Hi Joao,
I just tested this quickly in my environment. I added the following to my Reverse Proxy configuration (some already existed actually):
-- This already existed -----------
[TAM_CRED_ATTRS_SVC]
#
# This stanza is used to configure the credential attributes entitlement
# service. This entitlement service can be used to add attributes to the
# credential which are based on LDAP attributes of the authenticated user.
#
# Entries in this stanza are used to define the sources of attributes to be
# retrieved. The source names, such as user and group, are used to identify
# the source location in the registry. You need to define these. The values
# for these sources are registry identifiers that exist in the registry. The
# values can be existing credential attribute names. If this is the case,
# the service automatically finds and uses the respective values.
#
# For example:
# eperson = azn_cred_registry_id
# organisationalPerson = azn_cred_registry_id
#
# Each entry should then have a corresponding stanza which maps the LDAP
# attribute into a credential attribute.
#
# For example:
# [TAM_CRED_ATTRS_SVC:eperson]
# emailAddress = mail
# mobileNumber = mobile
#
# [TAM_CRED_ATTRS_SVC:organisationalPerson]
# emailAddress = mail
# mobileNumber = mobile
#
eperson = azn_cred_registry_id
inetOrgPerson = azn_cred_registry_id
--------
----- modified this to add entries I wanted -----
[TAM_CRED_ATTRS_SVC:eperson]
emailAddress = mail
mobileNumber = mobile
ad_groups = memberOf
display_name = displayName
--------
With this done, I can see the following is added to the credential when I log in with an AD Basic User:
ad_groups[0] : CN=Administrators,CN=Builtin,DC=demo,DC=com
display_name[0]: Fred Bloggs
With these values in the user credential it should be easy to extract them in mapping rules.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
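A mapping-rule helper, added here as an example and not part of the thread or of any IBM code, that turns ad_groups values like the one in the credential dump above into the comma-separated list Joao described; it assumes the values have already been read out of the STSUU into a plain JavaScript array (that step is not shown) and it handles DNs with RFC 4514 escaped commas:

```javascript
// Added example (not code from the thread or from IBM): it turns the
// multi-valued ad_groups credential attribute, one AD memberOf DN per
// value, into the comma-separated group list Joao asked for. Assumes the
// mapping rule has already copied the values into a plain string array;
// ES5 style so it also runs in the Rhino engine used by mapping rules.

// Split a DN into RDN strings, honouring RFC 4514 backslash escapes so a
// name such as "CN=Sales\, EMEA" is not cut in half at the escaped comma.
function splitDn(dn) {
  var parts = [], cur = "";
  for (var i = 0; i < dn.length; i++) {
    var c = dn.charAt(i);
    if (c === "\\" && i + 1 < dn.length) cur += dn.charAt(++i); // escaped char
    else if (c === ",") { parts.push(cur); cur = ""; }
    else cur += c;
  }
  parts.push(cur);
  return parts;
}

// Value of the first CN RDN in the DN, or null if the DN has no CN.
function groupNameFromDn(dn) {
  var rdns = splitDn(dn);
  for (var i = 0; i < rdns.length; i++) {
    var eq = rdns[i].indexOf("=");
    if (eq > 0 && rdns[i].substring(0, eq).trim().toUpperCase() === "CN") {
      return rdns[i].substring(eq + 1).trim();
    }
  }
  return null;
}

// Comma-separated list of group CNs; skips DNs without a CN and duplicates.
function groupListFromMemberOf(dns) {
  var seen = {}, out = [];
  for (var i = 0; i < dns.length; i++) {
    var name = groupNameFromDn(dns[i]);
    if (name !== null && !seen.hasOwnProperty(name)) { seen[name] = true; out.push(name); }
  }
  return out.join(",");
}

// Constructed sample values in the form shown in Jon's credential dump.
var sampleMemberOf = ["CN=Administrators,CN=Builtin,DC=demo,DC=com",
                      "CN=staff,OU=Groups,DC=demo,DC=com",
                      "CN=Administrators,CN=Builtin,DC=demo,DC=com",
                      "OU=NoCnHere,DC=demo,DC=com"];
```

Note that a group whose CN itself contains a comma (the escaped case above) cannot be carried unambiguously in a plain comma-separated list, so a consumer that needs exact names should use the full DNs or a different delimiter.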
Original Message:
Sent: Tue November 17, 2020 04:20 AM
From: Joao Goncalves
Subject: Getting Groups from AD basic users
I am looking at the Reverse Proxy configuration file, and I don't know in which stanza to place AZN_CRED_ATTRS (or AZN_CRED_ATTR?)
I can find this stanza.
[TAM_CRED_ATTRS_SVC]
# Each entry should then have a corresponding stanza which maps the LDAP
# attribute into a credential attribute.
#
# For example:
# [TAM_CRED_ATTRS_SVC:eperson]
# emailAddress = mail
# mobileNumber = mobile
Regarding the displayName, it is in fact the correct attribute name.
Regarding the group information, I just need a comma-separated list, like "staff,bin,auditor".
I can see the group information in the Active Directory contains memberOf.
In my previous tests with full users, the groups were imported without any additional configuration. But I can see that for basic users, there is more I must do. I just don't know how I can import those attributes by default, although I know how to get them using the Attribute Source option, where I can add specific attributes to STSUU. But I would rather have ISAM get them immediately when the user logs in and ISAM gets the attributes.
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
Original Message:
Sent: Tue November 17, 2020 03:43 AM
From: Jon Harry
Subject: Getting Groups from AD basic users
Joao,
Accessing any attribute of the user should be a case of either adding AZN_CRED_ATTR configuration to Reverse Proxy (to populate the attribute into user credential at login time) or using Identity Source configuration (to make attribute available to OAuth/Federation mapping rules). You say "display_name" but I think the standard attribute in AD would be "displayName"?
The credential that is built following authentication will only include groups that are known to Verify Access. That means that they have been "import"ed (and so show up if you do a "group list" command).
If you want to have access to full group information without import, you'd need to read group information as a standard attribute from the user record. Usually group membership in LDAP is obtained by looking up "members" attribute of the group object which is not helpful. However, many LDAPs have a special (usually dynamically calculated) attribute on user object that returns group memberships.
In Active Directory it is the "memberOf" attribute. (in IBM Directory Server it is "ibm-allGroups"). Perhaps you can reference this attribute (as above) to retrieve all groups?
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Mon November 16, 2020 04:47 PM
From: Joao Goncalves
Subject: Getting Groups from AD basic users
I am authenticating users from AD successfully.
When I look into the STSUU, I cannot find AZN_CRED_GROUPS.
If I add this to the Attribute Source using Credential Type AZN_CRED_GROUPS, I still don't get the groups.
I will also need the display_name.
But is there a restriction to getting the groups if the users are basic users and not full users?
Do I have to extract the groups and display name by defining the Attribute Source using the LDAP type?
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------