PhenixID

Auto Attribute Populator

Version: 2.7

Category: Output

Extended Category: LDAP

Action Package: Standard Actions

Description

Automatically populates an attribute with the result of an LDAP URL. Can be used to keep group membership up to date.

Parameters

Each parameter is listed with its description and an example value.

LDAP URL Attribute
Description: The attribute that contains the LDAP URLs.
Example: url

Update Attribute
Description: The attribute that receives the result of the LDAP URLs.
Example: member

Update Immediately
Description: Update immediately. true/false. Default: true.
Example: true

Replace Members (false/true)
Description: Replace the whole member value set (true), or delete only the removed members and add only the new ones (false). Requires the session attribute for member. Default: false.
Example: false

Update if Search Value is Empty (false/true)
Description: Remove all values in the update attribute if the LDAP URL returns an empty result (true); leave the attribute untouched on an empty result (false). Default: false.
Example: true

Secondary LDAP URL Attribute (Add Only)
Description: Attribute that may contain one or more LDAP URLs or static DNs whose values are always added to the search result.
Example: wbemPath

(Advanced) Query Data Source
Description: Run the LDAP query against another data source than the default one. The default data source, which holds the object being updated, is referred to as the source data source in the parameters below.
Example: OpenDJ

(Advanced) Query Data Source Matching Attribute
Description: The attribute of each object found in the query data source whose value is looked up in the source data source to resolve the source DN.
Example: samaccountname

(Advanced) Source Data Source Matching Attribute
Description: The attribute in the source data source that is matched against the value of the query data source matching attribute to resolve the source DN.
Example: uid

(Advanced) Source Data Source Search Base
Description: The search base in the source data source under which the matched objects are looked up.
Example: o=company

(Advanced) Remove Duplicate Matches (true/false)
Description: If the search result in the query data source contains more than one object with the same value in the matching attribute, keep only one of them (true) or keep all of them (false). Default: false.
Example: true

Extended Debug (false/true)
Description: Whether all entries should be dumped to the log if an error occurs.
Example: false

Use only one connection (true/false)
Description: If the same data source is used as both source and query data source and a large number of groups is populated, using a single connection for both reading and writing may run into idle-timeout (inactivity) problems. Set this to false to open a new connection for every LDAP transaction. Default: true.
Example: true

Audit Log (true/false)
Description: Whether the changes made in the LDAP directory should be written to the audit log. Default: true.
Example: false

Max No of Objects in Commit
Description: The LDAP directory may limit how many values it accepts in one commit. If the number of values to write exceeds that limit, PIP splits the write into multiple commits until all values have been committed. Default: 50000.
Example: 50000

Use Cases

Example 1: Update groups

Automatically populates an attribute with the result of an LDAP URL, here used to keep group membership up to date within a single directory.

Parameter values:

LDAP URL Attribute: url
Update Attribute: member
Update Immediately: [BLANK]
Replace Members (false/true): [BLANK]
Update if Search Value is Empty (false/true): true
Secondary LDAP URL Attribute (Add Only): wbemPath
(Advanced) Query Data Source: [BLANK]
(Advanced) Query Data Source Matching Attribute: [BLANK]
(Advanced) Source Data Source Matching Attribute: [BLANK]
(Advanced) Source Data Source Search Base: [BLANK]
(Advanced) Remove Duplicate Matches (true/false): [BLANK]
Extended Debug (false/true): [BLANK]
Use only one connection (true/false): [BLANK]
Audit Log (true/false): [BLANK]
Max No of Objects in Commit: [BLANK]

The secondary attribute can be used to nest groups. In this example the multi-valued attribute wbemPath is chosen; it holds a DN, or an LDAP query, that points out the group or groups to be added to this group's member list in addition to the query result.

For instance, populate a group object's url attribute with ldap:///DC=company,DC=local??sub?(title=developer) to make every object matching that query a member of the group.

Because the url and wbemPath values decide who becomes a member, write access to those attributes in the directory is effectively the right to grant membership in the group. Restrict that access accordingly and keep the Audit Log parameter enabled so that every membership change is recorded.

Example 2: Synchronize groups from another LDAP directory

This example uses the Auto Attribute Populator to synchronize group members from one directory into another.

The policy containing this action is started by a query against the target directory for groups that have the url attribute set, for example:

(&(objectclass=group)(url=*))

The url attribute in the target directory holds the LDAP search that matches the users in the source directory. Example:

ldap:///OU=Users,dc=company,dc=local??sub?(isMemberOf=cn=Group1,OU=Users,dc=company,dc=local)

Note that a matching user must exist in both directories. In this scenario the cn in OpenDJ equals the sAMAccountName in Active Directory. Note also that the parameter names use the opposite wording from this description: the directory whose groups are updated (Active Directory) is the source data source, and the directory the LDAP URL is executed against (OpenDJ) is the query data source.

Parameter values:

LDAP URL Attribute: url
Update Attribute: member
Update Immediately: true
Replace Members (false/true): false
Update if Search Value is Empty (false/true): true
Secondary LDAP URL Attribute (Add Only): [BLANK]
(Advanced) Query Data Source: OpenDJ
(Advanced) Query Data Source Matching Attribute: cn
(Advanced) Source Data Source Matching Attribute: sAMAccountName
(Advanced) Source Data Source Search Base: dc=company,dc=local
(Advanced) Remove Duplicate Matches (true/false): [BLANK]
Extended Debug (false/true): true
Use only one connection (true/false): true
Audit Log (true/false): [BLANK]
Max No of Objects in Commit: [BLANK]
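To make the parameter semantics concrete, the following Python model (an added example, not PhenixID code and not the action's implementation) runs an LDAP URL against constructed in-memory directories, maps the hits back to source DNs through the matching attributes as in Example 2, applies the Secondary LDAP URL Attribute from Example 1, and then derives the commits that Replace Members, Update if Search Value is Empty and Max No of Objects in Commit control. The filter evaluator covers only equality, presence and the &, | and ! operators; every directory, DN and attribute value in it is constructed for the example.

```python
"""Added example, not PhenixID code: an in-memory model of how the parameters above turn
a group's LDAP URL into member changes. All directories, DNs and values are constructed."""
from urllib.parse import unquote


def entry(**attrs):  # constructed LDAP entry: attribute names lower-cased, values as lists
    return {k.lower(): [v] if isinstance(v, str) else list(v) for k, v in attrs.items()}


def parse_ldap_url(url):
    """Split an RFC 4516 URL ldap://host/base?attrs?scope?filter into its parts."""
    scheme, _, rest = url.partition("://")
    assert scheme.lower() in ("ldap", "ldaps"), "not an LDAP URL: " + url
    host, _, rest = rest.partition("/")
    base, attrs, scope, filt = (unquote(f) for f in (rest.split("?", 3) + [""] * 4)[:4])
    return {"host": host, "base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": (scope or "base").lower(), "filter": filt or "(objectClass=*)"}


def match_filter(ent, filt):
    """Evaluate the RFC 4515 subset (a=v), (a=*), (&...), (|...), (!...)."""
    body = filt.strip()[1:-1]
    if body[0] in "&|!":
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                subs.append(body[start:i + 1])
                start = i + 1
        res = [match_filter(ent, s) for s in subs]
        return not res[0] if body[0] == "!" else {"&": all, "|": any}[body[0]](res)
    attr, _, value = body.partition("=")
    vals = [v.lower() for v in ent.get(attr.lower(), [])]
    return bool(vals) if value == "*" else value.lower() in vals


def search(directory, url):
    """DNs in `directory` (dict dn -> entry) selected by the LDAP URL."""
    u = parse_ldap_url(url)
    base, hits = u["base"].lower(), []
    for dn, ent in directory.items():
        d = dn.lower()
        in_scope = {"base": d == base, "one": d.partition(",")[2] == base,
                    "sub": d == base or d.endswith("," + base)}[u["scope"]]
        if in_scope and match_filter(ent, u["filter"]):
            hits.append(dn)
    return hits


def resolve_members(source, group_dn, url_attr="url", secondary_attr=None, query=None,
                    query_match=None, source_match=None, source_base=None):
    """Desired members; with `query`, hits are mapped back to source DNs via the matching attributes."""
    group = source[group_dn]
    found = [dn for url in group.get(url_attr.lower(), [])
             for dn in search(query if query is not None else source, url)]
    if query is not None:  # Example 2: cn in OpenDJ -> sAMAccountName in Active Directory
        keys = [k for dn in found for k in query[dn].get(query_match.lower(), [])]
        found = [dn for k in keys
                 for dn in search(source, f"ldap:///{source_base}??sub?({source_match}={k})")]
    # Secondary attribute (Add Only): static DNs or LDAP URLs are always appended.
    for v in group.get((secondary_attr or "").lower(), []):
        found += search(source, v) if v.lower().startswith("ldap") else [v]
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def plan_update(current, desired, replace=False, update_if_empty=False, max_per_commit=50000):
    """Commits moving `current` to `desired`: one replace, or delete/add batches of max_per_commit."""
    if not desired and not update_if_empty:  # empty result ignored unless the parameter is true
        return []
    if replace:
        return [("replace", list(desired))]
    cur, want = {d.lower() for d in current}, {d.lower() for d in desired}
    commits = []
    for op, values in (("delete", [d for d in current if d.lower() not in want]),
                       ("add", [d for d in desired if d.lower() not in cur])):
        for i in range(0, len(values), max_per_commit):
            commits.append((op, values[i:i + max_per_commit]))
    return commits


# Constructed data for Example 2: the group lives in AD, the URL is run in OpenDJ.
G1 = "cn=Group1,OU=Users,dc=company,dc=local"
URL = "ldap:///OU=Users,dc=company,dc=local??sub?(isMemberOf=" + G1 + ")"
OPENDJ = {
    "cn=alice,OU=Users,dc=company,dc=local": entry(cn="alice", isMemberOf=G1),
    "cn=bob,OU=Users,dc=company,dc=local": entry(cn="bob", isMemberOf=G1),
    "cn=carol,OU=Users,dc=company,dc=local": entry(cn="carol"),
}
AD_GROUP = "CN=Group1,OU=Groups,DC=company,DC=local"
AD = {
    AD_GROUP: entry(objectClass="group", url=URL, member=[
        "CN=Bob,OU=Users,DC=company,DC=local", "CN=Dave,OU=Users,DC=company,DC=local"]),
    "CN=Alice,OU=Users,DC=company,DC=local": entry(sAMAccountName="alice", title="developer"),
    "CN=Bob,OU=Users,DC=company,DC=local": entry(sAMAccountName="bob"),
    "CN=Carol,OU=Users,DC=company,DC=local": entry(sAMAccountName="carol", title="developer"),
    "CN=Dave,OU=Users,DC=company,DC=local": entry(sAMAccountName="dave"),
}


def sync_example2():  # the policy query selects the groups, then each group gets a plan
    plans = {}
    for g in search(AD, "ldap:///DC=company,DC=local??sub?(&(objectclass=group)(url=*))"):
        desired = resolve_members(AD, g, query=OPENDJ, query_match="cn",
                                  source_match="sAMAccountName", source_base="dc=company,dc=local")
        plans[g] = plan_update(AD[g].get("member", []), desired, update_if_empty=True)
    return plans
```

Calling sync_example2() yields, for CN=Group1, one delete of CN=Dave and one add of CN=Alice: Bob is already a member and stays, Dave no longer matches the URL, and Alice is new. With Replace Members set to true the model sends the whole desired set as a single replace instead; the page does not say how replace mode interacts with Max No of Objects in Commit, so the model only splits delete/add batches.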


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se