--- title: Custom attributes description: These sample deployments demonstrate using PingDS as a shared identity store for PingAM and PingIDM. The PingDS setup profile that configures PingDS as a shared identity store defines all the Advanced Identity Software attributes required by PingAM and PingIDM. component: platform version: 8 page_id: platform:sample-setup:custom-attributes canonical_url: https://docs.pingidentity.com/platform/8/sample-setup/custom-attributes.html page_aliases: ["platform-setup-guide:custom-attributes.adoc"] section_ids: custom-attribute-ds: Define the attribute in PingDS custom-attribute-am: Update PingAM to use the attribute custom-attribute-idm: Update PingIDM to use the attribute custom-attribute-ui: View the results --- # Custom attributes These sample deployments demonstrate using PingDS as a shared identity store for PingAM and PingIDM. The PingDS setup profile that configures PingDS as a shared identity store defines all the Advanced Identity Software attributes required by PingAM and PingIDM. Many deployments use additional custom attributes in identity profiles. The following examples show how to add a custom attribute, and how to configure PingAM and PingIDM to use it. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | This example adds a custom attribute that Advanced Identity Software can retrieve with a user profile. This custom attribute is not searchable, and therefore not indexed. | Before you start, create a `demo` account for test purposes in your sample deployment: 1. Browse to the Advanced Identity Software End User UI page of the sample deployment, and click Create an account. 2. Create a user with user identifier `demo`, and whatever other attributes you like. 3. Find this user's entry in the PingDS shared identity repository: ```bash /path/to/opendj/bin/ldapsearch \ --hostname directory.example.com \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDn uid=admin \ --bindPassword str0ngAdm1nPa55word \ --baseDn ou=identities \ "(uid=demo)" ``` Notice that the user's entry is named for its `fr-idm-uuid` attribute. ## Define the attribute in PingDS You define the attribute in PingDS as an attribute type in the LDAP schema. In LDAP, an entry's object classes define which attributes it can have. You therefore also define an object class that lets the entry have the custom attribute. The example custom attribute is a multi-valued directory string attribute named `customAttribute`. The auxiliary object class that lets the entry have the attribute is named `customAttributeOC`: 1. In PingDS, add LDAP schema for the new attribute and object class alongside other LDAP schema definitions: ```bash /path/to/opendj/bin/ldapmodify \ --hostname directory.example.com \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDn uid=admin \ --bindPassword str0ngAdm1nPa55word << EOF dn: cn=schema changetype: modify add: attributeTypes attributeTypes: ( customAttribute-oid NAME 'customAttribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications ) - add: objectClasses objectClasses: ( customAttributeOC-oid NAME 'customAttributeOC' SUP top AUXILIARY MAY customAttribute ) EOF ``` By default, PingDS writes these definitions to the file `/path/to/opendj/db/schema/99-user.ldif`. 2. Test that you can add a custom attribute to the `demo` user entry. Use the `fr-idm-uuid` that you got when searching for `uid=demo` in `ou=identities`: ```bash /path/to/opendj/bin/ldapmodify \ --hostname directory.example.com \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDn uid=admin \ --bindPassword str0ngAdm1nPa55word << EOF dn: fr-idm-uuid=,ou=people,ou=identities changetype: modify add: objectClass objectClass: customAttributeOC - add: customAttribute customAttribute: Testing 1, 2... EOF ``` 3. Read the `demo` user entry to check your work: ```bash /path/to/opendj/bin/ldapsearch \ --hostname directory.example.com \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDn uid=admin \ --bindPassword str0ngAdm1nPa55word \ --baseDn ou=identities \ "(uid=demo)" \ customAttribute dn: fr-idm-uuid=,ou=people,ou=identities customAttribute: Testing 1, 2... ``` Notice that the value of `customAttribute` is set to `Testing 1, 2...`. LDAP schema features are much richer than this simple example can demonstrate. For details about LDAP schema in PingDS, see [LDAP schema](https://docs.pingidentity.com/pingds/8/config-guide/schema.html). ## Update PingAM to use the attribute Update the PingAM configuration to make PingAM aware of the new object class and attribute: 1. Sign in to the Platform admin UI as `amAdmin`. The password used in the documentation to set up the platform is `Passw0rd`. 2. Under Native Consoles, select Access Management to open the PingAM admin console. 3. In the `alpha` realm, under Identity Stores > OpenDJ > User Configuration, update these settings: * LDAP User Object Class Add `customAttributeOC`. * LDAP User Attributes Add `customAttribute`. 4. Save your work. For additional details, see [Adding user profile attributes](https://docs.pingidentity.com/pingam/8/setup-guide/customizing-data-stores.html#sec-maint-datastore-customattr). ## Update PingIDM to use the attribute Update the PingIDM configuration to make PingIDM aware of the attribute: 1. In the `conf/managed.json` file, under `user` > `schema` > `order`, add the custom attribute to the list: ```json "customAttribute", ``` 2. In the `conf/managed.json` file, under `user` > `schema` > `properties`, define a property corresponding to the custom attribute: ```json "customAttribute" : { "title" : "Custom Attribute", "type" : "string", "viewable" : true, "searchable" : false, "userEditable" : true }, ``` Notice that this property is not searchable; meaning, it does not need to be indexed. 3. In the `conf/repo.ds.json` file, under `resourceMapping` > `explicitMapping` > `managed/user` > `objectClasses`, add the object class: ```json "customAttributeOC", ``` 4. In the `conf/repo.ds.json` file, under `resourceMapping` > `explicitMapping` > `managed/user` > `properties`, add a mapping for the attribute: ```json "customAttribute" : { "type" : "simple", "ldapAttribute" : "customAttribute" }, ``` 5. Restart PingIDM to take the changes to the `conf/repo.ds.json` file into account. For additional details, see [Create and modify object types](https://docs.pingidentity.com/pingidm/8/objects-guide/creating-modifying-managed-objects.html), and [Explicit mappings (PingDS)](https://docs.pingidentity.com/pingidm/8/objects-guide/explicit-generic-mapping-ds.html#explicit-mappings-ds). ## View the results After configuring PingDS, PingAM, and PingIDM to use the custom attribute: 1. Browse to the Advanced Identity Software End User UI, and sign in as the `demo` user. 2. Click Edit Your Profile, and then click Edit Personal Info. Notice that your custom attribute is visible with the value you set: ![demo with custom attribute](_images/demo-with-custom-attribute.png)