Hi Gayashan,

What is the purpose of defining the immutable attributes of Active Directory in the "Immutable Attributes" property? How is this property used?

Regards,
Johann.

On Sat, Feb 1, 2020 at 11:04 PM Gayashan Bombuwala <[email protected]> wrote:

> Hi Johann, Darshana,
>
> This was implemented in the product in [1].
> In this implementation, we introduced two hooks for processing user
> attributes at the AbstractUserStoreManager level.
>
> 1. To handle the processing of the user attributes after reading from the
> user store [2].
> 2. To handle the processing of the user attributes before writing to the
> user store [3].
>
> A unique ID variant [4], [5] of each of the above methods [2], [3] was
> introduced as well in order to comply with the new unique ID user store
> implementations.
>
> The behaviour of these hooks can be decided at a specific user store level.
> As per the implementation [1], we have implemented the behaviour of these
> hooks in UniqueIDActiveDirectoryUserStoreManager and
> ActiveDirectoryUserStoreManager [6], [7].
>
> We have introduced two new user store properties to support the
> implementation.
> 1. Immutable Attributes
> 2. Timestamp Attributes
>
> The Immutable Attributes property is used to identify the user store
> maintained immutable attributes in Active Directory such as objectGuid,
> whenChanged, whenCreated.
> The Timestamp Attributes property is used to identify the attributes in
> Active Directory which belong to the "Generalized Time" data type and need
> to be converted to the standard date format before being used within WSO2 IS
> (e.g. whenChanged, whenCreated).
> The usage of these two user store properties is documented in [8].
>
> [1] https://github.com/wso2/carbon-kernel/pull/2514
> [2] https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L7488
> [3] https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L7500
> [4] https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L7512
> [5] https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L7524
> [6] https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/UniqueIDActiveDirectoryUserStoreManager.java#L912
> [7] https://github.com/wso2/carbon-kernel/blob/b5048093ea69a24a24a71e99e62e4b1dfc412796/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/UniqueIDActiveDirectoryUserStoreManager.java#L935
> [8] https://is.docs.wso2.com/en/latest/setup/configuring-a-read-write-active-directory-user-store/#properties-used-in-read-write-active-directory-userstore-manager
>
> Best Regards,
> Gayashan
>
> On Sat, Feb 1, 2020 at 9:13 PM Darshana Gunawardana <[email protected]>
> wrote:
>
>> Hi Gayashan,
>>
>> Is this implemented in the product now? If so can you share details on
>> the final approach you took.
>>
>> Thanks,
>>
>> On Thu, Jan 2, 2020 at 9:37 AM Johann Nallathamby <[email protected]>
>> wrote:
>>
>>> Hi Gayashan,
>>>
>>> On Tue, Dec 3, 2019 at 6:54 PM Gayashan Bombuwala <[email protected]>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Currently when managing users in the Active Directory user store with SCIM,
>>>> we have mapped the SCIM core attributes to different attributes [1, 2]
>>>> supported by SCIM.
>>>>
>>>> e.g. urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute) ->
>>>> http://wso2.org/claims/userid (local claim) -> homePostalAddress
>>>> (Active Directory attribute)
>>>>
>>>> However, there is a set of attributes maintained by Active Directory
>>>> which we can use to map some of the core SCIM attributes. We have considered
>>>> the following attributes for the moment.
>>>>
>>>> 1. objectGuid (AD maintained attribute) ->
>>>> urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)
>>>> 2. whenCreated (AD maintained attribute) ->
>>>> urn:ietf:params:scim:schemas:core:2.0:created (SCIM attribute)
>>>> 3. whenModified (AD maintained attribute) ->
>>>> urn:ietf:params:scim:schemas:core:2.0:lastModified (SCIM attribute)
>>>>
>>>> We need to handle the mapping of these attributes in two scenarios.
>>>>
>>>> 1. When reading values from the user store.
>>>> 2. When writing values to the user store.
>>>>
>>>> When reading from the user store we can introduce a hook to handle the
>>>> mapping of these special attributes. We can implement the hook in
>>>> AbstractUserStoreManager since local claim to user store property mapping
>>>> is done at that [4] level. When the attributes are mapped we may need to do
>>>> a conversion between data types for some attributes (e.g. the objectGuid
>>>> property is stored in AD as an octetString [3]). This hook will be a method
>>>> with the following signature.
>>>>
>>>> protected void processRetrievedSpecialClaims (Map<String, String>
>>>> specialClaims)
>>>>
>>>
>>> Why do we need to have "special" in the method name?
>>> Shouldn't all
>>> attribute processing go through this method? Why limit this to certain
>>> claims? We don't need to decide beforehand what claims have to go through
>>> this method. If someone wants to handle a certain claim in a special way later
>>> on they can extend this particular method.
>>>
>>> Regards,
>>> Johann.
>>>
>>>>
>>>> However, when writing values to the user store, we need to handle the
>>>> special claims at the user store level [5]. We can do data type conversion
>>>> for special claim values here as well if required.
>>>> We will introduce an abstract hook at the AbstractUserStoreManager
>>>> level but will provide separate implementations at the user store level.
>>>> This hook will be a method with the following signature.
>>>>
>>>> protected void processSpecialClaimsForUpdating (Map<String, String>
>>>> specialClaims)
>>>>
>>>> Note that the above mentioned new behaviour will only be executed if a
>>>> specific user store property is enabled.
>>>> Please let us know if you have any concerns regarding this approach.
>>>>
>>>> Best Regards,
>>>> Gayashan
>>>>
>>>> [1] https://docs.wso2.com/display/IS570/Configuring+Active+Directory+User+Stores+for+SCIM+2.0+based+Inbound+Provisioning
>>>> [2] http://www.kouti.com/tables/userattributes.htm
>>>> [3] https://docs.microsoft.com/en-us/windows/win32/adschema/s-string-octet
>>>> [4] https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L5388
>>>> [5] https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ActiveDirectoryUserStoreManager.java#L616
>>>>
>>>> --
>>>> Gayashan Bombuwala
>>>> Software Engineer | WSO2
>>>> Email: [email protected]
>>>> Phone: +94770548334
>>>
>>> --
>>> Johann Dilantha Nallathamby | Associate Director/Solutions Architect | WSO2 Inc.
>>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
>>
>> --
>> Regards,
>> Darshana Gunawardana
>> Technical Lead
>> WSO2 Inc.; http://wso2.com
>> E-mail: [email protected]
>> Mobile: +94718566859
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
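As an added illustration (not WSO2 code and not part of the original thread), here is a small Python model of the two hooks and the two user store properties Gayashan describes: the read-side hook converts the objectGuid octet string and the Generalized Time attributes into SCIM-friendly values, and the write-side hook keeps AD-maintained immutable attributes out of an update. The attribute names mirror the thread; the property values, the sample record and the decision to drop immutable attributes on write are assumptions.

```python
"""Model of the read/write user attribute hooks discussed in the thread.
Constructed example; not the carbon-kernel implementation."""
import uuid
from datetime import datetime, timezone

# Assumed values for the "Immutable Attributes" and "Timestamp Attributes"
# user store properties from the thread.
IMMUTABLE_ATTRIBUTES = {"objectGuid", "whenCreated", "whenChanged"}
TIMESTAMP_ATTRIBUTES = {"whenCreated", "whenChanged"}


def generalized_time_to_iso(value: str) -> str:
    """Convert an AD Generalized Time string (e.g. 20200201230400.0Z) to
    ISO 8601 UTC, the form SCIM 'created'/'lastModified' use."""
    fmt = "%Y%m%d%H%M%S.%fZ" if "." in value else "%Y%m%d%H%M%SZ"
    dt = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    return dt.isoformat().replace("+00:00", "Z")


def object_guid_to_string(raw: bytes) -> str:
    """objectGuid is a 16-byte octet string in Microsoft's mixed-endian GUID
    layout; bytes_le reorders it into the canonical text form."""
    if len(raw) != 16:
        raise ValueError("objectGuid must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def process_retrieved_attributes(attrs: dict) -> dict:
    """Read-side hook: normalise AD-maintained values after reading."""
    out = dict(attrs)
    if isinstance(out.get("objectGuid"), bytes):
        out["objectGuid"] = object_guid_to_string(out["objectGuid"])
    for name in TIMESTAMP_ATTRIBUTES & set(out):
        out[name] = generalized_time_to_iso(out[name])
    return out


def process_attributes_for_update(attrs: dict) -> tuple:
    """Write-side hook: drop attributes AD maintains itself so a SCIM
    PUT/PATCH never tries to overwrite them. Returns (cleaned, dropped)."""
    dropped = sorted(IMMUTABLE_ATTRIBUTES & set(attrs))
    cleaned = {k: v for k, v in attrs.items() if k not in IMMUTABLE_ATTRIBUTES}
    return cleaned, dropped
```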
