Writing an LDAP attribute script
The LDAP attribute script is written using KVGroups. There are three primary KVGroups:
"" "" = {
"address" "" = {
...
}
"policies" "" = {
...
}
"attributes" "" = {
...
}
}The following sections describe each KVGroup.
address
The address KVGroup allows you to specify arguments for the LDAP connector, using key-value pairs.
Write the address KVGroup in the format:
"address" "" = {
"<key>" = "<value>"
...
}Note
listUniquifyObjects support implemented in Connector Pack 4.4.0.
You can include any of following keys. Each key is optional:
deleteSubs Set to true to be able to delete users that have auxiliary objects and attributes. The default value is false .
listMembersByAccount Set to true to list group memberships based on attributes in an account object instead of attributes in a group object. The default value is false .
Use in combination with the "memberAttr" and "memberidAttr" keys within the "accounts" kvgroup.
Use this option to reversely look up group memberships from account objects instead of typically from group objects. The groups (such as a group id) will instead be held within custom account attributes for the users/accounts.
Note
Adding and removing group members is currently not supported for this method when listMembersByAccount is set to true.
listUniquifyObjects Skip over duplicate records if they are encountered from multiple schemas or other configurations. The default is false .
passattr the attribute where the password is stored (Default: userpassword )
pageSupported overrides the server queried page support value. The value is either true or false . The default is true .
pageSize configures the page size limit queried from the server. The default value is 500.
pwtruncate truncates password to a set value for the verify and reset operation. After a reset operation, the user can log in with the truncated password, as well as the remaining full length password. Any password shorter than the value of pwtruncate will not be accepted.
pwhash the name of a Win32 executable program used to hash the password, or one of the following password hashing functions:
{SSHA}– Salted SHA-1 (Secure Hash Algorithm){SHA}– SHA-1 (Secure Hash Algorithm){SMD5}– Salted MD5 (Message Digest Algorithm){MD5}– MD5 (Message Digest Algorithm){CRYPT}– Unix crypt{UNIX}– Same as Unix crypt, but with a prefix of {UNIX} rather than {CRYPT}""– when set to a blank value, the password is sent to the LDAP server as plain text and it is the responsibility of the DSA to hash the password.Warning
Do not specify a password hashing function unless you are sure that it is supported by your particular LDAP system. Specifying an unsupported function will cause a new LDAP password to be invalid.
The default value is SSHA.
See Password hashing programs and scripts for more information.
pwprefix text to be appended to the pwhash
pwpostfix text to be prepended to the pwhash
verify the host name or IP address of a server to use for verifications and user listing
You can include multiple verify keys if more than one server is used.
searchDnForAttributes Set to true to use the DN for account attribute searches. This performs an unpaged search. The default value is false .
stableidAttr The attribute to use as the most stable ID that the connector will use to list from. Default value is dn .
verifyHostname Specify multiple servers in a multi-key-value pair format to verify against. If one of the servers is unavailable, it will attempt to bind to the next available server.
verifyBindOnly Set to true to verify an account’s credentials using the bind operation only. Set to false to verify using password comparison, then falling back to bind. The default value is true .
proxyAuthOnReset switch of proxy authentication on the reset operation. The value is either true or false (Default: false) .
This facilitates an administration-less reset by proxy authenticating to the users account first, before issuing a password reset. The password is then reset by the user.
mailAttr the attribute used as loading email address
The value of this attribute would be a valid attribute on LDAP directory server.
Allows the administrator to specify (override) the default mail attribute (Default: mail).
rdnAttr the attribute for group objects that exposes the ability to specify an alternate rdn attribute other than "CN" on create in order to return the correct case for DNs.
sasl applies SASL (Simple Authentication Security Layer) binding. If not specified, the option is disabled so that simple binding is applied.
This KVGroup includes a pair of keys and values:
enable If set to true, SASL binding is enabled and applied.
fastBind Applies a subset of SASL binding and applicable only when SASL binding is enabled. If both SASL and fastBind are set to true, SASL fast binding is enabled and applied.
accounts determines what user accounts are returned when requested, in the format:
"accounts" "" = { "objectClass" "person" = { "filter" = "objectClass=person" # the filter for a user search "shortidAttr" = "uid" # the login ID attribute "descAttr" = "cn" # the attribute used as the user's full name "memberAttr" = "" # The custom attribute to use to hold the group id. "memberidAttr" = "" # The attribute used to define the group member attribute, for example "cn" for a group id. } }groups determines what groups are returned when requested, in the format:
"groups" "" = { "objectClass" "groupOfUniqueNames" = { # the object class for groups. When listing groups, the object class is used to determine whether a group member is a person or a group (contained within a parent group). "filter" = "objectClass=groupOfUniqueNames" # the filter to use when listing groups "shortidAttr" = "cn" # the group ID attribute "rdnAttr" = "cn" # can be used for an alternate rdn attribute "descAttr" = "description" # the attribute used as the group's description "memberAttr" = "uniqueMember" # the attribute of a group which holds its members "memberidAttr" = "dn" # the format to identify the group memberships "managerAttr" = "owner" # The attribute for the owner of the group } }resources determines what computer server and workstation resource information are returned when requested, in the format:
"resources" "ls_compwkstn" = { # List computers as workstations "filter" = "<filter object>=<value>" # An alternate filter for workstation search "attrName" = "<LDAP attribute Name>" # This attribute is the computer # name, having a unique value to be distinguished from others "attrAdditional" "<attribute>" = { "multivalue" = "<true>|<false>" # Listed as multi-valued if set to true } "attrAdditional" "<attribute>" = { # More than one attrAdditional can # be requested to returned. ... } ... } "resource" "ls_compsvr" = { # List computers as servers. "filter" = "objectClass=computers" "attrName" = "cn" # This attribute is the computer # name, having a unique value to be distinguished from others "attrAdditional" "IPAddr" = { "multivalue" = "true" } "attrAdditional" "<attribute>" = { # More than one attrAdditional can # be requested to returned. ... } ... }
policies
The policies KVGroup provides values that are used both to interpret and to set user attribute values in order to determine or set expiry and lockout.
Policy items may be defined by mapping a meta-attribute to a real attribute on the LDAP server, or by supplying a literal value.
The contents of the policies KVGroup can include:
The base, scope, and filter key-value pairs
These key-value pairs tell the LDAP connector how to search for policy attributes. They are required if any of the meta-attributes map to actual attributes.
Nested KVGroups for meta-attributes that map to actual attributes
Nested KVGroups for meta-attributes that map to literal values
Write the policies KVGroup in the format:
"policies" "" = {
"base" = "<search base>"
"scope" = "<search scope>"
"filter" = "<search filter>"
"attribute" "<meta-attribute>" = {
"attribute" = "<attribute>" # value obtained from the server
"type" = "<type>"
}
...
"attribute" "meta-attribute" = {
"value" = "<literal value>" # literal value
"type" = "<type>"
}
...
}Where:
base is the DN for the starting point of the search scope is the scope of the search
The scope is one of:
base – search only the entry specified by the base key
onelevel – search only the immediate children of the entry specified by the base key
subtree – search the base and all of its descendants
filter is the search filter to use attribute (key-value pair) is the name of an actual attribute on the LDAP server
You can only specify one of attribute or value.
value is the literal value for the meta-attribute
You can only specify one of attribute or value.
type is a string representing the attributes’ "type". See attribute types.
The policies that you can define are:
passwordMaxAge the amount of time before a password automatically expires
passwordMaxFailure gives the number of failures before intruder lockout occurs
For example, If the value is 3, then intruder lockout happens on the 3rd failed attempt.
accountUnlockTime when an account is intruder locked, accountUnlockTime specifies the time interval after which the account is automatically unlocked
attributes
The attributes KVGroup maps generic names (meta-attributes) to real attributes on the target system. The exception to this is Bravura Security Fabric 's shortidAttr, which is always hard-coded to the LDAP target's "cn" attribute.
The contents of the attributes group is a series of nested KVGroups that define the mapping. The key of a nested group is the name of a meta-attribute. The key name is the name of an actual attribute on the LDAP target.
Write the attributes KVGroup in the format:
"attributes" "" = {
"<meta-attribute>" "<actual attribute>" = {
"type" = "<type>"
"autochecked" = "<true|false>"
"autochanged" = "<true|false>"
"string-true" = "<true boolean value>" # for string type
"string-false" = "<false boolean value>" # for string type
"string-attr" = "<attribute>"
"string-value" = "<value>"
"mod-value" = "<value>"
"mod-true" = "<add|delete>"
"mod-false" = "<add|delete>"
"reverse" = "<true|false>" # apply logical 'not' to boolean values
# for all types
"access" = "<read, write or all>"
"prefix" = "<prefix>"
}
...
}Where:
type is a string representing the attribute’s type. See attribute types {LDAP}
autochecked tells Bravura Security Fabric whether or not the LDAP server automatically checks the attribute
Set the value to true if the LDAP server automatically checks the attribute on LDAP bind operations. Set the value to false if the Bravura Security Fabric connector must explicitly check the attribute.
autochanged tells Bravura Security Fabric whether or not the LDAP server automatically updates the attribute
Set the value to true if the LDAP server automatically updates the attribute on password reset operations. Set the value to false if the Bravura Security Fabric connector must explicitly update the attribute.
string-true specifies how the target represents true , for example y or yes .
string-false specifies how the target represents false, for example n or no .
string-attr is a string attribute used to copy or move its value into an attribute using mod-value.
string-value holds any string value, used by mod-value to modify an attribute.
mod-value allows an existing attribute to be modified.
Set the value to add to add an attribute with string-value or replace (default) to replace the attribute with string-value .
Set the value to copy or move to copy or move the value from string-attr to the attribute.
Set the value to delete to remove an attribute containing string-value . To remove all the values in the attribute, use delete-all-values .
The r eplace option provides a workaround unlock mechanism for Oracle DSEE.
mod-true and mod-false tells whether to modify an existing attribute.
Set the value to add if you want to append a new value to the attribute. Set the value to delete to remove a value from the attribute. This is dependent on the values defined in string-true or string-false .
Generally, mod-true should be set to add, and mod-false should be set to delete.
reverse changes the logical operation for boolean values. This can be used to apply the boolean values to Bravura Security Fabric operations; for example, a target system switch "administratively blocked" can be reversed to apply to the Bravura Identity isenabled operation.
access indicates whether the attribute is used to read, write, or read and write the status of a meta attribute.
prefix the DN (Distinguished Name) of the object in which the attribute exists
Normally, attributes are in the User object and the prefix value should be blank ("").
You can include any of the following meta-attribute groups:
password-expired a Boolean attribute that directly states whether a password is expired
next-password-change a timestamp attribute that specifies when the password expires
last-password-change a timestamp attribute that specifies when the password was last changed
account-disabled a Boolean attribute that specifies if the account is disabled
invalid-logins-counter an integer attribute specifying the number of consecutive failed login attempts
account-locked a Boolean attribute that specifies if the account is locked
account-lock-reset a timestamp attribute that specifies when intruder lockout is automatically removed.
operation-per/operation-pre/operation-post a string attribute that sets a custom attribute during an operation. With the exception of operation-post , these are triggered prior to executing the operation.
Use operation-per for reset operations. For all other operations, use operation-pre and operation-post.
attribute Allows to be able to configure customized attribute configurations.
The example below for dspwsuserlink will expose special encoding and decoding for the Binary attribute. The dspswuserlink is treated as a GUID attribute and will decode the binary value as a GUID type when listing and encode the attribute back into binary format as Base 64 on a create or update.
The example below for telephoneNumber shows how to represent auxiliary attributes within relative DNs under an account or group DN. The object (such as a user for example) will have an auxiliary object designated by the value for " prefix ", in this case "cn=Home Address ". It will then have an objectClass for the required set of custom auxiliary attributes. The value for "attribute" is the actual attribute name on the LDAP server. The value for " targetAttr " is the attribute name that is added as an account attribute on the Bravura Security Fabric server for a target system level override attribute.
Example:
"attributes" "" = {
"account-locked" "some-arbitrary-attr" = {
"type" = "STRING"
"autochecked" = "false"
"autochanged" = "false"
"string-true" = ""
"string-false" = "ACTIVATED"
# "reverse" = "true"
"prefix" = ""
}
"password-expired" "expiry-attr" = {
"prefix" = ""
"type" = "STRING"
"mod-true" = "add"
"mod-false" = "delete"
"string-true" = "NOEXPIRE"
"string-false" = "NOEXPIRE"
"autochecked" = "true"
"autochanged" = "false"
}
"operation-per" "accountunlocktime" = {
"operation" = "unlock"
"type" = "STRING"
"mod-value" = "delete-all-values"
"prefix" = ""
}
"attribute" "dspswuserlink" = {
"type" = "GUID"
}
"attribute" "telephoneNumber" = {
"objectClass" = "address"
"prefix" = "cn=Home Address"
"targetAttr" = "homeTelephoneNumber"
}
}attribute types
Types are used in both the attributes and policies KVGroups. The valid type strings are:
INTEGER an integer type
STRING a string type
BOOLEAN a Boolean type
YYYYMMDDHHMMSS generalized time in the server’s local time zone
YYYYMMDDHHMMSSZ generalized time in the UTC time zone
YYYYMMDDHHMMSS.0Z generalized time in the UTC time zone with explicit fractional seconds of zero.
UNIXSECOND timestamp in seconds since the Unix epoch UNIXDAY timestamp in days since the Unix epoch
DAY time interval in days
HOUR time interval in hours
MINUTE time interval in minutes SECONDS time interval in seconds
FILETIME contains a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
Note
Type strings are case insensitive; you can use string or STRING.