Hi,

I hope someone here has experience with Sun OpenSSO (now ForgeRock OpenAM).

I'm trying to get all groups in ActiveDirectory using the OpenSSO Client SDK in Java / JBoss EAP 5.0.

I tried the following by combining various samples and code snippets I could find on the web, but this fails and eventually logs "Memberships for identities other than Users is not allowed." The basic approach was to use AMIdentityRepository -> getRealmIdentity() -> getMemberships(IdType.GROUP) :

SSOTokenManager manager = SSOTokenManager.getInstance();
String tokenString = URLDecoder.decode(tokenID, "ISO-8859-1");
SSOToken token = manager.createSSOToken(tokenString);
if (manager.isValidToken(token)) {
    SSOToken adminToken = (SSOToken) AccessController.
        doPrivileged(AdminTokenAction.getInstance());
    AMIdentityRepository rep = new AMIdentityRepository(adminToken, "/");
    AMIdentity identity = rep.getRealmIdentity();
    Set groups = identity.getMemberships(IdType.GROUP);
}

Note I'm not trying to determine if a user is a member of a group or to retrieve a user's groups - I'm trying to get a list of ALL groups.

Any suggestions would be appreciated - thanks!

A: 

Instead of rep.getRealmIdentity() and then calling getMemberships(IdType.GROUP), use searchIdentities and getSearchResults like:

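import java.security.AccessController;
import java.util.Set;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.*;
import com.sun.identity.security.AdminTokenAction;
// Obtain the application's admin token and open the root realm's identity repository.
SSOToken token = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
AMIdentityRepository ir = new AMIdentityRepository(token, "/");
// Search for every identity of type GROUP; "*" matches all names.
IdSearchResults results = ir.searchIdentities(IdType.GROUP, "*", new IdSearchControl());
Set<AMIdentity> groups = results.getSearchResults();
for (AMIdentity group : groups) {
    logger.debug("Group Name : " + group.getName());
}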
codeblast
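
The search from the answer above, as an added example (not code from the answer or from the OpenSSO project) that bounds the query and refuses to return a truncated group list, which matters if the result feeds an access review or provisioning job. The class name `GroupLister`, the method `listGroupNames` and its parameters are hypothetical; it assumes the Client SDK is configured with application credentials so that `AdminTokenAction` can issue a token.

```java
import java.security.AccessController;
import java.util.Set;
import java.util.TreeSet;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchResults;
import com.sun.identity.idm.IdType;
import com.sun.identity.security.AdminTokenAction;

/** Hypothetical helper class; not part of the OpenSSO SDK. */
public class GroupLister {

    /** Returns the sorted names of all groups in the realm, or throws if the list is incomplete. */
    @SuppressWarnings("unchecked") // getSearchResults() returns a raw Set in older SDK versions
    public static Set<String> listGroupNames(String realm, int maxResults, int timeout)
            throws IdRepoException, SSOException {
        // Admin token issued from the SDK's configured application credentials.
        SSOToken adminToken =
            (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());

        IdSearchControl control = new IdSearchControl();
        control.setMaxResults(maxResults);     // cap the size of the directory query
        control.setTimeOut(timeout);           // units as defined by IdSearchControl.setTimeOut
        control.setAllReturnAttributes(false); // only group names are needed

        AMIdentityRepository repo = new AMIdentityRepository(adminToken, realm);
        IdSearchResults results = repo.searchIdentities(IdType.GROUP, "*", control);

        // Anything other than SUCCESS (for example SIZE_LIMIT_EXCEEDED or
        // TIME_LIMIT_EXCEEDED) means the returned set may be missing groups.
        int code = results.getErrorCode();
        if (code != IdSearchResults.SUCCESS) {
            throw new IllegalStateException("Group search incomplete, error code " + code);
        }

        Set<String> names = new TreeSet<String>();
        for (AMIdentity group : (Set<AMIdentity>) results.getSearchResults()) {
            names.add(group.getName());
        }
        return names;
    }
}
```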