PhenixID

PSD1199 – Use data on the logged in user to list users in an external LDAP

Fact

  • PhenixID Identity Manager (PIM)
  • PSD1152 – Manage objects based on attributes from other objects
    • Tab External filter to IM Web & Predefined Search
  • PSD1085 – Search, edit or create objects in an external LDAP directory
    • Tab External filter to Predefined Search

Overview

Use attribute values from a PIM logged in user in one LDAP directory to find and list users in another LDAP.
Let's say that you are an admin (e.g. demo/LarsF) in one LDAP (e.g. demo) with a value in the attribute businessCategory that should be used to match all students (e.g. LDAP2/AgnetaStudent) with the same value in carLicense in another directory (e.g. LDAP2). See screenshot below.

To accomplish this we will:

  1. Configure MultiDB so you can search in another LDAP (e.g. LDAP2).
  2. Extract an attribute value from the logged in user and use it in the search filter against that LDAP.

Solution

This instruction uses configuration from PSD1152 and PSD1085 respectively and combines them into a new solution.

Configure MultiDB for the other LDAP directory

Configure the MultiDB external LDAP as instructed in PSD1085 heading 1, 1.1 & 1.2. In our scenario this gives access to the students in LDAP2.

Add external filter included in PSD1152

Download and implement the filter as instructed in PSD1152 heading 4 & 5.

Add the two filters to the Predefined search

  1. Open IM Configurator
  2. Open or create a Predefined search.
  3. Click Tools – Tab External Filters
  4. Add filter name psd.LinkedLDAPQueryPDSearchFilter
  5. Add filter name filter.ExternalSearch
  6. NOTE! The order of the filters is important: psd.LinkedLDAPQueryPDSearchFilter must come before filter.ExternalSearch, as listed above. See screenshot below.
  7. Click OK
  8. Save and close the form.

Configure the filter to extract a value from logged in user

In our scenario you need to extract the value of businessCategory from the logged in user. To do this we will use psd.LinkedLDAPQueryPDSearchFilter together with MyDN (if you would like to know more about MyDN, please read PSD1145).

In your predefined search form, add the four controls described below.

Control 1 – preSearchFilter
1. Add a text field control to the search
2. Type preSearchFilter in Attribute name: and Title:
3. In Default Value: add (for this use case) the value distinguishedName=MyDN.
   This will find the logged in user object in the internal LDAP.
4. Tick the check boxes for the parameters Hidden and Display Only
5. See screenshot below

Control 2 – preSearchAttributes
1. Add a text field control to the search
2. Type preSearchAttributes in Attribute name: and Title:
3. In Default Value: add (for this use case) the value businessCategory.
   businessCategory holds (in this use case) the school of the logged in user in the internal LDAP.
4. Tick the check boxes for the parameters Hidden and Display Only
5. See screenshot below

Control 3 – preSearchBase
1. Add a text field control to the search
2. Type preSearchBase in Attribute name: and Title:
3. In Default Value: add (for this use case) the search base of the LDAP of the logged in user (in this case demo).
4. Tick the check boxes for the parameters Hidden and Display Only
5. See screenshot below

Configure the filter to search in other LDAP

Control 4 – connection
1. Add a text field control to the search
2. Type connection in Attribute name: and Title:
3. In Default Value: add (for this use case) the value LDAP2.
   LDAP2 is (in this use case) the name given in the MultiDB parameter MULTIDB_1_NAME when configuring the external LDAP in PSD1085 heading 1.1; the value in this control must match that name exactly.
4. Tick the check boxes for the parameters Hidden and Display Only
5. See screenshot below

The value LDAP2 must be the same as the MULTIDB_1_NAME property in DSEditor.properties for the MultiDB LDAP. See PSD1085, where this was configured, if you have missed it. Below are the properties for this use case as an example. Note that MULTIDB_1_ADMINPWD is stored in clear text in this file, so restrict read access to the file to the account running PIM, and keep MULTIDB_DEBUG=true only while troubleshooting.

MULTIDB_1_NAME=LDAP2
MULTIDB_1_HOST=127.0.0.1
MULTIDB_1_PORT=53079
MULTIDB_1_SSL=false
MULTIDB_1_ADMINDN=CN=admin,DC=LDAP2,DC=local
MULTIDB_1_ADMINPWD=admin_password
MULTIDB_DEBUG=true

Configure the Optional SearchFilter

  1. Open IM Configurator and your predefined search
  2. Click Tools – Tab Properties
  3. Add in Optional SearchFilter the filter for this use case:
    (&(objectclass=person)(carLicense=[businessCategory]))
    • carLicense is the matching attribute on the objects in the External LDAP that we want listed by this Predefined Search
    • businessCategory is the attribute defined earlier (preSearchAttributes), read from the logged in user in the Internal LDAP; the [businessCategory] placeholder is replaced by that value before the search runs
    • Because the value is inserted into the search filter, make sure businessCategory in the Internal LDAP can only be set by administrators and does not contain LDAP filter special characters such as ( ) * and \
  4. Use a Search base based on your environment in the External LDAP.
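The whole chain above, as an added example that is not PhenixID code and does not reproduce the internal logic of psd.LinkedLDAPQueryPDSearchFilter or filter.ExternalSearch (which the article does not show): the two directories are constructed in-memory stand-ins, the control names, connection name and filter template are taken from this article, and the filter evaluator only understands an AND of equality clauses. The article does not say whether PIM escapes the substituted value, so the example escapes it explicitly per RFC 4515; the businessCategory value containing parentheses shows why the substituted value must be treated as data and not as filter syntax.

```python
"""Two-stage linked LDAP query, modelled in memory.

Stage 1 resolves the logged-in user (preSearchFilter distinguishedName=MyDN)
and reads preSearchAttributes; stage 2 substitutes those values into the
Optional SearchFilter and runs it against the MultiDB connection named by
the 'connection' control. All directory data below is constructed.
"""
import re

# Constructed stand-in for the internal LDAP ("demo") the admin logs in to.
# Attribute names are stored lower-cased, values as lists, as in LDAP.
INTERNAL_LDAP = {
    "cn=LarsF,ou=users,dc=demo,dc=local": {
        "objectclass": ["person"],
        "cn": ["LarsF"],
        "businesscategory": ["School A (north)"],
    },
}

# Constructed stand-in for the external LDAP, registered under the name
# given by MULTIDB_1_NAME=LDAP2 in DSEditor.properties.
EXTERNAL_LDAP = {
    "cn=AgnetaStudent,ou=students,dc=LDAP2,dc=local": {
        "objectclass": ["person"], "cn": ["AgnetaStudent"],
        "carlicense": ["School A (north)"],
    },
    "cn=BoStudent,ou=students,dc=LDAP2,dc=local": {
        "objectclass": ["person"], "cn": ["BoStudent"],
        "carlicense": ["School B"],
    },
    "cn=Printer7,ou=devices,dc=LDAP2,dc=local": {
        "objectclass": ["device"], "cn": ["Printer7"],
        "carlicense": ["School A (north)"],  # not a person: must be excluded
    },
}
MULTIDB_CONNECTIONS = {"LDAP2": EXTERNAL_LDAP}

# The four hidden controls and the Optional SearchFilter from the article.
PREDEFINED_SEARCH = {
    "preSearchFilter": "distinguishedName=MyDN",
    "preSearchAttributes": ["businessCategory"],
    "preSearchBase": "dc=demo,dc=local",
    "connection": "LDAP2",
    "optionalSearchFilter": "(&(objectclass=person)(carLicense=[businessCategory]))",
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value: \\XX hex pairs back to characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def pre_search(my_dn: str, attributes: list) -> dict:
    """Stage 1: resolve MyDN in the internal LDAP and read preSearchAttributes."""
    entry = INTERNAL_LDAP.get(my_dn)
    if entry is None:
        raise LookupError(f"logged-in user {my_dn} not found in internal LDAP")
    return {attr: list(entry.get(attr.lower(), [])) for attr in attributes}


def build_filter(template: str, values: dict) -> str:
    """Replace each [attr] placeholder with the escaped single value of attr."""
    def substitute(match):
        attr = match.group(1)
        vals = values.get(attr, [])
        if len(vals) != 1:
            raise ValueError(f"{attr} must have exactly one value, got {vals}")
        return escape_filter_value(vals[0])
    return re.sub(r"\[([A-Za-z0-9;-]+)\]", substitute, template)


def search(directory: dict, ldap_filter: str) -> list:
    """Stage 2 (toy evaluator): an AND of exact equality clauses only."""
    match = re.fullmatch(r"\(&((?:\([^()]+\))+)\)", ldap_filter)
    if match is None:
        raise ValueError("only (&(attr=value)...) filters are supported here")
    clauses = [c.split("=", 1) for c in re.findall(r"\(([^()]+)\)", match.group(1))]
    hits = []
    for dn, entry in directory.items():
        if all(unescape_filter_value(v) in entry.get(a.lower(), []) for a, v in clauses):
            hits.append(dn)
    return hits


def linked_search(my_dn: str, config: dict = PREDEFINED_SEARCH) -> list:
    """Run both stages and return the DNs the Predefined Search would list."""
    directory = MULTIDB_CONNECTIONS.get(config["connection"])
    if directory is None:  # 'connection' must equal a MULTIDB_n_NAME value
        raise ValueError(f"no MultiDB connection named {config['connection']!r}")
    values = pre_search(my_dn, config["preSearchAttributes"])
    ldap_filter = build_filter(config["optionalSearchFilter"], values)
    return search(directory, ldap_filter)


if __name__ == "__main__":
    print(linked_search("cn=LarsF,ou=users,dc=demo,dc=local"))
```

Running the script lists only AgnetaStudent: the printer shares the carLicense value but fails the objectclass clause, and BoStudent belongs to another school. If the escaping step is removed, a businessCategory value of `*` would turn the filter into `(carLicense=*)` and list every person in LDAP2, which is why the value read from the logged in user must never be pasted into the filter unescaped.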

Conclusion

The Predefined Search should now fetch the value of the businessCategory attribute from the logged in user in the Internal LDAP,
match it against any user with the same value in the carLicense attribute in the External LDAP,
and finally present a list of the matched users from the External LDAP.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se