IBM Verify

  • 1.  ISAM Java API - How to change userId or move password to another user.

    Posted Thu July 09, 2020 12:55 PM
    Good afternoon

    We need to update the user ID keeping the same password. How could I accomplish that using ISAM Java API?

    - Creating a new account transferring the encrypted password from the old one to the new one. OR
    - Updating the userId for the existing account.

    One of both would be great. 

    Thank you

    ------------------------------
    Marcelo Godois
    ------------------------------


  • 2.  RE: ISAM Java API - How to change userId or move password to another user.

    Posted Fri July 10, 2020 06:43 AM
    Marcelo,

    One approach to this is to delete the user from Access Manager but specify NOT to delete the user's LDAP record.  Then import the user again using the new name.  Note that this approach will remove some data (like password policy, GSO data).  An alternative approach is to use LDAP APIs to directly modify the inetorgperson and secUser objects to change the required fields.  That will maintain all the LDAP data.

    If you use Advanced Access Control you should note that user data stored in the Runtime Database is indexed on username.  In that case, username is considered immutable and I'm not sure there is any easy way to change it.  In that case you might need to look at a way to change what the user logs in with without changing the underlying username that Access Manager is using internally.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: ISAM Java API - How to change userId or move password to another user.

    Posted Tue July 21, 2020 10:56 AM
    Hi Jon

    Thank you a lot for your help. For our need, it's imperative to keep the same password when updating the userId. As I understand, the import will clear the password, right?! So you recommend LDAP APIs? Which one should I use for ISAM 9?

    Thank you again.

    ------------------------------
    Marcelo Godois
    ------------------------------



  • 4.  RE: ISAM Java API - How to change userId or move password to another user.

    Posted Tue July 21, 2020 11:01 AM
    Hi Marcelo,

    Deleting the user from Access Manager (but not from inetorgperson in LDAP) and then re-importing will not clear the password.  The password is part of the inetorgperson object.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: ISAM Java API - How to change userId or move password to another user.

    Posted Fri July 24, 2020 12:38 PM
    Great Jon!!! That works!

    The only thing is the fact the 'uid' remains the old one. Would that be a problem?

    For example:
    Thank you a lot!

    ------------------------------
    Marcelo Godois
    ------------------------------



  • 6.  RE: ISAM Java API - How to change userId or move password to another user.

    Posted Fri July 24, 2020 01:04 PM
    Hello,

    If the RDN of the LDAP entry is using the uid then this can't be changed with simple attribute manipulation.  That requires a ModifyRDN LDAP call which (as far as I know) can only be done via LDAP APIs.

    If you need the UID to also be changed, you will need to use native LDAP APIs.  I don't have much experience of this but I'm sure you can search for ModifyRDN call.

    Your process would need to be:
    1) delete the ISAM user (as you're doing now)
    2) Modify the RDN with LDAP call (also update uid attribute perhaps)
    3) import user to ISAM again

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
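Step 2 of the procedure above, written as an added example (not code from the thread or from IBM): the ModifyRDN is done with JNDI, which ships with the JDK, so no native library is needed. Host name, bind DN, base DN and user names are placeholders; the surrounding ISAM steps are shown as the equivalent pdadmin commands in comments, and the entry is assumed to use uid as its RDN.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class RenameLdapUser {

    // Step 1 (ISAM, run before this program):
    //   pdadmin sec_master> user delete olduser
    //   (no -registry flag, so the inetOrgPerson entry and its userPassword stay in LDAP)
    // Step 3 (ISAM, run after this program):
    //   pdadmin sec_master> user import newuser uid=newuser,ou=people,dc=example,dc=com

    public static void main(String[] args) throws NamingException {
        // Placeholder DNs: same parent container, only the RDN value changes.
        String oldDn = "uid=olduser,ou=people,dc=example,dc=com";
        String newDn = "uid=newuser,ou=people,dc=example,dc=com";

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636");   // placeholder host, TLS
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=root");                   // placeholder bind DN
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PW")); // never hard-code it
        // deleteRDN=true (the JNDI default) tells the server to drop the old uid value,
        // so the entry ends up with a single uid that matches the new principal name.
        env.put("java.naming.ldap.deleteRDN", "true");

        DirContext ctx = new InitialDirContext(env);
        try {
            // One atomic server-side ModifyRDN: every other attribute of the entry,
            // including userPassword, is left untouched.
            ctx.rename(oldDn, newDn);
            System.out.println("Renamed " + oldDn + " -> " + newDn);
        } finally {
            ctx.close();
        }
    }
}
```

If the directory uses cn rather than uid as the RDN, rename() only changes cn; the uid attribute then needs a separate modifyAttributes() call before the re-import.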



  • 7.  RE: ISAM Java API - How to change userId or move password to another user.

    Posted Mon July 27, 2020 05:12 PM

    Hi Marcelo,
    that depends on your use case. As Jon mentioned, the uid attribute is part of the "LDAP" object, not of the WebSEAL "LDAP Repository". The latter you find under secAuthority=Default. "Default" is default ;), that means if you changed it during initial setup of your ISAM runtime it'll have a different name. Under this path you find a couple of containers holding different objects WebSEAL uses for decisions. Under users you find your WebSEAL users with the attribute principalName. This is the attribute of the login name for WebSEAL, while the password is taken from the "LDAP" object's attribute userPassword. So, if you are using full, not basic, users, you can just change principalName. That's actually what happens by reimporting the user. The easiest way would be exporting your registry to an LDIF, editing it (e.g. with a script) and reimporting to LDAP with LDAP modify. If needed you can use the same method for the native LDAP object.


    Best,
    Jens 



    ------------------------------
    Jens Petersen
    ------------------------------