0 votes

Hello

Are Custom attributes an Active Directory schema extension, or are they stored in the Adaxes database ?

If stored in the database, can they then be read/changed using the SPML Integration ?

- Thanks

by (2.6k points)

1 Answer

0 votes
by (216k points)

Hello,

Adaxes custom attributes are stored on an instance of AD LDS that serves as Adaxes service backend. They can be modified using the SPML Provider, but first you need to describe the attributes in the SPML Provider schema. To do this:

  1. Open file SpmlSchema.xml with a text editor (e.g. notepad.exe). It is located in the directory for Adaxes SPML Web Application, which is C:\Program Files\Softerra\Adaxes 3\SPML Web Service by default.

  2. Add a definition for the attribute you want to use. For this purpose, add a new attributeDefinition XML node to element schema\schema and set the following parameters:

    • type - specifies the type of the attribute that you want to use. For example, if you want to use a string (text) attribute, specify xsd:string. Or, if you want to use a binary attribute, specify xsd:base64Binary.
    • name - specify the LDAP display name of the attribute, for example, adm-CustomAttributeText1.
    • description - specify a description for the attribute.

    For example, a definition for attribute CustomAttributeText1 can look like this:

     <?xml version="1.0"?>
     <schema xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:oasis:names:tc:SPML:2:0">
       <schema xmlns="urn:oasis:names:tc:SPML:2:0:DSML">
         ...
         <attributeDefinition type="xsd:string" name="objectCategory" description="Object Category" />
         <!-- line to add -->
         <attributeDefinition type="xsd:string" name="adm-CustomAttributeText1" description="My Description" />
       </schema>

  3. Add the attribute to the class of AD objects with which you want to use it. For example, if you want to specify a custom attribute of users, add a new attributeDefinitionReference element to element schema\schema\objectClassDefinition name="user"\memberAttributes. Set the following parameters:

    • name - specify the LDAP display name of the attribute, for example, adm-CustomAttributeText1.
    • required - specify false (meaning that the attribute is not required to create a new user).

    For example, to add attribute CustomAttributeText1 to the user object class, add a line as follows:

     <?xml version="1.0"?>
     <schema xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:oasis:names:tc:SPML:2:0">
       ...
         <objectClassDefinition name="user">
           <memberAttributes>
             ...
             <attributeDefinitionReference name="distinguishedName" required="false" />
             <!-- line to add -->
             <attributeDefinitionReference name="adm-CustomAttributeText1" required="false" />
           </memberAttributes>
         </objectClassDefinition>

  4. Save the file.
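
A consistency check for the two edits described in steps 2 and 3, as an added example that is not part of the original answer or of Adaxes itself. The function name `Test-SpmlSchemaReferences` is hypothetical and the sample document is constructed; the check reports references that have no matching definition, duplicate definitions, and custom attributes not marked `required="false"`.

```powershell
function Test-SpmlSchemaReferences {
    param([Parameter(Mandatory)][xml]$Schema)

    # Match by local-name() so the default SPML/DSML namespaces do not matter.
    $defined = @{}
    foreach ($def in $Schema.SelectNodes("//*[local-name()='attributeDefinition']")) {
        $name = $def.GetAttribute('name')
        if ($defined.ContainsKey($name)) {
            [pscustomobject]@{ ObjectClass = '-'; Attribute = $name; Problem = 'defined more than once' }
        }
        $defined[$name] = $def.GetAttribute('type')
    }

    foreach ($ref in $Schema.SelectNodes("//*[local-name()='attributeDefinitionReference']")) {
        $name  = $ref.GetAttribute('name')
        $owner = $ref.SelectSingleNode("ancestor::*[local-name()='objectClassDefinition']")
        $class = if ($owner) { $owner.GetAttribute('name') } else { '(no object class)' }

        # Step 3 without step 2: the reference points at an undefined attribute.
        if (-not $defined.ContainsKey($name)) {
            [pscustomobject]@{ ObjectClass = $class; Attribute = $name; Problem = 'no attributeDefinition' }
        }
        # The answer sets required="false" for custom attributes.
        if ($name -like 'adm-Custom*' -and $ref.GetAttribute('required') -ne 'false') {
            [pscustomobject]@{ ObjectClass = $class; Attribute = $name; Problem = 'required is not "false"' }
        }
    }
}

# Constructed sample, not the shipped SpmlSchema.xml.
$sample = @'
<?xml version="1.0"?>
<schema xmlns="urn:oasis:names:tc:SPML:2:0">
  <schema xmlns="urn:oasis:names:tc:SPML:2:0:DSML">
    <attributeDefinition type="xsd:string" name="distinguishedName" description="DN" />
    <attributeDefinition type="xsd:string" name="adm-CustomAttributeText1" description="My Description" />
    <objectClassDefinition name="user">
      <memberAttributes>
        <attributeDefinitionReference name="distinguishedName" required="false" />
        <attributeDefinitionReference name="adm-CustomAttributeText1" required="false" />
        <attributeDefinitionReference name="adm-CustomAttributeBoolean1" required="true" />
      </memberAttributes>
    </objectClassDefinition>
  </schema>
</schema>
'@

Test-SpmlSchemaReferences -Schema $sample | Format-Table -AutoSize
```

On the sample this reports two problems for `adm-CustomAttributeBoolean1` on class `user`. To check a real file, pass its contents with `Get-Content -Raw` as the `-Schema` argument.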

0

Hello

I have an additional question regarding custom attributes.

I can foresee - based on incoming user requests for storing additional information in AD/Adaxes - that we in time may risk running out of custom attributes (in a user friendly context) with a friendly name, because the friendly name given to a custom attribute, in the file AttributeFriendlyNames2.eng.xml, will be shown on all object types.

How do we give custom attributes a friendly name for each object type (OU, Group, User) separately?

- Thanks

0

Hello

Another one on Custom Attributes ;)

Support wrote: "The thing is that currently Adaxes custom attributes are not included in LDAP searches for performance considerations."

When will Custom Attributes be included in LDAP searches and filters?

Adaxes has a great potential saving additional information about OUs, groups and users.
First of all, we do not need to make a schema extension on the Active Directory, if stored there instead.
Secondly, we save money not using third-party systems storing the same information.
However, to get full value of the stored information in Adaxes, they need to be accessible the same way as other LDAP properties.

For example. We store a boolean value in CustomAttributeBoolean1. On the GUI we could make a Home Page Action to show all users having this attribute set to true or false, creating a simple LDAP filter. That is - if Custom attributes were supported in LDAP filters :D

- Thanks

0

Hello,

How do we give custom attributes a friendly name for each object type (OU, Group, User) separately?

Yes, that's possible. For this purpose, you need to add the specificFriendlyName element for each object class you need to the friendlyNameItem element of the desired property. Specify the desired object class name via the objectClass parameter of the specificFriendlyName attribute.

In the following example, attribute CustomAttributeBoolean1 will be displayed as Create Office 365 account for users, Mail-enable for groups and My checkbox for all other object types:

  <friendlyNameItem>
    <ldapName>adm-CustomAttributeBoolean1</ldapName>
    <friendlyName>My checkbox</friendlyName>
    <specificFriendlyName objectClass="user">Create Office 365 account</specificFriendlyName>
    <specificFriendlyName objectClass="group">Mail-enable</specificFriendlyName>
  </friendlyNameItem>

When will Custom Attributes be included in LDAP searches and filters?

Currently, we are not planning that. Regardless of all the advantages, one huge drawback would be a tremendous effect on the performance.

0

Thanks, it works.

Currently, we are not planning that. Regardless of all the advantages, one huge drawback would be a tremendous effect on the performance.

Maybe we are talking past each other?

Currently we use "adm-CustomAttributeText1" to filter the users shown in lists.

Then, why can't we use e.g. "adm-CustomAttributeBoolean1" as filter, to only show users with that attribute set to e.g. "%adm-CustomAttributeBoolean1%=true"?

- Thanks

0

Hello,

Then, why can't we use e.g. "adm-CustomAttributeBoolean1" as filter, to only show users with that attribute set to e.g. "%adm-CustomAttributeBoolean1%=true"?

No, you won't be able to use that. The thing is that if you use value references in the Web Interface configuration, they are resolved into property values of the currently logged in user.

Thus, in your example:

  • If a user whose CustomAttributeBoolean1 attribute is set to True logs in, the resulting filter is (true=true);
  • If a user whose CustomAttributeBoolean1 attribute is set to False logs in, the resulting filter is (false=true).
0

Hi Support,

Does that mean I can expand the number of custom attributes any?

Thx

0

Hello,

Well, sort of. You can define different names for custom attributes depending on the AD object type. This means that you can use the same custom attributes for different purposes with objects of different types.
