08-28-2014 03:19 PM
I am running into an issue with group imports and adding users to groups. I am using ldapUtil.addMembers(source,target) in an on-after transform script, which works for the most part. Users are being added to groups. However, it looks like it is also adding users to non-existent phantom groups.
In 'sys_user_grmember' after the import, I see ~300 records where there is a valid user and an invalid group. I've queried some of the phantom groups and they report back with:
"Get for non-existent record: sys_user_group:d6c2c871ad2e6100998001b56318c5f8, initializing".
Odd how the non-existent group has a sys_id. If I take the sys_id and query 'sys_user_group' the group doesn't exist. Any idea what could cause this behavior?
I also checked deleted records and did not find any matching sys_ids.
08-29-2014 02:22 AM
Are you sure these groups have been created with the import?
I had this behavior when I cloned an instance and added the sys_user and sys_user_group tables to the exclusion list, causing all the references to be maintained, but links still pointing to the old sys_ids of users. This messed up all the tables used to link a user to a group, a role or basically anything...
I think in your case it messes up, because it probably tries to link to a group that is not yet existing or your script that returns the group to link to, returns a faulty value. Try to add an if-statement, verifying the group you try to link your user to.
I'm not really into using 'ldapUtil.addMembers(source,target)' as I got no or wrong results. Unfortunately there is no real documentation on how to use it, and retracing the source-code of it made me think to use an easier method.
I found a really simple script written by Mark Stanger (Crossfuze) and explained in this discussion:
Can you add users to Groups with script?
I slightly modified the script to be used also in an onAfter transform script (on a transform map that is importing Users from our Active Directory); it works like a charm:
//Create a new group relationship record for this user
var addUsr = target.sys_id.toString(); //sys_id of the user that was just imported
var toGrp = 'Your_Group_SysID_here'; //sys_id of the group to add the user to
var rec1 = new GlideRecord('sys_user_grmember');
rec1.addQuery('user', addUsr);
rec1.addQuery('group', toGrp);
rec1.query();
//Insert only if both ids are set and the membership does not exist yet
//(gs.nil() is used because plain strings have no nil() method)
if (!gs.nil(addUsr) && !gs.nil(toGrp) && !rec1.next()) {
    rec1.initialize();
    rec1.user = addUsr;
    rec1.group = toGrp;
    rec1.insert();
}
Kind Regards,
Michel Conter
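The check suggested in the post above (verify the group before linking the user to it), as an added example that is not part of the original thread. The names `addMemberIfGroupExists` and `makeFakeGR` are hypothetical; the function takes the record class as a parameter so that the same logic can be exercised offline against a constructed in-memory stand-in.

```javascript
// Added example, not from the thread. GR is the record class: pass GlideRecord
// on an instance; makeFakeGR() below is a constructed offline stand-in.
function addMemberIfGroupExists(GR, userId, groupId) {
  userId = String(userId || '');
  groupId = String(groupId || '');
  if (!userId || !groupId) return 'skipped: empty id';
  // Resolve both references first, so no row can point at a missing record.
  if (!new GR('sys_user_group').get(groupId)) return 'skipped: no such group';
  if (!new GR('sys_user').get(userId)) return 'skipped: no such user';
  var m = new GR('sys_user_grmember');
  m.addQuery('user', userId);
  m.addQuery('group', groupId);
  m.query();
  if (m.next()) return 'exists'; // avoid duplicate memberships
  m.initialize();
  m.user = userId;
  m.group = groupId;
  m.insert();
  return 'inserted';
}

// Constructed in-memory stand-in implementing only the calls used above.
function makeFakeGR(db) {
  function GR(table) { this.t = table; this.q = {}; this.i = -1; this.rows = []; }
  GR.prototype.get = function (id) {
    return db[this.t].some(function (r) { return r.sys_id === id; });
  };
  GR.prototype.addQuery = function (field, value) { this.q[field] = value; };
  GR.prototype.query = function () {
    var q = this.q;
    this.rows = db[this.t].filter(function (r) {
      return Object.keys(q).every(function (f) { return r[f] === q[f]; });
    });
  };
  GR.prototype.next = function () { return ++this.i < this.rows.length; };
  GR.prototype.initialize = function () {};
  GR.prototype.insert = function () {
    db[this.t].push({ user: this.user, group: this.group });
  };
  return GR;
}
```

In an onAfter transform script the call would be `addMemberIfGroupExists(GlideRecord, target.sys_id, groupSysId)`, where `groupSysId` stands for whatever value the script resolved for the group; logging the 'skipped' results shows which source rows point at groups that were never created.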
08-29-2014 05:47 AM
I don't have this problem. It seems to me more like you did not set a proper coalesce value on the import, causing your problem.
For user and group imports I use the GUID as the coalesce value; this way you can even change the name, username, etc. without any repercussions.
08-29-2014 10:24 AM
I was thinking of making my own add to group function, but I see that this wheel has already been invented. Thanks for the link!
09-02-2014 12:46 AM
No problem. Just a little side note: when implementing the script, make sure to check if the membership already exists. Otherwise you end up with a lot of double entries. I just updated the script part of my comment a bit.
08-07-2015 12:57 PM
Hi Michel,
What attribute from LDAP will bring me the user group membership info?
I am trying to import groups and members from LDAP. The user and group imports are working, but members are not being added.
Any help is much appreciated.
Regards
08-07-2015 01:00 PM
member adds group memberships.
Our LDAP attributes list looks like this:
dn,EmployeeNumber,employeeID,givenname,mail,sn,source,telephonenumber,title,physicalDeliveryOfficeName,sAMAccountName,department,manager,description,managedby,displayname,othertelephone,company,distinguishedName,member,objectGUID
