
Groups like members of group by ldap

utente
Giga Expert

Hi All,

I need to import from LDAP some groups which contain, within them, other groups of users.

I have noted that the function ldapUtils.addMembers(source, target) imports only the users as members but excludes the groups.

So, I have checked inside the script LDAPUtils and I have found this:

    addMembers : function(source, target) {
        // 'source' is the LDAP entry; this.members names the LDAP member attribute
        var ge = source.getElement(this.members);
        var geString = null;
        if (ge && !ge.isNil()) {
            this._log(ge.toString());
            geString = ge.toString();   // the raw list of member DNs
        }
        // hand the DN list to the platform, which resolves users and sets them as members
        var group = new GlideLDAPGroups(target, geString);
        group.setMembers();
    },

I think it works like this:

the variable ge will contain a big string (read from LDAP, field: member) that contains a list of users and groups identified by their LDAP path.

At the end of the script there is group.setMembers(), which I think proceeds to read the big string, identifying the objects inside and adding the members to the group.

Now, is it possible to extend the process to allow it to add the groups as well as the users?

1 ACCEPTED SOLUTION

TrevorK
Kilo Sage

We do some imports similar to what you are asking, however we are not nesting groups.

In our case we just do a weekly sync of two specific groups. There is a "member" field, within this field is a list of users separated by the character ^. What we do is create an array from this, splitting on the ^ symbol. This gives you each member. We then perform the logic we need based on each member.

Unfortunately the holdback I see is that each member is identified by their distinguished name (e.g. CN=ROBERTO,OU=Senior,OU=Engineers,OU=Staff,OU=Accounts,DC=google,DC=ca). This is where the challenge is that I see - you will need to then compare each of these members individually to determine if they are a group or user (possibly against your user record). Of course if you had a strict / reliable AD structure your OU might tell you if it's a group, but that can be problematic.

Because what you are asking for returns the list of members as stated above, I think the challenge is more in how you will differentiate between groups and users from this list, because in my instance I am only seeing the distinguished name.

Sorry I can't add a group to our list to test - we don't have a development AD environment so I cannot add a group and go any further. However I think the above is enough to get you started with syncing the members, at which point your challenge is just how you want to logically determine if it's a group or user (and a couple of ways are above).



7 REPLIES



utente
Giga Expert

Hi,

I have created a new "LDAP OU Definition".

This new object triggers this filter in LDAP:

(memberOf:1.2.840.113556.1.4.1941:=CN=<GroupName>,OU=Groups,OU=Domain Objects,DC=prv)

That filter responds with a list of all users that are part of the group indicated in it, traversing all intermediate groups.

So now I can execute a script to add each single person to the group.



    // DN of the group whose (transitive) members were returned by the filter above
    var ge = 'CN=<GroupName>,OU=Groups,OU=Domain Objects,DC=prv';
    var groups = new GlideLDAPGroups();
    // 'target' is the group record being imported; processGroups adds the resolved users to it
    groups.processGroups(target.sys_id.toString(), ge.toString());
    return;




After the script finishes, my group is populated with all users.

But now I need to execute something that clears all users from the group before inserting the new users.

Do you have any idea?


So it sounds like you have worked out the ability to populate a group with all the users, which is great!

Now it seems your problem is how you insert these users into an existing group, where the users themselves may already exist in that group. Then of course, how to clean up users in your existing group who are no longer in the AD group.

There are a couple of different ways to do this:

a) The easiest way is, before you populate the group, to remove all group membership (query for all members of the group, delete all those records, then populate all the new). This is the least technical way to do this, and obviously if you have auditing turned on, it will generate many more wasted audit entries / deleted records than is required.

b) Before adding a user, look at the group membership (you could store it in an array at the beginning); if the user exists in the group membership, do not add. Then have a cleanup job at the end (onComplete transform script) that takes the "new" group membership from Active Directory and compares it to the "old" group membership you maintain. Anyone who is in the "old" but not the "new" should be removed. This is a more technical way but also ensures that you do not remove everyone needlessly. I would even go as far as to say this method is more "proper" in terms of good programming. You could also do this as a "post import script" on a scheduled data import.

We have done both (we do a lot of manual integrations to avoid buying the tools) and now we have moved towards (b) only. It is more technical, requires more work, but at the end of the day is not difficult to write and avoids unforeseen problems such as removing everyone from a group, then the load not working, leaving the group completely empty.

Hope that helps. Any questions let me know!
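As an added example in plain JavaScript (not code from this thread or from ServiceNow), this puts together the ^-split and DN classification from the first reply and the differential add/remove of option (b) above, including the guard against an empty LDAP result that Trevor warns about. It assumes a lookup of known user DNs taken from the user records and uses constructed sample DNs; writing the adds and removes to the membership table is left to the caller.

```javascript
// Added example, not code from this thread or ServiceNow's LDAPUtils: a differential sync
// (Trevor's option b) of a group against the '^'-separated LDAP "member" string. ES5 style
// so it would also run in a transform script; the real inserts/deletes are left to the caller.
// Case-insensitive lookup object built from a list of DNs (ES5 stand-in for Set).
function toLookup(dns) {
  var lookup = {};
  for (var i = 0; i < dns.length; i++) lookup[dns[i].toLowerCase()] = true;
  return lookup;
}

// Split the raw member field on '^' and drop blank entries.
function parseMemberField(memberField) {
  return memberField.split('^').map(function (dn) { return dn.trim(); })
    .filter(function (dn) { return dn.length > 0; });
}

// Classify DNs by matching them against known user DNs (assumption: a DN column on
// the user record) rather than by OU path, which Trevor notes can be unreliable.
function classifyMembers(dns, userDnLookup) {
  var out = { users: [], others: [] };
  for (var i = 0; i < dns.length; i++) {
    (userDnLookup[dns[i].toLowerCase()] ? out.users : out.others).push(dns[i]);
  }
  return out;
}

// Differential update. An empty new list (e.g. the LDAP read failed) removes nobody,
// so a broken load cannot leave the group empty, the failure Trevor describes.
function diffMembership(oldMembers, newMembers) {
  if (newMembers.length === 0) return { toAdd: [], toRemove: [], skipped: true };
  var oldL = toLookup(oldMembers), newL = toLookup(newMembers);
  return {
    toAdd: newMembers.filter(function (d) { return !oldL[d.toLowerCase()]; }),
    toRemove: oldMembers.filter(function (d) { return !newL[d.toLowerCase()]; }),
    skipped: false
  };
}

// Constructed sample data, not real directory content.
var SAMPLE_MEMBER_FIELD = 'CN=ROBERTO,OU=Staff,DC=example,DC=com^' +
  'CN=ALICE,OU=Staff,DC=example,DC=com^CN=Engineers,OU=Groups,DC=example,DC=com';
var KNOWN_USER_DNS = toLookup(['CN=Roberto,OU=Staff,DC=example,DC=com',
  'CN=Alice,OU=Staff,DC=example,DC=com', 'CN=Bob,OU=Staff,DC=example,DC=com']);
var CURRENT_GROUP = ['CN=ROBERTO,OU=Staff,DC=example,DC=com', 'CN=BOB,OU=Staff,DC=example,DC=com'];

// Full pipeline on the sample: parse, classify, then diff only the user DNs.
function runSample() {
  var parsed = classifyMembers(parseMemberField(SAMPLE_MEMBER_FIELD), KNOWN_USER_DNS);
  return { parsed: parsed, diff: diffMembership(CURRENT_GROUP, parsed.users) };
}
```

On the sample, ALICE is queued for adding, BOB (no longer in the LDAP list) for removal, and the nested group DN lands in `others` for separate handling.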


Hi Trevor,

I have solved the problem in this way:

In the first step I'm triggering the Group import (filtered only for the groups I am interested in), which writes the information directly into the Group table.

It imports the description and other fields about the group, and also executes the function "ldapUtils.addMembers". This function clears all users present in the group, but doesn't add anyone because the group contains only other groups 🙂

So after this I'm starting the other imports that, in the users table, run the function that adds the single users to the group (cleaned in the previous step).

Unfortunately now I need to create a new LDAP OU Definition for each new group, but it works 🙂



Regards,


Vincenzo