fp_idmworks (Super Contributor)

LDAP query extensionable match filter

Anybody know how to do an extensible match filter to return nrf based ID values, or DirXML-Entitlement values?


Identity Governance reports warnings of duplicates found when doing a collection. It indicates a permisionId value with something like:

{"permisionId"."{\"ID\".\"3069B28A954543453\", \"ID2"\.\"cn=costcenter-A23423423,ou=groups........


I am wanting to search eDirectory against the nrf attributes or entitlement attributes for the ID value listed above in hopes of finding the duplicate assignments. However, with it being a structured attribute and with the nrf attributes holding data prior to the ID and after the ID, I can't do a *<ID value>* in the filter.

I'm assuming there is an OID LDAP control search..

Re: LDAP query extensionable match filter

fp IDMWORKS <fp_IDMWORKS@no-mx.forums.microfocus.com> wrote:
> Anybody know how to do an extensible match filter to return nrf based
> ID values, or DirXML-Entitlement values?


I don't think an extensible match filter will be much help here.

I usually write a script (Python is my preference right now for this) that
parses out path-style attrs and allows cross-referential checks to validate
XML content in these blobs against what is expected.

> Identity Governance reports warnings of duplicates found when doing a
> collection. It indicates a permisionId value with something like:
>
> {"permisionId"."{\"ID\".\"3069B28A954543453\",
> \"ID2"\.\"cn=costcenter-A23423423,ou=groups........
>
> I am wanting to search eDirectory against the nrf attributes or
> entitlement attributes for the ID value listed above in hopes of finding
> the duplicate assignments. However, with it being a structured attribute
> and with the nrf attributes holding data prior to the ID and after the
> ID, I can't do a *<ID value>* in the filter.


There is a path syntax magic number (that matches the namespace element no
matter what integers it is). Maybe you could combine that with a ^idvalue*

Attr=Cn=abcd#4278190086#^idvalue*

I know that works for assocs. Can't recall if it works overall.

> I'm assuming there is an OID LDAP control search..

What kind of control were you thinking of?

Alex McHugh - Knowledge Partner - Stavanger, Norway
fp_idmworks (Super Contributor)

Re: LDAP query extensionable match filter

I am not sure what control to try to use. I haven't worked with controls much. I do see Identity Governance using controls on their LDAP searches, which makes it hard to know what data it is pulling.

I like the idea of a Python script to go through it. Right now I am working around it with an Apache Directory Studio export of all nrfAssignedResources and DirXML-Entitlements to a Notepad++ file to search for the duplicate permission IDs.

I duplicated a given situation by assigning a dynamic group to an RBPM Role and then also a static assignment to the user. I will have to gather additional data and hopefully build a Python script that will do an LDAP search for you and then find and report the duplicates in a friendly format so that security teams may have an idea of where the permission is duplicated. I see some instances with a customer where they have 21 duplicate permissions. That was on a group, so there may have been some nesting or dynamic group involvement there as well, hard to say at this point.
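Both posts above lean toward a script rather than a filter. The Python below is added here as an illustration and is not either poster's code: it parses Path-syntax values of the DN#integer#XML form (the layout the reply's Cn=abcd#4278190086#... filter alludes to) into (resource DN, integer, payload), groups them per user and reports any resource assigned more than once together with the cause of each assignment. The <assignment><cause><type>/<dn> XML shape and the sample DNs are assumptions of this example, not data from the thread.

```python
# Added example (not the poster's script): parse eDirectory Path-syntax values such
# as nrfAssignedResources and report resources a user holds more than once.
# Assumed LDAP string layout: <resource DN>#<integer>#<assignment XML>; the
# <assignment><cause><type>/<dn> shape is an assumption of this example.
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
# DN runs to the first unescaped '#', then the integer, then the XML payload.
PATH_RE = re.compile(r"^(?P<dn>(?:[^#\\]|\\.)+)#(?P<num>\d+)#(?P<xml>.*)$", re.S)

def parse_path_value(value):
    """Split one Path-syntax value into (lower-cased DN, integer, payload)."""
    m = PATH_RE.match(value)
    if not m:
        raise ValueError("not a Path-syntax value: %r" % value)
    return m.group("dn").lower(), int(m.group("num")), m.group("xml")

def assignment_cause(payload):
    """Return (cause type, cause DN) from the assignment XML; ('?', '') if absent."""
    try:
        cause = ET.fromstring(payload).find("cause")
    except ET.ParseError:
        cause = None
    if cause is None:
        return ("?", "")
    return ((cause.findtext("type") or "?").upper(), cause.findtext("dn") or "")

def find_duplicate_assignments(entries):
    """{user DN: [path values]} -> {user DN: {resource DN: [causes]}}, keeping
    only resources that occur more than once on the same user."""
    report = {}
    for user_dn, values in entries.items():
        per_resource = defaultdict(list)
        for value in values:
            res_dn, _, payload = parse_path_value(value)
            per_resource[res_dn].append(assignment_cause(payload))
        dups = {r: c for r, c in per_resource.items() if len(c) > 1}
        if dups:
            report[user_dn] = dups
    return report

def format_report(report):
    """One readable line per duplicated resource, e.g. for hand-off to a security team."""
    return ["%s holds %s %d times: %s" % (u, r, len(c), ", ".join(t + ("(" + d + ")" if d else "") for t, d in c))
            for u, dups in sorted(report.items()) for r, c in sorted(dups.items())]

# Constructed sample: jdoe holds costcenter-A via role roleX and again directly.
ROLE = "<assignment><cause><type>ROLE</type><dn>cn=roleX,cn=RoleDefs,o=system</dn></cause></assignment>"
DIRECT = "<assignment><cause><type>DIRECT</type><dn/></cause></assignment>"
SAMPLE = {"cn=jdoe,ou=users,o=data": ["cn=costcenter-A,cn=ResourceDefs,o=system#0#" + ROLE,
          "cn=costcenter-A,cn=ResourceDefs,o=system#0#" + DIRECT, "cn=costcenter-B,cn=ResourceDefs,o=system#0#" + ROLE]}
```

Feeding it real data means replacing SAMPLE with a dict built from an LDAP search of users' nrfAssignedResources values; format_report(find_duplicate_assignments(...)) then yields one line per duplicate.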