2014-03-25 1:30 GMT+01:00 John Kristensen <[email protected]>:
> On 24/03/14 19:02, Clément OUDOT wrote:
>> 2014-03-24 6:24 GMT+01:00 John Kristensen <[email protected]>:
>>> Hello,
>>>
>>> I have the following javascript to translate AD groups into OpenLDAP
>>> groups:
>>>
>>> <dataset>
>>>   <name>member</name>
>>>   <policy>FORCE</policy>
>>>   <forceValues>
>>>     <string>
>>>       <![CDATA[
>>>       var members = new Array();
>>>       // Transitive (nested) membership of this AD group, group objects excluded
>>>       var query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:=' +
>>>                   srcBean.getDN() + '))';
>>>       var member_list = srcLdap.search('', query).toArray();
>>>
>>>       for ( var i = 0; i < member_list.length; i++ ) {
>>>           var uid = srcLdap.attribute(member_list[i], 'sAMAccountName').get(0);
>>>
>>>           try {
>>>               var user = ldap.list('ou=people', '(uid=' + uid + ')').get(0);
>>>               members.push(user + ',' + ldap.getContextDn());
>>>           } catch(e) {
>>>               // uid not present in OpenLDAP (not synced): leave it out
>>>               continue;
>>>           }
>>>       }
>>>
>>>       // Need to convert to a java array if using OpenJDK
>>>       var membersJava = java.lang.reflect.Array.newInstance(java.lang.String,
>>>                                                              members.length);
>>>
>>>       for ( var i = 0; i < members.length; i++ ) {
>>>           membersJava[i] = members[i];
>>>       }
>>>       membersJava
>>>       ]]>
>>>     </string>
>>>   </forceValues>
>>> </dataset>
>>>
>>> But because I am syncing only a selection of users some of
>>> these groups may not contain members after the javascript
>>> manipulation has been performed, which results in errors like:
>>>
>>> ERROR - Error while adding entry cn=Example Users,ou=groups,dc=example,dc=com in directory
>>> :javax.naming.directory.SchemaViolationException: [LDAP: error
>>> code 65 - object class 'groupOfNames' requires attribute 'member'];
>>> remaining name 'cn=Distributed COM Users,ou=groups'
>>>
>>> Is there any way to skip a group if it would contain no members
>>> instead of generating these errors? There will be potentially lots
>>> of them and there is a high likelihood that "real" errors will be
>>> lost in the noise of these "false" errors.
>>
>> Hi,
>>
>> I think the best way is to change the LDAP filter used to get all
>> groups. Just add in the filter a condition like (!(member=*)), which
>> will ignore all entries that do not have any member values.
>>
>> Clément.
>
> Hello Clément,
>
> I am already using a condition that contains (member=*), but the problem
> is that the AD groups are not empty - the AD groups may contain only
> service accounts - but the 'membersJava' array that is generated will be
> empty - because we are not syncing the AD service accounts, which is
> essentially filtering the AD service accounts out of the groups.
>
> If the 'membersJava' array does happen to be empty then the error is
> generated. It would be good if we could "return" something from the
> javascript to indicate the entry should be skipped, or have an option that
> an entry should be skipped if an attribute (ie. members) is empty.

You can use JavaScript code inside the <condition> markup, for example in the <update> condition. Return false in this code to tell LSC to skip the modification of the entry.

Clément.
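As an added example (not from this thread and not code shipped by the LSC project), this is how the skip Clément describes can be written in the task's <conditions> block of lsc.xml. It assumes that a condition string is evaluated as JavaScript the same way the forceValues block above is, that the srcBean, srcLdap and ldap objects used in John's dataset script are also in scope inside a condition, and that the base 'ou=people' and the search parameters are the ones from the thread. Because LSC decides whether to create or update an entry before it computes the attribute values, the condition cannot read membersJava; it repeats the membership lookup, but stops at the first AD member that also exists in OpenLDAP. It also escapes the DN and the sAMAccountName before they are placed in a filter, which John's script does not do.

```xml
<conditions>
  <!-- Added example, not from the original thread: run the same membership
       test before LSC creates or updates a group, and skip groups whose
       'member' attribute would end up empty. -->
  <create>
    <![CDATA[
    // Escape RFC 4515 filter metacharacters so a value read from the
    // directory cannot change the structure of the filter built below.
    function escapeFilter(value) {
      return String(value)
        .replace(/\\/g, '\\5c')
        .replace(/\*/g, '\\2a')
        .replace(/\(/g, '\\28')
        .replace(/\)/g, '\\29')
        .replace(/\u0000/g, '\\00');
    }

    // Transitive members of this AD group, same query as the 'member' dataset.
    var query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:='
              + escapeFilter(srcBean.getDN()) + '))';
    var adMembers = srcLdap.search('', query).toArray();

    // Look for one AD member that has been synced to OpenLDAP; one is enough.
    var hasSyncedMember = false;
    for (var i = 0; i < adMembers.length && !hasSyncedMember; i++) {
      var uid = srcLdap.attribute(adMembers[i], 'sAMAccountName').get(0);
      try {
        ldap.list('ou=people', '(uid=' + escapeFilter(uid) + ')').get(0);
        hasSyncedMember = true;
      } catch (e) {
        // uid not in OpenLDAP (for example a service account): keep looking
      }
    }

    // false makes LSC skip the group instead of failing on a missing 'member'.
    hasSyncedMember
    ]]>
  </create>
  <update>
    <![CDATA[
    // Same test as in <create>, so a group whose last synced member
    // disappears is not rewritten with an empty 'member' attribute.
    function escapeFilter(value) {
      return String(value)
        .replace(/\\/g, '\\5c')
        .replace(/\*/g, '\\2a')
        .replace(/\(/g, '\\28')
        .replace(/\)/g, '\\29')
        .replace(/\u0000/g, '\\00');
    }
    var query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:='
              + escapeFilter(srcBean.getDN()) + '))';
    var adMembers = srcLdap.search('', query).toArray();
    var hasSyncedMember = false;
    for (var i = 0; i < adMembers.length && !hasSyncedMember; i++) {
      var uid = srcLdap.attribute(adMembers[i], 'sAMAccountName').get(0);
      try {
        ldap.list('ou=people', '(uid=' + escapeFilter(uid) + ')').get(0);
        hasSyncedMember = true;
      } catch (e) {
        // not synced: keep looking
      }
    }
    hasSyncedMember
    ]]>
  </update>
  <!-- Assumed values for the remaining conditions; keep whatever the task
       already uses here. -->
  <delete>false</delete>
  <changeId>false</changeId>
</conditions>
```

Two points to weigh before using this. The condition runs the AD search a second time for every group, so on large directories the cost of each sync run roughly doubles for this task; returning false early once a synced member is found limits that. And returning false from <update> means a group that has already been created in OpenLDAP keeps its old member list when all of its synced members leave, so stale memberships should be watched for, for instance with a periodic search for groups whose member values no longer resolve to entries under ou=people.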
_______________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users

