Idea ID: 2876104

eDirectory, make users and groups be internally consistent

Status: New Idea

Reviewing my OES logs shows postfix complaining about not finding a group for a user. Culling the MF archives shows this useful article https://community.microfocus.com/img/oes/w/oes_tips/34724/group-membership-updater. The article points to an .xml file which seems to require IDM to fix this inconsistency matter. The article has this pithy description:

"One problem people struggle with is keeping eDirectory group membership information in sync. eDirectory stores Groups as double-linked lists. What this means is, the Group has a pointer to the User and the User has a pointer to the Group. The problem is, when you use LDAP to update the User, eDirectory does not automatically update the Group and vice versa."

I don't use IDM and it ought not be necessary for run-of-the-mill OES machines. Instead, the regular OES components should take care of ensuring that a change to a user or a group is properly reflected in the other side of the pointers. That synchronization should be automatic, no user action needed, no IDM needed. Lack of sync can easily lead to access permissions problems, or worse.

Thanks,

Joe D.

  • I recently ran into this when restoring a group from a backup.

    It turned out that the groupMembership attributes under the users were still missing. I had to resort to writing a script that generates an LDIF to add these attributes to the user.

    Until the requested feature gets implemented, you can resolve it as follows:

    Use Apache Directory Studio to create an LDIF of the group:
    Right click group -> Advanced -> Copy Entry as LDIF (include operational attributes)

    Then you can use the resulting LDIF as input (group-ldif.txt) for the script below to generate a new LDIF that adds the attributes to the users.

    Then you can import this LDIF through Apache Directory Studio (or any other tool).

    As always, be sure to first test it with one user and verify that the result is as desired. I ran this against Domain Services for Windows (which is based on eDirectory), so there might be small differences.

    Here is the script:

    #!/usr/bin/perl
    use strict;
    use warnings;

    # Input: the group's LDIF export (group-ldif.txt, see the steps above).
    # Output: LDIF modify records that add the back-pointers to every member user.
    my $file = 'group-ldif.txt';
    open my $info, '<', $file or die "Could not open $file: $!";

    # DN of the group whose members should receive the pointers.
    my $groupname = "cn=groupname,ou=group,DC=domain";

    while ( my $line = <$info> ) {
        chomp $line;
        # Match only plain "member:" lines (not uniqueMember:) and keep the whole DN,
        # spaces included. Base64-encoded values ("member:: ...") are not handled here.
        if ( $line =~ /^member:\s+(.+?)\s*$/ ) {
            print "dn: $1\n";
            print "changetype: modify\n";
            print "add: groupMembership\n";
            print "groupMembership: $groupname\n";
            print "-\n";
            print "add: securityEquals\n";
            print "securityEquals: $groupname\n";
            print "-\n\n";
        }
    }

    close $info;


    I hope it is helpful.

    Kind regards, Don
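As an added example (not Don's script and not part of the original post), a Python check that reads one LDIF export containing both the group and its users and reports every missing half of the double link in both directions: members without groupMembership/securityEquals, and users whose groupMembership the group does not list. The entry names are constructed; the check ignores equivalentToMe on the group.

```python
import base64

# Constructed sample export (not from a real directory): bob is a member but
# lacks the user-side pointers; carol claims a membership the group does not record.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,o=example
member: cn=alice,ou=users,o=example
member: cn=bob,ou=users,o=example

dn: cn=alice,ou=users,o=example
groupMembership: cn=admins,ou=groups,o=example
securityEquals: cn=admins,ou=groups,o=example

dn: cn=bob,ou=users,o=example

dn: cn=carol,ou=users,o=example
groupMembership:: Y249YWRtaW5zLG91PWdyb3VwcyxvPWV4YW1wbGU=
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}, unfolding wrapped lines and base64 (::) values."""
    unfolded = text.replace("\n ", "")  # a line starting with a space continues the previous one
    entries = {}
    for record in unfolded.split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name, []).append(value.strip())
        if attrs.get("dn"):
            entries[attrs.pop("dn")[0]] = attrs
    return entries

def find_missing_pointers(entries):
    """List (dn, attr, value) for every half of a member/groupMembership pair that is absent."""
    missing = []
    for dn, attrs in entries.items():
        # group side: each member must point back through groupMembership and securityEquals
        for user_dn in attrs.get("member", []):
            user = entries.get(user_dn, {})
            for attr in ("groupMembership", "securityEquals"):
                if dn not in user.get(attr, []):
                    missing.append((user_dn, attr, dn))
        # user side: each groupMembership must appear in that group's member attribute
        for group_dn in attrs.get("groupMembership", []):
            if dn not in entries.get(group_dn, {}).get("member", []):
                missing.append((group_dn, "member", dn))
    return missing
```

Each returned triple maps directly onto one `changetype: modify` / `add:` record of the kind the Perl script above prints, so the output can be turned into a repair LDIF and reviewed before import.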