Why is LDAP failing to set managers?

Stephen W_ · ‎02-11-2016

users are imported correctly, have correct source value etc. and I do not have a map for the manager field..

I have added correct code to transform map and have expanded all relevant fields to 255 characters and validated their data type.

I could script around this so easily.. but it should just work!

I threw some logging into LDAPUtils:

setManager: function(source, target) {
             var ge = source.getElement(this.manager);
             if (!ge || ge.isNil()){
                   return;
             }
             this._getLdapUserUpdate();
             var ldap = new GlideLDAPUserUpdate(); //what's the point of this.. never used..
             var mid =   this.ldapUserUpdate.getManagerValue(target, ge.toString());
             if (mid == null) {
                         gs.logWarning("mid is null. Manager: "+ge.toString(),"LDAPUtils");
                         gs.logWarning("mid is null. Source: "+source,"LDAPUtils");
                         return;
             }
             target.manager = mid;
       }
             target.manager = mid;
       },

The results are exactly as expected, not truncated, and matches another user's "source" field value..

mid is null. Source: [object GlideRecord]

mid is null. Manager: CN=Jimmy Hermo,OU=Users,OU=EXC,OU=CCRA,OU=CCR,DC=CCR,DC=local

Clearly it's calling the script include and not truncating.. so why is it not actually updating the user record?

Of course GlideLDAPUserUpdate source isn't described in the wiki/api. Anyone have that somewhere?

Thanks!

Stephen W_ · ‎02-12-2016

Solved!

When the transform was setup the user.source field was mapped to a value that contained the DN, but not to a field that contained the "ldap:" prefix.

So when I was evaluating:

this.ldapUserUpdate.getManagerValue(target, ge.toString());

What I didn't know that it filtered on an "ldap:" prefix when evaluating the source field.

The second attribute of getManagerValue() is:

ldap:CN=Jimmy Hermo,OU=Users,OU=EXC,OU=CCRA,OU=CCR,DC=CCR,DC=local

not this:

CN=Jimmy Hermo,OU=Users,OU=EXC,OU=CCRA,OU=CCR,DC=CCR,DC=local

View solution in original post

Robert Chrystie · ‎02-29-2016

Hi Stephen,

Can you elaborate on the steps that you took to fix this issue?

Thanks,

-Robert

Stephen W_ · ‎03-01-2016

Sure,

I initially added logging to the LDAPUtils script include so that I could see exactly what it was passing to the "getManagers()" function.

I saw that it was passing what I thought was valid. It was pulling source from the user record, which is correct. However, after looking at the transform map, I saw that the user's Source was linked to the LDAP DN, not the LDAP "Source"(u_source).

Source is identical to DN except that it contains the prefix "ldap:".

The first thing to do is look at the users that you imported, there is a source field in the sys_user table.

Four things you need for manager to work:

1. Your LDAP data source contains a manager field with the manager's DN

2. You have a sys_user record who's "source" field contains "ldap:" plus the DN of the contents of #1.

3. Do NOT block the automatic manager mapping by configuring the manager field to anything in your transform map. There should be no reference to the manager in your transform map.

4. You have the OOB transform scripts:

Transform script:

ldapUtils.setManager(source, target);   
target.ldap_server = source.sys_import_set.data_source.ldap_target.server;

onBefore:

var ctrl = parseInt(source.u_useraccountcontrol, 10);   
ctrl = ctrl.toString(16);   
   
if (ctrl.substr(-1) == "2") {   
   target.active = false;   
   target.locked_out = true;   
   if (action == 'insert')   
           ignore = true;   
} else {   
   //Optional: Reactivate and unlock the user account   
   //target.active = true;   
   //target.locked_out = ctrl.substr(-2, 1) == "1";   
}

onStart:

gs.include("LDAPUtils");   
var ldapUtils = new LDAPUtils();   
ldapUtils.setLog(log);

onAfter:

(function runTransformScript(source, map, log, target /*undefined onStart*/ ) {   
   ldapUtils.addMembers(source, target);   
})(source, map, log, target);

onComplete:

ldapUtils.processManagers();

Nickels · ‎07-25-2016

I am running into this same issue, but I am not quite sure what you are saying to do to resolve it. I am bring in a field that contains the manager DN I believe, the line looks like this:

CN=Koenigsfeld\, Dan,OU=Users,OU=GFS,OU=KCO,OU=XXX,DC=XXXXXXXXX,DC=com

I also do not have the manager field mapped on the transform map. I did add some other fields for data that I wanted to load into the user record, but not the manager name.

I did increase the manager field from 40 characters to 200 as I read that could be part of the problem. It has not changed anything.

Appreciate the help.

-Chris

Stephen W_ · ‎07-25-2016

Take a look at your user record. Specifically look at the "source" field on that user record. It should start with "ldap:".

Also, you say you're bringing in a field containing the manager DN. That field should be named "u_manager".

Nickels · ‎07-27-2016

Thank you for the response. I checked the user records and add the source field to the form. It appears that it is ok as it starts with 'ldap.' Here is an example of it: ldap:CN=Redmond\, Emilie J,OU=Users,OU=F. I checked the import table and I do have the field of u_manager coming in populated with strings that look like this: CN=Haler\, Steve,OU=Users,OU=ESP,OU=KCO,OU=BMC,DC=asdfasdf,DC=com. I had changed the filter to only pull a few users and then I had a thought that maybe if I didn't pull the manager in via ldap (the manager already existed from our nightly csv imports) then perhaps it was missing something on that manager's user record. I imported the entire OU and still haven't had any luck. Any other suggestions?

Thanks,

-Chris