samathew

How to capture a DN reference rename event in an object

Hi,
I have a DN role object as follows
dn: cn=IAM_ROLE_Test_Rename_R1,ou=roles,ou=Applications,ou=xxxx

Now the users are storing this role in an attribute which is of type dn as follows

cn: user1
sn: lastName
fn: firstname
role: cn=IAM_ROLE_Test_Rename_R1,ou=roles,ou=Applications,ou=xxxx

Now when I rename the above role "IAM_ROLE_Test_Rename_R1" under ou=roles,ou=Applications,ou=xxxx to "IAM_ROLE_Test_Rename_RNew", the DN reference in the user also changes to the new DN as below
New role DN
dn: cn=IAM_ROLE_Test_Rename_RNew,ou=roles,ou=Applications,ou=xxxx

and user role value is
cn: user1
sn: lastName
fn: firstname
role: cn=IAM_ROLE_Test_Rename_RNew,ou=roles,ou=Applications,ou=xxxx

Now my question is: I have a policy in my driver which looks for user role attribute updates and does some actions.
What I found is that when I rename a role, the DN reference in the user is getting updated but it is not generating any event for the driver to consume.

Is there a way I can capture a DN reference update of an object in the driver?

thanks
Mathew
Knowledge Partner

Re: How to capture a DN reference rename event in an object

On 5/2/2018 3:44 PM, samathew wrote:
>
> Hi,
> I have a DN role object as follows
> dn: cn=IAM_ROLE_Test_Rename_R1,ou=roles,ou=Applications,ou=xxxx
>
> Now the users are storing this role in attribute which is of type dn as
> follows
>
> cn: user1
> sn: lastName
> fn: firstname
> role: cn=IAM_ROLE_Test_Rename_R1,ou=roles,ou=Applications,ou=xxxx
>
> Now when I rename the above role "IAM_ROLE_Test_Rename_R1" under
> ou=roles,ou=Applications,ou=xxxx to "IAM_ROLE_Test_Rename_RNew", the DN
> reference in user also change to new DN as below
> New role DN
> dn: cn=IAM_ROLE_Test_Rename_RNew,ou=roles,ou=Applications,ou=xxxx
>
> and user role value is
> cn: user1
> sn: lastName
> fn: firstname
> role: cn=IAM_ROLE_Test_Rename_RNew,ou=roles,ou=Applications,ou=xxxx
>
> Now my question is I have policy in my driver which looks for user role
> attribute update and do some actions
> What I found is when I rename a role, the DN reference in user is
> getting updated but it is not generating any event for the driver to
> consume.
>
> Is there a way I can capture a DN reference update of an object in the
> driver?
Your filter would have to watch for nrfRole objects and the CN (I think
it is CN) that is changing. Though actually, that is a rename event, so
you would have to watch in a driver, for the nrfRole objects, and catch
rename events.

The objects which REFERENCE that DN will not generate an event when it
changes.

It helps if you realize that DN syntax attributes are actually 32 bit
ints, and stored that way in the directory.

So the attr manager, holding a DN reference, does not store the text
Manager.ou.ou.o, rather it holds an object ID value.

Every time you LOOK at a DN reference attribute, eDir looks up the
pretty name for that object (very quickly).

Thus a rename does NOT change any of those integer values stored on
objects. So no events on those objects.

Knowledge Partner

Re: How to capture a DN reference rename event in an object

samathew wrote:

> Now my question is I have policy in my driver which looks for user role
> attribute update and do some actions
> What I found is when I rename a role, the DN reference in user is
> getting updated but it is not generating any event for the driver to
> consume.
That is because the referenced object does not change and the reference stored
on the user object is a pointer to the target object, not the DN string
containing the name of it. So if you need to trigger on a role rename, put your
role object class into the filter and its naming attribute (CN, as it seems).
You can generate User events from that by looping over the role members if that
fits your requirements better.

--
http://www.is4it.de/en/solution/identity-access-management/

samathew

Re: How to capture a DN reference rename event in an object

Thank you both for the prompt reply and explaining the DN reference design.

The confirmation I was looking for was that when a DN reference is updated it will not generate an event in that user.
My driver looks only for user objects and in the user branch. Also, role is not an nrfRole object but a simple custom attribute, so it doesn't have all the users which have this role.
So in this case, if the driver looks for the role cn rename, the driver needs to query for all users who are using this DN to apply some logic to those users.

Will follow it up if I need to go further on this use case.

thanks
Sanu
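The approach both replies describe and the original poster settles on (catch the rename of the role object in the driver, then query for the users whose DN-syntax attribute points at it), as an added DirXML-Script policy example that is not from this thread or any Micro Focus product. It assumes a role object class named iamRole, a user branch of xxxx\Users in the engine's backslash src-dn format, and the page's attribute name role; the per-user actions are left as a trace message.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Role rename: find users whose DN reference points at the renamed role</description>
    <conditions>
      <and>
        <!-- assumed class name of the role object; replace with the real one -->
        <if-class-name op="equal">iamRole</if-class-name>
        <if-operation op="equal">rename</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- A rename event carries the OLD DN in src-dn and the new RDN in <new-name>.
           Build the role's new DN = parent of the old DN + "\" + new RDN (src-dn format). -->
      <do-set-local-variable name="new-role-dn" scope="policy">
        <arg-string>
          <token-parse-dn src-dn-format="src-dn" dest-dn-format="src-dn" start="0" length="-2">
            <token-src-dn/>
          </token-parse-dn>
          <token-text xml:space="preserve">\</token-text>
          <token-xpath expression="new-name"/>
        </arg-string>
      </do-set-local-variable>
      <!-- The stored reference is an object ID, so matching on the NEW DN resolves to the
           same object and finds every user still pointing at the role, even though none
           of those users produced an event of their own. -->
      <do-for-each>
        <arg-node-set>
          <token-query class-name="User" datastore="src" scope="subtree">
            <!-- assumed user branch the driver is scoped to -->
            <arg-dn><token-text xml:space="preserve">xxxx\Users</token-text></arg-dn>
            <arg-match-attr name="role">
              <arg-value type="dn"><token-local-variable name="new-role-dn"/></arg-value>
            </arg-match-attr>
          </token-query>
        </arg-node-set>
        <arg-actions>
          <!-- per-user logic goes here; this example only traces each referencing user -->
          <do-trace-message level="2">
            <arg-string>
              <token-text xml:space="preserve">role renamed to </token-text>
              <token-local-variable name="new-role-dn"/>
              <token-text xml:space="preserve">; referencing user: </token-text>
              <token-xpath expression="$current-node/@src-dn"/>
            </arg-string>
          </do-trace-message>
        </arg-actions>
      </do-for-each>
    </actions>
  </rule>
</policy>
```

The role class and its naming attribute must also be added to the driver filter (subscriber, notify) for the rename event to reach this policy at all.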