Privilege Manager policy language supports the use of LDAP calls to obtain data on the following platforms:
Privilege Manager LDAP functions follow, as closely as possible, the API outlined in RFC 1823 to ensure compatibility and ease of understanding.
The feature_enabled() function indicates whether the LDAP functions are available on a particular policy server. (See feature_enabled for details.)
The following example illustrates the use of the LDAP functions.
```
if (!feature_enabled(FEATURE_LDAP)) {
    print("LDAP support is not available on this policy server");
} else {
    ld_user   = "cn=Directory Manager";
    ld_passwd = "password";
    ld_host   = "ldapserver";
    BASEDN    = "ou=People,dc=skynet,dc=local";
    SCOPE     = "onelevel";
    FILTER    = "(objectClass=*)";
    ATTRLIST  = {};
    ATTRONLY  = false;

    print( "LDAP Server: " + ld_host );
    print( "    User DN: " + ld_user );
    print( "   Password: " + ld_passwd );
    print( "" );
    print( "    Base DN: " + BASEDN );
    print( "      Scope: " + SCOPE );
    print( "     Filter: " + FILTER );
    print( "" );

    # Open a connection to the directory server
    ldapid = ldap_open( ld_host );
    if( ldapid < 0 ) {
        print( "ldap_open failed" );
        reject;
    }

    # bind to the directory
    rc = ldap_bind( ldapid, ld_user, ld_passwd );
    if( rc == 0 ) {
        # perform the search
        ld_results = ldap_search( ldapid, BASEDN, SCOPE, FILTER, ATTRLIST, ATTRONLY );
        if( ld_results >= 0 ) {
            # how many results have been returned?
            num = ldap_count_entries( ldapid, ld_results );
            str = sprintf( "Num results = %d", num );
            print(str);
            print("");
            print("RESULTS");
            print("");
            if( num > 0 ) {
                # Grab the first entry from the results
                lentry = ldap_first_entry( ldapid, ld_results );
                while( lentry ) {
                    # print the DN of the current entry
                    dn = ldap_get_dn( ldapid, lentry );
                    print("---- START OF ENTRY (" + dn + ") ----");
                    e = ldap_explode_dn( dn );
                    print( "               Exploded DN: " + join( e, ', ' ) );
                    e = ldap_explode_dn( dn, 1 );
                    print( "Exploded DN, no type names: " + join( e, ', ' ) );
                    print( "        User Friendly form: " + ldap_dn2ufn( dn ) );
                    print("");
                    oc = ldap_get_values( ldapid, lentry, "objectClass" );
                    if( "inetorgperson" in oc ) {
                        gn = ldap_get_values( ldapid, lentry, "givenname" );
                        sn = ldap_get_values( ldapid, lentry, "sn" );
                        print( "    Found a person, Name = " + gn[0] + " " + sn[0] );
                    }
                    attrs = ldap_get_attributes( ldapid, lentry );
                    print( "Attributes: " + join(attrs, ", ") );
                    # Move through each attribute for the entry
                    attr = ldap_first_attribute( ldapid, lentry );
                    while( attr != '' ) {
                        print("    ATTR: " + attr );
                        # Print the values for the given attribute
                        values = ldap_get_values( ldapid, lentry, attr );
                        print( "        VALUES = { " + join(values, ", ") + " }" );
                        # move to the next attribute
                        attr = ldap_next_attribute( ldapid, lentry );
                    }
                    # move to the next entry
                    lentry = ldap_next_entry( ldapid, ld_results );
                    print("---- END OF ENTRY (" + dn + ") ----");
                    print("");
                }
                print("");
            }
            print("-- END OF RESULTS --");
        }
    } else {
        print( "ldap_bind failed" );
        reject;
    }
    rc = ldap_unbind( ldapid );
    str = sprintf( "rc = %d", rc );
    print(str);
}
```
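The fragment above only prints directory entries. As an added example that is not part of the product documentation, the following policy fragment uses the same LDAP functions, together with `join` and `length` from the list functions documented below, to turn a directory lookup into an accept/reject decision. It assumes that the built-in policy variable `user` holds the submitting user's name, that person entries carry `uid` and `memberOf` attributes, and that the bind account and group DNs are placeholders for a real directory layout.

```pmpolicy
# Added example, not from the product documentation. Assumed: `user` is the
# built-in variable naming the submitting user; DNs below are placeholders.
if (!feature_enabled(FEATURE_LDAP)) {
    print("LDAP support is not available on this policy server");
    reject;
}

ld_host     = "ldapserver";
ld_user     = "cn=pmpolicy-reader,ou=Services,dc=skynet,dc=local";  # read-only bind account
ld_passwd   = "password";                                           # never written to the log
BASEDN      = "ou=People,dc=skynet,dc=local";
ADMIN_GROUP = "cn=unix-admins,ou=Groups,dc=skynet,dc=local";        # assumed group DN

ldapid = ldap_open(ld_host);
if (ldapid < 0) {
    print("ldap_open failed");
    reject;
}

rc = ldap_bind(ldapid, ld_user, ld_passwd);
if (rc != 0) {
    print(sprintf("ldap_bind failed, rc = %d", rc));
    reject;
}

# Fixed filter and attribute list: nothing taken from the request is spliced
# into the search, so an unusual user name cannot reshape the filter.
ld_results = ldap_search(ldapid, BASEDN, "onelevel",
                         "(objectClass=inetOrgPerson)", {"uid", "memberOf"}, false);
allowed = false;
if (ld_results >= 0) {
    lentry = ldap_first_entry(ldapid, ld_results);
    while (lentry) {
        uid = ldap_get_values(ldapid, lentry, "uid");
        if (length(uid) > 0 && uid[0] == user) {
            groups = ldap_get_values(ldapid, lentry, "memberOf");
            print(sprintf("%s is in %d group(s): %s", user, length(groups), join(groups, ", ")));
            if (ADMIN_GROUP in groups) {
                allowed = true;
            }
        }
        lentry = ldap_next_entry(ldapid, ld_results);
    }
}
ldap_unbind(ldapid);

# Deny unless the lookup positively matched the user and the group.
if (allowed) {
    accept;
} else {
    print("request denied: " + user + " is not a member of " + ADMIN_GROUP);
    reject;
}
```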
These are the built-in list functions available to use within the policy file:
| Name | Description |
|---|---|
| append | Append to a list. |
| insert | Insert a string or list into a list. |
| join | Concatenate a list into a string. |
| length | Return the length of a string, list, or array. |
| lsubst | Substitute part of a string with another string throughout all or part of a list. |
| range | Select a range of entries in a list. |
| replace | Replace one or more strings in a list. |
| search | Search a list for a string. |
| split | Convert a string into a list. |
| splitSubst | Convert a string into a list. |
`list append( list dest, list|string src1 [, list|string src2, ...] )`

append creates a list constructed by appending the specified strings or lists src1, src2, etc. to the end of the list dest and returns a new list.

```
trustedusers = {"jamie", "cory", "robyn"};
a = append(trustedusers, "adrian");
```
sets a to the following list:
```
{"jamie", "cory", "robyn", "adrian"}
```
`list insert( list dest, int index, string src1 [, string src2, ...] )`

insert constructs a list by inserting strings into a list at the specified position. Note that the first element in the list is at index 0. If the index is greater than the length of the specified list (for example, 999), then the strings are appended to the end of the list.

Returns the newly constructed list.

```
trustedusers = {"jamie", "cory", "robyn"};
a = insert(trustedusers, 1, "leslie");
```
sets a to the list:
```
{"jamie", "leslie", "cory", "robyn"}
```