This topic has 3 replies, 2 voices, and was last updated 6 years, 5 months ago by ipulkit.

  • #10191
     ipulkit
    Participant

    I was wondering how patching a managed user with a different ldapGroup works when ldapGroups is not even a part of the managed user schema, and yet is somehow present in the mapping.

    I might be missing an obvious point; please enlighten me!

    #10217
     laurent.bristiel
    Participant

    Hi,
    ldapGroups is indeed not defined in the managed.json schema, but it does not matter because any property can be used in our managed objects (https://forgerock.org/openidm/doc/bootstrap/integrators-guide/#working-with-managed-users mentions the way objects are stored). The schema just defines a list of meta-information and constraints/policy on some of the properties, but you can use any other property. Note that in a properly configured environment, the schema would probably define all the properties that your system will use. Note also that if you use explicit mapping you cannot use properties that were not properly created in the schema (explicit mapping: https://forgerock.org/openidm/doc/bootstrap/integrators-guide/index.html#explicit-mappings).
    Hope this helps,
    Laurent
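As an added illustration of the point above (not code from the thread or from ForgeRock), the check below lists every mapping target written into a managed object that the object's schema never declares, so such properties can be added to the schema before policy is relied on or explicit mapping is enabled. The managed.json and sync.json fragments are constructed samples, and their shape is assumed to follow the OpenIDM layout of the time.

```python
import json

# Constructed managed.json fragment: the "user" schema declares only two properties.
MANAGED_JSON = json.loads("""
{ "objects": [ { "name": "user",
    "schema": { "properties": {
        "userName": {"type": "string"},
        "mail": {"type": "string"} } } } ] }
""")

# Constructed sync.json fragment: the LDAP mapping also writes ldapGroups.
SYNC_JSON = json.loads("""
{ "mappings": [ { "name": "systemLdapAccounts_managedUser",
    "source": "system/ldap/account", "target": "managed/user",
    "properties": [
        {"source": "uid", "target": "userName"},
        {"source": "mail", "target": "mail"},
        {"source": "ldapGroups", "target": "ldapGroups"} ] } ] }
""")


def schema_properties(managed_json, object_name):
    """Return the property names managed.json declares for one managed object."""
    for obj in managed_json.get("objects", []):
        if obj.get("name") == object_name:
            return set(obj.get("schema", {}).get("properties", {}).keys())
    raise KeyError(f"managed object {object_name!r} not found in managed.json")


def undeclared_targets(managed_json, sync_json):
    """Map each mapping name to the top-level target attributes it writes into a
    managed object without the schema declaring them. Such attributes still sync
    under the generic repo layout but carry no policy and fail under explicit mapping."""
    result = {}
    for mapping in sync_json.get("mappings", []):
        target = mapping.get("target", "")
        if not target.startswith("managed/"):
            continue  # only managed objects have a managed.json schema
        declared = schema_properties(managed_json, target.split("/", 1)[1])
        missing = sorted({p["target"].split("/")[0]
                          for p in mapping.get("properties", [])
                          if p["target"].split("/")[0] not in declared})
        if missing:
            result[mapping["name"]] = missing
    return result


if __name__ == "__main__":
    print(undeclared_targets(MANAGED_JSON, SYNC_JSON))
```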

    #10220
     ipulkit
    Participant

    Your response comes at a great time! I was going through sample 2d and it made me completely lose the sense of know-how I have attained during a considerable course of time (still a long way to go, make that double long :D)

    On sample 2d, the managed object group has a blank schema when you open the managed.json but now I know how it manages to work anyway.

    I will come back to you with more clarifications after I am done fully comprehending your explanation.

    #10227
     ipulkit
    Participant

    Another point is, there is no way one would be able to pull this off via the GUI. The target/source properties would not show up in the list when you try adding attributes to a mapping. FR did the restraining there, but it's inconsistent as a whole, like another AD recon issue I have reported (bypasses schema policies).
