Starting point: I have a WebSphere with federated security (there is an Active Directory behind it). I am trying to fetch a VMM user uid by his/her email address, but I a don't know how it's VMM (schema) attributes are mapped to the AD (schema) attributes of the underlying Active Directory entity (person, organizationalPerson objectClass, mail attribute.
(By describing it in a different way: If one have a look at the WAS console, in the "Users and Groups" -> "Manage Users" there is a table where there is an E-Mail column, so it is somehow mapped. But, by clicking on the ( "Global Security" -> "(federated repositories) configure button" -> (there is a table, you can select the)) LDAP1 row, and checking the table in "Federated repositories property names to LDAP attributes mapping", I don't find that the 'E-Mail' column how has been mapped to the AD attribute. Maybe there is an implicit mapping?)
So, the starting question is this:
How to find this on the WAS console? Or, maybe via wsadmin (scripts)?
So, because of this, I tried to move forward and now I would try to find it using the VMM API, but I don't find in the official documentation the answer to the second question:
Is it possible to fetch somehow the assigned / available attributes of an WebSphere VMM entity (Virtual member manager)?
There is a lot of examples about how to fetch the attributes when you know their name, but there is nothing about this...
Yes, I know that is is a bit XY problem, but please guide me a bit. Many thanks in advance.
To provide some code sample too, I am trying to fetch the user's uid by using the following code:
public String testFetch(String email) throws Exception
{
String returnAttr = "uid";
// here in the search expression what should I wrire instead of the 'mail'?
String vmmSearchExpr = String.format("@xsi:type='PersonAccount' and mail='%s'", email);
DataObject root = SDOHelper.createRootDataObject();
DataObject searchCtrl = SDOHelper.createControlDataObject(root, null, SchemaConstants.DO_SEARCH_CONTROL);
searchCtrl.setString(SchemaConstants.PROP_SEARCH_EXPRESSION, vmmSearchExpr);
@SuppressWarnings("unchecked")
List<String> props = searchCtrl.getList(SchemaConstants.PROP_PROPERTIES);
props.add(returnAttr);
Service service = new LocalServiceProvider(null);
DataObject searchRoot = service.search(root);
String result = "";
List<?> entities = searchRoot.getList(SchemaConstants.DO_ENTITIES);
if (entities.size() > 1) throw new RuntimeException("multiple users for an identity:" + vmmSearchExpr);
if (entities.size() > 0)
{
DataObject objdo = (DataObject) entities.get(0);
result = objdo.getString(returnAttr);
}else{
log("Got empty list There is no result.");
}
return result;
}
A possible solution is to add a new federal repository supported property (Name: mail, Property name: mail, Entity types: PersonAccount):
After a WAS restart I was able to use the search expression
@xsi:type='PersonAccount' and mail='<email address>'
and the code above to fetch the corresponding uid to the given email address. It seems there is some info in the c:\IBM\WebSphere\AppServer\etc\wim\setup\wimdbproperties.xml, as if the "ibm-primaryEmail" would be the property that contains the email address, albeit I was not able to find my uid when I specified this instead of the "mail" attribute name.