reading AD Resource group object's membership from workflow (or a form)
IdM v6.0 SP1 - I'm trying to dynamically read the membership of a group in an AD resource. I found code in a Rule in /sample that shows me how to use FormUtil.getResourceObject to connect to the object. Yep, that works - I can retrieve data alright, but the member attribute only comes back as a <String>, not a <List>, hence I only see the first member. Looking in the Resource definition I can see that member is listed as string type under ObjectAttributes:
<ObjectAttribute name='member' type='string'/>
I've tried setting this to 'list', but that didn't work and I can't seem to find any other example that might give me the correct syntax, if there is one.
Ultimately I know this is of course possible, because simply using the Resources page I can edit the group as a resource object and see the member list fine. Unfortunately I've not yet discovered how to trace/debug my way into seeing quite what IdM actually calls when building that form.
(Why this isn't easier I'll never know - I would have thought this sort of thing is quite a common requirement: directory groups are a pretty ubiquitous authorisation mechanism.)
This is the almost-but-not-quite FormUtil code I've been fiddling with, derived from a sample that was working on the (single-value) manager attribute.
<Action name="getMembers">
  <Variable name="memberArray"/>
  <expression>
    <block trace="true">
      <!-- Search the AD resource for the group object, asking only for 'member' -->
      <defvar name="groupObject">
        <invoke name="getResourceObjects" class="com.waveset.ui.FormUtil">
          <invoke name="getLighthouseContext">
            <ref>WF_CONTEXT</ref>
          </invoke>
          <s>Group</s>
          <s>eProfile - Enterprise Directory</s>
          <map>
            <s>searchAttrsToGet</s>
            <list>
              <s>member</s>
            </list>
            <s>searchContext</s>
            <s>cn=aSentinel-manprov1,OU=Groups,DC=testcore,DC=test,DC=dir,DC=telstra,DC=com</s>
            <s>searchScope</s>
            <s>BASE</s>
            <s>searchFilter</s>
            <s>(objectClass=group)</s>
          </map>
        </invoke>
      </defvar>
      <!-- Pull 'member' out of the returned object's '_attributes' map -->
      <set name="memberArray">
        <get>
          <get>
            <ref>groupObject</ref>
            <s>_attributes</s>
          </get>
          <s>member</s>
        </get>
      </set>
    </block>
  </expression>
</Action>
Any suggestions very much appreciated. Oh, and I'm not at all tied to FormUtil either - I've got somewhere using checkoutView type=ResourceObject in the past, but that requires much more code and I really want a read-only interface (i.e., more like getView, which I think refused to work). But I'll take whatever can get the job done in the end.
By c732345 at 2007-11-26 9:40:29

# 1
I am able to query the members of an LDAP group using the code below. I guess something similar should work for AD.
<block>
  <!-- Search the LDAP resource for the group and take the first hit -->
  <defvar name='groupObject'>
    <get>
      <invoke name='getResourceObjects' class='com.waveset.ui.FormUtil'>
        <ref>:display.session</ref>
        <s>groupOfUniqueNames</s>
        <s>LDAP</s>
        <map>
          <s>searchContext</s>
          <s>dc=sms1,dc=xxx,dc=com</s>
          <s>searchScope</s>
          <s>subTree</s>
          <s>searchFilter</s>
          <concat>
            <s>cn=customer</s>
          </concat>
          <s>searchAttrsToGet</s>
          <list>
            <s>uniquemember</s>
            <s>cn</s>
          </list>
        </map>
      </invoke>
      <i>0</i>
    </get>
  </defvar>
  <!-- Return the group's uniquemember values -->
  <get>
    <ref>groupObject</ref>
    <s>uniquemember</s>
  </get>
</block>
# 4
kevinmaes,
Yes, I did get a fix. It seems getResourceObject*s* has a known issue with AD in this sense. But getResourceObject (singular) does work for multi-valued attributes. The only real difference is that the latter does not search for the group but rather specifies it explicitly. Which in my case is precisely what I wanted anyway. I turned the function into a Rule which I've inserted below - hope this works for you!
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Rule name="Get AD Group Attribute">
  <Description>Returns the specified attribute of the target AD group
    (assumed to be Resource Object of 'eProfile - Enterprise Directory' Resource)</Description>
  <RuleArgument name="targetGroup">
    <Comments>Full LDAP DN of the target group to read</Comments>
  </RuleArgument>
  <RuleArgument name="targetAttribute">
    <Comments>Target attribute to retrieve; may be multi-valued</Comments>
  </RuleArgument>
  <RuleArgument name="executingSession">
    <Comments>Optional session to execute with</Comments>
  </RuleArgument>
  <block>
    <!-- We need a LocalSession object to use (later on): reference to 'context' works in a form
         but if called in Workflow it's not populated - generate one from WF_CONTEXT -->
    <defvar name="currentContext">
      <cond>
        <isnull>
          <ref>context</ref>
        </isnull>
        <invoke name="getLighthouseContext">
          <ref>WF_CONTEXT</ref>
        </invoke>
        <ref>context</ref>
      </cond>
    </defvar>
    <!-- Fetch the group directly by DN, asking only for the attribute we want -->
    <defvar name="groupObject">
      <invoke name="getResourceObject" class="com.waveset.ui.FormUtil">
        <ref>currentContext</ref>
        <s>eProfile - Enterprise Directory</s>
        <s>group</s>
        <ref>targetGroup</ref>
        <map>
          <s>searchAttrsToGet</s>
          <list>
            <ref>targetAttribute</ref>
          </list>
        </map>
      </invoke>
    </defvar>
    <!-- Return the target attribute -->
    <get>
      <get>
        <ref>groupObject</ref>
        <s>group.attributes</s>
      </get>
      <ref>targetAttribute</ref>
    </get>
  </block>
  <MemberObjectGroups>
    <ObjectRef type="ObjectGroup" name="All"/>
  </MemberObjectGroups>
</Rule>
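The next thing most people want once the member list comes back is an authorisation-style check: is a given account DN in this group? The Rule below is an added example written for this page, not code from the thread or from the IdM samples. It keeps the getResourceObject (singular) call, the 'group' object type and the 'group.attributes' key exactly as reported working above, and assumes the same resource name (overridable via the resourceName argument). Two things it adds that the thread's rule does not: it normalises the returned attribute to a List (an empty group gives null, and it is an assumption, to be checked against your adapter, that a one-member group may come back as a bare String), and it compares DNs case-insensitively, since AD hands back its own canonical casing. The instanceof test goes through java.lang.Class because XPRESS has no native type test; the `Is DN Member Of AD Group` rule name and the `memberDn`/`wanted`/`found` variable names are mine.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Rule name="Is DN Member Of AD Group">
  <Description>Returns the string 'true' if userDn is listed in the member attribute
    of the AD group groupDn (a Resource Object of resourceName), otherwise 'false'.</Description>
  <RuleArgument name="groupDn">
    <Comments>Full LDAP DN of the group to read</Comments>
  </RuleArgument>
  <RuleArgument name="userDn">
    <Comments>Full LDAP DN of the account to look for</Comments>
  </RuleArgument>
  <RuleArgument name="resourceName" value="eProfile - Enterprise Directory">
    <Comments>Name of the AD resource; default assumed from this thread</Comments>
  </RuleArgument>
  <block>
    <!-- 'context' is populated when called from a form; from a workflow build one from WF_CONTEXT -->
    <defvar name="currentContext">
      <cond>
        <isnull><ref>context</ref></isnull>
        <invoke name="getLighthouseContext"><ref>WF_CONTEXT</ref></invoke>
        <ref>context</ref>
      </cond>
    </defvar>
    <!-- Read the group directly by DN with getResourceObject (singular): the call that
         returned the full multi-valued 'member' attribute for AD in this thread -->
    <defvar name="groupObject">
      <invoke name="getResourceObject" class="com.waveset.ui.FormUtil">
        <ref>currentContext</ref>
        <ref>resourceName</ref>
        <s>group</s>
        <ref>groupDn</ref>
        <map>
          <s>searchAttrsToGet</s>
          <list><s>member</s></list>
        </map>
      </invoke>
    </defvar>
    <defvar name="rawMembers">
      <get>
        <get><ref>groupObject</ref><s>group.attributes</s></get>
        <s>member</s>
      </get>
    </defvar>
    <!-- Normalise to a List. Empty group: null. Single member: assumed (verify against
         your adapter) to arrive as a bare String, so wrap it. Type test via java.lang.Class
         because XPRESS has no instanceof of its own. -->
    <defvar name="memberList">
      <cond>
        <isnull><ref>rawMembers</ref></isnull>
        <list/>
        <cond>
          <eq>
            <invoke name="toString">
              <invoke name="isInstance">
                <invoke name="forName" class="java.lang.Class"><s>java.util.List</s></invoke>
                <ref>rawMembers</ref>
              </invoke>
            </invoke>
            <s>true</s>
          </eq>
          <ref>rawMembers</ref>
          <list><ref>rawMembers</ref></list>
        </cond>
      </cond>
    </defvar>
    <!-- Compare DNs case-insensitively: AD returns its own canonical casing, which will
         rarely match what a form field or workflow variable passes in -->
    <defvar name="wanted">
      <downcase><ref>userDn</ref></downcase>
    </defvar>
    <defvar name="found">
      <s>false</s>
    </defvar>
    <dolist name="memberDn">
      <ref>memberList</ref>
      <cond>
        <eq>
          <downcase><ref>memberDn</ref></downcase>
          <ref>wanted</ref>
        </eq>
        <set name="found"><s>true</s></set>
      </cond>
    </dolist>
    <!-- Rule result: the string 'true' or 'false' -->
    <ref>found</ref>
  </block>
  <MemberObjectGroups>
    <ObjectRef type="ObjectGroup" name="All"/>
  </MemberObjectGroups>
</Rule>
```

Call it from a workflow Action or a form with `<rule name='Is DN Member Of AD Group'>` and `<argument>` children for groupDn and userDn; it deliberately returns the strings 'true' and 'false' so the caller can test the result with `<eq>` rather than depending on how XPRESS coerces Java Booleans. Only letter case is normalised: if your input DNs carry spaces after the commas and AD's do not, trim them first. The thread establishes nothing about very large groups, where AD returns the member attribute in ranged chunks (1500 values per chunk by default), so test with a group of that size before using this for anything that gates access.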