Ldap Server Connector to Ldap Connector attribute Update
Shashi Booshan
2018-03-04 08:17:14 UTC
Hi Everyone,

I am syncing passwords coming from the plugin proxy to the LDAP Server Connector. Everything works well.
However, when I try to update the user id and password coming from the LDAP Server Connector to an LDAP using the LDAP Connector, I get a schema violation exception and the value is not getting updated.

Error:

[updateLdap] CTGDIS353I Script is: var userdn = "uid=" + conn.getString("unique_name").toLowerCase()+",ou=PasswordStore,dc=com";
ret.value=userdn;
[updateLdap] CTGDIS126I Return uid=asasi,ou=PasswordStore,dc=com.
[updateLdap] CTGDIS123I Returned object class java.lang.String.
[updateLdap] CTGDIS057I Hook before_add not enabled.
[updateLdap] CTGDIS495I handleException , addonly, javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'uid=asasi,ou=PasswordStore,dc=com

I have 2 attributes:
unique_name (derived from ldap.dn)
decryptedPW (decrypted password)

In the LDAP Connector I am mapping the below:

var userdn = "uid=" + conn.getString("unique_name").toLowerCase()+",ou=PasswordStore,dc=com";
ret.value = userdn; (this is set on the $dn attribute)

Assignment      Component Attribute
------------------------------------------------------------------------
unique_name     id
decryptedPW     userPassword

1. How can I update the above 3 attributes, i.e. $dn, unique_name, decryptedPW, in LDAP through the LDAP Connector?
2. In what mode should the LDAP Connector be run? ADD or UPDATE?
3. What attributes need to be available in the LDAP where I am trying to update?
4. I would be grateful if anyone could provide me a basic CSV to LDAP Update example (in the form of a link or AL).
Please Help.


Thanks in Advance
Eddie Hartman
2018-03-05 06:45:27 UTC
From this message it appears that your connector in Update mode is trying to perform an add:

CTGDIS057I Hook before_add not enabled.

Update mode does this if the Link Criteria fails to find a matching entry to modify. In this case you are not mapping enough attributes to create a new entry.

If you are sure all entries should already exist then it will be the $dn value which is wrong. Mapping out $dn overrides other search criteria, and you don't need this in your output map for a modify operation - only add.
Shashi Booshan
2018-03-05 09:06:53 UTC
Thank you for the response.

Now I tried running the LDAP Connector in ADD Only mode and passed the below attributes

$dn mapping with this code:
var userdn = "uid=" + conn.getString("unique_name").toLowerCase()+",ou=PasswordStore,dc=com";
ret.value = userdn;

$dn -----> component Attribute --- $dn
unique_name -----> component attribute --- uid
decryptedPW -----> component attribute --- userPassword

It gives the same error.

One thing I noticed is:

When I log in to the TDS Web Console and look at ou=passwordstore,dc=com
I see a lot of attributes, but "uid" is not present.

But when I connect the LDAPConnector to this LDAP with search base ou=passwordstore,dc=com, it shows a huge list of attributes in the Schema (near the output map) where the uid and userPassword attributes are present.
Eddie Hartman
2018-03-05 13:44:18 UTC
Post by Shashi Booshan
Thank you for the response.
Now I tried running the LDAP Connector in ADD Only mode and passed the below attributes
var userdn = "uid=" + conn.getString("unique_name").toLowerCase()+",ou=PasswordStore,dc=com";
ret.value = userdn;
$dn -----> component Attribute --- $dn
unique_name -----> component attribute --- uid
decryptedPW -----> component attribute --- userPassword
It gives the same error.
When I log in to the TDS Web Console and look at ou=passwordstore,dc=com
I see a lot of attributes, but "uid" is not present.
But when I connect the LDAPConnector to this LDAP with search base ou=passwordstore,dc=com, it shows a huge list of attributes in the Schema (near the output map) where the uid and userPassword attributes are present.
First off, you cannot add a new entry with so few attributes. That will give you a schema violation. So when you want to update a password, it should be a modify operation (Update mode with a Link Criteria that manages to isolate a single matching entry). This is your problem here - either your Link Criteria is not finding the right entry, or you are including a $dn in the output map, which will take precedence over your Link Criteria in finding a match. The $dn should be the full dn of the actual entry you wish to update.

The password store entries are not complete entries - instead they are simpler schema with uid of the user and the new password. You must use this uid to find the actual user to update.

-Eddie
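An added example, not code from the thread or from TDI, that illustrates both of Eddie's points: it models the output map posted above (unique_name to uid, decryptedPW to userPassword, $dn built from the lowercased uid) and runs the same MUST-attribute check a directory server performs before an add, which is what "error code 65 - Object Class Violation" reports. The schema table, the sample work entry and the escapeRdnValue helper are assumptions constructed for the example, not read from a live directory.

```javascript
// Minimal constructed schema: attributes an entry MUST carry for its
// structural object class (inetOrgPerson inherits cn and sn from person).
const SCHEMA = { inetOrgPerson: ['objectClass', 'cn', 'sn'] };
const BASE = 'ou=PasswordStore,dc=com';

// Escape RDN value characters per RFC 4514 so a uid containing ',' or '='
// cannot change where the entry lands in the tree (helper added here).
function escapeRdnValue(v) {
  return v.replace(/([\\,+"<>;=])/g, '\\$1')
          .replace(/^[ #]/, m => '\\' + m)
          .replace(/ $/, '\\ ');
}

// The $dn mapping from the thread, written as a plain function over the
// work entry instead of conn.getString()/ret.value.
function buildDn(work) {
  return 'uid=' + escapeRdnValue(work.unique_name.toLowerCase()) + ',' + BASE;
}

// Output map exactly as posted: uid and userPassword, no objectClass.
function mapAsPosted(work) {
  return { uid: work.unique_name.toLowerCase(), userPassword: work.decryptedPW };
}

// Output map that satisfies the schema: objectClass plus its MUST attributes.
// cn/sn are derived from uid here; a real flow would look them up in the
// source directory, as suggested later in the thread.
function mapComplete(work) {
  const uid = work.unique_name.toLowerCase();
  return { objectClass: ['top', 'person', 'organizationalPerson', 'inetOrgPerson'],
           uid, cn: uid, sn: uid, userPassword: work.decryptedPW };
}

// Return the MUST attributes the entry lacks, in schema order; an empty
// array means an add would pass this check.
function missingMust(entry) {
  const classes = [].concat(entry.objectClass || []);
  if (classes.length === 0) return ['objectClass'];
  const structural = classes.find(c => SCHEMA[c]);
  if (!structural) return ['objectClass (no known structural class)'];
  return SCHEMA[structural].filter(a => !(a in entry) || entry[a] === '');
}

const work = { unique_name: 'ASasi', decryptedPW: 'S3cret!' }; // constructed sample
console.log(buildDn(work));                   // uid=asasi,ou=PasswordStore,dc=com
console.log(missingMust(mapAsPosted(work)));  // [ 'objectClass' ]  -> error 65 on add
console.log(missingMust(mapComplete(work)));  // []
```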
Shashi Booshan
2018-03-05 15:59:54 UTC
Thank you very much Eddie as always :-)

But I would like to explain to you that this uid (unique_name attribute) and decryptedPW (userPassword) are coming from the LDAP Server Connector,
and I am trying to add these 2 attributes in a completely new LDAP server, where the users are not available already (these users are new to the LDAP, so I think I cannot find them in the LDAP to modify).
I am just using a new LDAP (TDS); I created an OU (ou=passwordstore,dc=com) and am trying to save the users there.
Franzw
2018-03-07 11:29:40 UTC
One way to solve this is to look up the user in the source system and then apply it (there may be some transformation/mapping included) and then add it.

This is among the many reasons I have a distaste for password/ldap-sync "solutions" - just think about it: if you have to add the user in specific contexts then you need to be able to handle all aspects of mapping/transformation - that WOULD be simple if all aspects of ldap were covered by the protocol - but they aren't - group management being one of the very dark areas...

Regards
Franz Wolfhagen
