
Every now and then you need to access AD/LDAP from IDM within a script. In a recent case, we needed to find out whether a user in IDM already had an Active Directory account, so I wrote this script to check. The script uses three separate attributes to look for a match: MSKEYVALUE, DISPLAYNAME and EMAIL. Why these three? Mostly because in our use case two of the attributes were guaranteed to be unique (one by IDM, one by AD) and the third attribute was designed to be unique by the process used to create it. Normally, DISPLAYNAME is not guaranteed to be unique in IDM, nor in most other applications.

 

The script itself is designed to be called from a To Identity Store pass, with the attributes to be checked passed in as a single multi-valued parameter separated by '!!', as follows:

 

[Screenshot: toIDS for uGetLDAPDN.png]

Note that I've also updated DESCRIPTION so that the IDM administrator can tell that this account will probably need to be checked to make sure that the correct match was made. You might want to use other means of calling this out depending on the use case.

 

Here is the script that I developed:

 

// Main function: Z_GetDN

function Z_GetDN(Par){

//Usage: OutString = Z_GetDN("<MSKEYVALUE>!!<DISPLAYNAME>!!<EMAIL>");
//Each lookup below calls the built-in uLDAPGetDN(<LDAP URL>, <login>, <password>).

//LDAP Search components
var LDAP_SEARCH = "?distinguishedName?sub?";
var LDAP_SEARCHURL = "ldap://" + "%$rep.LDAP_HOST%" + ":" + "%$rep.LDAP_PORT%" + "/" + "%$rep.LDAP_STARTING_POINT%" + LDAP_SEARCH;

//Check if we have a "good" value. For our purposes good is the first one we find.
//While noDataFlag is 0, we HAVE NOT found a good value.
var noDataFlag = 0;

//This will hold the returned DN:
var ReturnedDN = '';

//Split and work with the incoming parameter (declared with var so it stays local to this function)
var ParData = Par.split('!!');

//MSKEYVALUE (each part is guarded so a parameter with fewer than three parts does not throw)
var strMSKEYVALUE = ParData.length > 0 ? ParData[0] : '';
if (strMSKEYVALUE.length > 0 && noDataFlag == 0){
    var EmployeeID_LDAP = LDAP_SEARCHURL + "(employeeID=" + strMSKEYVALUE + ")";
    var EmployeeID_DN = uLDAPGetDN(EmployeeID_LDAP,"%$rep.LDAP_LOGIN%","%$rep.LDAP_PASSWORD%");
    //Check to make sure the returned value is not an error.
    if (EmployeeID_DN != '!ERROR: #0'){
        uWarning ("Match in Directory found for strMSKEYVALUE.");
        uWarning ("strMSKEYVALUE: " + strMSKEYVALUE);
        uWarning ("EmployeeID_LDAP: " + EmployeeID_LDAP);
        uWarning ("EmployeeID_DN=" + EmployeeID_DN);
        ReturnedDN = EmployeeID_DN;
        noDataFlag = 1;
    } else {
        noDataFlag = 0;
    }
}

//DISPLAYNAME
var strDISPLAYNAME = ParData.length > 1 ? ParData[1] : '';
if (strDISPLAYNAME.length > 0 && noDataFlag == 0){
    var DisplayName_LDAP = LDAP_SEARCHURL + "(displayname=" + strDISPLAYNAME + ")";
    var DisplayName_DN = uLDAPGetDN(DisplayName_LDAP,"%$rep.LDAP_LOGIN%","%$rep.LDAP_PASSWORD%");
    //Check to make sure the returned value is not an error.
    if (DisplayName_DN != '!ERROR: #0'){
        uWarning ("Match in Directory found for strDISPLAYNAME.");
        uWarning ("strDISPLAYNAME: " + strDISPLAYNAME);
        uWarning ("DisplayName_LDAP: " + DisplayName_LDAP);
        uWarning ("DisplayName_DN=" + DisplayName_DN);
        ReturnedDN = DisplayName_DN;
        noDataFlag = 1;
    } else {
        noDataFlag = 0;
    }
}

//EMAIL
var strEMAIL = ParData.length > 2 ? ParData[2] : '';
if (strEMAIL.length > 0 && noDataFlag == 0){
    //LDAP_SEARCHURL already ends with the "?distinguishedName?sub?" component, so only the filter is appended here.
    var Email_LDAP = LDAP_SEARCHURL + "(mail=" + strEMAIL + ")";
    var Email_DN = uLDAPGetDN(Email_LDAP,"%$rep.LDAP_LOGIN%","%$rep.LDAP_PASSWORD%");
    //Check to make sure the returned value is not an error.
    if (Email_DN != '!ERROR: #0'){
        uWarning ("Match in Directory found for strEMAIL.");
        uWarning ("strEMAIL: " + strEMAIL);
        uWarning ("Email_LDAP: " + Email_LDAP);
        uWarning ("Email_DN=" + Email_DN);
        ReturnedDN = Email_DN;
        noDataFlag = 1;
    } else {
        noDataFlag = 0;
    }
}

if (noDataFlag == 0){
    uWarning ("No match found in the Directory for the specified attributes.");
    uWarning ("DATA: " + Par);
    ReturnedDN = "!DN Not Found";
}

//Return the results
return ReturnedDN;

}

 

Now let's break this script up into sections so that we can find out what makes it tick...

 

In the first section not too much is happening, just declaring some variables that we'll use later on. Possibly the most exciting thing here is that we set up the LDAP search components. I broke out the LDAP_SEARCH component from LDAP_SEARCHURL for flexibility, mostly to make it easier to change the returned attributes if needed for future versions or variants of this script.

 

function Z_GetDN(Par){

//Usage: OutString = Z_GetDN("<MSKEYVALUE>!!<DISPLAYNAME>!!<EMAIL>");
//Each lookup below calls the built-in uLDAPGetDN(<LDAP URL>, <login>, <password>).

//LDAP Search components
var LDAP_SEARCH = "?distinguishedName?sub?";
var LDAP_SEARCHURL = "ldap://" + "%$rep.LDAP_HOST%" + ":" + "%$rep.LDAP_PORT%" + "/" + "%$rep.LDAP_STARTING_POINT%" + LDAP_SEARCH;

//Check if we have a "good" value. For our purposes good is the first one we find.
//While noDataFlag is 0, we HAVE NOT found a good value.
var noDataFlag = 0;

//This will hold the returned DN:
var ReturnedDN = '';

 

The next section simply splits the incoming parameter into its component parts; we'll be working with them shortly.

 

//Split and work with the incoming parameter (declared with var so it stays local to this function)
var ParData = Par.split('!!');

 

Told you it would not be long; here we are dealing with the first part of the string. You can see that the first thing we do is make sure we obtained some sort of data by checking that we have a populated string. We also check the setting of the variable noDataFlag. If this is all good, we can go ahead and build out the complete LDAP query and submit it from the script via the built-in uLDAPGetDN function.

 

Once this is done, we will evaluate the results and if no error is found, the ReturnedDN variable is updated along with the noDataFlag so that the other queries in this script will not be executed.

 

//MSKEYVALUE (each part is guarded so a parameter with fewer than three parts does not throw)
var strMSKEYVALUE = ParData.length > 0 ? ParData[0] : '';
if (strMSKEYVALUE.length > 0 && noDataFlag == 0){
    var EmployeeID_LDAP = LDAP_SEARCHURL + "(employeeID=" + strMSKEYVALUE + ")";
    var EmployeeID_DN = uLDAPGetDN(EmployeeID_LDAP,"%$rep.LDAP_LOGIN%","%$rep.LDAP_PASSWORD%");
    //Check to make sure the returned value is not an error.
    if (EmployeeID_DN != '!ERROR: #0'){
        uWarning ("Match in Directory found for strMSKEYVALUE.");
        uWarning ("strMSKEYVALUE: " + strMSKEYVALUE);
        uWarning ("EmployeeID_LDAP: " + EmployeeID_LDAP);
        uWarning ("EmployeeID_DN=" + EmployeeID_DN);
        ReturnedDN = EmployeeID_DN;
        noDataFlag = 1;
    } else {
        noDataFlag = 0;
    }
}

 

The next two blocks of code deal with DISPLAYNAME (ParData[1]) and EMAIL (ParData[2]) and are set up in the same fashion as above so I will not break them out in this posting to save space. This brings us to the final block of code, which sets the ReturnedDN value to "!DN Not Found" if we have not made a match.  Then we simply return the value of ReturnedDN to IDM.

 

if (noDataFlag == 0){
    uWarning ("No match found in the Directory for the specified attributes.");
    uWarning ("DATA: " + Par);
    ReturnedDN = "!DN Not Found";
}

//Return the results
return ReturnedDN;

}
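As an added example that is not part of the original post: the same first-match logic in plain JavaScript, but with each attribute value escaped per RFC 4515 before it is placed into the filter, so a display name or e-mail address containing characters such as ( ) * or \ cannot change the meaning of the query or match the wrong object. The directory call is passed in as a function (a constructed in-memory stand-in here) so the block runs offline; in IDM you would pass a wrapper around uLDAPGetDN with the same login and password arguments the script uses. The base URL, DNs and employee IDs below are constructed sample values.

```javascript
// Added example (not the post's code): first-match DN lookup with RFC 4515
// filter escaping. Written in ES5-style JavaScript so it is close to what an
// IDM script engine accepts; run as-is under Node for the offline demo.

var LDAP_ERROR = '!ERROR: #0';          // error marker the post's script checks for
var NOT_FOUND = '!DN Not Found';        // value the post's script returns on no match

// RFC 4515: backslash, parentheses, asterisk and NUL in a filter value must be
// written as a backslash followed by two hex digits.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16);
    return '\\' + (hex.length < 2 ? '0' + hex : hex);
  });
}

// Same shape as the post: base URL (already ending in "?distinguishedName?sub?")
// plus one equality filter. Only the value is escaped; the attribute name is fixed.
function buildSearchUrl(baseUrl, attribute, value) {
  return baseUrl + '(' + attribute + '=' + escapeLdapFilterValue(value) + ')';
}

// Same order as the post: employeeID from MSKEYVALUE, then displayName, then mail.
var ATTRIBUTE_ORDER = [['employeeID', 0], ['displayName', 1], ['mail', 2]];

// par is the "A!!B!!C" parameter; lookup(url) stands in for uLDAPGetDN.
function findFirstDn(par, baseUrl, lookup) {
  var parts = par.split('!!');
  for (var i = 0; i < ATTRIBUTE_ORDER.length; i++) {
    var attribute = ATTRIBUTE_ORDER[i][0];
    var index = ATTRIBUTE_ORDER[i][1];
    var value = index < parts.length ? parts[index] : '';
    if (value.length === 0) { continue; }         // empty component: skip, no query
    var dn = lookup(buildSearchUrl(baseUrl, attribute, value));
    if (dn !== LDAP_ERROR) { return dn; }          // first hit wins, as in the post
  }
  return NOT_FOUND;
}

// Constructed stand-in for the directory: exact URL -> DN, anything else is an error.
var BASE_URL = 'ldap://dc.example.test:389/DC=example,DC=test?distinguishedName?sub?';
var FAKE_DIRECTORY = {};
FAKE_DIRECTORY[BASE_URL + '(employeeID=10042)'] = 'CN=Ann Example,OU=Staff,DC=example,DC=test';
FAKE_DIRECTORY[BASE_URL + '(mail=bob@example.test)'] = 'CN=Bob Example,OU=Staff,DC=example,DC=test';
function fakeLookup(url) {
  return Object.prototype.hasOwnProperty.call(FAKE_DIRECTORY, url) ? FAKE_DIRECTORY[url] : LDAP_ERROR;
}
```

A value of "*" for DISPLAYNAME becomes the literal filter "(displayName=\2a)" rather than a wildcard, which is the behaviour you want when the result is used to link an IDM entry to an AD account.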

 

Our work is complete.  Hope this helps someone out!
