Attributes filtered out of IDM document.

  • 3167055
  • 11-Aug-2006
  • 26-Apr-2012

Environment

Novell Identity Manager
Novell Identity Manager Remote Loader
Novell eDirectory 8.8 for All Platforms

Situation

Encrypted attributes are in use for attributes synchronized via Identity Manager (IDM). The driver trace shows the message "Filtering out attributes that require a secure channel." The Remote Loader is being used for this particular driver. The attributes listed after the message are encrypted on the IDM server.

Resolution

In order for an "Encrypted Attribute" to be accessed or transmitted from eDirectory, the channel carrying it must be encrypted. This applies to LDAP (LDAPS), HTTP (HTTPS), and to Identity Manager when the Remote Loader is used. To prevent these attributes from being filtered out, enable SSL between the IDM engine and the Remote Loader.

This is not an issue when no Remote Loader is used, because there is then no Novell-controlled network communication that could be observed in a LAN trace.

When the eDirectory driver is used, SSL encryption between the two eDirectory drivers is also needed in this same case, even though there is no Remote Loader.

Additional Information

Support for eDir 8.8 Encrypted Attributes in Spitfire

The following enhancements were made to Spitfire in order to support eDirectory 8.8's encrypted attributes feature:

Encryption in the cache files

When the value of an attribute that appears in the server's attribute encryption policy is stored in a DirXML driver's cache, the value is encrypted using the encryption method specified by that policy.

Suppression of values in trace output

Values of attributes that appear in the server's attribute encryption policy are suppressed in DSTrace, the Java trace file, and Remote Loader trace output. Where such an attribute has a schema mapping to an application attribute name, its values are also suppressed under the application attribute name.

Filtering in Remote Loader and eDir to eDir driver when not using SSL

If the Remote Loader or the eDir to eDir driver is in use and SSL is not used for the communication, attributes that appear in the server's attribute encryption policy are stripped from XML documents before the documents are sent to the Remote Loader or to the eDir to eDir shim. The stripping occurs before the Schema Mapping Policy or Output Transformation Policy is applied, so such attribute values are not available in those policies.
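The filtering and trace suppression described in this section, modelled as an added Python example; this is not Novell's engine code, and the policy attribute names, the XDS modify event and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed: attribute names listed in the server's attribute encryption policy.
ENCRYPTION_POLICY = {"Secret Answer", "Private Key"}
TRACE_MSG = "Filtering out attributes that require a secure channel."

# Constructed XDS modify event, as the engine would hand it to a driver shim.
XDS_EVENT = """<nds dtdversion="3.5">
 <input>
  <modify class-name="User" src-dn="\\TREE\\data\\users\\jdoe" event-id="1">
   <association>abc123</association>
   <modify-attr attr-name="Surname">
    <remove-all-values/><add-value><value type="string">Doe</value></add-value>
   </modify-attr>
   <modify-attr attr-name="Secret Answer">
    <remove-all-values/><add-value><value type="string">blue</value></add-value>
   </modify-attr>
  </modify>
 </input>
</nds>"""

def filter_for_channel(xds_xml, ssl_enabled, trace):
    """Assumed model of the engine's secure-channel filter, not the real code.
    Returns (document to send to the shim, removed attribute names). Only names,
    never values, go to the trace list, as in the engine's own trace output."""
    root = ET.fromstring(xds_xml)
    removed = []
    if not ssl_enabled:
        # Runs before schema mapping, so attr-name values are eDirectory names.
        for event in list(root.iter()):
            for attr in event.findall("modify-attr") + event.findall("add-attr"):
                name = attr.get("attr-name")
                if name in ENCRYPTION_POLICY:
                    event.remove(attr)
                    removed.append(name)
        if removed:
            trace.append(TRACE_MSG)
            trace.extend("  " + name for name in removed)
    return ET.tostring(root, encoding="unicode"), removed

def attr_names(xds_xml):
    """Attribute names present in a document, i.e. what the shim would receive."""
    root = ET.fromstring(xds_xml)
    return [e.get("attr-name") for e in root.iter() if e.tag in ("modify-attr", "add-attr")]

if __name__ == "__main__":
    trace = []
    doc, _ = filter_for_channel(XDS_EVENT, ssl_enabled=False, trace=trace)
    print("\n".join(trace))
    print("sent to shim:", attr_names(doc))
```

With SSL disabled the shim receives only Surname and the trace names the stripped attribute without its value; with SSL enabled the document passes unchanged.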