Question about Schema query from IDM policy


Hello,
I'm looking for a method to query the eDir schema from IDM policy.
I have to validate whether an attribute name injected to me by an external app
is available in my IDM Vault schema.

An LDAP query will not help me here: the LDAP attribute name can be different
from the NCP attribute name.

This is not trivial, but an interesting challenge! 🙂

Alex


--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=54421

Re: Question about Schema query from IDM policy

You can see the NDAP schema name from LDAP. Is that not valid still for
some reason?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Question about Schema query from IDM policy

On 10/7/2015 6:27 PM, ab wrote:
> You can see the NDAP schema name from LDAP. Is that not valid still for
> some reason?


If your app provides getSchema() functionality reliably, then you could
use dxcmd via Java and call the Refresh App Schema, on some reasonable
schedule, and then look in DirXML-ApplicationSchema for your attribute.



Re: Question about Schema query from IDM policy


Thank you folks,
I looked at the schema LDAP extract and I don't think that it will be a
trivial task. 😞
Ideally I need a nodeset with all NCP attribute names.

Currently I can't see a simple (right) way to get it...

I will continue working on the business logic of the driver and maybe later (I
hope) will look again at the attribute "validation" part...
My preference is to use simple and elegant solutions in my code 🙂

>
> dn: cn=schema
> objectClass: subschema
> objectClass: top
> attributeTypes: ( 2.5.4.35 NAME 'userPassword' DESC 'Internal NDS policy
> forces this to be single-valued' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.40{128} USAGE directoryOperation )
> attributeTypes: ( 2.5.18.1 NAME 'createTimestamp' DESC 'Operational
> Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
> NO-USER-MODIFICATION USAGE directoryOperation )
> attributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' DESC 'Operational
> Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
> NO-USER-MODIFICATION USAGE directoryOperation )
> attributeTypes: ( 2.5.18.10 NAME 'subschemaSubentry' DESC 'Operational
> Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE directoryOperation
> )
> attributeTypes: ( 2.5.21.9 NAME 'structuralObjectClass' DESC
> 'Operational Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
> SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
> attributeTypes: ( 2.16.840.1.113719.1.27.4.49 NAME 'subordinateCount'
> DESC 'Operational Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
> SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
> ...
> attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1'
> X-NDS_UPPER_BOUND '64' X-NDS_NONREMOVABLE '1' )
> ...
> attributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15{128} X-NDS_NAME 'S' X-NDS_LOWER_BOUND '1'
> X-NDS_UPPER_BOUND '128' X-NDS_NONREMOVABLE '1' )
> attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'Surname' X-NDS_LOWER_BOUND
> '1' X-NDS_UPPER_BOUND '64' X-NDS_PUBLIC_READ '1' X-NDS_NONREMOVABLE '1'
> )
>




Re: Question about Schema query from IDM policy

On 10/9/2015 11:24 AM, al b wrote:
>
> Thank you folks,
> I looked to the schema LDAP extract and I don't think, that it will be
> trivial task. 😞
> Ideally I need nodeset with all ncp attribute names.
>
> Currently I can't see simple (right) way to get it...
>
> I will continue work on business logic of the driver and maybe later (I
> hope) will look again for attribute "validation" part...
> My preference to use in my code simple and elegant solutions 🙂


You get status level=error back with a 610 Illegal attribute if you
try to write it to a test user. Run a test (startup? Job?) that writes
the attr to a test user, and then check the result, either 610 error or
success?



Re: Question about Schema query from IDM policy


This is the first idea that came to my mind, but I dropped it for the
following reasons:
1. A lot of our attributes are defined in different AUX classes. I can't
"attach" different AUX classes (sometimes "conflicting" classes like
XXX:person, XXX:nonperson, etc.) to the same test object. This driver will
handle updates for all object classes.
2. I can't validate the attribute name during "start-up" - I just don't know
which attribute name ("free form" string) the application will "inject" into
the approval queue.

The idea was to compare this "injected attribute name" with a nodeset of all
attributes in my schema and continue to the business logic only if I
"pass" the attribute name validation step.

3. This is not a critical part; I can have the driver working without
"validation", but this is "nice to have" functionality.



Re: Question about Schema query from IDM policy

al b wrote:

> > attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SYNTAX
> > 1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1'
> > X-NDS_UPPER_BOUND '64' X-NDS_NONREMOVABLE '1' )


CN is about the most complex you can get: NDAP and LDAP names are different,
and there are multiple LDAP names. I'd try to loop over attributeTypes, look
for the X-NDS_NAME, and if not available take the first NAME. Two regex
replacements should be enough to get this done.
______________________________________________
https://www.is4it.de/identity-access-management

Re: Question about Schema query from IDM policy


Hi Lothar,
I know you are a great regex guru!
I hope that it will not be a great impudence to ask for a code sample?
😉

Alex



Re: Question about Schema query from IDM policy

al b wrote:

> I hope that it will not be a great impudence to ask for a code sample?




<rule>
<description>Get Edirectory schema</description>
<comment name="author" xml:space="preserve">Lothar Haeger</comment>
<conditions>
<and>
<if-xpath op="not-true">operation-data/schema</if-xpath>
</and>
</conditions>
<actions>
<do-append-xml-element expression=".[not(operation-data)]"
name="operation-data"/>
<do-append-xml-element expression="operation-data[not(schema]" name="schema"/>
<do-clone-xpath dest-expression="operation-data/schema"
src-expression="es:bh_LdapSearch($LdapHost, $LdapPort, $LdapUseTls,
$LdapTlsKeystore, $LdapTlsStorepass, $LdapLogin, $LdapPassword, 'cn=schema',
'base', 'objectClass=*', 'objectClasses,attributeTypes', 0)/attr"/>
<do-for-each>
<arg-node-set>
<token-xpath expression="operation-data/schema/attr/value"/>
</arg-node-set>
<arg-actions>
<do-set-xml-attr expression="$current-node" name="attr-name">
<arg-string>
<token-replace-first regex=".+ NAME \(? *'(.+?)'.+" replace-with="$1">
<token-replace-first regex=".+ X-NDS_NAME '(.+?)'.*" replace-with="$1">
<token-local-variable name="current-node"/>
</token-replace-first>
</token-replace-first>
</arg-string>
</do-set-xml-attr>
</arg-actions>
</do-for-each>
<do-set-local-variable name="knownAttributeNames" scope="policy">
<arg-node-set>
<token-xpath
expression="operation-data/attr[@attr-name='attributeTypes']/value/@attr-name"/>
</arg-node-set>
</do-set-local-variable>
</actions>
</rule>
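The two-regex approach Lothar describes above and implements in the policy rule, carried out stand-alone in Python as an added example (not the thread's own code): the sample attributeTypes values are constructed from the schema extract quoted earlier in the thread, the two patterns are the ones used in the rule's nested token-replace-first steps, and the resulting set of NDS names serves as the allowlist an externally injected attribute name is checked against before any write to the vault.

```python
import re

# Constructed sample: attributeTypes values as an LDAP search of cn=schema on
# eDirectory returns them, built from the extract quoted in this thread
# (the forum's bold markers around the second NAME are dropped).
SAMPLE_ATTRIBUTE_TYPES = [
    "( 2.5.4.35 NAME 'userPassword' DESC 'Internal NDS policy forces this to be "
    "single-valued' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} USAGE directoryOperation )",
    "( 2.5.18.1 NAME 'createTimestamp' DESC 'Operational Attribute' SYNTAX "
    "1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} "
    "X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '64' X-NDS_NONREMOVABLE '1' )",
    "( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} "
    "X-NDS_NAME 'S' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '128' X-NDS_NONREMOVABLE '1' )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} "
    "X-NDS_NAME 'Surname' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '64' "
    "X-NDS_PUBLIC_READ '1' X-NDS_NONREMOVABLE '1' )",
]

# The same two patterns as the nested token-replace-first steps in the rule.
NDS_NAME_RE = re.compile(r".+ X-NDS_NAME '(.+?)'.*")
FIRST_NAME_RE = re.compile(r".+ NAME \(? *'(.+?)'.+")


def nds_attribute_name(attribute_type):
    """Return the NDS (NDAP) name for one attributeTypes definition.

    X-NDS_NAME wins when present (cn -> CN, st -> S); otherwise the LDAP and
    NDS names coincide and the first NAME is taken (userPassword).
    """
    match = NDS_NAME_RE.match(attribute_type) or FIRST_NAME_RE.match(attribute_type)
    return match.group(1) if match else None


def known_attribute_names(attribute_types):
    """Build the allowlist of NDS attribute names from the schema dump."""
    return {n for n in map(nds_attribute_name, attribute_types) if n}


def is_known_attribute(injected_name, known_names):
    """Exact-match check of an externally supplied attribute name against the
    allowlist, so an unknown name is rejected before any write is attempted
    instead of surfacing later as a 610 Illegal attribute error."""
    return injected_name in known_names


if __name__ == "__main__":
    known = known_attribute_names(SAMPLE_ATTRIBUTE_TYPES)
    for candidate in ("Surname", "sn", "CN", "commonName", "userPassword"):
        print(candidate, "accepted" if is_known_attribute(candidate, known) else "rejected")
```

Note that the LDAP short names (sn, cn) are rejected on purpose: the vault expects the NDS name, which is exactly the mismatch the thread is about.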

Re: Question about Schema query from IDM policy


Hi Lothar,
You made my day!!!
I knew that this task, pretty complex for everybody, is a "peace of cake"
for you!!!
Thank you very much!!!

I just corrected 2 small parts of the code (I believe it is just a mistype)
and everything started working like a charm!
> <rule>
> <description>Get Edirectory schema</description>
> <comment name="author" xml:space="preserve">Lothar Haeger</comment>
> <conditions>
> <and>
> <if-xpath op="not-true">operation-data/schema</if-xpath>
> </and>
> </conditions>
> <actions>
> <do-append-xml-element expression=".[not(operation-data)]"
> name="operation-data"/>
> <do-append-xml-element expression="operation-data[not(schema)]"
> name="schema"/>
> <do-clone-xpath dest-expression="operation-data/schema"
> src-expression="es:bh_LdapSearch($LdapHost, $LdapPort, $LdapUseTls,
> $LdapTlsKeystore, $LdapTlsStorepass, $LdapLogin, $LdapPassword,
> 'cn=schema', 'base', 'objectClass=*', 'objectClasses,attributeTypes',
> 0)/attr"/>
> <do-for-each>
> <arg-node-set>
> <token-xpath expression="operation-data/schema/attr/value"/>
> </arg-node-set>
> <arg-actions>
> <do-set-xml-attr expression="$current-node" name="attr-name">
> <arg-string>
> <token-replace-first regex=".+ NAME \(? *'(.+?)'.+"
> replace-with="$1">
> <token-replace-first regex=".+ X-NDS_NAME '(.+?)'.*"
> replace-with="$1">
> <token-local-variable name="current-node"/>
> </token-replace-first>
> </token-replace-first>
> </arg-string>
> </do-set-xml-attr>
> </arg-actions>
> </do-for-each>
> <do-set-local-variable name="knownAttributeNames" scope="policy">
> <arg-node-set>
> <token-xpath
> expression="operation-data/schema/attr[@attr-name='attributeTypes']/value/@attr-name"/>
> </arg-node-set>
> </do-set-local-variable>
> </actions>
> </rule>




Re: Question about Schema query from IDM policy

al b wrote:

> I knew, that this pretty complex for everybody task is "peace of cake"
> for you!!!


I had enough war of cake with regex, too, but you can't fight getting used to
them in a decade of working with IDM. 😉

> I just corrected 2 small parts of code (I believe it is just mistype)
> and everything started work like a charm!


Did not really test this, sorry.


Re: Question about Schema query from IDM policy


lhaeger;261497 Wrote:
>
> Did not really test this.


Real experts don't need to test their own solution! They know that the
solution will work! :cool:

> What kind of tools does a Real Programmer use? In theory, a Real
> Programmer could run his programs by keying them into the front panel of
> the computer. Back in the days when computers had front panels, this
> was actually done occasionally. Your typical Real Programmer knew the
> entire bootstrap loader by memory in hex, and toggled it in whenever it
> got destroyed by his program.
>
> "Real Programmers Don't Use PASCAL" Ed Post
>




Re: Question about Schema query from IDM policy

On Wed, 07 Oct 2015 21:24:01 +0000, al b wrote:

> I'm looking for method to query eDir schema from IDM policy. I have to
> validate, if attribute name injected to me by external app, available in
> my IDM Vault schema.


Non-trivial, but you could try setting the attribute and checking to see
if the return is an error. Or set it, and then try to read it, to see if
it's there.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: Question about Schema query from IDM policy


Thank you, David.
Yes, I can do it (and it will definitely work), but if the attribute name is
wrong, I will be able to catch it only after the error.

I'm thinking about some logic that will catch this wrong attribute name
"early" (without attempting to write the attribute to the vault).

