Objects and Attributes in Active Directory

With this configuration, ES will use a combination of Microsoft and Micro Focus object classes in Active Directory.

The Windows APIs invoked by OS ESM during Verify requests operate (indirectly) on the Windows security principals defined in AD. (More information on Windows security principals is available from the Microsoft Developer Network and similar resources.) These principals typically use LDAP object classes defined by Microsoft, such as user. Those classes have attributes such as cn (common name), which is the (base) username, and password, which contains the Microsoft hashed password.

In this configuration, the object class used for users will be extended to include attributes defined by Micro Focus. These attributes (which begin with "microfocus-MFDS-") are ignored by Windows, but ES will use them to set session characteristics when a user logs in, such as timeout and operator class. When a user signs on to MSS or MFDS, the MLDAP ESM will retrieve the values of those attributes from the user object.

Also during signon, the MLDAP ESM module will consult the ES user group lists. These are specified with microfocus-MFDS-User-Group objects, and they allow a user to belong to multiple MSS groups. Note that at this time ES does not use Windows user groups to control access to MFDS and MSS resources, even with this configuration.

Since OS ESM is handling the actual user credential verification, some of the attributes that Micro Focus defines for ES users are not used:

Unused Micro Focus User Attributes

Attribute Name                            Description
microfocus-MFDS-User-Pwd                  Micro Focus user password hash
microfocus-MFDS-User-Pwd-ExpirationDate   password expiration
microfocus-MFDS-User-Pwd-MustChange       password must-change flag
microfocus-MFDS-User-AllowLogon           allow-logon flag
microfocus-MFDS-User-ExpirationDate       user expiration
microfocus-MFDS-User-CreateToken          passtoken creation authority (if tokens are enabled in OS ESM)
microfocus-MFDS-User-UseToken             passtoken signon authority (if tokens are enabled in OS ESM)

Instead, the Windows password, expiration date, etc. will be used. Note that the two passtoken attributes are used unless passtoken support is explicitly configured in OS ESM.
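The split described above (Windows verifies the credential, the MLDAP ESM applies the remaining microfocus-MFDS-* attributes at signon) can be checked against an LDIF export of the user entries. The script below is an added example, not Micro Focus code: it parses a constructed LDIF sample, classifies each user's Micro Focus attributes into those ES will apply and those it ignores under OS ESM, and flags entries that still carry a microfocus-MFDS-User-Pwd hash (a stale secret worth clearing once OS ESM owns verification). The object class and the unused attribute names are the ones listed on this page; the session attribute names (microfocus-MFDS-User-Session-Timeout, microfocus-MFDS-User-OperatorClass) and the os_esm_handles_tokens switch are hypothetical placeholders.

```python
"""Audit an LDIF export of AD user entries for Micro Focus ES attributes.

Added example, not Micro Focus code. Assumes an LDIF export of the kind
produced by ldifde or ldapsearch. The sample entries are constructed; the
session attribute names are hypothetical placeholders.
"""
from collections import defaultdict

MF_PREFIX = "microfocus-MFDS-"

# Attributes ES does not use when OS ESM performs credential verification
# (names taken from the "Unused Micro Focus User Attributes" table).
UNUSED_WITH_OS_ESM = {
    "microfocus-MFDS-User-Pwd",
    "microfocus-MFDS-User-Pwd-ExpirationDate",
    "microfocus-MFDS-User-Pwd-MustChange",
    "microfocus-MFDS-User-AllowLogon",
    "microfocus-MFDS-User-ExpirationDate",
}
# Used by the MLDAP ESM only while OS ESM is not configured for passtokens.
PASSTOKEN_ATTRS = {"microfocus-MFDS-User-CreateToken", "microfocus-MFDS-User-UseToken"}

# Constructed sample export (hypothetical DNs and session attribute names).
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=test
objectClass: user
cn: alice
microfocus-MFDS-User-Pwd: {SHA}stalehashvalue=
microfocus-MFDS-User-Session-Timeout: 900
microfocus-MFDS-User-OperatorClass: 3

dn: CN=bob,OU=Users,DC=example,DC=test
objectClass: user
cn: bob
microfocus-MFDS-User-CreateToken: TRUE
microfocus-MFDS-User-Session-Timeout: 1800
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of dicts mapping attribute -> [values].

    Handles blank-line entry separators, '#' comments and folded continuation
    lines; base64 ('::') values are kept as their raw encoded text.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]  # folded line continues previous value
            continue
        attr, _, value = raw.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr].append(value.strip())
        last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def audit_user(entry, os_esm_handles_tokens=False):
    """Split one user's Micro Focus attributes into applied vs ignored sets."""
    mf_attrs = {a for a in entry if a.startswith(MF_PREFIX)}
    ignored = mf_attrs & UNUSED_WITH_OS_ESM
    if os_esm_handles_tokens:  # OS ESM owns passtokens, so MF token attrs are unused too
        ignored |= mf_attrs & PASSTOKEN_ATTRS
    return {
        "dn": entry["dn"][0],
        "applied": sorted(mf_attrs - ignored),
        "ignored": sorted(ignored),
    }


def audit(text, os_esm_handles_tokens=False):
    """Audit every entry of object class 'user' in an LDIF export."""
    return [
        audit_user(e, os_esm_handles_tokens)
        for e in parse_ldif(text)
        if "user" in (v.lower() for v in e.get("objectClass", []))
    ]


def stale_password_hashes(text):
    """DNs of user entries still carrying a Micro Focus password hash."""
    return [r["dn"] for r in audit(text) if "microfocus-MFDS-User-Pwd" in r["ignored"]]


if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        print(row["dn"], "applied:", row["applied"], "ignored:", row["ignored"])
    print("stale MF password hashes:", stale_password_hashes(SAMPLE_LDIF))
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; entries listed under stale MF password hashes are candidates for clearing, since the hash is never consulted while OS ESM performs verification but remains readable to anyone with read access to the attribute.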

For resource access (Auth) requests, the MLDAP ESM will retrieve MF resource object access control data from microfocus-MFDS-Resource objects in AD.