OpenAM Administration Guide---笔记

一共28章，638页，预计三天多看完，现在周二下午3：33，看到周五吧
我很喜欢立flag的，哈哈哈哈
看这本书的目的，
1、在通过openAm登录后，反馈回来的信息中加入一个字断，比如id（需要根据用户返回此用户的id，因此需要了解openAM的数据存储和查询）
2、找到openAM是否具有判断用户第一次登录的功能，如果有，那么在返回的信息中加入第一次登录的标记；如果没有，那么加上这个功能
3、理解openAM中，如何使用数据目录（openDj），如果导入数据，为其他功能做准备

这本手册的主要功能如下：单点登录和认证，密码重置，帐户锁定，通过域名单点登录和联合（？？？联合啥意思）
This guide shows you how to configure, maintain, and troubleshoot OpenAM for
single sign on and authorization, password reset, account lockout, cross-domain
single sign on, and federation.

官网 https://www.forgerock.com
有文档，有安装包，有source code，有社区（https://forgerock.org），还有技术支持（花钱的吆）

好了，前言看完了，看正文
第一章 Administration Interfaces and Tools
This chapter provides a brief introduction to the web-based OpenAM console. It
also lists and describes each command-line interface (CLI) administration tool.
描述了各个命令行接口（CLI）和管理工具
In addition, OpenAM has set a cookie in your browser
that lasts until the session expires, you logout, or you close your browser.
openAM的cookie的生命周期默认为会话（session）结束时消失，如果有特殊需求，那么需要改cookie的生命周期，这个可以分别在网站里改，openAM还不知道怎么改，等看到了再补充

When you log in to the OpenAM console as a non-administrative end user, you
do not have access to the administrative console. Your access is limited to selfservice
profile pages and user dashboard.
非管理者进入时，没有进入控制台等权限，权限在selfservice profile pages 和 user dashboard可以设置

安装openAM辅助工具
我就安装了一个ssoAdminTools
关于ssoAdminTools的安装，如下
[root@openam ~]# cd ‘/root/work/environment/openamTools/SSOAdminTools’
[root@openam SSOAdminTools]# ls
legal-notices lib README.setup resources setup setup.bat template
[root@openam SSOAdminTools]# ./setup
［。。。省略打印输出］
Do you accept the license? y
OpenAM 服务器的配置文件的路径 [/root/openam]:/root/openam
调试目录 [/root/work/environment/openamTools/SSOAdminTools/debug]:/root/work/environment/openamTools/SSOAdminTools/debug
日志目录 [/root/work/environment/openamTools/SSOAdminTools/log]:/root/work/environment/openamTools/SSOAdminTools/log
在以下目录下正确设置脚本: /root/work/environment/openamTools/SSOAdminTools/openam
调试目录为 /root/work/environment/openamTools/SSOAdminTools/debug。
日志目录为 /root/work/environment/openamTools/SSOAdminTools/log。
该 tools.zip 的版本为: OpenAM 13.0.0
您的服务器实例的版本为: OpenAM 13.0.0 Build 5d4589530d (2016-January-14 21:15)

方括号里提示什么你copy什么就好，如果是在linux系统下的终端，copy命令是control＋shift＋c。

还没弄明白怎么用这个工具，感觉大体意思是可以看下面这两个页面，不过，这俩页面在我安工具之前就可以访问啊，真是日了狗了。而且不理解的是，http://openam.example.com:8080/openam/ssoadm.jsp这个页面，追自动跳转到这个网页http://openam.example.com:8080/openam/showServerConfig.jsp可以看当前的配置，但是只有第一次可以调整，第二次访问直接就进控制台，郁闷。。。
另一个个页面http://openam.example.com:8080/openam/services.jsp
可以看一些解释，关于把console配置转化为sso命令
In order to translate configuration changes made in OpenAM console to ssoadm commands, you must first match the GUI settings to service attributes used by ssoadm.

继续根据指导书进行配置，当根据1.3设置了
Procedure 1.1. To Enable ssoadm.jsp
1. Log in as OpenAM administrator, amadmin.
2. Click Configuration > Servers and Sites > Servers > URL of your server.
3. Click Advanced to display the Advanced Properties table, and then click Add.
In the text boxes that appear, include the following information, and then
click Save:
Property Name
ssoadm.disabled
Property Value
false
4. To see if the change worked, navigate to the URL of OpenAM with the /
ssoadm.jsp URI. For the aforementioned URL, you would navigate to http://
openam.example.com:8080/openam/ssoadm.jsp.
之后，访问
http://openam.example.com:8080/openam/ssoadm.jsp出现了不一样的画面
可以进行服务器的配置。

Chapter 2 Defining Authentication Services
An authentication service confirms the identity of a user or a client application.
This chapter describes how to configure authentication in OpenAM.
认证的目的是为了确认客户端的身份，这一章描述了如果在openAM里配置认证服务。

对于多个认证可以可以链接的认证链，认证链中一个认证失败就不可以通过
To successfully complete an authentication chain at least
one pass flag must have been achieved, and there must be no fail flags.

在认证链的基础上，openAM可以实现2.3 Configuring Social Authentication
如用google帐号登录等，没细看

2.4 Configuring Authentication Modules
The OpenAM console provides two places where the OpenAM administrator can
configure authentication modules:
1. Under Configuration > Authentication, you configure global attributes for the
Core Authentication module.
2. Under Realms > Realm Name > Authentication > Modules, you configure
modules for your realm.