Symantec IGA

attributes with two objectClasses

  • 1.  attributes with two objectClasses

    Posted May 23, 2016 08:11 AM

    Hi,

    How can provisioning happen with the attributes of two objectClasses into JNDI? I have tried 2 ways, but either way throws a malformed attribute error.

    1. two objectClasses mapped with their attributes

    2. one of the ObjectClass used with Account Screen for attribute sending into JNDI.

     

    Has anyone had experience with this kind of use case? Please advise me on this.

     

     

    Thanks.



  • 2.  Re: attributes with two objectClasses

    Posted May 23, 2016 11:29 AM

    Hello SanthoshAkula,

     

    1) As long as the objectClasses have all the required attributes, this way should work.

    2) Would you be able to elaborate on this? It looks like a mapping in Provisioning Manager is not mapped correctly. I am not sure what you mean by your statement of "one of the ObjectClass used with Account Screen for attribute sending into JNDI".

     

    Thanks,

    Andrew Nguyen



  • 3.  Re: attributes with two objectClasses

    Posted May 23, 2016 01:24 PM

    Hello Andrew,

     

    Thank you so much for the reply.

    The customer has two objectClasses whose combination has all the required attributes for LDAP. It is mandatory to use both objectClasses' attributes to provision an account in LDAP. How can I use the two objectClass attributes under the account class?

     

    Thanks again...



  • 4.  Re: attributes with two objectClasses

    Broadcom Employee
    Posted May 23, 2016 10:00 PM

    Are you using a ConnectorXpress connector? You can do multiple objectClasses from a JNDI connector based on ConnectorXpress, but you can only have one structural objectClass. This is simple JNDI standard. You can have only one objectClass as structural and others as auxiliary. Are you sure you have only one structural objectClass?



  • 5.  Re: attributes with two objectClasses

    Posted May 26, 2016 03:07 AM

    Hello Praveen,

     

    Yes, I am using ConnXP. Here I have to use two structural objectClasses ;-).

    1. One objectClass has mandatory attributes, say CN and SN.

    2. The second one has other mandatory attributes that are required for login to the application [say AID and SSO attribute, etc.].

     

    Here I have to use objectClasses 1 & 2 to create a user in their directory. Please let us know how this can be possible.

     

    Thanks again ....



  • 6.  Re: attributes with two objectClasses

    Posted May 26, 2016 09:29 AM

    The second objectclass would need to be an auxiliary objectclass and then you would add the one structural and one auxiliary objectclass. Or the second objectclass would be structural but derived from the first one and then you would only add this one derived structural objectclass.



  • 7.  Re: attributes with two objectClasses

    Posted May 26, 2016 11:28 AM

    No auxiliary objectclass is present. Only two structural.

     

    One ObjectClass - this is for user identification; by using the below attributes we can address that the user has been created with Name

         + CN - mandatory [MUST]

         + SN - mandatory [MUST]

         + user password - [MAY]

     

    Second ObjectClass

         + ID [MUST]

         + authPwd [MUST]

         + SSO attribute [MUST]

         + xxxx [MAY] etc...

     

    If you create a user in LDAP, then the user must have the attributes of both the first and the second objectClass, so that the user can access the application by authenticating with his CN+authPwd in the application form.

     

    Thanks again



  • 8.  Re: attributes with two objectClasses

    Posted Jun 16, 2016 06:32 AM

    Hi Kristen,

     

    I am still looking for an answer to this question.

    My question is: the LDAP endpoint has two objectClasses, and I want to create a user in LDAP by using those objectClasses' attributes. The same structure was explained above as a logical representation.

    Can anyone help me with this?



  • 9.  Re: attributes with two objectClasses

    Broadcom Employee
    Posted Jun 16, 2016 08:47 AM

    You will have to modify your LDAP design. You can't have two structural objectClasses. Either you club them both or make either one as auxiliary.



  • 10.  Re: attributes with two objectClasses

    Posted Jun 17, 2016 01:29 AM

    Hi Praveen,

    "Either you club them both": does it mean both objectclasses under the same name? Please confirm.

    If this is the case, then how can we proceed/build using LDAP custom endpoint creation with a clubbed structural objectclass?

     

    Your inputs will help us to proceed further with the solution.

     

    Thanks,

    Santhosh Akula



  • 11.  Re: attributes with two objectClasses

    Posted Jun 22, 2016 05:11 AM

    Hi,

    Can anyone help me with this? Any suggestions would also be helpful.

     

    Thanks again...



  • 12.  Re: attributes with two objectClasses

    Posted Jun 22, 2016 07:58 AM

    Not clear on what more you need help with. This is what I wrote back on May 26. You cannot have two structural objectclasses.

     

    The second objectclass would need to be an auxiliary objectclass and then you would add the one structural and one auxiliary objectclass. Or the second objectclass would be structural but derived from the first one and then you would only add this one derived structural objectclass.
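
An added example, not part of any post in this thread: a small Python check of the rule the replies describe, that an entry carries exactly one structural objectClass chain plus any number of auxiliary classes (RFC 4512), with all MUST attributes present. The schema, the class names (`appPerson`, `appLogin`, `appLoginAux`, `appLoginPerson`), the attribute names and the OIDs are constructed placeholders modelled on the two classes described above.

```python
import re

# Constructed schema in RFC 4512 objectClass syntax; every name and OID is hypothetical.
SCHEMA = """
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 1.3.6.1.4.1.99999.1 NAME 'appPerson' SUP top STRUCTURAL MUST ( cn $ sn ) MAY userPassword )
( 1.3.6.1.4.1.99999.2 NAME 'appLogin' SUP top STRUCTURAL MUST ( appId $ authPwd $ ssoAttr ) )
( 1.3.6.1.4.1.99999.3 NAME 'appLoginAux' SUP top AUXILIARY MUST ( appId $ authPwd $ ssoAttr ) )
( 1.3.6.1.4.1.99999.4 NAME 'appLoginPerson' SUP appPerson STRUCTURAL MUST ( appId $ authPwd $ ssoAttr ) )
"""

def parse_schema(text):
    """Map lower-cased class name -> superior, kind and MUST attributes."""
    classes = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name = re.search(r"NAME '([\w-]+)'", line).group(1)
        sup = re.search(r"\bSUP ([\w-]+)", line)
        kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", line).group(1)
        must = re.search(r"\bMUST (?:\(([^)]*)\)|([\w-]+))", line)
        attrs = (must.group(1) or must.group(2)).replace("$", " ").split() if must else []
        classes[name.lower()] = {"sup": sup.group(1).lower() if sup else None,
                                 "kind": kind, "must": [a.lower() for a in attrs]}
    return classes

def chain(classes, name):
    """Return the class followed by all of its superiors."""
    out = []
    while name:
        out.append(name)
        name = classes[name]["sup"]
    return out

def check_entry(classes, entry):
    """Return sorted violations for an entry given as {attribute: [values]}."""
    listed = [v.lower() for v in entry.get("objectClass", [])]
    errors = {f"unknown objectClass: {o}" for o in listed if o not in classes}
    ocs = [o for o in listed if o in classes]
    structural = [o for o in ocs if classes[o]["kind"] == "STRUCTURAL"]
    # Most-derived structural classes: not a superior of any other listed structural class.
    leaves = [o for o in structural
              if not any(o != p and o in chain(classes, p) for p in structural)]
    if len(leaves) != 1:
        errors.add(f"need exactly one structural chain, found {len(leaves)}")
    present = {a.lower() for a in entry}
    for o in ocs:
        for c in chain(classes, o):
            errors |= {f"missing MUST attribute: {a}"
                       for a in classes[c]["must"] if a not in present}
    return sorted(errors)

CLASSES = parse_schema(SCHEMA)
```

Listing `appPerson` with `appLogin` is reported as two structural chains, while `appPerson` with `appLoginAux`, or `appLoginPerson` alone, passes with the same attribute set.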



  • 13.  Re: attributes with two objectClasses
    Best Answer

    Broadcom Employee
    Posted Jun 22, 2016 09:35 AM

    Hi Santosh,

     

    I had a similar problem some time back with a CX LDAP endpoint. The constraint is that a connector can be built over 1 STRUC OC with multiple AUX OCs.

     

    However, you still have two options:

     

    Option 1: Two Connectors

    Create two CX JDAP custom connectors. Once created, create their separate Account Templates. While provisioning, a single Provisioning Role can be attached with these two separate Account Templates. The connector will make separate entries for CRUD operations but in a single application.

    Pros: Clean solution and easy to maintain.

    Cons: Explore & Correlate (E/C) operations have to be handled in a well-planned manner.

     

    Option 2: Operation Bindings (OB)

    Create only a single connector with any 1 STRUC OC which has the max no. of attrs. For updating the other attrs, OB needs to be used, which is nothing but JavaScript using JNDI code. JS can make entries and do CRUD operations in LDAP. Business logic has to be written for that.

    Pros: Single connector, no problem with E/C operations.

    Cons: Development code needs to be maintained and certified every time a change/upgrade happens.

     

    Hope that helps.

     

    Regards,

    Sumeet

     

     



  • 14.  Re: attributes with two objectClasses

    Broadcom Employee
    Posted Jun 22, 2016 03:57 PM

    Sumeet,


    Those are indeed very good points. Thanks for sharing them.


    Santosh,


    You can look into Sumeet's suggestion if you don't want to change the design of your LDAP (keep only structural class, rest as auxiliary).



  • 15.  Re: attributes with two objectClasses

    Posted Jun 23, 2016 06:05 AM

    Hi Sumeet,

     

    For two months I have been looking for a solution and even contacted CA support, but no luck.

    Really, I have no words to express my sincere thanks to you.

     

    Thank you so much for your valuable solution; this will help others as well.

     

    Thanks again to Sumeet and all.

     

    Thanks,

    Santhosh Akula



  • 16.  Re: attributes with two objectClasses

    Broadcom Employee
    Posted Jun 23, 2016 07:30 AM

    No problem, welcome Santosh.

     

    Regards,

    Sumeet