2014-03-25 11:08 GMT+01:00 John Kristensen <[email protected]>:

> On 2014-03-25 19:47, Clément OUDOT wrote:
>
>> 2014-03-25 9:42 GMT+01:00 John Kristensen
>> <[email protected]>:
>>
>>  On 2014-03-25 18:55, Clément OUDOT wrote:
>>> 2014-03-25 1:30 GMT+01:00 John Kristensen
>>> <[email protected]>:
>>>
>>> On 24/03/14 19:02, Clément OUDOT wrote:
>>>
>>> 2014-03-24 6:24 GMT+01:00 John Kristensen
>>> <[email protected]
>>> <mailto:[email protected]>>:
>>>
>>> Hello,
>>>
>>> I have the following javascript to translate AD groups into
>>> OpenLDAP
>>> groups:
>>>
>>> <dataset>
>>> <name>member</name>
>>> <policy>FORCE</policy>
>>> <forceValues>
>>> <string>
>>> <![CDATA[
>>> var members = new Array();
>>> var query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:='
>>>             + srcBean.getDN() + '))';
>>> var member_list = srcLdap.search('', query).toArray();
>>>
>>> for ( var i = 0; i < member_list.length; i++ ) {
>>>     var uid = srcLdap.attribute(member_list[i], 'sAMAccountName').get(0);
>>>
>>>     try {
>>>         var user = ldap.list('ou=people', '(uid=' + uid + ')').get(0);
>>>         members.push(user + ',' + ldap.getContextDn());
>>>     } catch(e) {
>>>         continue;
>>>     }
>>> }
>>>
>>> // Need to convert to a java array if using OpenJDK
>>> var membersJava = java.lang.reflect.Array.newInstance(java.lang.String, members.length);
>>>
>>> for ( var i = 0; i < members.length; i++ ) {
>>>     membersJava[i] = members[i];
>>> }
>>> membersJava
>>> ]]>
>>> </string>
>>> </forceValues>
>>> </dataset>
>>>
>>> But because I am only syncing a selection of users, some of
>>> these groups may not contain members after the javascript
>>> manipulation has been performed, which results in errors like:
>>>
>>> ERROR - Error while adding entry cn=Example
>>> Users,ou=groups,dc=example,dc=com in directory
>>> :javax.naming.directory.SchemaViolationException: [LDAP: error
>>> code 65 - object class 'groupOfNames' requires attribute
>>> 'member']; remaining name 'cn=Distributed COM Users,ou=groups'
>>>
>>> Is there any way to skip a group if it would contain no members
>>> instead of generating these errors? There will potentially be
>>> lots of them, and there is a high likelihood that "real" errors will be
>>> lost in the noise of these "false" errors.
>>>
>>> Hi,
>>>
>>> I think the best way is to change the LDAP filter used to get all
>>> groups. Just add in the filter a condition like (!(member=*)),
>>> which
>>> will ignore all entries that did not have any member values.
>>>
>>> Clément.
>>>
>>
>>  Hello Clément,
>>>
>>> I am already using a condition that contains (member=*), but the
>>> problem is that the AD groups are not empty - the AD groups may
>>> contain only service accounts - but the 'membersJava' array that is
>>> generated will be empty - because we are not syncing the AD service
>>> accounts, which is essentially filtering the AD service accounts
>>> out
>>> of the groups.
>>>
>>> If the 'membersJava' array does happen to be empty then the error
>>> is generated. It would be good if we could "return" something from
>>> the javascript to indicate the entry should be skipped, or have an
>>> option that an entry should be skipped if an attribute (i.e.
>>> members) is empty.
>>>
>>
>>  You can use a javascript code inside the <condition> markup, for
>>  example in the <update> condition. Return false in this code to tell
>>  LSC to skip the modification of the entry.
>>
>>  Clément.
>>
>>  Hello Clément,
>>
>>  the <condition> stuff sort of seems to be what I am after, but how do
>> I access the generated array (membersJava) for the member attribute to
>> see if its length is >0? From the documentation the only thing I seem
>> to have access to with <create> is the srcBean, which will just
>> contain the unfiltered members which isn't much use in this case.
>>
>> You can access srcBean in create, update and changeId conditions,
>> and dstBean in update, changeId and delete conditions.
>>
>>  Clément.
>>
>>
> Hello Clément,
>
> Yes, I understand those beans are available but they don't provide
> anything useful in this case.
>
> The most common case will be <create> because groups with all their members
> filtered out via javascript will attempt to be created on each run. The
> srcBean.getDatasetAsSetById("member") is not very useful because it will
> just contain what is in the source LDAP, and not the filtered member list
> which could be empty. So what I need is some way to access the filtered
> list ('membersJava' in the script above) to determine if the entry should
> be created.
>
> The other thought I had was just to duplicate most of the script in the
> <condition> section, but 'srcLdap' and 'ldap' don't seem to be available,
> so that is not really an option either.
>
> Any other thoughts?
>


In your javascript, why can't you test the size of the membersJava array?
If it is empty, you just have to return dstBean member attributes, and in
this case, LSC will see that "src" and "dst" values are the same and will
not update anything. You can also try the MERGE policy to merge values from
src and dst.


Clément.
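An added example (not from this thread or from the LSC project) of the pattern described in the reply above: the filtered member list is built as in John's script, and when it comes out empty the script returns the destination entry's existing member values so LSC compares equal values and makes no modification. It runs under Node.js with constructed stand-ins for the srcBean, srcLdap, ldap and dstBean objects that LSC injects as globals; the stand-ins mimic the Java collection calls (toArray, get) the script relies on, the dstBean accessor name mirrors the srcBean.getDatasetAsSetById call quoted above and is an assumption, and the OpenJDK Java-array conversion is omitted because it only matters under Rhino.

```javascript
// Added example. In LSC, srcBean/srcLdap/ldap/dstBean are globals; here they
// are parameters so the same script body can run and be checked under Node.
function memberForceValues(srcBean, srcLdap, ldap, dstBean) {
  var members = [];
  // LDAP_MATCHING_RULE_IN_CHAIN: users that are transitively in this group
  var query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:='
              + srcBean.getDN() + '))';
  var memberList = srcLdap.search('', query).toArray();
  for (var i = 0; i < memberList.length; i++) {
    var uid = srcLdap.attribute(memberList[i], 'sAMAccountName').get(0);
    try {
      // get(0) on an empty result throws, so accounts not synced to
      // OpenLDAP (e.g. service accounts) simply drop out of the list
      var user = ldap.list('ou=people', '(uid=' + uid + ')').get(0);
      members.push(user + ',' + ldap.getContextDn());
    } catch (e) {
      continue;
    }
  }
  if (members.length === 0) {
    // Nothing synced is in this group: echo the destination's current
    // values so src == dst and LSC leaves the entry untouched. On create
    // there is no dstBean, so an empty list is all that can be returned.
    return dstBean ? dstBean.getDatasetAsSetById('member').toArray() : [];
  }
  return members;
}

// Constructed stand-ins (assumed shapes) mimicking the Java collections
// returned by LSC's srcLdap/ldap helpers.
function javaList(items) {
  return {
    toArray: function () { return items.slice(); },
    get: function (i) {
      if (i >= items.length) { throw new Error('IndexOutOfBoundsException'); }
      return items[i];
    }
  };
}
var fakeSrcLdap = {
  // the AD group holds one synced user and one unsynced service account
  search: function (base, filter) { return javaList(['CN=jdoe', 'CN=svc-backup']); },
  attribute: function (dn, name) { return javaList([dn.replace('CN=', '')]); }
};
var fakeLdap = {
  list: function (base, filter) {
    return javaList(filter === '(uid=jdoe)' ? ['uid=jdoe,ou=people'] : []);
  },
  getContextDn: function () { return 'dc=example,dc=com'; }
};
```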
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
