Attributes to add to the credential
The attributes to add to the credential are configured in several stanzas.
Add this information to the WebSEAL configuration file.
Review the following example entry.
    [TAM_CRED_ATTRS_SVC]
    eperson = azn_cred_registry_id
    group = cn=enterprise, o=tivoli

    [TAM_CRED_ATTRS_SVC:eperson]
    tagvalue_credattrs_lastname = sn
    tagvalue_credattrs_employeetype = employeetype
    tagvalue_credattrs_address = homepostaladdress
    tagvalue_credattrs_email = mail

    [TAM_CRED_ATTRS_SVC:group]
    tagvalue_credattrs_businesscategory = businesscategory

The stanza name [TAM_CRED_ATTRS_SVC] is the service ID. The entries inside this stanza are the sources from which attributes are retrieved. The source names, such as eperson and group, identify the locations in the registry; you define these names. The value of each source entry is either a registry identifier (a DN) that exists in the registry, or the name of an existing credential attribute. In the latter case the service automatically looks up that credential attribute and uses its value as the registry identifier.
Configure the registry attributes for each source in a separate stanza under the service stanza. The name of the separate stanza is the service ID, followed by a colon (:) and then the source name. This linking is necessary because more than one service can be configured in the same file. The entries in these stanzas map user registry attributes to user-defined credential attributes: the keyword is the credential attribute to create and the value is the registry attribute to read.
For example, in an LDAP user registry, the DN for a user might be
cn=joeuser, o=tivoli
For this user, the LDAP user registry entries might be:
    sn=Smith
    employeetype=bankteller
    homepostaladdress="3004 Mission St Santa Cruz CA 95060"
    mail=joeuser@bigco.com
For the group cn=enterprise,o=tivoli, the LDAP group registry entry might be:
businesscategory=finance
With these example configuration entries, the attribute list returned has the following entries:

    Attribute name               Attribute value
    credattrs_lastname           Smith
    credattrs_employeetype       bankteller
    credattrs_address            3004 Mission St Santa Cruz CA 95060
    credattrs_email              joeuser@bigco.com
    credattrs_businesscategory   finance
Note that the service, source, and attributes can all be multi-valued. If you specify the same attribute name as the keyword of more than one stanza entry, the values retrieved are added to a single multi-valued attribute, even when they come from different sources.
For example, more than one entitlement service can be chained together, so that values retrieved by one service are used as the source values for another service. Likewise, attributes can be retrieved from more than one DN in the user registry. Using the example above, you could therefore add values from multiple users (DNs) to one credattrs_businesscategory attribute if you wanted a list of all the businesscategory entries for a group of users. As another example, if you want to build an attribute called myemployeeinfo to add to the credential, and you want this attribute to contain the last name and employee type of everyone who authenticates, you could define the following:
    [myID]
    source = azn_cred_authzn_id

    [myID:source]
    myemployeeinfo = lastname
    myemployeeinfo = employeetype