Tags: java, websphere

VMM how to find or fetch VMM entity attribute mapping / attribute names


Starting point: I have a WebSphere with federated security (there is an Active Directory behind it). I am trying to fetch a VMM user uid by his/her email address, but I don't know how its VMM (schema) attributes are mapped to the AD (schema) attributes of the underlying Active Directory entity (person, organizationalPerson objectClass, mail attribute).

(By describing it in a different way: if one has a look at the WAS console, in "Users and Groups" -> "Manage Users" there is a table with an E-Mail column, so it is somehow mapped. But, by clicking on "Global Security" -> "(federated repositories) configure button" -> (there is a table, you can select the) LDAP1 row, and checking the table in "Federated repositories property names to LDAP attributes mapping", I don't find how the 'E-Mail' column has been mapped to the AD attribute. Maybe there is an implicit mapping?)

So, the starting question is this:

How to find this on the WAS console? Or, maybe via wsadmin (scripts)?

So, because of this, I tried to move forward and now I would try to find it using the VMM API, but I don't find the answer to the second question in the official documentation:

Is it possible to fetch somehow the assigned / available attributes of a WebSphere VMM entity (Virtual member manager)?

There are a lot of examples about how to fetch the attributes when you know their name, but there is nothing about this...

Yes, I know that this is a bit of an XY problem, but please guide me a bit. Many thanks in advance.

To provide some code sample too, I am trying to fetch the user's uid by using the following code:

    import java.util.List;

    import commonj.sdo.DataObject;

    import com.ibm.websphere.wim.SchemaConstants;
    import com.ibm.websphere.wim.Service;
    import com.ibm.websphere.wim.client.LocalServiceProvider;
    import com.ibm.websphere.wim.util.SDOHelper;

    public class VmmUidLookup
    {
        private static void log(String msg)
        {
            System.out.println(msg);
        }

        public String testFetch(String email) throws Exception
        {
            String returnAttr = "uid";
            // here in the search expression what should I write instead of the 'mail'?
            // Note: 'email' is interpolated verbatim into the search expression, so it
            // should be validated (no quotes or operators) before it reaches this point.
            String vmmSearchExpr = String.format("@xsi:type='PersonAccount' and mail='%s'", email);
            DataObject root = SDOHelper.createRootDataObject();
            // SearchControl carries the expression and the list of properties to return
            DataObject searchCtrl = SDOHelper.createControlDataObject(root, null, SchemaConstants.DO_SEARCH_CONTROL);
            searchCtrl.setString(SchemaConstants.PROP_SEARCH_EXPRESSION, vmmSearchExpr);
            @SuppressWarnings("unchecked")
            List<String> props = searchCtrl.getList(SchemaConstants.PROP_PROPERTIES);
            props.add(returnAttr);
            // in-process VMM service (no remote lookup needed inside the server)
            Service service = new LocalServiceProvider(null);
            DataObject searchRoot = service.search(root);
            String result = "";
            List<?> entities = searchRoot.getList(SchemaConstants.DO_ENTITIES);
            if (entities.size() > 1) throw new RuntimeException("multiple users for an identity:" + vmmSearchExpr);
            if (entities.size() > 0)
            {
                DataObject objdo = (DataObject) entities.get(0);
                result = objdo.getString(returnAttr);
            }else{
                log("Got empty list. There is no result.");
            }
            return result;
        }
    }

Solution

  • A possible solution is to add a new federated repositories supported property (Name: mail, Property name: mail, Entity types: PersonAccount):

    [screenshot: mail property]

    After a WAS restart I was able to use the search expression

    @xsi:type='PersonAccount' and mail='<email address>'
    

    and the code above to fetch the corresponding uid to the given email address. It seems there is some info in the c:\IBM\WebSphere\AppServer\etc\wim\setup\wimdbproperties.xml, as if the "ibm-primaryEmail" would be the property that contains the email address, albeit I was not able to find my uid when I specified this instead of the "mail" attribute name.
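The same two configuration steps (expose the property for PersonAccount, then map it onto the LDAP attribute of the LDAP1 repository), done via wsadmin instead of the console, as an added example that is not part of the question or the answer above. It assumes the repository id LDAP1 from the question and that the AD attribute and the VMM property are both called mail; the function names are my own.

```jython
# wsadmin Jython script (run with: wsadmin -lang jython -f map_mail_attribute.py).
# Added example, not from the question or the answer; assumes the federated
# repository id "LDAP1" and maps the AD attribute "mail" to the VMM property "mail".

REPO_ID = 'LDAP1'          # id of the LDAP repository under federated repositories
LDAP_ATTR = 'mail'         # attribute name in Active Directory
VMM_PROPERTY = 'mail'      # property name usable in VMM search expressions
ENTITY_TYPE = 'PersonAccount'

def showCurrentMappings(repoId):
    # wsadmin view of the console table
    # "Federated repositories property names to LDAP attributes mapping"
    print AdminTask.listIdMgrLDAPAttrs('[-id %s]' % repoId)

def mapLdapAttribute(repoId, ldapAttr, vmmProperty, entityType):
    # 1. Make the property a supported property of the entity type
    #    (the console step "add a new federated repositories supported property").
    AdminTask.addIdMgrPropertyToEntityTypes(
        '[-name %s -dataType String -entityTypeNames %s]' % (vmmProperty, entityType))
    # 2. Map that VMM property onto the LDAP attribute for this repository.
    AdminTask.addIdMgrLDAPAttr(
        '[-id %s -name %s -propertyName %s -entityTypes %s]'
        % (repoId, ldapAttr, vmmProperty, entityType))
    # 3. Persist the change; as the answer notes, a WAS restart is still needed
    #    before "@xsi:type='PersonAccount' and mail='...'" resolves.
    AdminConfig.save()

showCurrentMappings(REPO_ID)
mapLdapAttribute(REPO_ID, LDAP_ATTR, VMM_PROPERTY, ENTITY_TYPE)
showCurrentMappings(REPO_ID)
```

Running showCurrentMappings before and after makes the new mail mapping visible without opening the console.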