Question about Schema query from IDM policy


Hello,
I'm looking for a method to query the eDir schema from IDM policy.
I have to validate whether an attribute name injected to me by an external app
is available in my IDM Vault schema.

An LDAP query will not help me here: the LDAP attribute name can be different
from the NCP attribute name.

This is not trivial, but an interesting challenge! :)

Alex


--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=54421

  • You can see the NDAP schema name from LDAP. Is that not valid still for
    some reason?

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
  • On 10/7/2015 6:27 PM, ab wrote:
    > You can see the NDAP schema name from LDAP. Is that not valid still for
    > some reason?


    If your app provides getSchema() functionality reliably, then you could
    use dxcmd via Java and call the Refresh App Schema, on some reasonable
    schedule, and then look in DirXML-ApplicationSchema for your attribute.



  • Thank you folks,
    I looked at the schema LDAP extract and I don't think that it will be
    a trivial task. :(
    Ideally I need a nodeset with all NCP attribute names.

    Currently I can't see a simple (right) way to get it...

    I will continue working on the business logic of the driver and maybe later (I
    hope) will look again at the attribute "validation" part...
    My preference is to use simple and elegant solutions in my code :)

    >
    > dn: cn=schema
    > objectClass: subschema
    > objectClass: top
    > attributeTypes: ( 2.5.4.35 NAME 'userPassword' DESC 'Internal NDS policy
    > forces this to be single-valued' SYNTAX
    > 1.3.6.1.4.1.1466.115.121.1.40{128} USAGE directoryOperation )
    > attributeTypes: ( 2.5.18.1 NAME 'createTimestamp' DESC 'Operational
    > Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
    > NO-USER-MODIFICATION USAGE directoryOperation )
    > attributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' DESC 'Operational
    > Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
    > NO-USER-MODIFICATION USAGE directoryOperation )
    > attributeTypes: ( 2.5.18.10 NAME 'subschemaSubentry' DESC 'Operational
    > Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE directoryOperation
    > )
    > attributeTypes: ( 2.5.21.9 NAME 'structuralObjectClass' DESC
    > 'Operational Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
    > SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
    > attributeTypes: ( 2.16.840.1.113719.1.27.4.49 NAME 'subordinateCount'
    > DESC 'Operational Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    > SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
    > ...
    > attributeTypes: ( 2.5.4.3 NAME ( 'cn' '*commonName*' ) SYNTAX
    > 1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1'
    > X-NDS_UPPER_BOUND '64' X-NDS_NONREMOVABLE '1' )
    > ...
    > attributeTypes: ( 2.5.4.8 NAME ( 'st' '*stateOrProvinceName*' ) SYNTAX
    > 1.3.6.1.4.1.1466.115.121.1.15{128} X-NDS_NAME 'S' X-NDS_LOWER_BOUND '1'
    > X-NDS_UPPER_BOUND '128' X-NDS_NONREMOVABLE '1' )
    > attributeTypes: ( 2.5.4.4 NAME ( 'sn' '*surname*' ) SYNTAX
    > 1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'Surname' X-NDS_LOWER_BOUND
    > '1' X-NDS_UPPER_BOUND '64' X-NDS_PUBLIC_READ '1' X-NDS_NONREMOVABLE '1'
    > )
    >


  • On 10/9/2015 11:24 AM, al b wrote:
    >
    > Thank you folks,
    > I looked to the schema LDAP extract and I don't think, that it will be
    > trivial task. :(
    > Ideally I need nodeset with all ncp attribute names.
    >
    > Currently I can't see simple (right) way to get it...
    >
    > I will continue work on business logic of the driver and maybe later (I
    > hope) will look again for attribute "validation" part...
    > My preference to use in my code simple and elegant solutions :)


    You get the status level=error back with a 610 Illegal attribute if you
    try to write it to a test user. Run a test (startup? Job?) that writes
    to a test user the attr, and then check the result, either 610 error or
    success?


  • On Wed, 07 Oct 2015 21:24:01 0000, al b wrote:

    > I'm looking for method to query eDir schema from IDM policy. I have to
    > validate, if attribute name injected to me by external app, available in
    > my IDM Vault schema.


    Non trivial, but you could try setting the attribute and checking to see
    if the return is an error. Or set it, and then try to read it, to see if
    it's there.


    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Knowledge Partner http://forums.microfocus.com

    Please post questions in the forums. No support provided via email.
    If you find this post helpful, please click on the star below.
  • al b wrote:

    > > attributeTypes: ( 2.5.4.3 NAME ( 'cn' '*commonName*' ) SYNTAX
    > > 1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1'
    > > X-NDS_UPPER_BOUND '64' X-NDS_NONREMOVABLE '1' )


    CN is about the most complex you can get: NDAP and LDAP names are different,
    and there are multiple LDAP names. I'd try to loop over attributeTypes, look
    for the X-NDS_NAME, and if it is not available take the first NAME. Two regex
    replacements should be enough to get this done.

  • Thank you, David.
    Yes, I can do it (and it will definitely work), but if the attribute name is
    wrong, I will be able to catch it only after the error.

    I'm thinking about some logic that will catch this wrong attribute name
    "early" (without attempting to write the attribute to the vault).



  • This is the first idea that came to my mind, but I dropped it for the
    following reasons:
    1. A lot of our attributes are defined in different AUX classes. I can't
    "attach" different AUX classes (sometimes "conflicting" classes like
    XXX:person, XXX:nonperson, etc.) to the same test object. This driver will
    handle updates for all object classes.
    2. I can't validate the attribute name during "start-up" - I just don't know
    which attribute name ("free form" string) the application will "inject" into
    the approval queue.

    The idea was to compare this "injected attribute name" with a nodeset of all
    attributes in my schema and continue to the business logic only if I
    "pass" the attribute name validation step.

    3. This is not a critical part; I can have the driver working without
    "validation", but this is "nice to have" functionality.



  • Hi Lothar,
    I know you are a great regex guru!
    I hope that it will not be a great impudence to ask for a code sample?
    ;)

    Alex


  • al b wrote:

    > I hope that it will not be a great impudence to ask for a code sample?




    <rule>
      <description>Get Edirectory schema</description>
      <comment name="author" xml:space="preserve">Lothar Haeger</comment>
      <conditions>
        <and>
          <!-- only fetch the schema once per operation -->
          <if-xpath op="not-true">operation-data/schema</if-xpath>
        </and>
      </conditions>
      <actions>
        <do-append-xml-element expression=".[not(operation-data)]" name="operation-data"/>
        <do-append-xml-element expression="operation-data[not(schema)]" name="schema"/>
        <!-- read the cn=schema subentry over LDAP and keep its objectClasses/attributeTypes values -->
        <do-clone-xpath dest-expression="operation-data/schema"
          src-expression="es:bh_LdapSearch($LdapHost, $LdapPort, $LdapUseTls, $LdapTlsKeystore, $LdapTlsStorepass, $LdapLogin, $LdapPassword, 'cn=schema', 'base', 'objectClass=*', 'objectClasses,attributeTypes', 0)/attr"/>
        <do-for-each>
          <arg-node-set>
            <token-xpath expression="operation-data/schema/attr/value"/>
          </arg-node-set>
          <arg-actions>
            <!-- inner replacement keeps the X-NDS_NAME value when present; the outer one
                 then falls back to the first NAME for definitions without X-NDS_NAME -->
            <do-set-xml-attr expression="$current-node" name="attr-name">
              <arg-string>
                <token-replace-first regex=".* NAME \(? *'(.*?)'.*" replace-with="$1">
                  <token-replace-first regex=".* X-NDS_NAME '(.*?)'.*" replace-with="$1">
                    <token-local-variable name="current-node"/>
                  </token-replace-first>
                </token-replace-first>
              </arg-string>
            </do-set-xml-attr>
          </arg-actions>
        </do-for-each>
        <!-- nodeset of all NCP attribute names in the vault schema -->
        <do-set-local-variable name="knownAttributeNames" scope="policy">
          <arg-node-set>
            <token-xpath expression="operation-data/schema/attr[@attr-name='attributeTypes']/value/@attr-name"/>
          </arg-node-set>
        </do-set-local-variable>
      </actions>
    </rule>
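As an added illustration, not code from the thread or from Lothar's rule, here is the same two-step name extraction (X-NDS_NAME if present, otherwise the first NAME) in Python, run over a few constructed attributeTypes values modelled on the extract quoted earlier in the thread, followed by the "early" lookup Alex asked for: an injected name is checked against the resulting set before anything is written to the vault. The sample definitions, the stricter NAME-list parse, the build_schema_index and validate_attribute_name helpers, and the case-insensitive comparison are all this example's own assumptions, not anything the thread states.

```python
import re

# Constructed sample input: attributeTypes values as the cn=schema subentry returns
# them (modelled on the LDIF extract quoted in the thread).
SAMPLE_ATTRIBUTE_TYPES = [
    "( 2.5.4.35 NAME 'userPassword' DESC 'Internal NDS policy forces this to be "
    "single-valued' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} USAGE directoryOperation )",
    "( 2.5.18.1 NAME 'createTimestamp' DESC 'Operational Attribute' SYNTAX "
    "1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} "
    "X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '64' X-NDS_NONREMOVABLE '1' )",
    "( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} "
    "X-NDS_NAME 'S' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '128' X-NDS_NONREMOVABLE '1' )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} "
    "X-NDS_NAME 'Surname' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '64' "
    "X-NDS_PUBLIC_READ '1' X-NDS_NONREMOVABLE '1' )",
]

# The two replacements from the thread, applied in the order the rule applies them:
# first keep the X-NDS_NAME value if there is one, then keep the first NAME.
NDS_NAME_RE = re.compile(r".* X-NDS_NAME '(.*?)'.*")
FIRST_LDAP_NAME_RE = re.compile(r".* NAME \(? *'(.*?)'.*")


def ncp_name(definition: str) -> str:
    """NCP (NDAP) name of one attributeTypes definition, derived as the rule does."""
    step1 = NDS_NAME_RE.sub(r"\1", definition, count=1)
    # If step1 already produced a bare name, this pattern does not match and it passes through.
    return FIRST_LDAP_NAME_RE.sub(r"\1", step1, count=1)


# Assumption (not from the thread): a stricter parse of the NAME clause, which is
# either NAME 'x' or NAME ( 'x' 'y' ... ), so every LDAP alias can be reported too.
# \bNAME deliberately does not match the NAME inside X-NDS_NAME ('_' is a word char).
NAME_LIST_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def ldap_names(definition: str) -> list:
    """All LDAP names of one attributeTypes definition, in declaration order."""
    m = NAME_LIST_RE.search(definition)
    if not m:
        return []
    if m.group(1) is not None:
        return [m.group(1)]
    return re.findall(r"'([^']*)'", m.group(2))


def build_schema_index(definitions) -> dict:
    """Map every known name (NCP and LDAP, case-folded) to the attribute's NCP name.

    Assumption: names are compared case-insensitively; drop the .lower() calls if
    an exact-case match is wanted.
    """
    index = {}
    for d in definitions:
        ncp = ncp_name(d)
        index[ncp.lower()] = ncp
        for alias in ldap_names(d):
            index.setdefault(alias.lower(), ncp)
    return index


def validate_attribute_name(injected: str, index: dict) -> tuple:
    """Classify an injected name before any write is attempted.

    Returns ('ncp', name) for a known NCP name, ('ldap-alias', ncp_name) when the
    caller sent the LDAP name of a known attribute, and ('unknown', None) otherwise.
    """
    ncp = index.get(injected.lower())
    if ncp is None:
        return ("unknown", None)
    if ncp.lower() == injected.lower():
        return ("ncp", ncp)
    return ("ldap-alias", ncp)


if __name__ == "__main__":
    idx = build_schema_index(SAMPLE_ATTRIBUTE_TYPES)
    for candidate in ("Surname", "sn", "commonName", "S", "bogusAttr"):
        print(candidate, "->", validate_attribute_name(candidate, idx))
```

The 'ldap-alias' outcome is the case the thread is really about: a caller that sends "sn" or "commonName" names a real attribute, but not by the name the vault's NCP write expects, so a policy can either translate it to the NCP name or reject it up front instead of waiting for the 610 Illegal attribute status.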