IdentityMinder role assignment (Multi-valued attributes don’t contain?!)

CA IdentityMinder is a great application for managing identities and assigning roles and tasks.  All of these identities end up residing on some form of LDAP or a relational database with very specific schemas and “well known” attribute assignments.

One of the most used well known attributes is “admin roles”. It should be mapped to a multi-valued attribute, since a person can hold several roles. For example, in my sample environment I used the registeredAddress attribute to hold my admin roles.

However, when dealing with these kinds of attributes one has to pay close attention to the search criteria. For example, you could see a role membership rule like the one below:

“Admin roles” Contains “Windows Administrator”

This assignment was not working for my role assignments, and it took me a few tries to figure out why.

The problem with the above rule is that not every directory returns matching entries for the search it generates.

For example, if you are using OpenLDAP as your user store the above criteria will not work. Browsing the directory directly, I could see “Windows Administrator” as one of the values in my user’s registeredAddress attribute, but IdentityMinder was not showing this role for my user. So I decided to use what drives IdentityMinder itself: ldapsearch.

C:\OpenLDAP\bin>ldapsearch -D "uid=SuperAdmin,ou=People,ou=Employee,ou=NeteAuto,dc=pasha,dc=test" -b "dc=pasha,dc=test" -W "(&(registeredAddress=*Windows Administrator*)(objectClass=inetOrgPerson))"

returned nothing. However, when I spell out the admin role name exactly instead of surrounding it with wildcards, it works.

C:\OpenLDAP\bin>ldapsearch -D "uid=SuperAdmin,ou=People,ou=Employee,ou=NeteAuto,dc=pasha,dc=test" -b "dc=pasha,dc=test" -W "(&(registeredAddress=Windows Administrator)(objectClass=inetOrgPerson))"

# emptest, People, Employee, NeteAuto, pasha.test
dn: uid=emptest,ou=People,ou=Employee,ou=NeteAuto,dc=pasha,dc=test
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: emp
uid: emptest
homeDirectory: /emptest
loginShell: bash
cn: emptest
uidNumber: 58939
sn: test
registeredAddress: Windows Administrator

So the solution is to change the membership rule from “contains” to “=”.
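To make the difference between the two rules concrete, here is an added example of my own (not code from the post, and not part of CA IdentityMinder or OpenLDAP). It builds the two filters shown above from a membership rule, parses the user entry from the ldapsearch output into a multi-valued attribute map, and evaluates each filter against it the way RFC 4511 describes: an equality item is TRUE when any value of the attribute equals the assertion, so “=” is perfectly fine for a multi-valued attribute; a substring item on an attribute for which the server has no substring matching rule evaluates to Undefined, and an AND containing an Undefined item does not return the entry. The mapping of “contains” to `*value*` is an assumption taken from the filters in the post, the `substring_attrs` parameter is a simulation knob, and whether that Undefined rule is exactly what the author’s OpenLDAP was doing is not something the post establishes. Role names are escaped per RFC 4515 so a name containing `*` or parentheses cannot change the filter’s structure.

```python
import re

# Constructed sample entry, copied from the ldapsearch output in the post.
SAMPLE_LDIF = """\
dn: uid=emptest,ou=People,ou=Employee,ou=NeteAuto,dc=pasha,dc=test
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
uid: emptest
cn: emptest
registeredAddress: Windows Administrator
"""


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 section 3 so user-supplied text
    (a role name, for instance) cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value):
    """Undo RFC 4515 escaping (\\XX hex pairs) when evaluating a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def membership_filter(attr, op, role, object_class="inetOrgPerson"):
    """Build the search filter a membership rule maps to. Mapping "contains"
    to a *value* substring item is an assumption based on the filters in the
    post, not something taken from the product."""
    if op == "contains":
        item = "(%s=*%s*)" % (attr, escape_filter_value(role))
    elif op == "=":
        item = "(%s=%s)" % (attr, escape_filter_value(role))
    else:
        raise ValueError("unsupported operator: %r" % op)
    return "(&%s(objectClass=%s))" % (item, object_class)


def parse_ldif_entry(ldif):
    """Turn one LDIF entry into {lower-case attribute name: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        entry.setdefault(name.lower(), []).append(value)
    return entry


# One simple filter item: (attribute=assertion); values may contain '*'.
_ITEM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def _substring_match(value, parts):
    """Match a value against the initial/any/final pieces of a substring assertion."""
    initial, any_parts, final = parts[0], parts[1:-1], parts[-1]
    if not value.startswith(initial) or not value.endswith(final):
        return False
    pos, end = len(initial), len(value) - len(final)
    for piece in any_parts:
        idx = value.find(piece, pos, end)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


def entry_matches(entry, filt, substring_attrs):
    """Evaluate an AND of simple filter items against a multi-valued entry.

    Returns True, False, or None for Undefined. Following RFC 4511 4.5.1.7,
    an equality item is TRUE when *any* value of the attribute equals the
    assertion (case-insensitive here), and a substring item on an attribute
    the simulated server has no substring rule for (not in substring_attrs)
    is Undefined, which makes the whole AND Undefined: the entry is not returned.
    """
    results = []
    for attr, assertion in _ITEM.findall(filt):
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        if "*" in assertion:
            if attr.lower() not in substring_attrs:
                results.append(None)
                continue
            parts = [unescape_filter_value(p).lower() for p in assertion.split("*")]
            results.append(any(_substring_match(v, parts) for v in values))
        else:
            want = unescape_filter_value(assertion).lower()
            results.append(any(v == want for v in values))
    if False in results:
        return False
    if None in results:
        return None
    return True


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_LDIF)
    for op in ("contains", "="):
        f = membership_filter("registeredAddress", op, "Windows Administrator")
        print(op, f, entry_matches(user, f, set()))
```

Running it with an empty `substring_attrs` set reproduces the post: the “contains” filter yields Undefined and the entry is not returned, while the “=” filter finds the user because one of the attribute’s values equals the role name. Passing `{"registeredaddress"}` simulates a server that does support substring matching on that attribute, and both filters then match.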