login about faq

There is a section in MobileID admin manual with the title “User Account Updates” where it is discussed how to get the account changes to be done directly to the LDAP/AD instead of the Meta DB.


*5.7 User Account Updates

By default, whenever MobileID needs to update some information on a user account, i.e. token synchronization keys, update password list, maintain failure counts, etc., the information is updated to a local SQL database, regardless of where the actual user account were stored (typically in LDAP).

Whether updates are performed on a SQL database, namely User Meta Database, or directory to a LDAP account, is transparent from administration perspective and requires no extra deployment. However, there are significant benefits to performing updates directly to LDAP accounts:

  1. LDAP server automatically replicates updated information.
  2. Single centralized storage for all end user account information.

Update mode is toggled in MobileID by enabling/disabling Meta Database parameter in Default Parameters System Parameters General.

Note

direct LDAP updates require RW permissions for the LDAP connector account.

Note

direct LDAP updates require a dedicated wLoginUserData (or alias) string attribute in user account schema.*


What is this “wLoginUserData” string attribute in the last Note section?

asked Jun 13 '12 at 13:11

SSH%20KB's gravatar image

SSH KB ♦
509249246237

edited Jun 13 '12 at 13:18


For mobileid to be able to store information on the end user account in AD, there has to exist an available attribute in the AD account object.

In a similar manner as there exists an available attribute for i.e. “Street Name”.

Any available (empty) attribute can be used, say “Description”, in which case an alias just has to be set to mobileid – since mobileid expects to always read/write an attribute called wLoginuserData, but the alias is to tell mobileid to use say that Description instead.

Please note that GREAT ATTENTION has to be taken not to choose an alias that would conflict with another application. That is, if you chose Street Name and mobileid would update its own meta data to, some other application would possibly break as it would expect to find a valid street name inside the attribute.

The safest way is to “extend” the AD schema to include “wLoginUserData” attribute, as that way one can be sure that there are no conflicting applications that would depend on the attribute.

link

answered Jun 13 '12 at 13:13

SSH%20KB's gravatar image

SSH KB ♦
509249246237

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or __italic__
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×55

Asked: Jun 13 '12 at 13:11

Seen: 2,200 times

Last updated: Jun 13 '12 at 13:18

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.