I'm using OpenAM 13 to provide single-sign-on capabilities to a suite of applications. The authentication itself is provided by LDAP, as there is an existing LDAP store used by other applications outside the scope of this single-sign-on.
A custom attribute called userattrib1 has been added to each user's LDAP record. When this attribute is set to 999, the user is not allowed to log onto the single-sign-on; for all other values they are allowed to log on. I realise this is an unusual setup, however this is part of a pre-existing application.
How would I go about configuring OpenAM 13 to support this check? I'd like to avoid performing this check in the end-user applications, as there are several applications I'd have to add the check to.
If the LDAP auth module is used, you can specify a user search filter to leverage the custom attribute.
However, NOT search filters like
will typically lead to unindexed searches and cannot really be used; instead you should check how many distinct 'passing' values you have and then use that in a compound filter like
Potentially you can even 'group' the values to use a substring filter like
Depending on the filter used, you need an equality index and/or a substring index configured for the attribute userattrib1.
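The three filter shapes the answer contrasts (a NOT filter on the denied value, a compound OR over the passing values, and a grouped substring filter), built and evaluated against constructed directory entries so the difference in behaviour is visible before anything is pasted into OpenAM. This is an added example, not code from the question or the answer. The attribute name userattrib1 and the value 999 come from the question; the allowed values, the sample entries and the `openam_combined_filter` helper are assumptions (the helper encodes my understanding that the LDAP module ANDs its User Search Filter with the naming-attribute lookup; confirm against the module's debug log). The evaluator handles only the `&`, `|`, `!`, equality and initial-substring subset of RFC 4515 that these filters need. Values are escaped per RFC 4515 so that a value spliced into a filter cannot change its structure.

```python
"""Added example: build, escape and evaluate the userattrib1 gating filters.
Not part of the original question or answer; sample entries are constructed."""
from typing import Dict, List, Tuple

# RFC 4515 escaping: a value spliced into a filter must not alter its structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

ATTR = "userattrib1"   # from the question
DENIED = "999"         # from the question


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):      # \XX hex escape
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def deny_filter(attr: str = ATTR, denied: str = DENIED) -> str:
    """The negated form the answer warns against: typically unindexed, and it
    also matches entries that never had the attribute set (fails open)."""
    return f"(!({attr}={escape_filter_value(denied)}))"


def allow_list_filter(allowed: List[str], attr: str = ATTR) -> str:
    """Compound OR over every distinct passing value; served by an equality index
    and fails closed for entries without the attribute."""
    if not allowed:
        raise ValueError("allow list is empty; an empty OR would match nobody")
    items = "".join(f"({attr}={escape_filter_value(v)})" for v in allowed)
    return items if len(allowed) == 1 else f"(|{items})"


def substring_filter(prefixes: List[str], attr: str = ATTR) -> str:
    """Passing values grouped as initial-substring assertions; needs a substring
    index. Only safe when no denied value shares a prefix with an allowed group."""
    if not prefixes:
        raise ValueError("prefix list is empty")
    items = "".join(f"({attr}={escape_filter_value(p)}*)" for p in prefixes)
    return items if len(prefixes) == 1 else f"(|{items})"


def openam_combined_filter(naming_attr: str, username: str, search_filter: str) -> str:
    """ASSUMPTION (hypothetical helper): OpenAM ANDs the User Search Filter with
    the naming-attribute lookup, i.e. (&(uid=alice)<search filter>)."""
    return f"(&({naming_attr}={escape_filter_value(username)}){search_filter})"


def evaluate(filter_str: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate the &, |, !, equality and initial-substring subset of RFC 4515
    against an entry given as {attribute_lowercase: [values]}."""
    result, pos = _eval(filter_str, 0, entry)
    if pos != len(filter_str):
        raise ValueError(f"unparsed trailing text at offset {pos}")
    return result


def _eval(s: str, i: int, entry: Dict[str, List[str]]) -> Tuple[bool, int]:
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, results = s[i], i + 1, []
        while s[i] == "(":
            r, i = _eval(s, i, entry)
            results.append(r)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "&":
            return all(results), i + 1
        if op == "|":
            return any(results), i + 1
        if len(results) != 1:
            raise ValueError("NOT takes exactly one operand")
        return (not results[0]), i + 1
    end = s.index(")", i)            # safe: ')' inside values is escaped as \29
    attr, _, assertion = s[i:end].partition("=")
    values = entry.get(attr.lower(), [])
    if assertion.endswith("*"):      # an unescaped '*' is the substring wildcard
        prefix = unescape_filter_value(assertion[:-1])
        return any(v.startswith(prefix) for v in values), end + 1
    return any(v == unescape_filter_value(assertion) for v in values), end + 1


# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = {
    "alice": {"uid": ["alice"], ATTR: ["100"]},
    "bob":   {"uid": ["bob"],   ATTR: [DENIED]},   # must be denied
    "carol": {"uid": ["carol"]},                    # attribute never set
}


def who_passes(search_filter: str) -> List[str]:
    return sorted(u for u, e in SAMPLE_ENTRIES.items() if evaluate(search_filter, e))


if __name__ == "__main__":
    allowed = ["100", "200", "300"]    # assumed set of passing values
    for name, flt in [("deny", deny_filter()),
                      ("allow-list", allow_list_filter(allowed)),
                      ("substring", substring_filter(["1", "2", "3"]))]:
        print(f"{name:10} {flt:50} passes={who_passes(flt)}")
```

Running it shows the point worth checking before going live: carol, whose record has no userattrib1 at all, passes the NOT filter but is rejected by the allow-list and substring forms, so those two fail closed. Whichever form you adopt, paste only the gate part into the module's search filter field and confirm with your directory's own tooling that the search it produces is indexed.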