Directory Object Search

Have you ever wanted to perform an LDAP search in a workflow to check for … well let’s just say a duplicate UNIX UID.
In this example the account add workflow checks that the UNIX UID is not already in use by another account. The requirement in this instance is that a UNIX UID can only be used once within a service. What happens once a duplicate is found is up to you; in this case the account add was rejected.

The first thing you have to do is expose the dataservices model to workflow scripts. Add the following line to scriptframework.properties:

ITIM.java.access.dataservices=com.ibm.itim.dataservices.model.*

Example Script in Workflow Script Node:

This script node is from an Account Add workflow. The script gets the service DN and erposixuid from the new account, then uses them to verify that the UNIX UID has not already been used in the same service. The Directory Object Search searches ITIM's own LDAP, as you can see from the search base. There are also a couple of examples of how to read account attributes from the results.

/* Search the current service for an account with the same unix uid */

var myAccount = account.get();
/* Owner of the new account (not needed for the check itself) */
var myPerson = owner.get();

var unixUidMatch = 'false';
var dupAccountList = '';
errorInd.set('false');

/* Get Service DN */
var myServiceDN = myAccount.getProperty("erservice")[0];

/* erposixuid is multi-valued: take the first value, or mark it unknown */
var myInputPosixUid = myAccount.getProperty("erposixuid");
if (myInputPosixUid != null && myInputPosixUid.length > 0)
    myInputPosixUid = myInputPosixUid[0];
else
    myInputPosixUid = "unknown";

if (myInputPosixUid != "unknown") {
    /* Search Accounts within Service for unix UID */
    var searchFilter = '(&(erservice=' + myServiceDN + ')(erposixuid=' + myInputPosixUid + '))';
    var searchBase = 'ou=accounts,erglobalid=00000000000000000000,ou=XXX,O=XXX';
    var base = new com.ibm.itim.dataservices.model.DistinguishedName(searchBase);

    var params = new com.ibm.itim.dataservices.model.SearchParameters();
    var search = new com.ibm.itim.dataservices.model.DirectoryObjectSearch();
    var results = search.fetch(base, searchFilter, params).iterator();

    while (results.hasNext()) {
        /* Duplicate Unix UID Found */
        var dirObj = results.next().getDirectoryObject();
        /* Get Account Object */
        var mySearchAccount = new Account(dirObj.getDistinguishedName().toString());

        var mySearchEruid = mySearchAccount.getProperty('eruid');
        if (mySearchEruid != null && mySearchEruid.length > 0) {
            mySearchEruid = mySearchEruid[0];
            if (unixUidMatch == 'true')
                dupAccountList = dupAccountList + ', ' + mySearchEruid;
            else
                dupAccountList = mySearchEruid;
        }
        unixUidMatch = 'true';
    }
    /* unixUidMatch and dupAccountList now drive the next step (here, rejecting the add) */
}

OR

    while (results.hasNext()) {
        var dirObj = results.next().getDirectoryObject();
        /* Read eruid straight from the directory object instead of loading an Account */
        var myDupAccountID = dirObj.getAttribute("eruid");
        if (myDupAccountID != null) {
            myDupAccountID = myDupAccountID.getValueString();
        }
    }
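As an added example (not part of the original post), here is the filter construction with both interpolated values escaped per RFC 4515, plus the duplicate-collection loop as a stand-alone function. The ISIM calls are left out so it runs outside the workflow engine; the service DN and account ids are constructed placeholders, and it is kept in ES5 style so the helpers can be pasted into a script node.

```javascript
/* Added example, not from the original post. The account/service values
   below are constructed placeholders, not real ISIM data. */

/* Escape the characters that carry meaning inside an LDAP filter
   assertion value (RFC 4515): backslash, asterisk, parentheses and NUL.
   Without this, an attribute value such as "1001)(eruid=*" would change
   the structure of the filter instead of being compared literally. */
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16);
    return "\\" + ("0" + hex).slice(-2);
  });
}

/* The same filter the workflow script builds, with both values escaped. */
function buildDuplicateUidFilter(serviceDN, posixUid) {
  return "(&(erservice=" + escapeLdapFilterValue(serviceDN) +
         ")(erposixuid=" + escapeLdapFilterValue(posixUid) + "))";
}

/* Mirror of the workflow's getProperty() handling: a multi-valued
   attribute arrives as an array; missing or empty yields "unknown". */
function firstValueOrUnknown(values) {
  return (values != null && values.length > 0) ? values[0] : "unknown";
}

/* Mirror of the while loop over the search results. Input: one eruid
   value array per account found. Output: whether any account matched and
   the comma-separated account ids (accounts without eruid are skipped). */
function collectDuplicates(eruidValueArrays) {
  var unixUidMatch = false;
  var dupAccountList = "";
  for (var i = 0; i < eruidValueArrays.length; i++) {
    var vals = eruidValueArrays[i];
    if (vals != null && vals.length > 0) {
      dupAccountList = dupAccountList ? dupAccountList + ", " + vals[0] : vals[0];
    }
    unixUidMatch = true;
  }
  return { unixUidMatch: unixUidMatch, dupAccountList: dupAccountList };
}

/* Constructed sample run with a placeholder service DN. */
var SAMPLE_SERVICE_DN = "erglobalid=EXAMPLE,ou=services,ou=XXX,O=XXX";
var SAMPLE_POSIX_UID = firstValueOrUnknown(["1001"]);
var SAMPLE_FILTER = buildDuplicateUidFilter(SAMPLE_SERVICE_DN, SAMPLE_POSIX_UID);
var SAMPLE_RESULT = collectDuplicates([["jsmith"], ["bjones"], null]);
```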

Oracle Internet Directory: Bulk Loading a Large User Base

During a planned environment migration, the need to move a large number of users quickly becomes paramount. There are several mechanisms to do this with OID, but most of them take far too long and have a huge hit on performance. Take, for example, importing an LDIF file through the ODSM console. With a file containing roughly 600,000 users, this would take an average of 33 hours! Enter the bulkload tool. From start to finish, the same import takes under 10 minutes. How is that for an improvement? But we don't want to discuss all the benefits of the bulkload tool, do we? Just show me how to do it, right? Here is how:

  1. Set ORACLE_HOME to your OID home (ex: /u01/app/oracle/Middleware/Oracle_IDM1)
  2. Set ORACLE_INSTANCE to your OID instance home (ex: /u01/app/oracle/Middleware/asinst_1)
  3. Copy your LDIF file to $ORACLE_HOME/ldap/bin
  4. Stop your OID instance
  5. Run the following command:

./bulkload connect="oiddb" check="TRUE" generate="TRUE" file="$ORACLE_HOME/ldap/bin/users.ldif"

Note: The "connect" string can be found in the tnsnames.ora file located in $ORACLE_INSTANCE/config. Despite what the documentation says, it is NOT the service name. It is the name at the beginning of the entry.

  6. You will be prompted for the OID password. This is the ODS schema password.
  7. The script will build all the files it requires under $ORACLE_INSTANCE/OID/load. Basically, it builds data files for every attribute/objectclass in use. Non-indexed attributes will not be shown, but worry not, they will be written.
  8. Now, time to do the actual import. Run the following command from the same location:

./bulkload connect="oiddb" load="TRUE"

  9. Sit back, relax, and watch how quickly the import executes.
  10. Restart OID, and connect to ODSM to verify the number of entries.
  11. Marvel at your ingenuity.

20/20 Vision: Identity and Access For The Next Decade


As attacks become more difficult to detect and defend against, and threats continue to grow, no organization is immune from security breaches. We anticipate a shift around identity and access management (IAM) as enterprises cope with increased regulatory compliance requirements, insider and external threats, cloud integration, and more.

IBM Security threat-aware IAM solutions help prepare you for current and future security challenges with identity intelligence and secure online access in mobile, cloud, mainframe, and social environments.

Explore IBM Security identity and access management
Join IBM and Pathmaker Group and learn how to:
• Use security intelligence to improve user oversight and compliance.
• Respond effectively to the rising number of identity-focused attacks.
• Safeguard access within mobile, cloud, mainframe and social environments.
• Protect against advanced insider threats.
Don't miss this chance to network with your peers, talk to IBM security experts, and get practical advice for your own IAM environment.


A Sobering Day for All CEOs

Sadly, the CEO presiding over Target during the recent data breach resigned today.  See USA today article.

This series of unfortunate events for Target begs a key question relating to the risks every company CEO faces today. Did Target leadership ask the right questions about overall IT security and the risk every company faces?

Protecting a company from Cyber bad guys is a never ending battle.  It’s a game of leap frog with some serious consequences if you get behind.  With all the opportunity for full-time, professionally paid, government backed hackers to spend all day every day figuring out new ways to wreck a company, the priority for combating this enemy needs to be pretty high on the list for every CIO and CEO.  But it’s not just about spending all the money you can afford to spend.  It’s about understanding where to spend the money on the right technology.

How do leaders responsible for protecting a company sort out all the noise from the real threats?  This has become a constant exercise in analyzing risk and applying financial priorities accordingly.

As fast as the bad guys are coming up with new ways to exploit a target, new innovative minds are working to counter their moves.  Many of these great technologies are being folded into a portfolio of products and solutions that can be layered across an enterprise to protect and prevent the latest threats from creating the worst kind of headlines.

IBM has been on a major buying spree for the last several years, snapping up some of the best and brightest technologies and resources across the globe. They are quickly assembling an array of tools that are being shaped into the world's best security risk analysis platform. By leveraging this risk-based assessment direction, IT leaders can depend on technologies that not only provide the intelligence about where to address risk, but are probably the best that money can buy.

IBM is currently the third largest security company in the world with the goal of being the largest and the best.  As a Premier IBM Business Partner, we see this investment first hand.  See ComputerWorld’s perspective.

PathMaker Group serves our customers by planning, implementing, and managing these security solutions across the enterprise.  IT Security is a rapidly changing, complex business and our partnership with IBM helps us keep our customers one step ahead of the bad guys.

Processing Multiple Attribute Values with the TDI 7.1 FOR-EACH Attribute Connector

In previous versions of the IBM TDI product, processing a report or directory integration has been a challenge when working with attributes that may have more than one value.

One such example that we see frequently with the ISIM product is the erroles attribute assigned to the ISIM Person record. Luckily, IBM TDI 7.1 introduces a new connector type, the FOR-EACH Attribute loop, that lets us process these easily. The following is a demonstration of how this function connector works in a simple report-generating TDI.

In this example we will be iterating over all Person records contained in ISIM. The connector looks like this:

[screenshot of the ISIM Person iterator connector]

The Search Base and Search Filter should be something along the lines of:

[screenshot of the Search Base and Search Filter settings]

(Note: with a Search Filter of (erroles=*), only Person records that contain at least one role will be selected.)

The next step is to make use of the FOR-EACH Attribute connector. The iterator has already loaded the work.erroles object which may contain multiple values. This attribute contains the DN of the role assigned to the ISIM Person which we will need to translate into a Role Name (errolename).

We will need to define a Work Attribute Name & a Loop Attribute Name. The Work attribute is the incoming multi-value attribute from the iterator, in this case erroles. The Loop Attribute Name is the single value attribute at the coordinate for the current loop count.

[screenshot of the FOR-EACH Attribute connector with the Work Attribute Name and Loop Attribute Name]

Once this has been defined, we can add connectors below it to look up and then record the data for each pass of the Role Loop. First we do a lookup using the DN of the role (loopRole) to resolve the role's name (errolename).

[screenshots of the role lookup connector]

Since the work.errolename value will be overwritten with each pass of the Role Loop, we will need to store the value, or write it to file, before finishing the loop and moving on to the next value of erroles. In this example I have inserted a File Connector to write the report as each value passes through the loop. Other options are available, such as storing the values in an array (e.g. of work.errolename) and then looping through them using JavaScript in a connector further on in the TDI.

[screenshot of the File Connector writing the report]

Gartner Identity and Access Management Summit

How Can a Company Guarantee a Successful, Strategic Identity Access Management Program?

The Gartner Identity and Access Management Summit is right around the corner and leaders from all over the world will be coming to try to get this question answered.  Here are a few ideas from our ten years in the industry.

Strategic Identity and Access Management ("IAM") projects can be difficult, and the new challenges with mobile, social, and cloud compound the problem. Protecting the perimeter is not enough anymore. Safeguarding identities is the key to a truly secure enterprise.

The industry has seen way too many train wrecks with IAM.  To get beyond basic capabilities and really use IAM systems as a foundation for strategic IT, a company MUST take the time up front to consider the long-term plan.  Near-term, immediate priorities can be solved with client-based single sign-on, basic provisioning, simple roles and audit reports.  But with a short-term (and maybe short sighted) plan, a company can just as easily limit their ability to solve more complex problems.


Using Tivoli Federated Identity Manager to Get What You Want

  1. You want to enhance your company’s business-to-business and business-to-consumer collaborations with centralized user access management through application integration and secure authentication.
  2. You want to improve the experience of users at your company and lower costs through business-to-consumer user self-care and federated access control to on and off premises applications.
  3. You want to enable single sign-on (SSO) for external users to internal applications and for internal users to cloud-based applications.
  4. You want to provide web fraud detection and prevention capabilities through risk-based access control.

You want a lot! Lucky for you, there is ...

Tivoli Federated Identity Manager (TFIM)

IBM Tivoli Federated Identity Manager is an access-management solution that provides web and federated SSO to end users across multiple applications. TFIM allows collaboration across an organization's business ecosystem and plays a key role in businesses extending their application access to business partners, customers and consumers. TFIM provides the ability for internal users to access externally hosted applications, including cloud-based applications and business partner applications.

Identity and Access Management Best Practices Webinar

How Levi leveraged Identity Management infrastructure to enable “just in time” fully automated privileged system access

Presented by:

  • Chuck Lankford, Global Director of Security at Levi Strauss & Co.
  • Chris Fields, Vice President of Security Strategy, PathMaker Group
  • Ravi Srinivasan, Director of IBM Security, Strategy, and Product Management

In our 50-minute webinar you will:

  • Learn about the latest market trends in Identity and Access Management
  • See why the IBM IAM Suite is one of the hottest sellers in the last six months
  • See what’s new with the IBM IAM Suite including upcoming features and capabilities
  • Hear what customers are buying and why
  • Learn the five most common benefits from a robust IAM infrastructure
  • Learn about best practices for implementing provisioning, access management, federation
  • Hear customer use cases and their key business drivers for IAM


About the key presenter, Chuck Lankford:

Chuck is the Director of Global Information Security for Levi Strauss & Co. and has responsibility for protecting LS&Co. from threats to the confidentiality, integrity and availability of LS&Co. systems, information and infrastructure. Chuck has been with LS&Co. for more than 10 years and has served in global IT leadership roles for 17 years. Prior to joining LS&Co., Chuck was Director of Global Networking for network products manufacturer 3Com (Santa Clara, CA), where he architected and managed 3Com's global voice, data and video networks. Chuck holds numerous certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker, Certified Information Systems Auditor (CISA) and Certified Information Systems Risk Consultant (CISRC).


About Chris Fields:

Chris has held his CISSP certification since 2003 and is the Identity Management Architect & Visionary responsible for setting the strategic direction and architecture approach for all of our IBM identity and access management projects. He is also responsible for managing partner relationships with identity management vendors. Chris’ love of technology makes everything about his job enjoyable. Mentoring and expanding the technical skill sets of his employees is the most enjoyable aspect of his daily activities. Equally enjoyable is the time spent helping clients to understand the industry and discuss viable options for them to begin and mature their identity and access management infrastructures.

About Ravi Srinivasan:

Ravi manages the IBM identity, access and mainframe security portfolio strategy and product management, based in Austin, Texas. He has over 15 years of experience in product management, market strategy, and development in the software and services industries. Ravi meets and consults with senior management, line-of-business owners and IT operations management around the world on their key security, risk, and compliance initiatives. He is also a frequent speaker at trade and analyst conferences and customer events, sharing a worldwide customer perspective and insights on secure mobile, cloud and social business transformations. Ravi mentors several security services practitioners and product managers to develop practical solution approaches to changing security, risk and compliance needs.

7th Stage (Security) of IS growth, Part II

A little background:

Now that you’ve been in the CIO’s position for your first quarter, it is time to prepare for your first review with the board of directors.  The agenda for the IS presentation will cover key factors that you discovered in your operations, your accomplishments and your plans for the next year.  Since this is the quarter for your next year’s budget, it should contain the funding needed to accomplish the IS plan.

One of the key factors in the review of your operations was discovering the lack of security focus and the non-compliance issues that left the operations vulnerable to unwanted intrusion into your network. Listed in your accomplishments is the Security Assessment study and recommendations provided by PathMaker Group when you engaged them for a study of your IS environment. One of their recommendations was to deploy IBM's Security products for managing Identity and Application Access in your enterprise network. This is an important undertaking, as your company will replace the outdated security monitoring with IBM's Showcase Solution to keep unwanted intruders out while making it easier for authorized users to access their applications. As a result of PathMaker Group's findings and recommendations, you asked them to submit a proposal for the corrective solution using IBM Security Products and PMG Professional Services to deploy them in your IS network.

This section of your review was very well received by the board of directors and they gave you the approval to get started.
