
List:       forgerock-openidm
Subject:    [OpenIDM] comparing _id with different case
From:       brett.maxfield () gmail ! com (Brett  () Google)
Date:       2013-03-31 11:39:45
Message-ID: CAJiMZ94ZCFVOs2gSXmhzmJgt66yXkPsF7gRkR=vnPBT_GV2+OA () mail ! gmail ! com

Hi Gael,

Thanks for that. I have this working for "uidAttribute : name" in the case where
the users in AD are all provisioned by OpenIDM (destination users not pre-existing).

I still get the same exception when I use objectGUID in uidAttribute,
though. That would be preferable to name (in ADAM at least; I've yet to
test a "real" AD) for linking, as it is not case sensitive.

But my original problem I think I solved (linking of external, mutually
created objects on the IDM -> AD mapping).

When a new user is added on the AD(AM) server (but not yet LDAP), it is
listed as UNASSIGNED.

If I have a correlation query defined AND I specify the FOUND state as
LINK, and UNASSIGNED as IGNORE, the correlation query is used to create a
link for the target object only when a matching source object eventually
exists, and then, with a link in place, attribute syncing can occur. :)

So in this case correlationQuery seems to be used only for linking in the
case of FOUND; after that the created link is used for updating.

Cheers
Brett

cat conf/provisioner.openicf-ad.json
{
    "name" : "ad",
    "connectorRef" : {
        "bundleName" : "org.forgerock.openicf.connectors.ldap-connector",
        "bundleVersion" : "1.1.1.0-SNAPSHOT",
        "connectorName" : "org.identityconnectors.ldap.LdapConnector"
    },
    "poolConfigOption" : {
        "maxObjects" : 10,
        "maxIdle" : 10,
        "maxWait" : 150000,
        "minEvictableIdleTimeMillis" : 120000,
        "minIdle" : 1
    },
    "operationTimeout" : {
        "CREATE" : -1,
        "VALIDATE" : -1,
        "TEST" : -1,
        "SCRIPT_ON_CONNECTOR" : -1,
        "SCHEMA" : -1,
        "DELETE" : -1,
        "UPDATE" : -1,
        "SYNC" : -1,
        "AUTHENTICATE" : -1,
        "GET" : -1,
        "SCRIPT_ON_RESOURCE" : -1,
        "SEARCH" : -1
    },
    "configurationProperties" : {
        "accountSynchronizationFilter" : null,
        "passwordAttributeToSynchronize" : null,
        "synchronizePasswords" : false,
        "removeLogEntryObjectClassFromFilter" : true,
        "modifiersNamesToFilterOut" : [ ],
        "passwordDecryptionKey" : null,
        "changeLogBlockSize" : 100,
        "baseContextsToSynchronize" : [
            "ou=users,dc=example,dc=com"
        ],
        "attributesToSynchronize" : [ ],
        "changeNumberAttribute" : "changeNumber",
        "passwordDecryptionInitializationVector" : null,
        "filterWithOrInsteadOfAnd" : false,
        "objectClassesToSynchronize" : [
            "user"
        ],
        "port" : 389,
        "vlvSortAttribute" : "uid",
        "passwordAttribute" : "unicodePwd",
        "useBlocks" : true,
        "maintainPosixGroupMembership" : false,
        "failover" : [ ],
        "ssl" : false,
        "principal" : "cn=sync,dc=example,dc=com",
        "baseContexts" : [
            "ou=users,dc=example,dc=com"
        ],
        "readSchema" : false,
        "accountObjectClasses" : [
            "user"
        ],
        "groupObjectClasses" : [
            "group"
        ],
        "accountUserNameAttributes" : [
            "uid",
            "cn"
        ],
        "groupMemberAttribute" : "member",
        "accountSearchFilter" : null,
        "passwordHashAlgorithm" : "WIN-AD",
        "usePagedResultControl" : true,
        "blockSize" : 100,
        "uidAttribute" : "name",
        "maintainLdapGroupMembership" : false,
        "respectResourcePasswordPolicyChangeAfterReset" : false,
        "referralsHandling" : "ignore"
    },
    "objectTypes" : {
        "account" : {
            "$schema" : "http://json-schema.org/draft-03/schema",
            "id" : "account",
            "type" : "object",
            "nativeType" : "__ACCOUNT__",
            "properties" : {
                "__NAME__" : {
                    "type" : "string",
                    "required" : true,
                    "nativeName" : "__NAME__",
                    "nativeType" : "string"
                },
                "__PASSWORD__" : {
                    "type" : "string",
                    "nativeName" : "__PASSWORD__",
                    "nativeType" : "JAVA_TYPE_GUARDEDSTRING",
                    "flags" : [
                        "NOT_RETURNED_BY_DEFAULT"
                    ]
                },
                "cn" : {
                    "type" : "string",
                    "required" : true,
                    "nativeName" : "cn",
                    "nativeType" : "string",
                    "flags" : [
                        "NOT_UPDATEABLE"
                    ]
                },
                "name" : {
                    "type" : "string",
                    "required" : true,
                    "nativeName" : "name",
                    "nativeType" : "string",
                    "flags" : [
                        "NOT_UPDATEABLE"
                    ]
                },
                "sAMAccountName" : {
                    "type" : "string",
                    "required" : true,
                    "nativeName" : "sAMAccountName",
                    "nativeType" : "string",
                    "flags" : [
                        "NOT_UPDATEABLE"
                    ]
                },
                "displayName" : {
                    "type" : "string",
                    "required" : true,
                    "nativeName" : "displayName",
                    "nativeType" : "string"
                },
                "givenName" : {
                    "type" : "string",
                    "required" : true,
                    "nativeName" : "givenName",
                    "nativeType" : "string"
                },
                "sn" : {
                    "type" : "string",
                    "required" : true,
                    "nativeName" : "sn",
                    "nativeType" : "string"
                },
                "employeeNumber" : {
                    "type" : "string",
                    "nativeName" : "employeeNumber",
                    "nativeType" : "string"
                },
                "mail" : {
                    "type" : "string",
                    "nativeName" : "mail",
                    "nativeType" : "string"
                },
                "postalAddress" : {
                    "type" : "string",
                    "nativeName" : "postalAddress",
                    "nativeType" : "string"
                },
                "description" : {
                    "type" : "string",
                    "nativeName" : "description",
                    "nativeType" : "string"
                },
                "pager" : {
                    "type" : "string",
                    "nativeName" : "pager",
                    "nativeType" : "string"
                },
                "l" : {
                    "type" : "string",
                    "nativeName" : "l",
                    "nativeType" : "string"
                },
                "street" : {
                    "type" : "string",
                    "nativeName" : "street",
                    "nativeType" : "string"
                },
                "postalCode" : {
                    "type" : "string",
                    "nativeName" : "postalCode",
                    "nativeType" : "string"
                },
                "st" : {
                    "type" : "string",
                    "nativeName" : "st",
                    "nativeType" : "string"
                },
                "mobile" : {
                    "type" : "string",
                    "nativeName" : "mobile",
                    "nativeType" : "string"
                },
                "telephoneNumber" : {
                    "type" : "string",
                    "nativeName" : "telephoneNumber",
                    "nativeType" : "string"
                },
                "initials" : {
                    "type" : "string",
                    "nativeName" : "initials",
                    "nativeType" : "string"
                },
                "info" : {
                    "type" : "string",
                    "nativeName" : "info",
                    "nativeType" : "string"
                },
                "objectClass" : {
                    "type" : "array",
                    "items" : {
                        "type" : "string",
                        "nativeType" : "string"
                    },
                    "nativeName" : "objectClass",
                    "nativeType" : "string",
                    "flags" : [
                        "NOT_CREATABLE",
                        "NOT_UPDATEABLE"
                    ]
                },
                "uSNChanged" : {
                    "type" : "string",
                    "nativeName" : "uSNChanged",
                    "nativeType" : "string",
                    "flags" : [
                        "NOT_CREATABLE",
                        "NOT_UPDATEABLE"
                    ]
                },
                "uSNCreated" : {
                    "type" : "string",
                    "nativeName" : "uSNCreated",
                    "nativeType" : "string",
                    "flags" : [
                        "NOT_CREATABLE",
                        "NOT_UPDATEABLE"
                    ]
                },
                "whenChanged" : {
                    "type" : "string",
                    "nativeName" : "whenChanged",
                    "nativeType" : "string",
                    "flags" : [
                        "NOT_CREATABLE",
                        "NOT_UPDATEABLE"
                    ]
                },
                "whenCreated" : {
                    "type" : "string",
                    "nativeName" : "whenCreated",
                    "nativeType" : "string",
                    "flags" : [
                        "NOT_CREATABLE",
                        "NOT_UPDATEABLE"
                    ]
                }
            }
        }
    },
    "operationOptions" : {
        "DELETE" : {
            "denied" : false,
            "onDeny" : "DO_NOTHING"
        },
        "UPDATE" : {
            "denied" : false,
            "onDeny" : "DO_NOTHING"
        },
        "CREATE" : {
            "denied" : false,
            "onDeny" : "DO_NOTHING"
        }
    }
}

cat conf/sync.json
{
    "mappings" : [
        {
            "name" : "systemLdapAccounts_managedUser",
            "source" : "system/opendj/account",
            "sourceIdsCaseSensitive" : false,
            "target" : "managed/user",
            "properties" : [
                {
                    "source" : "uid",
                    "target" : "userName"
                },
                {
                    "source" : "givenName",
                    "target" : "givenName"
                },
                {
                    "source" : "sn",
                    "target" : "familyName"
                },
                {
                    "source" : "cn",
                    "target" : "fullName"
                },
                {
                    "source" : "description",
                    "target" : "description"
                },
                {
                    "source" : "mail",
                    "target" : "email"
                },
                {
                    "source" : "employeeNumber",
                    "target" : "employeeNumber"
                },
                {
                    "source" : "postalAddress",
                    "target" : "postalAddress"
                },
                {
                    "source" : "postalCode",
                    "target" : "postalCode"
                },
                {
                    "source" : "street",
                    "target" : "street"
                },
                {
                    "source" : "l",
                    "target" : "city"
                },
                {
                    "source" : "st",
                    "target" : "stateProvince"
                },
                {
                    "source" : "mobile",
                    "target" : "mobile"
                },
                {
                    "source" : "telephoneNumber",
                    "target" : "phoneNumber"
                },
                {
                    "source" : "homePhone",
                    "target" : "homePhone"
                },
                {
                    "source" : "initials",
                    "target" : "initials"
                }
            ],
            "policies" : [
                {
                    "situation" : "CONFIRMED",
                    "action" : "UPDATE"
                },
                {
                    "situation" : "FOUND",
                    "action" : "IGNORE"
                },
                {
                    "situation" : "ABSENT",
                    "action" : "CREATE"
                },
                {
                    "situation" : "AMBIGUOUS",
                    "action" : "IGNORE"
                },
                {
                    "situation" : "MISSING",
                    "action" : "CREATE"
                },
                {
                    "situation" : "SOURCE_MISSING",
                    "action" : "DELETE"
                },
                {
                    "situation" : "UNQUALIFIED",
                    "action" : "IGNORE"
                },
                {
                    "situation" : "UNASSIGNED",
                    "action" : "IGNORE"
                }
            ]
        },
        {
            "name" : "managedUser_systemADAccounts",
            "source" : "managed/user",
            "target" : "system/ad/account",
            "targetIdsCaseSensitive" : false,
            "properties" : [
                {
                    "source" : "userName",
                    "target" : "name"
                },
                {
                    "source" : "userName",
                    "target" : "sAMAccountName"
                },
                {
                    "source" : "userName",
                    "target" : "cn"
                },
                {
                    "source" : "fullName",
                    "target" : "displayName"
                },
                {
                    "source" : "givenName",
                    "target" : "givenName"
                },
                {
                    "source" : "familyName",
                    "target" : "sn"
                },
                {
                    "source" : "description",
                    "target" : "description"
                },
                {
                    "source" : "email",
                    "target" : "mail"
                },
                {
                    "source" : "employeeNumber",
                    "target" : "employeeNumber"
                },
                {
                    "source" : "postalAddress",
                    "target" : "postalAddress"
                },
                {
                    "source" : "postalCode",
                    "target" : "postalCode"
                },
                {
                    "source" : "street",
                    "target" : "street"
                },
                {
                    "source" : "l",
                    "target" : "l"
                },
                {
                    "source" : "st",
                    "target" : "st"
                },
                {
                    "source" : "mobile",
                    "target" : "mobile"
                },
                {
                    "source" : "phoneNumber",
                    "target" : "telephoneNumber"
                },
                {
                    "source" : "homePhone",
                    "target" : "homePhone"
                },
                {
                    "source" : "initials",
                    "target" : "initials"
                }
            ],
            "onCreate" : {
                "type" : "text/javascript",
                "source" : "target.__NAME__ = 'cn=' + source.userName + ',ou=users,dc=example,dc=com';"
            },
            "correlationQuery" : {
                "type" : "text/javascript",
                "source" : "var myarray = [source.userName];var map = {'query' : { 'Equals': {'field' : 'name','values' : myarray}}};map;"
            },
            "policies" : [
                {
                    "situation" : "CONFIRMED",
                    "action" : "UPDATE"
                },
                {
                    "situation" : "FOUND",
                    "action" : "LINK"
                },
                {
                    "situation" : "ABSENT",
                    "action" : "IGNORE"
                },
                {
                    "situation" : "AMBIGUOUS",
                    "action" : "IGNORE"
                },
                {
                    "situation" : "MISSING",
                    "action" : "CREATE"
                },
                {
                    "situation" : "SOURCE_MISSING",
                    "action" : "DELETE"
                },
                {
                    "situation" : "UNQUALIFIED",
                    "action" : "IGNORE"
                },
                {
                    "situation" : "UNASSIGNED",
                    "action" : "IGNORE"
                }
            ]
        }
    ]
}
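To make the sequence described above concrete (an AD account with no managed user is UNASSIGNED; once a managed user correlates to it the situation is FOUND and the LINK action creates the link; on the next run the pair is CONFIRMED and UPDATE syncs attributes), here is an added example. It is not OpenIDM's code and not part of the original post: a simplified model of the situation assessment, using the policies and the correlationQuery shape from the sync.json above. Sample users, ids and the link-table shape are constructed; target ids are compared case-insensitively as "targetIdsCaseSensitive" : false requests; UNQUALIFIED (validSource/validTarget scripts) is not modelled.

```javascript
// Added example, not OpenIDM code: a simplified model of reconciliation situations.
// Sample data and the link-table shape are constructed for illustration.

// Policies copied from the managedUser_systemADAccounts mapping above.
const POLICIES = {
  CONFIRMED: "UPDATE", FOUND: "LINK", ABSENT: "IGNORE", AMBIGUOUS: "IGNORE",
  MISSING: "CREATE", SOURCE_MISSING: "DELETE", UNASSIGNED: "IGNORE",
};

// Same query map the correlationQuery script in sync.json returns.
function correlationQuery(source) {
  return { query: { Equals: { field: "name", values: [source.userName] } } };
}

// Case-insensitive comparison, matching the "...IdsCaseSensitive" : false settings.
const sameId = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

// Evaluate an Equals query against the target objects (AD's "name" is not case-sensitive).
function runCorrelation(query, targets) {
  const { field, values } = query.query.Equals;
  return targets.filter(t => values.some(v => sameId(t[field], v)));
}

// Source phase: classify one managed user given the current link table.
function assessSource(source, links, targets) {
  const link = links.find(l => sameId(l.sourceId, source._id));
  if (link) {
    return targets.some(t => sameId(t._id, link.targetId)) ? "CONFIRMED" : "MISSING";
  }
  const matches = runCorrelation(correlationQuery(source), targets);
  if (matches.length === 0) return "ABSENT";
  return matches.length === 1 ? "FOUND" : "AMBIGUOUS";
}

// Target phase: a target with no link is UNASSIGNED; a linked target whose
// source has disappeared is SOURCE_MISSING; anything else was handled above.
function assessTarget(target, links, sources) {
  const link = links.find(l => sameId(l.targetId, target._id));
  if (!link) return "UNASSIGNED";
  return sources.some(s => sameId(s._id, link.sourceId)) ? null : "SOURCE_MISSING";
}

// One reconciliation run. Returns the per-object decisions and the updated link
// table (only LINK is applied here; UPDATE/CREATE/DELETE are just reported).
function reconcile(sources, targets, links) {
  const decisions = [];
  const newLinks = links.slice();
  for (const s of sources) {
    const situation = assessSource(s, newLinks, targets);
    decisions.push({ id: s._id, situation, action: POLICIES[situation] });
    if (POLICIES[situation] === "LINK") {
      const t = runCorrelation(correlationQuery(s), targets)[0];
      newLinks.push({ sourceId: s._id, targetId: t._id });
    }
  }
  for (const t of targets) {
    const situation = assessTarget(t, newLinks, sources);
    if (situation) decisions.push({ id: t._id, situation, action: POLICIES[situation] });
  }
  return { decisions, links: newLinks };
}

// Walk through the three runs described in the mail with constructed sample data.
function demo() {
  const ad = [{ _id: "cn=BSmith,ou=users,dc=example,dc=com", name: "BSmith" }];
  const run1 = reconcile([], ad, []);                       // AD user, no managed user yet
  const managed = [{ _id: "1f2e3d", userName: "bsmith" }];  // managed user appears (case differs)
  const run2 = reconcile(managed, ad, run1.links);          // FOUND -> LINK creates the link
  const run3 = reconcile(managed, ad, run2.links);          // CONFIRMED -> UPDATE from now on
  return [run1, run2, run3].map(r => r.decisions.map(d => `${d.situation}/${d.action}`));
}

console.log(demo());
```

Running it prints UNASSIGNED/IGNORE, then FOUND/LINK, then CONFIRMED/UPDATE for the single AD account, which is the behaviour the mail reports. Note that the correlation itself is only consulted while no link exists; once the link row is present the situation is decided from the link table, so a stale link table (Gael's hint 4) changes the outcome of every later run.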



On Sun, Mar 31, 2013 at 12:07 AM, Gael Allioux
<gael.allioux at forgerock.com> wrote:

> Brett,
> 
> look again at the provisioner file I sent you...
> 
> Some hints:
> 
> 1- "readSchema" : true, => should be false if system is AD
> 
> 2- "accountObjectClasses" : [
> "top",
> "person",
> "organizationalPerson",
> "inetOrgPerson"
> ],
> 
> => should be "user" if AD
> 
> 3- cn should not be modifiable (NOT_UPDATEABLE) on AD
> 
> 4- Make sure you wipe out any previous links (link table)
> 
> Gael
> 
> On 03/30/2013 01:46 PM, Brett @Google wrote:
> 
> Hi Gael,
> 
> I copied the new file ldap-connector-1.1.1.0-20130329.221153-60.jar into
> connectors/ldap-connector-1.1.1.0-SNAPSHOT.jar and restarted the server.
> 
> I changed both provider headers to : "bundleVersion" : "1.1.1.0-SNAPSHOT"
> and deleted (moved away) my old ldap provider.
> 
> "connectorRef" : {
> "bundleName" : "org.forgerock.openicf.connectors.ldap-connector",
> "bundleVersion" : "1.1.1.0-SNAPSHOT",
> "connectorName" : "org.identityconnectors.ldap.LdapConnector"
> },
> 
> It throws the exception below when I call to retrieve a system account
> from AD.
> 
> That could be 8 x 8 bit bytes = 64 bits, the binary size of a GUID ?
> 
> Cheers
> Brett
> 
> OpenIDM version "2.1.0-SNAPSHOT" (revision: 0)
> -> OpenIDM ready
> Mar 30, 2013 10:05:53 PM
> org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService
> handle
> SEVERE: Operation [read, system/ad/account/user.111] failed with
> ConnectorException on system object:
> org.identityconnectors.framework.common.exceptions.ConnectorException:
> objectGUID attribute has the wrong length (8). Should be 39 characters.
> Mar 30, 2013 10:05:53 PM
> org.forgerock.openidm.router.JsonResourceRouterService handle
> WARNING: JSON resource exception
> org.forgerock.json.resource.JsonResourceException: ConnectorException
> at
> org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService.handle(OpenICFProvisionerService.java:502)
>  at
> org.forgerock.openidm.provisioner.impl.SystemObjectSetService.handle(SystemObjectSetService.java:180)
>  at
> org.forgerock.json.resource.JsonResourceRouter.handle(JsonResourceRouter.java:79)
> at
> org.forgerock.json.resource.JsonResourceFilterChain$1.handle(JsonResourceFilterChain.java:59)
>  at
> org.forgerock.openidm.router.JsonResourceRouterService$Filter.filter(JsonResourceRouterService.java:571)
>  at
> org.forgerock.json.resource.JsonResourceFilterChain$1.handle(JsonResourceFilterChain.java:59)
>  at
> org.forgerock.openidm.router.JsonResourceRouterService$Filter.filter(JsonResourceRouterService.java:571)
>  at
> org.forgerock.json.resource.JsonResourceFilterChain$1.handle(JsonResourceFilterChain.java:59)
>  at
> org.forgerock.json.resource.JsonResourceFilterChain.handle(JsonResourceFilterChain.java:53)
>  at
> org.forgerock.openidm.router.JsonResourceRouterService.handle(JsonResourceRouterService.java:321)
>  at
> org.forgerock.json.resource.JsonResourceAccessor.read(JsonResourceAccessor.java:93)
> at
> org.forgerock.json.resource.restlet.JsonServerResource.read(JsonServerResource.java:137)
>  at
> org.forgerock.json.resource.restlet.JsonServerResource.get(JsonServerResource.java:292)
>  at
> org.restlet.resource.ServerResource.doHandle(ServerResource.java:381)
> at
> org.forgerock.restlet.ExtendedServerResource.doHandle(ExtendedServerResource.java:56)
>  at
> org.forgerock.json.resource.restlet.JsonServerResource.doHandle(JsonServerResource.java:272)
>  at
> org.restlet.resource.ServerResource.handle(ServerResource.java:853)
> at org.restlet.resource.Finder.handle(Finder.java:513)
> at
> org.forgerock.json.resource.restlet.JsonResourceRestlet.handle(JsonResourceRestlet.java:63)
>  at org.restlet.routing.Filter.doHandle(Filter.java:159)
> at org.restlet.routing.Filter.handle(Filter.java:206)
> at org.restlet.routing.Router.doHandle(Router.java:500)
> at org.restlet.routing.Router.handle(Router.java:740)
> at org.restlet.routing.Filter.doHandle(Filter.java:159)
> at org.restlet.routing.Filter.handle(Filter.java:206)
> at org.restlet.routing.Filter.doHandle(Filter.java:159)
> at org.restlet.routing.Filter.handle(Filter.java:206)
> at org.restlet.routing.Filter.doHandle(Filter.java:159)
> at
> org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:155)
> at org.restlet.routing.Filter.handle(Filter.java:206)
> at org.restlet.routing.Filter.doHandle(Filter.java:159)
> at org.restlet.routing.Filter.handle(Filter.java:206)
> at org.restlet.engine.ChainHelper.handle(ChainHelper.java:114)
> at
> org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:75)
> at org.restlet.Application.handle(Application.java:391)
> at
> org.restlet.ext.servlet.ServletAdapter.service(ServletAdapter.java:206)
> at
> org.forgerock.restlet.RestletRouterServlet.service(RestletRouterServlet.java:140)
> at org.forgerock.openidm.restlet.Servlet.service(Servlet.java:246)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>  at java.lang.reflect.Method.invoke(Method.java:597)
> at
> org.ops4j.pax.web.service.internal.HttpServiceStarted$2.invoke(HttpServiceStarted.java:242)
>  at org.ops4j.pax.web.service.internal.$Proxy13.service(Unknown
> Source)
> at
> org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:598)
> at
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1367)
>  at
> org.forgerock.openidm.filter.AuthFilter.doFilter(AuthFilter.java:212)
> at
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1338)
>  at
> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:484)
> at
> org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:70)
>  at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
> at
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
> at
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
> at
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1065)
> at
> org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:140)
>  at
> org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:413)
> at
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:192)
> at
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:999)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
> at
> org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:74)
>  at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
> at org.eclipse.jetty.server.Server.handle(Server.java:350)
> at
> org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:454)
>  at
> org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:890)
>  at
> org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:944)
>  at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:630)
> at
> org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:230)
> at
> org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:77)
> at
> org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:620)
>  at
> org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:46)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:603)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:538)
> at java.lang.Thread.run(Thread.java:662)
> Caused by:
> org.identityconnectors.framework.common.exceptions.ConnectorException:
> objectGUID attribute has the wrong length (8). Should be 39 characters.
> at
> org.identityconnectors.ldap.LdapUtil.guidStringtoByteString(LdapUtil.java:589)
> at
> org.identityconnectors.ldap.search.LdapFilterTranslator.createContainsAllValuesFilter(LdapFilterTranslator.java:211)
>  at
> org.identityconnectors.ldap.search.LdapFilterTranslator.createEqualsExpression(LdapFilterTranslator.java:120)
>  at
> org.identityconnectors.ldap.search.LdapFilterTranslator.createEqualsExpression(LdapFilterTranslator.java:47)
>  at
> org.identityconnectors.framework.common.objects.filter.AbstractFilterTranslator.createLeafExpression(AbstractFilterTranslator.java:438)
>  at
> org.identityconnectors.framework.common.objects.filter.AbstractFilterTranslator.createLeafExpression(AbstractFilterTranslator.java:420)
>  at
> org.identityconnectors.framework.common.objects.filter.AbstractFilterTranslator.simplifyAndDistribute(AbstractFilterTranslator.java:301)
>  at
> org.identityconnectors.framework.common.objects.filter.AbstractFilterTranslator.translate(AbstractFilterTranslator.java:104)
>  at
> org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:123)
>  at
> org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:103)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>  at java.lang.reflect.Method.invoke(Method.java:597)
> at
> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:96)
>  at com.sun.proxy.$Proxy14.search(Unknown Source)
> at
> org.identityconnectors.framework.impl.api.local.operations.GetImpl.getObject(GetImpl.java:65)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>  at java.lang.reflect.Method.invoke(Method.java:597)
> at
> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:107)
>  at com.sun.proxy.$Proxy15.getObject(Unknown Source)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>  at java.lang.reflect.Method.invoke(Method.java:597)
> at
> org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:107)
>  at com.sun.proxy.$Proxy15.getObject(Unknown Source)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>  at java.lang.reflect.Method.invoke(Method.java:597)
> at
> org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:76)
> at com.sun.proxy.$Proxy15.getObject(Unknown Source)
> at
> org.identityconnectors.framework.impl.api.AbstractConnectorFacade.getObject(AbstractConnectorFacade.java:227)
>  at
> org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService.read(OpenICFProvisionerService.java:542)
>  at
> org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService.handle(OpenICFProvisionerService.java:363)
> ... 73 more
> 
> openidm conf :
> 
> cat provisioner.openicf-ad.json
> {
> "name" : "ad",
> "connectorRef" : {
> "connectorHostRef" : "#LOCAL",
> "bundleName" : "org.forgerock.openicf.connectors.ldap-connector",
> "bundleVersion" : "1.1.1.0-SNAPSHOT",
> "connectorName" : "org.identityconnectors.ldap.LdapConnector"
> },
> "poolConfigOption" : {
> "maxObjects" : 10,
> "maxIdle" : 10,
> "maxWait" : 150000,
> "minEvictableIdleTimeMillis" : 120000,
> "minIdle" : 1
> },
> "operationTimeout" : {
> "CREATE" : -1,
> "VALIDATE" : -1,
> "TEST" : -1,
> "SCRIPT_ON_CONNECTOR" : -1,
> "SCHEMA" : -1,
> "DELETE" : -1,
> "UPDATE" : -1,
> "SYNC" : -1,
> "AUTHENTICATE" : -1,
> "GET" : -1,
> "SCRIPT_ON_RESOURCE" : -1,
> "SEARCH" : -1
> },
> "configurationProperties" : {
> "accountSynchronizationFilter" : null,
> "passwordAttributeToSynchronize" : null,
> "synchronizePasswords" : false,
> "removeLogEntryObjectClassFromFilter" : true,
> "modifiersNamesToFilterOut" : [ ],
> "passwordDecryptionKey" : null,
> "changeLogBlockSize" : 100,
> "baseContextsToSynchronize" : [
> "ou=users,dc=example,dc=com"
> ],
> "attributesToSynchronize" : [ ],
> "changeNumberAttribute" : "changeNumber",
> "passwordDecryptionInitializationVector" : null,
> "filterWithOrInsteadOfAnd" : false,
> "objectClassesToSynchronize" : [
> "inetOrgPerson"
> ],
> "port" : 389,
> "vlvSortAttribute" : "uid",
> "passwordAttribute" : "unicodePwd",
> "useBlocks" : true,
> "maintainPosixGroupMembership" : false,
> "failover" : [ ],
> "ssl" : false,
> "principal" : "cn=sync,dc=example,dc=com",
> "baseContexts" : [
> "ou=users,dc=example,dc=com"
> ],
> "readSchema" : true,
> "accountObjectClasses" : [
> "top",
> "person",
> "organizationalPerson",
> "inetOrgPerson"
> ],
> "accountUserNameAttributes" : [
> "name",
> "objectGUID"
> ],
> "groupMemberAttribute" : "uniqueMember",
> "accountSearchFilter" : null,
> "passwordHashAlgorithm" : "WIN-AD",
> "usePagedResultControl" : true,
> "blockSize" : 100,
> "uidAttribute" : "objectGUID",
> "maintainLdapGroupMembership" : false,
> "respectResourcePasswordPolicyChangeAfterReset" : false
> },
> "objectTypes" : {
> "account" : {
> "$schema" : "http://json-schema.org/draft-03/schema",
> "id" : "account",
> "type" : "object",
> "nativeType" : "__ACCOUNT__",
> "properties" : {
> "cn" : {
> "type" : "string",
> "required" : true,
> "nativeName" : "cn",
> "nativeType" : "string"
> },
> "employeeNumber" : {
> "type" : "string",
> "nativeName" : "employeeNumber",
> "nativeType" : "string"
> },
> "mail" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "mail",
> "nativeType" : "string"
> },
> "postalAddress" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "postalAddress",
> "nativeType" : "string"
> },
> "objectClass" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "objectClass",
> "nativeType" : "string",
> "flags" : [
> "NOT_CREATABLE",
> "NOT_UPDATEABLE"
> ]
> },
> "description" : {
> "type" : "string",
> "nativeName" : "description",
> "nativeType" : "string"
> },
> "pager" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "pager",
> "nativeType" : "string"
> },
> "dn" : {
> "type" : "string",
> "required" : true,
> "nativeName" : "__NAME__",
> "nativeType" : "string"
> },
> "name" : {
> "type" : "string",
> "required" : true,
> "nativeName" : "name",
> "nativeType" : "string"
> },
> "l" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "l",
> "nativeType" : "string"
> },
> "street" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "street",
> "nativeType" : "string"
> },
> "postalCode" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "postalCode",
> "nativeType" : "string"
> },
> "st" : {
> "type" : "string",
> "nativeName" : "st",
> "nativeType" : "string"
> },
> "__PASSWORD__" : {
> "type" : "string",
> "nativeName" : "__PASSWORD__",
> "nativeType" : "JAVA_TYPE_GUARDEDSTRING",
> "flags" : [
> "NOT_RETURNED_BY_DEFAULT"
> ]
> },
> "sn" : {
> "type" : "string",
> "required" : true,
> "nativeName" : "sn",
> "nativeType" : "string"
> },
> "userPassword" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "JAVA_TYPE_BYTE_ARRAY"
> },
> "nativeName" : "userPassword",
> "nativeType" : "JAVA_TYPE_BYTE_ARRAY"
> },
> "mobile" : {
> "type" : "array",
> "items" : {
> "type" : "string",
> "nativeType" : "string"
> },
> "nativeName" : "mobile",
> "nativeType" : "string"
> },
> "givenName" : {
> "type" : "string",
> "nativeName" : "givenName",
> "nativeType" : "string"
> },
> "telephoneNumber" : {
> "type" : "string",
> "nativeName" : "telephoneNumber",
> "nativeType" : "string"
> },
> "initials" : {
> "type" : "string",
> "nativeName" : "initials",
> "nativeType" : "string"
> },
> "displayName" : {
> "type" : "string",
> "nativeName" : "displayName",
> "nativeType" : "string",
> "flags" : [
> "NOT_CREATABLE",
> "NOT_UPDATEABLE"
> ]
> },
> "info" : {
> "type" : "string",
> "nativeName" : "info",
> "nativeType" : "string"
> },
> "uSNChanged" : {
> "type" : "string",
> "nativeName" : "uSNChanged",
> "nativeType" : "string",
> "flags" : [
> "NOT_CREATABLE",
> "NOT_UPDATEABLE"
> ]
> },
> "uSNCreated" : {
> "type" : "string",
> "nativeName" : "uSNCreated",
> "nativeType" : "string",
> "flags" : [
> "NOT_CREATABLE",
> "NOT_UPDATEABLE"
> ]
> },
> "whenChanged" : {
> "type" : "string",
> "nativeName" : "whenChanged",
> "nativeType" : "string",
> "flags" : [
> "NOT_CREATABLE",
> "NOT_UPDATEABLE"
> ]
> },
> "whenCreated" : {
> "type" : "string",
> "nativeName" : "whenCreated",
> "nativeType" : "string",
> "flags" : [
> "NOT_CREATABLE",
> "NOT_UPDATEABLE"
> ]
> }
> }
> }
> },
> "operationOptions" : {
> "DELETE" : {
> "denied" : false,
> "onDeny" : "DO_NOTHING"
> },
> "UPDATE" : {
> "denied" : false,
> "onDeny" : "DO_NOTHING"
> },
> "CREATE" : {
> "denied" : false,
> "onDeny" : "DO_NOTHING"
> }
> }
> }
> 
> On Sat, Mar 30, 2013 at 9:29 PM, Gael Allioux <gael.allioux at forgerock.com>wrote:
> 
> > Brett,
> > 
> > make sure you get the latest build of the LDAP connector.
> > http://builds.forgerock.org/job/OpenICF%20-%20Ldap%20Connector/
> > 
> > It contains the last improvements made to make the connector more "AD
> > friendly":
> > https://bugster.forgerock.org/jira/browse/OPENICF-99
> > https://bugster.forgerock.org/jira/browse/OPENICF-97 (next week)
> > https://bugster.forgerock.org/jira/browse/OPENICF-95
> > https://bugster.forgerock.org/jira/browse/OPENICF-91
> > https://bugster.forgerock.org/jira/browse/OPENICF-43
> > 
> > and check the attached file which is an LDAP connector config
> > file sample to work with AD.
> > 
> > Gael
> > 
> > 
> > On 03/30/2013 03:48 AM, Brett @Google wrote:
> > 
> > Hi Gael,
> > 
> > What is the nativeType of objectGUID ?
> > 
> > (I used "JAVA_TYPE_BYTE_ARRAY" -> this gives "objectGUID":
> > "\u0002e\ufffd-\ufffd)\ufffdC\ufffdZ\ufffd\ufffd\ufffdz\ufffd\ufffd", )
> > which looked a little odd:
> > 
> > A sync based on "name" as uidAttribute below gives :
> > 
> > INFO: Reconciliation completed. SOURCE_IGNORED: 0 MISSING: 0 FOUND: 0
> > AMBIGUOUS: 0 UNQUALIFIED: 0 CONFIRMED: 0 SOURCE_MISSING: 0 ABSENT: 100
> > TARGET_IGNORED: 0 UNASSIGNED: 3
> > 
> > The 3 unassigned are the users I made manually in a native ADAM mode AD
> > I created (these are users whose attributes I wish to update).
> > 
> > Out of curiosity, I tried running CREATE for the ABSENT users above,
> > but I got a weird error:
> > 
> > Caused by: javax.naming.InvalidNameException:
> > cn=user.57,ou=users,dc=example,dc=com: [LDAP: error code 34 - 00002081:
> > NameErr: DSID-03050B94, problem 2003 (BAD_ATT_SYNTAX), data 0, best match
> > of:
> > 'cn=user.57,ou=users,dc=example,dc=com'
> > ^@]; remaining name 'cn=user.57,ou=users,dc=example,dc=com'
> > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3005)
> > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
> > at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:791)
> > at
> > com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
> >  at
> > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
> >  at
> > javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:183)
> >  at
> > org.identityconnectors.ldap.schema.LdapSchemaMapping.create(LdapSchemaMapping.java:310)
> >  
> > This looks like garbage (encoding?) characters in the DN. Other errors
> > I have got in the past relate to attribute syntax, but it is not apparent
> > which attribute it is complaining about.
> > 
> > My current configs are :
> > 
> > cat provisioner.openicf-ad.json
> > {
> > "name" : "ad",
> > "connectorRef" : {
> > "bundleName" : "org.forgerock.openicf.connectors.ldap-connector",
> > "bundleVersion" : "1.1.0.1",
> > "connectorName" : "org.identityconnectors.ldap.LdapConnector"
> > },
> > "poolConfigOption" : {
> > "maxObjects" : 10,
> > "maxIdle" : 10,
> > "maxWait" : 150000,
> > "minEvictableIdleTimeMillis" : 120000,
> > "minIdle" : 1
> > },
> > "operationTimeout" : {
> > "CREATE" : -1,
> > "VALIDATE" : -1,
> > "TEST" : -1,
> > "SCRIPT_ON_CONNECTOR" : -1,
> > "SCHEMA" : -1,
> > "DELETE" : -1,
> > "UPDATE" : -1,
> > "SYNC" : -1,
> > "AUTHENTICATE" : -1,
> > "GET" : -1,
> > "SCRIPT_ON_RESOURCE" : -1,
> > "SEARCH" : -1
> > },
> > "configurationProperties" : {
> > "accountSynchronizationFilter" : null,
> > "passwordAttributeToSynchronize" : null,
> > "synchronizePasswords" : false,
> > "removeLogEntryObjectClassFromFilter" : true,
> > "modifiersNamesToFilterOut" : [ ],
> > "passwordDecryptionKey" : null,
> > "changeLogBlockSize" : 100,
> > "baseContextsToSynchronize" : [ ],
> > "attributesToSynchronize" : [ ],
> > "changeNumberAttribute" : "changeNumber",
> > "passwordDecryptionInitializationVector" : null,
> > "filterWithOrInsteadOfAnd" : false,
> > "objectClassesToSynchronize" : [
> > "inetOrgPerson"
> > ],
> > "port" : 389,
> > "vlvSortAttribute" : "uid",
> > "passwordAttribute" : "userPassword",
> > "useBlocks" : true,
> > "maintainPosixGroupMembership" : false,
> > "failover" : [ ],
> > "ssl" : false,
> > "principal" : "cn=sync,dc=example,dc=com",
> > "baseContexts" : [
> > "ou=users,dc=example,dc=com"
> > ],
> > "readSchema" : true,
> > "accountObjectClasses" : [
> > "top",
> > "person",
> > "organizationalPerson",
> > "inetOrgPerson"
> > ],
> > "accountUserNameAttributes" : [
> > "name"
> > ],
> > "groupMemberAttribute" : "uniqueMember",
> > "accountSearchFilter" : null,
> > "passwordHashAlgorithm" : null,
> > "usePagedResultControl" : true,
> > "blockSize" : 100,
> > "uidAttribute" : "name",
> > "maintainLdapGroupMembership" : false,
> > "respectResourcePasswordPolicyChangeAfterReset" : false
> > },
> > "objectTypes" : {
> > "account" : {
> > "$schema" : "http://json-schema.org/draft-03/schema",
> > "id" : "account",
> > "type" : "object",
> > "nativeType" : "__ACCOUNT__",
> > "properties" : {
> > "cn" : {
> > "type" : "string",
> > "required" : true,
> > "nativeName" : "cn",
> > "nativeType" : "string"
> > },
> > "objectGUID" : {
> > "type" : "string",
> > "required" : true,
> > "nativeName" : "objectGUID",
> > "nativeType" : "JAVA_TYPE_BYTE_ARRAY",
> > "flags" : [
> > "NOT_CREATABLE",
> > "NOT_UPDATEABLE"
> > ]
> > },
> > "employeeNumber" : {
> > "type" : "string",
> > "nativeName" : "employeeNumber",
> > "nativeType" : "string"
> > },
> > "mail" : {
> > "type" : "array",
> > "items" : {
> > "type" : "string",
> > "nativeType" : "string"
> > },
> > "nativeName" : "mail",
> > "nativeType" : "string"
> > },
> > "postalAddress" : {
> > "type" : "array",
> > "items" : {
> > "type" : "string",
> > "nativeType" : "string"
> > },
> > "nativeName" : "postalAddress",
> > "nativeType" : "string"
> > },
> > "objectClass" : {
> > "type" : "array",
> > "items" : {
> > "type" : "string",
> > "nativeType" : "string"
> > },
> > "nativeName" : "objectClass",
> > "nativeType" : "string",
> > "flags" : [
> > "NOT_CREATABLE",
> > "NOT_UPDATEABLE"
> > ]
> > },
> > "description" : {
> > "type" : "string",
> > "nativeName" : "description",
> > "nativeType" : "string"
> > },
> > "pager" : {
> > "type" : "array",
> > "items" : {
> > "type" : "string",
> > "nativeType" : "string"
> > },
> > "nativeName" : "pager",
> > "nativeType" : "string"
> > },
> > "dn" : {
> > "type" : "string",
> > "required" : true,
> > "nativeName" : "__NAME__",
> > "nativeType" : "string"
> > },
> > "name" : {
> > "type" : "string",
> > "required" : true,
> > "nativeName" : "name",
> > "nativeType" : "string"
> > },
> > "l" : {
> > "type" : "array",
> > "items" : {
> > "type" : "string",
> > "nativeType" : "string"
> > },
> > "nativeName" : "l",
> > "nativeType" : "string"
> > },
> > "street" : {
> > "type" : "array",
> > "items" : {
> > "type" : "string",
> > "nativeType" : "string"
> > },
> > "nativeName" : "street",
> > "nativeType" : "string"
> > },
> > "postalCode" : {
> > "type" : "array",
> > "items" : {
> > "type" : "string",
> > "nativeType" : "string"
> > },
> > "nativeName" : "postalCode",
> > "nativeType" : "string"
> > },
> > "st" : {
> > "type" : "string",
> > "nativeName" : "st",
> > "nativeType" : "string"
> > },
> > "__PASSWORD__" : {
> > "type" : "string",
> > "nativeName" : "__PASSWORD__",
> > "nativeType" : "JAVA_TYPE_GUARDEDSTRING",
> > "flags" : [
> > "NOT_RETURNED_BY_DEFAULT"
> > ]
> > },
> > "sn" : {
> > "type" : "string",
> > "required" : true,
> > "nativeName" : "sn",
> > "nativeType" : "string"
> > },
> > "userPassword" : {
> > "type" : "array",
> > "items" : {
> > "type" : "string",
> > "nativeType" : "JAVA_TYPE_BYTE_ARRAY"
> > },
> > "nativeName" : "userPassword",
> > "nativeType" : "JAVA_TYPE_BYTE_ARRAY"
> > },
> > "mobile" : {
> > "type" : "array",
> > "items" : {
> > "type" : "string",
> > "nativeType" : "string"
> > },
> > "nativeName" : "mobile",
> > "nativeType" : "string"
> > },
> > "givenName" : {
> > "type" : "string",
> > "nativeName" : "givenName",
> > "nativeType" : "string"
> > },
> > "telephoneNumber" : {
> > "type" : "string",
> > "nativeName" : "telephoneNumber",
> > "nativeType" : "string"
> > },
> > "initials" : {
> > "type" : "string",
> > "nativeName" : "initials",
> > "nativeType" : "string"
> > }
> > }
> > }
> > },
> > "operationOptions" : {
> > "DELETE" : {
> > "denied" : false,
> > "onDeny" : "DO_NOTHING"
> > },
> > "UPDATE" : {
> > "denied" : false,
> > "onDeny" : "DO_NOTHING"
> > },
> > "CREATE" : {
> > "denied" : false,
> > "onDeny" : "DO_NOTHING"
> > }
> > }
> > }
> > 
> > cat sync.json
> > 
> > {
> > "mappings" : [
> > {
> > "name" : "systemLdapAccounts_managedUser",
> > "source" : "system/opendj/account",
> > "sourceIdsCaseSensitive" : false,
> > "target" : "managed/user",
> > "properties" : [
> > {
> > "source" : "cn",
> > "target" : "displayName"
> > },
> > {
> > "source" : "description",
> > "target" : "description"
> > },
> > {
> > "source" : "givenName",
> > "target" : "givenName"
> > },
> > {
> > "source" : "mail",
> > "target" : "email"
> > },
> > {
> > "source" : "sn",
> > "target" : "familyName"
> > },
> > {
> > "source" : "uid",
> > "target" : "userName"
> > }
> > ],
> > "policies" : [
> > {
> > "situation" : "CONFIRMED",
> > "action" : "UPDATE"
> > },
> > {
> > "situation" : "FOUND",
> > "action" : "IGNORE"
> > },
> > {
> > "situation" : "ABSENT",
> > "action" : "CREATE"
> > },
> > {
> > "situation" : "AMBIGUOUS",
> > "action" : "IGNORE"
> > },
> > {
> > "situation" : "MISSING",
> > "action" : "IGNORE"
> > },
> > {
> > "situation" : "SOURCE_MISSING",
> > "action" : "DELETE"
> > },
> > {
> > "situation" : "UNQUALIFIED",
> > "action" : "DELETE"
> > },
> > {
> > "situation" : "UNASSIGNED",
> > "action" : "IGNORE"
> > }
> > ]
> > },
> > {
> > "name" : "managedUser_systemADAccounts",
> > "source" : "managed/user",
> > "target" : "system/ad/account",
> > "targetIdsCaseSensitive" : false,
> > "properties" : [
> > {
> > "source" : "userName",
> > "target" : "name"
> > },
> > {
> > "source" : "givenName",
> > "target" : "givenName"
> > },
> > {
> > "source" : "familyName",
> > "target" : "sn"
> > },
> > {
> > "source" : "displayName",
> > "target" : "cn"
> > },
> > {
> > "source" : "userName",
> > "target" : "name"
> > },
> > {
> > "source" : "description",
> > "target" : "description"
> > },
> > {
> > "source" : "email",
> > "target" : "mail"
> > }
> > ],
> > "onCreate" : {
> > "type" : "text/javascript",
> > "source" : "target.dn = 'cn=' + source.userName +
> > ',ou=users,dc=example,dc=com';"
> > },
> > "policies" : [
> > {
> > "situation" : "CONFIRMED",
> > "action" : "UPDATE"
> > },
> > {
> > "situation" : "FOUND",
> > "action" : "UPDATE"
> > },
> > {
> > "situation" : "ABSENT",
> > "action" : "IGNORE"
> > },
> > {
> > "situation" : "AMBIGUOUS",
> > "action" : "IGNORE"
> > },
> > {
> > "situation" : "MISSING",
> > "action" : "IGNORE"
> > },
> > {
> > "situation" : "SOURCE_MISSING",
> > "action" : "IGNORE"
> > },
> > {
> > "situation" : "UNQUALIFIED",
> > "action" : "IGNORE"
> > },
> > {
> > "situation" : "UNASSIGNED",
> > "action" : "IGNORE"
> > }
> > ]
> > }
> > ]
> > }
> > 
> > a test query of an ad user :
> > 
> > ../../scripts/system_ad_get-account.sh user.111
> > {
> > "_id": "user.111",
> > "cn": "user.111",
> > "description": null,
> > "dn": "CN=user.111,ou=users,dc=example,dc=com",
> > "employeeNumber": null,
> > "givenName": null,
> > "initials": null,
> > "l": [],
> > "mail": [],
> > "mobile": [],
> > "name": "user.111",
> > "objectClass": [
> > "top",
> > "person",
> > "organizationalPerson",
> > "user",
> > "inetOrgPerson"
> > ],
> > "objectGUID":
> > "\u0002e\ufffd-\ufffd)\ufffdC\ufffdZ\ufffd\ufffd\ufffdz\ufffd\ufffd",
> > "pager": [],
> > "postalAddress": [],
> > "postalCode": [],
> > "sn": null,
> > "st": null,
> > "street": [],
> > "telephoneNumber": null,
> > "userPassword": []
> > }
> > 
> > 
> > 
> > On Thu, Mar 28, 2013 at 5:43 PM, Gael Allioux <gael.allioux at forgerock.com
> > > wrote:
> > 
> > > Hi Brett,
> > > 
> > > thanks for the explanation.
> > > I'm still curious about your configuration...
> > > Could you send me your two provisioner-*.json files, sync.json and
> > > correlation query scripts?
> > > 
> > > You are using the LDAP connector to connect to AD right?
> > > Do you use samaccountname as the id attribute?
> > > 
> > > Have you seen this?
> > > https://bugster.forgerock.org/jira/browse/OPENICF-95
> > > 
> > > 
> > > Gael
> > > 
> > > 
> > > 
> > > 
> > > On 03/28/2013 04:22 AM, Brett @Google wrote:
> > > 
> > > Hi Gael,
> > > 
> > > Sorry for not explaining myself clearly. I am trying to sync LDAP -> IDM
> > > -> AD.
> > > 
> > > LDAP is our web directory for end users, AD is our domain controller for
> > > windows desktops.
> > > 
> > > The use case is to synchronize our authoritative web directory, to fill
> > > in missing details in our AD domain controller, which is only updatable by
> > > admins, and not regular desktop users. The attributes in AD can be very
> > > old and/or inaccurate, as they are in the worst case only updated when a
> > > user is originally added to the domain controller.
> > > 
> > > The data synced from LDAP <--> IDM is authoritative (and is
> > > bidirectional, using the same links for both directions, with a .js
> > > correlation query), but the intent of sending from IDM to AD is presently
> > > only a single direction push from IDM to AD, not creating LDAP users in AD,
> > > just synchronizing some attributes from IDM to AD, where pre-existing users
> > > are FOUND or CONFIRMED.
> > > 
> > > I imagine in a green fields deployment, users created by IDM in AD
> > > (MISSING state, then CREATE action) the case would match, and all subsequent
> > > syncs would match users (FOUND state, and then UPDATE action). In this
> > > case the users exist, using a different case, so trying to create an "auser"
> > > AD account where there is already an "Auser" AD account would fail in any
> > > case. In the current deployment, the MISSING state is IGNORE, as all the
> > > users already exist.
> > > 
> > > The LDAP has mostly lower case uid attribute values, the AD has mixed
> > > case sAMAccountName attribute values.
> > > 
> > > If compared without case sensitivity, userName(IDM) and
> > > sAMAccountName(AD) attributes would match users from IDM -> AD. The
> > > userName(IDM) values have previously been provisioned from the uid(LDAP)
> > > attribute, transformed to lower case during sync.
> > > 
> > > There are no links created for the IDM -> AD mapping, as the users in AD
> > > are not FOUND or CONFIRMED by recon, the users expected to sync are all
> > > therefore in the IGNORE state, as the _id's IDM->AD don't match case.
> > > 
> > > The sync from LDAP -> IDM is ok, and the userName values in IDM are all
> > > lower case, as they are provisioned from the LDAP (transformed to lower
> > > case in this mapping - below), which is the authoritative source of user
> > > data.
> > > 
> > > The links for the LDAP -> IDM mapping are in all lower case, even the
> > > one user which has mixed native case in the LDAP. The AD has the same user
> > > names, but using different cases.
> > > 
> > > The case sensitivity options are in docs version 2.1.0 :
> > > 
> > > 
> > > http://docs.forgerock.org/en/openidm/2.1.0/integrators-guide/index.html#case-sensitivity
> > >  
> > > I think that there is a bug called
> > > OPENIDM-456 <https://bugster.forgerock.org/jira/browse/OPENIDM-456>, and this
> > > fix is targeted at 2.2, and not the 2.1 branch which I am using.
> > > So maybe these case sensitivity options are not fully functional yet in
> > > 2.1.x branch ?
> > > 
> > > I have tried using a scripts/adCorrelationQuery.js (when syncing IDM -->
> > > AD)
> > > 
> > > var srcvalue = source.userName;
> > > var srcarray = [srcvalue];
> > > var map = {"query": { "Equals": {"field" : "sAMAccountName", "values" :
> > > srcarray}}};
> > > map;
> > > 
> > > This is basically the default anyway, and does not let me convert lower
> > > case of the target UID's, so does not help.
> > > 
> > > I have tried these transforms of the _id property in sync.json (LDAP -> IDM)
> > > 
> > > {
> > > "source" : "uid",
> > > "target" : "_id",
> > > "transform" : {
> > > "type" : "text/javascript",
> > > "source" : "source.toLowerCase()"
> > > }
> > > },
> > > {
> > > "source" : "uid",
> > > "transform" : {
> > > "type" : "text/javascript",
> > > "source" : "source.toLowerCase()"
> > > },
> > > "target" : "userName"
> > > },
> > > 
> > > This does not work for _id. With the above in my sync.json, the value in
> > > _id is unaffected, but the value in userName is successfully changed to
> > > lower case (I put in a test LDAP user with mixed case). So I'm assuming the
> > > _id values are retrieved before the recon is called, and therefore can't be
> > > changed by sync.json?
> > > 
> > > I am guessing that the native, unmodified case is used when matching the
> > > IDM(userName) and AD(sAMAccountName) before it makes the decision to
> > > "UPDATE" using sync.json.
> > > 
> > > The LDAP provisioner has :
> > > 
> > > "accountUserNameAttributes" : [
> > > "uid"
> > > ]
> > > 
> > > The AD provisioner has :
> > > 
> > > "accountUserNameAttributes" : [
> > > "sAMAccountName"
> > > ]
> > > 
> > > I will try to demonstrate this weekend with two simple OpenDJ instances,
> > > but I think there are some fundamental differences between a real AD and an
> > > OpenDJ test installation made to look like an AD.
> > > 
> > > Cheers
> > > Brett
> > > 
> > > On Thu, Mar 28, 2013 at 12:13 AM, Gael Allioux <
> > > gael.allioux at forgerock.com> wrote:
> > > 
> > > > Hi Brett,
> > > > 
> > > > I'd like to help you... but your email is very confusing.
> > > > I read it 3 times and I still don't understand what you're trying to
> > > > achieve and what is your problem.
> > > > 
> > > > Could you provide diagrams and use cases?
> > > > What are you trying to do?
> > > > AD=>IDM=>LDAP sync?
> > > > 
> > > > regards,
> > > > Gael
> > > > 
> > > > 
> > > > On 03/27/2013 09:02 AM, Brett @Google wrote:
> > > > 
> > > > Hello,
> > > > 
> > > > I am reconciling the managed data source to an AD server using the
> > > > LDAP connector, using the openidm 2.1 branch (I also tried 2.0.3: same problem).
> > > > 
> > > > I have managed users with lower case, syncing against an ldap
> > > > destination with mixed case AD ldap.
> > > > 
> > > > The _id column on (ldap) side exists like :
> > > > 
> > > > {"__NAME__":"uid=someguy,ou=People,dc=example,dc=com","_id":"someguy"}
> > > > 
> > > > And on the other (ad) side differs only by case, like :
> > > > 
> > > > {"__NAME__":"uid=someGUY,ou=People,dc=someother,dc=com","_id":"someGUY"}
> > > > 
> > > > These entries represent the same person, as both the original source
> > > > from which the managed users were synced, and the base DNs to which I wish
> > > > to sync, are aliases for the same thing. Basically there is an LDAP server
> > > > and an AD server that represent the same collection of users, but have
> > > > different base DNs and case conventions. Both systems record the case they
> > > > are given, but perform case-insensitive LDAP searches.
> > > > 
> > > > Queries /openidm/system/ldap/account/someguy and
> > > > /openidm/system/ad/account/someGUY with correct case work from their
> > > > respective providers, but not if the case differs from the native case,
> > > > which I expect. But how to get openidm to ignore case differences in _id for
> > > > the case of initial reconciliation?
> > > > 
> > > > I have tried the new 2.1 case insensitivity for finding links, and I
> > > > presume it will work, but for now the users come up as UNASSIGN or ABSENT;
> > > > the number of entries that come up as ABSENT matches the object count for the
> > > > managedUsers table. For the link to be established they need to come up
> > > > as CONFIRMED or FOUND, which have both been set to policy UPDATE;
> > > > ABSENT is set to IGNORE as I only wish to sync attribute data, not
> > > > add/create objects.
> > > > 
> > > > I think maybe :
> > > > 
> > > > 1. there is some brokenness in the connector, as AD does not have
> > > > entryDN as an attribute, which I saw coded in a few places in 2.0.3, at
> > > > least.
> > > > 
> > > > 2. the attributes are all returned in native case, and then compared
> > > > case-sensitively, as if I query (sAMAccountName=sOmeGuy) or
> > > > (sAMAccountName=someguy) using LDAP it works just the same, as
> > > > sAMAccountName is case insensitive when used in an actual LDAP query.
> > > > 
> > > > Any thoughts anyone ?
> > > > 
> > > > Also the openidm examples always use entryUUID for "uidAttribute" in
> > > > the provider, and AD has no such attribute that I can see (AD uses
> > > > distinguishedName).
> > > > 
> > > > This is using jdbc repository with mysql, openidm 2.1 branch, java 1.6.x
> > > > 
> > > > I'm pretty sure the problem is to get openidm to ignore case when
> > > > matching the UIDs during initial reconciliation, but I can't see a way of
> > > > doing that..
> > > > 
> > > > Cheers
> > > > Brett
> > > > 
> > > > --
> > > > Whenever you find yourself on the side of the majority, it is time to
> > > > pause and reflect.
> > > > 
> > > > - Mark Twain
> > > > 
> > > > 
> > > > 
> > > > _______________________________________________
> > > > OpenIDM mailing list
> > > > OpenIDM at forgerock.org
> > > > https://lists.forgerock.org/mailman/listinfo/openidm
> > > > 
> > > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 
> 
> 
> 
> 
> 


-- 
Whenever you find yourself on the side of the majority, it is time to pause
and reflect.

- Mark Twain
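The whole thread turns on two things: recon classifying users as ABSENT/UNASSIGNED instead of FOUND because the _id values differ only in case, and linking on objectGUID instead of name so that the link key is not subject to case at all. The following is an added example, not code from the thread, from OpenIDM or from the OpenICF LDAP connector: a deliberately simplified model of situation assignment (the situation names are OpenIDM's, the classifier is a toy) together with a decoder that turns the 16 raw objectGUID bytes, which the connector shows as the garbled string quoted above, into the canonical GUID text and into an RFC 4515 LDAP filter value. The sample users, the `m1`/`m2` ids and the all-zero-to-fifteen GUID are constructed for the demo; `assessSituations`, `correlate`, `guidToString` and `guidToLdapFilterValue` are hypothetical names, not OpenIDM APIs.

```javascript
// Added example (not OpenIDM or OpenICF code): a deliberately simplified
// model of how recon assigns situations, to show why ids differing only
// in case come back as ABSENT/UNASSIGNED under case-sensitive comparison,
// and why a link whose target id is the decoded objectGUID is stable.
// Situation names follow OpenIDM's vocabulary; the classifier is a toy.

// Render the 16 raw bytes of an AD objectGUID in canonical text form.
// AD stores the first three fields little-endian and the last two
// big-endian, so the byte order is swapped field by field.
function guidToString(bytes) {
  if (bytes.length !== 16) throw new Error('objectGUID must be 16 bytes');
  const hex = (b) => b.toString(16).padStart(2, '0');
  const le = (a) => Array.from(a).reverse().map(hex).join('');
  const be = (a) => Array.from(a).map(hex).join('');
  return [le(bytes.slice(0, 4)), le(bytes.slice(4, 6)), le(bytes.slice(6, 8)),
          be(bytes.slice(8, 10)), be(bytes.slice(10, 16))].join('-');
}

// The same GUID as an LDAP filter value with RFC 4515 byte escaping,
// e.g. (objectGUID=\00\01...\0f); the raw byte order is kept here.
function guidToLdapFilterValue(bytes) {
  return Array.from(bytes).map((b) => '\\' + b.toString(16).padStart(2, '0')).join('');
}

const norm = (s, caseSensitive) => (caseSensitive ? s : s.toLowerCase());

// Correlate one managed user against AD entries on userName vs name.
function correlate(source, targets, caseSensitive) {
  return targets.filter((t) => norm(t.name, caseSensitive) === norm(source.userName, caseSensitive));
}

// links: [{sourceId, targetId}]. targetId is whatever the target
// uidAttribute yields: the name, or the decoded objectGUID string.
function assessSituations(sources, targets, links, caseSensitive) {
  const targetId = (t) => (t.objectGUID ? guidToString(t.objectGUID) : t._id);
  const out = { CONFIRMED: [], MISSING: [], FOUND: [], AMBIGUOUS: [], ABSENT: [], UNASSIGNED: [] };
  const claimed = new Set();
  for (const s of sources) {
    const link = links.find((l) => l.sourceId === s._id);
    if (link) {
      // Linked: the target is looked up by the stored target id only.
      const t = targets.find((x) => norm(targetId(x), caseSensitive) === norm(link.targetId, caseSensitive));
      if (t) { out.CONFIRMED.push(s.userName); claimed.add(t._id); } else out.MISSING.push(s.userName);
      continue;
    }
    // Unlinked: fall back to the correlation query.
    const hits = correlate(s, targets, caseSensitive);
    if (hits.length === 1) { out.FOUND.push(s.userName); claimed.add(hits[0]._id); }
    else if (hits.length > 1) out.AMBIGUOUS.push(s.userName);
    else out.ABSENT.push(s.userName);
  }
  for (const t of targets) if (!claimed.has(t._id)) out.UNASSIGNED.push(t._id);
  return out;
}

// Constructed sample data, not from the thread: lower-case managed
// userName, mixed-case AD name, one AD-only user, one IDM-only user.
const SAMPLE_GUID = Uint8Array.from([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]);
const sources = [{ _id: 'm1', userName: 'someguy' }, { _id: 'm2', userName: 'newuser' }];
const targets = [
  { _id: 'someGUY', name: 'someGUY', objectGUID: SAMPLE_GUID },
  { _id: 'Orphan', name: 'Orphan', objectGUID: Uint8Array.from(new Array(16).fill(0xab)) },
];

function demo() {
  // First recon, no links yet: case-sensitive vs case-insensitive matching.
  const strict = assessSituations(sources, targets, [], true);
  const loose = assessSituations(sources, targets, [], false);
  // Second recon with a link keyed on the GUID: the AD entry has been
  // renamed to upper case, yet the link still resolves to CONFIRMED.
  const renamed = [Object.assign({}, targets[0], { _id: 'SOMEGUY', name: 'SOMEGUY' }), targets[1]];
  const linked = assessSituations(sources, renamed, [{ sourceId: 'm1', targetId: guidToString(SAMPLE_GUID) }], true);
  return { strict, loose, linked };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it reproduces the symptom from the first message (`strict` puts both managed users in ABSENT and both AD users in UNASSIGNED), shows the FOUND result once the comparison ignores case (`loose`), and shows that a link keyed on the decoded GUID still yields CONFIRMED after the AD name changes case. Two cautions the posted configs themselves raise: both provisioner files bind with `"ssl" : false` on port 389, and AD only accepts a `unicodePwd` write over a TLS-protected connection, so password provisioning to a real AD needs `ssl` on; and the `onCreate` script builds the DN by concatenating `source.userName`, so a userName containing DN-special characters (comma, plus, quotes, backslash) must be RFC 4514-escaped before it is used there.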


