Resolve group members when rdn has changed

UnboundID TonyS

We're looking at syncing user objects and also the groups that these user objects are members of to a new Ping Directory.

However, in the target Ping Directory, the user object will have a different RDN compared to the value used in the source. The original identifier is held in an attribute on the new object. Sync is in one direction only (to the Ping Directory).

When we sync the groups across, what is the recommended method to resolve the new DNs for the group members on the target side?

3 REPLIES
UnboundID ArnoL

You will need to write a Sync Pipe Plugin that will dereference the member DN that has been updated, go back to the source, fetch the member entry and furnish the required attribute to the sync class that is tasked with mapping the DN.

I recommend taking a look here for an example of how this can be accomplished:

https://gitlab.corp.pingidentity.com/rsa/sync-group-dereference

UnboundID TonyS

Thanks Arno!

That has worked for the customer.

They do have a follow-on question. They are searching for the new DN on the target PD side. Because in this case it is possible to attempt to create the group before the user objects are created, the attempt to find a DN can fail. This is a situation which occurs infrequently but has been seen.

If this happens, do they have to throw a particular type of exception to take advantage of retry processing within Sync?

UnboundID ArnoL

This would not be handled via an exception but via the PostStepResult value returned by the method.

There would be two options to indicate to Sync core that a retry is desired:

  • PostStepResult.RETRY_OPERATION_LIMITED
  • PostStepResult.RETRY_OPERATION_UNLIMITED

Details here: https://docs.ping.directory/latest_server-sdk/javadoc/com/unboundid/directory/sdk/sync/types/PreStep...
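The retry decision discussed in this thread, sketched as an added example that is not code from the thread, the linked project, or the Server SDK. `StepResult` is a local stand-in for the SDK's `PostStepResult` (its `CONTINUE` value is assumed), and `remapMembers`, the `lookup` function and the sample DNs are constructed for illustration.

```java
import java.util.*;
import java.util.function.Function;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class GroupMemberRemap {
    // Local stand-in for PostStepResult so the sketch compiles without the Server SDK.
    enum StepResult { CONTINUE, RETRY_OPERATION_LIMITED }

    /**
     * Rewrites every source member DN to its target-side DN.
     * lookup is a hypothetical function standing in for a target-side search on the
     * attribute that holds the original identifier; it returns null when no entry exists yet.
     */
    static StepResult remapMembers(List<String> sourceMembers,
                                   Function<String, String> lookup,
                                   List<String> targetMembersOut) throws InvalidNameException {
        List<String> resolved = new ArrayList<>();
        for (String sourceDn : sourceMembers) {
            String targetDn = lookup.apply(rdnValue(sourceDn));
            if (targetDn == null) {
                // The user has not been created on the target yet. Emit nothing and ask
                // for a retry instead of syncing a group with a partial member list.
                return StepResult.RETRY_OPERATION_LIMITED;
            }
            resolved.add(targetDn);
        }
        targetMembersOut.addAll(resolved);
        return StepResult.CONTINUE;
    }

    // Value of the leftmost RDN; LdapName handles escaped commas in the DN.
    static String rdnValue(String dn) throws InvalidNameException {
        LdapName name = new LdapName(dn);
        return String.valueOf(name.getRdn(name.size() - 1).getValue());
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample data: target entries indexed by original identifier.
        Map<String, String> target = new HashMap<>();
        target.put("jdoe", "entryUUID=1111,ou=people,dc=example,dc=com");
        List<String> members = List.of("uid=jdoe,ou=users,dc=src,dc=com",
                                       "uid=asmith,ou=users,dc=src,dc=com");
        List<String> out = new ArrayList<>();
        System.out.println(remapMembers(members, target::get, out) + " " + out);
        target.put("asmith", "entryUUID=2222,ou=people,dc=example,dc=com"); // user arrives later
        System.out.println(remapMembers(members, target::get, out) + " " + out);
    }
}
```

In a real plugin the returned value would be the corresponding `PostStepResult` constant, and the member list would be set on the destination entry only on the `CONTINUE` path.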