Merge pull request #578 from bajwa-adobe/v2

Fix for 'invalid attribute type memberOf' at user-level LDAP request

Author: adorton-adobe

docs/en/user-manual/advanced_configuration.md

@@ -742,6 +742,17 @@ targeted Adobe groups.
 **Note:** Additional group mapping will fail if a multiple source groups
 map to the same target group.
 
+### Configure 'dynamic_group_member_attribute'
+
+From User Sync tool 2.5 onward, you are required to mention the `memberOf` 
+LDAP attribute in `connector-ldap.yml`. There is no default value and if 
+`addtional_groups` is defined but `dynamic_group_member_attribute` not defined,
+you would see an warning. Here is example:
+
+```yaml
+dynamic_group_member_attribute: 'memberOf'
+```
+
 ### Additional Group Example
 
 Suppose an Adobe Experience Manager customer would like

examples/config files - basic/connector-ldap.yml

@@ -92,6 +92,12 @@ group_filter_format: "(&(|(objectCategory=group)(objectClass=groupOfNames)(objec
 # group_member_filter_format: "(memberOf:1.2.840.113556.1.4.1941:={group_dn})"
 group_member_filter_format: "(memberOf={group_dn})"
 
+# (optional) configure dynamic_group_member_attribute with dynamic group mappings 
+# From User Sync tool 2.5.0 onward, if additional_groups defined in user-sync-config.yml 
+# then dynamic_group_member_attribute is required. Here you specify the LDAP attribute 
+# used to filter groups mentioned in dynamic group mappings.
+#dynamic_group_member_attribute: "memberOf"
+
 # (optional) two_steps_lookup (no default)
 #two_steps_lookup:
   # (required) group_member_attribute_name (no default)

user_sync/app.py

@@ -337,7 +337,10 @@ def begin_work(config_loader):
         additional_group_filters = [r['source'] for r in additional_groups]
     if directory_connector is not None:
         directory_connector.state.additional_group_filters = additional_group_filters
-
+        # show error dynamic mappings enabled but 'dynamic_group_member_attribute' is not defined
+        if additional_group_filters and directory_connector.state.options['dynamic_group_member_attribute'] is None:
+            raise AssertionException(
+                "Failed to enable dynamic group mappings. 'dynamic_group_member_attribute' is not defined in config")
     primary_name = '.primary' if secondary_umapi_configs else ''
     umapi_primary_connector = user_sync.connector.umapi.UmapiConnector(primary_name, primary_umapi_config)
     umapi_other_connectors = {}

user_sync/connector/directory_ldap.py

@@ -137,6 +137,7 @@ def get_options(caller_config):
         builder.set_string_value('user_given_name_format', six.text_type('{givenName}'))
         builder.set_string_value('user_surname_format', six.text_type('{sn}'))
         builder.set_string_value('user_country_code_format', six.text_type('{c}'))
+        builder.set_string_value('dynamic_group_member_attribute', None)
         builder.set_string_value('user_identity_type', None)
         builder.set_int_value('search_page_size', 200)
         builder.set_string_value('logger_name', LDAPDirectoryConnector.name)
@@ -302,6 +303,9 @@ def iter_group_member_dns(self, group_dn, member_attribute, searched_dns=None):
             pass
 
     def iter_users(self, base_dn, users_filter, extended_attributes):
+        options = self.options
+        dynamic_group_member_attribute = options['dynamic_group_member_attribute']
+
         user_attribute_names = []
         user_attribute_names.extend(self.user_given_name_formatter.get_attribute_names())
         user_attribute_names.extend(self.user_surname_formatter.get_attribute_names())
@@ -310,7 +314,8 @@ def iter_users(self, base_dn, users_filter, extended_attributes):
         user_attribute_names.extend(self.user_email_formatter.get_attribute_names())
         user_attribute_names.extend(self.user_username_formatter.get_attribute_names())
         user_attribute_names.extend(self.user_domain_formatter.get_attribute_names())
-        user_attribute_names.append(six.text_type('memberOf'))
+        if dynamic_group_member_attribute is not None:
+            user_attribute_names.append(six.text_type(dynamic_group_member_attribute))
 
         extended_attributes = [six.text_type(attr) for attr in extended_attributes]
         extended_attributes = list(set(extended_attributes) - set(user_attribute_names))
@@ -389,7 +394,7 @@ def iter_users(self, base_dn, users_filter, extended_attributes):
             if c_value is not None:
                 user['country'] = c_value.upper()
 
-            user['member_groups'] = self.get_member_groups(record) if self.additional_group_filters else []
+            user['member_groups'] = self.get_member_groups(record, dynamic_group_member_attribute) if self.additional_group_filters else []
 
             if extended_attributes is not None:
                 for extended_attribute in extended_attributes:
@@ -403,15 +408,15 @@ def iter_users(self, base_dn, users_filter, extended_attributes):
 
             yield (dn, user)
 
-    def get_member_groups(self, user):
+    def get_member_groups(self, user, dynamic_group_member_attribute):
         """
         Get a list of member group common names for user
         Assumes groups are contained in attribute memberOf
         :param user:
         :return:
         """
         group_names = []
-        groups = LDAPValueFormatter.get_attribute_value(user, 'memberOf')
+        groups = LDAPValueFormatter.get_attribute_value(user, dynamic_group_member_attribute)
 
         if not groups:
             return group_names
@@ -512,6 +517,10 @@ def is_dn_within_base_dn_scope(base_dn, dn):
         :param dn: str
         :return: bool
         """
+        # return true if base_dn is empty string such as global scope and no need to check user_dn is part of base_dn
+        if (not (base_dn and base_dn.strip())):
+            return True
+
         split_base_dn = ldap3.utils.dn.parse_dn(base_dn.lower())
         split_dn = ldap3.utils.dn.parse_dn(dn.lower())
         if split_base_dn == split_dn[-len(split_base_dn):]: