IBM Security Verify

  • 1.  How to use the NativeLDAP Helper Class

    Posted Fri July 24, 2020 10:43 AM

     

     

    In the IBM Security Verify Access appliance, there is existing functionality, UserLookupHelper. The purpose of this blog is to address a customer request for Native LDAP features, so that the nativeLookup APIs can be introduced in Verify Access.

     

    There is not much of a business abstract, as these APIs are quite similar to the NativeLDAP DirContext APIs. Use the NativeLDAPHelper as the utility to CRUD attributes in LDAP.

     

    The following mapping_rule.js sample program illustrates the usage of the NativeLDAP helper class:

     

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

    // Importing the native LDAP utility Java classes into the JS engine
    importPackage(Packages.com.ibm.security.access.ldap.utils);
    importPackage(Packages.javax.naming.directory);

    // Principal name from the STSUU (read here, not used further in this sample)
    var principalName = stsuu.getPrincipalName();

    var attrUtil = new AttributeUtil();

    // Initializing the utility with the connection parameters via the init method.
    // Note: in this example it takes the 'IdPLdadper' server connection defined in the LMI (Server Connections).
    attrUtil.init('IdPLdadper','secAuthority=Default');

    // Preparing the attributes to create a specific sub context.
    // A multi-valued attribute (such as objectclass) must be built as ONE BasicAttribute holding
    // several values: BasicAttributes.put() replaces any attribute with the same ID, so calling
    // put() repeatedly for the same ID would keep only the last value.
    var matchAttrs = new BasicAttributes(true);
    matchAttrs.put(new BasicAttribute("objectclass", "domain"));
    matchAttrs.put(new BasicAttribute("dc", "test"));
    var name = "dc=test,dc=iswga";
    var res7 = attrUtil.createSubContext(name, matchAttrs);
    IDMappingExtUtils.traceString("after creating sub context : " + res7);

    matchAttrs = new BasicAttributes(true);
    matchAttrs.put(new BasicAttribute("uid", "testuser3"));
    var cnAttr = new BasicAttribute("cn");
    cnAttr.add("Test");
    cnAttr.add("testuser3");
    matchAttrs.put(cnAttr);
    matchAttrs.put(new BasicAttribute("sn", "User3"));
    matchAttrs.put(new BasicAttribute("displayName", "testuser3 User"));
    matchAttrs.put(new BasicAttribute('userPassword','{SSHA}viIpzG9woq6O5vKfl4/U/8NjLZSzqc/k3hUfaw=='));
    var ocAttr = new BasicAttribute("objectclass");
    ocAttr.add("top");
    ocAttr.add("person");
    ocAttr.add("organizationalPerson");
    ocAttr.add("inetorgperson");
    matchAttrs.put(ocAttr);
    name = "cn=testuser3,dc=test,dc=iswga";
    var res4 = attrUtil.createSubContext(name, matchAttrs);
    IDMappingExtUtils.traceString("after creating sub context : " + res4);

    // Using a query to do the search and iterating over each result's attributes
    var filter = "(&(objectclass=secGroup)(secAuthority=Default))";
    var res5 = attrUtil.search('secAuthority=Default', filter);
    var result = res5.getNamingEnumeration();
    IDMappingExtUtils.traceString("after search result : " + result);
    while (result.hasMore()) {
        var attrs = result.next().getAttributes();
        IDMappingExtUtils.traceString("Iterating each attributes : " + attrs);
    }

    // Removing an attribute value
    var res = attrUtil.removeAttribute('cn=testuser,dc=iswga','homePhone','555-12345');
    IDMappingExtUtils.traceString("after editing : " + res);

    // Adding a new attribute value
    var res1 = attrUtil.addAttributeValue('cn=testuser,dc=iswga','homePhone','555-12345');
    IDMappingExtUtils.traceString("after adding : " + res1);

    // Retrieving attribute values (two attributes requested at once)
    var res6 = attrUtil.getAttributeValue('principalName=testuser,cn=Users,secAuthority=Default',
        ['principalName','secDomainId']);
    IDMappingExtUtils.traceString("after getting with 2 attributes: " + res6);

     

    For more information, see https://www.ibm.com/support/pages/node/6213574

     



    ------------------------------
    Zhiyu (Bill) Gao
    ------------------------------
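    The search() and getAttributeValue() calls in the post above take a raw LDAP filter string and a raw DN string. In the sample both are hard-coded, but a real mapping rule usually builds them from the STSUU principal name, which is attacker-influenced input; an unescaped value can turn a single-user lookup into a wildcard or different-entry match. The following added example (not code from the original post or from IBM Security Verify Access) shows the escaping to apply before such a value is interpolated, following RFC 4515 for filter values and RFC 4514 for DN values. It is written in ES5-style JavaScript so it runs under Node as well as in a mapping rule; USER_BASE_DN, the function names and the hostile sample input are illustrative choices for this example and are not part of the helper's API.

```javascript
// Added example, not code from the original post or from IBM Security Verify Access.
// Escaping for values interpolated into the raw filter/DN strings that the helper's
// search() and getAttributeValue() calls accept. USER_BASE_DN and the function names
// are illustrative; CONSTRUCTED_HOSTILE_NAME is constructed input for the demo.

// RFC 4515: inside a filter assertion value only '*', '(', ')', '\' and NUL are special;
// each is replaced by a backslash followed by two hex digits.
function escapeLdapFilterValue(value) {
    var s = String(value);
    var out = "";
    for (var i = 0; i < s.length; i++) {
        var c = s.charAt(i);
        if (c === "*") { out += "\\2a"; }
        else if (c === "(") { out += "\\28"; }
        else if (c === ")") { out += "\\29"; }
        else if (c === "\\") { out += "\\5c"; }
        else if (c === "\u0000") { out += "\\00"; }
        else { out += c; }
    }
    return out;
}

// RFC 4514: in a DN attribute value, escape '"', '+', ',', ';', '<', '>' and '\' with a
// leading backslash; also a leading space or '#', a trailing space, and NUL as \00.
function escapeDnValue(value) {
    var s = String(value);
    var out = "";
    for (var i = 0; i < s.length; i++) {
        var c = s.charAt(i);
        var first = (i === 0);
        var last = (i === s.length - 1);
        if (c === "\u0000") { out += "\\00"; }
        else if ("\"+,;<>\\".indexOf(c) !== -1) { out += "\\" + c; }
        else if (c === " " && (first || last)) { out += "\\ "; }
        else if (c === "#" && first) { out += "\\#"; }
        else { out += c; }
    }
    return out;
}

// Base DN of the user entries used in the post (illustrative assumption for this example).
var USER_BASE_DN = "cn=Users,secAuthority=Default";

// DN to hand to getAttributeValue(), built from an untrusted principal name.
function buildUserDn(principalName) {
    return "principalName=" + escapeDnValue(principalName) + "," + USER_BASE_DN;
}

// Filter to hand to search(), built from an untrusted principal name.
function buildUserFilter(principalName) {
    return "(principalName=" + escapeLdapFilterValue(principalName) + ")";
}

// Constructed input: a "principal name" carrying a filter-injection payload. Unescaped,
// "(principalName=" + name + ")" becomes "(principalName=*)(secDomainId=*)", a wildcard
// match; escaped, it stays one literal assertion value.
var CONSTRUCTED_HOSTILE_NAME = "*)(secDomainId=*";

function demo() {
    return {
        unsafeFilter: "(principalName=" + CONSTRUCTED_HOSTILE_NAME + ")",
        safeFilter: buildUserFilter(CONSTRUCTED_HOSTILE_NAME),
        safeDn: buildUserDn("smith, j")
    };
}
```

    In a mapping rule this would be used as attrUtil.search('secAuthority=Default', buildUserFilter(stsuu.getPrincipalName())) and attrUtil.getAttributeValue(buildUserDn(stsuu.getPrincipalName()), ['principalName','secDomainId']), so the principal name can never change the shape of the filter or the DN, only the value being matched.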


  • 2.  RE: How to use the NativeLDAP Helper Class

    Posted Mon August 03, 2020 05:33 AM
    Just FYI, the "Java Whitelist" in Verify Access has a bug which means that although these classes are available in STS mapping rules, they are not accessible in InfoMap Authentication Mechanisms.  A fix is available from support (you will need to open a case).  It should also be included in the 1st "Interim Fix" for v10.0.0.0 when that is released.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: How to use the NativeLDAP Helper Class

    Posted Tue August 04, 2020 06:43 AM
    Hi Jon,
    thanks for the heads up. I was just wasting some days trying to get it to work :(.
    -Jens

    ------------------------------
    Jens Petersen
    ------------------------------