Comments (17)
Ideally the creation of a unique GUID which returns in the Id attribute would be a nice enhancement
from scimgateway.
I have noticed that when I do a GET operation on the created user, the complete DN is returned.
{
"Resources": [
{
"id": "CN%3DJohnDoe%2COU%3Dxxx%2CDC%3Dxxx%2CDC%3Dxx",
So the question is, is it possible to return this value as SCIM Id during creation of the object?
from scimgateway.
Hi,
For createUser SCIM Gateway simply returns the posted body including the id set to userName value.
This will be correct for most of the use cases where userName and id should be the same.
In this case it will not be correct and the gateway should instead do a getUser to retrieve actual user attributes to be returned.
This will be fixed in the next release.
Regards,
Jarle
from scimgateway.
Thank you!
from scimgateway.
Other than DistinguishedName I have tried to use the LDAP attribute ObjectGUID as unique SCIM Id, but the ObjectGUID 9dca87f0-1122-4db9-a838-fdaa6e01948d is returned as
"Resources": [
{
"id": "%EF%BF%BD%EF%BF%BD%CA%9D%22%11%EF%BF%BDM%EF%BF%BD8%EF%BF%BD%EF%BF%BDn%01%EF%BF%BD%EF%BF%BD",
It would be an enhancement to use a specific value for the SCIM Id which would not show 'information' like a path of subordinates as common with DN.
from scimgateway.
plugin-ldap uses endpointMapper, which has logic that will always url-encode the id value.
The reason for having the id url-encoded is that some IdPs do not encode this id when it is used in a request, e.g.:
/Users/CN=John Dow,CN=Users,DC=test,DC=com
The above-mentioned path is invalid URL syntax that cannot be handled by SCIM Gateway.
Having the id url-encoded will ensure the IdP uses a valid URL, e.g.:
/Users/CN%3DJohn%20Dow%2CCN%3DUsers%2CDC%3Dtest%2CDC%3Dcom
Using ObjectGUID instead of DN requires misc. code modifications because ObjectGUID is not straightforward.
Ldapjs returns all attributes as text, and this will not be correct for ObjectGUID because the value is hexadecimal. In addition, when updating a user based on ObjectGUID, this attribute needs to be sent to AD with special syntax (the hexadecimal representation of the GUID must be escaped with a backslash).
Some information can be found here:
ldapjs/node-ldapjs#481
https://ldapwiki.com/wiki/ObjectGUID
from scimgateway.
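The ObjectGUID handling described in the comment above, as an added Node.js example that is not part of the original thread and is not scimgateway or ldapjs code. It shows why reading the 16 raw bytes as text produces the garbled id posted earlier, and how the GUID maps to the backslash-escaped filter form; all helper names are hypothetical.

```javascript
// Added illustration; helper names are hypothetical, not scimgateway/ldapjs APIs.

// AD stores objectGUID as 16 raw bytes with the first three GUID fields
// (4, 2 and 2 bytes) little-endian. The swap is its own inverse.
function swapGuidFields(b) {
  return Buffer.concat([
    Buffer.from(b.subarray(0, 4)).reverse(),
    Buffer.from(b.subarray(4, 6)).reverse(),
    Buffer.from(b.subarray(6, 8)).reverse(),
    b.subarray(8),
  ]);
}

function guidToBytes(guid) {
  const hex = String(guid).replace(/-/g, '');
  // Strict validation: only 32 hex digits can ever reach the LDAP filter.
  if (!/^[0-9a-fA-F]{32}$/.test(hex)) throw new Error('not a GUID');
  return swapGuidFields(Buffer.from(hex, 'hex'));
}

function bytesToGuid(buf) {
  if (!Buffer.isBuffer(buf) || buf.length !== 16) throw new Error('expected 16 bytes');
  const h = swapGuidFields(buf).toString('hex');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join('-');
}

// Search filter form: every byte written as a backslash plus two hex digits.
function guidToLdapFilter(guid) {
  const esc = [...guidToBytes(guid)]
    .map((x) => '\\' + x.toString(16).padStart(2, '0'))
    .join('');
  return `(objectGUID=${esc})`;
}

// What happens when the raw bytes are decoded as UTF-8 text and url-encoded:
// invalid sequences become U+FFFD, so the original bytes are unrecoverable.
function lossyTextId(buf) {
  return encodeURIComponent(buf.toString('utf8'));
}

const raw = guidToBytes('9dca87f0-1122-4db9-a838-fdaa6e01948d'); // GUID from the thread
console.log(lossyTextId(raw));       // the garbled id reported in the thread
console.log(bytesToGuid(raw));       // the stable, DN-independent id
console.log(guidToLdapFilter(bytesToGuid(raw)));
```

Because the text decoding is lossy, the GUID has to be taken from the attribute's raw bytes; the hex-only validation also keeps client-supplied ids from altering the filter.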
I understand, thank you for your explanation. The possibility to have SCIM gateway create a unique SCIM Id for an LDAP object instead of being dependent on DN would be an interesting feature.
from scimgateway.
createUser response id and using objectGUID are now both fixed in v3.2.7
from scimgateway.
Thanks again!
from scimgateway.
Release 3.2.7 correctly shows objectGUID or DN when the object is created.
But the overall functionality of the LDAP plugin is currently broken. All SCIM requests like:
../Users/ or
../Users?filter=userName eq ""
"ScimGateway[plugin-ldap] endpointMapper: skipping - no mapping found for attributes: id,displayName", "status" :404
from scimgateway.
Hi,
Seems your configuration file group attribute mapping is missing "mapTo" definition for id and displayName.
Both id and displayName are mandatory for group (like id and userName are mandatory for user)
"map": {
"group": {
"objectGUID": {
"mapTo": "id",
"type": "string"
},
"cn": {
"mapTo": "displayName",
"type": "string"
}
But I see that users group membership is broken when using objectGUID, and I need to look into this problem.
Regards
Jarle
from scimgateway.
Hi,
You are correct. I have removed group mapping from the configuration because I have no need for them. I added them back as per your suggestion and the 'user' part seems to work as it should.
I have verified the same with group creation and retrieval, using objectGUID, and noticed that the displayName attribute (ldap) is not being set in the group object.
Currently I am testing a way to disable the group creation as I do not prefer to give this privilege automatically next to User CRUD actions.
Thank you for your support.
from scimgateway.
v3.2.8 now published
Groups will be ignored when missing group mapping endpoint.map.group
from scimgateway.
Hi Jarle,
I have tried to install 3.2.8, but 'npm install scimgateway@latest --save' still returns version 3.2.7.
from scimgateway.
mkdir c:\my-scimgateway
cd c:\my-scimgateway
npm init -y
npm install scimgateway --save
package.json shows "scimgateway": "^3.2.8"
Maybe an npm problem using @latest?
from scimgateway.
I tried several methods with the same result. I will try a different workstation.
Update: other workstation installed correctly. Never mind, probably some corruption due to (re)installing multiple times.
I will test and report back and close this issue.
from scimgateway.
Everything works as it should. Thank you again.
from scimgateway.