PingDirectory

Configuring attributes and attribute search on the PingDirectory server

Use the Delegated Admin installation file to configure attributes and attribute search.

About this task

The file that installs Delegated Admin specifies the following values:

  • Object class of user entries, set through structural-ldap-objectclass:inetOrgPerson

  • Number of user attributes to expose

    Delegated Admin supports the following attribute types:

    • Boolean

    • Integer

    • String

    • DateTime

    • distinguished name (DN)

    • Custom attributes

    • Constructed attributes

    • Multivalued attributes

Steps

  1. If necessary, change the attribute that is designated as the primary attribute.

    Example:

    $ bin/dsconfig set-rest-resource-type-prop \
      --type-name users \
      --set primary-display-attribute-type:mail

  2. Configure any additional user attributes to appear in Delegated Admin by specifying the Lightweight Directory Access Protocol (LDAP) attribute type to expose and by providing a display name for it.

    Example:

    $ bin/dsconfig create-delegated-admin-attribute \
      --type-name users \
      --attribute-type customAttr \
      --set "display-name:My custom attribute"

  3. Configure attributes with distinguished name (DN) syntax on resource types to provide a reference from one resource to another.

    The standard LDAP manager attribute is an example of such an attribute.

    The referencing resource doesn’t have to be the same type of resource as the referenced resource. Delegated Admin allows the referenced resource to be selected without displaying the actual value of the DN.

    Example:

    In this example, the manager attribute is included in the users resource type, and its value is constrained to reference only resources of type managers. The managers REST Resource Type is assumed to have already been defined.

    $ bin/dsconfig create-delegated-admin-attribute \
      --type-name users \
      --attribute-type manager \
      --set display-name:Manager \
      --set reference-resource-type:managers

    Example:

    Additionally, the Delegated Admin resource rights for the administrator must provide either read or reference permission to managers.

    $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name Admin \
      --rest-resource-type managers \
      --set enabled:true \
      --set admin-permission:reference \
      --set admin-scope:all-resources-in-base

    For more information about resource rights and permissions, see Configuring delegated administrator rights on the PingDirectory server.

  4. Use the following command to set the search filter, where %% represents the search text entered in the web application.

    Example:

    $ bin/dsconfig set-rest-resource-type-prop \
      --type-name users \
      --set 'search-filter-pattern:(|(cn=*%%*)(mail=%%*)(uid=%%*))'

    When search text is entered in Delegated Admin, the property search-filter-pattern specifies which attributes to search in the PingDirectory server. To satisfy the query, define the appropriate attribute indexes for the PingDirectory server. For more information, see the PingDirectory Server Administration Guide.

  5. To manage users whose profiles feature a large number of attributes, place the attributes in logical groupings, called attribute categories, and give them a specific display order.

    Example:

    The following commands create attribute categories and specify their display order.

    $ bin/dsconfig create-delegated-admin-attribute-category \
      --display-name "Basic Information" \
      --set display-order-index:1
    
    $ bin/dsconfig create-delegated-admin-attribute-category \
      --display-name "Contact Information" \
      --set display-order-index:2
    
    $ bin/dsconfig create-delegated-admin-attribute-category \
      --display-name "Other Attributes" \
      --set display-order-index:3

  6. Assign each attribute to a category and specify its display order within that category.

    Example:

    $ bin/dsconfig set-delegated-admin-attribute-prop \
      --type-name users \
      --attribute-type cn \
      --set "attribute-category:Basic Information" \
      --set display-order-index:1
    
    $ bin/dsconfig set-delegated-admin-attribute-prop \
      --type-name users \
      --attribute-type sn \
      --set "attribute-category:Basic Information" \
      --set display-order-index:2

    Unassigned attributes are displayed in a miscellaneous category.

  7. For multivalued LDAP attributes, indicate whether the application should present them as multivalued.

    If not specified, the attributes are presented in the application as single-valued, even if the LDAP schema definition for the attribute allows multiple values.

    This setting does not apply to attributes that are handled by custom UI form fields.

    Example:

    $ bin/dsconfig set-delegated-admin-attribute-prop \
     --type-name users \
     --attribute-type mail \
     --set multi-valued:true
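The search-filter-pattern in step 4 is a template: every %% is replaced by the text typed into the web application, and the resulting LDAP filter is sent to the PingDirectory server. The following added example (written for this page, not Delegated Admin's own code) shows what the page's pattern expands to, escapes the search text per RFC 4515 so that filter metacharacters in the typed text are matched literally, and infers which attribute indexes (equality or substring) the pattern requires, which is the indexing step the page refers to. How Delegated Admin itself performs the substitution is not described on the page, so the escaping shown here is an assumption about the illustration, not a statement about the product.

```python
import re
from typing import Dict

# The search-filter-pattern from step 4 of the page.
SEARCH_FILTER_PATTERN = "(|(cn=*%%*)(mail=%%*)(uid=%%*))"

# RFC 4515, section 3: characters that must be escaped inside an assertion
# value so they match literally instead of altering the filter's structure.
# Each character is mapped exactly once, so no double-escaping can occur.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(text: str) -> str:
    """Escape user-supplied text for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in text)


def expand_search_filter(pattern: str, search_text: str) -> str:
    """Replace every %% in the pattern with the escaped search text.

    Illustrates what the pattern means; Delegated Admin's own substitution
    logic is not described on the page (assumption).
    """
    return pattern.replace("%%", escape_filter_value(search_text))


# One simple assertion of the form (attr=value); findall walks compound filters.
_ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")


def required_indexes(pattern: str) -> Dict[str, str]:
    """Infer, per attribute, the index type the pattern needs on the server.

    An assertion value containing '*' is a substring assertion and needs a
    substring index; a value without '*' is an equality assertion. When the
    same attribute appears both ways, the substring requirement wins.
    """
    needed: Dict[str, str] = {}
    for attr, value in _ASSERTION.findall(pattern):
        kind = "substring" if "*" in value else "equality"
        if needed.get(attr) != "substring":
            needed[attr] = kind
    return needed


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real deployment.
    for text in ("smith", "o'brien", "a)(objectClass=*"):
        print(expand_search_filter(SEARCH_FILTER_PATTERN, text))
    print(required_indexes(SEARCH_FILTER_PATTERN))
```

With the page's pattern, all three attributes need a substring index; `(cn=*%%*)` in particular is an "any" substring match and is the most expensive of the three, so an unindexed search on a large user base will be slow or rejected by the server's unindexed-search limits. A pattern such as `(|(uid=%%)(cn=*%%*))` would need only an equality index on uid.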

Constructed attributes

A constructed attribute is an attribute whose value is computed from values that are assigned to other attributes. For example, the system might construct a full- or common-name attribute, cn, from values that are assigned to the standard givenName and sn attributes, as follows:

dsconfig create-constructed-attribute \
  --attribute-name ReqConstructedCN --set attribute-type:cn \
  --set 'value-pattern:{givenName} {sn}'

Beginning with Delegated Admin 3.5.0 and PingDirectory server 7.3.0.1, the value of a constructed attribute can be updated automatically whenever the value of a source attribute is created or when it is edited.

dsconfig set-rest-resource-type-prop \
  --type-name users  \
  --set post-create-constructed-attribute:ReqConstructedCN  \
  --set update-constructed-attribute:ReqConstructedCN

In these examples, a change to the value of givenName or sn forces a corresponding change to the value of cn. Attributes that contribute to a required constructed attribute are identified in the UI as Required even if they were not originally designated as such. Because cn is a required attribute in this example, givenName and sn are also required.

An attribute’s capability of being changed after its creation is called its mutability.

As with standard attributes, constructed attributes are stored as LDAP attributes in a directory server such as the PingDirectory server.

Setting an attribute to read-only

About this task

Beginning with Delegated Admin 3.5.0 and PingDirectory 7.3.0.1, you can set user access to standard and constructed attributes to read-only or read/write. You should restrict access to constructed attributes to read-only. Read-only attributes do not appear on the UI pages that are associated with the creation of users, groups, and other objects.

Steps

  • Use the dsconfig tool to set a standard or constructed attribute as read-only.

    Example:

    dsconfig set-delegated-admin-attribute-prop \
      --type-name users \
      --attribute-type modifyTimestamp \
      --set mutability:read-only

    Example:

    The following example resets a standard or constructed attribute from read-only to read/write:

    dsconfig set-delegated-admin-attribute-prop \
      --type-name users \
      --attribute-type modifyTimestamp \
      --reset mutability
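The constructed-attributes section and the read-only setting above describe three behaviours that interact: a value-pattern such as {givenName} {sn} is expanded from source attributes, the post-create and update hooks recompute the target whenever a source attribute is created or edited, and a read-only mutability keeps the target from being edited directly. The following added model (written for this page, not PingDirectory or Delegated Admin code) reproduces those rules so the interaction can be traced on a sample entry; the placeholder syntax, the hook names and the read-only value are taken from the page, while the "read-write" spelling and the sample entry are assumptions.

```python
import re
from typing import Dict, List

# Placeholder syntax used by value-pattern, e.g. "{givenName} {sn}" from the page.
_PLACEHOLDER = re.compile(r"\{([A-Za-z][\w;-]*)\}")


def source_attributes(value_pattern: str) -> List[str]:
    """Attributes the pattern reads, in order of first appearance.

    When the target attribute is required (cn on the page), these are the
    attributes the UI marks Required even if the schema does not.
    """
    names: List[str] = []
    for name in _PLACEHOLDER.findall(value_pattern):
        if name not in names:
            names.append(name)
    return names


def construct_value(value_pattern: str, entry: Dict[str, str]) -> str:
    """Expand the pattern against an entry; every source attribute must have a value."""
    missing = [a for a in source_attributes(value_pattern) if not entry.get(a)]
    if missing:
        raise ValueError("missing source attribute(s): " + ", ".join(missing))
    return _PLACEHOLDER.sub(lambda m: entry[m.group(1)], value_pattern)


class ConstructedAttribute:
    """One constructed attribute plus the two hooks the page configures:
    post-create-constructed-attribute and update-constructed-attribute."""

    def __init__(self, name: str, attribute_type: str, value_pattern: str,
                 mutability: str = "read-only") -> None:
        self.name = name                      # e.g. ReqConstructedCN
        self.attribute_type = attribute_type  # target attribute, e.g. cn
        self.value_pattern = value_pattern
        self.mutability = mutability          # "read-only" (page) or "read-write" (assumed)

    def on_create(self, entry: Dict[str, str]) -> Dict[str, str]:
        """post-create hook: compute the target right after the entry is created."""
        entry = dict(entry)
        entry[self.attribute_type] = construct_value(self.value_pattern, entry)
        return entry

    def on_update(self, entry: Dict[str, str], changes: Dict[str, str]) -> Dict[str, str]:
        """update hook: apply the edit, then recompute the target if a source changed.

        A direct edit of a read-only target is refused; its value changes only
        through the source attributes.
        """
        if self.attribute_type in changes and self.mutability == "read-only":
            raise PermissionError(
                f"{self.attribute_type} is read-only; edit "
                + ", ".join(source_attributes(self.value_pattern)) + " instead")
        entry = dict(entry)
        entry.update(changes)
        if any(a in changes for a in source_attributes(self.value_pattern)):
            entry[self.attribute_type] = construct_value(self.value_pattern, entry)
        return entry


# Mirrors the page's dsconfig create-constructed-attribute example.
REQ_CONSTRUCTED_CN = ConstructedAttribute(
    "ReqConstructedCN", "cn", "{givenName} {sn}", mutability="read-only")


def demo() -> Dict[str, str]:
    """Create a user, then change sn: cn follows automatically."""
    # Constructed sample entry, not real directory data.
    entry = REQ_CONSTRUCTED_CN.on_create(
        {"givenName": "Ada", "sn": "Lovelace", "mail": "ada@example.com"})
    entry = REQ_CONSTRUCTED_CN.on_update(entry, {"sn": "King"})
    return entry


if __name__ == "__main__":
    print(source_attributes(REQ_CONSTRUCTED_CN.value_pattern))
    print(demo())
```

Two details worth checking against your own configuration: an edit that touches only non-source attributes (mail here) leaves cn untouched, and an entry missing a source value cannot be created at all, which is the reason the UI promotes givenName and sn to Required once cn is required.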