
Possible outdated information

PLEASE NOTE: This page may be out of date and could contain inaccuracies. In future it may be significantly revised or removed altogether.

Using the ssoadm command

Have you ever been frustrated by the ssoadm command? You know how to change a setting in the GUI, but how can you set the property on the command line? This document tells you how!

Updating a global attribute using ssoadm

First you need to determine the setting you want to change. In this example, let's say we want to change the maximum session time.

Is it a global attribute?

If the attribute is a global attribute then it is shown under the Configuration tab and not under the Access Control tab.

If we log in to the OpenAM console and navigate to Configuration >> Global >> Session, we see the service defaults for the Session service.

Dynamic attributes shown under the configuration tab are the default values for this service. If you have not associated a service with a realm then these are the values that will be used by OpenAM.

So we want to change the default Maximum Session Time attribute value to 240. To use the ssoadm command to do this we need to know the internal name of the attribute within OpenAM. This is a simple process, if you know how.

Find the correct service

In the console we can see that this service is called Session so we can use that as our starting point. We need to find the following information before we can run the ssoadm command.

  • The name of the service where the attribute is stored.
  • The name of the attribute we want to update.

What does OPENAM_DEPLOY_DIR mean?

Replace this with the path to where you have deployed OpenAM. For example: /Users/steve/tomcat6/webapps/openam.

First, let's match the name of the service in the console to the service's properties file. The properties file will lead us to the information we require.

$ cd OPENAM_DEPLOY_DIR/WEB-INF/classes
$ grep Session *.properties | grep description
amSession.properties:iplanet-am-session-service-description=Session

This determines that the name of the service definition file is amSession. The OpenAM service definition files are stored in the same directory as the properties files.

Find the correct attribute

Now that we have found the correct service to search, we need to find the specific attribute. Search the properties file for the attribute's console label, Maximum Session Time in our example.

$ grep "Maximum Session Time" amSession.properties
a101=Maximum Session Time

The result, a101, is the attribute's i18n key. To find the internal name of the attribute, run another grep command, this time against the service definition file.

meere:classes steve$ grep -a5 -b5 a101 amSession.xml
10463-    <Dynamic>
10477-        <AttributeSchema name="iplanet-am-session-max-session-time"
10545-            type="single"
10571-            syntax="number_range"
10605-            rangeStart="1" rangeEnd="2147483647"
10654:            i18nKey="a101">
10682-            <DefaultValues>
10710-                <Value>120</Value>
10745-            </DefaultValues>
10774-        </AttributeSchema>
10801-                <AttributeSchema name="iplanet-am-session-max-idle-time"

The attribute name is iplanet-am-session-max-session-time. The final piece of information we need is the name of the service, so it is time for another grep command.

$ grep "Service name=" amSession.xml
    <Service name="iPlanetAMSessionService" version="1.0">

So the service name is iPlanetAMSessionService, and armed with this information we can run the ssoadm command.

Run the ssoadm command

Run the ssoadm command as usual.

$ ./ssoadm set-attr-defs -u amadmin -f ./passwd -s iPlanetAMSessionService -t dynamic \
    -a "iplanet-am-session-max-session-time=240"

What does the -t flag mean?

This tells ssoadm which section of the service definition the attribute resides in; from the console we have global, organization (meaning realm) and dynamic.
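
The lookup steps above can be scripted. The following shell function is an added example, not part of the original page or of OpenAM: it resolves the console labels to the service name, the schema section (the -t value) and the attribute name. The function names, the sample files, and the assumption that global and organization attributes sit under <Global> and <Organization> elements (the page only shows <Dynamic>) are this example's own.

```sh
#!/bin/sh
# Added example (not OpenAM code): resolve_attr CLASSES_DIR SERVICE_LABEL ATTR_LABEL
# prints "<service name> <schema section> <attribute name>" for use with ssoadm.
resolve_attr() {
    dir=$1
    # Step 1: properties file whose *-description value is the service label.
    props=$(awk -F= -v l="$2" \
        '$1 ~ /-description$/ && $2 == l { print FILENAME; exit }' "$dir"/*.properties)
    [ -n "$props" ] || { echo "service label not found: $2" >&2; return 1; }
    # Step 2: i18n key whose value is the attribute label (a101 on this page).
    key=$(awk -F= -v l="$3" '$2 == l { print $1; exit }' "$props")
    [ -n "$key" ] || { echo "attribute label not found: $3" >&2; return 1; }
    # Step 3: walk the service XML until an open <AttributeSchema> tag has the key.
    awk -v k="$key" '
        function attr(s) { match(s, /name="[^"]*"/); return substr(s, RSTART + 6, RLENGTH - 7) }
        /<Service name=/ { svc = attr($0) }
        # Assumption: <Global> and <Organization> mirror the <Dynamic> element.
        match($0, /<(Global|Organization|Dynamic)>/) {
            section = tolower(substr($0, RSTART + 1, RLENGTH - 2)) }
        /<AttributeSchema / { name = attr($0); intag = 1 }
        intag && index($0, "i18nKey=\"" k "\"") { print svc, section, name; hit = 1; exit }
        intag && />/ { intag = 0 }
        END { exit !hit }
    ' "${props%.properties}.xml"
}

# Constructed sample files based on the excerpts above; the a102 key and its
# label are invented so the lookup has a second attribute to skip.
make_sample() {
    printf '%s\n' 'iplanet-am-session-service-description=Session' \
        'a101=Maximum Session Time' 'a102=Maximum Idle Time' > "$1/amSession.properties"
    cat > "$1/amSession.xml" <<'EOF'
<Service name="iPlanetAMSessionService" version="1.0">
  <Dynamic>
    <AttributeSchema name="iplanet-am-session-max-session-time"
        type="single" syntax="number_range"
        i18nKey="a101">
    </AttributeSchema>
    <AttributeSchema name="iplanet-am-session-max-idle-time"
        type="single" i18nKey="a102">
    </AttributeSchema>
  </Dynamic>
</Service>
EOF
}

sample=$(mktemp -d) && make_sample "$sample"
resolve_attr "$sample" "Session" "Maximum Session Time"
rm -rf "$sample"
```

Against a real deployment, pass OPENAM_DEPLOY_DIR/WEB-INF/classes as the first argument and feed the three printed values to the -s, -t and -a options.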

Updating a realm attribute using ssoadm

If we wanted to perform exactly the same action on the same attribute, but at the realm level, we would follow the same steps as shown above to determine the name of the service and the name of the attribute. Only the ssoadm command is different.

$ ./ssoadm set-realm-svc-attrs -u amadmin -f ./passwd -e /test -s iPlanetAMSessionService \
    -a "iplanet-am-session-max-session-time=240"

This will set the attribute on the Session service in the test sub-realm. The / indicates the test sub-realm is directly beneath the top-level realm.
