Privilege Manager policy language supports the use of LDAP calls to obtain data on the following platforms:
Privilege Manager LDAP functions follow, as closely as possible, the API outlined in RFC 1823 to ensure compatibility and ease of understanding.
The feature_enabled() function indicates whether the LDAP functions are available on a particular policy server. (See feature_enabled for details.)
The following example illustrates the use of the LDAP functions.
if (!feature_enabled(FEATURE_LDAP) {
print("LDAP support is not available on this policy server");
} else {
ld_user = "cn=Directory Manager";
ld_passwd = "password";
ld_host = "ldapserver";
BASEDN="ou=People,dc=skynet,dc=local";
SCOPE="onelevel";
FILTER="(objectClass=*)";
ATTRLIST={};
ATTRONLY=false;
print( "LDAP Server: " + ld_host );
print( " User DN: " + ld_user );
print( " Password: " + ld_passwd );
print( "" );
print( " Base DN: " + BASEDN );
print( " Scope: " + SCOPE );
print( " Filter: " + FILTER );
print( "" );
# Open a connection to the directory server
ldapid = ldap_open( ld_host );
if( ldapid < 0 ) {
print( "ldap_open failed" );
reject;
}
# bind to the directory
rc = ldap_bind( ldapid, ld_user, ld_passwd );
if( rc==0 ) {
# perform the search
ld_results = ldap_search( ldapid, BASEDN, SCOPE, FILTER, ATTRLIST, ATTRONLY );
if( ld_results >= 0 ) {
# how many results have been returned?
num = ldap_count_entries( ldapid, ld_results );
str = sprintf( "Num results = %d", num );
print(str);
print("");
print("RESULTS");
print("");
if( num>0 ) {
# Grab the first entry from the results
lentry = ldap_first_entry( ldapid, ld_results );
while( lentry ) {
# print the DN
dn = ldap_get_dn( ldapid, ld_results );
print("---- START OF ENTRY (" + dn + ") ----");
e = ldap_explode_dn( dn );
print( " Exploded DN: " + join( e, ', ' ) );
e = ldap_explode_dn( dn, 1 );
print( "Exploded DN, no type names: " + join( e, ', ' ) );
print( " User Friendly form: " + ldap_dn2ufn( dn ) );
print("");
oc = ldap_get_values( ldapid, lentry, "objectClass" );
if( "inetorgperson" in oc ) {
gn = ldap_get_values( ldapid, lentry, "givenname" );
sn = ldap_get_values( ldapid, lentry, "sn" );
print( " Found a person, Name = " + gn[0] + " " + sn[0] );
}
attrs = ldap_get_attributes( ldapid, lentry );
print( "Attributes: " + join(attrs, ", ") );
# Move through each attibute for the entry
attr = ldap_first_attribute( ldapid, lentry );
while( attr != '' ) {
print(" ATTR: " + attr );
# Print the values for the given attribute
values = ldap_get_values( ldapid, lentry, attr );
print( " VALUES = { " + join(values, ", ") + " }" );
# move to the next attibute
attr = ldap_next_attribute( ldapid, lentry );
}
# move to the next entry
lentry = ldap_next_entry( ldapid, ld_results );
print("---- END OF ENTRY (" + dn + ") ---- ");
print("");
}
print("");
}
print("-- END OF RESULTS --");
}
} else {
print( "ldap_bind failed" );
reject;
}
rc = ldap_unbind( ldapid );
str = sprintf( "rc = %d", rc );
print(str);
}
These are the built-in list functions available to use within the policy file:
| Name | Description |
|---|---|
| append | Append to a list. |
| insert | Insert a string or list into a list. |
| join | Concatenate a list into a string. |
| length | Return the length of a string, list, or array. |
| lsubst | Substitute part of a string with another string throughout all or part of a list. |
| range | Select a range of entries in a list |
| replace | Replace one or more strings in a list. |
| search | Search a list for a string. |
| split | Convert a string into a list. |
| splitSubst | Convert a string into a list |
list append( list dest, list|string src1 [, list|string src2, ...])
append creates a list constructed by appending the specified strings or lists src1, src2, etc. to the end of the list dest and returns a new list.
trustedusers = {"jamie", "cory", "robyn"};
a = append(trustedusers, "adrian");
sets a to the following list:
{"jamie", "cory", "robyn", "adrian"} list insert( list dest, int index, string src1, [, string src2, ...] )
insert constructs a list by inserting strings into a list at the specified position. Note that the first element in the list is index: 0. If the index is greater than the length of the specified list (for example, 999), then the strings append to the end of the list.
Returns the newly constructed list.
trustedusers={"jamie", "cory", "robyn"};
a=insert(trustedusers, 1, "leslie");
sets a to the list:
{"jamie", "leslie", "cory", "robyn"}
© 2020 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy