How To Add inetOrgPerson objectClass to all Users Created with a Custom JNDI Connector

Part Two

Problem Statement

When you create a connector for an LDAP directory with Symantec Identity Manager Connector Xpress, it will be able to create, manage and delete entries in your target LDAP without issue. The problem that may not be immediately apparent, however, is that the connector adds users with only the object classes defined within the connector itself. Based on our previous example, the connector will not add objectClass=inetOrgPerson, and this can be a problem for downstream consumers.

In our previous article, we added users with the structural class imUser and the auxiliary class imUserAux. Under normal LDAP rules this is fine: the superclasses are implied by the structural class and do not need to be listed. However, some applications look specifically for users with objectClass=inetOrgPerson in the entry. Out of the box, Connector Xpress cannot add inetOrgPerson to the list of object classes for managed users, because it only manages the classes defined in your connector metadata. There is, however, an interesting workaround: add inetOrgPerson to the object class list of every LDAP entry managed by your custom connector.

The remainder of this document explains how to add inetOrgPerson as one of the object classes when adding users via a Connector Xpress connector that only addresses the imUser and imUserAux object classes. These steps document how to edit the dynamic connector metadata. Every screen in the UI will warn against doing this. It is fine as long as you understand what you are doing and edit exactly as directed.

Use Case

You have previously created an LDAP connector. You have specified the object classes that Connector Xpress allows (which does not include inetOrgPerson), but you need every new entry to list that object class explicitly for the downstream consumers of this external LDAP directory.

Need to Know

These steps rely on the implementer having knowledge of Connector Xpress and modifying and deploying connectors generated with Connector Xpress. For full documentation, please refer to this document.

Prerequisites

You already have a JNDI connector that follows a format similar to what has been described in Part A (Create and Deploy a Custom LDAP Connector to Manage an Additional Symantec Identity Suite User Directory) of this two-part Connector Definition series.

The remainder of these instructions presume you are editing an existing JNDI connector that does not yet support adding a specific object class entry for inetOrgPerson as an object class.

Note: For the remainder of this document, we will be working with a connector named “ESI External User Store”. In your environment, you will be working against the connector that you have previously created and want to add the support to add inetOrgPerson for all entries.

Instructions

Add inetOrgPerson as an Object Class

Connector Xpress does not directly support adding inetOrgPerson within the UI, so these next steps show how to edit the connector metadata directly and add it.

While editing your existing deployed JNDI connector, which may have started with only the structural class imUser and the auxiliary class imUserAux (or possibly other classes), add an additional auxiliary class (in our case we will use dxRoleBasedConfig).

Note: you can choose any additional auxiliary class. Keep track of the class you use and replace dxRoleBasedConfig while following the remaining steps.

Select the object class by clicking the Auxiliary drop-down field.

After the addition of this extra class, your connector screen should look like:

Redeploy the connector with this simple change and retest the basic functionality of your existing connector to ensure that adding the additional class has not affected your original work.

Edit and Redeploy the Metadata

Edit

We will now “convert” dxRoleBasedConfig to inetOrgPerson. This involves getting into the screens that Connector Xpress says “don’t do”.

On the right-hand side of the Connector Xpress screen, select your endpoint, right-click and select “Edit metadata…”.

Expand your connector type (in our example ESI External User Store).

Now we will look for and edit two entries within the metadata that specifically reference “dxRoleBasedConfig” (or whichever auxiliary class you selected above). These entries are found under:

<namespaceName> / Classes / eTDYNAccount / Metadata / connectorMapToAuxiliary 

and

<namespaceName> / Classes / eTDYNAccount / Properties / Metadata / defaultPolicyValue 

Expand Classes / eTDYNAccount / Metadata / connectorMapToAuxiliary.

Change the string value dxRoleBasedConfig to inetOrgPerson.

Expand Classes / eTDYNAccount / Properties / Metadata / defaultPolicyValue. Again, change the string value dxRoleBasedConfig to inetOrgPerson.

The resulting screen will look like:

Deploy and Test

Deploy again (the metadata should auto-update, but deploy again to be certain) and then open the metadata editor again (as described above) to confirm that these changes have persisted to the Provisioning Server.

Perform additional testing including adding users to a Role for this endpoint. Ensure that the users created in the endpoint contain all the object classes, including inetOrgPerson.
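A quick way to verify both the metadata edit above and the end result of the deploy is to export the managed subtree and check every connector-created entry for an explicit inetOrgPerson value. The script below is an added example, not part of the original article or of Connector Xpress. It assumes the export is LDIF text such as `ldapsearch -LLL` produces, that imUser is the connector's structural class (as in this series), and uses a small constructed sample in place of a real export.

```python
"""Report connector-managed LDAP entries that lack an explicit inetOrgPerson objectClass.

Added example (not from the original article). It parses LDIF text, such as the
output of `ldapsearch -LLL`, and flags every entry carrying the connector's
structural class (imUser) whose objectClass list does not explicitly contain
inetOrgPerson. Downstream consumers filtering on (objectClass=inetOrgPerson)
would silently miss such entries.
"""
import base64

REQUIRED_CLASSES = {"inetOrgPerson"}   # classes every managed entry must list explicitly
STRUCTURAL_CLASS = "imUser"            # structural class used by the connector in this series


def parse_ldif(text):
    """Parse minimal LDIF into a list of (dn, {attribute: [values]}).

    Handles folded continuation lines (leading space) and base64 values
    (`attr:: base64`). Comment and version lines are ignored. This is a
    deliberately small parser for exports, not a full LDIF implementation.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():                 # blank line terminates an entry
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, rest = line.partition(":")
        attr = attr.strip().lower()
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr == "dn":
            if current:
                entries.append(current)
            current = (value, {})
            continue
        if current is not None:
            current[1].setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def find_missing_object_classes(ldif_text, required=REQUIRED_CLASSES, structural=STRUCTURAL_CLASS):
    """Return {dn: [missing classes]} for connector-managed entries.

    Only entries whose objectClass list contains `structural` are considered,
    so unrelated entries in the same export (service accounts, OUs) are skipped.
    Comparison is case-insensitive, as objectClass values are in LDAP.
    """
    missing = {}
    for dn, attrs in parse_ldif(ldif_text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if structural.lower() not in classes:
            continue
        lacking = sorted(c for c in required if c.lower() not in classes)
        if lacking:
            missing[dn] = lacking
    return missing


# Constructed sample export: one entry created after the metadata edit (has
# inetOrgPerson), one created before it (lacks it), and one unrelated entry.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: top
objectClass: imUser
objectClass: imUserAux
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe

dn: uid=msmith,ou=users,dc=example,dc=com
objectClass: top
objectClass: imUser
objectClass: imUserAux
uid: msmith
cn:: TWFyayBTbWl0aA==
sn: Smith

dn: cn=service-account,ou=system,dc=example,dc=com
objectClass: top
objectClass: applicationProcess
cn: service-account
"""

if __name__ == "__main__":
    for dn, lacking in find_missing_object_classes(SAMPLE_LDIF).items():
        print(f"{dn}: missing {', '.join(lacking)}")
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; an empty result after the redeploy, and a non-empty one for entries created before it, confirms the metadata change took effect and shows which older entries still need inetOrgPerson added.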

Create Screens and Tasks for Symantec Identity Manager

Follow the Connector Xpress guide to create Roles/Tasks/Screens. The steps are explained in further detail in the guide.

As a summary (specific to the Symantec Identity Suite vApp; your paths on a standalone install will be different):

Generate and Copy:

cd /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/RoleDefinitionGenerator/bin

./RoleDefGenerator.sh -h <server> -u etaadmin "ESI External User Store"

Copy the generated ESI_External_User_Store.jar into the user console library directory:

cp ESI_External_User_Store.jar /opt/CA/VirtualAppliance/custom/IdentityManager/iam_im.ear_user_console.war_WEB-INF_lib

Restart the app server(s).

Deploy

Finally, go into the Symantec Identity Manager Management Console UI. Navigate to Environments > identityEnv (or the name of your IME if not the vApp) > Role and Task Settings. Click Import… and check the box beside ESI External User Store (or the name you set for your endpoint). The first time, there won’t be an Installed Version listed. If this connector is an update, remember to bump the version number within the Connector Xpress UI so that the app server detects a change and loads the latest information.

Conclusion

You should now have a custom JNDI connector that supports creating and managing an external LDAP directory and that automatically adds inetOrgPerson as a managed objectClass for new entries created via the connector.

Looking for additional help with a custom JNDI connector or Symantec Identity Manager? ISX is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including identity management. Take your interoperability to the next level, and contact an ISX consultant today.
