Version: 2.7
Category: Output
Extended Category: LDAP
Action Package: Standard Actions
Description
Auto populate an attribute value by executing an LDAP URL. Can be used for auto updating groups.
| Parameter | Description | Example |
| --- | --- | --- |
| LDAP URL Attribute | The attribute that contains the LDAP URLs. | url |
| Update Attribute | The attribute that should contain the result from the LDAP URLs. | member |
| Update Immediately | Update immediately. true/false (Default: true) | true |
| Replace Members (false/true) | Replace all the members (true) or do a delete/add for the removed/new members (false). Requires the session attribute for member. Default: false. | false |
| Update if Search Value is Empty (false/true) | Remove all values in the attribute if the LDAP URL returns an empty result. (Default: false) | true |
| Secondary LDAP URL Attribute (Add Only) | Attribute that can contain one or more LDAP URLs or static DNs that should always be added to the search result. | wbemPath |
| (Advanced) Query Data Source | Set this if the LDAP query should be run on a data source other than the default one. | OpenDJ |
| (Advanced) Query Data Source Matching Attribute | The attribute that should be matched against the source data source to get the source DN. | samaccountname |
| (Advanced) Source Data Source Matching Attribute | The attribute that should be matched against the query data source to get the source DN. | uid |
| (Advanced) Source Data Source Search Base | The search base in the source data source to match query DNs from. | o=company |
| (Advanced) Remove Duplicate Matches (true/false) | If the search result in the query data source contains more than one object with the same value in the match attribute, all but one of the duplicate objects will be removed (true) or all objects will remain (false). Default: false. | true |
| Extended Debug (false/true) | Whether all entries should be dumped to the log if an error occurs. | false |
| Use only one connection (true/false) | If the same data source is used for both source and query, and a large number of groups are to be populated, you may get inactivity problems when using only one connection for both reading and writing data. Set this to false to create a new connection for every LDAP transaction. Default: true. | true |
| Audit Log (true/false) | Whether the changes made in the LDAP directory should be logged in the audit log. Default: true. | false |
| Max No of Objects in Commit | The LDAP directory might have a maximum number of values that it can handle in one commit. If the desired number of values is higher than the allowed maximum, PIP will make multiple commits until all values have been committed. Default: 50000. | o=company |
Use Cases
Example 1: Update groups
Auto populate an attribute value by executing an LDAP URL. Can be used for auto updating groups.
| Parameter | Value |
| --- | --- |
| LDAP URL Attribute | url |
| Update Attribute | member |
| Update Immediately | [BLANK] |
| Replace Members (false/true) | [BLANK] |
| Update if Search Value is Empty (false/true) | true |
| Secondary LDAP URL Attribute (Add Only) | wbemPath |
| (Advanced) Query Data Source | [BLANK] |
| (Advanced) Query Data Source Matching Attribute | [BLANK] |
| (Advanced) Source Data Source Matching Attribute | [BLANK] |
| (Advanced) Source Data Source Search Base | [BLANK] |
| (Advanced) Remove Duplicate Matches (true/false) | [BLANK] |
| Extended Debug (false/true) | [BLANK] |
| Use only one connection (true/false) | [BLANK] |
| Audit Log (true/false) | [BLANK] |
| Max No of Objects in Commit | [BLANK] |
The Secondary LDAP URL Attribute option can be used to nest groups. In this example we have chosen the multivalue attribute wbemPath. This attribute should contain a DN or an LDAP query that points out which group or groups should be added to this group's member list.
For instance, populate a group object's url attribute with ldap:///DC=company,DC=local??sub?(title=developer) to include all objects that match this query.
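The following added example (not PhenixID code) splits the LDAP URL from the text into its search parameters and models how the Replace Members, Update if Search Value is Empty and Max No of Objects in Commit settings shape the resulting writes. The function names are hypothetical, and continuing an oversized replace as add operations is an assumption of this sketch, not documented PIP behaviour.

```python
from urllib.parse import urlsplit, unquote

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into host, base DN, attributes, scope and filter."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # After the DN the fields are '?'-separated: attributes?scope?filter
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attrs, scope, flt = fields[:3]
    return {
        "host": parts.netloc,  # empty means the default server
        "base": unquote(parts.path.lstrip("/")),
        "attrs": [unquote(a) for a in attrs.split(",") if a],
        "scope": scope or "base",  # RFC 4516 default scope
        "filter": unquote(flt) or "(objectClass=*)",  # RFC 4516 default filter
    }

def plan_member_update(current, wanted, replace_members=False,
                       update_if_empty=False, max_per_commit=50000):
    """Return the (operation, values) commits needed to turn current into wanted."""
    current, wanted = set(current), set(wanted)
    if not wanted and not update_if_empty:
        return []  # empty search result: leave the attribute untouched
    if replace_members:
        ops = [("replace", sorted(wanted))]
    else:
        ops = [("delete", sorted(current - wanted)),
               ("add", sorted(wanted - current))]
    commits = []
    for op, values in ops:
        if op == "replace" and not values:
            commits.append(("replace", []))  # clears the attribute
        for i in range(0, len(values), max_per_commit):
            # Assumption: a replace too large for one commit continues as adds.
            step = op if i == 0 else ("add" if op == "replace" else op)
            commits.append((step, values[i:i + max_per_commit]))
    return commits

if __name__ == "__main__":
    # Constructed sample data; the URL is the one from the text above.
    print(parse_ldap_url("ldap:///DC=company,DC=local??sub?(title=developer)"))
    current = ["cn=a,o=company", "cn=b,o=company"]
    wanted = ["cn=b,o=company", "cn=c,o=company", "cn=d,o=company"]
    print(plan_member_update(current, wanted, max_per_commit=1))
```

With Update if Search Value is Empty left at false, a filter that unexpectedly matches nothing produces no commits, so a mistyped URL cannot empty the group.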
Example 2: Synchronize groups from another LDAP directory
This example uses the Auto Attribute Populator to synchronize group members from one directory to another.
The policy containing this action is initiated by a query for groups in the target directory that have the url attribute configured. Example:
(&(objectclass=group)(url=*))
The url attribute in the target directory is configured with the LDAP search that will match the users in the source directory. Example:
ldap:///OU=Users,dc=company,dc=local??sub?(isMemberOf=cn=Group1,OU=Users,dc=company,dc=local)
Please note that matching users have to exist in both directories. In this scenario cn from OpenDJ is equal to sAMAccountName in the Active Directory.
| Parameter | Value |
| --- | --- |
| LDAP URL Attribute | url |
| Update Attribute | member |
| Update Immediately | true |
| Replace Members (false/true) | false |
| Update if Search Value is Empty (false/true) | true |
| Secondary LDAP URL Attribute (Add Only) | |
| (Advanced) Query Data Source | OpenDJ |
| (Advanced) Query Data Source Matching Attribute | cn |
| (Advanced) Source Data Source Matching Attribute | sAMAccountName |
| (Advanced) Source Data Source Search Base | dc=company,dc=local |
| (Advanced) Remove Duplicate Matches (true/false) | [BLANK] |
| Extended Debug (false/true) | true |
| Use only one connection (true/false) | true |
| Audit Log (true/false) | [BLANK] |
| Max No of Objects in Commit | [BLANK] |
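As an added illustration (not PhenixID code), this dry run models the cn to sAMAccountName matching configured above and reports which OpenDJ hits would have no Active Directory counterpart and which share a match value. The entries are constructed sample data, the function name is hypothetical, and the case-insensitive comparison and keeping the first duplicate are assumptions of this sketch.

```python
# Constructed sample entries: OpenDJ is the query data source,
# Active Directory is the directory whose groups are updated.
OPENDJ_HITS = [
    {"dn": "uid=anna,ou=people,o=company", "cn": "anna"},
    {"dn": "uid=bob,ou=people,o=company", "cn": "Bob"},
    {"dn": "uid=bob2,ou=contractors,o=company", "cn": "bob"},
    {"dn": "uid=carl,ou=people,o=company", "cn": "carl"},
]
AD_USERS = [
    {"dn": "CN=Anna A,OU=Users,dc=company,dc=local", "sAMAccountName": "anna"},
    {"dn": "CN=Bob B,OU=Users,dc=company,dc=local", "sAMAccountName": "bob"},
]

def match_members(query_entries, source_entries, query_attr="cn",
                  source_attr="sAMAccountName", remove_duplicates=False):
    """Map query-directory hits to source-directory DNs; report what fails to map."""
    index = {}
    for entry in source_entries:
        index.setdefault(entry[source_attr].lower(), []).append(entry["dn"])
    members, unmatched, duplicates, seen = [], [], [], set()
    for entry in query_entries:
        key = entry[query_attr].lower()
        if key in seen:
            duplicates.append(entry["dn"])
            if remove_duplicates:
                continue  # keep only the first object per match value
        seen.add(key)
        dns = index.get(key, [])
        if not dns:
            unmatched.append(entry["dn"])  # no account in the other directory
        for dn in dns:
            if dn not in members:
                members.append(dn)
    return members, unmatched, duplicates

if __name__ == "__main__":
    members, unmatched, duplicates = match_members(OPENDJ_HITS, AD_USERS)
    print("member values:", members)
    print("no match in AD:", unmatched)
    print("duplicate match value:", duplicates)
```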
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se