4 Replies Latest reply on Aug 31, 2010 7:02 PM by artmunro

Ldap (Active Directory) fields and user attributes

javaspack Apr 12, 2010 6:46 PM

I have a test GateIn implementation using Active Directory on JBoss 5.1. I can login and see the AD users in the portal and everything seems to be good.

However, I would like to retrieve additional data from AD for my users but am unable to get them to show up. Anytime I view a user's profile (under Group/Orgainization/Users and group management), the new data is not there. It looked as simple as adding another <attribute> to the USER identity object. By default, there are 3 attributes for the User object (firstName, lastName and email)

Specifically, what I would like to is retrieve the 'title' field from AD and use it for the 'Job Title' field for the user in the portal. What I did was add a new attribute to the list of attributes that looks like this:

<code>

              <attribute>
                <name>jobTitle</name>
                <mapping>title</mapping>
                <type>text</type>
                <isRequired>false</isRequired>
                <isMultivalued>false</isMultivalued>
                <isReadOnly>false</isReadOnly>
                <isUnique>true</isUnique>
              </attribute>

</code>

I have also tried postalCode, phoneNumber and few others just to see if I could any of them to work. Is this even possible?

1. Re: Ldap (Active Directory) fields and user attributes

javaspack Apr 12, 2010 7:20 PM (in response to javaspack)

Looks like I found a partial answer. The 'name' attribute needs to match some constant from the P3PConstants class
(http://docs.jboss.org/jbportal/v2.7.0/javadoc-bundle/common/constant-values.html). Even though the docs is from v2.7, it still appears to work.

However, looking at the 3 default mappings, they don't use those constants. Based on what I'm using, the name 'firstName' should be 'user.name.given' and not just firstName. Do those 3 default mappings not work?

Based on this, I'm not sure I understand how the whole attribute/mapping is supposed to work.
Actions

2. Re: Ldap (Active Directory) fields and user attributes

bdaw Apr 13, 2010 2:58 AM (in response to javaspack)

I'm affraid that management portlet displays only hardcoded attributes defined in the UserProfile interface. Attributes that you map in the configuration should be available using the API:

PortalContainer container = PortalContainer.getInstance();
OrganizationService orgService = (OrganizationService) container.getComponentInstanceOfType(OrganizationService.class);

UserHandler userHandler = orgService.getUserHandler();
User user = userHandler.findUserByName(request.getUserPrincipal().getName());

UserProfileHandler profileHandler = orgService.getUserProfileHandler();
UserProfile profile = profileHandler.findUserProfileByName(user.getUserName());

3. Re: Ldap (Active Directory) fields and user attributes

javaspack Apr 14, 2010 5:46 PM (in response to bdaw)
Maybe I'm not being clear, which I often do.

I am trying to modify the picketlink-idm-ad-sso-ro-config.xml so that I can retrieve additional user data from Active Directory.
In this file, under

   <identity-object-type>
      <name>USER</name>

there is a user attribute defined:

       <attribute>
         <name>firstName</name>
         <mapping>givenName</mapping>
         <type>text</type>
         <isRequired>false</isRequired>
         <isMultivalued>false</isMultivalued>
         <isReadOnly>false</isReadOnly>
       </attribute>

So, using that example, I added one of my own:

       <attribute>
         <name>user.employer</name>
         <mapping>company</mapping>
         <type>text</type>
         <isRequired>false</isRequired>
         <isMultivalued>false</isMultivalued>
         <isReadOnly>false</isReadOnly>
         <isUnique>true</isUnique>
       </attribute>

I was unable to get this to work until I set <name> to be user.employer. Now it works just like I want. This value shows up when I edit the user profile, but it won't let me change it in the Admin UI. I have to change it in AD. However, any value that I don't define in the attributes CAN be changed in the admin UI.

This allows me to use AD as the main repository where user data is stored across applications (very good), while allowing me to modify portal specific properties, or those I don't want to retrieve from AD with the Admin UI.

I have tested this and can find no problems with it. I have used several of the constants from the P3PConstants class, and in each case it gets my data from AD.

Howerver, based on your response Boleslaw, this shouldn't work? The fact that is does is great. My only problem was finding that constants file to figure out what value I should be using.
Actions
4. Re: Ldap (Active Directory) fields and user attributes

artmunro Aug 31, 2010 7:02 PM (in response to javaspack)

Any chance you figured out what the additional attribute names are? Please see my posting...
http://community.jboss.org/message/559907

Im also mapped to LDAP and want to store all the user info in the LDAP

thanks,
Art
Actions

Go to original post