Yes, this helps. The missing piece was the method getNameInNamespace()
Original Message:
Sent: Thu December 05, 2024 07:26 AM
From: Serge Vereecke
Subject: ldapsearch in mapping rules
Hi,
Unless you are on an older version of ISVA, I would suggest using the native LDAP utils. That requires configuring a server connection (AAC or Federation menu, Global settings \ Server Connections). Create a connection of type LDAP and provide all the necessary data. The snippets below should be able to retrieve the user and his group membership.
    var initialUserName = stsuu.getPrincipalName();
    var tmpname = extractUsername(initialUserName); // extractUsername: helper defined elsewhere in the rule
    IDMappingExtUtils.traceString("Extracted name: " + tmpname);

    // Look up the user by sAMAccountName through the configured server connection.
    var ldapCtx = new AttributeUtil();
    ldapCtx.init("SERVERCONNECTIONNAME", "OU=Users,OU=XXX,DC=YYY,DC=ZZZ");
    var searchFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + tmpname + "))";
    var ldapResult = ldapCtx.search("OU=Users,OU=XXX,DC=YYY,DC=ZZZ", searchFilter);
    IDMappingExtUtils.traceString("LDAP result of Active Directory: " + ldapResult);
    var result = ldapResult.getNamingEnumeration();

    // The entry's DN is not among the returned attributes; it comes from getNameInNamespace().
    var dn = '';
    if (result != null && result.hasMore()) {
        dn = '' + result.next().getNameInNamespace();
    }

    // Search the groups branch for entries whose member attribute holds that DN.
    ldapCtx = new AttributeUtil();
    ldapCtx.init("SERVERCONNECTIONNAME", "OU=Groups,OU=XXX,DC=YYY,DC=ZZZ");
    var searchFilterGroups = "(&(objectClass=group)(member=" + dn + "))";
    ldapResult = ldapCtx.search("OU=Groups,OU=XXX,DC=YYY,DC=ZZZ", searchFilterGroups);
    result = ldapResult.getNamingEnumeration();
    var groupdn = '';
    if (result != null) {
        // Loop through the returned group entries.
        while (result.hasMore()) {
            var resultEntry = result.next();
            groupdn = '' + resultEntry.getNameInNamespace();
            var grp = extractGroup(groupdn);   // extractGroup, subStr: helpers defined elsewhere in the rule
            var grpname = subStr(grp, 'CN=');
        }
    }
Hope this helps
Kind regards
Serge Vereecke
IBM
------------------------------
Serge Vereecke
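As an added example (not code from Serge's post or from ISVA), the two filters from the snippets above built with RFC 4515 escaping of the inserted value, so a principal name or DN containing parentheses, asterisks or backslashes cannot change the filter structure, plus the CN extraction from a group DN. Function names (escapeFilterValue, userFilter, groupFilter, groupCnFromDn) are assumptions; the code is plain ES5 with no Node-only APIs so it can be pasted into a mapping rule.

```javascript
// Added example, not the mapping-rule code from the thread.
// RFC 4515 section 3: NUL, '(', ')', '*' and '\' inside an assertion value
// must be written as a backslash followed by two hex digits.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16);
    return "\\" + (hex.length < 2 ? "0" + hex : hex);
  });
}

// Filter from the first snippet: find the AD user by sAMAccountName.
function userFilter(samAccountName) {
  return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" +
    escapeFilterValue(samAccountName) + "))";
}

// Filter from the second snippet: groups whose member attribute holds the user DN.
// The DN is a full attribute value here, so it is escaped the same way.
function groupFilter(userDn) {
  return "(&(objectClass=group)(member=" + escapeFilterValue(userDn) + "))";
}

// Value of the leading CN= RDN of a group DN, honouring backslash-escaped commas
// (e.g. "CN=Smith\, John,OU=Groups,..." yields "Smith\, John").
function groupCnFromDn(groupDn) {
  var m = /^CN=((?:\\.|[^,\\])*)/i.exec(groupDn);
  return m ? m[1] : null;
}

// Constructed sample inputs for a stand-alone run.
var principal = "alice";
var userDn = "CN=alice,OU=Users,DC=example,DC=com";
console.log(userFilter(principal));
console.log(groupFilter(userDn));
console.log(groupCnFromDn("CN=Admins,OU=Groups,DC=example,DC=com"));
```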
Original Message:
Sent: Wed December 04, 2024 06:58 AM
From: Laurent LA Asselborn
Subject: ldapsearch in mapping rules
Hi,
Is there a generic ldapsearch util in ISVA? I know of these two classes, but they don't meet my needs:
com.ibm.security.access.ldap.utils.AttributeUtil
com.ibm.security.access.user.UserLookupHelper
I am implementing the OAuth token exchange service and I need to do an LDAP lookup (in an LDAP different from the primary ISVA LDAP) of group memberships. More precisely I have to find all the groups of a specific subbranch of which the user is a member.
The LDAP search would be: scope=sub, base=baseDN, filter=(member={userDN})
The problem here is getting the userDN. While I'm able to find the user using AttributeUtil, I'm not able to get his DN. The NamingEnumeration returned by this class only contains the user attributes, but not the DN of the result.
As a workaround, I used the UserLookupHelper which returns the "native id", which is the DN. This worked fine while using the main ISVA LDAP server, but I was not able to initialize the UserLookupHelper with a different server connection. The search was still done on the primary LDAP server. Even explicitly calling shutdown() before initializing did not help.
Any hints on a different class I could use or how to correctly initialize the UserLookupHelper?
I initialized the UserLookupHelper like this:
ulh.init(new ServerConnectionFactory().getLdapConnectionByName(ldapServer), "Default");
I'm not too sure about the parameter for mgmtDomain as this is not an ISVA LDAP.
Kind regards and thanks in advance,
Laurent
------------------------------
Laurent LA Asselborn
------------------------------