2014-03-25 9:42 GMT+01:00 John Kristensen <[email protected]>:

> On 2014-03-25 18:55, Clément OUDOT wrote:
>
>> 2014-03-25 1:30 GMT+01:00 John Kristensen <[email protected]>:
>>
>>> On 24/03/14 19:02, Clément OUDOT wrote:
>>>
>>>> 2014-03-24 6:24 GMT+01:00 John Kristensen <[email protected]>:
>>>>
>>>> Hello,
>>>>
>>>> I have the following javascript to translate AD groups into OpenLDAP
>>>> groups:
>>>>
>>>> <dataset>
>>>>   <name>member</name>
>>>>   <policy>FORCE</policy>
>>>>   <forceValues>
>>>>     <string>
>>>>       <![CDATA[
>>>>       // DNs of the group's members that also exist in OpenLDAP
>>>>       var members = new Array();
>>>>       // Resolve (nested) AD membership with the
>>>>       // LDAP_MATCHING_RULE_IN_CHAIN rule, leaving out sub-groups
>>>>       var query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:='
>>>>                   + srcBean.getDN() + '))';
>>>>       var member_list = srcLdap.search('', query).toArray();
>>>>
>>>>       for ( var i = 0; i < member_list.length; i++ ) {
>>>>         var uid = srcLdap.attribute(member_list[i], 'sAMAccountName').get(0);
>>>>
>>>>         try {
>>>>           // Look the account up in OpenLDAP; get(0) throws when there is
>>>>           // no match (the account is not synced), so it is dropped
>>>>           var user = ldap.list('ou=people', '(uid=' + uid + ')').get(0);
>>>>           members.push(user + ',' + ldap.getContextDn());
>>>>         } catch(e) {
>>>>           continue;
>>>>         }
>>>>       }
>>>>
>>>>       // Need to convert to a java array if using OpenJDK
>>>>       var membersJava = java.lang.reflect.Array.newInstance(java.lang.String,
>>>>                                                             members.length);
>>>>       for ( var i = 0; i < members.length; i++ ) {
>>>>         membersJava[i] = members[i];
>>>>       }
>>>>       membersJava
>>>>       ]]>
>>>>     </string>
>>>>   </forceValues>
>>>> </dataset>
>>>>
>>>> But because I am only syncing a selection of users some of these
>>>> groups may not contain members after the javascript manipulation has
>>>> been performed, which results in errors like:
>>>>
>>>> ERROR - Error while adding entry cn=Example Users,ou=groups,dc=example,dc=com in directory :javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'groupOfNames' requires attribute 'member']; remaining name 'cn=Distributed COM Users,ou=groups'
>>>>
>>>> Is there any way to skip a group if it would contain no members
>>>> instead of generating these errors? There will be potentially lots
>>>> of them and there is a high likelihood that "real" errors will be
>>>> lost in the noise of these "false" errors.
>>>>
>>>> Hi,
>>>>
>>>> I think the best way is to change the LDAP filter used to get all
>>>> groups. Just add in the filter a condition like (!(member=*)), which
>>>> will ignore all entries that do not have any member values.
>>>>
>>>> Clément.
>>>>
>>> ------------------------------------------------------------------------
>>>
>>> Hello Clément,
>>>
>>> I am already using a condition that contains (member=*), but the
>>> problem is that the AD groups are not empty - the AD groups may
>>> contain only service accounts - but the 'membersJava' array that is
>>> generated will be empty - because we are not syncing the AD service
>>> accounts, which is essentially filtering the AD service accounts out
>>> of the groups.
>>>
>>> If the 'membersJava' array does happen to be empty then the error
>>> is generated. It would be good if we could "return" something from
>>> the javascript to indicate the entry should be skipped, or have an
>>> option that an entry should be skipped if an attribute (i.e. members)
>>> is empty.
>>>
>> You can use a javascript code inside the <condition> markup, for
>> example in the <update> condition. Return false in this code to tell
>> LSC to skip the modification of the entry.
>>
>> Clément.
>>
> Hello Clément,
>
> the <condition> stuff sort of seems to be what I am after, but how do I
> access the generated array (membersJava) for the member attribute to see if
> its length is > 0? From the documentation the only thing I seem to have
> access to with <create> is the srcBean, which will just contain the
> unfiltered members which isn't much use in this case.
>

You can access srcBean in create, update and changeId conditions, and
dstBean in update, changeId and delete conditions.

Clément.
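The thread leaves the practical gap open: the `<conditions>` script cannot see `membersJava`, so the only way to decide "would this group end up empty?" is to run the same member filtering again inside the condition. The block below is an added example, written for this thread and not code from LSC or from either poster. It lifts John's filtering loop into a plain function, `syncedMembers`, and pairs it with `shouldSyncGroup`, the boolean a `<create>` or `<update>` condition script would return (false skips the entry, as Clément says). It runs offline against constructed in-memory stand-ins that expose only the calls John's script uses (`search().toArray()`, `attribute().get()`, `list().get()`, `getContextDn()`); the real `srcLdap`/`ldap` objects are Java-backed and are assumed, not confirmed by the thread, to be reachable from a condition script as well, so check that against the LSC documentation before relying on it. The group DN parameter stands in for `srcBean.getDN()`.

```javascript
'use strict';

// Constructed stand-in for the AD source connection (`srcLdap` in the thread).
// It only understands the memberOf:1.2.840.113556.1.4.1941 chain filter the
// script builds and resolves it from a plain group -> member-DN map.
function makeSourceDirectory(groups, users) {
  return {
    search(base, filter) {
      const m = /memberOf:1\.2\.840\.113556\.1\.4\.1941:=(.+)\)\)$/.exec(filter);
      const hits = m ? (groups[m[1]] || []) : [];
      return { toArray: () => hits.slice() };
    },
    attribute(entryDn, name) {
      const values = (users[entryDn] || {})[name] || [];
      return { get: (i) => { if (i >= values.length) throw new Error('no value'); return values[i]; } };
    },
  };
}

// Constructed stand-in for the OpenLDAP destination (`ldap` in the thread).
// list(base, filter) yields relative DNs; get(0) throws when nothing matched,
// which is the behaviour John's try/catch relies on for unsynced accounts.
function makeDestinationDirectory(contextDn, peopleByUid) {
  return {
    getContextDn: () => contextDn,
    list(base, filter) {
      const m = /^\(uid=(.+)\)$/.exec(filter);
      const hits = m && peopleByUid[m[1]] ? ['uid=' + m[1] + ',' + base] : [];
      return { get: (i) => { if (i >= hits.length) throw new Error('no such entry'); return hits[i]; } };
    },
  };
}

// Same algorithm as the forceValues script: resolve the group's AD members,
// keep only those present under ou=people in OpenLDAP, return their full DNs.
function syncedMembers(srcLdap, ldap, groupDn) {
  const members = [];
  const query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:=' + groupDn + '))';
  for (const entry of srcLdap.search('', query).toArray()) {
    const uid = srcLdap.attribute(entry, 'sAMAccountName').get(0);
    try {
      const user = ldap.list('ou=people', '(uid=' + uid + ')').get(0);
      members.push(user + ',' + ldap.getContextDn());
    } catch (e) {
      continue; // account is not synced to OpenLDAP: leave it out of the group
    }
  }
  return members;
}

// The value a <conditions> script would hand back to LSC: false skips the
// entry, so a group whose filtered member list is empty is never written and
// never triggers the groupOfNames "requires attribute 'member'" violation.
function shouldSyncGroup(srcLdap, ldap, groupDn) {
  return syncedMembers(srcLdap, ldap, groupDn).length > 0;
}

// Constructed sample data: one group mixing a real user with a service
// account, one group holding only the service account. Only "alice" is synced.
const AD_GROUPS = {
  'CN=Example Users,OU=Groups,DC=example,DC=com': [
    'CN=Alice,OU=People,DC=example,DC=com',
    'CN=svc-backup,OU=Service,DC=example,DC=com',
  ],
  'CN=Distributed COM Users,OU=Groups,DC=example,DC=com': [
    'CN=svc-backup,OU=Service,DC=example,DC=com',
  ],
};
const AD_USERS = {
  'CN=Alice,OU=People,DC=example,DC=com': { sAMAccountName: ['alice'] },
  'CN=svc-backup,OU=Service,DC=example,DC=com': { sAMAccountName: ['svc-backup'] },
};
const OPENLDAP_PEOPLE = { alice: true }; // svc-backup deliberately absent

const srcLdap = makeSourceDirectory(AD_GROUPS, AD_USERS);
const ldap = makeDestinationDirectory('dc=example,dc=com', OPENLDAP_PEOPLE);

// Evaluate both groups: the first keeps alice and is synced, the second
// filters down to nothing and is skipped instead of erroring.
function demo() {
  const out = {};
  for (const dn of Object.keys(AD_GROUPS)) {
    out[dn] = { members: syncedMembers(srcLdap, ldap, dn), sync: shouldSyncGroup(srcLdap, ldap, dn) };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

In an actual LSC task the `syncedMembers` body would live in the `<conditions>` script with `srcBean.getDN()` in place of the `groupDn` argument, and the forceValues script would keep computing the `member` values as before; the duplicated lookup is the price of not being able to pass `membersJava` between the two scripts.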
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users

