LDAP issue with SCIM Id attribute

[momeijer]

Hi Jarle,

When a user, JohnDoe is created in Active Directory with SCIM Id mapped to LDAP DN it does not return the DN (for example: CN%3DJohnDoe%3Dxxx%3Dxxx%2CDC%3Dxx) but still JohnDoe.

When the SCIM Id is mapped to, for example, LDAP objectGUID or objectID, it still returns 'JohnDoe'.

Is DN the only attribute which can be used in combination with the SCIM Id attribute?

Regards,

Michael

[momeijer]

Ideally the creation of a unique GUID which returns in the Id attribute would be a nice enhancement

[momeijer]

I have noticed when I do a GET operation on the created user. The complete DN is returned.

{
"Resources": [
{
"id": "CN%3DJohnDoe%2COU%3Dxxx%2CDC%3Dxxx%2CDC%3Dxx",

So the question is, is it possible to return this value as SCIM Id during creation of the object?

[jelhub]

Hi,
For createUser SCIM Gateway simply returns the posted body including the id set to userName value.
This will be correct for most of the use cases where userName and id should be the same.
In this case it will not be correct and the gateway should instead do a getUser to retrieve actual user attributes to be returned.

This will be fixed in the next release.

Regards,
Jarle

[momeijer]

Thank you!

[momeijer]

Other than DistinguishedName I have tried to use the LDAP attribute ObjectGUID as unique SCIM Id, but the ObjectGUID 9dca87f0-1122-4db9-a838-fdaa6e01948d is returned as

"Resources": [
{
"id": "%EF%BF%BD%EF%BF%BD%CA%9D%22%11%EF%BF%BDM%EF%BF%BD8%EF%BF%BD%EF%BF%BDn%01%EF%BF%BD%EF%BF%BD",

I would be an enhancement to use a specific value for the SCIM Id which would not show 'information' like a path of subordinates as common with DN.

[jelhub]

plugin-ldap use endpointMapper having logic that will always url-encode the id value.

Reason for having id url-encoded is that some IdP's do not encode this id when used in request e.g:
/Users/CN=John Dow,CN=Users,DC=test,DC=com

Above mention path will be an invalid url syntax that cannot be handled by SCIM Gateway

having id url-endoded will ensure IdP use valid url e.g:
/Users/CN%3DJohn%20Dow%2CCN%3DUsers%2CDC%3Dtest%2CDC%3Dcom

Using ObjectGUID instead of DN requires misc. code modifications because ObjectGUID is not straight forward.
Ldapjs returns all attributes as text and this will not be correct for ObjectGUID because value is hexadecimal, and in addition when updating user based on ObjectGUID this attribute needs to be sent to AD with special syntax (the hexadecimal representation of the GUID must be escaped with a backslash).

Some information can be found here:
ldapjs/node-ldapjs#481
https://ldapwiki.com/wiki/ObjectGUID

[momeijer]

I understand, thank you for your explanation. The possibility to have SCIM gateway create a unique SCIM Id for an LDAP object instead of being dependent on DN would be an interesting feature.

[jelhub]

createUser repsonse id and using objectGUID are now both fixed in v3.2.7

[momeijer]

Thanks again!

[momeijer]

Release 3.2.7 correctly shows objectGUID or DN when the object is created.

But the overall functionality of the LDAP plugin is currently broken. All SCIM requests like:

../Users/ or
../Users?filter=userName eq ""

"ScimGateway[plugin-ldap] endpointMapper: skipping - no mapping found for attributes: id,displayName", "status" :404

[jelhub]

Hi,

Seems your configuration file group attribute mapping is missing "mapTo" definition for id and displayName.
Both id and displayName are mandatory for group (like id and userName are mandatory for user)

"map": {
  "group": {
    "objectGUID": {
      "mapTo": "id",
      "type": "string"
    },
    "cn": {
      "mapTo": "displayName",
      "type": "string"
    }

But I see that users group membership is broken when using objectGUID, and I need to look into this problem.

Regards
Jarle

[momeijer]

Hi,

You are correct. I have removed group mapping from the configuration because I have no need for them. I added them back as per your suggestion and the 'user' part seems to work as it should.

I have verified the same with group creation and retrieval, using objectGUID, and noticed that the displayName attribute (ldap) is not being set in the group object.

Currently I am testing a way to disable the group creation as I do not prefer to give this privilege automatically next to User CRUD actions.

Thank you for your support.

[jelhub]

v3.2.8 now published
Groups will be ignored when missing group mapping endpoint.map.group

[momeijer]

Hi Jarle,

I have tried to install 3.2.8, but 'npm install scimgateway@latest --save' still returns version 3.2.7.

[jelhub]

mkdir c:\my-scimgateway
cd c:\my-scimgateway
npm init -y
npm install scimgateway --save

package.json shows "scimgateway": "^3.2.8"

Maybe a npm problem using @latest?

[momeijer]

I tried several methods with the same result. I will try a different workstation.

Update: other workstation installed correctly. Never mind, probably some corruption due too (re)installing multiple times.

I will test and report back and close this issue.

[momeijer]

Everything works as it should. Thank you again.