Changing the passwordfetch returned username?

Hi All,

I have a Risk Based Auth Contract executing a flow as follows:

1) Kerberos Contract (Kerberos Method followed by passwordFetch method)

2) If the user is a member of a particular group, additional auth is required (radius contract / method etc).

To succeed on the radius contract I need to provide username + pin/token. The JSP of the radius contract asks for only the pin/token and the preceding passwordfetch component is providing the username which is hidden on the radius jsp/form.

This works fine when using an eDirectory user store where the CN value is mapped to the username expected at the radius end. For example, CN=jsmith in eDirectory and username in radius server is jsmith.

But when the eDirectory user store has the CN value mapped to a value such as "john smith" and the radius end expects "jsmith" it fails.

I'm wondering whether there is any way we can control the returned attribute from the passwordfetch class/method. In this example, I need to retrieve the uniqueID attribute from eDirectory as opposed to CN.

1 Reply
Absent Member.

I don't think you can change the attribute that is returned from PasswordFetch. But maybe you can use the RADIUS_LOOKUP_ATTR property to configure which LDAP attribute value should be sent to the backend RADIUS server as the username.
