用于编写采用策略的 JavaScript 示例

IBM® Security Identity Manager 管理员可以使用 JavaScript 示例来编写采用策略。

示例 1

以下示例显示一个简单脚本,该脚本用于将帐户用户标识与人员的别名字段进行匹配。

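/* Escape a value for use inside an LDAP search filter (RFC 4515).
   "\", "*", "(", ")" and NUL would otherwise change the meaning of the filter
   (an unescaped "*" in an account user ID turns the filter into a wildcard).
   The backslash is replaced first so the other escape sequences are not escaped twice.
   String() is applied first so .replace() is available even if the engine hands the
   attribute value back as a non-JS string object -- verify for the engine in use. */
function ldapFilterEscape(value) {
	return String(value)
		.replace(/\\/g, "\\5c")
		.replace(/\*/g, "\\2a")
		.replace(/\(/g, "\\28")
		.replace(/\)/g, "\\29")
		.replace(/\u0000/g, "\\00");
}

/* Match the account user ID against the eraliases attribute of a person.
   The user ID comes from the managed resource, so it is escaped before it is
   embedded in the filter. The search arguments (empty first argument, filter,
   scope 2 = sub-tree) are the same as in the unescaped form of this example. */
var ps = new PersonSearch();
var filter = "(eraliases=" + ldapFilterEscape(subject.eruid[0]) + ")";
return ps.searchByFilter("", filter, 2);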

示例 2

此示例是较为复杂的样本,您可以将其用于孤立帐户采用。 此脚本使用下面三种战略来推断帐户的所有者:
  1. 找到单个其 eraliases 条目与帐户 eruid 字段相匹配的人员。
  2. 如果此动作生成多个匹配项,并且新条目具有 cn 字段,请在匹配列表中找到其 cn 字段与帐户 cn 字段相匹配的项。
  3. 如果第一步中未获得任何匹配项,请在主服务(例如 Windows Active Directory 服务)中查找匹配帐户(同一 eruid)。 如果此帐户具有所有者,请使用该人员。 如果这三个战略都失败,那么将返回 Null,这会生成孤立帐户。
    注: 日志消息将写入脚本类别的消息日志。

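var entryUid = subject.eruid[0];
Enrole.log("script", "Starting script for eruid=" + entryUid);
/* change the following value to the name of the master service: */
/* var masterServiceName = "Master AD Service";
*/
var masterServiceName = "NT4 (local)";
/* change the following value to the service profile name of the master service: 
    This change is required only if the profile of master service and profile of the
    service for which the adoption policy is defined are different */
/* var serviceProfileNameOfMasterService = "ADProfile";
*/

/* Escape a value for use inside an LDAP search filter (RFC 4515).
 * The account's eruid comes from the managed resource; an unescaped "*", "(",
 * ")" or "\" in it would change the meaning of the filter (a "*" would match
 * every person). The backslash is replaced first so the other escape
 * sequences are not escaped twice. String() is applied first so .replace()
 * is available even if the engine hands back a non-JS string object --
 * verify for the engine in use. */
function ldapFilterEscape(value) {
	return String(value)
		.replace(/\\/g, "\\5c")
		.replace(/\*/g, "\\2a")
		.replace(/\(/g, "\\28")
		.replace(/\)/g, "\\29")
		.replace(/\u0000/g, "\\00");
}

/* scriptResult stays null (-> orphan account) unless one of the three
 * strategies below identifies an owner. */
var scriptResult = null;
var personsearch = new PersonSearch();
var filter = "(eraliases=" + ldapFilterEscape(entryUid) + ")";
var psResult = personsearch.searchByFilter("", filter, 2);
/* A null search result is treated like "no match" rather than dereferenced. */
if (psResult != null && psResult.length == 1) {
	/* strategy 1: found one person with matching alias */
	Enrole.log("script", "single match for eraliases=" + entryUid);
	scriptResult = psResult;
}
else if (psResult != null && psResult.length > 1) {
	/* strategy 2: more than one person matched alias.
	 * if the account has a "cn" attribute value, see if this matches 
	 * the "cn" of one of them. The first person whose cn matches wins.
	 */
	Enrole.log("script", "multiple matchs for eraliases=" + entryUid);
	var entryCn = subject.cn;
	if (typeof entryCn != "undefined") {
		Enrole.log("script", "checking cn=" + entryCn[0]);
		/* "var" keeps idx local to the script instead of an implicit global */
		for (var idx = 0; idx < psResult.length; ++idx) {
			var cn1 = psResult[idx].getProperty("cn");
			/* getProperty() is assumed to return an array of values; the null
			 * guard covers a person without any cn -- TODO confirm the API */
			if (cn1 != null && cn1.length != 0 && cn1[0] == entryCn[0]) {
				/* we found a match for the cn */
				scriptResult = psResult[idx];
				break;
			}
		}
	}
	else {
		Enrole.log("script", "cn field not defined for eruid=" + entryUid);
	}
}
else {
	/* strategy 3: no person matched specified alias.
	    See if there is a matching account uid in the company Active Directory */
	var acctSearch = new AccountSearch();
	 /* Method acctSearch.searchByUidAndService(entryUid, masterServiceName) is used
       if the profile of the master service is same as the profile of the service 
       for which the adoption policy is defined.
       If the profile of master service and the profile of the service for which the
       adoption policy is defined are different then the profile name of the master 
       service is passed to the searchByUidAndService() method as follows–
       var asResult = acctSearch.searchByUidAndService(entryUid, masterServiceName,
       serviceProfileNameOfMasterService); */
   var asResult = acctSearch.searchByUidAndService(entryUid, masterServiceName);
   if (asResult != null && asResult.length == 1) {
		/* found a matching AD account -- use this accounts owner, 
		   if it is not an orphan */
		var owner = asResult[0].getProperty("owner");
		/* owner is assumed to be an array of DNs; null is treated as "no owner" */
		if (owner != null && owner.length == 1) {
			var owner_dn = owner[0];
			Enrole.log("script", "single match for service " + masterServiceName + " uid=" 
       + entryUid + ", returning person with dn=" + owner_dn);
			scriptResult = new Person(owner_dn);
		}
		else {
			Enrole.log("script", "service " + masterServiceName + " uid=" 
       + entryUid + " is an orphan");
		}
	}
	else {
		Enrole.log("script", "No match or more than one match for uid=" + entryUid 
     + " on master service " + masterServiceName);
	}
}
return scriptResult;
/* end of script */ 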

示例 3

以下示例用于核实人员的姓名(在 Linux 中为 gecos 字段)是否与其在 IBM Security Identity Manager 中的全名相匹配。

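/*
 * OrphanAdoption JavaScript
 *
 * Builds an OR filter over every gecos value of the account,
 * (|(cn=v1)(cn=v2)...), and returns the persons whose cn matches one of them.
 */

/* Escape a value for use inside an LDAP search filter (RFC 4515).
 * gecos comes from the managed resource (a free-text field on Linux), so an
 * unescaped "*", "(", ")" or "\" in it would change the meaning of the filter.
 * The backslash is replaced first so the other escape sequences are not
 * escaped twice. String() is applied first so .replace() is available even
 * if the engine hands back a non-JS string object -- verify for the engine in use. */
function ldapFilterEscape(value) {
    return String(value)
        .replace(/\\/g, "\\5c")
        .replace(/\*/g, "\\2a")
        .replace(/\(/g, "\\28")
        .replace(/\)/g, "\\29")
        .replace(/\u0000/g, "\\00");
}

/* No gecos values -> nothing to match; an empty "(|)" is not a valid filter,
 * so an empty value list is treated the same as a missing attribute. */
if (subject["gecos"] == null || subject["gecos"].length == 0) {
    return null;
} else {
    var buf = "(|";

    /* "var" keeps i local to the script instead of an implicit global */
    for (var i = 0; i < subject["gecos"].length; i++) {
        buf += "(cn=" + ldapFilterEscape(subject["gecos"][i]) + ")";
    }

    buf += ")";

    var ps = new PersonSearch();
    /* Have to use sub-tree search type (2) */
    return ps.searchByFilter("Person", buf, 2);
}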

示例 4

此示例使用新的 JavaScript API ExtendedPerson 将“root”帐户作为“系统”帐户采用,并将其他帐户作为“个人”帐户采用。
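/*
 * OrphanAdoption JavaScript
 *
 * Looks up persons whose uid matches one of the account's eruid values and,
 * when exactly one person is found, adopts a "root" account as a "System"
 * account (via ExtendedPerson) and any other account as a plain person.
 */

/* Escape a value for use inside an LDAP search filter (RFC 4515).
 * eruid comes from the managed resource; an unescaped "*", "(", ")" or "\"
 * in it would change the meaning of the filter (a "*" would match every
 * person). The backslash is replaced first so the other escape sequences
 * are not escaped twice. String() is applied first so .replace() is
 * available even if the engine hands back a non-JS string object --
 * verify for the engine in use. */
function ldapFilterEscape(value) {
    return String(value)
        .replace(/\\/g, "\\5c")
        .replace(/\*/g, "\\2a")
        .replace(/\(/g, "\\28")
        .replace(/\)/g, "\\29")
        .replace(/\u0000/g, "\\00");
}

/* No eruid values -> nothing to match; an empty "(|)" is not a valid filter,
 * so an empty value list is treated the same as a missing attribute. */
if (subject["eruid"] == null || subject["eruid"].length == 0) {
    return null;
} else {
    /* OR filter over every eruid value: (|(uid=v1)(uid=v2)...) */
    var buff = '(|';
    /* "var" keeps i local to the script instead of an implicit global */
    for (var i = 0; i < subject["eruid"].length; i++) {
        buff += '(uid=' + ldapFilterEscape(subject["eruid"][i]) + ')';
    }
    buff += ')';

    var ps = new PersonSearch();
    var searchResult = ps.searchByFilter("", buff, 2);
    if (searchResult != null && searchResult.length == 1) {
        var person = searchResult[0];

        // If it is a "root" account, adopt it as a "System" account;
        // otherwise, adopt it as an "Individual" account by default.
        // Only the first eruid value is inspected for this decision.
        if (subject.eruid[0] == "root") {
            return new ExtendedPerson(person, "System");
        } else {
            return person;
        }
    } else if (searchResult != null && searchResult.length > 1) {
        /* Ambiguous: return all candidates unchanged */
        return searchResult;
    } else {
        return null;
    }
}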