2014-03-24 6:24 GMT+01:00 John Kristensen <[email protected]>:

> Hello,
>
> I have the following javascript to translate AD groups into OpenLDAP
> groups:
>
>
> <dataset>
>   <name>member</name>
>   <policy>FORCE</policy>
>   <forceValues>
>     <string>
>       <![CDATA[
>         var members = new Array();
>         var query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:=' + srcBean.getDN() + '))';
>         var member_list = srcLdap.search('', query).toArray();
>
>         for ( var i = 0; i < member_list.length; i++ ) {
>             var uid = srcLdap.attribute(member_list[i], 'sAMAccountName').get(0);
>
>             try {
>                 var user = ldap.list('ou=people', '(uid=' + uid + ')').get(0);
>                 members.push(user + ',' + ldap.getContextDn());
>             } catch(e) {
>                 continue;
>             }
>         }
>
>         // Need to convert to a java array if using OpenJDK
>         membersJava = java.lang.reflect.Array.newInstance(java.lang.String, members.length);
>         for ( var i = 0; i < members.length; i++ ) {
>             membersJava[i] = members[i];
>         }
>         membersJava
>       ]]>
>     </string>
>   </forceValues>
> </dataset>
>
>
> But because I am only syncing a selection of users, some of these
> groups may not contain members after the javascript manipulation has been
> performed, which results in errors like:
>
>
>   ERROR - Error while adding entry cn=Example Users,ou=groups,dc=example,dc=com in directory :javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'groupOfNames' requires attribute 'member']; remaining name 'cn=Distributed COM Users,ou=groups'
>
>
> Is there any way to skip a group if it would contain no members instead of
> generating these errors? There will be potentially lots of them and there
> is a high likelihood that "real" errors will be lost in the noise of these
> "false" errors.
>
>

Hi,

I think the best way is to change the LDAP filter used to get all groups.
Just add in the filter a condition like (!(member=*)), which will ignore
all entries that did not have any member values.


Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
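
The script quoted above concatenates each `sAMAccountName` straight into the `(uid=...)` lookup filter. The following is an added example, not code from the thread or from the LSC project: it escapes the value per RFC 4515 before building the filter and shows how a group ends up with an empty member list, the case behind error code 65. `escapeFilterValue`, `uidFilter`, `lookup` and `resolveMembers` are hypothetical names, and `constructedPeople` is constructed sample data standing in for `ldap.list('ou=people', filter)`; it runs under Node.js.

```javascript
// RFC 4515: the characters \ * ( ) and NUL must be written as \XX (two hex
// digits) when they appear inside a filter assertion value.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, function (ch) {
    return '\\' + ('0' + ch.charCodeAt(0).toString(16)).slice(-2);
  });
}

// Build the destination lookup filter for one source account name.
function uidFilter(uid) {
  return '(uid=' + escapeFilterValue(uid) + ')';
}

// Constructed sample data: filter string -> DN relative to the context DN.
// Hypothetical stand-in for ldap.list('ou=people', filter) in the LSC script.
var constructedPeople = {
  '(uid=alice)': 'uid=alice,ou=people',
  '(uid=bob)': 'uid=bob,ou=people'
};

function lookup(filter) {
  var found = Object.prototype.hasOwnProperty.call(constructedPeople, filter);
  return found ? constructedPeople[filter] : null;
}

// Resolve source account names to destination member DNs, dropping users
// that were not synced. An empty result is the groupOfNames violation case.
function resolveMembers(accountNames, contextDn) {
  var members = [];
  accountNames.forEach(function (name) {
    var rdn = lookup(uidFilter(name));
    if (rdn !== null) {
      members.push(rdn + ',' + contextDn);
    }
  });
  return members;
}
```

Because the escaped filter matches only the literal account name, a value containing `*` or parentheses resolves to no entry instead of to whichever entry the server returns first.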
