Specify the attributes to add to the credential
The attributes to add to the credential are configured in several stanzas.
About this task
Add this information to the WebSEAL configuration file.
Review the following example entries:
```ini
[TAM_CRED_ATTRS_SVC]
eperson = azn_cred_registry_id
group = cn=enterprise, o=tivoli
[TAM_CRED_ATTRS_SVC:eperson]
tagvalue_credattrs_lastname = sn
tagvalue_credattrs_employeetype = employeetype
tagvalue_credattrs_address = homepostaladdress
tagvalue_credattrs_email = mail
[TAM_CRED_ATTRS_SVC:group]
tagvalue_credattrs_businesscategory = businesscategory
```
The stanza name [TAM_CRED_ATTRS_SVC] is the service ID. Each entry in this stanza names a source of attributes to be retrieved. The source names, such as eperson and group, are labels that you define; they identify a location in the registry. The value of each source entry is either a registry identifier (a DN) that exists in the registry, or the name of an existing credential attribute. In the latter case the service automatically looks up that credential attribute and uses its value as the registry identifier; for example, azn_cred_registry_id holds the registry DN of the authenticated user, so the eperson source resolves to that user's entry. Each [TAM_CRED_ATTRS_SVC:source] stanza then maps registry attributes of that source to credential attributes: the value is the registry attribute to read, and the keyword, without its tagvalue_ prefix, is the name of the attribute added to the credential (as the attribute list below shows).
Procedure
For example, in an LDAP user registry, the DN for a user might be
cn=joeuser, o=tivoli
For this user, the LDAP user registry entries might be:
sn=Smith
employeetype=bankteller
homepostaladdress="3004 Mission St Santa Cruz CA 95060"
mail=joeuser@bigco.com
For the group cn=enterprise,o=tivoli, the LDAP group registry entry might be:
businesscategory=finance
Using these example configuration entries, the attribute list returned has the following entries:
| Attribute name | Attribute value |
|---|---|
| credattrs_lastname | Smith |
| credattrs_employeetype | bankteller |
| credattrs_address | 3004 Mission St Santa Cruz CA 95060 |
| credattrs_email | joeuser@bigco.com |
| credattrs_businesscategory | finance |
Note that the service, source, and attributes can be multi-valued. If you use the same attribute name as the keyword of more than one stanza entry, the retrieved values are combined into one multi-valued attribute, even when they come from different sources.
For example, more than one entitlement service can be chained, so that values retrieved by one service become input values for another. Likewise, attributes can be retrieved from more than one DN in the user registry. Thus, extending the example above, you could collect the businesscategory values of several users (DNs) into one credattrs_businesscategory attribute if you wanted a list of all businesscategory entries for a group of users.
The following entries, for example, define a service myID with one source taken from the azn_cred_authzn_id credential attribute and repeat the keyword myemployeeinfo, so the values of the registry attributes lastname and employeetype are added as a single multi-valued credential attribute:
```ini
[myID]
source = azn_cred_authzn_id
[myID:source]
myemployeeinfo = lastname
myemployeeinfo = employeetype
```
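To make the resolution rules above concrete (source value resolved through the credential or used as a literal DN, keyword mapped to a credential attribute name, repeated keywords and multiple DNs accumulating into one multi-valued attribute), here is an added simulator written for this page. It is not WebSEAL's code: the stanza parser and resolution logic are a hypothetical re-implementation of the documented behaviour, and the in-memory registry, the credential (including the hypothetical team_members attribute) and the second TEAM_SVC service are constructed test data. The page's own example is reproduced as the first service so the simulator's output can be checked against the attribute table above.

```python
"""Simulator for the [TAM_CRED_ATTRS_SVC] stanzas described on this page.
Added illustration, not WebSEAL code: the parser and resolution rules are a
hypothetical re-implementation of the documented behaviour, and the registry,
credential and TEAM_SVC configuration are constructed test data."""
from collections import OrderedDict

# Constructed configuration: the page's example service plus a hypothetical
# TEAM_SVC exercising the multi-valued rules (repeated keyword, several DNs
# per source, same keyword in different sources).
CONFIG_TEXT = """
[TAM_CRED_ATTRS_SVC]
eperson = azn_cred_registry_id
group = cn=enterprise, o=tivoli
[TAM_CRED_ATTRS_SVC:eperson]
tagvalue_credattrs_lastname = sn
tagvalue_credattrs_employeetype = employeetype
tagvalue_credattrs_address = homepostaladdress
tagvalue_credattrs_email = mail
[TAM_CRED_ATTRS_SVC:group]
tagvalue_credattrs_businesscategory = businesscategory
[TEAM_SVC]
member = team_members
group = cn=enterprise, o=tivoli
[TEAM_SVC:member]
tagvalue_credattrs_employeeinfo = sn
tagvalue_credattrs_employeeinfo = employeetype
tagvalue_credattrs_businesscategory = businesscategory
[TEAM_SVC:group]
tagvalue_credattrs_businesscategory = businesscategory
"""

# Constructed LDAP registry keyed by normalized DN; LDAP attributes are
# multi-valued, so every value is a list.
REGISTRY = {
    "cn=joeuser,o=tivoli": {
        "sn": ["Smith"], "employeetype": ["bankteller"], "mail": ["joeuser@bigco.com"],
        "homepostaladdress": ["3004 Mission St Santa Cruz CA 95060"],
        "businesscategory": ["retailbanking"]},
    "cn=janeuser,o=tivoli": {
        "sn": ["Doe"], "employeetype": ["loanofficer"], "businesscategory": ["lending"]},
    "cn=enterprise,o=tivoli": {"businesscategory": ["finance"]},
}
# Constructed credential for joeuser: azn_cred_registry_id is the standard
# attribute holding the user's registry DN; team_members is hypothetical,
# e.g. populated by an earlier chained entitlement service.
CREDENTIAL = {
    "azn_cred_registry_id": ["cn=joeuser, o=tivoli"],
    "team_members": ["cn=joeuser, o=tivoli", "cn=janeuser, o=tivoli"],
}


def parse_stanzas(text):
    """Parse [stanza] / key = value text, keeping duplicate keys in order
    (configparser would reject or collapse them, losing multi-valued entries)."""
    stanzas, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            stanzas[current].append((key, value))
        else:
            raise ValueError(f"malformed configuration line: {raw!r}")
    return stanzas


def normalize_dn(dn):
    """Drop spaces around ',' and lower-case (simplified DN matching)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def fetch_attributes(stanzas, service_id, credential, registry):
    """Build the attribute list the service adds to the credential."""
    result = OrderedDict()
    for source, value in stanzas.get(service_id, []):
        # A source value naming an existing credential attribute resolves to
        # that attribute's values (each a DN); anything else is a literal DN.
        for dn in credential.get(value, [value]):
            entry = registry.get(normalize_dn(dn), {})
            for keyword, registry_attr in stanzas.get(f"{service_id}:{source}", []):
                # Per the page's table, tagvalue_credattrs_lastname yields the
                # attribute credattrs_lastname: the tagvalue_ prefix is dropped.
                name = keyword[len("tagvalue_"):] if keyword.startswith("tagvalue_") else keyword
                values = entry.get(registry_attr, [])
                if values:  # repeated keywords and extra DNs accumulate here
                    result.setdefault(name, []).extend(values)
    return result


if __name__ == "__main__":
    stanzas = parse_stanzas(CONFIG_TEXT)
    for service in ("TAM_CRED_ATTRS_SVC", "TEAM_SVC"):
        print(service, dict(fetch_attributes(stanzas, service, CREDENTIAL, REGISTRY)))
```

Running the block prints the five credattrs_* attributes from the table above for TAM_CRED_ATTRS_SVC, and for TEAM_SVC a credattrs_employeeinfo attribute with four values (two per member DN) and a credattrs_businesscategory attribute that combines the two members' values with the group's, which is the multi-valued behaviour the previous paragraphs describe. Note the deliberate DN normalization: the configuration writes cn=enterprise, o=tivoli with a space while the registry key has none, and a lookup that compared the strings byte for byte would silently return no attributes.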