ForgeRock Identity Platform 7.5

Custom attributes

These sample deployments demonstrate using DS as a shared identity store for AM and IDM. The DS setup profile that configures DS as a shared identity store defines all the platform attributes required by AM and IDM.

Many deployments use additional custom attributes in identity profiles. The following examples show how to add a custom attribute, and how to configure AM and IDM to use it.

This example adds a custom attribute that the platform can retrieve with a user profile. This custom attribute is not searchable, and therefore not indexed.

Before you start, create a demo account for test purposes in your sample deployment:

  1. Browse to the platform End User UI page of the sample deployment, and click Create an account.

  2. Create a user with user identifier demo, and whatever other attributes you like.

  3. Find this user’s entry in the DS shared identity repository:

    /path/to/opendj/bin/ldapsearch \
    --hostname directory.example.com \
    --port 1636 \
    --useSsl \
    --usePkcs12TrustStore /path/to/opendj/config/keystore \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDn uid=admin \
    --bindPassword str0ngAdm1nPa55word \
    --baseDn ou=identities \
    "(uid=demo)"

    Notice that the user’s entry is named for its fr-idm-uuid attribute.

Define the attribute in DS

You define the attribute in DS as an attribute type in the LDAP schema. In LDAP, an entry’s object classes define which attributes it can have. You therefore also define an object class that lets the entry have the custom attribute.

The example custom attribute is a multi-valued directory string attribute named customAttribute. The auxiliary object class that lets the entry have the attribute is named customAttributeOC:

  1. In DS, add LDAP schema for the new attribute and object class alongside other LDAP schema definitions:

    /path/to/opendj/bin/ldapmodify \
    --hostname directory.example.com \
    --port 1636 \
    --useSsl \
    --usePkcs12TrustStore /path/to/opendj/config/keystore \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDn uid=admin \
    --bindPassword str0ngAdm1nPa55word << EOF
    dn: cn=schema
    changetype: modify
    add: attributeTypes
    attributeTypes: ( customAttribute-oid
      NAME 'customAttribute'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      USAGE userApplications )
    -
    add: objectClasses
    objectClasses: ( customAttributeOC-oid
      NAME 'customAttributeOC'
      SUP top
      AUXILIARY
      MAY customAttribute )
    EOF

    By default, DS writes these definitions to the file /path/to/opendj/db/schema/99-user.ldif.

  2. Test that you can add a custom attribute to the demo user entry.

    Use the fr-idm-uuid that you got when searching for uid=demo in ou=identities:

    /path/to/opendj/bin/ldapmodify \
    --hostname directory.example.com \
    --port 1636 \
    --useSsl \
    --usePkcs12TrustStore /path/to/opendj/config/keystore \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDn uid=admin \
    --bindPassword str0ngAdm1nPa55word << EOF
    dn: fr-idm-uuid=<fr-idm-uuid-for-demo-user>,ou=people,ou=identities
    changetype: modify
    add: objectClass
    objectClass: customAttributeOC
    -
    add: customAttribute
    customAttribute: Testing 1, 2...
    EOF
  3. Read the demo user entry to check your work:

    /path/to/opendj/bin/ldapsearch \
    --hostname directory.example.com \
    --port 1636 \
    --useSsl \
    --usePkcs12TrustStore /path/to/opendj/config/keystore \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDn uid=admin \
    --bindPassword str0ngAdm1nPa55word \
    --baseDn ou=identities \
    "(uid=demo)" \
    customAttribute
    dn: fr-idm-uuid=<fr-idm-uuid-for-demo-user>,ou=people,ou=identities
    customAttribute: Testing 1, 2...

    Notice that the value of customAttribute is set to Testing 1, 2....

LDAP schema features are much richer than this simple example can demonstrate. For details about LDAP schema in DS, see LDAP schema.

Update AM to use the attribute

Update the AM configuration to make AM aware of the new object class and attribute:

  1. Sign in to the platform admin UI as amAdmin.

    The password used in the documentation to set up the platform is Passw0rd.

  2. Under Native Consoles, select Access Management to open the AM admin console.

  3. In the alpha realm, under Identity Stores > OpenDJ > User Configuration, update these settings:

    LDAP User Object Class

    Add customAttributeOC.

    LDAP User Attributes

    Add customAttribute.

  4. Save your work.

For additional details, see Adding user profile attributes.

Update IDM to use the attribute

Update the IDM configuration to make IDM aware of the attribute:

  1. In the conf/managed.json file, under user > schema > order, add the custom attribute to the list:

    "customAttribute",
  2. In the conf/managed.json file, under user > schema > properties, define a property corresponding to the custom attribute:

    "customAttribute" : {
     "title" : "Custom Attribute",
     "type" : "string",
     "viewable" : true,
     "searchable" : false,
     "userEditable" : true
    },

    Notice that this property is not searchable; meaning, it does not need to be indexed.

  3. In the conf/repo.ds.json file, under resourceMapping > explicitMapping > managed/user > objectClasses, add the object class:

    "customAttributeOC",
  4. In the conf/repo.ds.json file, under resourceMapping > explicitMapping > managed/user > properties, add a mapping for the attribute:

    "customAttribute" : {
     "type" : "simple",
     "ldapAttribute" : "customAttribute"
    },
  5. Restart IDM to take the changes to the conf/repo.ds.json file into account.

For additional details, see Create and modify object types, and Explicit mappings (DS).

View the results

After configuring DS, AM, and IDM to use the custom attribute:

  1. Browse to the platform End User UI, and sign in as the demo user.

  2. Click Edit Your Profile, and then click Edit Personal Info.

    Notice that your custom attribute is visible with the value you set:

    demo with custom attribute