
LDAP RDC User to Role Membership

Question asked by eNyPHgARlzvoblwk6WWrNj5GJU63Q2Ng1Jc4ABSsTb0= on Oct 17, 2016
Latest reply on Sep 9, 2017 by shakti nayak

Has anyone managed to get a role data collector configured to collect role membership?

I've tried using the User to Role membership configuration with role DNs stored against a user attribute and also with the role to user config storing the user DNs against a role attribute. Neither works.

In both cases, the role is collected (along with the correctly referenced role owner) but there are no members collected.

Our goal is to collect role definitions from ITIM 5.1. I created a quick test of the RDC in 7.0 P04 with the following config:


dc=dev,dc=local
  - ou=identities
    - cn=person1
        uid: Matches Via User ID attribute
        manager: cn=group1,ou=roles,dc=dev,dc=local (just using manager as the Role DN attribute for testing)
  - ou=roles
    - cn=group1
        description: Test Role (unique role name attribute)
        owner: cn=person1,ou=identities,dc=dev,dc=local (role owner attribute)
        member: cn=person1,ou=identities,dc=dev,dclocal (User DN attribute for testing)


As you can see I'm abusing the manager attribute on the inetOrgPerson object to reference the role (it's acting as the role membership attribute). I'm also abusing the groupOfNames object class to represent a role. I just couldn't be bothered setting up custom schema for a quick test.


When collecting with the LDAP RDC I cannot get it to determine the role membership either by reading the manager attribute on the person (as we would do with the erRoles attribute on ITIM persons) or by reading the member attribute on the role object (which I added in to test).

[Screenshot: RDC User to Role Configuration]

Looking at the logs / monitoring pages, the person1 identity is processed but the raw data shows no memberships detected.


Run Data

10/17/2016 13:05:24.893 INFO (Thread-173) [com.aveksa.client.component.communication.ChangeListHandler] Got new change item method=Run ChangeItem[ID=77, type=CollectionRequest, source=6, source-name=CB Test RDC]
10/17/2016 13:05:24.896 INFO (ApplyChangesRegularThread-363) [com.aveksa.client.component.communication.ChangeListHandler] STARTING method=ApplyChanges subTask=Acting on a changeItem ChangeItem[ID=77, type=CollectionRequest, source=6, source-name=CB Test RDC]
10/17/2016 13:05:24.900 INFO (ApplyChangesRegularThread-363) [com.aveksa.client.component.DefaultComponentManager] DCM132: Ignoring Event: com.aveksa.client.component.event.CollectionRequestEvent[source=com.aveksa.client.component.communication.DefaultCommunicationManager@2bd9053a]
10/17/2016 13:05:24.903 INFO (ApplyChangesRegularThread-363) [com.aveksa.client.datacollector.framework.DataCollectorManager] STARTING method=Collect CollectionMetaInfo[{ID=13, run_id=230, collector_id=6, test-run=false, collector_name=CB Test RDC}]
10/17/2016 13:05:24.919 INFO (ApplyChangesRegularThread-363) [com.aveksa.collector.roledata.LdapRdcRoleScanner] Finished processing roles. Totally processed "1" roles from role entries! SUCCESS method=extractData
10/17/2016 13:05:24.922 INFO (ApplyChangesRegularThread-363) [com.aveksa.collector.roledata.LdapRdcUserScanner] Finished processing user to role/group memberships. Totally processed "1" user entries! SUCCESS method=extractData
10/17/2016 13:05:24.924 INFO (ApplyChangesRegularThread-363) [com.aveksa.client.component.DefaultComponentManager] DCM132: Ignoring Event: com.aveksa.client.datacollector.framework.CollectionOccurredEvent[source=com.aveksa.client.datacollector.collectors.roledatacollectors.RoleDataCollector@56f3087d]
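One check worth running on a tree like the one above before looking further at the collector, as an added example that is not from the original post or the RDC product: resolve the membership references from both directions (role DN held on the user, member DN held on the role) and report any that do not resolve to an entry. The tree, attribute names and role base DN are taken from the post as written; the DN normalisation and validation rules are assumptions.

```python
# Added example, not code from the original post or the RDC product: cross-check
# role membership references from both directions. Tree values copied as written in the post.
DIRECTORY = {
    "cn=person1,ou=identities,dc=dev,dc=local": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["person1"],
        "manager": ["cn=group1,ou=roles,dc=dev,dc=local"],  # role DN held on the user
    },
    "cn=group1,ou=roles,dc=dev,dc=local": {
        "objectClass": ["groupOfNames"],
        "description": ["Test Role"],
        "owner": ["cn=person1,ou=identities,dc=dev,dc=local"],
        "member": ["cn=person1,ou=identities,dc=dev,dclocal"],  # user DN held on the role
    },
}

def normalize_dn(dn):
    """Canonicalise for comparison: trim around RDN separators, lower-case (assumed rule)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def validate_dn(dn):
    """Sanity check: every RDN must look like attr=value (not a full RFC 4514 parse)."""
    rdns = [part.split("=", 1) for part in dn.split(",")]
    return all(len(r) == 2 and r[0].strip() and r[1].strip() for r in rdns)

def resolve_memberships(directory, user_role_attr="manager", role_member_attr="member",
                        role_base="ou=roles,dc=dev,dc=local"):
    """Return (memberships, dangling): normalised (user_dn, role_dn) pairs found from
    either direction, and (entry_dn, attr, value, reason) for references that are
    malformed or point at no entry, which no collector can turn into a membership."""
    index = {normalize_dn(dn) for dn in directory}
    memberships, dangling = set(), []
    for dn, attrs in directory.items():
        me = normalize_dn(dn)
        is_role = me.endswith(normalize_dn(role_base))  # entries under the role base are roles
        attr = role_member_attr if is_role else user_role_attr
        for ref in attrs.get(attr, []):
            if not validate_dn(ref):
                dangling.append((dn, attr, ref, "malformed DN"))
            elif normalize_dn(ref) not in index:
                dangling.append((dn, attr, ref, "no such entry"))
            else:
                other = normalize_dn(ref)
                memberships.add((other, me) if is_role else (me, other))
    return memberships, dangling
```

Calling resolve_memberships(DIRECTORY) on this tree yields the person1 to group1 pair from the manager side only, and lists the member value on group1 as a malformed DN, so only the user-side reference is usable as given.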
