Version: 1.7
Category: Output
Extended Category: LDAP
Action Package: Extended Actions
Description
This action adds the current object as a member of, or removes it from, the LDAP objects whose DNs are contained in the incoming session object. The action relies on a session attribute holding those objects (as DN strings) being present in the session when the action is triggered.
Parameter | Description | Value |
--- | --- | --- |
Session Attribute Containing DN Objects | [Mandatory] Attribute of the incoming session object which contains, for example, DNs of Active Directory groups. | member |
DN Location | [Optional] The session attribute where the DN of the object that becomes the member is stored. Leave blank to retrieve the DN from the session object name. | distinguishedName |
LDAP Object MemberOf Attribute | [Optional] The LDAP memberOf attribute (on a user, for instance) of the incoming session object which contains, for example, DNs of Active Directory groups. Default value=memberOf | groupMembership |
LDAP Object Member Attribute | [Optional] The LDAP member attribute (on a group, for instance) where the DNs of member objects (users, for instance) are stored. Default value=member | uniqueMember |
Check if Member is MemberOf of Object (true/false) | [Optional] Check whether the object that becomes the member already is a member of the target object. If false, no check is performed and the object is added (or removed) directly; the directory may complain if the membership already exists (or does not exist). Default value=true | false |
Alternative Data Source | [Optional] Use an alternative LDAP data source instead of the policy’s default database. | My Active Directory |
LDAP Directory | [Optional] LDAP directory other than Active Directory. Example: Type ‘eDirectory’ for eDirectory or ‘STANDARD’ for any other LDAP directory than Microsoft Active Directory. Default value=AD | eDirectory |
Add or Remove Member from Object (add/remove) | [Optional] Defines whether the object should be added to or removed from the container objects. The default value ‘add’ adds members; ‘remove’ removes members. Default value=add | remove |
Read Member Attribute Once Only (true/false) | [Optional] Set to ‘true’ if the object with the member attribute (containing groups, for example) should only be read once. Keep the default setting ‘false’ if user templates are used (several objects containing different groups). Default value=false | true |
Use Cases
Example 1 – LDAP User Becoming Member of LDAP Groups
A user is supposed to become a member of a couple of groups to get permissions to some of the company’s IT systems.
A typical LDAP search (or any other way of getting this information into the session) is used to find the object (in this case in Active Directory) that contains the information about the user’s upcoming group affiliation.
In this case “memberOf” is read, which contains the DN strings pointing to the groups that the user will become a member of. In the example, the DN strings are stored in the session attribute SESSIONMemberOf.
Used Session Attributes:
Session Attribute | Value |
--- | --- |
SESSIONMemberOf | cn=groupobj,ou=groups,dc=company,o=local cn=groupname,ou=city,dc=company,o=local |
Used settings:
Parameter | Value |
--- | --- |
Session Attribute Containing DN Objects | SESSIONMemberOf |
Result: The user becomes a member of the given groups.
Example 2 – User Object From a SQL Data Source Becoming Member of LDAP Groups
A user is supposed to become a member of a couple of groups to get permissions to some of the company’s IT systems.
A typical SQL query is used to find the object that contains the information about the user’s upcoming group affiliation.
In this case “memberOf” has to be populated in some way with DN strings of the LDAP group objects that the user will become a member of.
In the example, the DN strings are stored in the session attribute SESSIONMemberOf.
Since the policy doesn’t have a default LDAP connection, the LDAP destination directory has to be configured in Alternative Data Source.
Used Session Attributes:
Session Attribute | Value |
--- | --- |
SESSIONMemberOf | cn=groupobj,ou=groups,dc=company,o=local cn=groupname,ou=city,dc=company,o=local |
SESSIONDistinguishedName | cn=user,ou=users,dc=company,o=local |
Used settings:
Parameter | Value |
--- | --- |
Session Attribute Containing DN Objects | SESSIONMemberOf |
DN Location | SESSIONDistinguishedName |
Alternative Data Source | My Active Directory |
Result: The user becomes a member of the given groups.
Example 3 – Remove LDAP Users from LDAP Groups
A user is supposed to be removed from a couple of groups to get rid of permissions to some of the company’s IT systems.
A typical LDAP search (or any other way of getting this information into the session) is used to find the object (in this case in Active Directory) that contains the information about the user’s current group affiliation.
In this case “memberOf” is read, which contains the DN strings pointing to the groups that the user will be removed from. In the example, the DN strings are stored in the session attribute SESSIONMemberOf.
Used Session Attributes:
Session Attribute | Value |
--- | --- |
SESSIONMemberOf | cn=groupobj,ou=groups,dc=company,o=local cn=groupname,ou=city,dc=company,o=local |
Used settings:
Parameter | Value |
--- | --- |
Session Attribute Containing DN Objects | SESSIONMemberOf |
Add or Remove Member from Object (add/remove) | remove |
Result: The user’s membership of the given groups is removed.
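The following simulation is an added example, not PhenixID’s code: it models the add/remove logic described by the parameter table and by Examples 1–3 against a small constructed in-memory directory, so it runs offline without an LDAP server. The class, function and constant names (MemberAction, example_1_add, SAMPLE_DIRECTORY, and so on) are this example’s own, and the sample DNs are the ones used in the examples above. It shows the two behaviours a practitioner most needs to reason about: how the member DN is resolved (session object name versus DN Location) and how the membership check turns a redundant add or remove into a skip instead of a directory error.

```python
# Added example (not PhenixID's code): simulates the member add/remove logic
# described by the parameter table and Examples 1-3 against an in-memory
# directory, so it runs offline. Class and function names are hypothetical.
from copy import deepcopy
from dataclasses import dataclass

USER_DN = "cn=user,ou=users,dc=company,o=local"
GROUPOBJ_DN = "cn=groupobj,ou=groups,dc=company,o=local"
GROUPNAME_DN = "cn=groupname,ou=city,dc=company,o=local"

# Constructed sample directory: DN -> {attribute: [values]}. Attribute names are
# stored lowercase because LDAP attribute names are case-insensitive.
SAMPLE_DIRECTORY = {
    USER_DN: {"distinguishedname": [USER_DN], "memberof": [GROUPOBJ_DN]},
    GROUPOBJ_DN: {"member": [USER_DN]},   # the user is already a member here
    GROUPNAME_DN: {"member": []},
}

def fresh_directory():
    """Return a private copy of the sample directory so each run starts clean."""
    return deepcopy(SAMPLE_DIRECTORY)

@dataclass
class MemberAction:
    """One parameter set of the action; the field names are this example's own."""
    session_attr: str                  # Session Attribute Containing DN Objects [Mandatory]
    dn_location: str = ""              # DN Location; blank = use the session object name
    memberof_attr: str = "memberOf"    # LDAP Object MemberOf Attribute
    member_attr: str = "member"        # LDAP Object Member Attribute
    check_membership: bool = True      # Check if Member is MemberOf of Object
    mode: str = "add"                  # Add or Remove Member from Object (add/remove)

    def run(self, session_name, session, directory):
        """Apply the action to `directory` and return the changes made as
        (group_dn, operation, member_dn) tuples. Everything is validated before
        the directory is touched, so a bad DN cannot leave a half-applied change."""
        if self.mode not in ("add", "remove"):
            raise ValueError("Add or Remove Member from Object must be 'add' or 'remove'")
        group_dns = session.get(self.session_attr)
        if not group_dns:
            raise ValueError(f"session attribute {self.session_attr!r} is missing or empty")
        if isinstance(group_dns, str):      # accept a single DN as well as a list
            group_dns = [group_dns]
        member_dn = session[self.dn_location] if self.dn_location else session_name
        missing = [dn for dn in [member_dn, *group_dns] if dn not in directory]
        if missing:
            raise LookupError(f"objects not found in directory: {missing}")

        member_key, memberof_key = self.member_attr.lower(), self.memberof_attr.lower()
        back_links = directory[member_dn].setdefault(memberof_key, [])
        changes = []
        for group_dn in group_dns:
            members = directory[group_dn].setdefault(member_key, [])
            # A redundant operation is adding an existing member or removing a non-member.
            redundant = (self.mode == "add") == (member_dn in members)
            if redundant:
                if self.check_membership:
                    continue            # check enabled: skip silently, as the table describes
                raise ValueError(       # check disabled: the directory "may complain"
                    f"directory rejected redundant {self.mode} of {member_dn} on {group_dn}")
            if self.mode == "add":
                members.append(member_dn)
                back_links.append(group_dn)
            else:
                members.remove(member_dn)
                if group_dn in back_links:
                    back_links.remove(group_dn)
            changes.append((group_dn, self.mode, member_dn))
        return changes

def example_1_add(directory):
    """Example 1: DNs from SESSIONMemberOf; the member DN is the session object name."""
    session = {"SESSIONMemberOf": [GROUPOBJ_DN, GROUPNAME_DN]}
    return MemberAction(session_attr="SESSIONMemberOf").run(USER_DN, session, directory)

def example_2_sql_source(directory):
    """Example 2: the session came from SQL, so DN Location names the attribute holding the DN."""
    session = {"SESSIONMemberOf": [GROUPOBJ_DN, GROUPNAME_DN], "SESSIONDistinguishedName": USER_DN}
    action = MemberAction(session_attr="SESSIONMemberOf", dn_location="SESSIONDistinguishedName")
    return action.run("sql-row-42", session, directory)   # the session name is not a DN here

def example_3_remove(directory):
    """Example 3: the same session data with the mode switched to remove."""
    session = {"SESSIONMemberOf": [GROUPOBJ_DN, GROUPNAME_DN]}
    return MemberAction(session_attr="SESSIONMemberOf", mode="remove").run(USER_DN, session, directory)

if __name__ == "__main__":
    for example in (example_1_add, example_2_sql_source, example_3_remove):
        print(example.__name__, example(fresh_directory()))
```

With the check enabled, Example 1 only adds the user to groupname (the user is already in groupobj), and Example 3 only removes groupobj (the user was never in groupname); with the check disabled, the same redundant operations raise, which is the behaviour the parameter table warns about. Passing memberof_attr="groupMembership" and member_attr="uniqueMember" reproduces the eDirectory settings from the table without any other change.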
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se