Hi Laurent,
thank you very much for your answer!
Yes, we only have this challenge with basic users.
For full users, we can use the relevant attributes from the secauthority user metadata (e.g. secPwdUnlockTime, secPwdFailures etc.), but that is of course not possible with basic users.
Nevertheless, the SDS has operational attributes that it automatically sets (based on the configured password policy), and that we could use to achieve our goal.
The attributes are definitely there (at least when the user account is locked). This can be seen e.g. when inspecting the LDAP user with Apache Directory Studio:
But the problem is, I can't access those attributes from within the InfoMap in the same way that we access "normal" (non-operational) attributes (e.g. with user.getAttribute("nameOfAttribute")).
I assume that this is because the SDS only returns operational attributes when explicitly requested, but I can't find any documentation on how to do that (except for https://community.ibm.com/community/user/security/blogs/nishant-singhai1/2020/05/14/examples-of-common-ldap-search, but this is for the SDS-internal idsldapsearch tool. There it says: "+ A plus sign indicates that the operational attributes should be returned."). If you have any solution ideas, I would greatly appreciate them!
Thank you and best regards,
Sascha
------------------------------
Sascha Nägele
------------------------------
Original Message:
Sent: Fri November 11, 2022 04:32 AM
From: Laurent LA Asselborn
Subject: ISVA: Get operational LDAP attribute (pwdAccountLockedTime) of basic users from SDS in InfoMap
Hi Sascha,
If you are using basic users I am not sure that they have this attribute. Usually this attribute is set on the user object under secauthority=default, and basic users don't have an entry in this subtree.
Can you check if you are using basic users which only exist in one subtree, or if they are full users which also have an entry under secauthority=default?
I suppose you have checked that this attribute actually exists in your LDAP?
------------------------------
Laurent LA Asselborn
Original Message:
Sent: Thu November 10, 2022 05:06 AM
From: Sascha Nägele
Subject: ISVA: Get operational LDAP attribute (pwdAccountLockedTime) of basic users from SDS in InfoMap
Hi everyone,
from within an InfoMap, we are currently trying to retrieve operational attributes of basic users (or more specifically, the "pwdAccountLockedTime" attribute) stored in a Security Directory Server.
Is there any way to achieve this?
We are using the UserLookupHelper to get the user from the directory, but I didn't see any option to retrieve and access the operational attributes of the user as well.
My next idea was then to solve this by using the ldap.utils introduced with the 10.0.1 ISVA version, but I haven't found any documentation or examples on how to retrieve operational attributes that way.
The use case is that we would like to send an email to a user in case the user account gets locked because of too many password tries, but we only want to do that once. So we need to check first if the account was already locked, and for that reason, we would like to use the "pwdAccountLockedTime" operational attribute of the SDS.
Thank you very much for any help!
Best regards,
Sascha
------------------------------
Sascha Nägele
------------------------------
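The notify-once check from the original post, as an added example that is not part of the thread and not IBM ISVA or SDS code: it reads an LDIF entry of the kind an `idsldapsearch` run with the `+` attribute selector prints (the sample entry, DN and timestamps are constructed for this example) and reports a lock only the first time a given pwdAccountLockedTime value is seen for that DN.

```python
from datetime import datetime, timezone

# Constructed sample: LDIF for a locked basic user as returned when operational
# attributes are explicitly requested. All values are made up for this example.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
mail: jdoe@example.com
pwdChangedTime: 20221001120000Z
pwdFailureTime: 20221110040401Z
pwdFailureTime: 20221110040455Z
pwdFailureTime: 20221110040532Z
pwdAccountLockedTime: 20221110040532Z
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Attribute names are lower-cased because LDAP names are case-insensitive;
    comments and blank lines are skipped and folded continuation lines (leading
    space) are re-joined. Base64 ('::') values are not decoded here.
    """
    entry, last = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line[0] == " " and last:
            entry[last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        entry.setdefault(last, []).append(value.strip())
    return entry


def lock_time(entry):
    """pwdAccountLockedTime is a GeneralizedTime (YYYYmmddHHMMSSZ); None if unlocked."""
    values = entry.get("pwdaccountlockedtime")
    if not values:
        return None
    return datetime.strptime(values[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def should_notify(entry, notified):
    """Return True only for a lock not yet mailed about; `notified` maps
    DN -> lock time already handled and is updated in place."""
    locked_at = lock_time(entry)
    if locked_at is None:
        return False
    dn = entry["dn"][0]
    if notified.get(dn) == locked_at:
        return False
    notified[dn] = locked_at
    return True
```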