configured on its own external directory server.
+ There are some specific requirements for indexing and replication
+ which need to be accounted for.
+ In particular, WAN replication is an important consideration
+ which needs to be handled carefully for optimum performance.
+ </para>
</ins><span class="cx">
</span><del>- <para>You may also choose to set advanced properties related \
to token size, including
- <literal>com.sun.identity.session.repository.enableEncryption</literal>,
- <literal>com.sun.identity.session.repository.enableCompression</literal>, \
and
- <literal>com.sun.identity.session.repository.enableAttributeCompression</literal>. \
For more information,
- identify these variables in the following section: <xref \
linkend="servers-advanced-configuration" />.</para> </del><ins>+ \
<para> + You may also choose to set advanced properties related to token \
size, including + \
<literal>com.sun.identity.session.repository.enableEncryption</literal>, \
+ <literal>com.sun.identity.session.repository.enableCompression</literal>,
+ and <literal>com.sun.identity.session.repository.enableAttributeCompression</literal>.
+ For more information, identify these variables in the following section:
+ <xref linkend="servers-advanced-configuration" />.
+ </para>
</ins><span class="cx">
</span><span class="cx"> <varlistentry>
</span><del>- <term>Default Token Store</term>
- <listitem>
- <para>If selected, CTS tokens are stored in the same external or \
embedded datastore as is
- used on an OpenAM configuration store. If you use the default token \
store, you can only
- configure the <literal>Root Suffix</literal>. Associated \
with the <literal>Directory Configuration</literal>
- tab associated with individual servers.</para>
- </listitem>
</del><ins>+ <term>Default Token Store</term>
+ <listitem>
+ <para>
+ If selected, CTS tokens are stored
+ in the same external or embedded datastore
+ as is used on an OpenAM configuration store.
+ If you use the default token store,
+ you can only configure the <literal>Root Suffix</literal>.
+ Associated with the <literal>Directory Configuration</literal> \
tab + associated with individual servers.
+ </para>
+ </listitem>
</ins><span class="cx"> </varlistentry>
</span><span class="cx">
</span><span class="cx"> <varlistentry>
</span><del>- <term>External Token Store</term>
- <listitem>
- <para>If you use OpenDJ, you can separate the CTS from the \
configuration on different external servers.
- On the external CTS server, you can also configure token schema and \
indexes.</para>
- </listitem>
</del><ins>+ <term>External Token Store</term>
+ <listitem>
+ <para>
+ If you use OpenDJ, you can separate the CTS
+ from the configuration on different external servers.
+ On the external CTS server, you can also configure token schema and indexes.
+ </para>
+ </listitem>
</ins><span class="cx"> </varlistentry>
</span><span class="cx">
</span><span class="cx"> <varlistentry>
</span><del>- <term>Root Suffix</term>
- <listitem>
- <para>For either the default or external token stores, enter the \
base DN for CTS storage information in
- LDAP format, such as \
<literal>dc=cts,dc=forgerock,dc=com</literal>. The <literal>Root \
Suffix</literal>
- would be a database that can be maintained and replicated separately \
from tha standard user datastore.</para>
- </listitem>
</del><ins>+ <term>Root Suffix</term>
+ <listitem>
+ <para>
+ For either the default or external token stores,
+ enter the base DN for CTS storage information in LDAP format,
+ such as <literal>dc=cts,dc=forgerock,dc=com</literal>.
+ The <literal>Root Suffix</literal> would be a database
+ that can be maintained and replicated separately
+ from the standard user datastore.
+ </para>
+ </listitem>
</ins><span class="cx"> </varlistentry>
</span><span class="cx">
</span><span class="cx"> <varlistentry>
</span><del>- <term>SSL/TLS Enabled</term>
- <listitem>
- <para>Access the directory service using StartTLS or \
LDAPS.</para>
- </listitem>
</del><ins>+ <term>SSL/TLS Enabled</term>
+ <listitem>
+ <para>
+ Access the directory service using StartTLS or LDAPS.
+ </para>
+ </listitem>
</ins><span class="cx"> </varlistentry>
</span><span class="cx">
</span><span class="cx"> <varlistentry>
</span><del>- <term>Directory Name</term>
- <listitem>
- <para>The hostname of the external server.</para>
- </listitem>
</del><ins>+ <term>Directory Name</term>
+ <listitem>
+ <para>
+ The hostname of the external server.
+ </para>
+ </listitem>
</ins><span class="cx"> </varlistentry>
</span><span class="cx">
</span><span class="cx"> <varlistentry>
</span><del>- <term>Port</term>
- <listitem>
- <para>Specifies the TCP/IP port number used for communication to \
to external datastore,
- such as 389 for LDAP.</para>
- </listitem>
</del><ins>+ <term>Port</term>
+ <listitem>
+ <para>
+ Specifies the TCP/IP port number used for communication
+ with the external datastore, such as 389 for LDAP.
+ </para>
+ </listitem>
</ins><span class="cx"> </varlistentry>
</span><span class="cx">
</span><span class="cx"> <varlistentry>
</span><del>- <term>Login Id</term>
- <listitem>
- <para>Specifies the user, in DN format, needed to authenticate. \
The user needs sufficient
- privileges to read and write to the root suffix of the external \
datastore.</para>
- </listitem>
</del><ins>+ <term>Login Id</term>
+ <listitem>
+ <para>
+ Specifies the user, in DN format, needed to authenticate.
+ The user needs sufficient privileges to read and write
+ to the root suffix of the external datastore.
+ </para>
+ </listitem>
</ins><span class="cx"> </varlistentry>
</span><span class="cx">
</span><span class="cx"> <varlistentry>
</span><del>- <term>Password</term>
- <listitem>
- <para>Specifies the password associated with the Login \
Id.</para>
- </listitem>
</del><ins>+ <term>Password</term>
+ <listitem>
+ <para>
+ Specifies the password associated with the Login Id.
+ </para>
+ </listitem>
</ins><span class="cx"> </varlistentry>
</span><span class="cx">
</span><span class="cx"> <varlistentry>
</span><del>- <term>Max Connections</term>
- <listitem>
- <para>Notes the maximum number of remote connections to the \
external datastore.</para>
- </listitem>
</del><ins>+ <term>Max Connections</term>
+ <listitem>
+ <para>
+ Notes the maximum number of remote connections to the external datastore.
+ </para>
+ </listitem>
</ins><span class="cx"> </varlistentry>
</span><span class="cx">
</span><span class="cx"> <varlistentry>
</span><del>- <term>Heartbeat</term>
- <listitem>
- <para>Specifies how often OpenAM should send a heartbeat request \
to the directory server
- to ensure that the connection does not remain idle, in seconds. Default: \
10.</para>
- </listitem>
- </varlistentry>
-
</del><ins>+ <term>Heartbeat</term>
+ <listitem>
+ <para>
+ Specifies how often OpenAM should send a heartbeat request to the directory \
server + to ensure that the connection does not remain idle, in seconds.
+ Default: 10.
+ </para>
+ </listitem>
+ </varlistentry>
</ins><span class="cx"> </variablelist>
</span><span class="cx">
</span><span class="cx"> <variablelist \
xml:id="servers-advanced-configuration"> </span></span></pre></div>
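Review bot: The reflowed "SSL/TLS Enabled" entry still says only "Access the directory service using StartTLS or LDAPS", while the entries after it give 389 for LDAP as the only port example and describe a Login Id and Password with read and write access to the root suffix. The Active Directory data store section added in this same revision states that OpenAM must be able to trust the server certificate, through a CA already in the container's trust store or an imported certificate; the CTS entry should carry the same requirement, and the Port entry should say which port applies when SSL/TLS is enabled. Since the paragraphs are being rewrapped anyway, the fragment "Associated with the Directory Configuration tab associated with individual servers." under Default Token Store should be turned into a full sentence.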
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxreferencechapendpointsxml"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/reference/chap-endpoints.xml \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/reference/chap-endpoints.xml 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/reference/chap-endpoints.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -760,7 +760,7 @@
</span><span class="cx"> \
<term><literal>userDenied.jsp</literal></term> </span><span \
class="cx"> <listitem> </span><span class="cx"> \
<para>Associated with role-based authentication. Tells a user when the required \
role has not been configured </span><del>- for that user. Message \
defined by the user.not.inrole parameter, defined in the amAuthUI.prooperties \
</del><ins>+ for that user. Message defined by the user.not.inrole \
parameter, defined in the amAuthUI.properties </ins><span class="cx"> \
file.</para> </span><span class="cx"> </listitem>
</span><span class="cx"> </varlistentry>
</span></span></pre></div>
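Review bot: On the corrected line, user.not.inrole and amAuthUI.properties are still plain text, although the term of the same entry wraps userDenied.jsp in literal markup. Wrap the parameter name and the file name in literal elements as part of this fix so they stand out from the sentence around them.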
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxreleasenoteschapwhatsnewxml"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/release-notes/chap-whats-new.xml \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/release-notes/chap-whats-new.xml 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/release-notes/chap-whats-new.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -274,6 +274,21 @@
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>
</span><ins>+ <emphasis role="bold">Configurable DN Cache for \
LDAP Data Stores</emphasis>. + OpenAM now has the capability to enable and \
disable DN caching. + DN caching helps avoid DN lookups
+ that can happen in bursts during authentication.
+ (
+ <link
+ xlink:show="new"
+ xlink:href="https://bugster.forgerock.org/jira/browse/OPENAM-3822"
+ >OPENAM-3822</link>
+ ).
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
</ins><span class="cx"> <emphasis role="bold">Quicker UI \
Customization</emphasis>. </span><span class="cx"> While customizing the \
UI, you can set the advanced server property, </span><span class="cx"> \
<literal>org.forgerock.openam.core.resource.lookup.cache.enabled</literal>,
</span></span></pre></div>
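Review bot: The new "Configurable DN Cache for LDAP Data Stores" item says DN caching can be enabled and disabled but names neither the setting nor its default, while the "Quicker UI Customization" item right after it names its property, org.forgerock.openam.core.resource.lookup.cache.enabled. Add the property or console setting name and the default value so readers can tell whether an upgrade changes behaviour. The "(" and ")." are also on lines of their own around the link element, which leaves whitespace inside the parentheses in the rendered text; place them directly against the link.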
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecda \
tastoresactivedirectoryxmlfromrev10288trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresactivedirectoryxml"></a>
<div class="copfile"><h4>Copied: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-active-directory.xml \
(from rev 10288, trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-active-directory.xml) \
(0 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-active-directory.xml \
(rev 0)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-active-directory.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -0,0 +1,1001 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ! CCPL HEADER START
+ !
+ ! This work is licensed under the Creative Commons
+ ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+ ! To view a copy of this license, visit
+ ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+ ! or send a letter to Creative Commons, 444 Castro Street,
+ ! Suite 900, Mountain View, California, 94041, USA.
+ !
+ ! You can also obtain a copy of the license at
+ ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! If applicable, add the following below this CCPL HEADER, with the fields
+ ! enclosed by brackets "[]" replaced with your own identifying \
information: + ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CCPL HEADER END
+ !
+ ! Copyright 2011-2014 ForgeRock AS
+ !
+-->
+<section xml:id="sec-data-stores-active-directory"
+ xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'>
+ <title>Hints for Configuring Active Directory Data Stores</title>
+
+ <para>
+ Use these hints when configuring Active Directory Data Stores.
+ </para>
+
+ <indexterm>
+ <primary>Data stores</primary>
+ <secondary>Active Directory</secondary>
+ </indexterm>
+
+ <para>
+ <command>ssoadm</command> service name:
+ <literal>sunIdentityRepositoryService</literal>
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Name</term>
+ <listitem>
+ <para>
+ Name for the data store configuration
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Load schema when finished</term>
+ <listitem>
+ <para>
+ Add appropriate LDAP schema to the directory server
+ when saving the configuration.
+ The LDAP Bind DN user must have access to perform this operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>idRepoLoadSchema</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Server</term>
+ <listitem>
+ <para>
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ to contact the directory server, with optional
+ <literal>|<replaceable>server_ID</replaceable>|<replaceable>site_ID</replaceable></literal>
+ for deployments with multiple servers and sites
+ </para>
+
+ <orderedlist>
+ <para>
+ OpenAM uses the optional settings to determine
+ which directory server to contact first.
+ OpenAM tries to contact directory servers
+ in the following priority order, with highest priority first.
+ </para>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>server_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>site_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the remaining list
+ </para>
+ </listitem>
+ </orderedlist>
+
+ <para>
+ If the directory server is not available,
+ OpenAM proceeds to the next directory server in the list.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ldap-server</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ of the initial directory server configured for this OpenAM server
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind DN</term>
+ <listitem>
+ <para>
+ Bind DN for connecting to the directory server.
+ Some OpenAM capabilities require write access to directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authid</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>CN=Administrator,CN=Users,<replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind Password</term>
+ <listitem>
+ <para>
+ Bind password for connecting to the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authpw</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Organization DN</term>
+ <listitem>
+ <para>
+ The base DN under which to find user and group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-organization_name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP SSL/TLS Enabled</term>
+ <listitem>
+ <para>
+ Whether to use LDAPS or StartTLS to connect to the directory server.
+ If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+ either because the server certificates were signed by a CA
+ whose certificate is already included in the trust store
+ used by the container where OpenAM runs,
+ or because you imported the certificates into the trust store.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ssl-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Pool Maximum Size</term>
+ <listitem>
+ <para>
+ Maximum number of connections to the directory server.
+ Make sure the directory service can cope
+ with the maximum number of client connections across all servers.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-connection_pool_max_size</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Interval</term>
+ <listitem>
+ <para>
+ How often to send a heartbeat request to the directory server
+ to ensure that the connection does not remain idle.
+ Some network administrators configure firewalls and load balancers
+ to drop connections that are idle for too long.
+ You can turn this off by setting the value to 0 or to a negative number.
+ To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-interval</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Time Unit</term>
+ <listitem>
+ <para>
+ Time unit for the LDAP Connection Heartbeat Interval setting
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-timeunit</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>second</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Maximum Results Returned from Search</term>
+ <listitem>
+ <para>
+ A cap for the number of search results to request.
+ For example when using the Subjects tab to view profiles,
+ even if you set
+ Configuration > Console > Administration > Maximum Results Returned \
from Search + to a larger number, OpenAM does not exceed this setting.
+ Rather than raise this number,
+ consider narrowing your search to match fewer directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-max-result</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Search Timeout</term>
+ <listitem>
+ <para>
+ Maximum time to wait for search results in seconds.
+ Does not apply to persistent searches.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-time-limit</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-search-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Repository Plug-in Class Name</term>
+ <listitem>
+ <para>
+ OpenAM identity repository implementation
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoClass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name Mapping</term>
+ <listitem>
+ <para>
+ Map of OpenAM profile attribute names to directory server attribute names
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoAttributeMapping</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>userPassword=unicodePwd</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Supported Types and Operations</term>
+ <listitem>
+ <para>
+ Map of OpenAM operations that can be performed in the specified OpenAM contexts
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoSupportedOperations</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>group=read,create,edit,delete</literal>,
+ <literal>realm=read,create,edit,delete,service</literal>,
+ <literal>user=read,create,edit,delete</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a user by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Filter</term>
+ <listitem>
+ <para>
+ When searching for users, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=person)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-value</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>users</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Object Class</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP object classes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any such unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>organizationalPerson</literal>,
+ <literal>person</literal>,
+ <literal>top</literal>,
+ <literal>User</literal>,
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Attributes</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP attributes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>assignedDashboard</literal>,
+ <literal>cn</literal>,
+ <literal>devicePrintProfiles</literal>,
+ <literal>displayName</literal>,
+ <literal>distinguishedName</literal>,
+ <literal>dn</literal>,
+ <literal>employeeNumber</literal>,
+ <literal>givenName</literal>,
+ <literal>iplanet-am-auth-configuration</literal>,
+ <literal>iplanet-am-session-add-session-listener-on-all-sessions</literal>,
+ <literal>iplanet-am-session-destroy-sessions</literal>,
+ <literal>iplanet-am-session-get-valid-sessions</literal>,
+ <literal>iplanet-am-session-max-caching-time</literal>,
+ <literal>iplanet-am-session-max-idle-time</literal>,
+ <literal>iplanet-am-session-max-session-time</literal>,
+ <literal>iplanet-am-session-quota-limit</literal>,
+ <literal>iplanet-am-session-service-status</literal>,
+ <literal>iplanet-am-user-account-life</literal>,
+ <literal>iplanet-am-user-admin-start-dn</literal>,
+ <literal>iplanet-am-user-alias-list</literal>,
+ <literal>iplanet-am-user-auth-config</literal>,
+ <literal>iplanet-am-user-auth-modules</literal>,
+ <literal>iplanet-am-user-failure-url</literal>,
+ <literal>iplanet-am-user-federation-info-key</literal>,
+ <literal>iplanet-am-user-federation-info</literal>,
+ <literal>iplanet-am-user-login-status</literal>,
+ <literal>iplanet-am-user-password-reset-force-reset</literal>,
+ <literal>iplanet-am-user-password-reset-options</literal>,
+ <literal>iplanet-am-user-password-reset-question-answer</literal>,
+ <literal>iplanet-am-user-success-url</literal>,
+ <literal>mail</literal>,
+ <literal>name</literal>,
+ <literal>objectclass</literal>,
+ <literal>objectGUID</literal>,
+ <literal>postalAddress</literal>,
+ <literal>preferredlanguage</literal>,
+ <literal>preferredLocale</literal>,
+ <literal>preferredtimezone</literal>,
+ <literal>sAMAccountName</literal>,
+ <literal>sn</literal>,
+ <literal>sun-fm-saml2-nameid-info</literal>,
+ <literal>sun-fm-saml2-nameid-infokey</literal>,
+ <literal>sunAMAuthInvalidAttemptsData</literal>,
+ <literal>sunIdentityMSISDNNumber</literal>,
+ <literal>sunIdentityServerDiscoEntries</literal>,
+ <literal>sunIdentityServerPPAddressCard</literal>,
+ <literal>sunIdentityServerPPCommonNameAltCN</literal>,
+ <literal>sunIdentityServerPPCommonNameCN</literal>,
+ <literal>sunIdentityServerPPCommonNameFN</literal>,
+ <literal>sunIdentityServerPPCommonNameMN</literal>,
+ <literal>sunIdentityServerPPCommonNamePT</literal>,
+ <literal>sunIdentityServerPPCommonNameSN</literal>,
+ <literal>sunIdentityServerPPDemographicsAge</literal>,
+ <literal>sunIdentityServerPPDemographicsBirthDay</literal>,
+ <literal>sunIdentityServerPPDemographicsDisplayLanguage</literal>,
+ <literal>sunIdentityServerPPDemographicsLanguage</literal>,
+ <literal>sunIdentityServerPPDemographicsTimeZone</literal>,
+ <literal>sunIdentityServerPPEmergencyContact</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityAltO</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityJobTitle</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityOrg</literal>,
+ <literal>sunIdentityServerPPEncryPTKey</literal>,
+ <literal>sunIdentityServerPPFacadegreetmesound</literal>,
+ <literal>sunIdentityServerPPFacadeGreetSound</literal>,
+ <literal>sunIdentityServerPPFacadeMugShot</literal>,
+ <literal>sunIdentityServerPPFacadeNamePronounced</literal>,
+ <literal>sunIdentityServerPPFacadeWebSite</literal>,
+ <literal>sunIdentityServerPPInformalName</literal>,
+ <literal>sunIdentityServerPPLegalIdentityAltIdType</literal>,
+ <literal>sunIdentityServerPPLegalIdentityAltIdValue</literal>,
+ <literal>sunIdentityServerPPLegalIdentityDOB</literal>,
+ <literal>sunIdentityServerPPLegalIdentityGender</literal>,
+ <literal>sunIdentityServerPPLegalIdentityLegalName</literal>,
+ <literal>sunIdentityServerPPLegalIdentityMaritalStatus</literal>,
+ <literal>sunIdentityServerPPLegalIdentityVATIdType</literal>,
+ <literal>sunIdentityServerPPLegalIdentityVATIdValue</literal>,
+ <literal>sunIdentityServerPPMsgContact</literal>,
+ <literal>sunIdentityServerPPSignKey</literal>,
+ <literal>telephoneNumber</literal>,
+ <literal>unicodePwd</literal>,
+ <literal>userAccountControl</literal>,
+ <literal>userpassword</literal>,
+ <literal>userPrincipalname</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Create User Attribute Mapping</term>
+ <listitem>
+ <para>
+ When creating a user profile,
+ apply this map of OpenAM profile attribute names
+ to directory server attribute names.
+ </para>
+
+ <para>
+ Attributes not mapped to another attribute
+ (for example, <literal>cn</literal>)
+ and attributes mapped to themselves
+ (for example, <literal>cn=cn</literal>)
+ take the value of the username
+ unless the attribute values are provided when creating the profile.
+ The object classes for user profile LDAP entries
+ generally require Common Name (cn) and Surname (sn) attributes,
+ so this prevents an LDAP constraint violation
+ when performing the add operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-createuser-attr-mapping</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>,
+ <literal>sn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of User Status</term>
+ <listitem>
+ <para>
+ Attribute to check/set user status
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-isactive</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>userAccountControl</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Active Value</term>
+ <listitem>
+ <para>
+ Active users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-active</literal>
+ </para>
+
+ <para>
+ Default:
+ 544
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Inactive Value</term>
+ <listitem>
+ <para>
+ Inactive users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-inactive</literal>
+ </para>
+
+ <para>
+ Default:
+ 546
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Authentication Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute for building the bind DN
+ when given a username and password
+ to authenticate a user against the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-auth-naming-attr</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a group by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Filter</term>
+ <listitem>
+ <para>
+ When searching for groups, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=group)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-value</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>users</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Object Class</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP object classes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Group</literal>,
+ <literal>top</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Attributes</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP attributes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>,
+ <literal>distinguishedName</literal>,
+ <literal>dn</literal>,
+ <literal>member</literal>,
+ <literal>name</literal>,
+ <literal>objectCategory</literal>,
+ <literal>objectclass</literal>,
+ <literal>sAMAccountName</literal>,
+ <literal>sAMAccountType</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name for Group Membership</term>
+ <listitem>
+ <para>
+ LDAP attribute in the member's LDAP entry
+ whose values are the groups to which a member belongs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-memberof</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of Unique Member</term>
+ <listitem>
+ <para>
+ Attribute in the group's LDAP entry
+ whose values are the members of the group
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-uniquemember</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>member</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Base DN</term>
+ <listitem>
+ <para>
+ Base DN for LDAP persistent searches
+ used to receive notification of changes in directory server data
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearchbase</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ Specify either <literal>SCOPE_BASE</literal>
+ or <literal>SCOPE_ONE</literal>.
+ Do not specify <literal>SCOPE_SUB</literal>,
+ as it can have a severe impact on Active Directory performance.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearch-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>The Delay Time Between Retries</term>
+ <listitem>
+ <para>
+ How long to wait after receiving an error result
+ that indicates OpenAM should try the LDAP operation again
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>com.iplanet.am.ldap.connection.delay.between.retries</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000 milliseconds
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Enabled</term>
+ <listitem>
+ <para>
+ Whether to enable the DN cache, which is used to cache DN lookups
+ that can happen in bursts during authentication.
+ As the cache can become stale when a user is moved or renamed,
+ enable DN caching when the directory service allows move/rename operations (Mod \
DN), + and when OpenAM uses persistent searches to obtain notification of such \
updates. + </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Size</term>
+ <listitem>
+ <para>
+ Maximum number of DNs cached when caching is enabled
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-size</literal>
+ </para>
+
+ <para>
+ Default:
+ 1500 items
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</section>
</ins></span></pre></div>
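Review bot: In the Persistent Search Scope entry, the text tells the reader to specify SCOPE_BASE or SCOPE_ONE and not SCOPE_SUB because of its impact on Active Directory performance, yet the Default paragraph of the same entry lists SCOPE_SUB. A deployment that keeps the default therefore runs with the setting the text warns against. Either say that the default must be changed for Active Directory, or explain when SCOPE_SUB is acceptable. The first paragraph of that entry also names the subtree scope SEARCH_SUB, while the literal values use SCOPE_SUB; use one spelling so that readers do not copy a value that the setting does not list. In the DN Cache Enabled entry, the sentence beginning "As the cache can become stale" reads as advice to enable caching whenever Mod DN is allowed. If the intent is that caching is safe only when persistent searches deliver the rename notifications, state that condition directly.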
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecda \
tastoresadamxmlfromrev10288trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresadamxml"></a>
<div class="copfile"><h4>Copied: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-adam.xml \
(from rev 10288, trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-adam.xml) \
(0 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-adam.xml \
(rev 0)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-adam.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -0,0 +1,1013 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ! CCPL HEADER START
+ !
+ ! This work is licensed under the Creative Commons
+ ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+ ! To view a copy of this license, visit
+ ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+ ! or send a letter to Creative Commons, 444 Castro Street,
+ ! Suite 900, Mountain View, California, 94041, USA.
+ !
+ ! You can also obtain a copy of the license at
+ ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! If applicable, add the following below this CCPL HEADER, with the fields
+ ! enclosed by brackets "[]" replaced with your own identifying \
information: + ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CCPL HEADER END
+ !
+ ! Copyright 2011-2014 ForgeRock AS
+ !
+-->
+<section xml:id="sec-data-stores-adam"
+ xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'>
+ <title>Hints for Configuring Active Directory Application Mode (ADAM) Data \
Stores</title> +
+ <para>
+ Use these hints when configuring Active Directory Application Mode (ADAM) Data \
Stores. + </para>
+
+ <indexterm>
+ <primary>Data stores</primary>
+ <secondary>Active Directory Application Mode (ADAM)</secondary>
+ </indexterm>
+
+ <para>
+ <command>ssoadm</command> service name:
+ <literal>sunIdentityRepositoryService</literal>
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Name</term>
+ <listitem>
+ <para>
+ Name for the data store configuration
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Load schema when finished</term>
+ <listitem>
+ <para>
+ Add appropriate LDAP schema to the directory server
+ when saving the configuration.
+ The LDAP Bind DN user must have access to perform this operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>idRepoLoadSchema</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Server</term>
+ <listitem>
+ <para>
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ to contact the directory server, with optional
+ <literal>|<replaceable>server_ID</replaceable>|<replaceable>site_ID</replaceable></literal>
+ for deployments with multiple servers and sites
+ </para>
+
+ <orderedlist>
+ <para>
+ OpenAM uses the optional settings to determine
+ which directory server to contact first.
+ OpenAM tries to contact directory servers
+ in the following priority order, with highest priority first.
+ </para>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>server_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>site_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the remaining list
+ </para>
+ </listitem>
+ </orderedlist>
+
+ <para>
+ If the directory server is not available,
+ OpenAM proceeds to the next directory server in the list.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ldap-server</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ of the initial directory server configured for this OpenAM server
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind DN</term>
+ <listitem>
+ <para>
+ Bind DN for connecting to the directory server.
+ Some OpenAM capabilities require write access to directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authid</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>CN=Administrator,CN=Users,<replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind Password</term>
+ <listitem>
+ <para>
+ Bind password for connecting to the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authpw</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Organization DN</term>
+ <listitem>
+ <para>
+ The base DN under which to find user and group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-organization_name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP SSL/TLS Enabled</term>
+ <listitem>
+ <para>
+ Whether to use LDAPS or StartTLS to connect to the directory server.
+ If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+ either because the server certificates were signed by a CA
+ whose certificate is already included in the trust store
+ used by the container where OpenAM runs,
+ or because you imported the certificates into the trust store.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ssl-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Pool Maximum Size</term>
+ <listitem>
+ <para>
+ Maximum number of connections to the directory server.
+ Make sure the directory service can cope
+ with the maximum number of client connections across all servers.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-connection_pool_max_size</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Interval</term>
+ <listitem>
+ <para>
+ How often to send a heartbeat request to the directory server
+ to ensure that the connection does not remain idle.
+ Some network administrators configure firewalls
+ and load balancers to drop connections that are idle for too long.
+ You can turn this off by setting the value to 0 or to a negative number.
+ To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-interval</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Time Unit</term>
+ <listitem>
+ <para>
+ Time unit for the LDAP Connection Heartbeat Interval setting
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-timeunit</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>second</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Maximum Results Returned from Search</term>
+ <listitem>
+ <para>
+ A cap for the number of search results to request.
+ For example when using the Subjects tab to view profiles,
+ even if you set
+ Configuration > Console > Administration > Maximum Results Returned \
from Search + to a larger number, OpenAM does not exceed this setting.
+ Rather than raise this number,
+ consider narrowing your search to match fewer directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-max-result</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Search Timeout</term>
+ <listitem>
+ <para>
+ Maximum time to wait for search results in seconds.
+ Does not apply to persistent searches.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-time-limit</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-search-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Repository Plug-in Class Name</term>
+ <listitem>
+ <para>
+ OpenAM identity repository implementation
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoClass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name Mapping</term>
+ <listitem>
+ <para>
+ Map of OpenAM profile attribute names to directory server attribute names
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoAttributeMapping</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>userPassword=unicodePwd</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Supported Types and Operations</term>
+ <listitem>
+ <para>
+ Map of OpenAM operations that can be performed in the specified OpenAM contexts
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoSupportedOperations</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>group=read,create,edit,delete</literal>,
+ <literal>realm=read,create,edit,delete,service</literal>,
+ <literal>user=read,create,edit,delete</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a user by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Filter</term>
+ <listitem>
+ <para>
+ When searching for users, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=person)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-name</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-value</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Object Class</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP object classes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>devicePrintProfilesContainer</literal>,
+ <literal>forgerock-am-dashboard-service</literal>,
+ <literal>iplanet-am-auth-configuration-service</literal>,
+ <literal>iplanet-am-managed-person</literal>,
+ <literal>iplanet-am-user-service</literal>,
+ <literal>iPlanetPreferences</literal>,
+ <literal>organizationalPerson</literal>,
+ <literal>person</literal>,
+ <literal>sunAMAuthAccountLockout</literal>,
+ <literal>sunFederationManagerDataStore</literal>,
+ <literal>sunFMSAML2NameIdentifier</literal>,
+ <literal>sunIdentityServerLibertyPPService</literal>,
+ <literal>top</literal>,
+ <literal>User</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Attributes</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP attributes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>assignedDashboard</literal>,
+ <literal>cn</literal>,
+ <literal>devicePrintProfiles</literal>,
+ <literal>displayName</literal>,
+ <literal>distinguishedName</literal>,
+ <literal>dn</literal>,
+ <literal>employeeNumber</literal>,
+ <literal>givenName</literal>,
+ <literal>iplanet-am-auth-configuration</literal>,
+ <literal>iplanet-am-session-add-session-listener-on-all-sessions</literal>,
+ <literal>iplanet-am-session-destroy-sessions</literal>,
+ <literal>iplanet-am-session-get-valid-sessions</literal>,
+ <literal>iplanet-am-session-max-caching-time</literal>,
+ <literal>iplanet-am-session-max-idle-time</literal>,
+ <literal>iplanet-am-session-max-session-time</literal>,
+ <literal>iplanet-am-session-quota-limit</literal>,
+ <literal>iplanet-am-session-service-status</literal>,
+ <literal>iplanet-am-user-account-life</literal>,
+ <literal>iplanet-am-user-admin-start-dn</literal>,
+ <literal>iplanet-am-user-alias-list</literal>,
+ <literal>iplanet-am-user-auth-config</literal>,
+ <literal>iplanet-am-user-auth-modules</literal>,
+ <literal>iplanet-am-user-failure-url</literal>,
+ <literal>iplanet-am-user-federation-info-key</literal>,
+ <literal>iplanet-am-user-federation-info</literal>,
+ <literal>iplanet-am-user-login-status</literal>,
+ <literal>iplanet-am-user-password-reset-force-reset</literal>,
+ <literal>iplanet-am-user-password-reset-options</literal>,
+ <literal>iplanet-am-user-password-reset-question-answer</literal>,
+ <literal>iplanet-am-user-success-url</literal>,
+ <literal>mail</literal>,
+ <literal>name</literal>,
+ <literal>objectclass</literal>,
+ <literal>objectGUID</literal>,
+ <literal>postalAddress</literal>,
+ <literal>preferredlanguage</literal>,
+ <literal>preferredLocale</literal>,
+ <literal>preferredtimezone</literal>,
+ <literal>sAMAccountName</literal>,
+ <literal>sn</literal>,
+ <literal>sun-fm-saml2-nameid-info</literal>,
+ <literal>sun-fm-saml2-nameid-infokey</literal>,
+ <literal>sunAMAuthInvalidAttemptsData</literal>,
+ <literal>sunIdentityMSISDNNumber</literal>,
+ <literal>sunIdentityServerDiscoEntries</literal>,
+ <literal>sunIdentityServerPPAddressCard</literal>,
+ <literal>sunIdentityServerPPCommonNameAltCN</literal>,
+ <literal>sunIdentityServerPPCommonNameCN</literal>,
+ <literal>sunIdentityServerPPCommonNameFN</literal>,
+ <literal>sunIdentityServerPPCommonNameMN</literal>,
+ <literal>sunIdentityServerPPCommonNamePT</literal>,
+ <literal>sunIdentityServerPPCommonNameSN</literal>,
+ <literal>sunIdentityServerPPDemographicsAge</literal>,
+ <literal>sunIdentityServerPPDemographicsBirthDay</literal>,
+ <literal>sunIdentityServerPPDemographicsDisplayLanguage</literal>,
+ <literal>sunIdentityServerPPDemographicsLanguage</literal>,
+ <literal>sunIdentityServerPPDemographicsTimeZone</literal>,
+ <literal>sunIdentityServerPPEmergencyContact</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityAltO</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityJobTitle</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityOrg</literal>,
+ <literal>sunIdentityServerPPEncryPTKey</literal>,
+ <literal>sunIdentityServerPPFacadegreetmesound</literal>,
+ <literal>sunIdentityServerPPFacadeGreetSound</literal>,
+ <literal>sunIdentityServerPPFacadeMugShot</literal>,
+ <literal>sunIdentityServerPPFacadeNamePronounced</literal>,
+ <literal>sunIdentityServerPPFacadeWebSite</literal>,
+ <literal>sunIdentityServerPPInformalName</literal>,
+ <literal>sunIdentityServerPPLegalIdentityAltIdType</literal>,
+ <literal>sunIdentityServerPPLegalIdentityAltIdValue</literal>,
+ <literal>sunIdentityServerPPLegalIdentityDOB</literal>,
+ <literal>sunIdentityServerPPLegalIdentityGender</literal>,
+ <literal>sunIdentityServerPPLegalIdentityLegalName</literal>,
+ <literal>sunIdentityServerPPLegalIdentityMaritalStatus</literal>,
+ <literal>sunIdentityServerPPLegalIdentityVATIdType</literal>,
+ <literal>sunIdentityServerPPLegalIdentityVATIdValue</literal>,
+ <literal>sunIdentityServerPPMsgContact</literal>,
+ <literal>sunIdentityServerPPSignKey</literal>,
+ <literal>telephoneNumber</literal>,
+ <literal>unicodePwd</literal>,
+ <literal>userAccountControl</literal>,
+ <literal>userpassword</literal>,
+ <literal>userPrincipalname</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Create User Attribute Mapping</term>
+ <listitem>
+ <para>
+ When creating a user profile,
+ apply this map of OpenAM profile attribute names
+ to directory server attribute names.
+ </para>
+
+ <para>
+ Attributes not mapped to another attribute
+ (for example, <literal>cn</literal>)
+ and attributes mapped to themselves
+ (for example, <literal>cn=cn</literal>)
+ take the value of the username
+ unless the attribute values are provided when creating the profile.
+ The object classes for user profile LDAP entries
+ generally require Common Name (cn) and Surname (sn) attributes,
+ so this prevents an LDAP constraint violation
+ when performing the add operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-createuser-attr-mapping</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>,
+ <literal>sn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of User Status</term>
+ <listitem>
+ <para>
+ Attribute to check/set user status
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-isactive</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>msDS-UserAccountDisabled</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Active Value</term>
+ <listitem>
+ <para>
+ Active users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-active</literal>
+ </para>
+
+ <para>
+ Default:
+ FALSE
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Inactive Value</term>
+ <listitem>
+ <para>
+ Inactive users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-inactive</literal>
+ </para>
+
+ <para>
+ Default:
+ TRUE
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Authentication Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute for building the bind DN when given a username and password
+ to authenticate a user against the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-auth-naming-attr</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a group by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Filter</term>
+ <listitem>
+ <para>
+ When searching for groups, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=group)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-value</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Object Class</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP object classes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Group</literal>,
+ <literal>top</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Attributes</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP attributes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>,
+ <literal>distinguishedName</literal>,
+ <literal>dn</literal>,
+ <literal>member</literal>,
+ <literal>name</literal>,
+ <literal>objectCategory</literal>,
+ <literal>objectclass</literal>,
+ <literal>sAMAccountName</literal>,
+ <literal>sAMAccountType</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name for Group Membership</term>
+ <listitem>
+ <para>
+ LDAP attribute in the member's LDAP entry
+ whose values are the groups to which a member belongs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-memberof</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of Unique Member</term>
+ <listitem>
+ <para>
+ Attribute in the group's LDAP entry
+ whose values are the members of the group
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-uniquemember</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>member</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Base DN</term>
+ <listitem>
+ <para>
+ Base DN for LDAP persistent searches used
+ to receive notification of changes in directory server data
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearchbase</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ Specify either <literal>SCOPE_BASE</literal>
+ or <literal>SCOPE_ONE</literal>.
+ Do not specify <literal>SCOPE_SUB</literal>,
+ as it can have a severe impact on Active Directory performance.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearch-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>The Delay Time Between Retries</term>
+ <listitem>
+ <para>
+ How long to wait after receiving an error result
+ that indicates OpenAM should try the LDAP operation again
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>com.iplanet.am.ldap.connection.delay.between.retries</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000 milliseconds
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Enabled</term>
+ <listitem>
+ <para>
+ Whether to enable the DN cache, which is used to cache DN lookups
+ that can happen in bursts during authentication.
+ As the cache can become stale when a user is moved or renamed,
+ enable DN caching when the directory service allows move/rename operations (Mod \
DN), + and when OpenAM uses persistent searches to obtain notification of such \
updates. + </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Size</term>
+ <listitem>
+ <para>
+ Maximum number of DNs cached when caching is enabled
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-size</literal>
+ </para>
+
+ <para>
+ Default:
+ 1500 items
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</section>
</ins></span></pre></div>
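Review bot: In the Persistent Search Scope entry the guidance and the documented default contradict each other: the text says "Do not specify SCOPE_SUB" because of the impact on Active Directory performance, yet the Default paragraph gives SCOPE_SUB. Either correct the default shown or state explicitly that the administrator must change it to SCOPE_BASE or SCOPE_ONE after creating the data store. The same entry names the subtree scope "SEARCH_SUB" in its first paragraph and "SCOPE_SUB" afterwards; use SCOPE_SUB throughout. Separately, the DN Cache Enabled sentence is hard to follow: it gives staleness after a move or rename as the reason, then advises enabling the cache when Mod DN is allowed. Reword it so it is clear that persistent search notification is the precondition that keeps the cache valid.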
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecda \
tastoresdbxmlfromrev10288trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresdbxml"></a>
<div class="copfile"><h4>Copied: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-db.xml \
(from rev 10288, trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-db.xml) \
(0 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-db.xml \
(rev 0)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-db.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -0,0 +1,538 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ! CCPL HEADER START
+ !
+ ! This work is licensed under the Creative Commons
+ ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+ ! To view a copy of this license, visit
+ ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+ ! or send a letter to Creative Commons, 444 Castro Street,
+ ! Suite 900, Mountain View, California, 94041, USA.
+ !
+ ! You can also obtain a copy of the license at
+ ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! If applicable, add the following below this CCPL HEADER, with the fields
+ ! enclosed by brackets "[]" replaced with your own identifying \
information: + ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CCPL HEADER END
+ !
+ ! Copyright 2011-2014 ForgeRock AS
+ !
+-->
+<section xml:id="sec-data-stores-db"
+ xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'
+ xmlns:xlink='http://www.w3.org/1999/xlink'>
+ <title>Hints for Configuring Database Repository (Early Access) Data \
Stores</title> +
+ <para>
+ Use these hints when configuring Database Repository (Early Access) Data Stores.
+ </para>
+
+ <important>
+ <para>
+ This feature is in Early Access,
+ meaning it is not generally supported for use in production environments.
+ If you expect to use a relational database as an identity repository
+ other than for development or testing purposes,
+ first confirm supportability of your configuration with an expert.
+ You can contact ForgeRock at
+ <link xlink:href="mailto:info@forgerock.com">info@forgerock.com</link>.
+ </para>
+ </important>
+
+ <indexterm>
+ <primary>Data stores</primary>
+ <secondary>Database Repository (Early Access)</secondary>
+ </indexterm>
+
+ <para>
+ <command>ssoadm</command> service name:
+ <literal>sunIdentityRepositoryService</literal>
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Name</term>
+ <listitem>
+ <para>
+ Name for the data store configuration
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Load schema when finished</term>
+ <listitem>
+ <para>
+ Add the appropriate schema to the database on saving the configuration.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>idRepoLoadSchema</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Database Data Access Object Plugin Class Name</term>
+ <listitem>
+ <para>
+ OpenAM data access implementation
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-dao-class-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>com.sun.identity.idm.plugins.database.JdbcSimpleUserDao</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Connection Type</term>
+ <listitem>
+ <para>
+ Whether to connect directly to the database,
+ or to connect through JNDI provided by the container where OpenAM runs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-dao-JDBCConnectionType</literal>
+ </para>
+
+ <para>
+ Default:
+ Connection is retrieved via programmatic connection
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Database DataSource Name</term>
+ <listitem>
+ <para>
+ Data source name from the container configuration when connecting over JNDI
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-DataSourceJndiName</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>java:comp/env/jdbc/openssousersdb</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>JDBC Driver Class Name</term>
+ <listitem>
+ <para>
+ Driver class used when connecting directly
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-JDBCDriver</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>com.mysql.jdbc.Driver</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>JDBC Driver URL</term>
+ <listitem>
+ <para>
+ URL used when connecting directly
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-JDBCUrl</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>jdbc:mysql://127.0.0.1:3306/test</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Connect This User to Database</term>
+ <listitem>
+ <para>
+ Username used when connecting directly
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-JDBCDbuser</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>root</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Password for Connecting to Database</term>
+ <listitem>
+ <para>
+ Password used when connecting directly
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-JDBCDbpassword</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Maximum Results Returned from Search</term>
+ <listitem>
+ <para>
+ A cap for the number of search results to request.
+ For example when using the Subjects tab to view profiles,
+ even if you set
+ Configuration > Console > Administration > Maximum Results Returned \
from Search + to a larger number, OpenAM does not exceed this setting.
+ Rather than raise this number,
+ consider narrowing your search to match fewer profiles.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-config-max-result</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Database Repository Plugin Class Name</term>
+ <listitem>
+ <para>
+ OpenAM identity repository implementation
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoClass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>com.sun.identity.idm.plugins.database.DatabaseRepo</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name Mapping</term>
+ <listitem>
+ <para>
+ Map of OpenAM profile attribute names to database column names
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoAttributeMapping</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>iplanet-am-user-account-life=iplanet_am_user_account_life</literal>,
+ <literal>iplanet-am-user-alias-list=iplanet_am_user_alias_list</literal>,
+ <literal>iplanet-am-user-auth-config=iplanet_am_user_auth_config</literal>,
+ <literal>iplanet-am-user-failure-url=iplanet_am_user_failure_url</literal>,
+ <literal>iplanet-am-user-password-reset-force-reset=iplanet_am_user_password_reset_force_reset</literal>,
+ <literal>iplanet-am-user-password-reset-question-answer=iplanet_am_user_password_reset_question_answer</literal>,
+ <literal>iplanet-am-user-password-resetoptions=iplanet_am_user_password_resetoptions</literal>,
+ <literal>iplanet-am-user-success-url=iplanet_am_user_success_url</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Database Plug-in Supported Types and Operations</term>
+ <listitem>
+ <para>
+ Map of OpenAM operations that can be performed in the specified OpenAM contexts
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-sunIdRepoSupportedOperations</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>group=read,create,edit,delete</literal>,
+ <literal>user=read,create,edit,delete,service</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Database User Table Name</term>
+ <listitem>
+ <para>
+ Table to store user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-UserTableName</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>opensso_users</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>List of User Attributes Names in Database</term>
+ <listitem>
+ <para>
+ Columns for user profile attributes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-UserAttrs</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ChangePassword</literal>,
+ <literal>cn</literal>,
+ <literal>employeenumber</literal>,
+ <literal>givenname</literal>,
+ <literal>inetuserstatus</literal>,
+ <literal>iplanet_am_user_account_life</literal>,
+ <literal>iplanet_am_user_alias_list</literal>,
+ <literal>iplanet_am_user_auth_config</literal>,
+ <literal>iplanet_am_user_failure_url</literal>,
+ <literal>iplanet_am_user_password_reset_force_reset</literal>,
+ <literal>iplanet_am_user_password_reset_question_answer</literal>,
+ <literal>iplanet_am_user_password_resetoptions</literal>,
+ <literal>iplanet_am_user_success_url</literal>,
+ <literal>mail</literal>,
+ <literal>manager</literal>,
+ <literal>postaladdress</literal>,
+ <literal>preferredlocale</literal>,
+ <literal>sn</literal>,
+ <literal>sunIdentityMSISDNNumber</literal>,
+ <literal>telephonenumber</literal>,
+ <literal>uid</literal>,
+ <literal>userpassword</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Password Attribute Name</term>
+ <listitem>
+ <para>
+ Column for user passwords
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-UserPasswordAttr</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>userpassword</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User ID Attribute Name</term>
+ <listitem>
+ <para>
+ Column for user IDs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-UserIDAttr</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uid</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of User Status</term>
+ <listitem>
+ <para>
+ Column to check/set user status
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-UserStatusAttr</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>inetuserstatus</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Active Value</term>
+ <listitem>
+ <para>
+ Active users have the user status set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-activeValue</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Active</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Inactive Value</term>
+ <listitem>
+ <para>
+ Inactive users have the user status set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-inactiveValue</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Inactive</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Users Search Attribute in Database</term>
+ <listitem>
+ <para>
+ Key for looking up user profiles by name
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-config-users-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Database Membership table name</term>
+ <listitem>
+ <para>
+ Table to store group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-MembershipTableName</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>groups</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Membership ID Attribute Name</term>
+ <listitem>
+ <para>
+ Column for group IDs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-MembershipIDAttr</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>group_name</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Membership Search Attribute in Database</term>
+ <listitem>
+ <para>
+ Key for looking up group profiles by name
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-opensso-database-membership-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</section>
</ins></span></pre></div>
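Review bot: The Connect This User to Database entry documents "Default: root" and JDBC Driver URL documents jdbc:mysql://127.0.0.1:3306/test with no guidance beside either. Add a sentence advising a dedicated database account, limited to the user and membership tables, in place of root. The Password for Connecting to Database and User Password Attribute Name entries say only "Password used when connecting directly" and "Column for user passwords"; document the form in which each value is stored so a reader can judge the exposure. Minor: the CCPL header points at trunk/opendj3/legal-notices/CC-BY-NC-ND.txt although this file lives under openam, and the term "Database Membership table name" is capitalised differently from "Database User Table Name".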
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecda \
tastoresdseexmlfromrev10288trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresdseexml"></a>
<div class="copfile"><h4>Copied: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-dsee.xml \
(from rev 10288, trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-dsee.xml) \
(0 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-dsee.xml \
(rev 0)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-dsee.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -0,0 +1,1261 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ! CCPL HEADER START
+ !
+ ! This work is licensed under the Creative Commons
+ ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+ ! To view a copy of this license, visit
+ ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+ ! or send a letter to Creative Commons, 444 Castro Street,
+ ! Suite 900, Mountain View, California, 94041, USA.
+ !
+ ! You can also obtain a copy of the license at
+ ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! If applicable, add the following below this CCPL HEADER, with the fields
+ ! enclosed by brackets "[]" replaced with your own identifying \
information: + ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CCPL HEADER END
+ !
+ ! Copyright 2011-2014 ForgeRock AS
+ !
+-->
+<section xml:id="sec-data-stores-dsee"
+ xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'>
+ <title>Hints for Configuring Sun DS with OpenAM schema Data \
Stores</title> +
+ <para>
+ Use these hints when configuring Data Stores
+ for Oracle DSEE or Sun DSEE using OpenAM schema.
+ </para>
+
+ <indexterm>
+ <primary>Data stores</primary>
+ <secondary>Oracle DSEE</secondary>
+ </indexterm>
+
+ <para>
+ <command>ssoadm</command> service name:
+ <literal>sunIdentityRepositoryService</literal>
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Name</term>
+ <listitem>
+ <para>
+ Name for the data store configuration
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Load schema when finished</term>
+ <listitem>
+ <para>
+ Add appropriate LDAP schema to the directory server
+ when saving the configuration.
+ The LDAP Bind DN user must have access to perform this operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>idRepoLoadSchema</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Server</term>
+ <listitem>
+ <para>
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ to contact the directory server, with optional
+ <literal>|<replaceable>server_ID</replaceable>|<replaceable>site_ID</replaceable></literal>
+ for deployments with multiple servers and sites
+ </para>
+
+ <orderedlist>
+ <para>
+ OpenAM uses the optional settings to determine
+ which directory server to contact first.
+ OpenAM tries to contact directory servers
+ in the following priority order, with highest priority first.
+ </para>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>server_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>site_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the remaining list
+ </para>
+ </listitem>
+ </orderedlist>
+
+ <para>
+ If the directory server is not available,
+ OpenAM proceeds to the next directory server in the list.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ldap-server</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ of the initial directory server configured for this OpenAM server
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind DN</term>
+ <listitem>
+ <para>
+ Bind DN for connecting to the directory server.
+ Some OpenAM capabilities require write access to directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authid</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn=dsameuser,ou=DSAME \
Users,<replaceable>base-dn</replaceable></literal> + \
</para> + </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind Password</term>
+ <listitem>
+ <para>
+ Bind password for connecting to the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authpw</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Organization DN</term>
+ <listitem>
+ <para>
+ The base DN under which to find user and group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-organization_name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP SSL/TLS Enabled</term>
+ <listitem>
+ <para>
+ Whether to use LDAPS or StartTLS to connect to the directory server.
+ If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+ either because the server certificates were signed by a CA
+ whose certificate is already included in the trust store
+ used by the container where OpenAM runs,
+ or because you imported the certificates into the trust store.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ssl-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Pool Maximum Size</term>
+ <listitem>
+ <para>
+ Maximum number of connections to the directory server.
+ Make sure the directory service can cope
+ with the maximum number of client connections across all servers.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-connection_pool_max_size</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Interval</term>
+ <listitem>
+ <para>
+ How often to send a heartbeat request to the directory server
+ to ensure that the connection does not remain idle.
+ Some network administrators configure firewalls
+ and load balancers to drop connections that are idle for too long.
+ You can turn this off by setting the value to 0 or to a negative number.
+ To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-interval</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Time Unit</term>
+ <listitem>
+ <para>
+ Time unit for the LDAP Connection Heartbeat Interval setting
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-timeunit</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>second</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Maximum Results Returned from Search</term>
+ <listitem>
+ <para>
+ A cap for the number of search results to request.
+ For example when using the Subjects tab to view profiles,
+ even if you set
+ Configuration > Console > Administration > Maximum Results Returned \
from Search + to a larger number, OpenAM does not exceed this setting.
+ Rather than raise this number,
+ consider narrowing your search to match fewer directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-max-result</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Search Timeout</term>
+ <listitem>
+ <para>
+ Maximum time to wait for search results in seconds.
+ Does not apply to persistent searches.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-time-limit</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-search-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Repository Plug-in Class Name</term>
+ <listitem>
+ <para>
+ OpenAM identity repository implementation
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoClass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name Mapping</term>
+ <listitem>
+ <para>
+ Map of OpenAM profile attribute names to directory server attribute names
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoAttributeMapping</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Supported Types and Operations</term>
+ <listitem>
+ <para>
+ Map of OpenAM operations that can be performed in the specified OpenAM contexts
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoSupportedOperations</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>filteredrole=read,create,edit,delete</literal>,
+ <literal>group=read,create,edit,delete</literal>,
+ <literal>realm=read,create,edit,delete,service</literal>,
+ <literal>role=read,create,edit,delete</literal>,
+ <literal>user=read,create,edit,delete,service</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a user by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uid</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Filter</term>
+ <listitem>
+ <para>
+ When searching for users, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=inetorgperson)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ou</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-value</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>people</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Object Class</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP object classes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>devicePrintProfilesContainer</literal>,
+ <literal>forgerock-am-dashboard-service</literal>,
+ <literal>inetadmin</literal>,
+ <literal>inetorgperson</literal>,
+ <literal>inetuser</literal>,
+ <literal>iplanet-am-auth-configuration-service</literal>,
+ <literal>iplanet-am-managed-person</literal>,
+ <literal>iplanet-am-user-service</literal>,
+ <literal>iPlanetPreferences</literal>,
+ <literal>organizationalperson</literal>,
+ <literal>person</literal>,
+ <literal>sunAMAuthAccountLockout</literal>,
+ <literal>sunFederationManagerDataStore</literal>,
+ <literal>sunFMSAML2NameIdentifier</literal>,
+ <literal>sunIdentityServerLibertyPPService</literal>,
+ <literal>top</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Attributes</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP attributes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>sunIdentityServerPPDemographicsBirthDay</literal>,
+ <literal>uid</literal>,
+ <literal>sunIdentityServerPPLegalIdentityLegalName</literal>,
+ <literal>manager</literal>,
+ <literal>assignedDashboard</literal>,
+ <literal>sunIdentityServerPPCommonNameSN</literal>,
+ <literal>userPassword</literal>,
+ <literal>iplanet-am-session-get-valid-sessions</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityJobTitle</literal>,
+ <literal>iplanet-am-user-password-reset-question-answer</literal>,
+ <literal>sunIdentityServerPPLegalIdentityDOB</literal>,
+ <literal>sunIdentityServerPPEmergencyContact</literal>,
+ <literal>sunIdentityServerPPCommonNameCN</literal>,
+ <literal>iplanet-am-user-success-url</literal>,
+ <literal>iplanet-am-user-admin-start-dn</literal>,
+ <literal>iplanet-am-user-federation-info</literal>,
+ <literal>userCertificate</literal>,
+ <literal>sunIdentityServerPPFacadeGreetSound</literal>,
+ <literal>sunAMAuthInvalidAttemptsData</literal>,
+ <literal>sunIdentityServerPPFacadeNamePronounced</literal>,
+ <literal>distinguishedName</literal>,
+ <literal>sunIdentityServerPPDemographicsTimeZone</literal>,
+ <literal>sunIdentityMSISDNNumber</literal>,
+ <literal>iplanet-am-session-max-caching-time</literal>,
+ <literal>sn</literal>,
+ <literal>iplanet-am-session-quota-limit</literal>,
+ <literal>iplanet-am-session-max-session-time</literal>,
+ <literal>adminRole</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityAltO</literal>,
+ <literal>objectClass</literal>,
+ <literal>sun-fm-saml2-nameid-info</literal>,
+ <literal>sunIdentityServerPPLegalIdentityMaritalStatus</literal>,
+ <literal>iplanet-am-user-login-status</literal>,
+ <literal>sunIdentityServerPPLegalIdentityAltIdType</literal>,
+ <literal>devicePrintProfiles</literal>,
+ <literal>iplanet-am-session-max-idle-time</literal>,
+ <literal>sunIdentityServerPPFacadegreetmesound</literal>,
+ <literal>cn</literal>,
+ <literal>iplanet-am-user-password-reset-options</literal>,
+ <literal>telephoneNumber</literal>,
+ <literal>preferredlanguage</literal>,
+ <literal>iplanet-am-user-federation-info-key</literal>,
+ <literal>sunIdentityServerPPMsgContact</literal>,
+ <literal>sunIdentityServerPPLegalIdentityGender</literal>,
+ <literal>iplanet-am-user-alias-list</literal>,
+ <literal>sunIdentityServerPPCommonNameFN</literal>,
+ <literal>caCertificate</literal>,
+ <literal>inetUserStatus</literal>,
+ <literal>sunIdentityServerPPCommonNameMN</literal>,
+ <literal>sunIdentityServerPPEncryPTKey</literal>,
+ <literal>givenName</literal>,
+ <literal>memberOf</literal>,
+ <literal>iplanet-am-static-group-dn</literal>,
+ <literal>sunIdentityServerPPLegalIdentityVATIdValue</literal>,
+ <literal>preferredLocale</literal>,
+ <literal>iplanet-am-session-service-status</literal>,
+ <literal>sun-fm-saml2-nameid-infokey</literal>,
+ <literal>sunIdentityServerPPDemographicsAge</literal>,
+ <literal>sunIdentityServerDiscoEntries</literal>,
+ <literal>sunIdentityServerPPLegalIdentityVATIdType</literal>,
+ <literal>iplanet-am-user-auth-config</literal>,
+ <literal>iplanet-am-user-failure-url</literal>,
+ <literal>sunIdentityServerPPAddressCard</literal>,
+ <literal>sunIdentityServerPPCommonNamePT</literal>,
+ <literal>dn</literal>,
+ <literal>iplanet-am-session-add-session-listener-on-all-sessions</literal>,
+ <literal>mail</literal>,
+ <literal>authorityRevocationList</literal>,
+ <literal>iplanet-am-user-password-reset-force-reset</literal>,
+ <literal>inetUserHttpURL</literal>,
+ <literal>sunIdentityServerPPLegalIdentityAltIdValue</literal>,
+ <literal>sunIdentityServerPPCommonNameAltCN</literal>,
+ <literal>preferredtimezone</literal>,
+ <literal>sunIdentityServerPPInformalName</literal>,
+ <literal>sunIdentityServerPPSignKey</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityOrg</literal>,
+ <literal>iplanet-am-session-destroy-sessions</literal>,
+ <literal>sunIdentityServerPPFacadeMugShot</literal>,
+ <literal>sunIdentityServerPPFacadeWebSite</literal>,
+ <literal>sunIdentityServerPPDemographicsDisplayLanguage</literal>,
+ <literal>postalAddress</literal>,
+ <literal>iplanet-am-auth-configuration</literal>,
+ <literal>employeeNumber</literal>,
+ <literal>iplanet-am-user-auth-modules</literal>,
+ <literal>iplanet-am-user-account-life</literal>,
+ <literal>sunIdentityServerPPDemographicsLanguage</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Create User Attribute Mapping</term>
+ <listitem>
+ <para>
+ When creating a user profile,
+ apply this map of OpenAM profile attribute names
+ to directory server attribute names.
+ </para>
+
+ <para>
+ Attributes not mapped to another attribute
+ (for example, <literal>cn</literal>)
+ and attributes mapped to themselves
+ (for example, <literal>cn=cn</literal>)
+ take the value of the username
+ unless the attribute values are provided when creating the profile.
+ The object classes for user profile LDAP entries
+ generally require Common Name (cn) and Surname (sn) attributes,
+ so this prevents an LDAP constraint violation
+ when performing the add operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-createuser-attr-mapping</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>,
+ <literal>sn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of User Status</term>
+ <listitem>
+ <para>
+ Attribute to check/set user status
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-isactive</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>inetuserstatus</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Active Value</term>
+ <listitem>
+ <para>
+ Active users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-active</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Active</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Inactive Value</term>
+ <listitem>
+ <para>
+ Inactive users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-inactive</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Inactive</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Authentication Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute for building the bind DN when given a username and password
+ to authenticate a user against the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-auth-naming-attr</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uid</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a group by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Filter</term>
+ <listitem>
+ <para>
+ When searching for groups, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=groupOfUniqueNames)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ou</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-value</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>groups</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Object Class</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP object classes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>groupofuniquenames</literal>,
+ <literal>iplanet-am-managed-group</literal>,
+ <literal>iplanet-am-managed-static-group</literal>,
+ <literal>groupofurls</literal>,
+ <literal>top</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Attributes</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP attributes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>,
+ <literal>iplanet-am-group-subscribable</literal>,
+ <literal>dn</literal>,
+ <literal>objectclass</literal>,
+ <literal>uniqueMember</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name for Group Membership</term>
+ <listitem>
+ <para>
+ LDAP attribute in the member's LDAP entry
+ whose values are the groups to which a member belongs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-memberof</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of Unique Member</term>
+ <listitem>
+ <para>
+ Attribute in the group's LDAP entry
+ whose values are the members of the group
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-uniquemember</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uniqueMember</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of Group Member URL</term>
+ <listitem>
+ <para>
+ Attribute in the dynamic group's LDAP entry
+ whose values are LDAP URLs specifying members of the group
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-memberurl</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>memberUrl</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Roles Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a role by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-roles-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Roles Search Filter</term>
+ <listitem>
+ <para>
+ When searching for roles, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-roles-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(&amp;(objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition))</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Roles Object Class</term>
+ <listitem>
+ <para>
+ Role profiles have these LDAP object classes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-role-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ldapsubentry</literal>,
+ <literal>nsmanagedroledefinition</literal>,
+ <literal>nsroledefinition</literal>,
+ <literal>nssimpleroledefinition</literal>,
+ <literal>top</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Filter Roles Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a filtered role by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-filterroles-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Filter Roles Search Filter</term>
+ <listitem>
+ <para>
+ When searching for filtered roles, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-filterroles-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(&amp;(objectclass=ldapsubentry)(objectclass=nsfilteredroledefinition))</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Filter Roles Object Class</term>
+ <listitem>
+ <para>
+ Filtered role profiles have these LDAP object classes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-filterrole-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ldapsubentry</literal>,
+ <literal>nscomplexroledefinition</literal>,
+ <literal>nsfilteredroledefinition</literal>,
+ <literal>nsroledefinition</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Filter Roles Attributes</term>
+ <listitem>
+ <para>
+ Filtered role profiles have these LDAP attributes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-filterrole-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>nsRoleFilter</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name for Filtered Role Membership</term>
+ <listitem>
+ <para>
+ LDAP attribute in the member's LDAP entry
+ whose values are the filtered roles to which a member belongs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-nsrole</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>nsrole</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of Role Membership</term>
+ <listitem>
+ <para>
+ LDAP attribute in the member's LDAP entry
+ whose values are the roles to which a member belongs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-nsroledn</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>nsRoleDN</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of Filtered Role Filter</term>
+ <listitem>
+ <para>
+ LDAP attribute whose values are the filters for filtered roles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-nsrolefilter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>nsRoleFilter</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Base DN</term>
+ <listitem>
+ <para>
+ Base DN for LDAP persistent searches used
+ to receive notification of changes in directory server data
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearchbase</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Filter</term>
+ <listitem>
+ <para>
+ LDAP filter to apply when performing persistent searches
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearch-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=*)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearch-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>The Delay Time Between Retries</term>
+ <listitem>
+ <para>
+ How long to wait after receiving an error result
+ that indicates OpenAM should try the LDAP operation again
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>com.iplanet.am.ldap.connection.delay.between.retries</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000 milliseconds
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Enabled</term>
+ <listitem>
+ <para>
+ Whether to enable the DN cache, which is used to cache DN lookups
+ that can happen in bursts during authentication.
+ As the cache can become stale when a user is moved or renamed,
+ enable DN caching when the directory service allows move/rename operations (Mod \
DN), + and when OpenAM uses persistent searches to obtain notification of such \
updates. + </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Size</term>
+ <listitem>
+ <para>
+ Maximum number of DNs cached when caching is enabled
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-size</literal>
+ </para>
+
+ <para>
+ Default:
+ 1500 items
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</section>
</ins></span></pre></div>
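Review bot: The Persistent Search Scope entry names the subtree scope SEARCH_SUB in its description, while the other two values are SCOPE_BASE and SCOPE_ONE and the documented default is SCOPE_SUB; change the description to SCOPE_SUB so it matches the value given as the default. The same SEARCH_SUB wording recurs in the LDAPv3 Plug-in Search Scope entry of the copied sec-data-stores-generic-ldapv3.xml that follows. Separately, the DN Cache Enabled description first says the cache can become stale when a user is moved or renamed, then advises enabling it when the directory service allows move/rename operations; say explicitly that persistent search notifications are what keep the cache valid in that case, or reword the condition.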
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecda \
tastoresgenericldapv3xmlfromrev10288trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresgenericldapv3xml"></a>
<div class="copfile"><h4>Copied: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-generic-ldapv3.xml \
(from rev 10288, trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-generic-ldapv3.xml) \
(0 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-generic-ldapv3.xml \
(rev 0)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-generic-ldapv3.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -0,0 +1,978 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ! CCPL HEADER START
+ !
+ ! This work is licensed under the Creative Commons
+ ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+ ! To view a copy of this license, visit
+ ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+ ! or send a letter to Creative Commons, 444 Castro Street,
+ ! Suite 900, Mountain View, California, 94041, USA.
+ !
+ ! You can also obtain a copy of the license at
+ ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! If applicable, add the following below this CCPL HEADER, with the fields
+ ! enclosed by brackets "[]" replaced with your own identifying \
information: + ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CCPL HEADER END
+ !
+ ! Copyright 2011-2014 ForgeRock AS
+ !
+-->
+<section xml:id="sec-data-stores-generic-ldapv3"
+ xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'>
+ <title>Hints for Configuring Generic LDAPv3 Data Stores</title>
+
+ <para>
+ Use these hints when configuring Generic LDAPv3 compliant Data Stores.
+ </para>
+
+ <indexterm>
+ <primary>Data stores</primary>
+ <secondary>Generic LDAPv3</secondary>
+ </indexterm>
+
+ <para>
+ <command>ssoadm</command> service name:
+ <literal>sunIdentityRepositoryService</literal>
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Name</term>
+ <listitem>
+ <para>
+ Name for the data store configuration
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Load schema when finished</term>
+ <listitem>
+ <para>
+ Add appropriate LDAP schema to the directory server
+ when saving the configuration.
+ The LDAP Bind DN user must have access to perform this operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>idRepoLoadSchema</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Server</term>
+ <listitem>
+ <para>
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ to contact the directory server, with optional
+ <literal>|<replaceable>server_ID</replaceable>|<replaceable>site_ID</replaceable></literal>
+ for deployments with multiple servers and sites
+ </para>
+
+ <orderedlist>
+ <para>
+ OpenAM uses the optional settings to determine
+ which directory server to contact first.
+ OpenAM tries to contact directory servers
+ in the following priority order, with highest priority first.
+ </para>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>server_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>site_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the remaining list
+ </para>
+ </listitem>
+ </orderedlist>
+
+ <para>
+ If the directory server is not available,
+ OpenAM proceeds to the next directory server in the list.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ldap-server</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ of the initial directory server configured for this OpenAM server
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind DN</term>
+ <listitem>
+ <para>
+ Bind DN for connecting to the directory server.
+ Some OpenAM capabilities require write access to directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authid</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind Password</term>
+ <listitem>
+ <para>
+ Bind password for connecting to the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authpw</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Organization DN</term>
+ <listitem>
+ <para>
+ The base DN under which to find user and group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-organization_name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP SSL/TLS Enabled</term>
+ <listitem>
+ <para>
+ Whether to use LDAPS or StartTLS to connect to the directory server.
+ If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+ either because the server certificates were signed by a CA
+ whose certificate is already included in the trust store
+ used by the container where OpenAM runs,
+ or because you imported the certificates into the trust store.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ssl-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Pool Maximum Size</term>
+ <listitem>
+ <para>
+ Maximum number of connections to the directory server.
+ Make sure the directory service can cope
+ with the maximum number of client connections across all servers.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-connection_pool_max_size</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Interval</term>
+ <listitem>
+ <para>
+ How often to send a heartbeat request to the directory server
+ to ensure that the connection does not remain idle.
+ Some network administrators configure firewalls
+ and load balancers to drop connections that are idle for too long.
+ You can turn this off by setting the value to 0 or to a negative number.
+ To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-interval</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Time Unit</term>
+ <listitem>
+ <para>
+ Time unit for the LDAP Connection Heartbeat Interval setting
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-timeunit</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>second</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Maximum Results Returned from Search</term>
+ <listitem>
+ <para>
+ A cap for the number of search results to request.
+ For example when using the Subjects tab to view profiles,
+ even if you set
+ Configuration > Console > Administration > Maximum Results Returned \
from Search + to a larger number, OpenAM does not exceed this setting.
+ Rather than raise this number,
+ consider narrowing your search to match fewer directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-max-result</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Search Timeout</term>
+ <listitem>
+ <para>
+ Maximum time to wait for search results in seconds.
+ Does not apply to persistent searches.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-time-limit</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-search-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Repository Plug-in Class Name</term>
+ <listitem>
+ <para>
+ OpenAM identity repository implementation
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoClass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name Mapping</term>
+ <listitem>
+ <para>
+ Map of OpenAM profile attribute names to directory server attribute names
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoAttributeMapping</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Supported Types and Operations</term>
+ <listitem>
+ <para>
+ Map of OpenAM operations that can be performed in the specified OpenAM contexts
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoSupportedOperations</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>realm=read,create,edit,delete,service</literal>,
+ <literal>user=read,create,edit,delete</literal>,
+ <literal>group=read,create,edit,delete</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a user by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uid</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Filter</term>
+ <listitem>
+ <para>
+ When searching for users, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=inetorgperson)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-name</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-value</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Object Class</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP object classes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>inetorgperson</literal>,
+ <literal>inetUser</literal>,
+ <literal>organizationalPerson</literal>,
+ <literal>person</literal>,
+ <literal>top</literal>,
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Attributes</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP attributes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uid</literal>,
+ <literal>caCertificate</literal>,
+ <literal>authorityRevocationList</literal>,
+ <literal>inetUserStatus</literal>,
+ <literal>mail</literal>,
+ <literal>sn</literal>,
+ <literal>manager</literal>,
+ <literal>userPassword</literal>,
+ <literal>adminRole</literal>,
+ <literal>objectClass</literal>,
+ <literal>givenName</literal>,
+ <literal>memberOf</literal>,
+ <literal>cn</literal>,
+ <literal>telephoneNumber</literal>,
+ <literal>preferredlanguage</literal>,
+ <literal>userCertificate</literal>,
+ <literal>postalAddress</literal>,
+ <literal>dn</literal>,
+ <literal>employeeNumber</literal>,
+ <literal>distinguishedName</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Create User Attribute Mapping</term>
+ <listitem>
+ <para>
+ When creating a user profile,
+ apply this map of OpenAM profile attribute names
+ to directory server attribute names.
+ </para>
+
+ <para>
+ Attributes not mapped to another attribute
+ (for example, <literal>cn</literal>)
+ and attributes mapped to themselves
+ (for example, <literal>cn=cn</literal>)
+ take the value of the username
+ unless the attribute values are provided when creating the profile.
+ The object classes for user profile LDAP entries
+ generally require Common Name (cn) and Surname (sn) attributes,
+ so this prevents an LDAP constraint violation
+ when performing the add operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-createuser-attr-mapping</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>, <literal>sn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of User Status</term>
+ <listitem>
+ <para>
+ Attribute to check/set user status
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-isactive</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>inetuserstatus</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Active Value</term>
+ <listitem>
+ <para>
+ Active users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-active</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Active</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Inactive Value</term>
+ <listitem>
+ <para>
+ Inactive users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-inactive</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Inactive</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Authentication Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute for building the bind DN when given a username and password
+ to authenticate a user against the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-auth-naming-attr</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uid</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a group by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Filter</term>
+ <listitem>
+ <para>
+ When searching for groups, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=groupOfUniqueNames)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ou</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-value</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>groups</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Object Class</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP object classes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>groupofuniquenames</literal>,
+ <literal>top</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Attributes</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP attributes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ou</literal>,
+ <literal>cn</literal>,
+ <literal>description</literal>,
+ <literal>dn</literal>,
+ <literal>objectclass</literal>,
+ <literal>uniqueMember</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name for Group Membership</term>
+ <listitem>
+ <para>
+ LDAP attribute in the member's LDAP entry
+ whose values are the groups to which a member belongs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-memberof</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of Unique Member</term>
+ <listitem>
+ <para>
+ Attribute in the group's LDAP entry
+ whose values are the members of the group
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-uniquemember</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uniqueMember</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of Group Member URL</term>
+ <listitem>
+ <para>
+ Attribute in the dynamic group's LDAP entry
+ whose value is a URL specifying the members of the group
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-memberurl</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>memberUrl</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Default Group Member's User DN</term>
+ <listitem>
+ <para>
+ DN of member added to all newly created groups
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-dftgroupmember</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Base DN</term>
+ <listitem>
+ <para>
+ Base DN for LDAP persistent searches used
+ to receive notification of changes in directory server data
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearchbase</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Filter</term>
+ <listitem>
+ <para>
+ LDAP filter to apply when performing persistent searches
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearch-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=*)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearch-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>The Delay Time Between Retries</term>
+ <listitem>
+ <para>
+ How long to wait after receiving an error result
+ that indicates OpenAM should try the LDAP operation again
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>com.iplanet.am.ldap.connection.delay.between.retries</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000 milliseconds
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Enabled</term>
+ <listitem>
+ <para>
+ Whether to enable the DN cache, which is used to cache DN lookups
+ that can happen in bursts during authentication.
+ As the cache can become stale when a user is moved or renamed,
+ enable DN caching when the directory service allows move/rename operations (Mod \
DN), + and when OpenAM uses persistent searches to obtain notification of such \
updates. + </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Size</term>
+ <listitem>
+ <para>
+ Maximum number of DNs cached when caching is enabled
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-size</literal>
+ </para>
+
+ <para>
+ Default:
+ 1500 items
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</section>
</ins></span></pre></div>
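Review bot: In the Persistent Search Scope entry the description names the subtree scope SEARCH_SUB, while the other two scopes are SCOPE_BASE and SCOPE_ONE and the documented default is SCOPE_SUB. Change the description to SCOPE_SUB so that a reader copying the name into sun-idrepo-ldapv3-config-psearch-scope uses the same value the default shows. Separately, the LDAP User Object Class entry repeats word for word the two paragraphs on OpenAM discarding unlisted attributes (including the mailAlternateAddress example) that also appear under LDAP User Attributes. Under the object class setting, "OpenAM handles only those attributes listed in this setting" reads as if the object class list decides which attributes are passed through. If that is not the intended meaning, keep the paragraphs under LDAP User Attributes only or reword them for object classes. The Default list of that same entry also ends with a trailing comma after top.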
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecda \
tastoresopendjxmlfromrev10288trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresopendjxml"></a>
<div class="copfile"><h4>Copied: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-opendj.xml \
(from rev 10288, trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-opendj.xml) \
(0 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-opendj.xml \
(rev 0)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-opendj.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -0,0 +1,1031 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ! CCPL HEADER START
+ !
+ ! This work is licensed under the Creative Commons
+ ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+ ! To view a copy of this license, visit
+ ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+ ! or send a letter to Creative Commons, 444 Castro Street,
+ ! Suite 900, Mountain View, California, 94041, USA.
+ !
+ ! You can also obtain a copy of the license at
+ ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! If applicable, add the following below this CCPL HEADER, with the fields
+ ! enclosed by brackets "[]" replaced with your own identifying \
information: + ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CCPL HEADER END
+ !
+ ! Copyright 2011-2014 ForgeRock AS
+ !
+-->
+<section xml:id="sec-data-stores-opendj"
+ xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'>
+ <title>Hints for Configuring OpenDJ Data Stores</title>
+
+ <para>
+ Use these hints when configuring OpenDJ Data Stores.
+ </para>
+
+ <indexterm>
+ <primary>Data stores</primary>
+ <secondary>OpenDJ</secondary>
+ </indexterm>
+
+ <para>
+ <command>ssoadm</command> service name:
+ <literal>sunIdentityRepositoryService</literal>
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Name</term>
+ <listitem>
+ <para>
+ Name for the data store configuration
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Load schema when finished</term>
+ <listitem>
+ <para>
+ Add appropriate LDAP schema to the directory server
+ when saving the configuration.
+ The LDAP Bind DN user must have access to perform this operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>idRepoLoadSchema</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Server</term>
+ <listitem>
+ <para>
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ to contact the directory server, with optional
+ <literal>|<replaceable>server_ID</replaceable>|<replaceable>site_ID</replaceable></literal>
+ for deployments with multiple servers and sites
+ </para>
+
+ <orderedlist>
+ <para>
+ OpenAM uses the optional settings to determine
+ which directory server to contact first.
+ OpenAM tries to contact directory servers
+ in the following priority order, with highest priority first.
+ </para>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>server_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>site_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the remaining list
+ </para>
+ </listitem>
+ </orderedlist>
+
+ <para>
+ If the directory server is not available,
+ OpenAM proceeds to the next directory server in the list.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ldap-server</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ of the initial directory server configured for this OpenAM server
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind DN</term>
+ <listitem>
+ <para>
+ Bind DN for connecting to the directory server.
+ Some OpenAM capabilities require write access to directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authid</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind Password</term>
+ <listitem>
+ <para>
+ Bind password for connecting to the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authpw</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Organization DN</term>
+ <listitem>
+ <para>
+ The base DN under which to find user and group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-organization_name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP SSL/TLS Enabled</term>
+ <listitem>
+ <para>
+ Whether to use LDAPS or StartTLS to connect to the directory server.
+ If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+ either because the server certificates were signed by a CA
+ whose certificate is already included in the trust store
+ used by the container where OpenAM runs,
+ or because you imported the certificates into the trust store.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ssl-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Pool Maximum Size</term>
+ <listitem>
+ <para>
+ Maximum number of connections to the directory server.
+ Make sure the directory service can cope
+ with the maximum number of client connections across all servers.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-connection_pool_max_size</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Interval</term>
+ <listitem>
+ <para>
+ How often to send a heartbeat request to the directory server
+ to ensure that the connection does not remain idle.
+ Some network administrators configure firewalls
+ and load balancers to drop connections that are idle for too long.
+ You can turn this off by setting the value to 0 or to a negative number.
+ To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-interval</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Time Unit</term>
+ <listitem>
+ <para>
+ Time unit for the LDAP Connection Heartbeat Interval setting
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-timeunit</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>second</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Maximum Results Returned from Search</term>
+ <listitem>
+ <para>
+ A cap for the number of search results to request.
+ For example when using the Subjects tab to view profiles,
+ even if you set
+ Configuration > Console > Administration > Maximum Results Returned \
from Search + to a larger number, OpenAM does not exceed this setting.
+ Rather than raise this number,
+ consider narrowing your search to match fewer directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-max-result</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Search Timeout</term>
+ <listitem>
+ <para>
+ Maximum time to wait for search results in seconds.
+ Does not apply to persistent searches.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-time-limit</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-search-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Repository Plug-in Class Name</term>
+ <listitem>
+ <para>
+ OpenAM identity repository implementation
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoClass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name Mapping</term>
+ <listitem>
+ <para>
+ Map of OpenAM profile attribute names to directory server attribute names
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoAttributeMapping</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Supported Types and Operations</term>
+ <listitem>
+ <para>
+ Map of OpenAM operations that can be performed in the specified OpenAM contexts
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoSupportedOperations</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>realm=read,create,edit,delete,service</literal>,
+ <literal>user=read,create,edit,delete</literal>,
+ <literal>group=read,create,edit,delete</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a user by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uid</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Filter</term>
+ <listitem>
+ <para>
+ When searching for users, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=inetorgperson)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ou</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-value</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>people</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Object Class</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP object classes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>devicePrintProfilesContainer</literal>,
+ <literal>forgerock-am-dashboard-service</literal>,
+ <literal>inetorgperson</literal>,
+ <literal>inetuser</literal>,
+ <literal>iplanet-am-auth-configuration-service</literal>,
+ <literal>iplanet-am-managed-person</literal>,
+ <literal>iplanet-am-user-service</literal>,
+ <literal>iPlanetPreferences</literal>,
+ <literal>organizationalperson</literal>,
+ <literal>person</literal>,
+ <literal>sunAMAuthAccountLockout</literal>,
+ <literal>sunFederationManagerDataStore</literal>,
+ <literal>sunFMSAML2NameIdentifier</literal>,
+ <literal>sunIdentityServerLibertyPPService</literal>,
+ <literal>top</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Attributes</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP attributes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>sunIdentityServerPPDemographicsBirthDay</literal>,
+ <literal>uid</literal>,
+ <literal>sunIdentityServerPPLegalIdentityLegalName</literal>,
+ <literal>manager</literal>,
+ <literal>assignedDashboard</literal>,
+ <literal>sunIdentityServerPPCommonNameSN</literal>,
+ <literal>userPassword</literal>,
+ <literal>iplanet-am-session-get-valid-sessions</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityJobTitle</literal>,
+ <literal>iplanet-am-user-password-reset-question-answer</literal>,
+ <literal>sunIdentityServerPPLegalIdentityDOB</literal>,
+ <literal>sunIdentityServerPPEmergencyContact</literal>,
+ <literal>sunIdentityServerPPCommonNameCN</literal>,
+ <literal>iplanet-am-user-success-url</literal>,
+ <literal>iplanet-am-user-admin-start-dn</literal>,
+ <literal>iplanet-am-user-federation-info</literal>,
+ <literal>userCertificate</literal>,
+ <literal>sunIdentityServerPPFacadeGreetSound</literal>,
+ <literal>sunAMAuthInvalidAttemptsData</literal>,
+ <literal>sunIdentityServerPPFacadeNamePronounced</literal>,
+ <literal>distinguishedName</literal>,
+ <literal>sunIdentityServerPPDemographicsTimeZone</literal>,
+ <literal>sunIdentityMSISDNNumber</literal>,
+ <literal>iplanet-am-session-max-caching-time</literal>,
+ <literal>sn</literal>,
+ <literal>iplanet-am-session-quota-limit</literal>,
+ <literal>iplanet-am-session-max-session-time</literal>,
+ <literal>adminRole</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityAltO</literal>,
+ <literal>objectClass</literal>,
+ <literal>sun-fm-saml2-nameid-info</literal>,
+ <literal>sunIdentityServerPPLegalIdentityMaritalStatus</literal>,
+ <literal>iplanet-am-user-login-status</literal>,
+ <literal>sunIdentityServerPPLegalIdentityAltIdType</literal>,
+ <literal>devicePrintProfiles</literal>,
+ <literal>iplanet-am-session-max-idle-time</literal>,
+ <literal>sunIdentityServerPPFacadegreetmesound</literal>,
+ <literal>cn</literal>,
+ <literal>iplanet-am-user-password-reset-options</literal>,
+ <literal>telephoneNumber</literal>,
+ <literal>preferredlanguage</literal>,
+ <literal>iplanet-am-user-federation-info-key</literal>,
+ <literal>sunIdentityServerPPMsgContact</literal>,
+ <literal>sunIdentityServerPPLegalIdentityGender</literal>,
+ <literal>iplanet-am-user-alias-list</literal>,
+ <literal>sunIdentityServerPPCommonNameFN</literal>,
+ <literal>caCertificate</literal>,
+ <literal>inetUserStatus</literal>,
+ <literal>sunIdentityServerPPCommonNameMN</literal>,
+ <literal>sunIdentityServerPPEncryPTKey</literal>,
+ <literal>givenName</literal>,
+ <literal>memberOf</literal>,
+ <literal>sunIdentityServerPPLegalIdentityVATIdValue</literal>,
+ <literal>preferredLocale</literal>,
+ <literal>iplanet-am-session-service-status</literal>,
+ <literal>sun-fm-saml2-nameid-infokey</literal>,
+ <literal>sunIdentityServerPPDemographicsAge</literal>,
+ <literal>sunIdentityServerDiscoEntries</literal>,
+ <literal>sunIdentityServerPPLegalIdentityVATIdType</literal>,
+ <literal>iplanet-am-user-auth-config</literal>,
+ <literal>iplanet-am-user-failure-url</literal>,
+ <literal>sunIdentityServerPPAddressCard</literal>,
+ <literal>sunIdentityServerPPCommonNamePT</literal>,
+ <literal>dn</literal>,
+ <literal>iplanet-am-session-add-session-listener-on-all-sessions</literal>,
+ <literal>mail</literal>,
+ <literal>authorityRevocationList</literal>,
+ <literal>iplanet-am-user-password-reset-force-reset</literal>,
+ <literal>inetUserHttpURL</literal>,
+ <literal>sunIdentityServerPPLegalIdentityAltIdValue</literal>,
+ <literal>sunIdentityServerPPCommonNameAltCN</literal>,
+ <literal>preferredtimezone</literal>,
+ <literal>sunIdentityServerPPInformalName</literal>,
+ <literal>sunIdentityServerPPSignKey</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityOrg</literal>,
+ <literal>iplanet-am-session-destroy-sessions</literal>,
+ <literal>sunIdentityServerPPFacadeMugShot</literal>,
+ <literal>sunIdentityServerPPFacadeWebSite</literal>,
+ <literal>sunIdentityServerPPDemographicsDisplayLanguage</literal>,
+ <literal>postalAddress</literal>,
+ <literal>iplanet-am-auth-configuration</literal>,
+ <literal>employeeNumber</literal>,
+ <literal>iplanet-am-user-account-life</literal>,
+ <literal>iplanet-am-user-auth-modules</literal>,
+ <literal>sunIdentityServerPPDemographicsLanguage</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Create User Attribute Mapping</term>
+ <listitem>
+ <para>
+ When creating a user profile,
+ apply this map of OpenAM profile attribute names
+ to directory server attribute names.
+ </para>
+
+ <para>
+ Attributes not mapped to another attribute
+ (for example, <literal>cn</literal>)
+ and attributes mapped to themselves
+ (for example, <literal>cn=cn</literal>)
+ take the value of the username
+ unless the attribute values are provided when creating the profile.
+ The object classes for user profile LDAP entries
+ generally require Common Name (cn) and Surname (sn) attributes,
+ so this prevents an LDAP constraint violation
+ when performing the add operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-createuser-attr-mapping</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>, <literal>sn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of User Status</term>
+ <listitem>
+ <para>
+ Attribute to check/set user status
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-isactive</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>inetuserstatus</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Active Value</term>
+ <listitem>
+ <para>
+ Active users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-active</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Active</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Inactive Value</term>
+ <listitem>
+ <para>
+ Inactive users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-inactive</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Inactive</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Authentication Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute for building the bind DN when given a username and password
+ to authenticate a user against the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-auth-naming-attr</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uid</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a group by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Filter</term>
+ <listitem>
+ <para>
+ When searching for groups, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=groupOfUniqueNames)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ou</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-value</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>groups</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Object Class</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP object classes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>groupofuniquenames</literal>,
+ <literal>top</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Attributes</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP attributes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>,
+ <literal>dn</literal>,
+ <literal>objectclass</literal>,
+ <literal>uniqueMember</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name for Group Membership</term>
+ <listitem>
+ <para>
+ LDAP attribute in the member's LDAP entry
+ whose values are the groups to which a member belongs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-memberof</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of Unique Member</term>
+ <listitem>
+ <para>
+ Attribute in the group's LDAP entry
+ whose values are the members of the group
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-uniquemember</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>uniqueMember</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Base DN</term>
+ <listitem>
+ <para>
+ Base DN for LDAP persistent searches used
+ to receive notification of changes in directory server data
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearchbase</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Filter</term>
+ <listitem>
+ <para>
+ LDAP filter to apply when performing persistent searches
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearch-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=*)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearch-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>The Delay Time Between Retries</term>
+ <listitem>
+ <para>
+ How long to wait after receiving an error result
+ that indicates OpenAM should try the LDAP operation again
+ </para>
+
+ <para>
+ The OpenDJ data store uses this setting only for persistent searches.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>com.iplanet.am.ldap.connection.delay.between.retries</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000 milliseconds
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Enabled</term>
+ <listitem>
+ <para>
+ Whether to enable the DN cache, which is used to cache DN lookups
+ that can happen in bursts during authentication.
+ As the cache can become stale when a user is moved or renamed,
+ enable DN caching when the directory service allows move/rename operations (Mod \
DN), + and when OpenAM uses persistent searches to obtain notification of such \
updates. + </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Size</term>
+ <listitem>
+ <para>
+ Maximum number of DNs cached when caching is enabled
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-size</literal>
+ </para>
+
+ <para>
+ Default:
+ 1500 items
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</section>
</ins></span></pre></div>
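Review bot: The DN Cache Enabled entry near the end of this hunk is ambiguous about when caching is safe. It first says the cache "can become stale when a user is moved or renamed", then tells the reader to enable caching "when the directory service allows move/rename operations (Mod DN), and when OpenAM uses persistent searches". As written, Mod DN support reads like a reason to turn the cache on, while the preceding clause gives it as the cause of staleness. Suggest rewording so that persistent search notification is stated as the precondition for enabling the cache on a directory that permits Mod DN. Since the documented default is true, also say what an administrator should do when persistent searches are not in use. Two smaller points in the same hunk: the Persistent Search Scope prose names the subtree scope SEARCH_SUB while its Default line gives SCOPE_SUB, so one of the two should be corrected to match the value ssoadm accepts; and Attribute Name for Group Membership has no Default paragraph although the neighbouring entries do, so state explicitly if the default is empty.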
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecda \
tastorestivolixmlfromrev10288trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastorestivolixml"></a>
<div class="copfile"><h4>Copied: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-tivoli.xml \
(from rev 10288, trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-tivoli.xml) \
(0 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-tivoli.xml \
(rev 0)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-tivoli.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -0,0 +1,1032 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ! CCPL HEADER START
+ !
+ ! This work is licensed under the Creative Commons
+ ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+ ! To view a copy of this license, visit
+ ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+ ! or send a letter to Creative Commons, 444 Castro Street,
+ ! Suite 900, Mountain View, California, 94041, USA.
+ !
+ ! You can also obtain a copy of the license at
+ ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! If applicable, add the following below this CCPL HEADER, with the fields
+ ! enclosed by brackets "[]" replaced with your own identifying \
information: + ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CCPL HEADER END
+ !
+ ! Copyright 2011-2014 ForgeRock AS
+ !
+-->
+<section xml:id="sec-data-stores-tivoli"
+ xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'>
+ <title>Hints for Configuring Tivoli Directory Server Data \
Stores</title> +
+ <para>
+ Use these hints when configuring Tivoli Directory Server Data Stores.
+ </para>
+
+ <indexterm>
+ <primary>Data stores</primary>
+ <secondary>Tivoli Directory Server</secondary>
+ </indexterm>
+
+ <para>
+ <command>ssoadm</command> service name:
+ <literal>sunIdentityRepositoryService</literal>
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Name</term>
+ <listitem>
+ <para>
+ Name for the data store configuration
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Load schema when finished</term>
+ <listitem>
+ <para>
+ Add appropriate LDAP schema to the directory server
+ when saving the configuration.
+ The LDAP Bind DN user must have access to perform this operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>idRepoLoadSchema</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Server</term>
+ <listitem>
+ <para>
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ to contact the directory server, with optional
+ <literal>|<replaceable>server_ID</replaceable>|<replaceable>site_ID</replaceable></literal>
+ for deployments with multiple servers and sites
+ </para>
+
+ <orderedlist>
+ <para>
+ OpenAM uses the optional settings to determine
+ which directory server to contact first.
+ OpenAM tries to contact directory servers
+ in the following priority order, with highest priority first.
+ </para>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>server_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the list
+ whose <replaceable>site_ID</replaceable>
+ matches the current OpenAM server
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The first directory server in the remaining list
+ </para>
+ </listitem>
+ </orderedlist>
+
+ <para>
+ If the directory server is not available,
+ OpenAM proceeds to the next directory server in the list.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ldap-server</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>host</replaceable>:<replaceable>port</replaceable></literal>
+ of the initial directory server configured for this OpenAM server
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind DN</term>
+ <listitem>
+ <para>
+ Bind DN for connecting to the directory server.
+ Some OpenAM capabilities require write access to directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authid</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Bind Password</term>
+ <listitem>
+ <para>
+ Bind password for connecting to the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-authpw</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Organization DN</term>
+ <listitem>
+ <para>
+ The base DN under which to find user and group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-organization_name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP SSL/TLS Enabled</term>
+ <listitem>
+ <para>
+ Whether to use LDAPS or StartTLS to connect to the directory server.
+ If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+ either because the server certificates were signed by a CA
+ whose certificate is already included in the trust store
+ used by the container where OpenAM runs,
+ or because you imported the certificates into the trust store.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-ssl-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Pool Maximum Size</term>
+ <listitem>
+ <para>
+ Maximum number of connections to the directory server.
+ Make sure the directory service can cope
+ with the maximum number of client connections across all servers.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-connection_pool_max_size</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Interval</term>
+ <listitem>
+ <para>
+ How often to send a heartbeat request to the directory server
+ to ensure that the connection does not remain idle.
+ Some network administrators configure firewalls
+ and load balancers to drop connections that are idle for too long.
+ You can turn this off by setting the value to 0 or to a negative number.
+ To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-interval</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Connection Heartbeat Time Unit</term>
+ <listitem>
+ <para>
+ Time unit for the LDAP Connection Heartbeat Interval setting
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>openam-idrepo-ldapv3-heartbeat-timeunit</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>second</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Maximum Results Returned from Search</term>
+ <listitem>
+ <para>
+ A cap for the number of search results to request.
+ For example when using the Subjects tab to view profiles,
+ even if you set
+ Configuration > Console > Administration > Maximum Results Returned \
from Search + to a larger number, OpenAM does not exceed this setting.
+ Rather than raise this number,
+ consider narrowing your search to match fewer directory entries.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-max-result</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Search Timeout</term>
+ <listitem>
+ <para>
+ Maximum time to wait for search results in seconds.
+ Does not apply to persistent searches.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-time-limit</literal>
+ </para>
+
+ <para>
+ Default:
+ 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-search-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Repository Plug-in Class Name</term>
+ <listitem>
+ <para>
+ OpenAM identity repository implementation
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoClass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name Mapping</term>
+ <listitem>
+ <para>
+ Map of OpenAM profile attribute names to directory server attribute names
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoAttributeMapping</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAPv3 Plug-in Supported Types and Operations</term>
+ <listitem>
+ <para>
+ Map of OpenAM operations that can be performed in the specified OpenAM contexts
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sunIdRepoSupportedOperations</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>group=read,create,edit,delete</literal>,
+ <literal>realm=read,create,edit,delete,service</literal>,
+ <literal>user=read,create,edit,delete,service</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a user by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Users Search Filter</term>
+ <listitem>
+ <para>
+ When searching for users, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-users-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=inetorgperson)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ou</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP People Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains user profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-people-container-value</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Object Class</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP object classes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>devicePrintProfilesContainer</literal>,
+ <literal>forgerock-am-dashboard-service</literal>,
+ <literal>inetorgperson</literal>,
+ <literal>inetuser</literal>,
+ <literal>iplanet-am-auth-configuration-service</literal>,
+ <literal>iplanet-am-managed-person</literal>,
+ <literal>iplanet-am-user-service</literal>,
+ <literal>iPlanetPreferences</literal>,
+ <literal>organizationalperson</literal>,
+ <literal>person</literal>,
+ <literal>sunAMAuthAccountLockout</literal>,
+ <literal>sunFederationManagerDataStore</literal>,
+ <literal>sunFMSAML2NameIdentifier</literal>,
+ <literal>sunIdentityServerLibertyPPService</literal>,
+ <literal>top</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP User Attributes</term>
+ <listitem>
+ <para>
+ User profiles have these LDAP attributes
+ </para>
+
+ <para>
+ OpenAM handles only those attributes listed in this setting.
+ OpenAM discards any unlisted attributes from requests
+ and the request proceeds without the attribute.
+ </para>
+
+ <para>
+ For example, with default settings
+ if you request that OpenAM execute a search that asks for
+ the <literal>mailAlternateAddress</literal> attribute,
+ OpenAM does the search, but does not request
+ <literal>mailAlternateAddress</literal>.
+ In the same way, OpenAM does perform an update operation
+ with a request to set the value of an unlisted attribute
+ like <literal>mailAlternateAddress</literal>,
+ but it drops the unlisted attribute from the update request.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-user-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>adminRole</literal>,
+ <literal>assignedDashboard</literal>,
+ <literal>authorityRevocationList</literal>,
+ <literal>caCertificate</literal>,
+ <literal>cn</literal>,
+ <literal>devicePrintProfiles</literal>,
+ <literal>distinguishedName</literal>,
+ <literal>dn</literal>,
+ <literal>employeeNumber</literal>,
+ <literal>givenName</literal>,
+ <literal>inetUserHttpURL</literal>,
+ <literal>inetUserStatus</literal>,
+ <literal>iplanet-am-auth-configuration</literal>,
+ <literal>iplanet-am-session-add-session-listener-on-all-sessions</literal>,
+ <literal>iplanet-am-session-destroy-sessions</literal>,
+ <literal>iplanet-am-session-get-valid-sessions</literal>,
+ <literal>iplanet-am-session-max-caching-time</literal>,
+ <literal>iplanet-am-session-max-idle-time</literal>,
+ <literal>iplanet-am-session-max-session-time</literal>,
+ <literal>iplanet-am-session-quota-limit</literal>,
+ <literal>iplanet-am-session-service-status</literal>,
+ <literal>iplanet-am-user-account-life</literal>,
+ <literal>iplanet-am-user-admin-start-dn</literal>,
+ <literal>iplanet-am-user-alias-list</literal>,
+ <literal>iplanet-am-user-auth-config</literal>,
+ <literal>iplanet-am-user-auth-modules</literal>,
+ <literal>iplanet-am-user-failure-url</literal>,
+ <literal>iplanet-am-user-federation-info-key</literal>,
+ <literal>iplanet-am-user-federation-info</literal>,
+ <literal>iplanet-am-user-login-status</literal>,
+ <literal>iplanet-am-user-password-reset-force-reset</literal>,
+ <literal>iplanet-am-user-password-reset-options</literal>,
+ <literal>iplanet-am-user-password-reset-question-answer</literal>,
+ <literal>iplanet-am-user-success-url</literal>,
+ <literal>mail</literal>,
+ <literal>manager</literal>,
+ <literal>memberOf</literal>,
+ <literal>objectClass</literal>,
+ <literal>postalAddress</literal>,
+ <literal>preferredlanguage</literal>,
+ <literal>preferredLocale</literal>,
+ <literal>preferredtimezone</literal>,
+ <literal>sn</literal>,
+ <literal>sun-fm-saml2-nameid-info</literal>,
+ <literal>sun-fm-saml2-nameid-infokey</literal>,
+ <literal>sunAMAuthInvalidAttemptsData</literal>,
+ <literal>sunIdentityMSISDNNumber</literal>,
+ <literal>sunIdentityServerDiscoEntries</literal>,
+ <literal>sunIdentityServerPPAddressCard</literal>,
+ <literal>sunIdentityServerPPCommonNameAltCN</literal>,
+ <literal>sunIdentityServerPPCommonNameCN</literal>,
+ <literal>sunIdentityServerPPCommonNameFN</literal>,
+ <literal>sunIdentityServerPPCommonNameMN</literal>,
+ <literal>sunIdentityServerPPCommonNamePT</literal>,
+ <literal>sunIdentityServerPPCommonNameSN</literal>,
+ <literal>sunIdentityServerPPDemographicsAge</literal>,
+ <literal>sunIdentityServerPPDemographicsBirthDay</literal>,
+ <literal>sunIdentityServerPPDemographicsDisplayLanguage</literal>,
+ <literal>sunIdentityServerPPDemographicsLanguage</literal>,
+ <literal>sunIdentityServerPPDemographicsTimeZone</literal>,
+ <literal>sunIdentityServerPPEmergencyContact</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityAltO</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityJobTitle</literal>,
+ <literal>sunIdentityServerPPEmploymentIdentityOrg</literal>,
+ <literal>sunIdentityServerPPEncryPTKey</literal>,
+ <literal>sunIdentityServerPPFacadegreetmesound</literal>,
+ <literal>sunIdentityServerPPFacadeGreetSound</literal>,
+ <literal>sunIdentityServerPPFacadeMugShot</literal>,
+ <literal>sunIdentityServerPPFacadeNamePronounced</literal>,
+ <literal>sunIdentityServerPPFacadeWebSite</literal>,
+ <literal>sunIdentityServerPPInformalName</literal>,
+ <literal>sunIdentityServerPPLegalIdentityAltIdType</literal>,
+ <literal>sunIdentityServerPPLegalIdentityAltIdValue</literal>,
+ <literal>sunIdentityServerPPLegalIdentityDOB</literal>,
+ <literal>sunIdentityServerPPLegalIdentityGender</literal>,
+ <literal>sunIdentityServerPPLegalIdentityLegalName</literal>,
+ <literal>sunIdentityServerPPLegalIdentityMaritalStatus</literal>,
+ <literal>sunIdentityServerPPLegalIdentityVATIdType</literal>,
+ <literal>sunIdentityServerPPLegalIdentityVATIdValue</literal>,
+ <literal>sunIdentityServerPPMsgContact</literal>,
+ <literal>sunIdentityServerPPSignKey</literal>,
+ <literal>telephoneNumber</literal>,
+ <literal>uid</literal>,
+ <literal>userCertificate</literal>,
+ <literal>userPassword</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Create User Attribute Mapping</term>
+ <listitem>
+ <para>
+ When creating a user profile,
+ apply this map of OpenAM profile attribute names
+ to directory server attribute names.
+ </para>
+
+ <para>
+ Attributes not mapped to another attribute
+ (for example, <literal>cn</literal>)
+ and attributes mapped to themselves
+ (for example, <literal>cn=cn</literal>)
+ take the value of the username
+ unless the attribute values are provided when creating the profile.
+ The object classes for user profile LDAP entries
+ generally require Common Name (cn) and Surname (sn) attributes,
+ so this prevents an LDAP constraint violation
+ when performing the add operation.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-createuser-attr-mapping</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>, <literal>sn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of User Status</term>
+ <listitem>
+ <para>
+ Attribute to check/set user status
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-isactive</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>inetuserstatus</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Active Value</term>
+ <listitem>
+ <para>
+ Active users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-active</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Active</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User Status Inactive Value</term>
+ <listitem>
+ <para>
+ Inactive users have the user status attribute set to this value.
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-inactive</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>Inactive</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Authentication Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute for building the bind DN when given a username and password
+ to authenticate a user against the directory server
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-auth-naming-attr</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Attribute</term>
+ <listitem>
+ <para>
+ When searching for a group by name, match values against this attribute
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-attribute</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Search Filter</term>
+ <listitem>
+ <para>
+ When searching for groups, apply this LDAP search filter as well
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-groups-search-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=groupOfNames)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Naming Attribute</term>
+ <listitem>
+ <para>
+ RDN attribute of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-name</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>ou</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Container Value</term>
+ <listitem>
+ <para>
+ RDN attribute value of the LDAP base DN which contains group profiles
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-container-value</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Object Class</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP object classes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-objectclass</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>groupofnames</literal>, <literal>top</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>LDAP Groups Attributes</term>
+ <listitem>
+ <para>
+ Group profiles have these LDAP attributes
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-group-attributes</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>cn</literal>,
+ <literal>description</literal>,
+ <literal>dn</literal>,
+ <literal>member</literal>,
+ <literal>objectclass</literal>,
+ <literal>ou</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name for Group Membership</term>
+ <listitem>
+ <para>
+ LDAP attribute in the member's LDAP entry
+ whose values are the groups to which a member belongs
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-memberof</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Attribute Name of Unique Member</term>
+ <listitem>
+ <para>
+ Attribute in the group's LDAP entry
+ whose values are the members of the group
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-uniquemember</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>member</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Default Group Member's User DN</term>
+ <listitem>
+ <para>
+ DN of member added to all newly created groups
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-dftgroupmember</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Base DN</term>
+ <listitem>
+ <para>
+ Base DN for LDAP persistent searches used
+ to receive notification of changes in directory server data
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearchbase</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal><replaceable>base-dn</replaceable></literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Filter</term>
+ <listitem>
+ <para>
+ LDAP filter to apply when performing persistent searches
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearch-filter</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>(objectclass=*)</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Persistent Search Scope</term>
+ <listitem>
+ <para>
+ LDAP searches can apply to a single entry (SCOPE_BASE),
+ entries directly below the search DN (SCOPE_ONE),
+ or all entries below the search DN (SEARCH_SUB)
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-config-psearch-scope</literal>
+ </para>
+
+ <para>
+ Default:
+ <literal>SCOPE_SUB</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>The Delay Time Between Retries</term>
+ <listitem>
+ <para>
+ How long to wait after receiving an error result
+ that indicates OpenAM should try the LDAP operation again
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>com.iplanet.am.ldap.connection.delay.between.retries</literal>
+ </para>
+
+ <para>
+ Default:
+ 1000 milliseconds
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Enabled</term>
+ <listitem>
+ <para>
+ Whether to enable the DN cache, which is used to cache DN lookups
+ that can happen in bursts during authentication.
+ As the cache can become stale when a user is moved or renamed,
+ enable DN caching when the directory service allows move/rename operations (Mod \
DN), + and when OpenAM uses persistent searches to obtain notification of such \
updates. + </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-enabled</literal>
+ </para>
+
+ <para>
+ Default:
+ true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>DN Cache Size</term>
+ <listitem>
+ <para>
+ Maximum number of DNs cached when caching is enabled
+ </para>
+
+ <para>
+ <command>ssoadm</command> attribute:
+ <literal>sun-idrepo-ldapv3-dncache-size</literal>
+ </para>
+
+ <para>
+ Default:
+ 1500 items
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</section>
</ins></span></pre></div>
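Review bot: In the Persistent Search Scope entry the description names the subtree scope SEARCH_SUB, while the Default paragraph of the same entry gives SCOPE_SUB and the other two values use the SCOPE_ prefix; the description should read SCOPE_SUB. In the DN Cache Enabled entry, the sentence can be read as "enable the cache because Mod DN is allowed"; since the default is true, reword it to say that caching is only safe with move/rename operations when persistent searches deliver the change notifications.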
<a id="branchesAME3423openamopenamdocumentationopenamdocsourcesrcmaindocbkxwebreleasenoteschapwebagentsxml"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/web-release-notes/chap-web-agents.xml \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/web-release-notes/chap-web-agents.xml 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-documentation/openam-doc-source/src/main/docbkx/web-release-notes/chap-web-agents.xml 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -302,7 +302,7 @@
</span><span class="cx"> <section \
xml:id="platform-requirements-web-agents"> </span><span class="cx"> \
<title>Web Agents Platform Requirements</title> </span><span class="cx">
</span><del>- <para>Apache HTTP web policy agents have been tested on Linux \
2.6 or later, </del><ins>+ <para>Apache HTTP web policy agents run on Linux \
2.6.18 or later, </ins><span class="cx"> and on Oracle Solaris 10 or \
later.</para> </span><span class="cx">
</span><span class="cx"> <para>The Microsoft IIS 6 web policy agent has \
been tested on Windows Server </span><span class="lines">@@ -320,6 +320,20 @@
</span><span class="cx"> -->
</span><span class="cx">
</span><span class="cx"> <para>
</span><ins>+ Before installing web policy agents on Linux,
+ make sure the system can run <command>gcc</command> 4.4.7.
+ <literal>libc.so.6</literal> must be available
+ and it must support the GLIBC_2.3 ABI.
+ You can check this by running the following command:
+ <command>strings libc.so.6 | grep GLIBC_2</command>.
+ Also, <literal>libstdc++.so.6</literal> must be available
+ and it must support GLIBCXX_3.4 and CXXABI_1.3.
+ You can check this by running the following commands:
+ <command>strings libstdc++.so.6 | grep GLIBCXX_3</command>
+ and <command>strings libstdc++.so.6 | grep CXXABI_1</command>.
+ </para>
+
+ <para>
</ins><span class="cx"> Before installing the IIS 7 web policy agent on \
Microsoft IIS 7 or IIS 8, </span><span class="cx"> make sure that the optional \
Application Development component of </span><span class="cx"> Web Server (IIS) \
is installed. </span><span class="lines">@@ -373,6 +387,22 @@
</span><span class="cx"> </listitem>
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><ins>+ <para>
+ On Linux, library requirements have changed.
+ Make sure the system can run <command>gcc</command> 4.4.7.
+ <literal>libc.so.6</literal> must be available
+ and it must support the GLIBC_2.3 ABI.
+ You can check this by running the following command:
+ <command>strings libc.so.6 | grep GLIBC_2</command>.
+ Also, <literal>libstdc++.so.6</literal> must be available
+ and it must support GLIBCXX_3.4 and CXXABI_1.3.
+ You can check this by running the following commands:
+ <command>strings libstdc++.so.6 | grep GLIBCXX_3</command>
+ and <command>strings libstdc++.so.6 | grep CXXABI_1</command>.
+ </para>
+ </listitem>
+
+ <listitem>
</ins><span class="cx"> <para>IIS web policy agents no longer rely on the \
Windows registry to </span><span class="cx"> determine where to find \
configuration settings. Instead, IIS agents </span><span class="cx"> determine \
the relative location of their configuration properties files \
</span></span></pre></div> <a \
id="branchesAME3423openamopenamentitlementssrcmainjavacomsunidentityentitlementPrivilegeManagerjava"></a>
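Review bot: In the chap-web-agents.xml library requirements text, the check "strings libc.so.6 | grep GLIBC_2" uses a bare file name, so it only works from the directory that holds the library, and the pattern matches any GLIBC_2.x string rather than confirming GLIBC_2.3; give the full path or say how to locate the library, and tighten the patterns to the versions actually required (the same applies to the GLIBCXX_3 and CXXABI_1 checks). "Make sure the system can run gcc 4.4.7" also reads as a requirement to install the compiler; if the requirement is the runtime libraries, say that instead. The paragraph is repeated verbatim from the platform requirements hunk above it, so a cross-reference would keep the two copies from drifting apart.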
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-entitlements/src/main/java/com/sun/identity/entitlement/PrivilegeManager.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-entitlements/src/main/java/com/sun/identity/entitlement/PrivilegeManager.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-entitlements/src/main/java/com/sun/identity/entitlement/PrivilegeManager.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -186,6 +186,19 @@
</span><span class="cx"> throws EntitlementException;
</span><span class="cx">
</span><span class="cx"> /**
</span><ins>+ * Modifies the specified policy.
+ *
+ * @param existingName
+ * The existing policy name
+ * @param privilege
+ * The new policy content
+ *
+ * @throws EntitlementException
+ * When an error occurs during modification
+ */
+ public abstract void modifyPrivilege(String existingName, Privilege privilege) \
throws EntitlementException; +
+ /**
</ins><span class="cx"> * Returns a set of privilege names for a given search \
criteria. </span><span class="cx"> *
</span><span class="cx"> * @param filter Set of search filter.
</span></span></pre></div>
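Review bot: The Javadoc for the new modifyPrivilege(String existingName, Privilege privilege) does not say what happens when existingName differs from privilege.getName(): state whether that is a rename, and which error is raised when existingName does not exist or when the new name is already used by another policy. Because the method is declared abstract, every existing subclass of PrivilegeManager has to implement it before the branch compiles; confirm that all implementations are part of this merge.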
<a id="branchesAME3423openamopenamfederationopenamfederationlibrarysrcmainjavacomsunidentitysaml2profileIDPSSOUtiljava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml2/profile/IDPSSOUtil.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml2/profile/IDPSSOUtil.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml2/profile/IDPSSOUtil.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -1403,20 +1403,18 @@
</span><span class="cx"> allowCreate = nameIDPolicy.isAllowCreate();
</span><span class="cx"> spNameQualifier = \
nameIDPolicy.getSPNameQualifier(); </span><span class="cx"> if \
(spNameQualifier != null && !spNameQualifier.isEmpty()) { </span><del>- \
AffiliationDescriptorType affiDesc = metaManager.
- getAffiliationDescriptor(realm, spNameQualifier);
</del><ins>+ AffiliationDescriptorType affiDesc = \
metaManager.getAffiliationDescriptor(realm, spNameQualifier); </ins><span class="cx"> \
</span><span class="cx"> if (affiDesc != null) {
</span><del>- if (affiDesc.getAffiliateMember().contains(
- remoteEntityID)) {
-
</del><ins>+ if \
(affiDesc.getAffiliateMember().contains(remoteEntityID)) { </ins><span class="cx"> \
isAffiliation = true; </span><span class="cx"> \
remoteEntityID = spNameQualifier; </span><span class="cx"> } \
else { </span><del>- throw new \
SAML2Exception(SAML2Utils.bundle.
- getString("spNotAffiliationMember"));
</del><ins>+ throw new \
SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember")); \
</ins><span class="cx"> } </span><span class="cx"> \
} </span><ins>+ } else {
+ spNameQualifier = recipientEntityID;
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> } else {
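Review bot: The added else branch, "spNameQualifier = recipientEntityID;", is a behaviour change placed among edits that only join wrapped lines, which makes it easy to miss; it deserves its own commit, or at least a comment explaining why an absent SPNameQualifier now defaults to the recipient. The default covers only the null or empty case: a non-empty SPNameQualifier taken from the request for which getAffiliationDescriptor returns null still passes through unchanged, so consider whether that value should be compared with recipientEntityID as well. Also check whether the outer else that begins on the last context line needs the same default.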
</span><span class="lines">@@ -1515,8 +1513,7 @@
</span><span class="cx">
</span><span class="cx"> IDPAccountMapper idpAccountMapper =
</span><span class="cx"> SAML2Utils.getIDPAccountMapper(realm, \
idpEntityID); </span><del>- nameID = idpAccountMapper.getNameID(session, \
idpEntityID,
- spNameQualifier, realm, nameIDFormat);
</del><ins>+ nameID = idpAccountMapper.getNameID(session, idpEntityID, \
spNameQualifier, realm, nameIDFormat); </ins><span class="cx">
</span><span class="cx"> // If the IdP has received a request from a \
remote SP for which it has </span><span class="cx"> // been configured \
not to persist the Federation if unspecified NameID </span></span></pre></div>
<a id="branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestentitlementsJsonPolicyParserjava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/JsonPolicyParser.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/JsonPolicyParser.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/JsonPolicyParser.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -40,6 +40,7 @@
</span><span class="cx"> import java.util.List;
</span><span class="cx"> import java.util.TimeZone;
</span><span class="cx">
</span><ins>+import static org.apache.commons.lang.StringUtils.isBlank;
</ins><span class="cx">
</span><span class="cx"> /**
</span><span class="cx"> * Parses entitlements policies ("privileges") \
to/from JSON representations. </span><span class="lines">@@ -74,10 +75,6 @@
</span><span class="cx"> public Privilege parsePolicy(String name, JsonValue \
json) </span><span class="cx"> throws EntitlementException {
</span><span class="cx">
</span><del>- if (name == null || name.trim().isEmpty()) {
- throw new \
EntitlementException(EntitlementException.MISSING_PRIVILEGE_NAME);
- }
-
</del><span class="cx"> if (json == null || json.isNull()) {
</span><span class="cx"> throw new \
EntitlementException(EntitlementException.INVALID_JSON); </span><span class="cx"> \
} </span><span class="lines">@@ -128,14 +125,22 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- private Privilege parsePrivilege(String name, JsonValue jsonValue) \
throws EntitlementException { </del><ins>+ private Privilege parsePrivilege(String \
providedName, JsonValue jsonValue) throws EntitlementException { </ins><span \
class="cx"> try { </span><span class="cx"> // Note: this is a bit \
ugly as we re-serialise the JsonValue back into a JSON String to then parse it \
</span><span class="cx"> // again using Jackson. Unfortunately, that \
appears to be the easiest way as JsonValue does not support </span><span class="cx"> \
// data binding. </span><span class="cx"> JsonPolicy policy = \
MAPPER.readValue(jsonValue.toString(), JsonPolicy.class); </span><span class="cx"> \
Privilege privilege = policy.asPrivilege(); </span><del>- \
privilege.setName(name); </del><ins>+
+ if (isBlank(privilege.getName())) {
+ privilege.setName(providedName);
+ }
+
+ if (isBlank(privilege.getName())) {
+ throw new \
EntitlementException(EntitlementException.MISSING_PRIVILEGE_NAME); + }
+
</ins><span class="cx"> return privilege;
</span><span class="cx"> } catch (UnrecognizedPropertyException ex) {
</span><span class="cx"> throw new \
EntitlementException(EntitlementException.INVALID_VALUE, </span></span></pre></div>
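Review bot: In parsePrivilege the name precedence is inverted. Before, privilege.setName(name) forced the caller's name onto the parsed policy; now the name in the JSON body wins and providedName is only a fallback. Any caller that passes a resource id and relies on the returned policy carrying that id has to compare the two itself, so the parsePolicy Javadoc should state this, and a test should cover the case where the body name and providedName differ. The two consecutive isBlank(privilege.getName()) checks can be folded into one block that throws MISSING_PRIVILEGE_NAME when providedName is blank as well.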
<a id="branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestentitlementsPolicyResourcejava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PolicyResource.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PolicyResource.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PolicyResource.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -148,7 +148,14 @@
</span><span class="cx"> @Override
</span><span class="cx"> public void createInstance(ServerContext context, \
CreateRequest request, ResultHandler<Resource> handler) { </span><span \
class="cx"> try { </span><del>- Privilege policy = \
policyParser.parsePolicy(determineNewPolicyName(request), request.getContent()); \
</del><ins>+ final String providedName = request.getNewResourceId(); + \
Privilege policy = policyParser.parsePolicy(providedName, request.getContent()); +
+ if (isNotBlank(providedName) && \
!providedName.equals(policy.getName())) { + // Resource name and json \
body name do not match. + throw new \
EntitlementException(EntitlementException.POLICY_NAME_MISMATCH); + }
+
</ins><span class="cx"> \
policyStoreProvider.getPolicyStore(context).create(policy); </span><span class="cx"> \
handler.handleResult(policyResource(policy)); </span><span class="cx"> } \
catch (EntitlementException ex) { </span><span class="lines">@@ -157,34 +164,6 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> /**
</span><del>- * Determines the policy name to use for a new policy based on \
either the name specified in the URL (for PUT
- * requests) or the name specified in the JSON body (for POST requests). If \
neither is specified then an error is
- * raised as we do not support auto-generating policy names. If both are \
specified, and they are different, then
- * an error is raised indicating client confusion.
- *
- * @param request the create request for the policy.
- * @return the name to use for the new policy.
- * @throws EntitlementException if the name cannot be determined from the \
request.
- */
- private String determineNewPolicyName(CreateRequest request) throws \
EntitlementException {
-
- String requestPolicyName = request.getNewResourceId();
- String jsonPolicyName = \
request.getContent().get("name").asString();
-
- if (isNotBlank(requestPolicyName) && isNotBlank(jsonPolicyName) \
&& !requestPolicyName.equals(jsonPolicyName)) {
- throw new \
EntitlementException(EntitlementException.POLICY_NAME_MISMATCH);
- }
-
- String policyName = isNotBlank(requestPolicyName) ? requestPolicyName : \
jsonPolicyName;
-
- if (isBlank(policyName)) {
- throw new \
EntitlementException(EntitlementException.MISSING_PRIVILEGE_NAME);
- }
-
- return policyName;
- }
-
- /**
</del><span class="cx"> * {@inheritDoc}
</span><span class="cx"> */
</span><span class="cx"> @Override
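Review bot: Removing determineNewPolicyName also removes the only written description of the naming contract (name from the URL for PUT, name from the JSON body for POST, an error when neither is given or when the two differ). Move that text into the createInstance Javadoc, since the rules are now split between createInstance and JsonPolicyParser and are no longer stated anywhere.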
</span><span class="lines">@@ -260,7 +239,7 @@
</span><span class="cx"> ResultHandler<Resource> \
handler) { </span><span class="cx"> try {
</span><span class="cx"> Privilege policy = \
policyParser.parsePolicy(resourceId, request.getContent()); </span><del>- \
Resource result = policyResource(policyStoreProvider.getPolicyStore(context).update(policy));
</del><ins>+ Resource result = \
policyResource(policyStoreProvider.getPolicyStore(context).update(resourceId, \
policy)); </ins><span class="cx"> handler.handleResult(result);
</span><span class="cx"> } catch (EntitlementException ex) {
</span><span class="cx"> \
handler.handleError(resourceErrorHandler.handleError(request, ex)); \
</span></span></pre></div> <a \
id="branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestentitlementsPolicyStorejava"></a>
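Review bot: In the PolicyResource.java update hunk, update(resourceId, policy) now receives a policy whose name can come from the request body, and unlike createInstance there is no POLICY_NAME_MISMATCH check, so an update request can rename the policy addressed by resourceId. If renaming is intended, say so in a comment and add tests for a body name that collides with another existing policy and for a caller who has rights on resourceId but not on the new name; if it is not intended, apply the same mismatch check here.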
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PolicyStore.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PolicyStore.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PolicyStore.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -50,10 +50,11 @@
</span><span class="cx">
</span><span class="cx"> /**
</span><span class="cx"> * Updates the given policy to match the new definition.
</span><ins>+ * @param existingName the existing policy name
</ins><span class="cx"> * @param policy the policy to update.
</span><span class="cx"> * @throws EntitlementException if an error occurs or \
the policy does not exist. </span><span class="cx"> */
</span><del>- Privilege update(Privilege policy) throws EntitlementException;
</del><ins>+ Privilege update(String existingName, Privilege policy) throws \
EntitlementException; </ins><span class="cx">
</span><span class="cx"> /**
</span><span class="cx"> * Deletes the given policy from the policy store.
</span></span></pre></div>
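Review bot: The update Javadoc keeps the summary "Updates the given policy to match the new definition" and gains only a one-line @param for existingName; it has no @return, and "the policy does not exist" in @throws no longer says which name is meant. State that existingName identifies the stored policy, that policy.getName() may carry a different name, and what is returned.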
<a id="branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestentitlementsPrivilegePolicyStorejava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PrivilegePolicyStore.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PrivilegePolicyStore.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/PrivilegePolicyStore.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -69,8 +69,8 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> @Override
</span><del>- public Privilege update(Privilege policy) throws \
EntitlementException {
- privilegeManager.modifyPrivilege(policy);
</del><ins>+ public Privilege update(String existingName, Privilege policy) throws \
EntitlementException { + privilegeManager.modifyPrivilege(existingName, \
policy); </ins><span class="cx"> return policy;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestentitlementsmodeljsonJsonPolicyjava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/model/json/JsonPolicy.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/model/json/JsonPolicy.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/entitlements/model/json/JsonPolicy.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -94,6 +94,19 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> /**
</span><ins>+ * Set the policy name.
+ *
+ * @param name
+ * The name of the policy
+ *
+ * @throws EntitlementException
+ * Should some error occur whilst setting the name
+ */
+ public void setName(String name) throws EntitlementException {
+ privilege.setName(name);
+ }
+
+ /**
</ins><span class="cx"> * Returns {@code true} if this policy is active (i.e., \
in use). </span><span class="cx"> *
</span><span class="cx"> * @return true if the policy is active, otherwise \
false. </span></span></pre></div>
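Review bot: setName hands the value straight to privilege.setName(name). JsonPolicyParser builds JsonPolicy from the request body with MAPPER.readValue, so this setter is what lets a client-supplied name reach the privilege; apply whatever constraints hold for policy names taken from the URL here or in the parser before the policy is stored. The @throws text "Should some error occur whilst setting the name" should name the actual condition.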
<a id="branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamforgerockrestguiceForgerockRestGuiceModulejava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/guice/ForgerockRestGuiceModule.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/guice/ForgerockRestGuiceModule.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/guice/ForgerockRestGuiceModule.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -55,6 +55,7 @@
</span><span class="cx"> import org.forgerock.openam.rest.router.RestEndpointManager;
</span><span class="cx"> import \
org.forgerock.openam.rest.router.RestEndpointManagerProxy; </span><span class="cx"> \
import org.forgerock.openam.utils.AMKeyProvider; </span><ins>+import \
org.forgerock.openidconnect.ClientDAO; </ins><span class="cx"> import \
org.forgerock.util.SignatureUtil; </span><span class="cx">
</span><span class="cx"> import javax.inject.Inject;
</span></span></pre></div>
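Review bot: The only change to ForgerockRestGuiceModule.java is the new import of org.forgerock.openidconnect.ClientDAO, and nothing in this file's diff uses it. Drop the import, or include the binding that needs it in the same commit.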
<a id="branchesAME3423openamopenamforgerockrestsrcmainjavaorgforgerockopenamoauth2restTokenResourcejava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/oauth2/rest/TokenResource.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/oauth2/rest/TokenResource.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-forgerock-rest/src/main/java/org/forgerock/openam/oauth2/rest/TokenResource.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx"> * DO NOT REMOVE COPYRIGHT NOTICES OR THIS HEADER.
</span><span class="cx"> *
</span><del>- * Copyright (c) 2012-2014 ForgeRock AS. All rights reserved.
</del><ins>+ * Copyright 2012-2014 ForgeRock AS.
</ins><span class="cx"> *
</span><span class="cx"> * The contents of this file are subject to the terms
</span><span class="cx"> * of the Common Development and Distribution License
</span><span class="lines">@@ -21,6 +21,7 @@
</span><span class="cx"> * your own identifying information:
</span><span class="cx"> * "Portions copyright [year] [name of copyright \
owner]" </span><span class="cx"> */
</span><ins>+
</ins><span class="cx"> package org.forgerock.openam.oauth2.rest;
</span><span class="cx">
</span><span class="cx"> import com.iplanet.am.util.SystemProperties;
</span><span class="lines">@@ -32,12 +33,14 @@
</span><span class="cx"> import com.sun.identity.idm.IdType;
</span><span class="cx"> import com.sun.identity.security.AdminTokenAction;
</span><span class="cx"> import com.sun.identity.shared.Constants;
</span><del>-import org.forgerock.oauth2.core.exceptions.UnauthorizedClientException;
</del><ins>+import com.sun.identity.shared.locale.Locale;
+import org.apache.commons.lang.StringUtils;
</ins><span class="cx"> import org.forgerock.json.fluent.JsonValue;
</span><span class="cx"> import org.forgerock.json.resource.ActionRequest;
</span><span class="cx"> import \
org.forgerock.json.resource.CollectionResourceProvider; </span><span class="cx"> \
import org.forgerock.json.resource.CreateRequest; </span><span class="cx"> import \
org.forgerock.json.resource.DeleteRequest; </span><ins>+import \
org.forgerock.json.resource.InternalServerErrorException; </ins><span class="cx"> \
import org.forgerock.json.resource.NotFoundException; </span><span class="cx"> import \
org.forgerock.json.resource.NotSupportedException; </span><span class="cx"> import \
org.forgerock.json.resource.PatchRequest; </span><span class="lines">@@ -52,25 +55,54 \
@@ </span><span class="cx"> import org.forgerock.json.resource.ServerContext;
</span><span class="cx"> import \
org.forgerock.json.resource.ServiceUnavailableException; </span><span class="cx"> \
import org.forgerock.json.resource.UpdateRequest; </span><ins>+import \
org.forgerock.json.resource.servlet.HttpContext; </ins><span class="cx"> import \
org.forgerock.oauth2.core.OAuth2Constants; </span><del>-import \
org.forgerock.openam.oauth2.IdentityManager; </del><ins>+import \
org.forgerock.oauth2.core.OAuth2ProviderSettings; +import \
org.forgerock.oauth2.core.OAuth2Request; +import \
org.forgerock.oauth2.core.exceptions.ServerException; +import \
org.forgerock.oauth2.core.exceptions.UnauthorizedClientException; +import \
org.forgerock.openam.cts.api.filter.TokenFilter; </ins><span class="cx"> import \
org.forgerock.openam.cts.exceptions.CoreTokenException; </span><span class="cx"> \
import org.forgerock.openam.forgerockrest.RestUtils; </span><ins>+import \
org.forgerock.openam.oauth2.IdentityManager; </ins><span class="cx"> import \
org.forgerock.openam.oauth2.OAuthTokenStore; </span><ins>+import \
org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettingsFactory; +import \
org.forgerock.openidconnect.Client; +import org.forgerock.openidconnect.ClientDAO;
</ins><span class="cx">
</span><span class="cx"> import javax.inject.Inject;
</span><ins>+import java.net.HttpURLConnection;
</ins><span class="cx"> import java.security.AccessController;
</span><ins>+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Date;
</ins><span class="cx"> import java.util.HashMap;
</span><ins>+import java.util.List;
</ins><span class="cx"> import java.util.Map;
</span><span class="cx"> import java.util.Set;
</span><span class="cx">
</span><ins>+import static org.forgerock.json.fluent.JsonValue.*;
+import static org.forgerock.oauth2.core.OAuth2Constants.CoreTokenParams.*;
+import static org.forgerock.oauth2.core.OAuth2Constants.Params.GRANT_TYPE;
+import static org.forgerock.oauth2.core.OAuth2Constants.Params.REALM;
+import static org.forgerock.oauth2.core.OAuth2Constants.Token.OAUTH_ACCESS_TOKEN;
+import static org.forgerock.oauth2.core.OAuth2Constants.TokenEndpoint.CLIENT_CREDENTIALS;
+
</ins><span class="cx"> public class TokenResource implements \
CollectionResourceProvider { </span><span class="cx">
</span><del>- private OAuthTokenStore tokenStore;
</del><ins>+ private static final DateFormat DATE_FORMATTER = (new \
SimpleDateFormat()).getDateTimeInstance(DateFormat.MEDIUM, + \
DateFormat.SHORT); + public static final String EXPIRE_TIME_KEY = \
"expireTime"; + private final ClientDAO clientDao;
</ins><span class="cx">
</span><ins>+ private final OAuthTokenStore tokenStore;
+ private final OpenAMOAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory;
+
</ins><span class="cx"> private static SSOToken token = (SSOToken) \
AccessController.doPrivileged(AdminTokenAction.getInstance()); </span><span \
class="cx"> private static String adminUser = \
SystemProperties.get(Constants.AUTHENTICATION_SUPER_USER); </span><span class="cx"> \
private static AMIdentity adminUserId = null; </span><ins>+
</ins><span class="cx"> static {
</span><span class="cx"> if (adminUser != null) {
</span><span class="cx"> adminUserId = new AMIdentity(token,
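Review bot: DATE_FORMATTER is a static DateFormat shared by every request that TokenResource handles, and DateFormat instances are not safe for concurrent use, so parallel requests can produce corrupted dates; create the formatter per call or synchronise access to it. The initialiser also reaches the static getDateTimeInstance through a throwaway "new SimpleDateFormat()" instance; DateFormat.getDateTimeInstance(DateFormat.MEDIUM, DateFormat.SHORT) is the direct form. The wildcard static imports (JsonValue.*, CoreTokenParams.*) hide where unqualified names come from; import the members that are used.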
</span><span class="lines">@@ -81,217 +113,385 @@
</span><span class="cx"> private final IdentityManager identityManager;
</span><span class="cx">
</span><span class="cx"> @Inject
</span><del>- public TokenResource(final OAuthTokenStore tokenStore, final \
IdentityManager identityManager) { </del><ins>+ public \
TokenResource(OAuthTokenStore tokenStore, ClientDAO clientDao, IdentityManager \
identityManager, + OpenAMOAuth2ProviderSettingsFactory \
oAuth2ProviderSettingsFactory) { </ins><span class="cx"> this.tokenStore = \
tokenStore; </span><ins>+ this.clientDao = clientDao;
</ins><span class="cx"> this.identityManager = identityManager;
</span><ins>+ this.oAuth2ProviderSettingsFactory = \
oAuth2ProviderSettingsFactory; </ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> @Override
</span><del>- public void actionCollection(ServerContext context, ActionRequest \
actionRequest, ResultHandler<JsonValue> handler){
- final ResourceException e =
- new NotSupportedException("Actions are not supported for \
resource instances");
- handler.handleError(e);
</del><ins>+ public void actionCollection(ServerContext context, ActionRequest \
actionRequest, ResultHandler<JsonValue> handler) { + \
handler.handleError(new NotSupportedException("Actions are not supported for \
resource instances")); </ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> @Override
</span><span class="cx"> public void actionInstance(ServerContext context, String \
resourceId, ActionRequest request, </span><del>- \
ResultHandler<JsonValue> handler){
- final ResourceException e =
- new NotSupportedException("Actions are not supported for \
resource instances");
- handler.handleError(e);
</del><ins>+ ResultHandler<JsonValue> handler) {
+
+ String actionId = request.getAction();
+
+ if ("revoke".equalsIgnoreCase(actionId)) {
+ if (deleteToken(context, resourceId, handler, true)) {
+ handler.handleResult(json(object()));
+ }
+ } else {
+ handler.handleError(new NotSupportedException("Action not \
supported.")); + }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> @Override
</span><del>- public void createInstance(ServerContext context, CreateRequest \
createRequest, ResultHandler<Resource> handler){
- final ResourceException e =
- new NotSupportedException("Create is not supported for resource \
instances");
- handler.handleError(e);
</del><ins>+ public void createInstance(ServerContext context, CreateRequest \
createRequest, ResultHandler<Resource> handler) { + \
handler.handleError(new NotSupportedException("Create is not supported for \
resource instances")); </ins><span class="cx"> }
</span><span class="cx">
</span><del>- @Override
- public void deleteInstance(ServerContext context, String resourceId, \
DeleteRequest request,
- ResultHandler<Resource> handler){
- //only admin can delete
- AMIdentity uid = null;
</del><ins>+ /**
+ * Deletes the token with the provided token id.
+ *
+ * @param context The context.
+ * @param tokenId The token id.
+ * @param handler The handler.
+ * @param deleteRefreshToken Whether to delete associated refresh token, if \
token id is for an access token. + * @return {@code true} if the token has been \
deleted. + */
+ private boolean deleteToken(ServerContext context, String tokenId, \
ResultHandler<?> handler, + boolean deleteRefreshToken) {
</ins><span class="cx"> try {
</span><del>- //first check if SSOToken is valid
- uid = getUid(context);
</del><ins>+ AMIdentity uid = getUid(context);
</ins><span class="cx">
</span><del>- JsonValue response = null;
- try {
- response = tokenStore.read(resourceId);
- if (response == null){
- throw new NotFoundException("Token Not Found", null);
</del><ins>+ JsonValue token = tokenStore.read(tokenId);
+ if (token == null) {
+ throw new NotFoundException("Token Not Found", null);
+ }
+ String username = getAttributeValue(token, USERNAME);
+ if (username == null || username.isEmpty()) {
+ throw new PermanentException(HttpURLConnection.HTTP_NOT_FOUND, \
"Not Found", null); + }
+
+ String grantType = getAttributeValue(token, GRANT_TYPE);
+
+ if (grantType != null && \
grantType.equalsIgnoreCase(CLIENT_CREDENTIALS)) { + if \
(deleteRefreshToken) { + deleteAccessTokensRefreshToken(token);
</ins><span class="cx"> }
</span><del>- Set<String> usernameSet = \
(Set<String>)response.get(OAuth2Constants.CoreTokenParams.USERNAME).getObject();
- String username= null;
- if (usernameSet != null && !usernameSet.isEmpty()){
- username = usernameSet.iterator().next();
- }
- if(username == null || username.isEmpty()){
- throw new PermanentException(404, "Not Found", null);
- }
-
- Set<String> grantTypes = (Set<String>) \
response.get(OAuth2Constants.Params.GRANT_TYPE).getObject();
- String grantType = null;
- if (grantTypes != null && !grantTypes.isEmpty()){
- grantType = grantTypes.iterator().next();
- }
-
- if (grantType != null && \
grantType.equalsIgnoreCase(OAuth2Constants.TokenEndpoint.CLIENT_CREDENTIALS)) \
{
- tokenStore.delete(resourceId);
</del><ins>+ tokenStore.delete(tokenId);
+ } else {
+ String realm = getAttributeValue(token, REALM);
+ AMIdentity uid2 = identityManager.getResourceOwnerIdentity(username, \
realm); + if (uid.equals(uid2) || uid.equals(adminUserId)) {
+ if (deleteRefreshToken) {
+ deleteAccessTokensRefreshToken(token);
+ }
+ tokenStore.delete(tokenId);
</ins><span class="cx"> } else {
</span><del>- Set<String> realms = (Set<String>) \
response.get(OAuth2Constants.CoreTokenParams.REALM).getObject();
- String realm = null;
- if (realms != null && !realms.isEmpty()){
- realm = realms.iterator().next();
- }
- AMIdentity uid2 = \
identityManager.getResourceOwnerIdentity(username, realm);
- if (uid.equals(uid2) || uid.equals(adminUserId)) {
- tokenStore.delete(resourceId);
- } else {
- throw new PermanentException(401, "Unauthorized", \
null);
- }
</del><ins>+ throw new PermanentException(401, \
"Unauthorized", null); </ins><span class="cx"> }
</span><del>- } catch (CoreTokenException e) {
- throw new ServiceUnavailableException(e.getMessage(),e);
</del><span class="cx"> }
</span><del>- Map< String, String> responseVal = new HashMap< \
String, String>();
- responseVal.put("success", "true");
- response = new JsonValue(responseVal);
- Resource resource = new Resource(resourceId, "1", response);
- handler.handleResult(resource);
- } catch (ResourceException e){
</del><ins>+
+ return true;
+
+ } catch (CoreTokenException e) {
+ handler.handleError(new ServiceUnavailableException(e.getMessage(), e));
+ } catch (ResourceException e) {
</ins><span class="cx"> handler.handleError(e);
</span><del>- } catch (SSOException e){
- handler.handleError(new PermanentException(401, "Unauthorized" \
,e));
- } catch (IdRepoException e){
- handler.handleError(new PermanentException(401, "Unauthorized" \
,e)); </del><ins>+ } catch (SSOException e) {
+ handler.handleError(new PermanentException(401, \
"Unauthorized", e)); + } catch (IdRepoException e) {
+ handler.handleError(new PermanentException(401, \
"Unauthorized", e)); </ins><span class="cx"> } catch \
(UnauthorizedClientException e) { </span><span class="cx"> \
handler.handleError(new PermanentException(401, "Unauthorized", e)); \
</span><span class="cx"> } </span><ins>+
+ return false;
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+ /**
+ * Deletes the provided access token's refresh token.
+ *
+ * @param token The access token.
+ * @throws CoreTokenException If there was a problem deleting the refresh token.
+ */
+ private void deleteAccessTokensRefreshToken(JsonValue token) throws \
CoreTokenException { + if (OAUTH_ACCESS_TOKEN.equals(getAttributeValue(token, \
TOKEN_NAME))) { + String refreshTokenId = getAttributeValue(token, \
REFRESH_TOKEN); + if (refreshTokenId != null) {
+ tokenStore.delete(refreshTokenId);
+ }
+ }
+ }
+
+ /**
+ * Gets the value of the named attribute from the provided token.
+ *
+ * @param token The token.
+ * @param attributeName The attribute name.
+ * @return The attribute value.
+ */
+ private String getAttributeValue(JsonValue token, String attributeName) {
+ final Set<String> value = getAttributeAsSet(token, attributeName);
+ if (value != null && !value.isEmpty()) {
+ return value.iterator().next();
+ }
+ return null;
+ }
+
+ /**
+ * Gets the {@code Set<String>} of values for the given attributeName.
+ *
+ * @param value The {@code JsonValue}.
+ * @param attributeName The attribute name.
+ * @return The attribute set.
+ */
+ @SuppressWarnings("unchecked")
+ private Set<String> getAttributeAsSet(JsonValue value, String \
attributeName) { + final JsonValue param = value.get(attributeName);
+ if (param != null) {
+ return (Set<String>) param.getObject();
+ }
+ return null;
+ }
+
</ins><span class="cx"> @Override
</span><ins>+ public void deleteInstance(ServerContext context, String resourceId, \
DeleteRequest request, + ResultHandler<Resource> handler) {
+ if (deleteToken(context, resourceId, handler, false)) {
+ Resource resource = new Resource(resourceId, "1", \
json(object(field("success", "true")))); + \
handler.handleResult(resource); + }
+ }
+
+ @Override
</ins><span class="cx"> public void patchInstance(ServerContext context, String \
resourceId, PatchRequest request, </span><del>- \
ResultHandler<Resource> handler){ </del><ins>+ \
ResultHandler<Resource> handler) { </ins><span class="cx"> final \
ResourceException e = </span><span class="cx"> new \
NotSupportedException("Patch is not supported for resource instances"); \
</span><span class="cx"> handler.handleError(e); </span><span class="cx"> \
} </span><span class="cx">
</span><span class="cx"> @Override
</span><del>- public void queryCollection(ServerContext context, QueryRequest \
queryRequest, QueryResultHandler handler){
- try{
</del><ins>+ public void queryCollection(ServerContext context, QueryRequest \
queryRequest, QueryResultHandler handler) { + try {
</ins><span class="cx"> JsonValue response = null;
</span><del>- Resource resource;
</del><ins>+ Map<String, Object> query = new HashMap<String, \
Object>(); +
+ //get uid of submitter
+ AMIdentity uid;
</ins><span class="cx"> try {
</span><del>- Map<String, Object> query = new HashMap<String, \
Object>();
- String id = queryRequest.getQueryId();
</del><ins>+ uid = getUid(context);
+ if (!uid.equals(adminUserId)) {
+ query.put(USERNAME, uid.getName());
+ } else {
+ query.put(USERNAME, "*");
+ }
+ } catch (Exception e) {
+ handler.handleError(new PermanentException(401, \
"Unauthorized", e)); + }
</ins><span class="cx">
</span><del>- //get uid of submitter
- AMIdentity uid;
- try {
- uid = getUid(context);
- if (!uid.equals(adminUserId)){
- query.put(OAuth2Constants.CoreTokenParams.USERNAME, \
uid.getName());
- } else {
- query.put(OAuth2Constants.CoreTokenParams.USERNAME, \
"*"); </del><ins>+ String id = queryRequest.getQueryId();
+ String queryString = null;
+
+ if (id.equals("access_token")) {
+ queryString = "tokenName=access_token";
+ } else {
+ queryString = "";
+ }
+
+ String[] constraints = queryString.split("\\,");
+ for (String constraint : constraints) {
+ String[] params = constraint.split("=");
+ if (params.length == 2) {
+ query.put(params[0], params[1]);
+ }
+ }
+
+ response = tokenStore.query(query, TokenFilter.Type.AND);
+ handleResponse(handler, response, context);
+
+ } catch (UnauthorizedClientException e) {
+ handler.handleError(new PermanentException(401, e.getMessage(), e));
+ } catch (CoreTokenException e) {
+ handler.handleError(new ServiceUnavailableException(e.getMessage(), e));
+ } catch (InternalServerErrorException e) {
+ handler.handleError(e);
+ }
+ }
+
+ private void handleResponse(QueryResultHandler handler, JsonValue response, \
ServerContext context) throws UnauthorizedClientException, + \
CoreTokenException, InternalServerErrorException { + Resource resource = new \
Resource("result", "1", response); + JsonValue value = \
resource.getContent(); + String acceptLanguage = \
context.asContext(HttpContext.class).getHeaderAsString("accept-language"); \
+ Set<HashMap<String, Set<String>>> list = \
(Set<HashMap<String, Set<String>>>) value.getObject(); +
+ Resource res = null;
+ JsonValue val = null;
+
+ if (list != null && !list.isEmpty()) {
+ for (HashMap<String, Set<String>> entry : list) {
+ val = new JsonValue(entry);
+ res = new Resource("result", "1", val);
+ Client client = getClient(val);
+
+ val.put(EXPIRE_TIME_KEY, getExpiryDate(json(entry)));
+ val.put(OAuth2Constants.ShortClientAttributeNames.DISPLAY_NAME.getType(), \
getClientName(client)); + \
val.put(OAuth2Constants.ShortClientAttributeNames.SCOPES.getType(), getScopes(client, \
val, + acceptLanguage));
+
+ handler.handleResource(res);
+ }
+ }
+ handler.handleResult(new QueryResult());
+ }
+
+ private String getClientName(Client client) throws UnauthorizedClientException {
+ return client.get(OAuth2Constants.ShortClientAttributeNames.DISPLAY_NAME.getType()).get(0).asString();
+ }
+
+ private String getScopes(Client client, JsonValue entry, String acceptLanguage) \
throws UnauthorizedClientException { + JsonValue allScopes = \
client.get(OAuth2Constants.ShortClientAttributeNames.SCOPES.getType()); + \
Set<String> allowedScopes = getAttributeAsSet(entry, "scope"); +
+ String result = "";
+
+ java.util.Locale locale = \
Locale.getLocaleObjFromAcceptLangHeader(acceptLanguage); +
+ List<String> displayNames = new ArrayList<String>();
+ for (String allowedScope : allowedScopes) {
+ displayNames.add(getDisplayName(allowedScope, allScopes, locale));
+ }
+
+ return StringUtils.join(displayNames, ",");
+ }
+
+ private String getDisplayName(String allowedScope, JsonValue allScopes, \
java.util.Locale serverLocale) { + final String delimiter = "|";
+ String defaultDisplayName = null;
+
+ for (JsonValue scope : allScopes) {
+ if (scope.asString().contains(delimiter)) {
+ String[] values = scope.asString().split("\\" + \
delimiter); + if (values.length == 3) {
+ String name = values[0];
+ String language = values[1];
+ String displayName = values[2];
+ java.util.Locale currentLocale = Locale.getLocale(language);
+
+ final String currentLanguage = currentLocale.getLanguage();
+ if (currentLanguage.equalsIgnoreCase("en")) {
+ defaultDisplayName = displayName;
</ins><span class="cx"> }
</span><del>- } catch (Exception e){
- PermanentException ex = new PermanentException(401, \
"Unauthorized" ,e);
- handler.handleError(ex);
</del><ins>+
+ if (serverLocale.getLanguage().equals(currentLanguage) \
&& name.equals(allowedScope)) { + return displayName;
+ }
</ins><span class="cx"> }
</span><ins>+ }
+ }
</ins><span class="cx">
</span><del>- //split id into the query fields
- String[] queries = id.split("\\,");
- for (String q: queries){
- String[] params = q.split("=");
- if (params.length == 2){
- query.put(params[0], params[1]);
</del><ins>+ if (defaultDisplayName != null) {
+ return defaultDisplayName;
+ }
+
+ return allowedScope;
+ }
+
+ private Client getClient(JsonValue entry) throws UnauthorizedClientException {
+ final String clientId = getAttributeValue(entry, "clientID");
+ final String realm = getAttributeValue(entry, "realm");
+
+ return clientDao.read(clientId, getRequest(realm));
+ }
+
+ private OAuth2Request getRequest(final String realm) {
+ return new OAuth2Request() {
+ public <T> T getRequest() {
+ throw new UnsupportedOperationException("Realm parameter \
only OAuth2Request"); + }
+
+ public <T> T getParameter(String name) {
+ if ("realm".equals(name)) {
+ return (T) realm;
</ins><span class="cx"> }
</span><ins>+ throw new UnsupportedOperationException("Realm \
parameter only OAuth2Request"); </ins><span class="cx"> }
</span><span class="cx">
</span><del>- response = tokenStore.query(query);
- } catch (CoreTokenException e) {
- throw new ServiceUnavailableException(e.getMessage(),e);
- }
- resource = new Resource("result", "1", response);
- JsonValue value = resource.getContent();
- Set<HashMap<String,Set<String>>> list = \
(Set<HashMap<String,Set<String>>>) \
value.getObject();
- Resource res = null;
- JsonValue val = null;
- if (list != null && !list.isEmpty() ){
- for (HashMap<String,Set<String>> entry : list){
- val = new JsonValue(entry);
- res = new Resource("result", "1", val);
- handler.handleResource(res);
</del><ins>+ @Override
+ public JsonValue getBody() {
+ return null;
</ins><span class="cx"> }
</span><ins>+ };
+ }
+
+ private String getExpiryDate(JsonValue token) throws CoreTokenException, \
InternalServerErrorException { +
+ OAuth2ProviderSettings oAuth2ProviderSettings = \
oAuth2ProviderSettingsFactory.get( + getAttributeValue(token, \
"realm")); +
+ try {
+ if (token.isDefined("refreshToken")) {
+ if (oAuth2ProviderSettings.issueRefreshTokensOnRefreshingToken()) {
+ return "Indefinitely";
+ } else {
+ //Use refresh token expiry
+ JsonValue refreshToken = \
tokenStore.read(getAttributeValue(token, "refreshToken")); + \
long expiryTimeInMilliseconds = Long.parseLong(getAttributeValue(refreshToken, \
EXPIRE_TIME_KEY)); + return DATE_FORMATTER.format(new \
Date(expiryTimeInMilliseconds)); + }
+ } else {
+ //Use access token expiry
+ long expiryTimeInMilliseconds = \
Long.parseLong(getAttributeValue(token, EXPIRE_TIME_KEY)); + return \
DATE_FORMATTER.format(new Date(expiryTimeInMilliseconds)); </ins><span class="cx"> \
} </span><del>- handler.handleResult(new QueryResult());
- } catch (ResourceException e){
- handler.handleError(e);
</del><ins>+ } catch (ServerException e) {
+ throw new InternalServerErrorException(e);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> @Override
</span><span class="cx"> public void readInstance(ServerContext context, String \
resourceId, ReadRequest request, </span><del>- \
ResultHandler<Resource> handler){ </del><ins>+ \
ResultHandler<Resource> handler) { </ins><span class="cx">
</span><del>- AMIdentity uid = null;
- String username = null;
</del><span class="cx"> try {
</span><del>- //first check if SSOToken is valid
- uid = getUid(context);
-
- JsonValue response;
</del><ins>+ AMIdentity uid = getUid(context);
+
+ JsonValue response;
</ins><span class="cx"> Resource resource;
</span><span class="cx"> try {
</span><span class="cx"> response = tokenStore.read(resourceId);
</span><span class="cx"> } catch (CoreTokenException e) {
</span><span class="cx"> throw new NotFoundException("Token Not \
Found", e); </span><span class="cx"> }
</span><del>- if (response == null){
- throw new NotFoundException("Token Not Found", null);
</del><ins>+ if (response == null) {
+ throw new NotFoundException("Token Not Found");
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- Set<String> grantTypes = (Set<String>) \
response.get(OAuth2Constants.Params.GRANT_TYPE).getObject();
- String grantType = null;
- if (grantTypes != null && !grantTypes.isEmpty()){
- grantType = grantTypes.iterator().next();
- }
-
</del><ins>+ String grantType = getAttributeValue(response, GRANT_TYPE);
+
</ins><span class="cx"> if (grantType != null && \
grantType.equalsIgnoreCase(OAuth2Constants.TokenEndpoint.CLIENT_CREDENTIALS)) { \
</span><del>- resource = new Resource(OAuth2Constants.Params.ID, \
"1", response);
- handler.handleResult(resource);
</del><ins>+ resource = new Resource(OAuth2Constants.Params.ID, \
"1", response); + handler.handleResult(resource);
</ins><span class="cx"> } else {
</span><del>- Set<String> realms = (Set<String>) \
response.get(OAuth2Constants.CoreTokenParams.REALM).getObject();
- String realm = null;
- if (realms != null && !realms.isEmpty()){
- realm = realms.iterator().next();
- }
-
- Set<String> usernameSet = \
(Set<String>)response.get(OAuth2Constants.CoreTokenParams.USERNAME).getObject();
- if (usernameSet != null && !usernameSet.isEmpty()){
- username = usernameSet.iterator().next();
- }
- if(username == null || username.isEmpty()){
</del><ins>+ String realm = getAttributeValue(response, REALM);
+
+ String username = getAttributeValue(response, USERNAME);
+ if (username == null || username.isEmpty()) {
</ins><span class="cx"> throw new PermanentException(404, \
"Not Found", null); </span><span class="cx"> }
</span><span class="cx"> AMIdentity uid2 = \
identityManager.getResourceOwnerIdentity(username, realm); </span><del>- \
if (uid.equals(adminUserId) || uid.equals(uid2)){ </del><ins>+ if \
(uid.equals(adminUserId) || uid.equals(uid2)) { </ins><span class="cx"> \
resource = new Resource(OAuth2Constants.Params.ID, "1", response); \
</span><span class="cx"> handler.handleResult(resource); \
</span><span class="cx"> } else { </span><del>- \
throw new PermanentException(401, "Unauthorized" ,null); </del><ins>+ \
throw new PermanentException(401, "Unauthorized", null); </ins><span \
class="cx"> } </span><span class="cx"> }
</span><del>- } catch (ResourceException e){
</del><ins>+ } catch (ResourceException e) {
</ins><span class="cx"> handler.handleError(e);
</span><del>- } catch (SSOException e){
- handler.handleError(new PermanentException(401, "Unauthorized" \
,e));
- } catch (IdRepoException e){
- handler.handleError(new PermanentException(401, "Unauthorized" \
,e)); </del><ins>+ } catch (SSOException e) {
+ handler.handleError(new PermanentException(401, \
"Unauthorized", e)); + } catch (IdRepoException e) {
+ handler.handleError(new PermanentException(401, \
"Unauthorized", e)); </ins><span class="cx"> } catch \
(UnauthorizedClientException e) { </span><span class="cx"> \
handler.handleError(new PermanentException(401, "Unauthorized", e)); \
</span><span class="cx"> } </span><span class="lines">@@ -299,10 +499,8 @@
</span><span class="cx">
</span><span class="cx"> @Override
</span><span class="cx"> public void updateInstance(ServerContext context, String \
resourceId, UpdateRequest request, </span><del>- \
ResultHandler<Resource> handler){
- final ResourceException e =
- new NotSupportedException("Update is not supported for resource \
instances");
- handler.handleError(e);
</del><ins>+ ResultHandler<Resource> handler) {
+ handler.handleError(new NotSupportedException("Update is not supported \
for resource instances")); </ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> /**
</span></span></pre></div>
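Review bot: In queryCollection, the catch around getUid(context) calls handler.handleError(new PermanentException(401, "Unauthorized", e)) and then falls through, so the method carries on with a query map that has no USERNAME entry, runs tokenStore.query(query, TokenFilter.Type.AND) and reaches the handler a second time through handleResponse. Add a return after that handleError call (or move the query inside the try) so a request that fails identity lookup stops at the 401. Separately, in deleteToken the CLIENT_CREDENTIALS branch calls tokenStore.delete(tokenId) without the uid.equals(uid2) || uid.equals(adminUserId) comparison that the else branch applies; if that is intended, say so in a comment, otherwise the same check belongs there. getScopes also iterates allowedScopes taken straight from getAttributeAsSet(entry, "scope"), which can return null, and declares String result without using it.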
<a id="branchesAME3423openamopenamforgerockrestsrctestjavaorgforgerockopenamforgerockrestentitlementsJsonPolicyParserTestjava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/JsonPolicyParserTest.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/JsonPolicyParserTest.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/JsonPolicyParserTest.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -102,12 +102,25 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> @Test
</span><del>- public void shouldUsePolicyNameArgument() throws Exception {
</del><ins>+ public void shouldUseJsonNameFirst() throws Exception {
</ins><span class="cx"> // Given
</span><span class="cx"> String name = "realName";
</span><del>- JsonValue content = json(object(field("name", \
"fakeName"))); </del><ins>+ JsonValue content = \
json(object(field("name", name))); </ins><span class="cx">
</span><span class="cx"> // When
</span><ins>+ Privilege result = parser.parsePolicy("resourceName", \
content); +
+ // Then
+ assertThat(result.getName()).isEqualTo(name);
+ }
+
+ @Test
+ public void shouldUsePassedNameIfJsonNameIsMissing() throws Exception {
+ // Given
+ String name = "resourceName";
+ JsonValue content = json(object());
+
+ // When
</ins><span class="cx"> Privilege result = parser.parsePolicy(name, content);
</span><span class="cx">
</span><span class="cx"> // Then
</span></span></pre></div>
<a id="branchesAME3423openamopenamforgerockrestsrctestjavaorgforgerockopenamforgerockrestentitlementsPolicyResourceTestjava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/PolicyResourceTest.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/PolicyResourceTest.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/PolicyResourceTest.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -173,24 +173,6 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> @Test
</span><del>- public void shouldAcceptPolicyNameFromJson() throws Exception {
- // Given
- String policyName = "policyName";
- // Specify policy name in JSON rather than in request URL:
- JsonValue json = \
JsonValue.json(JsonValue.object(JsonValue.field("name", \
policyName)));
-
- CreateRequest request = mockCreateRequest(null, json);
- Privilege policy = mockPrivilege(policyName, 123l);
- given(mockParser.parsePolicy(policyName, json)).willReturn(policy);
-
- // When
- policyResource.createInstance(mockServerContext, request, \
mockResultHandler);
-
- // Then
- verify(mockParser).parsePolicy(policyName, json);
- }
-
- @Test
</del><span class="cx"> public void \
shouldAcceptConsistentPolicyNamesFromURLandJSON() throws Exception { </span><span \
class="cx"> // Given </span><span class="cx"> String policyName = \
"policyName"; </span><span class="lines">@@ -212,22 +194,13 @@
</span><span class="cx"> public void shouldRejectMismatchedPolicyName() throws \
Exception { </span><span class="cx"> // Given
</span><span class="cx"> String policyName = "policyName";
</span><ins>+ String differentPolicyName = "Different!";
</ins><span class="cx"> JsonValue json = \
JsonValue.json(JsonValue.object(JsonValue.field("name", policyName))); \
</span><del>- CreateRequest request = \
mockCreateRequest("Different!", json); </del><ins>+ CreateRequest \
request = mockCreateRequest(differentPolicyName, json); </ins><span class="cx">
</span><del>- // When
- policyResource.createInstance(mockServerContext, request, \
mockResultHandler); </del><ins>+ Privilege policy = mockPrivilege(policyName, \
123l); + given(mockParser.parsePolicy(differentPolicyName, \
json)).willReturn(policy); </ins><span class="cx">
</span><del>- // Then
- verify(mockResultHandler).handleError(isA(BadRequestException.class));
- }
-
- @Test
- public void shouldRejectUnspecifiedPolicyName() throws Exception {
- // Given
- JsonValue json = new JsonValue("");
- CreateRequest request = mockCreateRequest(null, json);
-
</del><span class="cx"> // When
</span><span class="cx"> policyResource.createInstance(mockServerContext, \
request, mockResultHandler); </span><span class="cx">
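Review bot: shouldRejectUnspecifiedPolicyName is deleted in this hunk with nothing replacing it, so a create request with a null resource name and no name in the JSON is no longer covered; keep a test for that case or add one stating the new expected behaviour. In shouldRejectMismatchedPolicyName the parser is now stubbed to return a policy named policyName for a request made under differentPolicyName, and the test's own verify(mockResultHandler).handleError(isA(BadRequestException.class)) line is removed, leaving it to run into the When/Then left over from the deleted test. Confirm that the remaining assertion still checks that the mismatch is rejected, and state it in this test rather than relying on the leftover block.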
</span><span class="lines">@@ -343,7 +316,7 @@
</span><span class="cx"> given(request.getContent()).willReturn(content);
</span><span class="cx"> Privilege privilege = mockPrivilege(id, \
lastModified); </span><span class="cx"> given(mockParser.parsePolicy(id, \
content)).willReturn(privilege); </span><del>- \
given(mockStore.update(privilege)).willReturn(privilege); </del><ins>+ \
given(mockStore.update(id, privilege)).willReturn(privilege); </ins><span class="cx"> \
</span><span class="cx"> // When
</span><span class="cx"> policyResource.updateInstance(mockServerContext, id, \
request, mockResultHandler); </span></span></pre></div>
<a id="branchesAME3423openamopenamforgerockrestsrctestjavaorgforgerockopenamforgerockrestentitlementsPrivilegePolicyStoreTestjava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/PrivilegePolicyStoreTest.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/PrivilegePolicyStoreTest.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-forgerock-rest/src/test/java/org/forgerock/openam/forgerockrest/entitlements/PrivilegePolicyStoreTest.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -110,13 +110,14 @@
</span><span class="cx"> @Test
</span><span class="cx"> public void shouldDelegateUpdatesToPrivilegeManager() \
throws Exception { </span><span class="cx"> // Given
</span><ins>+ String name = "test";
</ins><span class="cx"> Privilege policy = new StubPrivilege();
</span><span class="cx">
</span><span class="cx"> // When
</span><del>- Privilege response = testStore.update(policy);
</del><ins>+ Privilege response = testStore.update(name, policy);
</ins><span class="cx">
</span><span class="cx"> // Then
</span><del>- verify(mockManager).modifyPrivilege(policy);
</del><ins>+ verify(mockManager).modifyPrivilege(name, policy);
</ins><span class="cx"> assertThat(response).isSameAs(policy);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
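Review bot: shouldDelegateUpdatesToPrivilegeManager only checks that the new name argument is forwarded to modifyPrivilege(name, policy); it does not pin down what happens when name differs from the policy's own name. Since update now takes both, add a case where the two differ and assert the intended outcome (rename or rejection), so the identifier used for the update cannot silently drift from the object being stored.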
<a id="branchesAME3423openamopenamoauth2"></a>
<div class="propset"><h4>Property changes: \
branches/AME-3423/openam/openam-oauth2</h4> <pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4>Modified: svn:mergeinfo</h4></div>
<span class="cx">/branches/AME-2629/openam/openam-oauth2:7585-7632
</span><span class="cx">/branches/AME-3405-session-read-from-cts/openam/openam-oauth2:8749-8823
</span><span class="cx">/branches/AME-3612-pcunnington/openam/openam-oauth2:9534-9723
</span><span class="cx">/branches/AME-3719/openam/openam-oauth2:9517-9879
</span><span class="cx">/branches/AME-3726-script-sandboxing/openam/openam-oauth2:9663-9819
</span><span class="cx">/branches/CTS-Async/openam/openam-oauth2:8847-9739
</span><span class="cx">/branches/IIS7PostData/openam/openam-oauth2:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/openam/openam-oauth2:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/openam/openam-oauth2:6910-6946
</span><span class="cx">/branches/OPENAM-3130-session-quota/openam/openam-oauth2:6958-6972
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/openam/openam-oauth2:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/openam/openam-oauth2:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/openam/openam-oauth2:8747-8835
</span><span class="cx">/branches/OPENAM-4028-connection-pool/openam/openam-oauth2:9750-10171
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/openam/openam-oauth2:7834-7844
</span><span class="cx">/branches/ame4272/openam/openam-oauth2:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/openam/openam-oauth2:7508-7697
</span><span class="cx">/branches/andyAme3102/openam/openam-oauth2:8312-8413
</span><span class="cx">/branches/maven_merge/openam/openam-oauth2:2556-2558,2756-3124
</span><span class="cx">/branches/oidc_authn/openam-oauth2:8507,8540,8557-8559,8565-8566
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/openam/openam-oauth2:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/openam/openam-oauth2:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/openam/openam-oauth2:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/openam/openam-oauth2:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/openam/openam-oauth2:6767-6804
</span><span class="cx">/branches/openam_10.1.0_SAML2_FIXES/openam-oauth2:3725-3740
</span><span class="cx">/branches/openam_10.1.0_jeff/openam-oauth2:3128-3527
</span><span class="cx">/branches/openam_10.1.0_xacml3_JAS/openam/openam-oauth2:4039-4140
</span><span class="cx">/branches/openam_10.2.0_xacml3_JAS/openam/openam-oauth2:4141-4379
</span><span class="cx">/branches/openid_connect_implementation/openam-oauth2:4140-5165
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/openam/openam-oauth2:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/openam/openam-oauth2:8476-8577
</span><span class="cx">/branches/pcunnington-oauth2/openam/openam-oauth2:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/openam/openam-oauth2:8314-8341
</span><span class="cx">/branches/rest_sts_view_bean/openam-oauth2:9690-9965
</span><span class="cx">/branches/rwapshott-AME-1739/openam/openam-oauth2:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/openam/openam-oauth2:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/openam/openam-oauth2:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/openam/openam-oauth2:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2027-cts-oids-should-follow-fr-oid-scheme/openam/openam-oauth2:5609-5614
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/openam/openam-oauth2:6086-6319
</span><span class="cx">/branches/rwapshott-ame-2311-index-names/openam/openam-oauth2:6058-6069
</span><span class="cx">/branches/rwapshott-ame-258-cts-replication/openam/openam-oauth2:5548-6055
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/openam/openam-oauth2:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/openam/openam-oauth2:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/openam/openam-oauth2:6170-6194
</span><span class="cx">/branches/rwapshott-openam-2729-saml2-error/openam/openam-oauth2:6247-6257
</span><span class="cx">/branches/sts_oidc_saml_redux/openam-oauth2:8417-8422,8424,8440,8445-8446,8460,8490,8498
</span><span class="cx">/branches/sts_restart_persistence/openam-oauth2:9003-9005,9009-9414
</span><span class="cx">/branches/sts_service_listeners/openam-oauth2:9968-10031,10047-10048,10053
</span><span class="cx">/branches/sts_token_gen_service/openam-oauth2:8706,8717-8720, \
8723-8725,8727-8728,8731,8737,8740-8742,8759-8760,8774-8776,8796-8797,8800-8801,8818-8819,8821
</span><span class="cx">/branches/sts_token_gen_service2/openam-oauth2:8844-8887,8894-9000
</span><span class="cx">/trunk/openam/openam-oauth2:3127-3577,10107-10111,10114-10116 \
,10119,10129-10131,10134-10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193,10196-10201,10204,10212
</span><span class="cx"> + \
/branches/AME-2526-SFO-between-sites/openam/openam-oauth2:7510-8258 </span><span \
class="cx">/branches/AME-2629/openam/openam-oauth2:7585-7632 </span><span \
class="cx">/branches/AME-3405-session-read-from-cts/openam/openam-oauth2:8749-8823 \
</span><span class="cx">/branches/AME-3612-pcunnington/openam/openam-oauth2:9534-9723 \
</span><span class="cx">/branches/AME-3719/openam/openam-oauth2:9517-9879 \
</span><span class="cx">/branches/AME-3726-script-sandboxing/openam/openam-oauth2:9663-9819
</span><span class="cx">/branches/CTS-Async/openam/openam-oauth2:8847-9739
</span><span class="cx">/branches/IIS7PostData/openam/openam-oauth2:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/openam/openam-oauth2:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/openam/openam-oauth2:6910-6946
</span><span class="cx">/branches/OPENAM-3130-session-quota/openam/openam-oauth2:6958-6972
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/openam/openam-oauth2:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/openam/openam-oauth2:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/openam/openam-oauth2:8747-8835
</span><span class="cx">/branches/OPENAM-4028-connection-pool/openam/openam-oauth2:9750-10171
</span><span class="cx">/branches/OPENAM-4384-ssoadm-classpath/openam/openam-oauth2:10263-10264
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/openam/openam-oauth2:7834-7844
</span><span class="cx">/branches/ame4272/openam/openam-oauth2:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/openam/openam-oauth2:7508-7697
</span><span class="cx">/branches/andyAme3102/openam/openam-oauth2:8312-8413
</span><span class="cx">/branches/maven_merge/openam/openam-oauth2:2556-2558,2756-3124
</span><span class="cx">/branches/oidc_authn/openam-oauth2:8507,8540,8557-8559,8565-8566
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/openam/openam-oauth2:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/openam/openam-oauth2:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/openam/openam-oauth2:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/openam/openam-oauth2:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/openam/openam-oauth2:6767-6804
</span><span class="cx">/branches/openam_10.1.0_SAML2_FIXES/openam-oauth2:3725-3740
</span><span class="cx">/branches/openam_10.1.0_jeff/openam-oauth2:3128-3527
</span><span class="cx">/branches/openam_10.1.0_xacml3_JAS/openam/openam-oauth2:4039-4140
</span><span class="cx">/branches/openam_10.2.0_xacml3_JAS/openam/openam-oauth2:4141-4379
</span><span class="cx">/branches/openid_connect_implementation/openam-oauth2:4140-5165
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/openam/openam-oauth2:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/openam/openam-oauth2:8476-8577
</span><span class="cx">/branches/pcunnington-oauth2/openam/openam-oauth2:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/openam/openam-oauth2:8314-8341
</span><span class="cx">/branches/rest_sts_view_bean/openam-oauth2:9690-9965
</span><span class="cx">/branches/rwapshott-AME-1739/openam/openam-oauth2:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/openam/openam-oauth2:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/openam/openam-oauth2:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/openam/openam-oauth2:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2027-cts-oids-should-follow-fr-oid-scheme/openam/openam-oauth2:5609-5614
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/openam/openam-oauth2:6086-6319
</span><span class="cx">/branches/rwapshott-ame-2311-index-names/openam/openam-oauth2:6058-6069
</span><span class="cx">/branches/rwapshott-ame-258-cts-replication/openam/openam-oauth2:5548-6055
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/openam/openam-oauth2:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/openam/openam-oauth2:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/openam/openam-oauth2:6170-6194
</span><span class="cx">/branches/rwapshott-openam-2729-saml2-error/openam/openam-oauth2:6247-6257
</span><span class="cx">/branches/sts_oidc_saml_redux/openam-oauth2:8417-8422,8424,8440,8445-8446,8460,8490,8498
</span><span class="cx">/branches/sts_restart_persistence/openam-oauth2:9003-9005,9009-9414
</span><span class="cx">/branches/sts_service_listeners/openam-oauth2:9968-10031,10047-10048,10053
</span><span class="cx">/branches/sts_token_gen_service/openam-oauth2:8706,8717-8720, \
8723-8725,8727-8728,8731,8737,8740-8742,8759-8760,8774-8776,8796-8797,8800-8801,8818-8819,8821
</span><span class="cx">/branches/sts_token_gen_service2/openam-oauth2:8844-8887,8894-9000
</span><span class="cx">/trunk/openam/openam-oauth2:3127-3577,10107-10111,10114-10116 \
,10119,10129-10131,10134-10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,1 \
0182-10185,10191,10193,10196-10201,10204,10212,10214,10217-10218,10222,10224,10229-10230,10243-10244,10249,10251,10253-10255,10258-10259,10265,10274,10276,10282,10288
</span><a id="branchesAME3423openamopenamoauth2srcmainjavaorgforgerockopenamoauth2OAuthTokenStorejava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OAuthTokenStore.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OAuthTokenStore.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OAuthTokenStore.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -114,8 +114,8 @@
</span><span class="cx"> * @return A JsonValue of the query results.
</span><span class="cx"> * @throws CoreTokenException If there is a problem \
performing the query. </span><span class="cx"> */
</span><del>- public JsonValue query(Map<String, Object> queryParameters) \
throws CoreTokenException {
- Collection<Token> tokens = cts.query(convertRequest(queryParameters));
</del><ins>+ public JsonValue query(Map<String, Object> queryParameters, \
TokenFilter.Type type) throws CoreTokenException { + Collection<Token> \
tokens = cts.query(convertRequest(queryParameters, type)); </ins><span class="cx"> \
return convertResults(tokens); </span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -123,11 +123,12 @@
</span><span class="cx"> * Converts the Map of filter parameters into an LDAP \
filter. </span><span class="cx"> *
</span><span class="cx"> * @param filters A Map of filter parameters.
</span><ins>+ * @param type The type of filter required (and/or).
</ins><span class="cx"> * @return A Mapping of CoreTokenField to Objects to \
query by. </span><span class="cx"> */
</span><del>- private TokenFilter convertRequest(Map<String, Object> \
filters) { </del><ins>+ private TokenFilter convertRequest(Map<String, \
Object> filters, TokenFilter.Type type) { + \
TokenFilterBuilder.FilterAttributeBuilder builder = new \
TokenFilterBuilder().type(type); </ins><span class="cx">
</span><del>- TokenFilterBuilder.FilterAttributeBuilder builder = new \
TokenFilterBuilder().or(); </del><span class="cx"> for (OAuthTokenField field \
: OAuthTokenField.values()) { </span><span class="cx"> if \
(filters.containsKey(field.getOAuthField())) { </span><span class="cx"> \
builder.withAttribute(field.getField(), filters.get(field.getOAuthField())); \
</span></span></pre></div> <a \
id="branchesAME3423openamopenamoauth2srcmainjavaorgforgerockopenamoauth2OpenAMOAuth2ProviderSettingsFactoryjava"></a>
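Review bot: convertRequest now hands the caller-supplied type straight to new TokenFilterBuilder().type(type) with no null check, and the and/or choice decides how broadly a token query matches, so a null or unintended value should fail fast here rather than inside the builder. The Javadoc in this hunk is also stale: it still describes the return value as A Mapping of CoreTokenField to Objects while the signature returns TokenFilter, and the new @param type line should state that callers which relied on the old hard-coded or() must pass TokenFilter.Type.OR to keep the same results.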
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMOAuth2ProviderSettingsFactory.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMOAuth2ProviderSettingsFactory.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMOAuth2ProviderSettingsFactory.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -61,6 +61,16 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> /**
</span><ins>+ * Only to be used internally by AM.
+ *
+ * @param realm The realm.
+ * @return The OAuth2ProviderSettings instance.
+ */
+ public OAuth2ProviderSettings get(String realm) {
+ return getInstance(realmNormaliser.normalise(realm), null);
+ }
+
+ /**
</ins><span class="cx"> * Gets the instance of the OAuth2ProviderSettings.
</span><span class="cx"> * <br/>
</span><span class="cx"> * Cache each provider settings on the realm it was \
created for. </span></span></pre></div>
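Review bot: the new public get(String realm) is restricted only by the Javadoc sentence Only to be used internally by AM., which nothing enforces; if it has to stay public, the comment should say why external callers must not use it and what passing null as the second argument to getInstance skips. This hunk shows no guard for that null, so confirm that getInstance and the per-realm cache described in the context Javadoc behave correctly when it is absent.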
<a id="branchesAME3423openamopenamoauth2srcmainjavaorgforgerockopenamoauth2OpenAMTokenStorejava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMTokenStore.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMTokenStore.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMTokenStore.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx"> import \
org.forgerock.oauth2.core.exceptions.InvalidGrantException; </span><span class="cx"> \
import org.forgerock.oauth2.core.exceptions.InvalidRequestException; </span><span \
class="cx"> import org.forgerock.oauth2.core.exceptions.ServerException; \
</span><ins>+import org.forgerock.openam.cts.api.filter.TokenFilter; </ins><span \
class="cx"> import org.forgerock.openam.cts.exceptions.CoreTokenException; \
</span><span class="cx"> import \
org.forgerock.openam.openidconnect.OpenAMOpenIdConnectToken; </span><span class="cx"> \
import org.forgerock.openidconnect.OpenIdConnectClientRegistration; </span><span \
class="lines">@@ -284,7 +285,7 @@ </span><span class="cx"> \
query.put(OAuth2Constants.CoreTokenParams.REFRESH_TOKEN, tokenId); </span><span \
class="cx"> </span><span class="cx"> try {
</span><del>- results = tokenStore.query(query);
</del><ins>+ results = tokenStore.query(query, TokenFilter.Type.OR);
</ins><span class="cx"> } catch (CoreTokenException e) {
</span><span class="cx"> logger.error("Unable to query refresh token \
corresponding to id: " + tokenId, e); </span><span class="cx"> throw \
new InvalidRequestException(); </span></span></pre></div>
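Review bot: in the second hunk the call site passes TokenFilter.Type.OR explicitly, which keeps the previous or() behaviour, but the surrounding catch still concatenates tokenId into the logger.error message and then throws an InvalidRequestException with no detail. If tokenId is usable as a bearer value, log a truncated or hashed form instead, and consider whether a CoreTokenException from the store is really a client request error rather than a ServerException, which this file already imports.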
<a id="branchesAME3423openamopenamscriptingsrcmainjavaorgforgerockopenamscriptingsandboxGroovySandboxValueFilterjava"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-scripting/src/main/java/org/forgerock/openam/scripting/sandbox/GroovySandboxValueFilter.java \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-scripting/src/main/java/org/forgerock/openam/scripting/sandbox/GroovySandboxValueFilter.java 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-scripting/src/main/java/org/forgerock/openam/scripting/sandbox/GroovySandboxValueFilter.java 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -53,7 +53,13 @@
</span><span class="cx"> return null;
</span><span class="cx"> }
</span><span class="cx"> // For a static call or constructor then the target \
will be the class, otherwise it will be an object instance </span><del>- final \
Class<?> clazz = target instanceof Class ? (Class<?>) target : \
target.getClass(); </del><ins>+ Class<?> clazz = target instanceof Class \
? (Class<?>) target : target.getClass(); +
+ // OPENAM-4347: Treat array types as their component type for the purposes \
of sandboxing. + if (clazz.isArray()) {
+ clazz = clazz.getComponentType();
+ }
+
</ins><span class="cx"> final String className = clazz.getName();
</span><span class="cx">
</span><span class="cx"> if (classShutter.visibleToScripts(className)) {
</span></span></pre></div>
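Review bot: clazz.getComponentType() in the OPENAM-4347 block unwraps only one array dimension, so for a target such as String[][] clazz is still an array class and className is the JVM array name rather than the element type the class shutter is meant to judge. Looping with while (clazz.isArray()) would cover nested arrays; a test for primitive arrays, where the component type name is int, byte and so on, would also confirm that classShutter.visibleToScripts gives the intended answer for those names.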
<a id="branchesAME3423openamopenamserveronlysrcmainresourcesMETAINFservicescomgoogleinjectAbstractModule"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-server-only/src/main/resources/META-INF/services/com.google.inject.AbstractModule \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-server-only/src/main/resources/META-INF/services/com.google.inject.AbstractModule 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-server-only/src/main/resources/META-INF/services/com.google.inject.AbstractModule 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -1 +1,17 @@
</span><del>-org.forgerock.openam.core.guice.CoreGuiceModule
</del><span class="cx">\ No newline at end of file
</span><ins>+#
+# The contents of this file are subject to the terms of the Common Development and
+# Distribution License (the License). You may not use this file except in compliance \
with the +# License.
+#
+# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for \
the +# specific language governing permission and limitations under the License.
+#
+# When distributing Covered Software, include this CDDL Header Notice in each file \
and include +# the License file at legal/CDDLv1.0.txt. If applicable, add the \
following below the CDDL +# Header, with the fields enclosed by brackets [] replaced \
by your own identifying +# information: "Portions copyright [year] [name of \
copyright owner]". +#
+# Copyright 2014 ForgeRock AS.
+#
+org.forgerock.openam.core.guice.CoreGuiceModule
+org.forgerock.openam.core.guice.DataLayerGuiceModule
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
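Review bot: the provider file now starts with # comment lines before the two module names; java.util.ServiceLoader skips such lines, but if this file is read by a custom loader, confirm that it ignores # lines rather than trying to instantiate them. The file also still ends without a trailing newline after DataLayerGuiceModule, which makes the next appended entry easy to get wrong.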
<a id="branchesAME3423openamopenamuipolicysrcmainjsorgforgerockopenamuipolicyManageApplicationsViewjs"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-policy/src/main/js/org/forgerock/openam/ui/policy/ManageApplicationsView.js \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-policy/src/main/js/org/forgerock/openam/ui/policy/ManageApplicationsView.js 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-policy/src/main/js/org/forgerock/openam/ui/policy/ManageApplicationsView.js 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -41,28 +41,38 @@
</span><span class="cx"> return '<a href="#app/' + \
cellvalue + '">' + cellvalue + '</a>'; </span><span class="cx"> \
}, </span><span class="cx"> policyLinkFormatter = function \
(cellvalue, options, rowObject) { </span><del>- return '<a \
href="#app/' + cellvalue + '/policies/">View</a>'; </del><ins>+ \
return '<a href="#app/' + cellvalue + '/policies/" \
class="icon-search"></a>'; </ins><span class="cx"> \
}; </span><span class="cx">
</span><span class="cx"> this.parentRender(function () {
</span><span class="cx"> var options = {
</span><del>- view: this,
- id: '#manageApps',
- url: '/openam/json/applications?_queryFilter=true',
- colNames: ['Name', 'Realm', 'Type', 'Last Modified', \
'Policies'],
- colModel: [
- {name: 'name', formatter: appLinkFormatter, width: 260},
- {name: 'realm', width: 70},
- {name: 'applicationType', width: 260},
- {name: 'lastModifiedDate', width: 260},
- {name: 'name', formatter: policyLinkFormatter, width: 70}
- ],
- width: '920',
- pager: '#appsPager',
- callback: callback
- };
</del><ins>+ url: \
'/openam/json/applications?_queryFilter=true', + colNames: \
['Name', 'Description', 'Realm', 'Type', 'Author', 'Created', 'Modified By', + \
'Last Modified', 'Actions', 'Conditions', 'Resources', 'Subjects', 'Override Rule', \
'Policies'], + colModel: [
+ {name: 'name', width: 250, formatter: appLinkFormatter, \
frozen: true}, + {name: 'description', width: 150},
+ {name: 'realm', width: 150},
+ {name: 'applicationType', width: 250},
+ {name: 'createdBy', width: 250},
+ {name: 'creationDate', width: 150, formatter: \
uiUtils.commonJQGridFormatters.dateFormatter}, + {name: \
'lastModifiedBy', width: 250}, + {name: \
'lastModifiedDate', width: 150, formatter: \
uiUtils.commonJQGridFormatters.dateFormatter}, + {name: \
'actions', width: 250, formatter: uiUtils.commonJQGridFormatters.objectFormatter}, + \
{name: 'conditions', width: 150, formatter: \
uiUtils.commonJQGridFormatters.arrayFormatter}, + {name: \
'resources', width: 250, formatter: uiUtils.commonJQGridFormatters.arrayFormatter}, + \
{name: 'subjects', width: 150, formatter: \
uiUtils.commonJQGridFormatters.arrayFormatter}, + {name: \
'entitlementCombiner', width: 100}, + {name: 'name', \
width: 30, formatter: policyLinkFormatter} + ],
+ width: 920,
+ shrinkToFit: false,
+ pager: '#appsPager'
</ins><span class="cx">
</span><del>- uiUtils.buildRestResponseBasedJQGrid(options);
</del><ins>+ },
+ grid = uiUtils.buildRestResponseBasedJQGrid(this, '#manageApps', \
options, callback); +
+ grid.jqGrid('setFrozenColumns');
</ins><span class="cx"> });
</span><span class="cx"> }
</span><span class="cx"> });
</span></span></pre></div>
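Review bot: policyLinkFormatter (and appLinkFormatter in the context lines) concatenates cellvalue into the href and link markup without HTML or URL encoding, so an application name containing quotes or angle brackets ends up as markup in the grid; encode the value with encodeURIComponent for the fragment and escape it for HTML before returning the string. The replacement link also has no text content now that View has been swapped for class icon-search, so it needs a title or aria-label, and the colModel still has two columns with name: 'name', which the common.less selectors later in this commit match on.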
<a id="branchesAME3423openamopenamuipolicysrcmainjsorgforgerockopenamuipolicyManagePoliciesViewjs"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-policy/src/main/js/org/forgerock/openam/ui/policy/ManagePoliciesView.js \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-policy/src/main/js/org/forgerock/openam/ui/policy/ManagePoliciesView.js 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-policy/src/main/js/org/forgerock/openam/ui/policy/ManagePoliciesView.js 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -48,20 +48,28 @@
</span><span class="cx"> \
this.$el.find('#managePoliciesTitle').text("Manage " + appName + " \
Policies"); </span><span class="cx">
</span><span class="cx"> var options = {
</span><del>- view: this,
- id: '#managePolicies',
- url: '/openam/json/policies?_queryFilter=' + \
encodeURIComponent('applicationName eq "' + appName + '"'),
- colNames: ['Name', 'Last Modified'],
- colModel: [
- {name: 'name', formatter: policyLinkFormatter, width: 460},
- {name: 'lastModified', width: 460}
- ],
- width: '920',
- pager: '#policiesPager',
- callback: callback
- };
</del><ins>+ url: '/openam/json/policies?_queryFilter=' + \
encodeURIComponent('applicationName eq "' + appName + '"'), + \
colNames: ['Name', 'Description', 'Author', 'Created', 'Modified By', 'Last \
Modified', 'Actions', + 'Resources', 'Resource \
Attributes', 'Subject'], + colModel: [
+ {name: 'name', width: 250, frozen: true, formatter: \
policyLinkFormatter}, + {name: 'description', width: 150},
+ {name: 'createdBy', width: 250},
+ {name: 'creationDate', width: 150, formatter: \
uiUtils.commonJQGridFormatters.dateFormatter}, + {name: \
'lastModifiedBy', width: 250}, + {name: 'lastModified', \
width: 150, formatter: uiUtils.commonJQGridFormatters.dateFormatter}, + \
{name: 'actionValues', width: 250, formatter: \
uiUtils.commonJQGridFormatters.objectFormatter}, + {name: \
'resources', width: 250, formatter: uiUtils.commonJQGridFormatters.arrayFormatter}, + \
{name: 'resourceAttributes', width: 150, formatter: \
uiUtils.commonJQGridFormatters.arrayFormatter}, + {name: \
'subject', width: 150, formatter: uiUtils.commonJQGridFormatters.objectFormatter} + \
], + width: 920,
+ shrinkToFit: false,
+ pager: '#policiesPager'
+ },
+ grid = uiUtils.buildRestResponseBasedJQGrid(this, \
'#managePolicies', options, callback); </ins><span class="cx">
</span><del>- uiUtils.buildRestResponseBasedJQGrid(options);
</del><ins>+ grid.jqGrid('setFrozenColumns');
</ins><span class="cx"> });
</span><span class="cx"> }
</span><span class="cx"> });
</span></span></pre></div>
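Review bot: the url option still builds the query filter by concatenating appName between double quotes after applicationName eq, and encodeURIComponent only protects the URL, not the filter expression, so an appName containing a double quote closes the string literal and changes the filter the server evaluates. Escape quotes and backslashes in appName before embedding it. The column name lastModified here also differs from lastModifiedDate in ManageApplicationsView, which deserves a comment if the two REST resources really differ.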
<a id="branchesAME3423openamopenamuipolicysrcmainresourcescsspolicycommonless"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-policy/src/main/resources/css/policy/common.less \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-policy/src/main/resources/css/policy/common.less 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-policy/src/main/resources/css/policy/common.less 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -238,11 +238,30 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> .ui-jqgrid {
</span><ins>+ tr.ui-row-ltr td {
+ vertical-align: top;
+ }
</ins><span class="cx">
</span><span class="cx"> #manageApps_applicationType, \
td[aria-describedby="manageApps_applicationType"], \
td[aria-describedby="manageApps_name"] { </span><span class="cx"> \
text-overflow: ellipsis; </span><span class="cx"> white-space: nowrap;
</span><span class="cx"> overflow: hidden;
</span><span class="cx"> }
</span><ins>+ #manageApps td[aria-describedby="manageApps_name"] {
+ text-align: center;
+ .icon-search{
+ text-decoration: none;
+ font-size: 16px;
+ vertical-align: middle;
+ color: #80b7ab;
+ }
+ }
+ .ui-state-hover a{
+ color: #fff !important;
+ }
</ins><span class="cx">
</span><ins>+}
+
+.frozen-bdiv.ui-jqgrid-bdiv {
+ height: auto !important;
</ins><span class="cx"> }
</span><span class="cx">\ No newline at end of file
</span></span></pre></div>
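Review bot: the added rule on #manageApps td with aria-describedby manageApps_name and text-align: center matches every cell generated from a column named name, and ManageApplicationsView defines two such columns, so the application name link is centred along with the search icon; give the policies column its own name and target that. The two !important declarations (on .ui-state-hover a and on .frozen-bdiv.ui-jqgrid-bdiv) would be better replaced by selectors specific enough to win without them.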
<a id="branchesAME3423openamopenamuipolicysrctestqunitpolicyjs"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-policy/src/test/qunit/policy.js (10295 => \
10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-policy/src/test/qunit/policy.js 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-policy/src/test/qunit/policy.js 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -332,6 +332,9 @@
</span><span class="cx"> QUnit.ok(rowData.length > 0, "At \
least one application listed in the table"); </span><span class="cx"> \
QUnit.ok(rowData.length === table.find("tr[id]").length, "Number of \
rows in grid match number displayed"); </span><span class="cx">
</span><ins>+ QUnit.ok(table.jqGrid('getGridParam', \
'colNames').length === table.find("tr[id]")[0].children.length, + \
'Total number of columns displayed matches number of columns requested'); +
</ins><span class="cx"> // Pagination
</span><span class="cx"> QUnit.ok($('#appsPager', \
manageAppsView.$el).length === 1, 'Pager is present'); </span><span class="cx">
</span><span class="lines">@@ -585,6 +588,9 @@
</span><span class="cx">
</span><span class="cx"> \
QUnit.ok(managePolView.$el.find('#backToApps').length, "Back button is \
available"); </span><span class="cx">
</span><ins>+ QUnit.ok(table.jqGrid('getGridParam', \
'colNames').length === table.find("tr[id]")[0].children.length, + \
'Total number of columns displayed matches number of columns requested'); +
</ins><span class="cx"> // Pagination
</span><span class="cx"> QUnit.ok($('#policiesPager', \
managePolView.$el).length === 1, 'Pager is present'); </span><span class="cx">
</span></span></pre></div>
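Review bot: the assertion added here indexes element [0] of table.find("tr[id]") and reads .children without checking that a row exists, so when the grid is empty the test throws a TypeError instead of reporting a failed assertion. The same line is added in the hunk at -332 above, where the preceding rowData.length check does not stop execution. Guard on the row count first, or compare colNames against the header cell count, which does not depend on data being present.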
<a id="branchesAME3423openamopenamuiriasrcmainjsorgforgerockopenamuidashboardDashboardViewjs"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/DashboardView.js \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/DashboardView.js 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/DashboardView.js 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -30,8 +30,9 @@
</span><span class="cx"> \
define("org/forgerock/openam/ui/dashboard/DashboardView", [ </span><span \
class="cx"> "org/forgerock/commons/ui/common/main/AbstractView", \
</span><span class="cx"> \
"org/forgerock/openam/ui/dashboard/MyApplicationsView", </span><del>- \
"org/forgerock/openam/ui/dashboard/TrustedDevicesView"
-], function(AbstractView, MyApplicationsView, TrustedDevicesView) {
</del><ins>+ "org/forgerock/openam/ui/dashboard/TrustedDevicesView",
+ "org/forgerock/openam/ui/dashboard/OAuthTokensView"
+], function(AbstractView, MyApplicationsView, TrustedDevicesView, OAuthTokensView) {
</ins><span class="cx">
</span><span class="cx"> var Dashboard = AbstractView.extend({
</span><span class="cx"> template: \
"templates/openam/DashboardTemplate.html", </span><span class="lines">@@ \
-41,6 +42,7 @@ </span><span class="cx">
</span><span class="cx"> MyApplicationsView.render();
</span><span class="cx"> TrustedDevicesView.render();
</span><ins>+ OAuthTokensView.render();
</ins><span class="cx"> });
</span><span class="cx"> }
</span><span class="cx"> });
</span></span></pre></div>
<a id="branchesAME3423openamopenamuiriasrcmainjsorgforgerockopenamuidashboardOAuthToke \
nsDelegatejsfromrev10253trunkopenamopenamuiriasrcmainjsorgforgerockopenamuidashboardOAuthTokensDelegatejs"></a>
<div class="copfile"><h4>Copied: \
branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/OAuthTokensDelegate.js \
(from rev 10253, trunk/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/OAuthTokensDelegate.js) \
(0 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/OAuthTokensDelegate.js \
(rev 0)
+++ branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/OAuthTokensDelegate.js 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -0,0 +1,55 @@
</span><ins>+/**
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright 2014 ForgeRock AS.
+ *
+ * The contents of this file are subject to the terms
+ * of the Common Development and Distribution License
+ * (the License). You may not use this file except in
+ * compliance with the License.
+ *
+ * You can obtain a copy of the License at
+ * http://forgerock.org/license/CDDLv1.0.html
+ * See the License for the specific language governing
+ * permission and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL
+ * Header Notice in each file and include the License file
+ * at http://forgerock.org/license/CDDLv1.0.html
+ * If applicable, add the following below the CDDL Header,
+ * with the fields enclosed by brackets [] replaced by
+ * your own identifying information:
+ * "Portions Copyrighted [year] [name of copyright owner]"
+ */
+
+/*global $, define, _ */
+
+define("org/forgerock/openam/ui/dashboard/OAuthTokensDelegate", [
+ "org/forgerock/commons/ui/common/util/Constants",
+ "org/forgerock/commons/ui/common/main/AbstractDelegate",
+ "org/forgerock/commons/ui/common/main/Configuration"
+], function(constants, AbstractDelegate, conf) {
+
+ var obj = new AbstractDelegate(constants.host + '/' + constants.context + \
'/frrest/'); +
+ obj.getOAuthTokens = function() {
+ return obj.serviceCall({
+ url: 'oauth2/token/?_queryId=access_token',
+ headers: {"Cache-Control": "no-cache", \
"Accept-API-Version": "protocol=1.0,resource=1.0"} + });
+ };
+
+ obj.deleteOAuthToken = function(id) {
+ return obj.serviceCall({
+ url: 'oauth2/token/' + id + '?_action=revoke',
+ type: "POST",
+ headers: {"Accept-API-Version": \
"protocol=1.0,resource=1.0"} + });
+ };
+
+
+ return obj;
+});
+
+
+
</ins></span></pre></div>
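Review bot: deleteOAuthToken builds the URL as 'oauth2/token/' + id + '?_action=revoke' without encodeURIComponent, so an id containing /, ? or # addresses a different resource or action than the one the user clicked; encode the id before concatenation. The conf dependency is imported but never used in this file and can be dropped.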
<a id="branchesAME3423openamopenamuiriasrcmainjsorgforgerockopenamuidashboardOAuthToke \
nsViewjsfromrev10253trunkopenamopenamuiriasrcmainjsorgforgerockopenamuidashboardOAuthTokensViewjs"></a>
<div class="copfile"><h4>Copied: \
branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/OAuthTokensView.js \
(from rev 10253, trunk/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/OAuthTokensView.js) \
(0 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/OAuthTokensView.js \
(rev 0)
+++ branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/OAuthTokensView.js 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -0,0 +1,65 @@
</span><ins>+/**
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright 2014 ForgeRock AS.
+ *
+ * The contents of this file are subject to the terms
+ * of the Common Development and Distribution License
+ * (the License). You may not use this file except in
+ * compliance with the License.
+ *
+ * You can obtain a copy of the License at
+ * http://forgerock.org/license/CDDLv1.0.html
+ * See the License for the specific language governing
+ * permission and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL
+ * Header Notice in each file and include the License file
+ * at http://forgerock.org/license/CDDLv1.0.html
+ * If applicable, add the following below the CDDL Header,
+ * with the fields enclosed by brackets [] replaced by
+ * your own identifying information:
+ * "Portions Copyrighted [year] [name of copyright owner]"
+ */
+
+/*global define, $, form2js, _ */
+
+define("org/forgerock/openam/ui/dashboard/OAuthTokensView", [
+ "org/forgerock/commons/ui/common/main/AbstractView",
+ "org/forgerock/openam/ui/dashboard/OAuthTokensDelegate"
+], function (AbstractView, OAuthTokensDelegate) {
+
+ var OAuthToken = AbstractView.extend({
+ template: "templates/openam/oauth2/TokensTemplate.html",
+ noBaseTemplate: true,
+ element: '#myOAuthTokens',
+ events: { 'click a.deleteToken': 'deleteToken' },
+ render: function () {
+
+ var self = this;
+ OAuthTokensDelegate.getOAuthTokens()
+ .then(function (data) {
+ self.data.tokens = data.result;
+ self.parentRender();
+ });
+ },
+
+ deleteToken: function (e) {
+ e.preventDefault();
+ var self = this;
+ OAuthTokensDelegate.deleteOAuthToken(e.currentTarget.id)
+ .then(function () {
+ console.log('Deleted access token');
+ self.render();
+ }, function () {
+ console.error("Failed to delete access token");
+ });
+ }
+ })
+ ;
+
+ return new OAuthToken();
+})
+;
+
+
</ins></span></pre></div>
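Review bot: deleteToken takes the token identifier from e.currentTarget.id, which means the template has to render each access token id into a DOM id attribute, and it reports the outcome only through console.log and console.error, so a failed revocation is invisible to a user who believes the token is gone. Surface the failure in the UI, add a rejection handler to the getOAuthTokens call in render, and consider carrying the identifier in a data attribute with a confirmation step before revoking.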
<a id="branchesAME3423openamopenamuiriasrcmainjsorgforgerockopenamuidashboardmainjs"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/main.js \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/main.js 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/dashboard/main.js 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -29,5 +29,7 @@
</span><span class="cx"> "./MyApplicationsView",
</span><span class="cx"> "./TrustedDevicesDelegate",
</span><span class="cx"> "./TrustedDevicesView",
</span><del>- "./DashboardView"
</del><ins>+ "./DashboardView",
+ "./OAuthTokensDelegate",
+ "./OAuthTokensView"
</ins><span class="cx"> ]);
</span><span class="cx">\ No newline at end of file
</span></span></pre></div>
<a id="branchesAME3423openamopenamuiriasrcmainjsorgforgerockopenamuiuserloginRESTLoginViewjs"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/RESTLoginView.js \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/RESTLoginView.js 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/RESTLoginView.js 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -36,8 +36,9 @@
</span><span class="cx"> \
"org/forgerock/commons/ui/common/util/CookieHelper", </span><span \
class="cx"> "org/forgerock/commons/ui/common/util/UIUtils", \
</span><span class="cx"> \
"org/forgerock/commons/ui/common/main/i18nManager", </span><del>- \
"org/forgerock/openam/ui/user/login/RESTLoginHelper"
-], function(AbstractView, authNDelegate, validatorsManager, eventManager, constants, \
conf, sessionManager, router, cookieHelper, uiUtils, i18nManager,restLoginHelper) { \
</del><ins>+ "org/forgerock/openam/ui/user/login/RESTLoginHelper", + \
"org/forgerock/commons/ui/common/main/SpinnerManager" +], \
function(AbstractView, authNDelegate, validatorsManager, eventManager, constants, \
conf, sessionManager, router, cookieHelper, uiUtils, i18nManager, restLoginHelper, \
spinnerManager) { </ins><span class="cx">
</span><span class="cx"> var LoginView = AbstractView.extend({
</span><span class="cx"> template: \
"templates/openam/RESTLoginTemplate.html", </span><span class="lines">@@ \
-100,7 +101,7 @@ </span><span class="cx"> \
eventManager.sendEvent(constants.EVENT_LOGIN_REQUEST, submitContent); </span><span \
class="cx"> }, </span><span class="cx"> render: function(args, \
callback) { </span><del>- var
</del><ins>+ var
</ins><span class="cx"> urlParams = {},//deserialized querystring \
params </span><span class="cx"> promise = $.Deferred();
</span><span class="cx">
</span><span class="lines">@@ -224,34 +225,34 @@
</span><span class="cx"> // attempt to load a \
stage-specific template to render this form. If not found, use the generic one. \
</span><span class="cx"> uiUtils </span><span class="cx"> \
.fillTemplateWithData("templates/openam/authn/" + reqs.stage + \
".html", </span><del>- \
_.extend(conf.globalData, this.data),
- _.bind(function (populatedTemplate) {
- if (typeof populatedTemplate === \
"string") { // a rendered template will be a string; an error will be an \
object
- this.template = \
"templates/openam/authn/" + reqs.stage + ".html";
- } else {
- this.template = this.genericTemplate;
- }
</del><ins>+ _.extend(conf.globalData, this.data),
+ _.bind(function (populatedTemplate) {
+ if (typeof populatedTemplate === \
"string") { // a rendered template will be a string; an error will be an \
object + this.template = \
"templates/openam/authn/" + reqs.stage + ".html"; + \
} else { + this.template = \
this.genericTemplate; + }
</ins><span class="cx">
</span><del>- this.data.showForgotPassword = \
false;
- this.data.showRegister = false;
- this.data.showSpacer = false;
</del><ins>+ this.data.showForgotPassword = false;
+ this.data.showRegister = false;
+ this.data.showSpacer = false;
</ins><span class="cx">
</span><del>- \
if(conf.globalData.forgotPassword === "true"){
- this.data.showForgotPassword = true;
</del><ins>+ if(conf.globalData.forgotPassword === \
"true"){ + \
this.data.showForgotPassword = true; + }
+ if(conf.globalData.selfRegistration === \
"true"){ + \
if(this.data.showForgotPassword){ + \
this.data.showSpacer = true; </ins><span class="cx"> \
} </span><del>- \
if(conf.globalData.selfRegistration === "true"){
- if(this.data.showForgotPassword){
- this.data.showSpacer = true;
- }
- this.data.showRegister = true;
- }
- this.parentRender(_.bind(function() {
- this.reloadData();
- // resolve a promise when all templates \
will be loaded
- promise.resolve();
- }, this));
- }, this)
- );
</del><ins>+ this.data.showRegister = true;
+ }
+ this.parentRender(_.bind(function() {
+ this.reloadData();
+ // resolve a promise when all templates will \
be loaded + promise.resolve();
+ }, this));
+ }, this)
+ );
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
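Review bot: `_.extend(conf.globalData, this.data)` in the fillTemplateWithData call writes this view's fields into the shared conf.globalData object on every render, and the re-indentation carries that over unchanged. Pass a fresh target, `_.extend({}, conf.globalData, this.data)`, so login-stage data does not persist in global configuration for later views. The hunk is otherwise whitespace-only; committing it separately from the functional changes would make the merge easier to audit.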
</span><span class="lines">@@ -262,13 +263,13 @@
</span><span class="cx"> this.parentRender();
</span><span class="cx"> }, this));
</span><span class="cx">
</span><del>- promise
- .done(function() {
- if (cookieHelper.getCookie('invalidRealm')) {
- cookieHelper.deleteCookie('invalidRealm');
- \
eventManager.sendEvent(constants.EVENT_DISPLAY_MESSAGE_REQUEST, \
"invalidRealm");
- }
- });
</del><ins>+ promise
+ .done(function() {
+ if (cookieHelper.getCookie('invalidRealm')) {
+ cookieHelper.deleteCookie('invalidRealm');
+ \
eventManager.sendEvent(constants.EVENT_DISPLAY_MESSAGE_REQUEST, \
"invalidRealm"); + }
+ });
</ins><span class="cx">
</span><span class="cx"> },
</span><span class="cx"> reloadData: function () {
</span><span class="lines">@@ -313,7 +314,8 @@
</span><span class="cx"> var result = "",
</span><span class="cx"> cb = this,
</span><span class="cx"> prompt,
</span><del>- options;
</del><ins>+ options,
+ hideButton;
</ins><span class="cx">
</span><span class="cx"> prompt = _.find(cb.output, function (o) { return \
o.name === "prompt"; }); </span><span class="cx"> if (prompt \
&& prompt.value !== undefined && prompt.value.length) { </span><span \
class="lines">@@ -339,7 +341,10 @@ </span><span class="cx"> \
options.type = _.find(cb.output, function (o) { return o.name === \
"messageType"; }); </span><span class="cx">
</span><span class="cx"> if (options.type.value === "4") { \
//4 is our magic number for a <script>, taken from \
ScriptTextOutputCallback.java </span><del>- result += '<script \
type="text/javascript">' + options.message.value + '</script>'; \
</del><ins>+ hideButton = \
"if(document.getElementsByClassName('button')[0] != undefined){document" + \
+ ".getElementsByClassName" + + \
"('button')[0].style.visibility = 'hidden';}"; + result \
+= "<script type='text/javascript'>" + hideButton + \
options.message.value + "</script>"; </ins><span class="cx"> \
} else { </span><span class="cx"> result += '<div \
id="callback_' + cb.input.index + '" class="textOutputCallback ' + \
options.type.value + '">' + options.message.value + '</div>'; \
</span><span class="cx"> } </span></span></pre></div>
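Review bot: the hideButton string in the messageType "4" branch hides whichever element happens to be first with class 'button', and does so for every script callback whether or not that callback wants the button hidden. Scope it to the login form's own submit control (by id or within the view's element) and do it from view code rather than by prepending generated source to the server-supplied script. The `!= undefined` test should be a strict check, and the three-way split of `document.getElementsByClassName('button')[0]` across string literals makes the injected code hard to read. Because options.message.value is still concatenated unmodified into the script element, this path continues to rely on the callback content being fully server-controlled; a comment saying so next to the magic number would help.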
<a id="branchesAME3423openamopenamuiriasrcmainresourcescssopenamdashboardless"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-ria/src/main/resources/css/openam/dashboard.less \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-ria/src/main/resources/css/openam/dashboard.less 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-ria/src/main/resources/css/openam/dashboard.less 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -46,4 +46,33 @@
</span><span class="cx"> &:nth-child(even){ background-color:#fff; }
</span><span class="cx"> &:hover{ background-color:#ffe; }
</span><span class="cx"> }
</span><ins>+
+}#oAuthTokens {
+
+ table {
+ border-collapse: collapse;
+ width:100%;
+ }
+
+ table, th {
+ border: 1px solid #ccc;
+ padding: 10px 0;
+ }
+
+ th {
+ background-color:#ddd;
+ &:last-child{ width:120px; }
+ }
+
+ td {
+ border-left: 1px solid #ccc;
+ padding: 10px;
+ &:last-child{ text-align:center; }
+ }
+
+ tr {
+ &:nth-child(odd){ background-color:#eee; }
+ &:nth-child(even){ background-color:#fff; }
+ &:hover{ background-color:#ffe; }
+ }
</ins><span class="cx"> }
</span><span class="cx">\ No newline at end of file
</span></span></pre></div>
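Review bot: `}#oAuthTokens {` closes the previous rule and opens the new one on the same line, and the tr rules that follow repeat the `&:nth-child(even)` and `&:hover` declarations visible in the context just above. Put the selector on its own line and share the table styling between the two blocks through a mixin or a combined selector, so the dashboard tables cannot drift apart. The file still ends without a trailing newline.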
<a id="branchesAME3423openamopenamuiriasrcmainresourceslocalesentranslationjson"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-ria/src/main/resources/locales/en/translation.json \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-ria/src/main/resources/locales/en/translation.json 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-ria/src/main/resources/locales/en/translation.json 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -165,7 +165,7 @@
</span><span class="cx"> },
</span><span class="cx"> "oauth": {
</span><span class="cx"> "clientID" : "Client ID",
</span><del>- "tokenList" : "Token List",
</del><ins>+ "tokenList" : "Authorized Apps",
</ins><span class="cx"> "remainingTokens" : "remaining \
tokens", </span><span class="cx"> "tokenID" : "Token \
ID", </span><span class="cx"> "expireDate" : "Expire \
Date", </span><span class="lines">@@ -349,6 +349,14 @@
</span><span class="cx"> "deleteDevice" : "Delete \
Device" </span><span class="cx"> }
</span><span class="cx"> },
</span><ins>+ "oAuth2" : {
+ "tokens" : {
+ "appName" : "Application",
+ "scope" : "Scope",
+ "expiryDate" : "Expiry Date",
+ "deleteToken" : "Revoke Access"
+ }
+ },
</ins><span class="cx"> "authentication": {
</span><span class="cx"> "input": {
</span><span class="cx"> "name": "Username",
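Review bot: the new "oAuth2" block sits beside an existing "oauth" block that already holds the strings for the same feature ("tokenList", "tokenID", "expireDate"), so the token view now reads its labels from two differently cased namespaces. Move the four new keys into the existing block or migrate the old ones, and use one casing. "expiryDate" here and "expireDate" there are near-duplicates that are easy to confuse.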
</span><span class="lines">@@ -432,4 +440,4 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> }
</span><del>-}
</del><span class="cx">\ No newline at end of file
</span><ins>+}
</ins></span></pre></div>
<a id="branchesAME3423openamopenamuiriasrcmainresourcestemplatesopenamDashboardTemplatehtml"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-ria/src/main/resources/templates/openam/DashboardTemplate.html \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-ria/src/main/resources/templates/openam/DashboardTemplate.html 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-ria/src/main/resources/templates/openam/DashboardTemplate.html 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -2,5 +2,6 @@
</span><span class="cx">
</span><span class="cx"> <div id="myApplications"></div>
</span><span class="cx"> <div id="myTrustedDevices"></div>
</span><ins>+ <div id="myOAuthTokens"></div>
</ins><span class="cx">
</span><span class="cx"> </div>
</span><span class="cx">\ No newline at end of file
</span></span></pre></div>
<a id="branchesAME3423openamopenamuiriasrcmainresourcestemplatesopenamoauth2TokensTemplatehtml"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/openam/openam-ui-ria/src/main/resources/templates/openam/oauth2/TokensTemplate.html \
(10295 => 10296)</h4> <pre class="diff"><span>
<span class="info">--- \
branches/AME-3423/openam/openam-ui-ria/src/main/resources/templates/openam/oauth2/TokensTemplate.html 2014-08-28 \
15:11:32 UTC (rev 10295)
+++ branches/AME-3423/openam/openam-ui-ria/src/main/resources/templates/openam/oauth2/TokensTemplate.html 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -1,13 +1,26 @@
</span><del>-<div id="tokens" class="content-bg">
- <h2>{{t "templates.oauth.tokenList"}}</h2>
- <table id="tokensTable" class="radious">
- <tr>
- <th width="40"><input type="checkbox" \
/></th>
- <th width="210"></th>
- <th width="210"></th>
- <th width="210"></th>
- <th width="210"></th>
- <th width="210"></th>
- </tr>
- </table>
</del><ins>+<div id="oAuthTokens">
+ {{#if tokens}}
+ <h2 class="header">{{t \
"templates.oauth.tokenList"}}</h2> + <div \
class="content-bg"> + <table>
+
+ <tr>
+ <th scope="col">{{t \
"openam.oAuth2.tokens.appName"}}</th> + <th \
scope="col">{{t "openam.oAuth2.tokens.scope"}}</th> + \
<th scope="col">{{t \
"openam.oAuth2.tokens.expiryDate"}}</th> + <th \
scope="col"></th> + </tr>
+
+ {{#each tokens}}
+ <tr>
+ <td>{{this.display_name}} </td>
+ <td>{{this.scopes}} </td>
+ <td>{{this.expireTime}} </td>
+ <td><a class="deleteToken" href="#" \
id="{{this.id}}">{{t \
"openam.oAuth2.tokens.deleteToken"}}</a></td> + \
</tr> + {{/each}}
+
+ </table>
+ </div>
+ {{/if}}
</ins><span class="cx"> </div>
</span><span class="cx">\ No newline at end of file
</span></span></pre></div>
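Review bot: `id="{{this.id}}"` on the deleteToken link places the token identifier in a DOM id attribute. If `this.id` is the token value itself rather than an opaque handle, it becomes readable from the markup by any script on the dashboard, so carry a non-secret reference in a data attribute instead and resolve it server-side on revoke. The double-brace expressions for display_name and scopes are HTML-escaped by Handlebars, which is what client-supplied names need; keep them that way. `{{this.scopes}}` and `{{this.expireTime}}` are printed without formatting, and `{{#if tokens}}` leaves the section empty with no message when the user has no tokens.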
<a id="branchesAME3423openamagents"></a>
<div class="propset"><h4>Property changes: branches/AME-3423/openam-agents</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4>Modified: svn:mergeinfo</h4></div>
<span class="cx">/branches/AME-2526-SFO-between-sites/openam-agents:7510-8258
</span><span class="cx">/branches/AME-3612-pcunnington/openam-agents:9534-9723
</span><span class="cx">/branches/AME-3719/openam-agents:9517-9879
</span><span class="cx">/branches/IIS7PostData/openam-agents:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/openam-agents:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/openam-agents:6910-6946
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/openam-agents:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/openam-agents:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/openam-agents:8747-8835
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/openam-agents:7834-7844
</span><span class="cx">/branches/ame4272/openam-agents:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/openam-agents:7508-7697
</span><span class="cx">/branches/andy-ame1316-connectionfactory/openam-agents:5311-5328
</span><span class="cx">/branches/andyOpenam1708/openam-agents:5576-5592
</span><span class="cx">/branches/andyOpenam2373/openam-agents:5600-5706
</span><span class="cx">/branches/apforrest-ame1316/openam-agents:4881-5305
</span><span class="cx">/branches/maven_merge/openam-agents:2556-3124
</span><span class="cx">/branches/mdr_javaagents_mvn/openam-agents:5293-5729
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/openam-agents:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/openam-agents:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/openam-agents:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/openam-agents:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/openam-agents:6767-6804
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/openam-agents:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/openam-agents:8476-8577
</span><span class="cx">/branches/pcunnington-AME-350/openam-agents:4165-4344
</span><span class="cx">/branches/pcunnington-ame-344/openam-agents:4651-5199
</span><span class="cx">/branches/pcunnington-oauth2/openam-agents:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/openam-agents:8314-8341
</span><span class="cx">/branches/policyimprovements/openam-agents:5513-5515
</span><span class="cx">/branches/rwapshott-AME-1739/openam-agents:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/openam-agents:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/openam-agents:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/openam-agents:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/openam-agents:6086-6319
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/openam-agents:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/openam-agents:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/openam-agents:6170-6194
</span><span class="cx">/trunk/openam-agents:10107-10111,10114-10116,10119,10129-1013 \
1,10134-10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193,10196-10201,10204,10212
</span><span class="cx"> + /branches/10.1.0-Xpress/openam-agents:3888-3892
</span><span class="cx">/branches/AME-2526-SFO-between-sites/openam-agents:7510-8258
</span><span class="cx">/branches/AME-3612-pcunnington/openam-agents:9534-9723
</span><span class="cx">/branches/AME-3719/openam-agents:9517-9879
</span><span class="cx">/branches/IIS7PostData/openam-agents:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/openam-agents:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/openam-agents:6910-6946
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/openam-agents:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/openam-agents:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/openam-agents:8747-8835
</span><span class="cx">/branches/OPENAM-4384-ssoadm-classpath/openam-agents:10263-10264
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/openam-agents:7834-7844
</span><span class="cx">/branches/ame4272/openam-agents:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/openam-agents:7508-7697
</span><span class="cx">/branches/andy-ame1316-connectionfactory/openam-agents:5311-5328
</span><span class="cx">/branches/andyOpenam1708/openam-agents:5576-5592
</span><span class="cx">/branches/andyOpenam2373/openam-agents:5600-5706
</span><span class="cx">/branches/apforrest-ame1316/openam-agents:4881-5305
</span><span class="cx">/branches/maven_merge/openam-agents:2556-3124
</span><span class="cx">/branches/mdr_javaagents_mvn/openam-agents:5293-5729
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/openam-agents:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/openam-agents:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/openam-agents:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/openam-agents:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/openam-agents:6767-6804
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/openam-agents:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/openam-agents:8476-8577
</span><span class="cx">/branches/pcunnington-AME-350/openam-agents:4165-4344
</span><span class="cx">/branches/pcunnington-ame-344/openam-agents:4651-5199
</span><span class="cx">/branches/pcunnington-oauth2/openam-agents:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/openam-agents:8314-8341
</span><span class="cx">/branches/policyimprovements/openam-agents:5513-5515
</span><span class="cx">/branches/rwapshott-AME-1739/openam-agents:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/openam-agents:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/openam-agents:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/openam-agents:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/openam-agents:6086-6319
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/openam-agents:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/openam-agents:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/openam-agents:6170-6194
</span><span class="cx">/trunk/openam-agents:10107-10111,10114-10116,10119,10129-1013 \
1,10134-10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191, \
10193,10196-10201,10204,10212,10214,10217-10218,10222,10224,10229-10230,10243-10244,10249,10251,10253-10255,10258-10259,10265,10274,10276,10282,10288
</span><a id="branchesAME3423opensso"></a>
<div class="propset"><h4>Property changes: branches/AME-3423/opensso</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4>Modified: svn:mergeinfo</h4></div>
<span class="cx">/branches/AME-3612-pcunnington/opensso:9534-9723
</span><span class="cx">/branches/AME-3719/opensso:9517-9879
</span><span class="cx">/branches/IIS7PostData/opensso:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/opensso:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/opensso:6910-6946
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/opensso:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/opensso:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/opensso:8747-8835
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/opensso:7834-7844
</span><span class="cx">/branches/allanCSDK:64-163
</span><span class="cx">/branches/ame4272/opensso:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/opensso:7508-7697
</span><span class="cx">/branches/maven_merge/opensso:2556-3124
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/opensso:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/opensso:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/opensso:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/opensso:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/opensso:6767-6804
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/opensso:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/opensso:8476-8577
</span><span class="cx">/branches/pcunnington-oauth2/opensso:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/opensso:8314-8341
</span><span class="cx">/branches/rwapshott-AME-1739/opensso:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/opensso:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/opensso:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/opensso:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/opensso:6086-6319
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/opensso:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/opensso:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/opensso:6170-6194
</span><span class="cx">/trunk/opensso:10107-10111,10114-10116,10119,10129-10131,1013 \
4-10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193,10196-10201,10204,10212
</span><span class="cx"> + /branches/AME-2526-SFO-between-sites/opensso:7510-8258
</span><span class="cx">/branches/AME-3612-pcunnington/opensso:9534-9723
</span><span class="cx">/branches/AME-3719/opensso:9517-9879
</span><span class="cx">/branches/IIS7PostData/opensso:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/opensso:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/opensso:6910-6946
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/opensso:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/opensso:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/opensso:8747-8835
</span><span class="cx">/branches/OPENAM-4384-ssoadm-classpath/opensso:10263-10264
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/opensso:7834-7844
</span><span class="cx">/branches/allanCSDK:64-163
</span><span class="cx">/branches/ame4272/opensso:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/opensso:7508-7697
</span><span class="cx">/branches/maven_merge/opensso:2556-3124
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/opensso:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/opensso:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/opensso:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/opensso:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/opensso:6767-6804
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/opensso:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/opensso:8476-8577
</span><span class="cx">/branches/pcunnington-oauth2/opensso:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/opensso:8314-8341
</span><span class="cx">/branches/rwapshott-AME-1739/opensso:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/opensso:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/opensso:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/opensso:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/opensso:6086-6319
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/opensso:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/opensso:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/opensso:6170-6194
</span><span class="cx">/trunk/opensso:10107-10111,10114-10116,10119,10129-10131,1013 \
4-10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193, \
10196-10201,10204,10212,10214,10217-10218,10222,10224,10229-10230,10243-10244,10249,10251,10253-10255,10258-10259,10265,10274,10276,10282,10288
</span><a id="branchesAME3423openssoproducts"></a>
<div class="propset"><h4>Property changes: branches/AME-3423/opensso/products</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4>Modified: svn:mergeinfo</h4></div>
<span class="cx">/branches/AME-3612-pcunnington/opensso/products:9534-9723
</span><span class="cx">/branches/AME-3719/opensso/products:9517-9879
</span><span class="cx">/branches/IIS7PostData/opensso/products:224-261
</span><span class="cx">/branches/OPENAM-2961-forgot-password-404/opensso/products:8322-8362
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/opensso/products:6910-6946
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/opensso/products:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/opensso/products:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/opensso/products:8747-8835
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/opensso/products:7834-7844
</span><span class="cx">/branches/ame4272/opensso/products:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/opensso/products:7508-7697
</span><span class="cx">/branches/j2eePostData/opensso/products:482-520
</span><span class="cx">/branches/maven_merge/opensso/products:2556-3124
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/opensso/products:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/opensso/products:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/opensso/products:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/opensso/products:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/opensso/products:6767-6804
</span><span class="cx">/branches/opends23_build002/products:132-181
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/opensso/products:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/opensso/products:8476-8577
</span><span class="cx">/branches/pcunnington-oauth2/opensso/products:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/opensso/products:8314-8341
</span><span class="cx">/branches/rwapshott-AME-1739/opensso/products:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/opensso/products:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/opensso/products:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/opensso/products:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/opensso/products:6086-6319
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/opensso/products:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/opensso/products:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/opensso/products:6170-6194
</span><span class="cx">/trunk/opensso/products:10107-10111,10114-10116,10119,10129-1 \
0131,10134-10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,10191,10193,10196-10201,10204,10212
</span><span class="cx"> + \
/branches/AME-2526-SFO-between-sites/opensso/products:7510-8258 </span><span \
class="cx">/branches/AME-3612-pcunnington/opensso/products:9534-9723 </span><span \
class="cx">/branches/AME-3719/opensso/products:9517-9879 </span><span \
class="cx">/branches/IIS7PostData/opensso/products:224-261 </span><span \
class="cx">/branches/OPENAM-2961-forgot-password-404/opensso/products:8322-8362 \
</span><span class="cx">/branches/OPENAM-3097-sessions-not-deleted/opensso/products:6910-6946
</span><span class="cx">/branches/OPENAM-3283-CTS-thread-exceptions/opensso/products:7270-7369
</span><span class="cx">/branches/OPENAM-3425-class-cast-exception/opensso/products:8333-8359
</span><span class="cx">/branches/OPENAM-3782-forgotten-password-changes/opensso/products:8747-8835
</span><span class="cx">/branches/OPENAM-4384-ssoadm-classpath/opensso/products:10263-10264
</span><span class="cx">/branches/OPENAM-OPENAM-3528-client-side-session-validation/opensso/products:7834-7844
</span><span class="cx">/branches/ame4272/opensso/products:10073-10101
</span><span class="cx">/branches/andy-ame-2227-v2/opensso/products:7508-7697
</span><span class="cx">/branches/j2eePostData/opensso/products:482-520
</span><span class="cx">/branches/maven_merge/opensso/products:2556-3124
</span><span class="cx">/branches/openam-3049-cts-reaper-connection-usage/opensso/products:6658-6745
</span><span class="cx">/branches/openam-3053-cts-tab-exception/opensso/products:6672-6721
</span><span class="cx">/branches/openam-3072-cts-configuration/opensso/products:6691-6714
</span><span class="cx">/branches/openam-3092-store-mode-error/opensso/products:6729-6733
</span><span class="cx">/branches/openam-3110-create-or-update-bug/opensso/products:6767-6804
</span><span class="cx">/branches/opends23_build002/products:132-181
</span><span class="cx">/branches/pcunnington-AME-3115-refactor/opensso/products:8348-8473
</span><span class="cx">/branches/pcunnington-AME-3158/opensso/products:8476-8577
</span><span class="cx">/branches/pcunnington-oauth2/opensso/products:8710-8793
</span><span class="cx">/branches/phcunnington-AME-3114/opensso/products:8314-8341
</span><span class="cx">/branches/rwapshott-AME-1739/opensso/products:5331-5353
</span><span class="cx">/branches/rwapshott-AME-215/opensso/products:4091-4155
</span><span class="cx">/branches/rwapshott-AME-257/opensso/products:4047-4126
</span><span class="cx">/branches/rwapshott-AME-804/opensso/products:4267-5404
</span><span class="cx">/branches/rwapshott-ame-2160-session-size/opensso/products:6086-6319
</span><span class="cx">/branches/rwapshott-openam-2198-session-resource-protection/opensso/products:5628-5824
</span><span class="cx">/branches/rwapshott-openam-2526/opensso/products:5442-5484
</span><span class="cx">/branches/rwapshott-openam-2716-cts-invalid-chars/opensso/products:6170-6194
</span><span class="cx">/trunk/opensso/products:10107-10111,10114-10116,10119,10129-1 \
0131,10134-10136,10138-10143,10146,10159-10161,10172,10174-10176,10179,10182-10185,101 \
91,10193,10196-10201,10204,10212,10214,10217-10218,10222,10224,10229-10230,10243-10244,10249,10251,10253-10255,10258-10259,10265,10274,10276,10282,10288
</span><a id="branchesAME3423openssoproductswebagentsamsourceurlcpp"></a>
<div class="modfile"><h4>Modified: \
branches/AME-3423/opensso/products/webagents/am/source/url.cpp (10295 => 10296)</h4> \
<pre class="diff"><span> <span class="info">--- \
branches/AME-3423/opensso/products/webagents/am/source/url.cpp 2014-08-28 15:11:32 \
UTC (rev 10295)
+++ branches/AME-3423/opensso/products/webagents/am/source/url.cpp 2014-08-28 \
15:42:34 UTC (rev 10296) </span><span class="lines">@@ -202,7 +202,18 @@
</span><span class="cx">
</span><span class="cx"> /* parse uri */
</span><span class="cx"> if (pathStart != uriEnd) {
</span><del>- uri = std::string(pathStart, queryStart);
</del><ins>+ std::string uriTmp = std::string(pathStart, queryStart);
+ const char *u = uriTmp.c_str();
+ char last = 0;
+ uri.reserve(uriTmp.size());
+ while (*u != '\0') {
+ // replace all consecutive '/' with a single '/'
+ if (*u != '/' || (*u == '/' && last != '/')) {
+ uri.push_back(*u);
+ }
+ last = *u;
+ u++;
+ }
</ins><span class="cx"> if (pathInfo.size() > 0) {
</span><span class="cx"> std::string uriDec;
</span><span class="cx"> std::size_t pPos = uri.rfind(pathInfo);
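Review bot: the loop appends to `uri` with push_back where the old code assigned to it, so if `uri` already holds a value when this parse runs, the new path is added after the old one; call `uri.clear()` before `uri.reserve(...)`. The condition `*u != '/' || (*u == '/' && last != '/')` reduces to `*u != '/' || last != '/'`, and walking `uriTmp.c_str()` stops at the first NUL byte, so iterate the std::string itself. The collapse is applied to the raw path ahead of the `uriDec` handling in the pathInfo branch below, so confirm whether percent-encoded slashes also need collapsing for the agent to evaluate the same path the backend will serve.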
</span><span class="lines">@@ -303,6 +314,7 @@
</span><span class="cx"> {
</span><span class="cx"> std::string retVal;
</span><span class="cx"> if(qParams.size() > 0) {
</span><ins>+ retVal.append("?");
</ins><span class="cx"> KeyValueMap::const_iterator iter = qParams.begin();
</span><span class="cx"> for(; iter != qParams.end(); ++iter) {
</span><span class="cx"> const KeyValueMap::key_type &key = \
iter->first; </span><span class="lines">@@ -328,20 +340,18 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx">
</span><del>-
</del><span class="cx"> /**
</span><span class="cx"> * Throws InternalException if the query parameter has an \
invalid format. </span><span class="cx"> */
</span><del>-void URL::splitQParams(const std::string &qparam)
-{
</del><ins>+void URL::splitQParams(const std::string &qparam) {
</ins><span class="cx"> try {
</span><del>- qParams.parseKeyValuePairString(qparam, '&', '=', icase);
</del><ins>+ qParams.parseKeyValuePairString(qparam[0] != '?' ? qparam : \
qparam.substr(1), + '&', '=', true, icase);
+ } catch (...) {
+ throw InternalException("URL::splitQParams",
+ "Invalid key value pair",
+ AM_INVALID_ARGUMENT);
</ins><span class="cx"> }
</span><del>- catch (...) {
- throw InternalException("URL::splitQParams",
- "Invalid key value pair",
- AM_INVALID_ARGUMENT);
- }
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void URL::removeQueryParameter(const std::string &key) {
</span></span></pre>
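Review bot: the bare `true` inserted before `icase` in the parseKeyValuePairString call gives no indication of what it switches on; add a comment or a named constant, and update the doc comment above splitQParams to say that a leading '?' is now accepted and stripped. `qparam[0] != '?'` is evaluated on a possibly empty string, so an explicit `!qparam.empty() &&` would make the intent clear. The `catch (...)` still turns every failure, not only a malformed pair, into "Invalid key value pair".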
</div>
</div>
<div id="footer">Copyright (c) by ForgeRock. All rights reserved.</div>
</body>
</html>
_______________________________________________
CommitOpenAM mailing list
CommitOpenAM@forgerock.org
https://lists.forgerock.org/mailman/listinfo/commitopenam