Replies: 10 - Pages: 1 - Last Post: Nov 10, 2009 4:43 PM - Last Post By: jlyin

TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Oct 30, 2009 02:23:28 PM
Hi, I have a requirement to modify the out-of-box TDI LDAP adapter. We want to exclude any groups that have objectclass=ibm-nestedGroup, and the user account membership returned in the recon by user from the nested group. Has anyone done that before? Thank you!
Re: TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Nov 02, 2009 08:36:46 AM, in response to: jlyin
The out-of-box adapter does not process nested groups, does it?
Rgds. YN.
Re: TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Nov 02, 2009 09:25:44 AM, in response to: yn2000
Hi YN, the out-of-box adapter does process nested groups. I just ran a recon with the out-of-box adapter; it brought back all the nested groups. Thanks!!
Re: TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Nov 03, 2009 06:53:23 AM, in response to: jlyin
Ahhh, you mean the name of the group is being reconciled to ITIM. But have you checked whether ITIM processes the members of the nested group? For example: U1 is a member of G1. U2 is a member of G2. G2 is a member of G1. Then after reconcile, do U1 and U2 become members of G1? I don't think so, because I don't see any loop in the Assembly Line.
Not only that: if you observe the target LDAP more thoroughly, I believe that the superior objectclass of your nested group is the group objectclass that you use for a filter, or something like that. What's more, if that is the case, then you should not filter out the nested group objectclass, because inside the nested group entry there could be a user member that you'll filter out. For example: U1 and G2 are members of G1. If the G1 entry is excluded, then U1's membership in G1 will also be excluded.
Rgds. YN.
Re: TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Nov 04, 2009 11:48:39 AM, in response to: yn2000
In this LDAP environment, no members should be assigned directly to any NESTED groups. To be a part of the NESTED GROUP, a member needs to be a part of the UN-NESTED GROUP that is part of the NESTED GROUP.
For example:
NESTED GROUP A
UN-NESTED GROUP B (MEMBER A)
This way MEMBER A is a part of GROUP B, and also GROUP A.
In ITIM, we expect the recon will bring back GROUP B but not GROUP A... and also MEMBER A. Under MEMBER A's account we only expect to see UN-NESTED GROUP B (but NOT NESTED GROUP A).
Furthermore, if a person were incorrectly placed into a nested group, ITIM recon will need to remove the user from the nested group based on the fact that the provisioning policy does not connect to GROUP A.
Do you think this is doable? Thank you so much for your time!!
Re: TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Nov 04, 2009 12:58:30 PM, in response to: jlyin
It is doable, but it is not easy ITDI scripting. For example, req. #2: recon needs to remove the user out of the nested group. How could you do that? Based on req. #1 there is no nested group data in the ITIM system. It's like asking the Provisioning Policy to remove group membership of a user from a group that does not exist. Therefore you need to perform all of the data manipulation in the ITDI scripting, such as ignoring the entry if objectclass=ibm-nestedGroup and replacing the member attribute with cn=nobody when you find objectclass=ibm-nestedGroup.
The solution will be simpler if you are allowed to modify existing LDAP data to inject something like an ibm-staticGroup objectclass for the un-nested group, so that your ITIM configuration can be designated to handle the ibm-staticGroup objectclass only. It is a somewhat painful process in the beginning, but it generates design clarity, including less maintenance in the future.
Rgds. YN.
Re: TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Nov 04, 2009 02:30:58 PM, in response to: yn2000
Hi YN, thanks for helping...
Since we already have another custom LDAP adapter, my boss was actually thinking not to make another custom LDAP adapter, otherwise there will be three different LDAP adapters. So I was thinking to make the modification in the out-of-box LDAP adapter and was hoping we can still use it for the other regular LDAP environments. But after reading your answer, I feel this is not possible, so I will have to make another custom LDAP adapter specifically for this LDAP environment.
I like your idea of having the new objectclass for un-nested groups... but I don't know if the business will want to do that. Will check with them anyway...
If I have to go down the path of performing data manipulation in the TDI scripts to ignore objectclass=ibm-nestedGroup, how do I do this? I can do this in the BeforeGetNext hook.
My other question is, can I do this in the filter, so the recon will bring in the un-nested groups? Thanks -
(&(objectclass=groupofuniquenames)(!(objectclass=ibm-nestedGroup)))
Re: TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Nov 04, 2009 07:04:47 PM, in response to: jlyin
Not tested:
One: (&(objectclass=groupofuniquenames)(!(objectclass=ibm-nestedGroup))) in the search filter of conLDAPGroup.
Two: ret.filter = "(&" + "(&(objectclass=groupofuniquenames)(!(objectclass=ibm-nestedGroup)))(" + UNIQUEMEMBER + "=" + work.getString(Packages.com.ibm.di.utils.LDAPAdapterUtils.USER_DN) + "))"; in the Link Criteria of conLDAPMembership.
Rgds. YN.
Re: TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Nov 06, 2009 11:33:22 AM, in response to: yn2000
Hi YN, thank you so much for helping.
I am able to bring in just the UN-NESTED groups now :-) This is what I did in the LDAPSearch AL's prolog. In the section for "group iterator connector and initialize", I had to change gConnConfig.setParameter
FROM:
gConnConfig.setParameter(
    Packages.com.ibm.di.utils.LDAPAdapterUtils.LDAP_SEARCH_FILTER,
    "(" + Packages.com.ibm.di.utils.LDAPAdapterUtils.OBJECTCLASS + "=" + gGrpObjectClass + ")");
TO:
gConnConfig.setParameter(
    Packages.com.ibm.di.utils.LDAPAdapterUtils.LDAP_SEARCH_FILTER,
    "(&(objectclass=groupofuniquenames)(!(objectclass=ibm-nestedGroup)))");
However, I am having a problem bringing in any users... I didn't apply your second suggestion, because I was just told that we want to bring in all accounts regardless of whether they are in a nested or un-nested group. This is the warning message I am getting from the ITIM recon:
CTGIMD014I 37 reconciliation entries were not processed for the following accounts: eruid=null; eruid=null; eruid=null;........
I am still trying to figure out what goes wrong with bringing in the users; they all have a valid userid, not NULL..
Thank you so much for your help and have a great weekend!
Lori
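The two filters YN suggested (the conLDAPGroup search filter and the conLDAPMembership Link Criteria filter) and the prolog change Lori posted above, worked through as an added example that is not part of this thread and is not TDI/ITIM adapter code. It builds both filters in Python, escapes the user DN per RFC 4515 before splicing it into the membership filter (the thread's string concatenation of work.getString(USER_DN) does not, so a DN containing "*", "(" or ")" would change the filter's meaning or break it), and evaluates the filters against a constructed in-memory directory mirroring Lori's NESTED GROUP A / UN-NESTED GROUP B scenario plus one person placed directly in the nested group, which is the case YN raised. The directory entries, the function names and the tiny filter evaluator are all assumptions for illustration; a real adapter sends these filters to the LDAP server instead of evaluating them locally.

```python
import re

GROUP_OC = "groupofuniquenames"
NESTED_OC = "ibm-nestedGroup"
UNIQUEMEMBER = "uniquemember"

# Constructed sample directory (not from the thread): Lori's scenario plus
# one person wrongly placed directly into the nested group. Attribute names
# are lower-cased and every value is a list, as an LDAP client sees them.
DIRECTORY = {
    "cn=Group A,ou=groups,o=example": {            # NESTED GROUP A
        "objectclass": ["top", GROUP_OC, NESTED_OC],
        "uniquemember": ["cn=Group B,ou=groups,o=example",
                         "uid=stray,ou=people,o=example"],
    },
    "cn=Group B,ou=groups,o=example": {            # UN-NESTED GROUP B
        "objectclass": ["top", GROUP_OC],
        "uniquemember": ["uid=member.a,ou=people,o=example"],
    },
    "uid=member.a,ou=people,o=example": {"objectclass": ["top", "inetorgperson"]},
    "uid=stray,ou=people,o=example": {"objectclass": ["top", "inetorgperson"]},
}

# The group search filter from the thread, and the unfiltered one it replaced.
UNNESTED_GROUP_FILTER = "(&(objectclass=%s)(!(objectclass=%s)))" % (GROUP_OC, NESTED_OC)
ANY_GROUP_FILTER = "(objectclass=%s)" % GROUP_OC


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def membership_filter(user_dn, exclude_nested=True):
    """The Link Criteria filter: groups the user is a direct uniqueMember of,
    with the DN escaped before it is spliced in."""
    base = UNNESTED_GROUP_FILTER if exclude_nested else ANY_GROUP_FILTER
    return "(&%s(%s=%s))" % (base, UNIQUEMEMBER, escape_filter_value(user_dn))


def _parse(f, i):
    """Parse one parenthesised filter item at f[i]; supports &, |, ! and
    equality/presence. Returns (node, index after the closing paren)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, f))
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        node = (op, kids)
    elif f[i] == "!":
        inner, i = _parse(f, i + 1)
        node = ("!", [inner])
    else:
        j = f.index("=", i)          # first '=' ends the attribute name
        k = f.index(")", j)          # escaped values contain no literal ')'
        node = ("=", f[i:j].lower(), f[j + 1:k])
        i = k
    if i >= len(f) or f[i] != ")":
        raise ValueError("expected ')' at %d in %r" % (i, f))
    return node, i + 1


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_match(n, entry) for n in node[1])
    if kind == "|":
        return any(_match(n, entry) for n in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    _, attr, raw = node
    if raw == "*":                   # presence test, e.g. (uniquemember=*)
        return attr in entry
    wanted = _unescape(raw).lower()
    return any(v.lower() == wanted for v in entry.get(attr, []))


def search(filter_str, directory=DIRECTORY):
    """Return the sorted DNs in `directory` matching `filter_str`."""
    tree, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing text after filter: %r" % filter_str[end:])
    return sorted(dn for dn, entry in directory.items() if _match(tree, entry))


def groups_for_recon():
    """What the group iterator returns with Lori's modified search filter."""
    return search(UNNESTED_GROUP_FILTER)


def groups_of(user_dn, exclude_nested=True):
    """What the membership lookup returns for one user."""
    return search(membership_filter(user_dn, exclude_nested))


if __name__ == "__main__":
    print("groups in recon:", groups_for_recon())
    for dn in ("uid=member.a,ou=people,o=example", "uid=stray,ou=people,o=example"):
        print(dn, "->", groups_of(dn), "| all groups:", groups_of(dn, exclude_nested=False))
```

With the nested-group exclusion on both filters, the recon returns only Group B and member.a is reported in Group B only; the stray account placed directly in nested Group A shows no group at all, which is YN's point that ITIM then cannot see (let alone remove) that membership. Without the exclusion on the membership filter, the same lookup does return Group A for the stray account. The escaping matters because a DN value of "*" spliced in raw becomes a presence test that matches every un-nested group, while the escaped "\2a" matches nothing.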
Re: TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Nov 06, 2009 12:16:48 PM, in response to: jlyin
The second suggestion is not for filtering the user, but filtering the group membership of a user.
Please try that. Hopefully it is correlated with your error.
Rgds. YN.
Re: TDI LDAP adapter - modify search filter to exclude certain groups
Posted: Nov 10, 2009 04:43:44 PM, in response to: yn2000
Hi YN,
I didn't have to include the second suggestion for group membership. The recon is excluding the nested group, but ITIM needs to know when a user is in a nested group. I was able to get the adapter working by just adding the filter on the out-of-box adapter. Thank you so much!