In Unwired Platform, attribution is typically provided by an LDAP attribution module. The attribution provider offers maximum functionality when combined with the LDAP authentication provider; however, it can also be configured completely standalone or with alternate authentication providers.
An attribution provider provides access to standard user attributes such as username, first name, email address and telephone number, as well as any additional attributes. For LDAP, you configure attribution using the com.sybase.security.ldap.LDAPAttributer module.
The attribution provider may provide services in several ways:
- When a user is authenticated through the LDAP authentication provider, the attribution provider is used to fill out more information about the authenticated user.
- If an authenticated client requests information about a specific alternate username, the attribution provider is used to fulfill this request for information using the authenticated user's connection to the LDAP server.
- In the event that a context was not authenticated against an LDAP server, the attribution provider can provide services for client requests for attributes. This works by establishing a new LDAP connection using the configured authentication credentials (BindDN and BindPassword).
- Facilitates self registration: users can be created in the LDAP server using the updated LDAP attributer. When using the LDAP attributer to create users in Active Directory, set the configuration property SecurityProtocol to "ssl" and specify the corresponding port, because Active Directory requires an SSL connection to set the password attribute for the user.
- (LDAP only) Facilitates changing an expired password for a user who has been validated by the LDAP authentication provider. The user should have failed the authentication attempt with the failure code FAILURE_CODE_PASSWORD_EXPIRED_CAN_CHANGE, and the same context should be used for changing the expired password, as outlined in the SDK.
- Provides a means to query the capabilities supported by the LDAP attributer: self registration, password change and expired password change. Password change is supported only when the user is authenticated by the LDAP authentication provider. Similarly, expired password change is supported only when the LDAP authentication provider returns the authentication failure code FAILURE_CODE_PASSWORD_EXPIRED_CAN_CHANGE. When the attributer cannot dynamically determine whether the configured credentials have the necessary permissions to create a user or change a password, it supports those capabilities only if the configuration flag AllowSelfRegistrationAndManagement is set to true.
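The capability rules and the Active Directory SSL requirement above, turned into a checkable decision as an added Python example (not Unwired Platform's own code): the property names and the failure code come from this page, while the dict representation of the configuration, the `directory` label and the `permissions_known` / `has_permissions` inputs are assumptions made for illustration.

```python
# Added example, not Unwired Platform code: decides which LDAPAttributer
# capabilities one context gets and flags unsafe attributer settings.
# Property names (SecurityProtocol, BindDN, BindPassword,
# AllowSelfRegistrationAndManagement) and the failure code are from the docs;
# the dict representation, the `directory` argument and the
# `permissions_known` / `has_permissions` inputs are assumptions.
from dataclasses import dataclass, field

FAILURE_CODE_PASSWORD_EXPIRED_CAN_CHANGE = "FAILURE_CODE_PASSWORD_EXPIRED_CAN_CHANGE"


@dataclass
class Decision:
    capabilities: set = field(default_factory=set)
    warnings: list = field(default_factory=list)


def resolve_capabilities(config, directory, authenticated_by_ldap,
                         failure_code=None, permissions_known=True,
                         has_permissions=False):
    """Return the capabilities supported for one context plus config warnings.

    directory: "active_directory" or "other" (assumed label, not a property).
    permissions_known / has_permissions: whether the attributer could verify
    that the BindDN credentials may create users or change passwords, and
    what that check found.
    """
    d = Decision()
    opted_in = str(config.get("AllowSelfRegistrationAndManagement", "false")).lower() == "true"
    # Capabilities that rely on the bind credentials' rights are granted when
    # those rights were verified, or, if they cannot be determined, only
    # because the administrator opted in via the flag.
    management = has_permissions if permissions_known else opted_in
    if management:
        d.capabilities.add("self_registration")
        if authenticated_by_ldap:  # password change needs an LDAP-authenticated user
            d.capabilities.add("password_change")
    # Expired-password change uses the user's own failed-authentication context.
    if failure_code == FAILURE_CODE_PASSWORD_EXPIRED_CAN_CHANGE:
        d.capabilities.add("expired_password_change")
    # Standalone attribute lookups (no LDAP-authenticated context) bind with
    # BindDN/BindPassword; half a pair means that lookup cannot bind.
    if bool(config.get("BindDN")) != bool(config.get("BindPassword")):
        d.warnings.append("BindDN and BindPassword must be set together")
    # AD only accepts the password attribute over SSL, so creating users there
    # with any other SecurityProtocol fails at the password step.
    if ("self_registration" in d.capabilities and directory == "active_directory"
            and str(config.get("SecurityProtocol", "")).lower() != "ssl"):
        d.warnings.append("Active Directory user creation requires SecurityProtocol=ssl and the SSL port")
    return d
```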