LDAP integration - code samples

This page lists the code samples that apply to the LDAP integration configuration. In this section:

  • Correlation Rule - code sample
  • Provisioning Rule - Name - code sample
  • Provisioning Rule - sn - code sample
  • Provisioning Rule - objectCategory - code sample
  • Provisioning Rule - givenName - code sample
  • Provisioning Rule - objectClass - code sample
  • Provisioning Rule - userPrincipalName - code sample
  • Leaver Rule - code sample

Correlation Rule

The following Correlation Rule establishes an Identity as the owner of an LDAP account when the Given Name and Surname properties of the Identity's HR Source Account match the givenName and sn properties of the LDAP account.


    // Most recent, non-terminated givenName value stored for the LDAP account.
    var accountGivenName = readOnlyAccess360DbContext.AccountStringAdditionalProperties
        .Where(x => x.AccountId == accountId && !x.Terminated && x.Name == "givenName")
        .OrderByDescending(x => x.LastUpdateTimestamp)
        .Select(x => x.Value)
        .FirstOrDefault();

    // Most recent, non-terminated sn (surname) value stored for the LDAP account.
    var accountsn = readOnlyAccess360DbContext.AccountStringAdditionalProperties
        .Where(x => x.AccountId == accountId && !x.Terminated && x.Name == "sn")
        .OrderByDescending(x => x.LastUpdateTimestamp)
        .Select(x => x.Value)
        .FirstOrDefault();

    if (!string.IsNullOrEmpty(accountsn) && !string.IsNullOrEmpty(accountGivenName))
    {
        // Exactly one non-terminated Identity whose HR Source Account carries the same
        // Given Name and Surname; SingleOrDefault yields default when there is no match.
        var ownerIdentityId = readOnlyAccess360DbContext.Identities
            .Where(x => !x.Terminated
                && x.HrSourceAccount.StringAdditionalProperties
                    .Any(p => !p.Terminated && p.Name == "Given Name" && p.Value == accountGivenName)
                && x.HrSourceAccount.StringAdditionalProperties
                    .Any(p => !p.Terminated && p.Name == "Surname" && p.Value == accountsn))
            .Select(x => x.Id)
            .SingleOrDefault();

        if (ownerIdentityId != default)
        {
            return new(ownerIdentityId, OwnerType.Identity);
        }
    }
    return null;

Name

For the Name property of an LDAP account, the following Provisioning Rule takes the Name property of the Identity, removes its spaces, keeps at most the first six characters, appends the "_com" suffix, and then prepends a prefix determined by the type of the account.


    var name = identity.Name.Replace(" ","");
    name = name.Length > 6 ? name.Substring(0, 6) : name;
    name = name + "_com";
    if (accountType == AccountType.Temporary) name = "tmp_" + name;
    if (accountType == AccountType.PersonalPrivileged) name = "adm_" + name;
    if (accountType == AccountType.PrivilegedService) name = "adm_s_" + name;
    return name;
            

sn

For the sn property that an LDAP account is created and/or updated with, the following Provisioning Rule returns the surname part of the Identity's Name, that is, everything after the first space.


    var indexOfSpace = identity.Name.IndexOf(' ');
    if (indexOfSpace != -1)
    {
        return identity.Name.Substring(indexOfSpace + 1);
    }
    return identity.Name;

objectCategory

    return "CN=Person,CN=Schema,CN=Configuration,DC=oid,DC=test";
           

givenName

For the givenName property that an LDAP account is created and/or updated with, the following Provisioning Rule returns the first word of the Identity's Name, that is, everything before the first space.


    var indexOfSpace = identity.Name.IndexOf(' ');
    if (indexOfSpace != -1)
    {
        return identity.Name.Substring(0, indexOfSpace);
    }
    return identity.Name;

objectClass

    // Standard Active Directory object class chain for a user object.
    return new List<string>() { "user", "top", "person", "organizationalPerson" };

userPrincipalName

The following Provisioning Rule sets the userPrincipalName property in the same way as the Name property of the LDAP account.


    var name = identity.Name.Replace(" ", "");
    name = name.Length > 6 ? name.Substring(0, 6) : name;
    name = name + "_com";
    if (accountType == AccountType.Temporary) name = "tmp_" + name;
    if (accountType == AccountType.PersonalPrivileged) name = "adm_" + name;
    if (accountType == AccountType.PrivilegedService) name = "adm_s_" + name;
    return name;
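
The Name and userPrincipalName rules above contain no uniqueness check, so two Identities whose space-stripped names share the same first six characters are mapped to the same LDAP name. The following added example (not part of the Access360 documentation or product code) extracts the rule into a pure function and finds such collisions across a constructed set of Identities; the AccountType enum is an assumed stand-in for the one the rules reference.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Assumed stand-in for the product's AccountType; only the members used by the rule matter.
enum AccountType { Standard, Temporary, PersonalPrivileged, PrivilegedService }

static class LdapNaming
{
    // Same steps as the provisioning rule: strip spaces, keep at most 6 characters,
    // append "_com", then prepend the prefix for the account type.
    public static string BuildName(string identityName, AccountType accountType)
    {
        var name = identityName.Replace(" ", "");
        name = name.Length > 6 ? name.Substring(0, 6) : name;
        name = name + "_com";
        if (accountType == AccountType.Temporary) name = "tmp_" + name;
        if (accountType == AccountType.PersonalPrivileged) name = "adm_" + name;
        if (accountType == AccountType.PrivilegedService) name = "adm_s_" + name;
        return name;
    }

    // Groups Identities that the rule would map onto the same LDAP name.
    // Directory names are compared case-insensitively, so the grouping is too.
    public static Dictionary<string, List<string>> FindCollisions(
        IEnumerable<string> identityNames, AccountType accountType) =>
        identityNames
            .GroupBy(n => BuildName(n, accountType), StringComparer.OrdinalIgnoreCase)
            .Where(g => g.Count() > 1)
            .ToDictionary(g => g.Key, g => g.ToList());

    static void Main()
    {
        // Constructed sample Identities; the first two collide after the 6-character cut.
        var identities = new[] { "Johnathan Smith", "Johnathan Smithson", "Ann Lee" };
        foreach (var id in identities)
            Console.WriteLine($"{id,-20} -> {BuildName(id, AccountType.Standard)}");
        Console.WriteLine($"privileged: {BuildName("Ann Lee", AccountType.PersonalPrivileged)}");

        // Report every LDAP name that more than one Identity would receive.
        foreach (var kv in FindCollisions(identities, AccountType.Standard))
            Console.WriteLine($"collision on {kv.Key}: {string.Join(", ", kv.Value)}");
    }
}
```

Running it shows "Johnathan Smith" and "Johnathan Smithson" both mapped to Johnat_com, which is the case a provisioning pipeline has to detect before the account is created.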

Leaver Rule

There are two Leaver Rule examples below, each showcasing one of the options available for the LDAP integration. The first example uses the .LockAndRemoveEntitlements option, which allows selected Entitlements to remain on the terminated, locked account. The Entitlements to revoke are listed in the entitlementIdsToRemove parameter; in the code sample below that list excludes the default Domain Users group, so that group is kept while everything else is revoked before the terminated LDAP account is locked.


    var entitlementIdsToRemove = readOnlyAccess360DbContext.AccountEntitlements
        .Where(x => !x.Terminated && x.AccountId == accountId)
        .Select(x => x.EntitlementGrant)
        .Where(x => !x.Terminated)
        .Select(x => x.Entitlement)
        .Where(x => !x.Terminated)
        .Select(x => new { x.Id, x.Permission, x.Resource })
        .Where(x => x.Permission.Name != "Domain Users")
        .Select(x => x.Id)
        .ToList();

    return (AccountTerminationBehavior.LockAndRemoveEntitlements, null, entitlementIdsToRemove);


The second example showcases the .Delete option, used when the LDAP account must be deleted once the Identity is terminated.


    return (AccountTerminationBehavior.Delete, null);