IBM Security Verify


UserLookupHelper and Active Directory

  • 1.  UserLookupHelper and Active Directory

    Posted Mon June 29, 2020 06:37 PM

    Hi

     

    From info_map: UserLookupHelper is useful for authenticating users located in a remote ISAM registry; we have been doing this recently and it works great. But now we are at the point of trying to authenticate users that reside in other LDAP user registry types that are not ISAM registries, like Active Directory. And we started to wonder whether we are using the right helper.

    Can we do this, and is the same helper UserLookupHelper() our gateway to success? Or must we use a different helper/approach? Does any example exist out there?

    The issue seems to be that the helper is asking for a management domain, which obviously does not exist in such remote AD registries.

    Thanks



    ------------------------------
    Sylvain Gilbert
    ------------------------------


  • 2.  RE: UserLookupHelper and Active Directory

    Posted Mon June 29, 2020 10:23 PM
    Hi Sylvain, yes, you can use ULH in a pre-token mapping rule to get users and groups from external directories. I have personally done this by creating server connections to both AD and SDS LDAP (non-federated) and then implementing the JS in the pre-token mapping rule. For SDS I had to get nested groups; that example is below as well.
    Here is the AD example.
    Create a server connection to your AD directory, for example named MyCoAD, and add the following to your pre-token mapping rule; this will use the server connection and do the lookup defined.
    var servername = "MyCoAD";
    var myadldap = ServerConnectionFactory.getLdapConnectionByName(servername);
    var userhlpr = new UserLookupHelper();
    // Initialise the helper with the AD server connection, in the same form as the
    // SDS example below. The user filter "(objectclass=user)" is an assumed AD
    // filter; the third argument is the ISAM management domain.
    userhlpr.init(myadldap, "(objectclass=user)", "Default");

    // username: the principal to look up. Assumed here to be the principal name
    // of the STSUU that is available to the pre-token mapping rule.
    var username = stsuu.getPrincipalName();

    // search(attribute, value, maxResults) returns the native IDs of matching entries.
    var searched = userhlpr.search("SAMAccountName", username, 10);
    if (searched.length < 1) {
        IDMappingExtUtils.traceString("User " + username + " not found by UserLookupHelper.search().");
    } else {
        IDMappingExtUtils.traceString("Found user " + searched[0] + " from UserLookupHelper.search() for " + username + ".");
        var ldapuser = userhlpr.getUserByNativeId(searched[0]);
        if (ldapuser == null) {
            // Do not dereference ldapuser here: it is null in this branch.
            IDMappingExtUtils.traceString("User " + searched[0] + " not returned by UserLookupHelper.getUserByNativeId().");
        } else {
            IDMappingExtUtils.traceString("Found user " + ldapuser.getId() + " from UserLookupHelper.getUserByNativeId().");
        }
    }

    Here is the SDS nested group example.

    var sdsservername = "SDSLdap";
    var sdsldap = ServerConnectionFactory.getLdapConnectionByName(sdsservername);
    var sdsuserhlpr = new UserLookupHelper();
    // Initialise with the SDS connection, a filter for nested groups, and the management domain.
    sdsuserhlpr.init(sdsldap, "(&(objectclass=ibm-nestedGroup))", "Default");
    IDMappingExtUtils.traceString("getting SDS groups ..");
    // matched_groups holds the group cn to look up; it is set earlier in the rule (not shown here).
    var searched = sdsuserhlpr.search("cn", matched_groups, 10);
    if (searched.length < 1) {
        IDMappingExtUtils.traceString("SDS group " + matched_groups + " not found by UserLookupHelper.search().");
    } else {
        IDMappingExtUtils.traceString("Found match " + searched[0] + " from UserLookupHelper.search() for " + matched_groups + ".");
    }

    Hopefully this is enough to get you started. It took some patience and lots of tracing! Enjoy!



    ------------------------------
    Robert Graham
    Cloud Security Consultant
    IAM Modernization
    IBM Expert Labs
    US
    ------------------------------
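A caveat a practitioner will want next to the lookup in the post above, as an added example that is neither part of Robert's post nor IBM code: `search("SAMAccountName", username, 10)` takes the username straight from the request, and the thread does not say whether UserLookupHelper escapes it before building the LDAP filter. If you ever assemble a filter string yourself (for instance with the native LDAP helper mentioned later in the thread, or with any other LDAP API), the value must be escaped per RFC 4515; otherwise a username such as `*` turns an exact lookup into "any user", and taking `searched[0]` from up to 10 results then maps the request to whichever user happens to sort first. The helper below is plain ES5 JavaScript (so it also runs under the Rhino engine used by ISAM mapping rules, and under Node); the `(objectClass=user)` filter and the sample inputs are assumptions.

```javascript
// Added example (not from the thread, not IBM code): RFC 4515 escaping for
// request-supplied values before they are placed in an LDAP search filter.
// Written as plain ES5 so it also runs under the Rhino engine of ISAM mapping rules.

// RFC 4515 section 3: '*', '(', ')', '\' and NUL must be written as a backslash
// followed by two hex digits. Everything else, including UTF-8 text, may appear literally.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16);
    return "\\" + (hex.length < 2 ? "0" + hex : hex);
  });
}

// Attribute descriptors cannot be escaped in RFC 4515, so they must never come
// from the request; allow only the descriptor syntax (letters, digits, '-').
function assertAttributeName(attribute) {
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(attribute)) {
    throw new Error("invalid LDAP attribute name: " + attribute);
  }
  return attribute;
}

// Exact-match filter for one user. "(objectClass=user)" is an assumed AD user
// filter; adjust it for your directory.
function buildUserFilter(attribute, value) {
  return "(&(objectClass=user)(" + assertAttributeName(attribute) + "=" +
    escapeLdapFilterValue(value) + "))";
}

// Side by side: the filter a naive string concatenation would send versus the
// escaped one, for tracing in a mapping rule. Input is constructed by the caller.
function compareFilters(attribute, value) {
  return {
    unsafe: "(&(objectClass=user)(" + attribute + "=" + value + "))",
    safe: buildUserFilter(attribute, value)
  };
}

// Usage with a constructed wildcard "username":
//   compareFilters("sAMAccountName", "*").unsafe matches every user object,
//   compareFilters("sAMAccountName", "*").safe   matches only a literal "*".
```

Trace `compareFilters(...)` once in a test rule to see the difference, then keep only `buildUserFilter()` in production; whether UserLookupHelper itself escapes its `value` argument is not stated in the thread, so verify it against the Javadoc for your release before relying on it.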



  • 3.  RE: UserLookupHelper and Active Directory

    Posted Tue June 30, 2020 03:48 AM
    Hi Sylvain,

    In Verify Access 10.0.0 we added a "native LDAP helper", so you could consider using that helper instead of the ULH.
    I guess the main difference is that you can do actions like add/set/remove attributes in the LDAP, plus that you do have to configure the LDAP server in Verify Access.
    You must get the Javadoc from the link below, as the on-board Javadoc does not contain the documentation on this helper; something that will be fixed in a future fixpack or so.
    https://www.ibm.com/support/pages/node/6213574

    Cheers, Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 4.  RE: UserLookupHelper and Active Directory

    Posted Tue June 30, 2020 04:29 AM
    Hi Peter,
    does that mean the LDAP Helper is available with ISAM 9.0.7 as well?
    Thanks,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------



  • 5.  RE: UserLookupHelper and Active Directory

    Posted Tue June 30, 2020 09:02 AM
    Edited by Peter Volckaert Tue June 30, 2020 09:58 AM
    Hi Jens, the "native LDAP helper" is all new, and it's available from Verify Access 10.0.0 onwards.
    Of course, UserLookupHelper has been available for quite a while, and is still available in Verify Access 10.0.0.

    Cheers, Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 6.  RE: UserLookupHelper and Active Directory

    Posted Wed July 01, 2020 07:50 AM
    Edited by Jens Petersen Wed July 01, 2020 07:51 AM
    Hi Peter,
    OK, which version of ISAM supports Verify Access 10.0.0? We've tried but had no luck with ISAM 7.0.1.
    Best,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------



  • 7.  RE: UserLookupHelper and Active Directory

    Posted Thu July 02, 2020 02:29 AM
    Hi Jens,

    Verify Access 10.0.0 is simply the current release of ISAM, and could just as well have been given a name such as ISAM 9.0.8.
    So: only Verify Access 10.0.0 (and future releases) will have the native LDAP helper. You will not find it in any of the previous releases such as 7 or 9.0.7, and there are no plans to backport it.

    Cheers, Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 8.  RE: UserLookupHelper and Active Directory

    Posted Thu July 02, 2020 04:22 AM
    Hi Peter,

    OK, I missed that you guys changed the name of ISAM again, to Verify Access ;). Found the docs in the Knowledge Center.

    Thanks,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------