Disabling accounts from OpenIDM and sync in OpenDJ

This topic has 13 replies, 5 voices, and was last updated 5 years, 5 months ago by [email protected].

  • #11522

    Hi,

    In the managedUser_sourceLdapopendjAccount mapping, I have mapped accountStatus (source) to the disabled (target) attribute.
    The use case is, when user account is disabled in OpenIDM, it should be disabled from OpenDJ as well.
    But this doesn’t work. The value for disabled is blank.

    Since accountStatus holds values like ‘active’ and ‘inactive’ and disabled is a boolean field, I wrote a transform script:

    if ( source == 'inactive') {
      true;
    } else {
      false;
    }

    But this doesn’t seem to work.
    Can anyone help?

    Regards,
    Ashwini

    #11525
     Bill Nelson
    Participant

    “source” is an object that contains all attributes – of which the accountStatus is just one. Depending on the object you are using (I assume it is managed/user) then you probably have others like mail, sn, or other. You need to specify the attribute you are referring to in your comparison (such as source.cn). You should also use the exact match operator (“===”) instead of the “==” when making string comparisons.

    #11526

    Hi Bill,

    I have selected the source as accountStatus and not complete user object. So the source would be accountStatus right?
    We get all other attributes like mail, sn, givenName only when we select the complete user object.

    #11527
     Bill Nelson
    Participant

    Not knowing how you are implementing this I would give something like source.accountStatus a try.

    #11545

    I tried using the following code:

    if ( source.accountStatus === 'inactive' ) {
      true;
    } else {
      false;
    }

    It still doesn’t work.
    Ideally ‘ds-pwp-account-disabled’ field should be set to true in OpenDJ.

    Am I missing something here?

    Regards,
    Ashwini

    #11558

    You can always use logging to examine the source-object you are referring to.
    Something along the lines of logger.error("this is source: {}", source); should be easy to spot in openidm.log.

    #11559

    logger.error("this is source: {}", source); prints ‘inactive’ in the logs.
    It goes inside the if statement, but in OpenDJ true value is not set in ds-pwp-account-disabled attribute.
    This is what I get in the logs:
    Method: update
    org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException

    #11561

    So using “source” instead of source.accountStatus is correct.

    Ignore the mapping for a moment and read the system object directly via system/opendj/account….
    does it report ds-pwp-account-disabled? Can you modify it by modifying the system object?

    #11569
     bgallantfr
    Participant

    You can also check the logs for clues during reconciliation.

    I gave it a quick try and used the following transform for accountStatus(source) and disabled(target):

    if ( source === 'inactive' ) { true; } else { ; }

    I got an error message when trying “Single Record Reconciliation” (which is an easy way to test reconciliation using one entry):

    Attribute value conflicts with the attribute’s schema definition on operation UPDATE for system object:…

    accountStatus is a string in the user managed object and the disabled property in the connector is a boolean. At least it is in my lab.

    I’m not sure what the right solution is for your use case, but at least you now have another avenue to pursue.
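The replies above hinge on two details of OpenIDM property-level transforms: the variable source is bound to the mapped source property (accountStatus), not the whole managed user, and the value of the script's last expression becomes the target value. The harness below is an added illustration, not OpenIDM's own code; it evaluates the three transforms quoted in this thread the same way and checks which of them actually yield the boolean the disabled attribute requires (the connector-side failure discussed later in the thread is not something a transform can fix).

```javascript
// Added illustration (not OpenIDM's code): evaluate the thread's transform
// scripts with "source" bound to the mapped property value, as a property
// mapping does, and check whether the result is a boolean.

// The three transforms quoted in the thread, verbatim.
const TRANSFORMS = {
  compareSource: "if ( source === 'inactive' ) { true; } else { false; }",
  compareProperty: "if ( source.accountStatus === 'inactive' ) { true; } else { false; }",
  emptyElse: "if ( source === 'inactive' ) { true; } else { ; }",
};

// Run a transform with "source" set to the mapped source property value.
// Direct eval() is used so the script's last-expression value is returned,
// mirroring how the script engine hands the result back to the mapping.
function runTransform(script, sourceValue) {
  return (function (source) { return eval(script); })(sourceValue);
}

// Mimic the connector's schema check: "disabled" is a boolean attribute, so
// anything else is rejected (the InvalidAttributeValueException in the logs).
function validateDisabled(value) {
  return typeof value === "boolean";
}

// Run every transform against both account states and report the results.
function evaluateAll() {
  const results = {};
  for (const [name, script] of Object.entries(TRANSFORMS)) {
    results[name] = {};
    for (const accountStatus of ["active", "inactive"]) {
      const value = runTransform(script, accountStatus);
      results[name][accountStatus] = { value, valid: validateDisabled(value) };
    }
  }
  return results;
}

console.log(JSON.stringify(evaluateAll(), null, 2));
```

The output shows that compareSource is the only script that yields true for an inactive user: compareProperty always returns false because a string has no accountStatus property, and emptyElse returns undefined for active users, which the boolean schema rejects.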

    #11581

    Hi bgallantfr,

    Since the disabled attribute is boolean, I had to write the transform script.
    I tried your approach as well, but still no luck.
    The disabled attribute gets a value of either true or false through this script. But it is not updated in OpenDJ due to schema violation.
    I also tried returning 1 instead of true and 0 instead of false considering the boolean values, but no luck.

    #11598

    You try fiddling around with the mapping to solve your issue. I consider it to be quite unlikely, perhaps technically impossible, to solve your issue that way.

    For the mapping to work, the configuration of the provisioner has to be correct; for the provisioner to work, the proxy-account needs the correct capabilities, etc.

    Can you perform the modification using LDAP and the proxy-account you configured in OpenIDM?
    What is the LDAP-schema of the attribute?

    If you succeed using LDAP:
    what’s the mapping in provisioner.openicf-opendj.json for the specific attribute? Does it conform to the LDAP-schema?
    Can you toggle the attribute using REST-calls at system/opendj/….?

    Check your mapping only after checking all those preconditions.

    #11701

    Which operators are allowed in the transform script apart from ===?
    Can we use something like string.includes() or string.contains()?

    #11713
     migel
    Participant

    Hi.

    I have been trying to disable users with the same attribute ‘ds-pwp-account-disabled’, but OpenIDM can handle delete, never merge or replace. I think it was a bug.

    #11714

    Yes, this seems to be a bug. Confirmed this with ForgeRock.
    The disable functionality is not supported by the DJ LDAP connector.
