Hi Sylvain,
Yes, you can use ULH in a pretoken mapping rule to get users and groups from external directories. I have personally done this by creating server connections to both AD and SDS LDAP (non-federated), then implementing the JS in the pretoken mapping rule. For SDS I had to get nested groups; that example is below also.
Here is the AD example.
Create a server connection to your AD directory, for example named MyCoAD, and add the following to your pretoken mapping rule. This will use the server connection and do the lookup defined.
// Standard ISAM mapping-rule imports for the classes used below (assumed to sit at the top of the rule).
importClass(Packages.com.ibm.security.access.server_connections.ServerConnectionFactory);
importClass(Packages.com.ibm.security.access.user.UserLookupHelper);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

// "username" is assumed to have been taken from the STS context earlier in the rule.
var servername = "MyCoAD";
var myadldap = ServerConnectionFactory.getLdapConnectionByName(servername);
var userhlpr = new UserLookupHelper();
// As posted this called init(true), which does not use myadldap at all; the connection-based
// init() form shown in the SDS example below is used instead. The AD user filter is an assumption.
userhlpr.init(myadldap, "(objectClass=user)", "Default");
var searched = userhlpr.search("SAMAccountName", username, 10);
if (searched.length < 1) {
    // searched[0] is undefined in this branch, so only the username is logged.
    IDMappingExtUtils.traceString("User not found from UserLookupHelper() " + username + ".");
} else {
    IDMappingExtUtils.traceString("Found user " + searched[0] + " from UserLookupHelper() " + username + ".");
    var ldapuser = userhlpr.getUserByNativeId(searched[0]);
    if (ldapuser == null) {
        // Do not call ldapuser.getId() here: ldapuser is null in this branch.
        IDMappingExtUtils.traceString("User not found " + searched[0] + " from UserLookupHelper.getUserByNativeId().");
    } else {
        IDMappingExtUtils.traceString("Found user " + ldapuser.getId() + " from UserLookupHelper.getUserByNativeId().");
    }
}
Here is the SDS nested group example.
// "matched_groups" is assumed to hold the group cn to look up, set earlier in the rule.
var sdsservername = "SDSLdap";
var sdsldap = ServerConnectionFactory.getLdapConnectionByName(sdsservername);
var sdsuserhlpr = new UserLookupHelper();
// Restrict the search to nested-group entries; "Default" is the management domain name.
sdsuserhlpr.init(sdsldap, "(&(objectclass=ibm-nestedGroup))", "Default");
IDMappingExtUtils.traceString("getting SDS groups ..");
var searched = sdsuserhlpr.search("cn", matched_groups, 10);
if (searched.length < 1) {
    // searched[0] is undefined in this branch, so only the requested group is logged.
    IDMappingExtUtils.traceString("sds group not found from UserLookupHelper() " + matched_groups + ".");
} else {
    IDMappingExtUtils.traceString("Found Match! " + searched[0] + " from UserLookupHelper() " + matched_groups + ".");
}
Hopefully this is enough to get you started. It took some patience and lots of tracing! Enjoy!
------------------------------
Robert Graham
Cloud Security Consultant
IAM Modernization
IBM Expert Labs
US
------------------------------
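The two lookups from the reply above, folded into one function with the failure cases (no match, ambiguous match, null user) handled; this is an added example, not code from the post or from IBM. It takes the helper objects as parameters, assuming only the UserLookupHelper calls used in the thread (search, getUserByNativeId, getId), so it can be exercised offline against a constructed in-memory stand-in.

```javascript
// Added example, not from the original post: the reply's two lookups folded into
// one function with the failure cases handled. `userHelper` and `groupHelper` are
// any objects exposing the UserLookupHelper calls used in the thread (search(attr,
// value, limit), getUserByNativeId(id), and getId() on the returned user);
// `trace` is a log function (IDMappingExtUtils.traceString on ISAM). Rhino-compatible JS.
function lookupUserAndGroups(userHelper, groupHelper, trace, attr, username, groupNames) {
  var result = { found: false, nativeId: null, userId: null, groups: [] };
  var hits = userHelper.search(attr, username, 10);
  if (!hits || hits.length < 1) {
    trace("User not found for " + attr + "=" + username);
    return result;
  }
  if (hits.length > 1) {
    // Ambiguous match: fail closed instead of silently taking the first entry.
    trace("Ambiguous result for " + username + ": " + hits.length + " entries");
    return result;
  }
  var user = userHelper.getUserByNativeId(hits[0]);
  if (user == null) {
    // Log the native id, not user.getId(): user is null in this branch.
    trace("getUserByNativeId returned null for " + hits[0]);
    return result;
  }
  result.found = true;
  result.nativeId = hits[0];
  result.userId = user.getId();
  // One cn search per requested group, as in the SDS nested-group example.
  for (var i = 0; i < groupNames.length; i++) {
    var g = groupHelper.search("cn", groupNames[i], 10);
    if (g && g.length > 0) { result.groups.push(groupNames[i]); }
  }
  return result;
}

// Constructed in-memory stand-in for the helpers so the function runs offline.
function makeFakeHelper(entries) {
  return {
    search: function (attr, value) {
      return entries.filter(function (e) { return e[attr] === value; })
                    .map(function (e) { return e.dn; });
    },
    getUserByNativeId: function (dn) {
      var e = entries.filter(function (x) { return x.dn === dn; })[0];
      return e ? { getId: function () { return e.id; } } : null;
    }
  };
}
var fakeUsers = makeFakeHelper([{ dn: "CN=jdoe,OU=Users,DC=example,DC=com", SAMAccountName: "jdoe", id: "jdoe" }]);
var fakeGroups = makeFakeHelper([{ dn: "cn=admins,ou=groups,o=example", cn: "admins" }]);
```

In the real rule, pass the two initialised UserLookupHelper instances and IDMappingExtUtils.traceString in place of the fakes and act on result.found and result.groups.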
Original Message:
Sent: Mon June 29, 2020 06:36 PM
From: Sylvain Gilbert
Subject: UserLookupHelper and Active Directory
Hi
From info_map: UserLookupHelper is useful for authenticating users located in a remote ISAM registry; we have been doing it recently and it works great. But now we are at the point of trying to authenticate users that reside in other LDAP user registry types that are non-ISAM registries, like Active Directory, and we started to hesitate about whether we are using the right helper.
Can we do this, and is the same helper, UserLookupHelper(), our gateway to success? Or must we use a different helper/approach? Do any examples exist out there?
The issue seems to be that the Helper is asking for a management domain, which obviously does not exist in such remote AD registries.
Thanks
------------------------------
Sylvain Gilbert
------------------------------