Discussion:
Multivalued Attribute
g***@gmail.com
2017-05-19 00:59:11 UTC
Hi, currently I'm working on an assembly line that changes the DN for some LDAP entry.

example:
current dn - cn=galaDOC09876543,ou=sales,o=ibm
new dn - cn=DOC09876543,ou=sales,o=ibm

The issue here is that on the LDAP there's a reference to this DN in the LDAP group, in a multi-valued attribute "member".

example:
member: cn=galaDOC09876543,ou=sales,o=ibm
member: cn=lagaDOC03456789,ou=sales,o=ibm

How can I get the index of the DN and change it?

I tried looping as follows:

var memberArray = work.member.getValuesVector()

or

var memberArray = work.member.getValues()

But on either of the two I get the comparison right:

memberArray[i].toString().toUpperCase() == newDN.toUpperCase()

This comparison always returns false. Also, in the production environment there are almost 1 million members in each group, so this solution is not the correct approach.

Is there a way to get the index of this DN without looping through the list of values? I tried with indexOf but always get -1 as the return value.
Eddie Hartman
2017-05-22 10:00:03 UTC
The easiest way to do this is to use the incremental-update feature of LDAP, provided via the LDAPConnector methods compare(), addAttributeValue() and removeAttributeValue().

add - https://ibm.biz/Bdiegs
compare - https://ibm.biz/Bdieg2
remove - https://ibm.biz/BdiegZ

If you want to make sure the old value is there before adding the new value, as well as checking that the new value is not already in place, then you make four calls:

if (ldap.compare(entryDN, "member", oldValue)) {
    ldap.removeAttributeValue(entryDN, "member", oldValue);
}
if (!ldap.compare(entryDN, "member", newValue)) {
    ldap.addAttributeValue(entryDN, "member", newValue);
}

And the 'ldap' variable I would set in the After Initialize Hook of the LDAP Connector:

ldap = thisConnector.connector; // get the Connector Interface of this AL component

I tend to do all group membership work using these three function calls since it is much faster than having TDI read in a large multi-valued attribute, make the change in memory and then writing out the entire set of values again.

Hope this helps!
-Eddie
g***@gmail.com
2017-05-23 04:27:14 UTC
Does this work for a Loop Connector that inherits from LDAP on lookup?

I try to solve my issue like this (it works, but I have to iterate through the vector elements of member):

Loop Connector [inherits from LDAP connector on lookup, this is because one user could be in multiple groups]

Inside the Loop I get the vector using getValuesVector(), iterate through the vector and replace the modified DN, then create an attribute var and assign the new attribute to the entry.

Inside the Loop I use an LDAP connector to update the current LDAP Entry.

But if I understand correctly, I could use this in a script inside the loop instead of iterating through the whole vector?

By the way, thank you for the help.
Eddie Hartman
2017-05-23 20:54:57 UTC
Absolutely right, Gabriel. You can use these calls directly to add and remove values from the attribute (member DNs) instead of making changes to the values vector and then applying the entire attribute in a single write operation. This technique is what we use in the Federated Directory Server, which is a browser UI in front of a TDI solution, and it ensures that group membership changes are synchronized as efficiently as possible.
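
Added example, not part of either poster's messages and not TDI's own code: the compare/add/remove pattern from the answers above applied across several groups, run against a constructed in-memory stand-in (`mockLdap`, `normDN`, `renameMember` and the two group DNs are hypothetical). It goes slightly beyond the posted snippet by adding the new DN before removing the old one, and only in groups where the old DN was present.

```javascript
// Added example. mockLdap() is a constructed in-memory stand-in for the directory,
// not the TDI LDAPConnector; only the three call shapes are taken from the thread.
// normDN() is a simplified DN match: ignores case and spaces, no escaped commas.
function normDN(dn) {
  return String(dn).split(",").map(function (rdn) {
    return rdn.split("=").map(function (s) { return s.trim().toLowerCase(); }).join("=");
  }).join(",");
}

function mockLdap(groups) {               // groups: { groupDN: [memberDN, ...] }
  var sets = {}, self = { calls: 0 };     // calls = simulated LDAP operations
  Object.keys(groups).forEach(function (g) {
    sets[normDN(g)] = new Map(groups[g].map(function (m) { return [normDN(m), m]; }));
  });
  self.compare = function (dn, attr, v) { self.calls++; return sets[normDN(dn)].has(normDN(v)); };
  self.addAttributeValue = function (dn, attr, v) { self.calls++; sets[normDN(dn)].set(normDN(v), v); };
  self.removeAttributeValue = function (dn, attr, v) { self.calls++; sets[normDN(dn)].delete(normDN(v)); };
  self.members = function (dn) { return Array.from(sets[normDN(dn)].values()); };
  return self;
}

// Swap oldDN for newDN in each group. The new value is added before the old one
// is removed, and only where the old one was present: an interrupted run never
// drops the user from a group, and a rerun never grants a membership not held.
function renameMember(ldap, groupDNs, oldDN, newDN) {
  var changed = [];
  groupDNs.forEach(function (groupDN) {
    if (!ldap.compare(groupDN, "member", oldDN)) return;   // nothing to migrate
    if (!ldap.compare(groupDN, "member", newDN)) {
      ldap.addAttributeValue(groupDN, "member", newDN);
    }
    ldap.removeAttributeValue(groupDN, "member", oldDN);
    changed.push(groupDN);
  });
  return changed;
}

// Constructed sample data; the two group DNs are hypothetical.
var OLD_DN = "cn=galaDOC09876543,ou=sales,o=ibm";
var NEW_DN = "cn=DOC09876543,ou=sales,o=ibm";
var GRP_A = "cn=grpA,ou=groups,o=ibm", GRP_B = "cn=grpB,ou=groups,o=ibm";
var SAMPLE = {};
SAMPLE[GRP_A] = ["CN=galaDOC09876543, OU=Sales, O=IBM", "cn=lagaDOC03456789,ou=sales,o=ibm"];
SAMPLE[GRP_B] = ["cn=lagaDOC03456789,ou=sales,o=ibm"];
var dir = mockLdap(SAMPLE);
console.log(renameMember(dir, [GRP_A, GRP_B], OLD_DN, NEW_DN), dir.members(GRP_A), dir.calls);
```

In an AssemblyLine the `ldap` argument would be the connector interface obtained as in the answer above (`thisConnector.connector`) rather than the stand-in.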