Configuring attributes and attribute search on the PingDirectory server
Use the Delegated Admin installation file to configure attributes and attribute search.
About this task
The file that installs Delegated Admin specifies the following values:
- Object class of user entries, through structural-ldap-objectclass:inetOrgPerson
- Number of user attributes to expose
Delegated Admin supports the following attribute types:
- Boolean
- Integer
- String
- DateTime
- Distinguished name (DN)
- Custom attributes
- Constructed attributes
- Multivalued attributes
Steps
- If necessary, change the attribute that is designated as the primary attribute.
  Example:
  $ bin/dsconfig set-rest-resource-type-prop \
      --type-name users \
      --set primary-display-attribute-type:mail
- Configure any additional user attributes to appear in Delegated Admin by specifying the Lightweight Directory Access Protocol (LDAP) attribute type to expose and by providing a display name for it.
  Example:
  $ bin/dsconfig create-delegated-admin-attribute \
      --type-name users \
      --attribute-type customAttr \
      --set "display-name:My custom attribute"
- Configure attributes with distinguished name (DN) syntax on resource types to provide a reference from one resource to another.
  One such attribute is the standard LDAP manager attribute. The referencing resource doesn't have to be the same type of resource as the referenced resource. Delegated Admin allows the referenced resource to be selected without displaying the actual value of the DN.
  Example:
  In this example, the manager attribute is included in the users resource type, and its value is constrained to reference only resources of type managers. The managers REST Resource Type is assumed to have already been defined.
  $ bin/dsconfig create-delegated-admin-attribute \
      --type-name users \
      --attribute-type manager \
      --set display-name:Manager \
      --set reference-resource-type:managers
  Example:
  Additionally, the Delegated Admin resource rights for the administrator must provide either read or reference permission to managers.
  $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name Admin \
      --rest-resource-type managers \
      --set enabled:true \
      --set admin-permission:reference \
      --set admin-scope:all-resources-in-base
  For more information about resource rights and permissions, see Configuring delegated administrator rights on the PingDirectory server.
- Use the following command to set the search filter, where %% represents the search text entered in the web application.
  Example:
  $ bin/dsconfig set-rest-resource-type-prop \
      --type-name users \
      --set 'search-filter-pattern:(|(cn=*%%*)(mail=%%*)(uid=%%*))'
  When search text is entered in Delegated Admin, the search-filter-pattern property specifies which attributes to search in the PingDirectory server. To satisfy the query, define the appropriate attribute indexes on the PingDirectory server. For more information, see the PingDirectory Server Administration Guide.
- To manage users whose profiles feature a large number of attributes, place the attributes in logical groupings, called attribute categories, and give them a specific display order.
  Example:
  The following commands create attribute categories and specify their display order.
  $ bin/dsconfig create-delegated-admin-attribute-category \
      --display-name "Basic Information" \
      --set display-order-index:1
  $ bin/dsconfig create-delegated-admin-attribute-category \
      --display-name "Contact Information" \
      --set display-order-index:2
  $ bin/dsconfig create-delegated-admin-attribute-category \
      --display-name "Other Attributes" \
      --set display-order-index:3
- Assign attributes to a category and specify the display order of each attribute within its category.
  Example:
  $ bin/dsconfig set-delegated-admin-attribute-prop \
      --type-name users \
      --attribute-type cn \
      --set "attribute-category:Basic Information" \
      --set display-order-index:1
  $ bin/dsconfig set-delegated-admin-attribute-prop \
      --type-name users \
      --attribute-type sn \
      --set "attribute-category:Basic Information" \
      --set display-order-index:2
  Unassigned attributes are displayed in a miscellaneous category.
- For multivalued LDAP attributes, indicate whether the application should present them as multivalued.
  If not specified, the attributes are presented in the application as single-valued, even if the LDAP schema definition for the attribute allows multiple values.
  This setting does not apply to attributes that are handled by custom UI form fields.
  Example:
  $ bin/dsconfig set-delegated-admin-attribute-prop \
      --type-name users \
      --attribute-type mail \
      --set multi-valued:true
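The following Python is an added illustration, not code from Delegated Admin or PingDirectory, of what the search-filter-pattern step above produces for a given search string: the pattern's own wildcards stay in place while the substituted text is escaped per RFC 4515, so that characters typed by the user (such as * or parentheses) match only literally. How Delegated Admin itself treats the substituted text is not stated on this page, so the escaping step is an assumption; the helper that lists the searched attribute types shows which attributes need indexes.

```python
import re

# Characters that must be escaped inside an LDAP filter assertion value (RFC 4515).
_RFC4515_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(text: str) -> str:
    """Escape search text so it can only match as a literal assertion value."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in text)

def expand_search_filter(pattern: str, search_text: str) -> str:
    """Substitute the (escaped) search text for every %% token in the pattern.
    Wildcards written into the pattern itself, such as cn=*%%*, stay intact;
    only wildcards typed by the user are neutralised (assumed behaviour)."""
    return pattern.replace("%%", escape_filter_value(search_text))

def pattern_attributes(pattern: str) -> list:
    """Attribute types the pattern searches, in order. Each needs an index on the
    PingDirectory server that matches how it is used (substring matching here)."""
    return re.findall(r"\(([A-Za-z][A-Za-z0-9-]*)=", pattern)

# The search-filter-pattern from the dsconfig command on this page.
SEARCH_FILTER_PATTERN = "(|(cn=*%%*)(mail=%%*)(uid=%%*))"

if __name__ == "__main__":
    for text in ("jdoe", "j*"):  # constructed sample search strings
        print(expand_search_filter(SEARCH_FILTER_PATTERN, text))
    print(pattern_attributes(SEARCH_FILTER_PATTERN))
```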
Constructed attributes
A constructed attribute is an attribute whose value is computed from values that are assigned to other attributes. For example, the system might construct a full- or common-name attribute, cn, from values that are assigned to the standard givenName and sn attributes, as follows:
$ dsconfig create-constructed-attribute \
    --attribute-name ReqConstructedCN \
    --set attribute-type:cn \
    --set 'value-pattern:{givenName} {sn}'
Beginning with Delegated Admin 3.5.0 and PingDirectory server 7.3.0.1, the value of a constructed attribute can be updated automatically whenever the value of a source attribute is created or edited:
$ dsconfig set-rest-resource-type-prop \
    --type-name users \
    --set post-create-constructed-attribute:ReqConstructedCN \
    --set update-constructed-attribute:ReqConstructedCN
In these examples, a change to the value of givenName or sn forces a corresponding change to the value of cn. Attributes that contribute to a required constructed attribute are identified in the UI as Required even if they were not originally designated as such. Because cn is a required attribute in this example, givenName and sn are also required.
An attribute's capability of being changed after its creation is called its mutability.
As with standard attributes, constructed attributes are stored as LDAP attributes in a database like the PingDirectory server.
Setting an attribute to read-only
About this task
Beginning with Delegated Admin 3.5.0 and PingDirectory 7.3.0.1, you can set user access to standard and constructed attributes to read-only or read/write. You should restrict access to constructed attributes to read-only. Read-only attributes do not appear on the UI pages that are associated with the creation of users, groups, and other objects.
Steps
- Use the dsconfig tool to set a standard or constructed attribute as read-only.
  Example:
  $ dsconfig set-delegated-admin-attribute-prop \
      --type-name users \
      --attribute-type modifyTimestamp \
      --set mutability:read-only
  Example:
  The following example resets a standard or constructed attribute from read-only to read/write:
  $ dsconfig set-delegated-admin-attribute-prop \
      --type-name users \
      --attribute-type modifyTimestamp \
      --reset mutability
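The following Python is an added model, not code from Delegated Admin or PingDirectory, of the constructed-attribute and mutability behaviour described in the two sections above: it renders the ReqConstructedCN value-pattern from an entry, derives which source attributes become required when cn is required, rejects administrator edits to read-only attributes, and recomputes the constructed value when a source attribute changes. Rendering a missing source attribute as an empty string is an assumption the page does not state.

```python
import re

_FIELD = re.compile(r"\{([^{}]+)\}")  # {attributeName} tokens in a value-pattern

class ConstructedAttribute:
    """Models a constructed attribute: a target attribute type whose value is
    rendered from a value-pattern over other (source) attributes."""

    def __init__(self, name: str, attribute_type: str, value_pattern: str):
        self.name = name
        self.attribute_type = attribute_type
        self.value_pattern = value_pattern

    def source_attributes(self) -> list:
        """Attribute types referenced as {name} in the value pattern, in order."""
        return _FIELD.findall(self.value_pattern)

    def compute(self, entry: dict) -> str:
        """Render the pattern from the entry's current values (a missing source
        attribute renders as empty; an assumption, not stated on the page)."""
        return _FIELD.sub(lambda m: entry.get(m.group(1), ""), self.value_pattern)

# The constructed attribute defined on this page: cn = "{givenName} {sn}".
REQ_CONSTRUCTED_CN = ConstructedAttribute("ReqConstructedCN", "cn", "{givenName} {sn}")

def required_source_attributes(ca: ConstructedAttribute, required: set) -> set:
    """Sources of a required constructed attribute are themselves required."""
    return set(ca.source_attributes()) if ca.attribute_type in required else set()

def apply_update(entry: dict, changes: dict, ca: ConstructedAttribute, read_only: set) -> dict:
    """Apply an administrator's edits. Edits to read-only attributes (which should
    include the constructed attribute itself) are rejected; a change to any source
    attribute recomputes the constructed value, as update-constructed-attribute does."""
    blocked = sorted(set(changes) & read_only)
    if blocked:
        raise PermissionError(f"read-only attribute(s) cannot be edited: {blocked}")
    updated = {**entry, **changes}
    if any(a in changes for a in ca.source_attributes()):
        updated[ca.attribute_type] = ca.compute(updated)
    return updated

if __name__ == "__main__":
    user = {"givenName": "Jane", "sn": "Doe", "cn": "Jane Doe"}  # constructed sample entry
    print(required_source_attributes(REQ_CONSTRUCTED_CN, {"cn"}))
    print(apply_update(user, {"sn": "Smith"}, REQ_CONSTRUCTED_CN, {"cn"}))
```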