OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

Richer APIs for user and group information #24949

Open rlint opened 1 year ago

rlint commented 1 year ago

Describe the use case that you want to enable: The documented UserRegistry API does not provide enough information about users, and is lacking in its ability for flexible user searches. In particular we have an immediate need for:

  1. the ability to get an email address of any user
  2. the ability to search for users based on multiple different attributes

Describe why this is important to you: There are various functions in our software where we need to be able to determine a user's email address, for example for notifications and email links in our UIs. We also have several functions in our software where the user needs to search and pick a person from the directory. As a human, that user would probably be searching by "display name".

Additional context: We are transitioning from full IBM WebSphere Application Server and have been using VMM APIs, which are not surfaced in Liberty. Ideally we would have access to those same APIs in Liberty to minimize change to our code; however, we could make do with something equivalent. In our case, we only need the ability to read more information about users and groups, not write. Federation of directories through a single API is also highly desirable. Our software is typically installed for usage within a single company; however, we have seen instances of customers linking to more than one LDAP directory.

jvanhill commented 1 year ago

Can you use the SCIM API? It works with federation of any number of registries. It supports read / write operations to LDAP.

https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-configuring-scim-user-group-member-management

rlint commented 1 year ago

> Can you use the SCIM API? It works with federation of any number of registries. It supports read / write operations.
>
> https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-configuring-scim-user-group-member-management

Interesting. At first glance, this wouldn't be easy, because this is a REST/JSON client-side API vs a Java server-side API. But this might be an option to consider for the future, or in a pinch, make an HTTP request back to ourselves (yuck) as a stop-gap measure.

jlpatrick commented 6 months ago

We have pretty much the same scenario as described by @rlint above and need Java server-side APIs to read and search LDAP attributes. The Open Liberty LdapAdapter class is perfectly capable of fetching the attributes but there is no API provided to use it.