
LDAP Attribute Scripts

Read this chapter to learn how to write a script file that, when referenced in the target address of an LDAP directory, supplies additional attributes and values to the LDAP connector.

Overview

The attributes defined in an LDAP script are typically used by Bravura Security Fabric to map generic names (meta-attributes) to real attributes on the LDAP target system.

Meta-attributes are hard-coded names that are internal to Bravura Security Fabric. They are typically used to set or reset the "status" of a user during a password reset or during an account update or create operation. For example, you can map a real directory attribute to the user's:

  • failed-login-counter or password-age meta-attribute (used for expiry purposes).

  • account-disabled meta-attribute (used to enable or disable the user).

There are two categories of attributes that can be defined in the LDAP script file: account attributes and policy attributes. Some account attributes depend on a policy attribute. For example, the next-password-change account attribute relies on the policy defined by passwordMaxAge. If the LDAP server does not update next-password-change automatically, Bravura Security Fabric must explicitly update the attribute after a successful reset or when a new user is created. Bravura Security Fabric calculates the value of next-password-change by adding the passwordMaxAge value to the current time.
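The following is an added illustration of the two ideas in this overview, the meta-attribute map and the policy-derived next-password-change value; it is example code written for this page, not Bravura Security Fabric's script format or connector code. The real attribute names in the map (loginFailures, accountLocked, passwordExpirationTime) and the assumption that passwordMaxAge is expressed in seconds are hypothetical choices for the example; substitute whatever your directory actually uses.

```python
"""Illustrative example (not Bravura Security Fabric's own script format).

Shows how a meta-attribute map is applied after a successful password reset,
and how next-password-change is derived from the passwordMaxAge policy when
the LDAP server does not maintain the expiry attribute itself.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed mapping of internal meta-attribute names to real directory attributes.
# Every real attribute name here is a hypothetical choice for this example.
META_ATTRIBUTE_MAP: Dict[str, str] = {
    "failed-login-counter": "loginFailures",
    "account-disabled": "accountLocked",
    "next-password-change": "passwordExpirationTime",
}

# LDAP GeneralizedTime in UTC, e.g. 20240331120000Z
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def format_generalized_time(t: datetime) -> str:
    """Render an aware datetime as LDAP GeneralizedTime in UTC."""
    if t.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return t.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def parse_generalized_time(value: str) -> datetime:
    """Parse the UTC GeneralizedTime form produced above back into a datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def next_password_change(now: datetime, password_max_age: Optional[int]) -> Optional[str]:
    """Compute next-password-change = now + passwordMaxAge.

    passwordMaxAge is assumed to be a number of seconds (a common LDAP
    password-policy convention, but an assumption here). A missing policy
    yields None; a non-positive age is a misconfiguration and is rejected
    rather than silently producing an already-expired password.
    """
    if password_max_age is None:
        return None
    if password_max_age <= 0:
        raise ValueError("passwordMaxAge must be a positive number of seconds")
    return format_generalized_time(now + timedelta(seconds=password_max_age))


def password_expired(next_change_value: str, now: datetime) -> bool:
    """True once the stored next-password-change time has been reached."""
    return parse_generalized_time(next_change_value) <= now


def reset_modifications(now: datetime,
                        password_max_age: Optional[int],
                        server_updates_expiry: bool) -> Dict[str, str]:
    """Build the attribute changes to write after a successful password reset.

    Meta-attribute names are translated to real attribute names through
    META_ATTRIBUTE_MAP. The expiry attribute is only written when the
    directory does not maintain it itself, so a server-managed value is
    never overwritten with a client-side guess.
    """
    mods: Dict[str, str] = {
        # clear the lockout counter so a fresh password can be used at once
        META_ATTRIBUTE_MAP["failed-login-counter"]: "0",
    }
    if not server_updates_expiry:
        next_change = next_password_change(now, password_max_age)
        if next_change is not None:
            mods[META_ATTRIBUTE_MAP["next-password-change"]] = next_change
    return mods


def account_status_modification(disabled: bool) -> Dict[str, str]:
    """Map the account-disabled meta-attribute to an LDAP boolean value."""
    return {META_ATTRIBUTE_MAP["account-disabled"]: "TRUE" if disabled else "FALSE"}


if __name__ == "__main__":
    # Constructed sample input: a reset at a fixed time with a 90-day policy.
    reset_time = parse_generalized_time("20240101120000Z")
    print(reset_modifications(reset_time, 90 * 86400, server_updates_expiry=False))
    print(account_status_modification(disabled=False))
```

The check worth keeping from this example is the `server_updates_expiry` branch: only compute and write the expiry attribute when the directory does not do it for you, and reject a zero or negative passwordMaxAge instead of stamping accounts with a time that is already in the past.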