I only want to install OpenAM, so I am installing it via an Ansible script (Github link). I used the OpenAM 14 snapshot from the Maven repository. However, after the script runs successfully, I cannot log in with the credentials amAdmin / password.
I rechecked and set the variables as follows.
Please let me know if I need to do anything else.
The target machine shows no sign of errors, but the login fails.
I looked at the embedded LDAP that was created. I have not found the user amAdmin there.
The code is taken directly from the GitHub repository published by ForgeRock, but I have stripped it down to run only OpenAM. Please find the task/main.yml file below. All dependent files can be assumed to be in GitHub. Currently it connects to an external LDAP and creates the embedded LDAP. The script succeeds during the run.
```yaml
- file: path="{{ install_root }}" owner="{{ fr_user }}" state="directory"
- file: path={{ install_root }}/openam owner={{ fr_user }} state="directory"

- name: Create staging directory
  file: path=/var/staging state=directory owner={{ fr_user }} mode=0777

- name: Download openam snapshot
  shell: 'wget http://maven.forgerock.org/repo/releases/org/forgerock/openam/openam-server/12.0.0/openam-server-12.0.0.war -O /var/staging/openam.war creates=/var/stag$
  register: openam_downloaded

- name: Deploy war to tomcat
  command: creates="{{ tomcat_openam_dir }}/webapps/openam" cp "{{ staging_dir }}/openam.war" "{{ tomcat_openam_dir }}/webapps/openam.war"

- name: copy service from openam to init.d to install it as service
  template: src=openam.service dest="/etc/init.d/openam.service" mode=0777

- name: Updates all the release candidate as defaults
  shell: 'update-rc.d openam.service defaults'
  register: allRC_Updated

- file: path="{{ install_root }}" owner="{{ fr_user }}" state="directory"
- file: path={{ install_root }}/openam owner={{ fr_user }} state="directory"

- name: Ensure openam tomcat instance is running
  service: name="openam.service" state=restarted enabled=yes

- name: Wait for openam war to be fully deployed before running configurator
  wait_for: port="{{ openam_server_port }}" delay=10

- wait_for: port={{ openam_server_port }} delay=30

- name: Run ssoconfigure
  ssoconfigure: server_url="http://{{ openam_fqdn }}:{{ openam_server_port }}"
                deployment_uri="/openam"
                base_dir="{{ install_root }}/openam"
                directory_server="{{ embedded_dj_host }}"
                root_suffix="o=openam"
                directory_admin_port="{{ embedded_dj_admin_port }}"
                directory_jmx_port="{{ embedded_dj_jmx_port }}"
                directory_port="{{ embedded_dj_ldap_port }}"
                ds_dirmgrdn="{{ embedded_dj_dirmgr }}"
                data_store="embedded"
                ds_dirmgrpasswd="{{ embedded_dj_password }}"
                userstore_ssl="SIMPLE"
                userstore_host="{{ opendj_host }}"
                userstore_port="{{ opendj_ldap_port }}"
                userstore_suffix="{{ opendj_basedn }}"
                userstore_mgrdn="{{ opendj_dirmgr }}"
                userstore_passwd="{{ opendj_password }}"
                amldapuserpasswd="{{ amldapuser_password }}"
                cookie_domain="{{ openam_cookie_domain }}"
                admin_pwd="{{ amadmin_password }}"
                acceptlicense="true"
                am_enc_key="AQICY6Za5J5noktyqnhW10JiPVNUdKuiZYwS"
                lb_site_name="sitea"
                lb_primary_url="{{ openam_site_url }}"

- file: recurse=yes state=directory owner="{{ fr_user }}" path="{{ install_root }}" mode=0775
```
I have added one more role, called ssoadm (task/main.yml), from the ForgeRock GitHub location, as shown below. I ran both roles on the same machine. I see no change.
```yaml
- file: name="{{ install_root }}/ssoadmin" owner={{ fr_user }} state=directory

- name: Download ssoadmintools snapshot
  shell: 'wget http://maven.forgerock.org/repo/releases/org/forgerock/openam/openam-distribution-ssoadmintools/12.0.0/openam-distribution-ssoadmintools-12.0.0.zip -O /$
  register: ssoadmintools_downloaded

- unarchive: src={{ staging_dir }}/ssoadmintools.zip dest="{{ install_root }}/ssoadmin" copy=no
- file: path="{{ install_root }}/ssoadmin" owner="{{ fr_user }}" mode=0777 recurse=yes

- name: setup ssoadm tools
  command: chdir={{ install_root }}/ssoadmin {{ install_root }}/ssoadmin/setup -p {{ install_root }}/openam --acceptLicense
  environment:
    JAVA_HOME: /opt/java/oracle/jdk1.7.0_71

- template: src=ssoadm-patch dest="{{ install_root }}/ssoadmin/openam/bin/" mode=0755 owner={{ fr_user }}
- command: chdir="{{ install_root }}/ssoadmin/openam/bin" ./ssoadm-patch
- file: recurse=yes state=directory owner="{{ fr_user }}" path="{{ install_root }}/ssoadmin" mode=0775
```
Answer 0: (score: 0)
Which cookie domain did you use for the installation? In the Ansible script the cookie domain is specified in a property called "openam_cookie_domain". You can also see which cookie domain is set by going to "openam/json/serverinfo/*". ".amazonaws.com" is classified as a top-level domain, so the cookie cannot be set. If the OpenAM server cannot set the cookie properly, authentication fails.
The best option is to use a completely different domain (i.e. ".example.com"); otherwise you can use the Amazon instance FQDN ("ec2-XXX.compute1.amazonaws.com") as your cookie domain.
Answer 1: (score: 0)
When running OpenAM in the Amazon cloud you have to use host-based cookies (remove all cookie domains from the platform service), because Amazon's domains are listed as public suffixes (see https://publicsuffix.org/list/public_suffix_list.dat), so the browser has to drop the cookies set by OpenAM.
You need to install ssoadm and use:
ssoadm -u amadmin -f PATH_TO_PWDFILE remove-attr-defs -s iPlanetAMPlatformService -t global -a iplanet-am-platform-cookie-domains
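Both answers come down to the same check: a browser silently drops a cookie whose Domain attribute is a public suffix, so an SSO cookie scoped to ".amazonaws.com" never reaches OpenAM and every login looks like a failure. The following script is an added example, not code from the question, the answers or the ForgeRock playbooks. It applies the browser's rules to a configured cookie domain: reject a public suffix, reject a domain that does not cover the server host, and otherwise accept it, and it works out the widest parent domain that is still usable (which, for an EC2 hostname, is none, so only a host-only cookie works). The public-suffix entries embedded here are a constructed subset of the Public Suffix List without its wildcard and exception rules, and the sample serverinfo response is constructed, with the "domains" field assumed for the endpoint named in answer 0.

```python
"""Check whether an OpenAM cookie domain will be accepted by browsers.

Added example (not from the original post). Mirrors the browser rule that a
cookie whose Domain attribute is a public suffix is rejected, which is why an
SSO cookie scoped to ".amazonaws.com" never comes back to OpenAM.
"""
import json
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed subset of Public Suffix List style entries, enough for this
# example. The real list (https://publicsuffix.org) is much longer and also
# carries wildcard ("*.") and exception ("!") rules, which are ignored here.
PUBLIC_SUFFIXES = {
    "com",
    "amazonaws.com",
    "compute.amazonaws.com",
    "compute-1.amazonaws.com",
}


def normalize(domain: str) -> str:
    """Lower-case and strip the leading dot browsers ignore in Domain=."""
    return domain.strip().lower().strip(".")


def is_public_suffix(domain: str) -> bool:
    return normalize(domain) in PUBLIC_SUFFIXES


def classify_cookie_domain(host: str, cookie_domain: Optional[str]) -> str:
    """Say what a browser on `host` does with a cookie carrying `cookie_domain`.

    An empty cookie domain means a host-only cookie, which is always accepted
    for the issuing host (the 'host-based cookie' of answer 1).
    """
    host = normalize(host)
    if not cookie_domain or not normalize(cookie_domain):
        return "host-only"
    domain = normalize(cookie_domain)
    if is_public_suffix(domain):
        return "rejected: public suffix"
    # RFC 6265 domain-match: the domain must equal the host or be a parent of it.
    if domain != host and not host.endswith("." + domain):
        return "rejected: does not cover host"
    return "ok"


def widest_usable_domain(host: str) -> Optional[str]:
    """Return the widest parent domain of `host` that is not a public suffix.

    Walks from the rightmost label inwards and stops at the first usable
    candidate; returns None when every parent is a public suffix, in which
    case only a host-only cookie can work.
    """
    labels = normalize(host).split(".")
    for i in range(len(labels) - 1, 0, -1):
        candidate = ".".join(labels[i:])
        if not is_public_suffix(candidate):
            return candidate
    return None


def audit_serverinfo(serverinfo_json: str, server_url: str) -> Dict[str, str]:
    """Classify every cookie domain reported by openam/json/serverinfo/*.

    The "domains" field is an assumption about the response shape; an empty
    or missing list is treated as host-only cookies.
    """
    host = urlparse(server_url).hostname or ""
    info = json.loads(serverinfo_json)
    domains = info.get("domains") or []
    if not domains:
        return {"": "host-only"}
    return {d: classify_cookie_domain(host, d) for d in domains}


# Constructed sample response, shaped like the serverinfo endpoint is assumed to answer.
SAMPLE_SERVERINFO = json.dumps({
    "cookieName": "iPlanetDirectoryPro",
    "domains": [".amazonaws.com"],
})

if __name__ == "__main__":
    url = "http://ec2-1-2-3-4.compute-1.amazonaws.com:8080/openam"
    for domain, verdict in audit_serverinfo(SAMPLE_SERVERINFO, url).items():
        print(f"{domain or '<host-only>'}: {verdict}")
    print("widest usable domain:", widest_usable_domain(urlparse(url).hostname))
```

Run it against the JSON returned by your own serverinfo endpoint and the server URL you used for ssoconfigure; a "rejected" verdict on the configured domain is the symptom described in both answers, and the fix is either the ssoadm command above (host-only cookies) or a cookie domain under a name you control, such as ".example.com".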