CA API Gateway 9.1

9.4 9.1

Write LDAP Assertion

The Write LDAP Assertion allows you to update LDAP entries and attributes on the LDAP server using LDIF. Using this assertion, you can:
gateway
The
Write LDAP Assertion 
allows you to update LDAP entries and attributes on the LDAP server using LDIF. Using this assertion, you can:
  • Create a LDAP DN/entry and create attributes (single or multi-valued) within the DN.
  • Update attributes (single or multi-valued) within the DN.
  • Modify the DN or rename the DN.
  • Delete the DN/entry and delete attributes (single or multi-valued) within the DN.
The Write LDAP assertion is intended for system administrators or technical users well versed with the LDAP structure. This assertion does not validate data against the LDAP schema before sending the update request to the LDAP server.
This assertion uses the LDAP Identity Provider to manage the connection to the LDAP server; Simple LDAP is not supported.
Prerequisites:
  • Familiarity with LDIF (click here for examples of LDIF statements)
  • Knowledge of LDAP server's schema
  • Knowledge of the structure of the LDAP tree
  • Knowledge of the required attributes when creating a container/DN/entry;
  • Required fields specified by the LDAP schema
  • The LDAP Identity Provider allows updates
Contents:
Context Variables
This assertion populates the following context variable:
Variable
Description
${
<prefix>
 
.error.msg}
Returns any errors after executing the assertion, in the raw format as provided by the LDAP provider.
Cluster Properties
None
Properties
Setting
What you should know...
LDAP Connector
Select the LDAP Identity Provider to update. Only those with write permissions are listed here.
The write permission is set in Step 1 of the LDAP Identity Provider Wizard, in the "Allow updates from" check box.
DN
Specify the DN to change here. This DN must be located with the Write Base DN specified in the LDAP Identity Provider Wizard. You may specify context variables.
Attempting to change any DN that lies outside of the permitted Write Base DN causes this assertion to fail.
Changetype
Choose the operation to perform:
Add
,
Delete
,
Modify
,
Modrdn
Attributes and Values
Set the Attributes and Values for the change types Add, Modify, and Modrdn. You may reference context variables for the Value, but not the Attribute.
Examples:
  • Attribute = 'objectClass', Value = 'posixAccount'
  • Attribute = 'sn', Value = '${uid}'
(1) You can write binary data to an attribute. The binary data can be accessed by context variables but are stored in Base64-encoded format. Append
;converttobinary
 to the attribute name. This instructs the assertion to convert the Base64-encoded data to binary when writing to the attribute. (2) For multi-valued attributes like 'description', you can add multiple entries to the list or modify multiple entries at once.
For security, you cannot enter the entire LDIF statement at once. You must enter each item separately.
Prefix
Enter a prefix to add to the context variable created by this assertion. The default prefix is
ldapWrite
.
Changetype: Add
To add an attribute:
  1. Select the Changetype
    Add
    .
  2. Click
    Add
    .
  3. Enter the Attribute and Value and click
    OK
    .
Screen Shot 11-10-17 at 08.57 AM.PNG
Changetype: Modify
To add, replace, or delete attributes:
  1. Select the Changetype
    Modify
    .
  2. Click
    Add
    .
  3. Add entries that describe the Modify operations to perform. These operations available are:
    add
    ,
    replace
    ,
    delete
    . Separate each operation with a hyphen. You can add multiple entries for attributes that are multi-valued.
write_ldap_modify_changetype.png
Changetype: Delete
To delete an LDAP Container:
  1. Enter the DN.
  2. Select Changetype
    Delete
    .
  3. Do not specify any Attributes or Values.
Example:
In the following example, the container "Heidi" specified in the DN is deleted:
Screen Shot 11-08-17 at 12.36 PM.PNG
Changetype: Modrdn
To modify the RDN or DN:
  1. Enter the DN.
  2. Select Changetype
    Modrdn
    .
  3. Add an entry with Attribute=
    newrdn
    . This attribute accepts either 'rdn' or 'dn' values. The Write LDAP assertion verifies that the DN specified is within the write base (specified in the LDAP Identity Provider Wizard).
Screen Shot 11-10-17 at 09.46 AM.PNG
Working with Binary Attributes
You can pass binary attributes to the Write LDAP assertion using context variables, in a Base64-encode format, in Base64-encoded format using context variables. To indicate that the value being set to the attribute needs to be converted to binary, append
;convertToBinary
 (not case sensitive) to the attribute name. This instructs the Gateway to convert the Base64-encoded value back to binary before sending to the LDAP provider.
The following binary attributes also require
;binary
 to be added to the attribute name:
  • userCertificate
  • cACertificate
  • authorityRevocationList
  • certificateRevocationList
  • crossCertificatePair
For more information, refer to RFC 2256.
Examples:
To add a new userCertificate attribute:
  1. Select the Changetype
    Add
    .
  2. Click
    Add
    .
  3. Enter Attribute=
    userCertificate;binary;convertToBinary
     and Value=
    ${cert}
    .
  4. Click
    OK
    .
Where the context variable "${cert}" contains the user certificate in Base64-encoded format.
To update an existing userCertificate
attribute:
  1. Select the Changetype
    Modify
    .
  2. Click
    Add
    .
  3. Enter Attribute=
    replace
     and Value=
    userCertificate;binary
  4. Enter Attribute=
    userCertificate;binary;convertToBinary
     and Value=
    ${cert}
    .
Screen Shot 11-09-17 at 11.20 AM.PNG
The following binary attributes are recognized as binary, but do
not
 require the
;binary
 suffix:
  • photo
  • personalSignature
  • audio
  • jpegPhoto
  • javaSerializedData
  • thumbnailPhoto
  • thumbnailLogo
  • userPassword
For example, to add a new
jpegPhoto
 attribute:
Screen Shot 11-09-17 at 11.24 AM.PNG
To update an existing
jpegPhoto
 attribute:
Screen Shot 11-09-17 at 11.26 AM.PNG
Frequently Asked Questions
Question
Answer
Why can't I select my LDAP Identity Provider in this assertion?
Only LDAP Identity Providers that have write permission enabled can be selected here. To do this, see Step 1 in the LDAP Identity Provider Wizard.
Can I update passwords using this assertion?
Yes, you can update passwords. They are usually located in the userPassword attribute. Note that the password is in plain text, as the assertion does not encrypt. Be sure that updating of sensitive information is done over SSL.
Can I update certificates using this assertion?
Yes, you can update certificates. They are stored in the userCertificate attribute.
I am having problems updating distinguished names.
Check that the name is in UTF-8 format. According to RFC28496, distinguished names, relative distinguished names, and attribute values of DirectoryString syntax must be valid UTF-8 strings.

Content feedback and comments