Custom attributes
These sample deployments demonstrate using PingDS as a shared identity store for PingAM and PingIDM. The PingDS setup profile that configures PingDS as a shared identity store defines all the platform attributes required by PingAM and PingIDM.
Many deployments use additional custom attributes in identity profiles. The following examples show how to add a custom attribute, and how to configure PingAM and PingIDM to use it.
This example adds a custom attribute that the platform can retrieve with a user profile. This custom attribute is not searchable, and therefore not indexed.

Before you start, create a demo account for test purposes in your sample deployment:

- Browse to the platform End User UI page of the sample deployment, and click Create an account.
- Create a user with user identifier `demo`, and whatever other attributes you like.
- Find this user's entry in the PingDS shared identity repository:

  ```bash
  /path/to/opendj/bin/ldapsearch \
    --hostname directory.example.com \
    --port 1636 \
    --useSsl \
    --usePkcs12TrustStore /path/to/opendj/config/keystore \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDn uid=admin \
    --bindPassword str0ngAdm1nPa55word \
    --baseDn ou=identities \
    "(uid=demo)"
  ```

  Notice that the user's entry is named for its `fr-idm-uuid` attribute.
Define the attribute in PingDS
You define the attribute in PingDS as an attribute type in the LDAP schema. In LDAP, an entry’s object classes define which attributes it can have. You therefore also define an object class that lets the entry have the custom attribute.
The example custom attribute is a multi-valued directory string attribute named `customAttribute`. The auxiliary object class that lets the entry have the attribute is named `customAttributeOC`:

- In PingDS, add LDAP schema for the new attribute and object class alongside other LDAP schema definitions:

  ```bash
  /path/to/opendj/bin/ldapmodify \
    --hostname directory.example.com \
    --port 1636 \
    --useSsl \
    --usePkcs12TrustStore /path/to/opendj/config/keystore \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDn uid=admin \
    --bindPassword str0ngAdm1nPa55word << EOF
  dn: cn=schema
  changetype: modify
  add: attributeTypes
  attributeTypes: ( customAttribute-oid NAME 'customAttribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
  -
  add: objectClasses
  objectClasses: ( customAttributeOC-oid NAME 'customAttributeOC' SUP top AUXILIARY MAY customAttribute )
  EOF
  ```

  By default, PingDS writes these definitions to the file `/path/to/opendj/db/schema/99-user.ldif`.

- Test that you can add a custom attribute to the `demo` user entry. Use the `fr-idm-uuid` that you got when searching for `uid=demo` in `ou=identities`:

  ```bash
  /path/to/opendj/bin/ldapmodify \
    --hostname directory.example.com \
    --port 1636 \
    --useSsl \
    --usePkcs12TrustStore /path/to/opendj/config/keystore \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDn uid=admin \
    --bindPassword str0ngAdm1nPa55word << EOF
  dn: fr-idm-uuid=<fr-idm-uuid-for-demo-user>,ou=people,ou=identities
  changetype: modify
  add: objectClass
  objectClass: customAttributeOC
  -
  add: customAttribute
  customAttribute: Testing 1, 2...
  EOF
  ```

- Read the `demo` user entry to check your work:

  ```bash
  /path/to/opendj/bin/ldapsearch \
    --hostname directory.example.com \
    --port 1636 \
    --useSsl \
    --usePkcs12TrustStore /path/to/opendj/config/keystore \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDn uid=admin \
    --bindPassword str0ngAdm1nPa55word \
    --baseDn ou=identities \
    "(uid=demo)" \
    customAttribute
  dn: fr-idm-uuid=<fr-idm-uuid-for-demo-user>,ou=people,ou=identities
  customAttribute: Testing 1, 2...
  ```

  Notice that the value of `customAttribute` is set to `Testing 1, 2...`.
LDAP schema features are much richer than this simple example can demonstrate. For details about LDAP schema in PingDS, see LDAP schema.
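Schema changes to `cn=schema` take effect immediately and are replicated, so it pays to validate the definitions before sending them. The following script is an added example, not code from the PingDS documentation or product: it parses the RFC 4512 `attributeTypes` and `objectClasses` description syntax used in the `ldapmodify` heredoc above and flags inconsistencies such as an object class whose `MAY` list refers to an attribute that was never defined. `SCHEMA_LDIF` is the page's own LDIF embedded as sample input; the `known_attributes` parameter is an assumption of this check, used to whitelist attributes that already exist in the server schema.

```python
"""Pre-flight checks for custom LDAP schema definitions (added example)."""
import re

DIRECTORY_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.15"

# The schema change from the page, embedded inline as the sample input.
SCHEMA_LDIF = """dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( customAttribute-oid NAME 'customAttribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
-
add: objectClasses
objectClasses: ( customAttributeOC-oid NAME 'customAttributeOC' SUP top AUXILIARY MAY customAttribute )
"""

# Keywords that take no value, and the full keyword set the parser accepts.
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION",
         "ABSTRACT", "STRUCTURAL", "AUXILIARY"}
KEYWORDS = FLAGS | {"NAME", "DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR",
                    "SYNTAX", "USAGE", "MUST", "MAY", "X-ORIGIN"}
# Keywords whose value is normalised to a list even when a single token is given.
LIST_KEYS = {"MUST", "MAY", "SUP", "NAME"}


def parse_description(text):
    """Parse "( oid KEY value ... )" into a dict keyed by keyword."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("schema description must be enclosed in parentheses")
    # Tokens are quoted strings, parenthesised lists, or bare words.
    tokens = re.findall(r"'[^']*'|\([^)]*\)|\S+", body[1:-1])
    desc = {"oid": tokens[0]}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if key not in KEYWORDS:
            raise ValueError(f"unexpected token {key!r} in {desc['oid']}")
        if key in FLAGS:
            desc[key] = True
            i += 1
            continue
        raw = tokens[i + 1]
        if raw.startswith("("):
            inner = raw[1:-1]
            parts = inner.split("$") if "$" in inner else inner.split()
            value = [p.strip().strip("'") for p in parts]
        else:
            value = raw.strip("'")
            if key in LIST_KEYS:
                value = [value]
        desc[key] = value
        i += 2
    return desc


def unfold_ldif(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def load_schema(ldif):
    """Return (attribute_types, object_classes) keyed by lower-cased primary NAME."""
    attrs, classes = {}, {}
    for line in unfold_ldif(ldif):
        for prefix, target in (("attributeTypes: ", attrs), ("objectClasses: ", classes)):
            if line.startswith(prefix):
                desc = parse_description(line[len(prefix):])
                target[desc["NAME"][0].lower()] = desc
    return attrs, classes


def is_multi_valued(attr):
    """An attribute type is multi-valued unless it carries SINGLE-VALUE."""
    return not attr.get("SINGLE-VALUE", False)


def check_schema(ldif, known_attributes=()):
    """Return a list of problems; an empty list means the definitions are consistent.

    known_attributes (assumption of this check) names attributes that already exist
    in the server schema, so object class references to them are not flagged.
    """
    attrs, classes = load_schema(ldif)
    known = {a.lower() for a in known_attributes} | set(attrs)
    problems = []
    for name, attr in attrs.items():
        if "SYNTAX" not in attr and "SUP" not in attr:
            problems.append(f"{name}: no SYNTAX, so the server cannot validate values")
        if "EQUALITY" not in attr and "SUP" not in attr:
            problems.append(f"{name}: no EQUALITY rule, so equality filters cannot be evaluated")
    for name, oc in classes.items():
        for key in ("MUST", "MAY"):
            for ref in oc.get(key, []):
                if ref.lower() not in known:
                    problems.append(f"{name}: {key} references undefined attribute '{ref}'")
    return problems


if __name__ == "__main__":
    attribute_types, object_classes = load_schema(SCHEMA_LDIF)
    print("attribute types:", sorted(attribute_types), "object classes:", sorted(object_classes))
    print("problems:", check_schema(SCHEMA_LDIF) or "none")
```

Run it against the LDIF you intend to send; a typo in the object class `MAY` list (a common cause of a later `objectClassViolation` when you add the attribute to an entry) shows up as an undefined-attribute problem before anything touches the directory.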
Update PingAM to use the attribute
Update the PingAM configuration to make PingAM aware of the new object class and attribute:
- Sign in to the platform admin UI as `amAdmin`. The password used in the documentation to set up the platform is `Passw0rd`.
- Under Native Consoles, select Access Management to open the PingAM admin console.
- In the `alpha` realm, under Identity Stores > OpenDJ > User Configuration, update these settings:
  - LDAP User Object Class: add `customAttributeOC`.
  - LDAP User Attributes: add `customAttribute`.
- Save your work.
For additional details, see Adding user profile attributes.
Update PingIDM to use the attribute
Update the PingIDM configuration to make PingIDM aware of the attribute:
- In the `conf/managed.json` file, under `user` > `schema` > `order`, add the custom attribute to the list:

  ```json
  "customAttribute",
  ```

- In the `conf/managed.json` file, under `user` > `schema` > `properties`, define a property corresponding to the custom attribute:

  ```json
  "customAttribute" : {
    "title" : "Custom Attribute",
    "type" : "string",
    "viewable" : true,
    "searchable" : false,
    "userEditable" : true
  },
  ```

  Notice that this property is not searchable, meaning it does not need to be indexed.

- In the `conf/repo.ds.json` file, under `resourceMapping` > `explicitMapping` > `managed/user` > `objectClasses`, add the object class:

  ```json
  "customAttributeOC",
  ```

- In the `conf/repo.ds.json` file, under `resourceMapping` > `explicitMapping` > `managed/user` > `properties`, add a mapping for the attribute:

  ```json
  "customAttribute" : {
    "type" : "simple",
    "ldapAttribute" : "customAttribute"
  },
  ```

- Restart PingIDM to take the changes to the `conf/repo.ds.json` file into account.
For additional details, see Create and modify object types, and Explicit mappings (PingDS).
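The four PingIDM edits above are spread across two files and fail in different ways when one is forgotten: a property that is defined but not mapped is silently dropped from the explicit mapping, and a mapped attribute whose object class is missing from `objectClasses` fails at write time with a schema violation in PingDS. The script below is an added example, not part of the PingIDM documentation or product, that cross-checks the two files. `MANAGED_JSON` and `REPO_DS_JSON` are constructed stand-ins trimmed to the paths the steps edit; only `customAttribute`, `customAttributeOC` and the `managed/user` mapping come from the page, while the other property names and object classes are sample values. `CUSTOM_SCHEMA` records which auxiliary object class each custom LDAP attribute needs, taken from the schema defined earlier on the page.

```python
"""Cross-check managed.json against repo.ds.json for a custom attribute (added example)."""
import json

# Constructed stand-in for the relevant part of conf/managed.json.
MANAGED_JSON = """{
  "objects": [
    {
      "name": "user",
      "schema": {
        "order": ["_id", "userName", "mail", "customAttribute"],
        "properties": {
          "_id": {"type": "string", "viewable": false, "searchable": false},
          "userName": {"type": "string", "viewable": true, "searchable": true},
          "mail": {"type": "string", "viewable": true, "searchable": true},
          "customAttribute": {
            "title": "Custom Attribute",
            "type": "string",
            "viewable": true,
            "searchable": false,
            "userEditable": true
          }
        }
      }
    }
  ]
}"""

# Constructed stand-in for the relevant part of conf/repo.ds.json.
REPO_DS_JSON = """{
  "resourceMapping": {
    "explicitMapping": {
      "managed/user": {
        "objectClasses": ["top", "inetOrgPerson", "customAttributeOC"],
        "properties": {
          "_id": {"type": "simple", "ldapAttribute": "fr-idm-uuid"},
          "userName": {"type": "simple", "ldapAttribute": "uid"},
          "mail": {"type": "simple", "ldapAttribute": "mail"},
          "customAttribute": {"type": "simple", "ldapAttribute": "customAttribute"}
        }
      }
    }
  }
}"""

# Auxiliary object class required by each custom LDAP attribute (from the page's schema).
CUSTOM_SCHEMA = {"customAttribute": "customAttributeOC"}


def managed_user_schema(managed):
    """Return the schema block of the managed object named 'user'."""
    for obj in managed["objects"]:
        if obj.get("name") == "user":
            return obj["schema"]
    raise KeyError("managed.json has no object named 'user'")


def check_wiring(managed_text, repo_text, custom_schema):
    """Return {"problems": [...], "needs_index": [...]} for the managed/user mapping.

    problems lists misconfigurations; needs_index lists the LDAP attributes behind
    searchable properties, which PingDS must index for searches on them to be efficient.
    """
    schema = managed_user_schema(json.loads(managed_text))
    mapping = json.loads(repo_text)["resourceMapping"]["explicitMapping"]["managed/user"]
    order, props = schema["order"], schema["properties"]
    declared = {oc.lower() for oc in mapping["objectClasses"]}
    problems, needs_index = [], []

    for name in order:
        if name not in props:
            problems.append(f"managed.json: '{name}' is listed in order but not defined in properties")
    for name, prop in props.items():
        if name not in order:
            problems.append(f"managed.json: '{name}' is defined but missing from order")
        entry = mapping["properties"].get(name)
        if entry is None:
            problems.append(f"repo.ds.json: '{name}' has no explicit mapping")
            continue
        # Assumption of this check: a mapping without ldapAttribute uses the property name.
        ldap_attr = entry.get("ldapAttribute", name)
        required_oc = custom_schema.get(ldap_attr)
        if required_oc and required_oc.lower() not in declared:
            problems.append(f"repo.ds.json: '{ldap_attr}' requires object class '{required_oc}', "
                            "which is not in objectClasses; PingDS would reject writes as schema violations")
        if prop.get("searchable"):
            needs_index.append(ldap_attr)
    return {"problems": problems, "needs_index": needs_index}


def drop_object_class(repo_text, object_class):
    """Return repo.ds.json text with one object class removed (demonstrates a failing check)."""
    repo = json.loads(repo_text)
    user_mapping = repo["resourceMapping"]["explicitMapping"]["managed/user"]
    user_mapping["objectClasses"] = [oc for oc in user_mapping["objectClasses"] if oc != object_class]
    return json.dumps(repo)


if __name__ == "__main__":
    print(check_wiring(MANAGED_JSON, REPO_DS_JSON, CUSTOM_SCHEMA))
    print(check_wiring(MANAGED_JSON, drop_object_class(REPO_DS_JSON, "customAttributeOC"), CUSTOM_SCHEMA))
```

Point the two constants at your real `conf/managed.json` and `conf/repo.ds.json` contents before restarting PingIDM; the `needs_index` list is also a quick way to confirm that a property marked `"searchable" : false`, like the one above, places no indexing requirement on PingDS.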