
attributes

The attributes KVGroup maps generic names (meta-attributes) to real attributes on the target system. The exception to this is Bravura Security Fabric's shortidAttr, which is always hard-coded to the LDAP target's "cn" attribute.

The contents of the attributes group is a series of nested KVGroups that define the mapping. Each nested group carries two quoted strings: the first (the group's key) is the name of a meta-attribute, and the second is the name of the actual attribute on the LDAP target.

Write the attributes KVGroup in the format:

  "attributes" "" = {
     "<meta-attribute>" "<actual attribute>" = {
       "type" = "<type>"
       "autochecked" = "<true|false>"
       "autochanged" = "<true|false>"
       "string-true" = "<true boolean value>" # for string type
       "string-false" = "<false boolean value>" # for string type
       "string-attr" = "<attribute>"
       "string-value" = "<value>"
       "mod-value" = "<value>"
       "mod-true" = "<add|delete>"
       "mod-false" = "<add|delete>"
       "reverse" = "<true|false>" # apply logical 'not' to boolean values
                                  # for all types
       "access" = "<read, write or all>"
       "prefix" = "<prefix>"
     }
     ...
  }

Where:

  • type is a string naming the attribute's type. See the attribute types for the LDAP target.

  • autochecked tells Bravura Security Fabric whether or not the LDAP server automatically checks the attribute

    Set the value to true if the LDAP server automatically checks the attribute on LDAP bind operations. Set the value to false if the Bravura Security Fabric connector must explicitly check the attribute.

  • autochanged tells Bravura Security Fabric whether or not the LDAP server automatically updates the attribute

    Set the value to true if the LDAP server automatically updates the attribute on password reset operations. Set the value to false if the Bravura Security Fabric connector must explicitly update the attribute.

  • string-true specifies how the target represents true, for example y or yes.

  • string-false specifies how the target represents false, for example n or no.

  • string-attr names the source attribute whose value is copied or moved into this attribute when mod-value is copy or move.

  • string-value holds the literal value that mod-value adds, replaces or deletes.

  • mod-value allows an existing attribute to be modified.

    Set the value to add to add an attribute with string-value or replace (default) to replace the attribute with string-value .

    Set the value to copy or move to copy or move the value from string-attr to the attribute.

    Set the value to delete to remove an attribute containing string-value . To remove all the values in the attribute, use delete-all-values .

    The replace option provides a workaround unlock mechanism for Oracle DSEE.

  • mod-true and mod-false specify how an existing attribute is modified when the meta-attribute is set to true or false, respectively.

    Set the value to add to append a new value to the attribute, or to delete to remove a value from it. The value appended or removed is the one defined in string-true (for mod-true) or string-false (for mod-false).

    Generally, mod-true should be set to add, and mod-false should be set to delete.

  • reverse applies a logical not to the Boolean value, so that a target attribute with the opposite sense can drive a Bravura Security Fabric operation; for example, a target system flag meaning "administratively blocked" can be reversed to serve the Bravura Identity isenabled operation.

  • access indicates whether the attribute is used to read, write, or read and write the status of a meta attribute.

  • prefix is the (relative) DN of the object that holds the attribute.

    Normally, attributes are in the User object itself and the prefix value should be blank ("").
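As an added illustration (not part of the original page and not connector code), the following Python models the read and write side of a Boolean mapping as described above. ACCOUNT_LOCKED copies the account-locked entry from the example at the end of this page; ACCOUNT_DISABLED is a constructed presence-flag mapping on nsAccountLock (a real Oracle DSEE / 389 DS attribute, but the mapping itself is ours, not one the page documents). The rules for an absent attribute, for string-true equal to string-false, and for reverse on writes are our reading of the descriptions, not documented connector behaviour.

```python
from typing import Dict, List, Optional, Tuple

# Two mapping entries flattened to dicts.  ACCOUNT_LOCKED copies the account-locked
# entry from the example at the end of this page; ACCOUNT_DISABLED is constructed:
# a presence flag on nsAccountLock (a real DSEE / 389 DS attribute, but this mapping
# is ours, not one the page documents).
ACCOUNT_LOCKED = {
    "ldap_attr": "some-arbitrary-attr",
    "string-true": "", "string-false": "ACTIVATED", "reverse": False,
}
ACCOUNT_DISABLED = {
    "ldap_attr": "nsAccountLock",
    "string-true": "true", "string-false": "true",
    "mod-true": "add", "mod-false": "delete", "reverse": False,
}


def read_boolean(entry: Dict[str, List[str]], cfg: dict) -> Optional[bool]:
    """Decode a Boolean meta-attribute from an LDAP entry given as {attribute: [values]}.

    Assumptions (our reading of the page, not connector internals): a missing attribute
    behaves like the single value "", so string-true = "" matches an absent attribute;
    when string-true and string-false are the same value the attribute is a presence
    flag (present -> True, absent -> False); a value matching neither representation
    is reported as None rather than silently treated as False.
    """
    values = entry.get(cfg["ldap_attr"]) or [""]
    if cfg["string-true"] == cfg["string-false"]:
        result = cfg["string-true"] in values
    elif cfg["string-true"] in values:
        result = True
    elif cfg["string-false"] in values:
        result = False
    else:
        return None
    return (not result) if cfg.get("reverse") else result


def write_boolean(new_value: bool, cfg: dict) -> Optional[Tuple[str, str, str]]:
    """Return the LDAP modification (operation, attribute, value) that sets the
    meta-attribute, or None if the mapping has no mod-true/mod-false (read-only).

    mod-true is applied to string-true and mod-false to string-false; reverse is
    assumed to apply symmetrically to writes.
    """
    if "mod-true" not in cfg or "mod-false" not in cfg:
        return None
    if cfg.get("reverse"):
        new_value = not new_value
    side = "true" if new_value else "false"
    return (cfg["mod-" + side], cfg["ldap_attr"], cfg["string-" + side])
```

With the page's account-locked entry an absent attribute decodes as locked and the value ACTIVATED as not locked; uncommenting reverse in that entry flips both. Values the mapping does not describe come back as None so a misconfigured string-true/string-false pair is visible instead of being read as "not locked".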

You can include any of the following meta-attribute groups:

  • password-expired a Boolean attribute that directly states whether a password is expired

  • next-password-change a timestamp attribute that specifies when the password expires

  • last-password-change a timestamp attribute that specifies when the password was last changed

  • account-disabled a Boolean attribute that specifies if the account is disabled

  • invalid-logins-counter an integer attribute specifying the number of consecutive failed login attempts

  • account-locked a Boolean attribute that specifies if the account is locked

  • account-lock-reset a timestamp attribute that specifies when intruder lockout is automatically removed.

  • operation-per/operation-pre/operation-post a string attribute that sets a custom attribute during an operation. With the exception of operation-post , these are triggered prior to executing the operation.

    Use operation-per for reset operations. For all other operations, use operation-pre and operation-post.

  • attribute configures a customized mapping for an arbitrary LDAP attribute.

    The dspswuserlink example below applies special encoding and decoding to a binary attribute: the attribute is treated as a GUID, so its binary value is decoded as a GUID when listing and encoded back into binary (Base64) on create or update.

    The telephoneNumber example below shows how to represent auxiliary attributes within relative DNs under an account or group DN. The object (a user, for example) has an auxiliary object designated by the value of "prefix", in this case "cn=Home Address", which carries the objectClass that defines the required set of custom auxiliary attributes. The value of "attribute" is the actual attribute name on the LDAP server. The value of "targetAttr" is the attribute name that is added as an account attribute on the Bravura Security Fabric server for a target system level override attribute.

Example:

  "attributes" "" = {
     "account-locked" "some-arbitrary-attr" = {
       "type" = "STRING"
       "autochecked" = "false"
       "autochanged" = "false"
       "string-true" = ""
       "string-false" = "ACTIVATED"
  #    "reverse" = "true"
       "prefix" = ""
     }
     "password-expired" "expiry-attr" = {
       "prefix" = ""
       "type" = "STRING"
       "mod-true" = "add"
       "mod-false" = "delete"
       "string-true" = "NOEXPIRE"
       "string-false" = "NOEXPIRE"
       "autochecked" = "true"
       "autochanged" = "false"
     }
     "operation-per" "accountunlocktime" = {
       "operation" = "unlock"
       "type" = "STRING"
       "mod-value" = "delete-all-values"
       "prefix" = ""
     }
     "attribute" "dspswuserlink" = {
       "type" = "GUID"
     }
     "attribute" "telephoneNumber" = {
       "objectClass" = "address"
       "prefix" = "cn=Home Address"
       "targetAttr" = "homeTelephoneNumber"
     }
  }
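To check a mapping before deploying it, the following Python parser and validator (an added example, not Bravura Security Fabric code) reads the KVGroup syntax used above and then checks each nested group's values against the permitted values listed on this page. SAMPLE is a constructed input modelled on the example above, with two deliberate mistakes in its second entry (mod-true set to replace, and mod-value copy without a string-attr). The permitted-value table reflects the field descriptions on this page; the "copy/move need string-attr" rule is derived from the description of mod-value.

```python
import re
from collections import namedtuple

Leaf = namedtuple("Leaf", "key value")           # "type" = "STRING"
Group = namedtuple("Group", "key name entries")  # "account-locked" "some-arbitrary-attr" = { ... }

_TOKEN = re.compile(r'\s+|#[^\n]*|"([^"]*)"|([={}])')  # whitespace and # comments yield no token

def tokenize(text: str) -> list:
    pos, out = 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:
            out.append(("str", m.group(1)))
        elif m.group(2) is not None:
            out.append(("sym", m.group(2)))
    return out

def parse(text: str) -> list:
    """Parse KVGroup text into its top-level Group/Leaf entries; ValueError on bad syntax."""
    toks, pos = tokenize(text), 0

    def take(kind, value=None):
        nonlocal pos
        if pos >= len(toks):
            raise ValueError(f"unexpected end of input, wanted {value or kind}")
        k, v = toks[pos]
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        pos += 1
        return v

    def entry():
        key = take("str")
        name = take("str") if pos < len(toks) and toks[pos][0] == "str" else None
        take("sym", "=")
        if pos < len(toks) and toks[pos] == ("sym", "{"):
            take("sym", "{")
            return Group(key, name or "", entries(nested=True))
        if name is not None:
            raise ValueError(f"plain value {key!r} cannot carry a second name")
        return Leaf(key, take("str"))

    def entries(nested):
        out = []
        while pos < len(toks) and toks[pos] != ("sym", "}"):
            out.append(entry())
        if nested:
            take("sym", "}")  # end of input here means an unclosed group
        elif pos < len(toks):
            raise ValueError("closing brace without a matching opening brace")
        return out

    return entries(nested=False)

_ALLOWED = {  # permitted values, taken from the field descriptions on this page
    "autochecked": {"true", "false"}, "autochanged": {"true", "false"}, "reverse": {"true", "false"},
    "mod-true": {"add", "delete"}, "mod-false": {"add", "delete"}, "access": {"read", "write", "all"},
    "mod-value": {"add", "replace", "copy", "move", "delete", "delete-all-values"},
}

def check_attributes(group) -> list:
    """Return the problems found in an 'attributes' group (empty list if it is clean)."""
    if not isinstance(group, Group) or group.key != "attributes":
        return ["top-level entry is not an 'attributes' group"]
    problems = []
    for e in group.entries:
        if isinstance(e, Leaf):
            problems.append(f"{e.key}: expected a nested group, found a plain value")
            continue
        where = f"{e.key} {e.name!r}"
        if not e.name:
            problems.append(f"{where}: LDAP attribute name is empty")
        leaves = {l.key: l.value for l in e.entries if isinstance(l, Leaf)}
        for k, v in leaves.items():
            if k in _ALLOWED and v not in _ALLOWED[k]:
                problems.append(f"{where}: {k}={v!r} not in {sorted(_ALLOWED[k])}")
        mv = leaves.get("mod-value")  # copy/move take their source from string-attr
        if mv in ("copy", "move") and "string-attr" not in leaves:
            problems.append(f"{where}: mod-value={mv} needs string-attr")
    return problems

# Constructed sample: modelled on the page's example, with two deliberate mistakes in the second entry.
SAMPLE = '''
"attributes" "" = {
   "account-locked" "some-arbitrary-attr" = {
     "string-true" = ""
     "string-false" = "ACTIVATED"
#    "reverse" = "true"
   }
   "password-expired" "expiry-attr" = {
     "mod-true" = "replace"
     "mod-value" = "copy"
   }
}
'''
```

Running check_attributes(parse(SAMPLE)[0]) reports the two planted mistakes and nothing for the account-locked entry; the commented-out reverse line is dropped by the tokenizer, so a value left commented out never reaches the validator. A nested group whose second quoted string is missing parses with an empty LDAP attribute name and is flagged, which is the usual symptom of a forgotten attribute name.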