On 24/03/14 19:02, Clément OUDOT wrote:

2014-03-24 6:24 GMT+01:00 John Kristensen <[email protected]>:

    Hello,

    I have the following JavaScript to translate AD groups into OpenLDAP
    groups:


    <dataset>
      <name>member</name>
      <policy>FORCE</policy>
      <forceValues>
        <string>
          <![CDATA[
            var members = new Array();
            // 1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN, so the
            // search returns the nested (transitive) members of this group, excluding
            // entries that are themselves groups
            var query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:=' +
                srcBean.getDN() + '))';
            var member_list = srcLdap.search('', query).toArray();

            for ( var i = 0; i < member_list.length; i++ ) {
                var uid = srcLdap.attribute(member_list[i], 'sAMAccountName').get(0);

                // Keep only members that already exist under ou=people in the
                // destination directory; anyone not synced is silently dropped
                try {
                    var user = ldap.list('ou=people', '(uid=' + uid + ')').get(0);
                    members.push(user + ',' + ldap.getContextDn());
                } catch(e) {
                    continue;
                }
            }

            // Need to convert to a java array if using OpenJDK
            membersJava = java.lang.reflect.Array.newInstance(java.lang.String, members.length);
            for ( var i = 0; i < members.length; i++ ) {
                membersJava[i] = members[i];
            }
            membersJava
          ]]>
        </string>
      </forceValues>
    </dataset>


    But because I am only syncing a selection of users, some of
    these groups may not contain members after the JavaScript
    manipulation has been performed, which results in errors like:


       ERROR - Error while adding entry cn=Example
    Users,ou=groups,dc=example,dc=com in directory
    :javax.naming.directory.SchemaViolationException: [LDAP: error
    code 65 - object class 'groupOfNames' requires attribute 'member'];
    remaining name 'cn=Distributed COM Users,ou=groups'


    Is there any way to skip a group if it would contain no members
    instead of generating these errors? There will potentially be lots
    of them, and there is a high likelihood that "real" errors will be
    lost in the noise of these "false" errors.



Hi,

I think the best way is to change the LDAP filter used to get all
groups. Just add in the filter a condition like (!(member=*)), which
will ignore all entries that do not have any member values.


Clément.

------------------------------------------------------------------------

Hello Clément,

I am already using a condition that contains (member=*), but the problem is that the AD groups are not empty - the AD groups may contain only service accounts - but the 'membersJava' array that is generated will be empty - because we are not syncing the AD service accounts, which is essentially filtering the AD service accounts out of the groups.

If the 'membersJava' array does happen to be empty then the error is generated. It would be good if we could "return" something from the JavaScript to indicate the entry should be skipped, or have an option that an entry should be skipped if an attribute (i.e. members) is empty.

Cheers,
John.
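The following is an added example (not LSC's code or the dataset script from the thread): it mirrors the member-resolution logic against a constructed AD/OpenLDAP snapshot so that a group whose resolved member list is empty can be detected before LSC attempts the add, and it escapes the values that the original script concatenates into LDAP filters unescaped (RFC 4515), since a DN or sAMAccountName containing '(', ')', '*' or '\' would otherwise change the meaning of the filter. AD_GROUP_MEMBERS, OPENLDAP_UIDS, CONTEXT_DN and the function names are assumptions made for the example.

```javascript
'use strict';

// RFC 4515 escaping for a value placed inside a search filter. The thread's
// script inserts srcBean.getDN() and sAMAccountName into filters verbatim;
// these characters are the ones that would otherwise alter the filter.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Same nested-membership query as the dataset script (1.2.840.113556.1.4.1941
// is AD's LDAP_MATCHING_RULE_IN_CHAIN), with the group DN escaped.
function buildMemberOfFilter(groupDn) {
  return '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:=' +
    escapeFilterValue(groupDn) + '))';
}

// Constructed snapshot (assumption): sAMAccountNames AD reports as transitive
// members of each group, and the uids that actually exist under ou=people in
// the destination. Service accounts such as svc_backup are deliberately unsynced.
const AD_GROUP_MEMBERS = {
  'cn=Example Users,ou=groups,dc=example,dc=com': ['alice', 'bob', 'svc_backup'],
  'cn=Distributed COM Users,ou=groups,dc=example,dc=com': ['svc_dcom'],
};
const OPENLDAP_UIDS = new Set(['alice', 'bob', 'carol']);
const CONTEXT_DN = 'dc=example,dc=com';

// Mirrors the membersJava loop: keep only members that resolve in ou=people
// and build their destination DNs.
function resolveMembers(groupDn, adMembers = AD_GROUP_MEMBERS, uids = OPENLDAP_UIDS) {
  return (adMembers[groupDn] || [])
    .filter((uid) => uids.has(uid))
    .map((uid) => 'uid=' + escapeFilterValue(uid) + ',ou=people,' + CONTEXT_DN);
}

// groupOfNames requires at least one member value, so a group whose resolved
// list is empty would fail with LDAP error 65; report it as one to skip.
function shouldSkipGroup(groupDn) {
  return resolveMembers(groupDn).length === 0;
}
```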
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
