On 26/03/14 00:29, Clément OUDOT wrote:



2014-03-25 11:08 GMT+01:00 John Kristensen <[email protected]>:

    On 2014-03-25 19:47, Clément OUDOT wrote:

        2014-03-25 9:42 GMT+01:00 John Kristensen <[email protected]>:

            On 2014-03-25 18:55, Clément OUDOT wrote:
            2014-03-25 1:30 GMT+01:00 John Kristensen <[email protected]>:

            On 24/03/14 19:02, Clément OUDOT wrote:

            2014-03-24 6:24 GMT+01:00 John Kristensen <[email protected]>:

            Hello,

            I have the following javascript to translate AD groups into
            OpenLDAP
            groups:

            <dataset>
              <name>member</name>
              <policy>FORCE</policy>
              <forceValues>
                <string>
                  <![CDATA[
            var members = new Array();
            // AD "in chain" matching rule (1.2.840.113556.1.4.1941): nested members of this group, users only
            var query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:='
                        + srcBean.getDN() + '))';
            var member_list = srcLdap.search('', query).toArray();

            for ( var i = 0; i < member_list.length; i++ ) {
              var uid = srcLdap.attribute(member_list[i], 'sAMAccountName').get(0);
              try {
                // only users already synced under ou=people become members
                var user = ldap.list('ou=people', '(uid=' + uid + ')').get(0);
                members.push(user + ',' + ldap.getContextDn());
              } catch(e) {
                continue;
              }
            }

            // Need to convert to a java array if using OpenJDK
            var membersJava = java.lang.reflect.Array.newInstance(java.lang.String, members.length);
            for ( var i = 0; i < members.length; i++ ) {
              membersJava[i] = members[i];
            }
            // last expression is the value LSC uses for the attribute
            membersJava
                  ]]>
                </string>
              </forceValues>
            </dataset>

            But because I am only syncing only a selection of users some of
            these groups may not contain members after the javascript
            manipulation has been performed, which results in errors like:

            ERROR - Error while adding entry cn=Example Users,ou=groups,dc=example,dc=com in directory
            :javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'groupOfNames' requires attribute 'member'];
            remaining name 'cn=Distributed COM Users,ou=groups'

            Is there anyway to skip a group if it would contain no members
            instead of generating these errors? There will be potentially lots
            of them and there is a high likelihood that "real" errors will be
            lost in the noise of these "false" errors.

            Hi,

            I think the best way is to change the LDAP filter used to get all
            groups. Just add in the filter a condition like (!(member=*)), which
            will ignore all entries that did not have any member values.

            Clément.


            Hello Clément,

            I am already using a condition that contains (member=*), but the
            problem is that the AD groups are not empty - the AD groups may
            contain only service accounts - but the 'membersJava' array that is
            generated will be empty - because we are not syncing the AD service
            accounts, which is essentially filtering the AD service accounts out
            of the groups.

            If the 'membersJava' array does happen to be empty then the error
            is generated. It would be good if we could "return" something from
            the javascript to indicate the entry should be skipped, or have an
            option that an entry should be skipped if an attribute (ie.
            members) is empty.


          You can use a javascript code inside the <condition> markup, for
          example in the <update> condition. Return false in this code to tell
          LSC to skip the modification of the entry.

          Clément.

          Hello Clément,

          the <condition> stuff sort of seems to be what I am after, but how do
          I access the generated array (membersJava) for the member attribute to
          see if its length is >0? From the documentation the only thing I seem
          to have access to with <create> is the srcBean, which will just
          contain the unfiltered members which isn't much use in this case.

        You can access to srcBean in create, update and changeId conditions,
        and dstBean in update, changeId and delete conditions.

          Clément.


    Hello Clément,

    Yes, I understand those beans are available but they don't provide
    anything useful in this case.

    The most common case will be <create> because groups with all their
    members filtered out via javascript will attempt to be created on
    each run. The srcBean.getDatasetAsSetById("member") is not very
    useful because it will just contain what is in the source LDAP, and
    not the filtered member list which could be empty. So what I need is
    some way to access the filtered list ('membersJava' in the script
    above) to determine if the entry should be created.

    The other thought I had was just to duplicate most of the script in
    the <condition> section, but 'srcLdap' and 'ldap' don't seem to be
    available, so that is not really an option either.

    Any other thoughts?



In your javascript, why can't you test the size of the membersJava array
? If it is empty, you just have to return dstBean member attributes, and
in this case, LSC will see that "src" and "dst" values are the same and
will not update anything. You also can try the MERGE policy to merge
values from src and dst.


Clément.


Hello Clément,

The dstBean won't exist for a create because the group (groupOfNames) doesn't exist, LSC is seeing that the group doesn't exist so is attempting to create a new group with no member attributes. There are no member attributes because in some cases there are no valid members (the invalid ones have been filtered out using javascript) which then results in an error and the group is not being created. The next time LSC runs this entire process repeats.

Something similar would happen with an update that should actually delete an entry. The dstBean may have one or more members, but if the source is changed to contain no valid members (ie. all members would be filtered out by javascript) then LSC will attempt to update the dstBean with no member attributes which again would result in an error. If I were to check the length of membersJava and return the dstBean member attributes then there wouldn't be an error, but the groups would be inconsistent between the source and destination.

It is starting to sound like LSC can't handle the use case I am throwing at it.

SeeYa,
John
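The member-translation script from John's first message, reworked as an added Node.js example (not code from the thread or from the LSC project): it escapes every value that goes into an LDAP filter per RFC 4515, where the original concatenates srcBean.getDN() and sAMAccountName into the filter raw, and it returns an explicit skip flag when the filtered list is empty, which is the signal the thread is asking for. srcLdap and ldap are constructed in-memory stand-ins for LSC's Rhino helpers, and the sample directory contents are made up.

```javascript
// Added example, not from the thread or the LSC project. Re-implements the
// AD -> OpenLDAP member translation with RFC 4515 filter escaping and an
// explicit "group would be empty" signal. srcLdap/ldap are constructed stand-ins.
const AD_IN_CHAIN_OID = '1.2.840.113556.1.4.1941'; // LDAP_MATCHING_RULE_IN_CHAIN

// RFC 4515: escape backslash, asterisk, parentheses and NUL inside filter values.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Same filter as the thread's script: nested (transitive) members of groupDn, users only.
function buildMemberQuery(groupDn) {
  return '(&(!(objectClass=group))(memberOf:' + AD_IN_CHAIN_OID + ':=' +
    escapeFilterValue(groupDn) + '))';
}

// Map AD members of groupDn to OpenLDAP member DNs; members not present under
// ou=people (e.g. unsynced service accounts) are dropped, as in the thread.
function translateMembers(srcLdap, ldap, groupDn) {
  const members = [];
  for (const entry of srcLdap.search('', buildMemberQuery(groupDn))) {
    const uid = srcLdap.attribute(entry, 'sAMAccountName');
    const hits = ldap.list('ou=people', '(uid=' + escapeFilterValue(uid) + ')');
    if (hits.length === 0) continue;
    members.push(hits[0] + ',' + ldap.getContextDn());
  }
  // skip === true means a groupOfNames with no 'member' would be written
  return { members, skip: members.length === 0 };
}

// Constructed sample directories (assumption: two AD groups, one synced human user).
const srcLdap = {
  results: {
    [buildMemberQuery('CN=Example Users,OU=Groups,DC=example,DC=com')]:
      ['CN=alice,OU=Users,DC=example,DC=com', 'CN=svc-backup,OU=Service,DC=example,DC=com'],
    [buildMemberQuery('CN=Distributed COM Users,CN=Builtin,DC=example,DC=com')]:
      ['CN=svc-dcom,OU=Service,DC=example,DC=com'],
  },
  search(base, filter) { return this.results[filter] || []; },
  attribute(dn, name) { return name === 'sAMAccountName' ? dn.split(',')[0].slice(3) : null; },
};
const ldap = {
  people: { alice: 'uid=alice,ou=people' }, // service accounts are not synced
  list(base, filter) {
    const m = /^\(uid=(.*)\)$/.exec(filter);
    return m && this.people[m[1]] ? [this.people[m[1]]] : [];
  },
  getContextDn() { return 'dc=example,dc=com'; },
};
```

Whether a flag like `skip` can reach an LSC <condition> is the open question in the thread; the block only shows the logic that produces it.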
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
