IBM Verify

 View Only
Expand all | Collapse all

ISVA: Get operational LDAP attribute (pwdAccountLockedTime) of basic users from SDS in InfoMap

  • 1.  ISVA: Get operational LDAP attribute (pwdAccountLockedTime) of basic users from SDS in InfoMap

    Posted Thu November 10, 2022 05:07 AM
    Hi everyone,

    from within an InfoMap, we are currently trying to retrieve operational attributes of basic users (or more specifically, the "pwdAccountLockedTime" attribute) stored in a Security Directory Server.
    Is there any way to achieve this?

    We are using the UserLookupHelper to get the user from the directory, but I didn't see any option to retrieve and access the operational attributes of the user as well.
    My next idea was then to solve this by using the ldap.utils introduced with the 10.0.1 ISVA version, but I haven't found any documentation or examples on how to retrieve operational attributes that way.

    The use case is that we would like to send an email to a user in case the user account gets locked because of too many password tries, but we only like to do that once. So we need to check first if the account was already locked, and for that reason, we would like to use the "pwdAccountLockedTime" operational attribute of the SDS.

    Thank you very much for any help!

    Best regards,
    Sascha

    ------------------------------
    Sascha Nägele
    ------------------------------


  • 2.  RE: ISVA: Get operational LDAP attribute (pwdAccountLockedTime) of basic users from SDS in InfoMap

    Posted Fri November 11, 2022 04:33 AM
    Hi Sascha,

    If you are using basic users I am not sure that they have this attribute. Usually this attribute is set on the user object under secauthority=default, and basic users don't have an entry in this subtree.
    Can you check if you are using basic users which only exist in one subtree, or if they are full users which also have an entry under secauthority=default.
    I suppose you have checked that this attribute actually exists in your LDAP?

    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 3.  RE: ISVA: Get operational LDAP attribute (pwdAccountLockedTime) of basic users from SDS in InfoMap

    Posted Fri November 11, 2022 06:56 AM
    Hi Laurent,

    thank you very much for your answer!
    Yes, we only have this challenge with basic users. 
    For full users, we can use the relevant attributes from the secauthority user metadata (e.g. secPwdUnlockTime, secPwdFailures etc.), but that is of course not possible with basic users.
    Nevertheless, the SDS has operational attributes that it automatically sets (based on the configured password policy), and that we could use to achieve our goal.
    The attributes are definitely there (at least when the user account is locked). This can be seen e.g. when inspecting the LDAP user with Apache Directory Studio:

    But the problem is, I can't access those attributes from within the InfoMap in the same way that we access "normal" (non-operational) attributes (e.g. with user.getAttribute("nameOfAttribute").
    I assume that this is due to the reason that the SDS is only returning operational attributes when explicitly requested, but I can't find any documentation on how to do that (except for https://community.ibm.com/community/user/security/blogs/nishant-singhai1/2020/05/14/examples-of-common-ldap-search , but this is for the SDS-internal idsldapsearch-tool. There it says: "+ A plus sign indicates that the operational attributes should be returned.")

    If you have any solution ideas, I would greatly appreciate them!

    Thank you and best regards,
    Sascha

    ------------------------------
    Sascha Nägele
    ------------------------------



  • 4.  RE: ISVA: Get operational LDAP attribute (pwdAccountLockedTime) of basic users from SDS in InfoMap

    Posted Wed January 25, 2023 10:17 AM
    So just in case someone else has this issue and is looking for a solution:
    I was not able to solve accessing the operational attributes of the SDS from the ISVA using the UserLookuphelper or the ldap.utils, but instead, it is possible to access them by using the SCIM interface of the ISVA.

    For that purpose, you just have to set up the SCIM interface for the desired SDS, e.g. as described in the MMFA cookbook.
    Afterward, you have to add all the operational attributes that you like to access to a new or existing user object (e.g. inetOrgPerson) class within the SDS (e.g. by the web administration tool, find the instructions here: https://www.ibm.com/docs/en/sdsu/8.0.1?topic=modification-using-web-administration).

    As soon as you added those, you can now select them in the attribute mapping of the ISVA SCIM configuration (AAC --> SCIM configuration --> Custom Schema Extensions, create a new schema there, then add the attributes as SourceType LDAP and you should be able to see the operational attributes in the "source attribute" dropdown. You can find the documentation here:

    https://www.ibm.com/docs/en/sva/10.0.4?topic=configuration-custom-schema-extensions



    ------------------------------
    Sascha Nägele
    ------------------------------