How to modify user LDAP attributes on local authentication with NetIQ Access Manager




Many organizations need to process or filter user attributes after user authentication, before sharing those attributes with any other service. Use cases include:

  1. Modify user attributes, such as changing the email domain (at runtime, in memory), before sending any user information to Access Gateway.

  2. On federation with a third-party SP when NAM acts as the IDP, modify the user attributes to send special or custom attribute values.

This can be achieved in multiple ways with NetIQ Access Manager:
  1. Write an external attribute source and consume its attribute in the above use cases. See "NetIQ Access Manager – Adding External Data to SAML Assertions".

  2. Write a custom authentication class to modify the user attributes and make them available for the above use cases.

  3. The third method, explained below, modifies or adds attributes for a user after authentication with NAM in simple steps with minimal coding. This approach applies to NAM 4.0.1 onwards only.

Setup Information


NetIQ Access Manager Identity Server setup details

  1. Download the file from the Cool Solution.

  2. Extract the zip file.

  3. Copy the jar file to the IDP server. The target location is "/opt/novell/nam/idp/webapps/WEB-INF/lib".

  4. Restart the IDP.

  5. Find "attrfilter.jsp" in the extracted file list.

  6. Open "attrfilter.jsp" in Notepad or in your favorite Java IDE, such as Eclipse.

  7. In the file, find the statements below:

    // LDAPAttribute names array to be modified.
    final String m_attributeNames[] = {"givenName","carLicense"};

  8. Edit the m_attributeNames array with your own set of attributes to be added or modified for the user. Make sure each name typed here matches the LDAP attribute name. In the above example, "givenName" and "carLicense" are the LDAP attributes to be modified.

  9. Find the following method signature in the same JSP file:

    private String getModifiedLDAPAttrValue(String attrName, String oldValue)

  10. In the "getModifiedLDAPAttrValue" method, the parameter "oldValue" represents the value read from the user store. The "newValue" value has to be prepared here: write the Java code that computes the new value, either based on "oldValue" or as a totally new value.

  11. The user attribute modification code is now ready to use. Copy your customized copy of "attrfilter.jsp" to the IDP. The target location is "/opt/novell/nam/idp/webapps/nidp/jsp".

  12. The code is now in place, but it needs additional configuration in the Admin Console to be complete.

  13. Log in to the Admin Console.

  14. Select the contract under which the user will be authenticated, under IDP configuration > Local tab > Contracts.

  15. On the contract page, select the "Login Redirect URL" text field (this field is new in the UI from NetIQ Access Manager 4.0.1).

  16. Fill in the following value:
    https://<<IDP dns and port>>/nidp/jsp/attrfilter.jsp?user=<USERID>&store=<STOREID>&returl=<RETURN_URL>
    E.g., https//<USERID>&store=<STOREID>&returl=<RETURN_URL>


  17. Click OK and update the IDP configuration.

  18. Test your setup by authenticating a user with the contract that has "Login Redirect URL" configured for user attribute modification. One sample test: create a sample PHP page (or any web file), deploy it on any server, accelerate this service, and do Identity Injection as custom headers to this test page. The test page should print back to the browser the complete request, showing what was injected.
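An added example, not code from the downloadable attrfilter.jsp or from NetIQ: one possible body for "getModifiedLDAPAttrValue" covering the email-domain use case, wrapped in a stand-alone class so it can be run outside the IDP. The "mail" entry in the array, the two domains and the sample values are assumptions constructed for illustration.

```java
import java.util.Locale;

// Added example, not the downloaded attrfilter.jsp: one possible body for
// getModifiedLDAPAttrValue(), wrapped in a class so it runs stand-alone.
public class AttrFilterExample {
    // Assumption: "mail" is listed here; the page's sample lists givenName and carLicense.
    static final String[] m_attributeNames = {"mail", "carLicense"};
    // Hypothetical domains, constructed for this example.
    static final String OLD_DOMAIN = "corp.example.com";
    static final String NEW_DOMAIN = "example.com";

    // oldValue is the value read from the user store; the return value is the new value.
    static String getModifiedLDAPAttrValue(String attrName, String oldValue) {
        if (attrName == null || oldValue == null) {
            return oldValue;                       // attribute missing in the user store
        }
        String value = oldValue.trim();
        if ("mail".equalsIgnoreCase(attrName)) {   // LDAP attribute names are case-insensitive
            int at = value.lastIndexOf('@');
            // Rewrite only a well-formed address (one '@', non-empty local part) in the old domain.
            if (at > 0 && value.indexOf('@') == at
                    && value.substring(at + 1).toLowerCase(Locale.ROOT).equals(OLD_DOMAIN)) {
                return value.substring(0, at + 1) + NEW_DOMAIN;
            }
            return oldValue;                       // anything else passes through untouched
        }
        if ("carLicense".equalsIgnoreCase(attrName)) {
            // Normalise: keep only letters and digits, upper-cased.
            return value.replaceAll("[^A-Za-z0-9]", "").toUpperCase(Locale.ROOT);
        }
        return oldValue;                           // attributes without a rule are not modified
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String[][] samples = {
            {"mail", "jdoe@corp.example.com"},
            {"mail", "jdoe@partner.example.org"},
            {"mail", "not-an-address"},
            {"carLicense", " ab-123 cd "},
            {"givenName", "John"},
        };
        for (String[] s : samples) {
            System.out.println(s[0] + ": " + s[1] + " -> " + getModifiedLDAPAttrValue(s[0], s[1]));
        }
    }
}
```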

Using Custom LDAP attribute setup details

Use Case example:

Prepare a custom attribute by joining two LDAP attributes. This custom attribute can be sent via federation to a third party or to the NetIQ Access Gateway server.


  1. Log in to the Admin Console.

  2. Select the Shared Settings tab and the Custom Attributes section.

  3. Under the "LDAP Attribute Names" section, click "New". A popup window appears.

  4. Enter your custom attribute name, for example "mycustom1", and click "OK".

  5. Add this attribute to your existing attribute set, or create a new attribute set and assign the "mycustom1" LDAP attribute to it.

  6. Use the above attribute set with IDFF for NetIQ Access Gateway policies, or map this attribute with other federations like SAML2.

  7. Now custom code has to be added to "attrfilter.jsp".

  8. Example code is already present in the JSP; uncomment the line below in the JSP (line 30).

  9. If you have created the custom attribute name as "mycustom1", simply add this attribute to the identity injection policy and test it.

  10. The example attribute modification in the method "setCustomAttributeValue()" in the JSP joins two attributes (givenName, carLicense) with ":".

Note: Modified attribute values might also be available with Role policy; this has not been tested.

Please share your comments!!


Comment List
  • Be aware that this technique requires an HTTP session so "sessionless" authentication such as WS-Trust cannot use this method to customize attributes.