2014-03-26 1:51 GMT+01:00 John Kristensen <[email protected]>:

>
>
> On 26/03/14 00:29, Clément OUDOT wrote:
>
>>
>>
>>
>> 2014-03-25 11:08 GMT+01:00 John Kristensen <[email protected]>:
>>
>>
>>     On 2014-03-25 19:47, Clément OUDOT wrote:
>>
>>         2014-03-25 9:42 GMT+01:00 John Kristensen <[email protected]>:
>>
>>
>>             On 2014-03-25 18:55, Clément OUDOT wrote:
>>             2014-03-25 1:30 GMT+01:00 John Kristensen <[email protected]>:
>>
>>
>>             On 24/03/14 19:02, Clément OUDOT wrote:
>>
>>             2014-03-24 6:24 GMT+01:00 John Kristensen <[email protected]>:
>>
>>             Hello,
>>
>>             I have the following javascript to translate AD groups into
>>             OpenLDAP
>>             groups:
>>
>>             <dataset>
>>               <name>member</name>
>>               <policy>FORCE</policy>
>>               <forceValues>
>>                 <string>
>>                 <![CDATA[
>>                 var members = new Array();
>>                 // LDAP_MATCHING_RULE_IN_CHAIN: all non-group entries that are (nested) members of this group
>>                 var query = '(&(!(objectClass=group))(memberOf:1.2.840.113556.1.4.1941:=' + srcBean.getDN() + '))';
>>                 var member_list = srcLdap.search('', query).toArray();
>>
>>                 for ( var i = 0; i < member_list.length; i++ ) {
>>                   var uid = srcLdap.attribute(member_list[i], 'sAMAccountName').get(0);
>>
>>                   try {
>>                     var user = ldap.list('ou=people', '(uid=' + uid + ')').get(0);
>>                     members.push(user + ',' + ldap.getContextDn());
>>                   } catch(e) {
>>                     // user not present in OpenLDAP (not synced): drop it from the group
>>                     continue;
>>                   }
>>                 }
>>
>>                 // Need to convert to a java array if using OpenJDK
>>                 membersJava = java.lang.reflect.Array.newInstance(java.lang.String, members.length);
>>
>>                 for ( var i = 0; i < members.length; i++ ) {
>>                   membersJava[i] = members[i];
>>                 }
>>                 membersJava
>>                 ]]>
>>                 </string>
>>               </forceValues>
>>             </dataset>
>>
>>             But because I am only syncing a selection of users, some of
>>             these groups may not contain members after the javascript
>>             manipulation has been performed, which results in errors like:
>>
>>             ERROR - Error while adding entry cn=Example Users,ou=groups,dc=example,dc=com in directory
>>             :javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'groupOfNames' requires attribute 'member'];
>>             remaining name 'cn=Distributed COM Users,ou=groups'
>>
>>             Is there any way to skip a group if it would contain no members
>>             instead of generating these errors? There will potentially be
>>             lots of them, and there is a high likelihood that "real" errors
>>             will be lost in the noise of these "false" errors.
>>
>>             Hi,
>>
>>             I think the best way is to change the LDAP filter used to get all
>>             groups. Just add a condition like (!(member=*)) to the filter,
>>             which will ignore all entries that do not have any member values.
>>
>>             Clément.
>>
>>           --------------------------------------------------------------------------
>>
>>
>>             Hello Clément,
>>
>>             I am already using a condition that contains (member=*), but the
>>             problem is that the AD groups are not empty - the AD groups may
>>             contain only service accounts - but the 'membersJava' array that is
>>             generated will be empty - because we are not syncing the AD service
>>             accounts, which is essentially filtering the AD service accounts
>>             out of the groups.
>>
>>             If the 'membersJava' array does happen to be empty then the error
>>             is generated. It would be good if we could "return" something from
>>             the javascript to indicate the entry should be skipped, or have an
>>             option that an entry should be skipped if an attribute (i.e.
>>             members) is empty.
>>
>>
>>           You can use javascript code inside the <condition> markup, for
>>           example in the <update> condition. Return false in this code to tell
>>           LSC to skip the modification of the entry.
>>
>>           Clément.
>>
>>           Hello Clément,
>>
>>         the <condition> stuff sort of seems to be what I am after, but how do
>>         I access the generated array (membersJava) for the member attribute to
>>         see if its length is > 0? From the documentation the only thing I seem
>>         to have access to with <create> is the srcBean, which will just
>>         contain the unfiltered members, which isn't much use in this case.
>>
>>         You can access srcBean in create, update and changeId conditions,
>>         and dstBean in update, changeId and delete conditions.
>>
>>           Clément.
>>
>>
>>     Hello Clément,
>>
>>     Yes, I understand those beans are available but they don't provide
>>     anything useful in this case.
>>
>>     The most common case will be <create>, because groups with all their
>>     members filtered out via javascript will attempt to be created on
>>     each run. The srcBean.getDatasetAsSetById("member") is not very
>>     useful because it will just contain what is in the source LDAP, and
>>     not the filtered member list, which could be empty. So what I need is
>>     some way to access the filtered list ('membersJava' in the script
>>     above) to determine if the entry should be created.
>>
>>     The other thought I had was just to duplicate most of the script in
>>     the <condition> section, but 'srcLdap' and 'ldap' don't seem to be
>>     available, so that is not really an option either.
>>
>>     Any other thoughts?
>>
>>
>>
>> In your javascript, why can't you test the size of the membersJava array?
>> If it is empty, you just have to return the dstBean member attributes, and
>> in this case LSC will see that "src" and "dst" values are the same and
>> will not update anything. You can also try the MERGE policy to merge
>> values from src and dst.
>>
>>
>> Clément.
>>
>>
> Hello Clément,
>
> The dstBean won't exist for a create because the group (groupOfNames)
> doesn't exist; LSC is seeing that the group doesn't exist so is attempting
> to create a new group with no member attributes. There are no member
> attributes because in some cases there are no valid members (the invalid
> ones have been filtered out using javascript), which then results in an
> error and the group not being created. The next time LSC runs, this
> entire process repeats.
>
> Something similar would happen with an update that should actually delete
> an entry. The dstBean may have one or more members, but if the source is
> changed to contain no valid members (i.e. all members would be filtered out
> by javascript) then LSC will attempt to update the dstBean with no member
> attributes, which again would result in an error. If I were to check the
> length of membersJava and return the dstBean member attributes then there
> wouldn't be an error, but the groups would be inconsistent between the
> source and destination.
>
> It is starting to sound like LSC can't handle the use case I am throwing
> at it.
>



Hi,

you can maybe take a look at the Executable plugin and LSC 2.1 (we released
a RC some days ago):
http://lsc-project.org/wiki/documentation/plugins/executable

This plugin allows you to call scripts for each operation (create, update,
etc.), so you would be able to program the behavior you want.

Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
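Added example (not code from the thread, from LSC or from the Executable plugin): a stand-alone Node.js model of what the forceValues script in this thread does, namely filtering AD group members down to the accounts that were actually synced, and the decision that has to follow when the filtered list comes out empty (skip the create, or hand back the destination values as suggested above, at the cost of a stale group). SYNCED, CONTEXT_DN, decideGroupAction and the sample groups are names and data constructed for this demo; the escaping helper shows the RFC 4515 escaping a sAMAccountName needs when it is substituted into the (uid=...) filter, which the quoted script does not do.

```javascript
// Added example (not from the thread or LSC): the forceValues script's member filtering,
// plus the decision for an empty result. SYNCED, CONTEXT_DN, decideGroupAction are demo names.

// RFC 4515 escaping for a value substituted into an LDAP filter.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// The per-user lookup filter the script builds from sAMAccountName.
function uidFilter(sam) {
  return '(uid=' + escapeFilterValue(sam) + ')';
}

// Keep only AD members that exist in OpenLDAP and return their full DNs.
// syncedUsers maps lower-cased sAMAccountName -> RDN under the context DN.
function filteredMembers(adMembers, syncedUsers, contextDn) {
  const members = [];
  for (const sam of adMembers) {
    const rdn = syncedUsers.get(sam.toLowerCase());
    if (rdn === undefined) continue;        // not synced (e.g. a service account)
    members.push(rdn + ',' + contextDn);
  }
  return members;
}

// groupOfNames requires 'member', so an empty list cannot be written:
//   write       -> apply the filtered list
//   skip-stale  -> hand back the destination values so LSC sees src == dst
//                  (no schema error, but the group is left stale)
//   skip-create -> nothing to write and no destination entry to fall back on
function decideGroupAction(filtered, dstMembers) {
  if (filtered.length > 0) return { action: 'write', member: filtered };
  if (dstMembers.length > 0) return { action: 'skip-stale', member: dstMembers };
  return { action: 'skip-create', member: [] };
}

// Constructed sample data: the synced people and two AD groups.
const CONTEXT_DN = 'dc=example,dc=com';
const SYNCED = new Map([['jsmith', 'uid=jsmith,ou=people'],
                        ['ajones', 'uid=ajones,ou=people']]);
const EXAMPLE_USERS = ['jsmith', 'svc-backup', 'AJones'];  // people plus a service account
const SERVICE_ONLY = ['svc-backup', 'svc-monitor'];        // would hit LDAP error 65

function runDemo() {   // both groups have no existing destination entry (create case)
  const decide = (g) => decideGroupAction(filteredMembers(g, SYNCED, CONTEXT_DN), []);
  return { exampleUsers: decide(EXAMPLE_USERS), serviceOnly: decide(SERVICE_ONLY) };
}
console.log(JSON.stringify(runDemo(), null, 2));
```

The 'skip-create' outcome is the case that produces the repeated error 65 in the thread; in LSC itself the decision would have to be taken in a <condition> or an Executable plugin script, since the forceValues code only returns attribute values.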
