Related Tips & Info

How to modify user LDAP attributes on local authentication with NetIQ Access Manager

csr
0 Likes

Introduction


 

Many organizations need or desire to process or filter user attributes after user authentication before share those attributes with any other service. Use cases are,



  1. Modify user attributes like changing email domain (runtime in memory) before sending any user information to Access Gateway.

  • On Federation with third party SP when NAM acting as IDP, modify the user attributes to send special attribute or custom attribute values.

This can be achieved in multiple ways with NetIQ Access Manager.
  1. Writing external attribute source and consume this attribute in above use cases. NetIQ Access Manager – Adding External Data to SAML Assertions

  • Writing custom authentication class to modify the user attributes and make them available for above use cases.

  • Third method explained below is, how to modify or add attributes for user after authentication with NAM in simple steps with minimal coding. This approach is applied for NAM 4.0.1 onwards only.



Setup Information


 

NetIQ Access Manager Identity Server setup details


  1. Download ldap_attr_modify.zip file from the cool solution

  • Extract zip file

  • Copy the jar file to IDP server, file location to be copied is "/opt/novell/nam/idp/webapps/WEB-INF/lib"

  • Restart IDP

  • Find "attrfilter.jsp" in extracted file list

  • Open "attrfilter.jsp" in notepad or in any of your favorite java IDE like eclipse etc.,

  • If file find below statements

    /**
     	*	LDAPAttribute names array to be modified.
     	*
     	*/
    	final String m_attributeNames[] = {"givenName","carLicense"};

  • Edit attributeNames array with your set of attributes to be added/modified for user. Make sure you use LDAP attribute name match while typing the name here. In above example "givenName" and "carLicense" are LDAP attributes planned to be modified.

  • Find following method signature in the same JSP file

    private String getModifiedLDAPAttrValue(String attrName, String oldValue)

  • In "getModifiedLDAPAttrValue" method, parameter "oldValue" represents value read from user store. Parameter "newValue" value has to be prepared here. Write a java code how new value will be computed, either it can be based "oldValue" or totally new value.

  • Now User attribute modification code is read to use, copy the modified your customized copy of "attrfilter.jsp" to IDP, file location will be "/opt/novell/nam/idp/webapps/nidp/jsp"

  • Now your code is ready to use. But it needs additional configuration at Admin console to make it complete

  • Login to Admin Console

  • Select contract where user will be authenticated under IDP configuration ' local tab ' contracts

  • In contract page select "Login Redirect URL" text field (this field is added from NetIQ Access Manager 4.0.1, new field added on UI )

  • Fill the following value, 
    https://<<IDP dns and port>>/nidp/jsp/attrfilter.jsp?user=<USERID>&store=<STOREID>&returl=<RETURN_URL>
    E.g.,  https//namtest.com/nidp/jsp/attrfilter.jsp?user=<USERID>&store=<STOREID>&returl=<RETURN_URL>


ldapattr-1



  • Click OK and update IDP configuration.

  • Now test your setup by authenticating user using contract configured with "Login Redirect URL" for user attribute modification. One sample test is, Create sample php or any web file and deploy on any server and accelerate this service and do Identity injection as custom headers to this service test page, test should print/write back to browser with complete request to what are injected



Using Custom LDAP attribute setup details



Use Case example:



Prepare custom attribute by joining two LDAP attributes, this custom attribute can be sent via federation to third party or NetIQ Access Gateway server.



Steps:


  1. Login to Admin Console

  • Select shared settings tab and custom attributes section

  • Under "LDAP Attribute Names" section click on "New", Popup window shows up

  • Enter your custom attribute name for example "mycustom1" and click "OK'

  • Add this attribute to your existing attributeset or create new and assign "mycustom1" LDAP attribute


ldapattr-2



  • Use an above attributeset with IDFF for NetIQ Access Gateway policies or map this attribute with other federations like SAML2


ldapattr-3



  • Now custom code has to be added to "attrfilter.jsp"

  • Example code is already added in jsp, uncomment below line in jsp (line 30)
    setCustomAttributeValue(request,"mycustom1");

  • If you have crated custom attribute name as "mycustom1", simply add this attribute to identity injection policy and test it.

  • Example attribute modification in method "setCustomAttributeValue()" in JSP will add two attributes (givenName, carLicense) with ":"



Note: Modified attribute values might be available with Role policy, Not tested.



Please share your comments!!


Labels:

How To-Best Practice
Comment List
  • Be aware that this technique requires an HTTP session so "sessionless" authentication such as WS-Trust cannot use this method to customize attributes.
Related
Recommended

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.