Hi Franz,
This is the dump of the conn object:
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - CTGDIS003I *** Start dumping Entry
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - Operation: modify
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - Entry attributes:
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - secDN (replace): 'uid=testaccount,ou=corporate,o=company,c=nl'
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - sn (replace): 'Brink, Paul'
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - mail (replace): 'paul.brink@company.nl'
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - secAcctValid (replace): 'true'
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - cn (replace): 'Paul'
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - principalName (replace): 'testaccount'
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - description (replace): 'BY TDI 05/01/21 08:54'
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - secPwdValid (replace): 'false'
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - userPassword (replace): 'zXiUpZkObE5837'
2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - CTGDIS004I *** Finished dumping Entry
Regards,
------------------------------
Paul van den Brink
------------------------------
Original Message:
Sent: Mon January 04, 2021 10:43 AM
From: Franz Wolfhagen
Subject: SDI ISAMConnector
What is your conn object in the ISAM Connector - can you show that - you can dump it in the Before Add hook like this :
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Mon January 04, 2021 09:53 AM
From: Paul van den Brink
Subject: SDI ISAMConnector
Hi Franz,
The object classes are fully populated:
$ ldapsearch -D cn=root -w passw0rd -h tam-dev.nl.company.com -p 389 -b ou=corporate,o=company,c=nl "(uid=testaccount)" "*"
uid=testaccount,ou=corporate,o=company,c=nl
uid=testaccount
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetOrgPerson
objectClass=ePerson
description=BY TDI 04/01/21 15:26
sn=Brink, Paul
cn=testaccount
I came across this article and managed to enable the rgy logging:
https://www.ibm.com/support/pages/how-enable-isam-registry-direct-logging-security-directory-integrator
This log still gave me no clue. Find it attached.
The mail attribute is not mentioned in the rgyDirect.log.0 file.
I wonder if I need to provide a list with additional (non-standard) attributes to the ISAMConnector so it knows that they need to be processed.
Also I noticed now that the cn which I provide in the AL is not honored, it always uses the principalName instead.
Regards,
------------------------------
Paul van den Brink
Original Message:
Sent: Mon January 04, 2021 08:46 AM
From: Franz Wolfhagen
Subject: SDI ISAMConnector
Looking at your audit log :
entry: uid=testaccount,ou=corporate,o=company,c=nl
attributes: uid, userPassword, objectClass, description, sn, cn
This tells me that mail somehow is not updated. This does not tell anything about the reason though...
One guess could be your objectclass is not fully populated - the mail attribute is from inetOrgPerson - but the whole set is ["top","person","organizationalPerson","inetOrgPerson"] in SDI terms - is that the same in your case?
We can rule out ACLs as you are running as sec_master.
If you run your code through the SDI debugger you can see the conn object - does this show the correct mail value (you can also dump the conn object in a relevant hook, e.g. Before Add).
I am not sure your attempt to use the log4j logger will work - the instructions are talking about java logging - so you would probably need to add it to the server startup script of your SDI installation - also be aware that etc/log4j.properties may not be the one referenced in your solution.properties (this is the case when you run ISIM/IGI adapters).
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
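The objectClass question above (is mail allowed by the entry's classes at all?) can be answered mechanically from the ldapsearch output posted earlier in the thread. The following is an added example, not code from this thread or from IBM: it parses the attribute=value output of the SDS ldapsearch command and checks each wanted attribute against a constructed subset of the standard MUST/MAY lists from RFC 4519 (person, organizationalPerson) and RFC 2798 (inetOrgPerson). IBM's ePerson class is deliberately not modelled and is reported as unknown, and a second, constructed entry without inetOrgPerson is included to show the failing case, so the check goes a little beyond the single entry in the thread.

```python
"""Check whether an entry's objectClass set allows an attribute.

Added example, not code from this thread or from IBM. It parses the
attribute=value output of the SDS ldapsearch command quoted in the thread
and answers: can the entry hold 'mail' at all, given its objectClass values?
SCHEMA is a constructed subset of RFC 4519 / RFC 2798; ePerson (IBM) is not
modelled on purpose. Names are compared case-insensitively, as LDAP does.
"""

# Constructed sample, copied from the ldapsearch output in the thread.
LDAPSEARCH_OUTPUT = """\
uid=testaccount,ou=corporate,o=company,c=nl
uid=testaccount
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetOrgPerson
objectClass=ePerson
description=BY TDI 04/01/21 15:26
sn=Brink, Paul
cn=testaccount
"""

# Constructed second entry without inetOrgPerson, to show the failing case.
MINIMAL_ENTRY = """\
cn=other,ou=corporate,o=company,c=nl
objectClass=top
objectClass=person
objectClass=organizationalPerson
sn=Other
cn=other
"""

# objectClass -> (MUST, MAY); constructed subset of the standard schema.
SCHEMA = {
    "top": (set(), set()),
    "person": ({"sn", "cn"}, {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": (set(), {"title", "ou", "l", "st", "street", "postalcode", "postaladdress"}),
    "inetorgperson": (set(), {"mail", "uid", "givenname", "displayname", "mobile", "employeenumber", "manager"}),
}


def parse_ldapsearch(text):
    """Split SDS ldapsearch output (DN line, then attr=value lines, blank line
    between entries) into entries with lower-cased attribute names."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None          # a blank line ends the entry
            continue
        if current is None:
            current = {"dn": line, "attrs": {}}
            entries.append(current)
            continue
        name, sep, value = line.partition("=")
        if sep:
            current["attrs"].setdefault(name.lower(), []).append(value)
    return entries


def attribute_providers(objectclasses, attr):
    """Return (classes that allow attr, classes not in the schema table)."""
    attr = attr.lower()
    providers, unknown = [], []
    for oc in objectclasses:
        must_may = SCHEMA.get(oc.lower())
        if must_may is None:
            unknown.append(oc)
        elif attr in must_may[0] or attr in must_may[1]:
            providers.append(oc)
    return providers, unknown


def check_entry(entry, wanted):
    """For each wanted attribute, say whether it is present and whether the
    entry's objectClass values allow it at all."""
    report = {}
    ocs = entry["attrs"].get("objectclass", [])
    for attr in wanted:
        providers, unknown = attribute_providers(ocs, attr)
        if attr.lower() in entry["attrs"]:
            verdict = "present"
        elif providers:
            verdict = "missing-but-allowed"      # schema is fine; look at the writer
        elif unknown:
            verdict = "missing-unknown-schema"   # an unmodelled class might allow it
        else:
            verdict = "missing-not-allowed"      # the write would violate schema
        report[attr] = {"verdict": verdict, "providers": providers, "unknown_classes": unknown}
    return report


if __name__ == "__main__":
    for e in parse_ldapsearch(LDAPSEARCH_OUTPUT + "\n" + MINIMAL_ENTRY):
        print(e["dn"], check_entry(e, ["mail", "sn"]))
```

For the entry from the thread the verdict for mail is "missing-but-allowed" (inetOrgPerson permits it), which is the same conclusion the thread reaches: the schema is not what blocks the write, so the connector side needs the attention.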
Original Message:
Sent: Mon January 04, 2021 08:09 AM
From: Paul van den Brink
Subject: SDI ISAMConnector
Hi Franz,
Thanks for taking an interest in this issue.
Yes the creation of the user with the standard attributes works.
The audit.log is not giving me any clue: you can see the user being added, but the mail attribute is not.
AuditV3--2021-01-04T13:47:56.949000+1:00--V3 Add--bindDN: cn=SecurityMaster,secAuthority=Default--client: 10.38.66.254:1658--connectionID: 916--received: 2021-01-04T13:47:56.929000+1:00--Success
operationResponseTime: 20
timeOnWorkQ: 0
rdbmLockWaitTime: 0
clientIOTime: 0
entry: uid=testaccount,ou=corporate,o=company,c=nl
attributes: uid, userPassword, objectClass, description, sn, cn
AuditV3--2021-01-04T13:47:56.963000+1:00--V3 Add--bindDN: cn=SecurityMaster,secAuthority=Default--client: 10.38.66.254:1658--connectionID: 916--received: 2021-01-04T13:47:56.952000+1:00--Success
operationResponseTime: 11
timeOnWorkQ: 0
rdbmLockWaitTime: 0
clientIOTime: 0
entry: principalName=testaccount,cn=Users,secAuthority=employee,cn=Subdomains,secAuthority=Default
attributes: secLoginType, secDomainId, secPwdValid, principalName, objectClass, secAcctValid, secDN, secHasPolicy, secUUID, secAuthority, secPwdLastChanged
I've tried to enable logging for the rgy component but failed. I've added the following lines to the log4j.properties file in the etc directory of SDI:
log4j.logger.com.tivoli.pd.rgy.authz=DEBUG
log4j.logger.com.tivoli.pd.rgy.ldap=DEBUG
No additional lines were visible in the log.
Regards,
------------------------------
Paul van den Brink
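The diagnostic this thread converges on is a comparison of two outputs: the conn object dump that SDI writes from a hook (the CTGDIS003I/CTGDIS004I block posted at the top of the thread) and the AuditV3 records that SDS writes for the resulting Add (posted above). An attribute that is in conn but in no audit record's attribute list is one the connector silently dropped. The following is an added example, not code from this thread or from IBM: it parses both formats and reports exactly that difference. The sample text is constructed from the two posts; the password value is replaced by a placeholder, and the timing fields are trimmed to one per record.

```python
"""Cross-check an SDI conn-object dump against the SDS audit log.

Added example, not code from this thread or from IBM. It parses the two text
formats quoted in this thread: the CTGDIS003I/CTGDIS004I entry dump that SDI
writes when the conn object is dumped from a hook, and the AuditV3 records
written by IBM Security Directory Server. Attributes that the connector had
in conn but that no audit record lists as written are the ones to chase.
The samples are constructed from the thread; the password is a placeholder.
"""
import re

_PREFIX = "2021-01-05 08:54:32,571 INFO [AssemblyLine.AssemblyLines/AL_ADToTAM] - "
CONN_DUMP = "\n".join(_PREFIX + s for s in [
    "CTGDIS003I *** Start dumping Entry",
    "Operation: modify",
    "Entry attributes:",
    "secDN (replace): 'uid=testaccount,ou=corporate,o=company,c=nl'",
    "sn (replace): 'Brink, Paul'",
    "mail (replace): 'paul.brink@company.nl'",
    "cn (replace): 'Paul'",
    "principalName (replace): 'testaccount'",
    "userPassword (replace): '<placeholder>'",
    "CTGDIS004I *** Finished dumping Entry",
])

AUDIT_LOG = """\
AuditV3--2021-01-04T13:47:56.949000+1:00--V3 Add--bindDN: cn=SecurityMaster,secAuthority=Default--client: 10.38.66.254:1658--connectionID: 916--received: 2021-01-04T13:47:56.929000+1:00--Success
operationResponseTime: 20
entry: uid=testaccount,ou=corporate,o=company,c=nl
attributes: uid, userPassword, objectClass, description, sn, cn
AuditV3--2021-01-04T13:47:56.963000+1:00--V3 Add--bindDN: cn=SecurityMaster,secAuthority=Default--client: 10.38.66.254:1658--connectionID: 916--received: 2021-01-04T13:47:56.952000+1:00--Success
operationResponseTime: 11
entry: principalName=testaccount,cn=Users,secAuthority=employee,cn=Subdomains,secAuthority=Default
attributes: secLoginType, secDomainId, secPwdValid, principalName, objectClass, secAcctValid, secDN, secHasPolicy, secUUID, secAuthority, secPwdLastChanged
"""

# One dumped attribute: "<name> (<mode>): '<value>'" after the log prefix.
_DUMP_ATTR = re.compile(r" - (?P<name>[\w;-]+) \((?P<mode>\w+)\): '(?P<value>.*)'$")


def parse_conn_dump(text):
    """Return {'operation': ..., 'attributes': {name: (mode, value)}} from the
    lines between CTGDIS003I and CTGDIS004I."""
    entry = {"operation": None, "attributes": {}}
    inside = False
    for line in text.splitlines():
        if "CTGDIS003I" in line:
            inside = True
        elif "CTGDIS004I" in line:
            break
        elif inside and " - Operation: " in line:
            entry["operation"] = line.split(" - Operation: ", 1)[1].strip()
        elif inside:
            m = _DUMP_ATTR.search(line)
            if m:
                entry["attributes"][m.group("name")] = (m.group("mode"), m.group("value"))
    return entry


def parse_audit_log(text):
    """Return one dict per AuditV3 record: timestamp, operation, result,
    entry DN, attribute list and the remaining 'key: value' fields."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AuditV3--"):
            parts = line.split("--")          # header fields are '--' separated
            current = {"timestamp": parts[1], "operation": parts[2], "result": parts[-1],
                       "entry": None, "attributes": [], "fields": {}}
            for part in parts[3:-1]:
                key, _, value = part.partition(": ")
                current["fields"][key] = value
            records.append(current)
        elif current is not None:             # continuation lines are 'key: value'
            key, _, value = line.partition(": ")
            if key == "entry":
                current["entry"] = value
            elif key == "attributes":
                current["attributes"] = [a.strip() for a in value.split(",")]
            else:
                current["fields"][key] = value
    return records


def attributes_not_written(conn_entry, records, connection_id=None):
    """Attributes present in conn that no successful audit record (optionally
    restricted to one LDAP connectionID) lists as written."""
    written = set()
    for rec in records:
        if rec["result"] != "Success":
            continue
        if connection_id and rec["fields"].get("connectionID") != connection_id:
            continue
        written.update(rec["attributes"])
    return sorted(a for a in conn_entry["attributes"] if a not in written)


if __name__ == "__main__":
    conn = parse_conn_dump(CONN_DUMP)
    print("conn had:", sorted(conn["attributes"]))
    print("not written by SDS:", attributes_not_written(conn, parse_audit_log(AUDIT_LOG)))
```

Both audit records are counted because the ISAM connector spreads one user over two LDAP entries (the inetOrgPerson entry and the secAuthority entry), so secDN, principalName and the sec* attributes legitimately show up only in the second record. On the sample data the only attribute left over is mail, which matches what the thread observes.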
Original Message:
Sent: Mon January 04, 2021 03:55 AM
From: Franz Wolfhagen
Subject: SDI ISAMConnector
It is difficult to understand why SDI is not doing as expected from your description.
I have worked with the ISAM V2 Connector a couple of times - and the only problem I have had was in the membership handling which I had to recode and sent back to the lab for correction :-).
The major difference between the old and the new ISAM connector is the underlying API - the old one uses the Java API and is limited by that, whereas the new one is using the RGY API which is basically an LDAP wrapper API.
So the first questions will be:
- Are you on latest SDI level
- Are you running JRE 8
- Does switching on debugging in SDI show something
- Have you tried to trace the RGY API as documented here: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.5/com.ibm.isam.doc/develop/adminj/ameb_adminjava_guide/concept/con_err_trace_log.html
I am asking on the assumption that you can create a user with the standard attributes (i.e. your RGY API setup is working correctly) - but only the mail attribute is failing.
You may also want to check the ibmslapd.log on the SDS side (or, even better, if you have audit switched on, the audit log) as this may reveal the root cause.
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Mon January 04, 2021 02:59 AM
From: Paul van den Brink
Subject: SDI ISAMConnector
Hi,
Need some help with SDI.
We are using SDI for years already to populate ISAM (using SDS) with accounts found in AD. To do this we use the "IBMSecurityAccessManagerConnector", which works fine and does the job.
Now the business also wants to populate the mail attribute of the accounts found in AD. So I turned to the newer "IBMSecurityAccessManagerv2Connector" because (I'll quote the manual here) "It also provides access to most of the underlying registry user attributes and the attributes available through the traditional IBM Security Access Manager Java API".
But whatever I try, the mail attribute in the SDS ldap entry stays empty.
- I've verified that work.mail has the accurate value read from AD
- I've tried the AddOnly mode and the Update mode
Below a screenprint of the adapter settings.
Can someone help me with a working example or point me in the right direction?
Regards,
------------------------------
Paul van den Brink
------------------------------