Active Directory Attributes


hopefully someone can help me. I have some Questions, all related to AD attributes and their appearence.

I managed to add some AD Attributes via the pnServer.Config.xml file:

      <PropertiesToLoad type="System.String">udgender;udCostCenter</PropertiesToLoad>
            <AliasDisplayName type="System.String">Geschlecht</AliasDisplayName>
            <AliasDisplayName type="System.String">Kostenstelle</AliasDisplayName>

In the configuration Window it shows me this:

How is it possible to change the Attributes name to from "udcostcenter (udcostcenter)" to "Kostenstelle (udcostcenter)"? 

Do i get any problems, because the Attribute udCostCenter is a multivalue field and i load it with "PropertiesToLoad type="System.String"". Do i have to use another type (and which)?

My ultimate goal behind this is to configure the webclient self service seeable attributes.

Because of this i tried to add the "<WebClient.Cockpit.ChangeAttributes.SelfService>exampleAttributes<\WebClient.Cockpit.ChangeAttributes.SelfService>" to the same file, but when i do this the config cant be loaded anymore.

I dont know where to put this line. Is this the right spot:

      <defaultDomain type="System.String">company</defaultDomain>
      <!-- use this entry to define your default domain (netbios) -->
         <showFeedbackButton type="System.Boolean">true</showFeedbackButton>
         <allowTypeIdGrouping type="System.Boolean">false</allowTypeIdGrouping>
         <useAppInsights type="System.Boolean">false</useAppInsights>
         <requestAdminScenario type="System.String">f85224c0-4c81-4f4a-b868-821e1601428c</requestAdminScenario>
         <allowSSO type="System.Boolean">true</allowSSO>
         <!-- use the following to redirect to a different url -->
         <redirectSSO type="System.String">
            <!-- use the following entry for path definition of the custom logo file e.g. ../assets/images/company name/ -->
            <logoSource type="System.String">../assets/images/hypoport/</logoSource>
            <!-- use this entry to define the custom company name e.g. Company name -->
            <logoTitle type="System.String">Company</logoTitle>
            <!-- use this entry to define the custom logo file e.g. logo.png -->
            <navLogo type="System.String">logo.png</navLogo>

Are these Values: SelfService, Manager and DataOwner4 hardcoded or do i have to use the names to which we changed them...?

Is it possible to show attributes in the SelfService via the webclient and make them (only via the SelfService) unchangeable?

I think this are enough question for now. I would be very happy if anybody could give me the right hints for this




  • Hi HPSAdmin,

    for multivalue attributes you need to use a different TypeInfo. Here is an example:

    <AliasDisplayName type="System.String">proxyAddressesMV</AliasDisplayName>
    <TypeInfo type="System.String">System.String[]</TypeInfo>
    <AttributeEditType type="System.String">StringMultiValue</AttributeEditType>
    <IsChangeable type="System.String">true</IsChangeable>

    Unfortunately there is no other field for defining a name other than AliasDisplayName. It seems that is not used on the selfservice, which i would say is a bug.

    The switch for the available attributes needs to be placed inside of the <config> tag of the pnserver.config.xml, example:

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>



    The values for the roles should be hardcoded.

    As far as i know it is not possible at the moment to show values in the self service but make them not changeable.

  • Hi, 

    what would the configuration for the AD attribute "memberof" look like in the pnserver.config.xml?

    This is also a multi-value attribute.

    if it is configured in the XML file as follows, it will not be loaded into the ARM:

    <AliasDisplayName type="System.String">memberOf</AliasDisplayName>
    <PropertiesDetails.ServicePrincipalName.ApplicableObjectClasses type="System.String">computer, group, user</PropertiesDetails.ServicePrincipalName.ApplicableObjectClasses>
    <PropertiesDetails.servicePrincipalName.IsHidden type="System.String">false</PropertiesDetails.servicePrincipalName.IsHidden>
    <PropertiesDetails.serviceprincipalname.TypeInfo type="System.String">System.String[]</PropertiesDetails.serviceprincipalname.TypeInfo>
    <PropertiesDetails.serviceprincipalname.AttributeEditType type="System.String">StringMultiValue</PropertiesDetails.serviceprincipalname.AttributeEditType>

    Does anyone here have an idea about this problem?

  • Hi Marc,

    what is the point of making this editable as attribute? Will your users write correct distinguished names into the textfield? Slight smile I´m pretty sure memberOf is a special case that is handled differently in the tool than normal attributes.

    What is it you want to achieve? You can just allow users to change group memberships through the web interface functions in the cockpit if that is what you are after.

  • Hi Paul, 

    We want to display the content of the AD attribute "memberOf" in an OpenTemplate using the "AccountSearchTextField" and "lookup".

    After a user has been selected in the OpenTemplate, its AD groups should be displayed in the template.

    Therefore, this attribute would have to be included in the ARM scan in order for it to be displayed in the Template.

    If there is another way to do this, let me know ;-)

  • Hi Marc,

    i dont think that is currently possible, maybe it could be an alternative to have the opentemplate run a script which plots out the memberships and sends them to the requester via email?

  • Hi

    your way away could be a possible solution.

    but how do you get the requester (samaccountname or similar) of an OpenTemplate by parameter in the PS script?

    we didn't find anything for this case in the ARM documentation 

  • I thought the guys added a parameter for that, do you not see something like username or something like that in the parameter selection for the template? 

    If not what you can do is pass the UserAuthZToken, authenticate against the API and then fetch the user from the info provided in the API token. At the time i last did this it looked something like this:

    $baseUrl = "">">https://localhost"
    $loginUrl = $baseUrl + "/Session/loginWithToken?token=$authZToken"
    $request = Invoke-RestMethod -uri $loginUrl -Method Get -SessionVariable websession

    if($request.Success -eq $true){

    #get requester
    try {
    $user = Get-ADuser -Filter "DisplayName -eq '$($request.DisplayName)'"
    } catch {
    "Failed to resolve requester, aborting execution $($request.DisplayName)" | log $errorLog
    $request | log $errorLog
    #exit -1


    Not sure if that still works as is, i would also check the token maybe it has a samaccountname property now so you maybe dont have to use the displayname.

  • Hi Paul,

    this way is working. If you use the UserAuthZToken, you get back the samaccountname from the provided info in the API token.

    Thanks for this solution! 

  • Thx 4 ur answer, this helped.

    4 the not changeable problem, then i have to hide them.

    BUT  even that the udcostcenter (multivalue) field is now loaded in ARM it isnt shown in the web to edit it there. (I have set this field via webclient.cockpit)


  • Now i have a RegEx Filter which i want to include in the telephonenumber attribute in ARM. But the telephonenumber line isnt changeable. Do i have to insert the telephonenumber to the pnserver.config.xml to set the regex? (even if it already exists in arm?)