Because OUs are not security principals, they lack the objectSID
attribute. I've created a request,
http://tools.lsc-project.org/issues/453. The conversion itself is fairly
trivial.

        // Where GUID is a byte array returned by a previous LDAP search.
        // Emit every byte as a backslash followed by two hex digits.
        String byteGUID = "";
        for (int c = 0; c < GUID.length; c++) {
            byteGUID = byteGUID + "\\" + AddLeadingZero((int) GUID[c] & 0xFF);
        }

        // Pad values below 0x10 so each byte is always two hex digits.
        static String AddLeadingZero(int k) {
            return (k <= 0xF) ? "0" + Integer.toHexString(k) : Integer.toHexString(k);
        }

I have verified that the resulting string can be used directly in an LDAP
filter.

      System.out.println("(objectGUID=" + byteGUID + ")");

Hugh
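
The conversion described in the message above, as an added example that is not part of the original email or of LSC. It goes one step beyond the posted snippet by also producing the dashed string form the original question asked about; the class name, method names and sample bytes are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.UUID;

public class ObjectGuidFilter {

    // RFC 4515 form: every byte becomes backslash + two hex digits, so no raw
    // byte (including '*', '(', ')', '\' or NUL) reaches the filter parser.
    static String toFilterValue(byte[] guid) {
        requireGuid(guid);
        StringBuilder sb = new StringBuilder(guid.length * 3);
        for (byte b : guid) {
            sb.append('\\').append(String.format("%02x", b & 0xFF));
        }
        return sb.toString();
    }

    // Dashed display form: the first three GUID fields are stored
    // little-endian in the attribute, the last eight bytes are kept in order.
    static String toDisplayString(byte[] guid) {
        requireGuid(guid);
        ByteBuffer buf = ByteBuffer.wrap(guid).order(ByteOrder.LITTLE_ENDIAN);
        long data1 = buf.getInt() & 0xFFFFFFFFL;
        long data2 = buf.getShort() & 0xFFFFL;
        long data3 = buf.getShort() & 0xFFFFL;
        long msb = (data1 << 32) | (data2 << 16) | data3;
        long lsb = buf.order(ByteOrder.BIG_ENDIAN).getLong();
        return new UUID(msb, lsb).toString();
    }

    // Reject anything that is not a 16-byte value before building a filter.
    static void requireGuid(byte[] guid) {
        if (guid == null || guid.length != 16) {
            throw new IllegalArgumentException("objectGUID must be exactly 16 bytes");
        }
    }

    public static void main(String[] args) {
        // Constructed sample value, not taken from any real directory.
        byte[] sample = {
            0x33, 0x22, 0x11, 0x00, 0x55, 0x44, 0x77, 0x66,
            (byte) 0x88, (byte) 0x99, (byte) 0xAA, (byte) 0xBB,
            (byte) 0xCC, (byte) 0xDD, (byte) 0xEE, (byte) 0xFF
        };
        System.out.println("(objectGUID=" + toFilterValue(sample) + ")");
        System.out.println(toDisplayString(sample));
    }
}
```

Escaping all 16 bytes unconditionally, rather than only the ones that look unprintable, keeps the filter well-formed whatever byte values the GUID happens to contain.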

On Tue, Apr 24, 2012 at 8:38 AM, Sébastien Bahloul <
[email protected]> wrote:

> Hi Hugh,
>
> LSC doesn't have such a feature for ObjectGUID. Can you use the ObjectSID
> instead?
>
> I suggest opening an issue and mentioning the following page, which should
> help to add support for it:
>
> https://forums.oracle.com/forums/thread.jspa?threadID=1155698&tstart=0
>
> Regards,
> --
> Sebastien BAHLOUL
> IAM / Security specialist
> Ldap Synchronization Connector : http://lsc-project.org
> Blog : http://sbahloul.wordpress.com/
>
>
>
> 2012/4/24 Hugh Kelley <[email protected]>
>
>>  On Tue, Apr 24, 2012 at 4:58 AM, Clément OUDOT <[email protected]> wrote:
>>
>>> On 24 April 2012 01:05, Hugh Kelley <[email protected]> wrote:
>>> > I am trying to retrieve AD/ADAM objectGUID attributes in their
>>> > string-formatted form from the source directory. So far, I'm getting some
>>> > jumbled mess that I assume is a direct translation of the binary objectGUID
>>> > into a character set.
>>> >
>>> > Unfortunately, this is really the only unique and immutable attribute for
>>> > OUs in MS directory services. Assuming this attribute has already been
>>> > crammed into a string (by JNDI) by the time the LSC runtime sees it, where
>>> > can I customize this behavior, by inheriting from
>>> > com.sun.jndi.ldap.LdapCtxFactory?
>>> >
>>> > My LSC excerpt is below:
>>> >
>>> >       <ldapSourceService>
>>> >         <name>MySyncTask-src</name>
>>> >         <connection reference="src-ldap"/>
>>> >         <baseDn>dc=xyz,dc=net</baseDn>
>>> >         <pivotAttributes>
>>> >           <string>objectGUID</string>
>>> >         </pivotAttributes>
>>> >         <fetchedAttributes>
>>> >           <string>description</string>
>>> >           <string>distinguishedName</string>
>>> >           <string>objectGUID</string>
>>> >           <string>ou</string>
>>> >         </fetchedAttributes>
>>> >         <getAllFilter>(&amp;(!(isCriticalSystemObject=TRUE))(objectClass=organizationalUnit))</getAllFilter>
>>> >         <getOneFilter>(&amp;(!(isCriticalSystemObject=TRUE))(objectClass=organizationalUnit)(objectGUID={objectGUID}))</getOneFilter>
>>> >       </ldapSourceService>
>>>
>>>
>>> Hello,
>>>
>>> Can you try to add objectGUID in the binary attributes of your LDAP
>>> connection?
>>>
>>> See binaryAttributes in
>>>
>>> http://lsc-project.org/wiki/documentation/2.0/configuration/connections/ldap
>>>
>>> Clément.
>>>
>>
>> Thank you, Clément. I had looked under the Task section for a way to
>> specify binary-ness, not thinking to check the connection.
>>
>> The <binaryAttributes> setting has had an impact, but it doesn't
>> entirely solve the problem.
>>
>> The query is now issued as this:
>>
>>     Filter: (&(!(isCriticalSystemObject=
>> TRUE))(objectClass=organizationalUnit)(objectGUID=71:0mb#@�}Xê??�P))
>>
>> Without the binary setting it was issued as this.
>>
>>     Filter:
>> (&(!(isCriticalSystemObject=TRUE))(objectClass=organizationalUnit)(objectGUID=�j>��
>> M��.�Q��))
>>
>> Unfortunately, I need it to look like this (the guid value is a dummy
>> just to show the format).
>>
>>     Filter:
>> (&(!(isCriticalSystemObject=TRUE))(objectClass=organizationalUnit)(objectGUID=(objectGUID=\FFd\D7\F8j\9A\8EA\A6A\B6\F9\96a\A8\D5))
>>
>>
>> Where can I insert some Java code that will reformat that attribute
>> before it is used in the <getOneFilter> substitution?
>>
>> Regards,
>> Hugh
>>
>>
>> _______________________________________________________________
>> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>>
>> lsc-users mailing list
>> [email protected]
>> http://lists.lsc-project.org/listinfo/lsc-users
>>
>>
>