IBM Verify

IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  UserHelper

    Posted Tue September 08, 2020 06:52 AM
    Hi all,

    can anybody confirm that the UserLookup Helper runs with basic user without any impact? So can we use the code developed on ISAM Users when we switch to basic User or do we need to change anything?

    Thanks for suggestions,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------


  • 2.  RE: UserHelper

    Posted Tue September 08, 2020 09:50 AM

    Hi

    What we learn in the past months, is that you need to have a principal ISAM User Registry configured (with secuser objects) but other "basic" accounts can be locked up as well in secondary user registry such as Active Directory, using the same UserLookupHelper() object. But the way you initialize it is different.

    For you ISAM Principal user registry, it can be as simple as this:

                ldapUserEmailAttribute = "mail";

                ldapFilter="(&(objectclass=ABCEmployee)( ldapUserEmailAttribute=*))";

                hlpr = new UserLookupHelper();

                hlpr.init(ldapConnection, ldapFilter, "tenantE");

     

    Whereas users that reside in secondary user registries (such as Active Directory), you can initialize you userLookupHelper() as follow:

     

                hlpr = new UserLookupHelper();

                hlpr.init(false);

     

    In the above case, the configuration is seeded from the ldap.conf configuration file (see Federated User Registry link https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.2/com.ibm.isam.doc/admin/task/tsk_manage_lite_users.html).

     

    We have high hopes that in ISVA V10, we will be able to leverage the new NativeLDAPHelper() object to handle users located in secondary user registries with a more "direct" approach as opposed than relying on the Federated Directory approach.

     

    Hope this helps.



    ------------------------------
    Hi

    What we learn in the past months, is that you need to have a principal ISAM User Registry configured (with secuser objects) but other "basic" accounts can be locked up as well in secondary user registry such as Active Directory, using the same UserLookupHelper() object. But the way you initialize it is different.

    For you ISAM Principal user registry, it can be as simple as this:
    ldapUserEmailAttribute = "mail";
    ldapFilter="(&(objectclass=ABCEmployee)( ldapUserEmailAttribute=*))";
    hlpr = new UserLookupHelper();
    hlpr.init(ldapServerConnection, ldapFilter, "tenantE");

    Whereas users that reside in secondary user registries (such as Active Directory), you can initialize you userLookupHelper() as follow:

    hlpr = new UserLookupHelper();
    hlpr.init(false);

    In the above case, the configuration (server name, etc) is seeded from the ldap.conf configuration file (see Federated Directories link https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.2/com.ibm.isam.doc/admin/task/tsk_manage_lite_users.html) where your ISAM Liberty (InfoMap module for instance) is running from.

    Once the ldap helper is initialized, the user object returned pretty much behaves the same (user.authenticate(), user.getId() , user.getAttribute(), … ), except the schema is different of course between a native secuser and a basic user. The code after the UserLookupHelper is pretty much similar, except in cases we know we deal with basic user, we are looking for a different set of extra attributes.

    We have high hopes that in ISVA V10, we will be able to leverage the new NativeLDAPHelper() object to handle users located in secondary user registries with a more "direct" approach as opposed than relying on the Federated Directory approach.


    Please ensure that you perform minimal testing to ensure to really capture very well your use case requirements.

    Hope this helps.

    ------------------------------

    Original Message


  • 3.  RE: UserHelper

    Posted Tue September 08, 2020 11:11 AM
    Hi Sylvian,

    that's the behavior I expected. Basically that would mean I couldn't use basic Users within the same LDAP as the registry sits, as when I remember right federated Directory doesn't support federating the same LDAP Host the registry is using. I also setting some hope to the new native LDAP Helper but that means changing the code. Well gives a chance to use the branching option as well :).

    Thanks for your reply,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------

    Original Message


  • 4.  RE: UserHelper

    Posted Tue September 08, 2020 11:31 AM
    Hi Jens

    I would think then that if you setup a duplicate DNS entry (or just in your local host entry file) of the LDAP primary host, but for the use of basic user access (secondary), could it work injecting that duplicate server entry in ldap.conf? 

    primary-ldap-host.abc.com (for secuser access)
    basicuser-ldap-host.abc.com (for basic user access)

    Both pointing to same server.

    Not tested it. Long shot.


    ------------------------------
    Sylvain Gilbert
    ------------------------------

    Original Message


  • 5.  RE: UserHelper

    Posted Tue September 08, 2020 12:07 PM
    good point, I'm giving that a try

    ------------------------------
    Jens Petersen
    ------------------------------

    Original Message