Hello to everybody

I have implemented IBM SDS 6.4 like authentication tool for Portal Server 8.5 (yes old version, bussines). Security has asked me to get some information from the admin users such as:

• creation date
• last access
• role
• id
• status

I have tested Server audit log but I have not find all the information requested. 

My questions is how to get such information using only SDS, not cognos or another tool.

Thank you for your help.

regards

------------------------------
Ismael Gutierrez E
IT Consutant Senior

Please, stay safe!
Take care of you and your loved ones.
------------------------------

Let me take a shot at this - although I am convinced that the expectations from Security is not going to be fulfilled...
So let me explain that first - when looking at how you portal is authenticating/authorization it is the portal that defines some of the attributes e.g. id/role/status and maps that to some back-end system- in your case an ldap server - so you need to have that knowledge to answer some of the questions.

So let's answer the easy ones :

• creation date is stored as an operation attribute createtimestamp - to read this you need to mention it explicitly as an attribute on your ldapsearch operation
• last access is a little tricky - what does that mean - last bind or what - you need to make this clear to your Security folks - but assuming you can map this to a last bind look here : https://www.ibm.com/docs/en/sdse/6.4.0?topic=administering-last-successful-authentication-time-stamp-plug-in
• role is also not very accurate - but normally this would mean group membership - you get that from the operational attribute ibm-Allgroups - take a look here (although it is for the z/OS version it also applies to 6.4 distributed...) : https://www.ibm.com/docs/en/zos/2.1.0?topic=examples-querying-group-membership
• id - this depends on the setup in your portal - normally that would either be you RDN or an attribute - SDS supports advanced ways with unique value attributes (start here and check the next chapters also https://www.ibm.com/docs/en/sdse/6.4.0?topic=security-bind-unique-attribute-value ) - normally the cn or uid are used as ID attributes - but as said this is defined in the Portal
• status - what is meant here ? If you have implemented a password policy this should help you : https://www.ibm.com/docs/en/sdse/6.3.0?topic=SSVJJU_6.3.0/com.ibm.IBMDS.doc/admin_gd533.htm - again this is using operational attributes...

In general it seems that the policies have not been considered when setting up your portal - that is unfortunate because doing this as an afterthought is not optimal and MAY require changes to you setup. I normally would go for a combination of ISDS audit log with a well defined audit level combined with the attributes as outlined above - but nothing of this is working out without also having the using application (here you portal) in the loop...

HTH

------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
------------------------------

Original Message:
Sent: Fri October 08, 2021 08:01 PM
From: Ismael Gutierrez
Subject: How to get information from Security Directory Server 6.4 users

Hello to everybody

I have implemented IBM SDS 6.4 like authentication tool for Portal Server 8.5 (yes old version, bussines). Security has asked me to get some information from the admin users such as:

• creation date
• last access
• role
• id
• status

I have tested Server audit log but I have not find all the information requested. 

My questions is how to get such information using only SDS, not cognos or another tool.

Thank you for your help.

regards

------------------------------
Ismael Gutierrez E
IT Consutant Senior

Please, stay safe!
Take care of you and your loved ones.
------------------------------