jelhub / scimgateway

Using SCIM protocol as a gateway for user provisioning to other endpoints
MIT License

Azure AD -> OpenLDAP - group provisioning fails - "endpointMapper: skipping - no mapping found for attributes: members" #116

Closed dmraj closed 8 months ago

dmraj commented 8 months ago

Hey Jarle,

I'm trying to configure Azure AD to OpenLDAP provisioning of users and groups.

The users part is working well, but when I try group provisioning I'm getting the below error: "createGroup error: endpointMapper: skipping - no mapping found for attributes: members"

But in plugin-ldap.json I do have a mapping for members in map->group:

    "member": {
      "mapTo": "members.value",
      "type": "array"
    }

I don't understand whether this error is caused during ldapadd or before that, in scimgateway processing itself.

Azure first creates an empty group and then PATCHes users on top of that, so is this empty member list causing some problem here?

Any help or direction on how to debug further would be very helpful.

FYI: it works well with the default plugin-loki.

Thank you in advance.

Log:

    2024-03-15T23:31:16.570 debug: scimgateway[plugin-ldap] [Create Group]
    2024-03-15T23:31:16.570 debug: scimgateway[plugin-ldap] POST /Groups body={"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"externalId":"555fb2ba-9254-4921-bce8-2ef9b630e36d","displayName":"dm_group_a","members":[],"meta":{"resourceType":"Group"}}
    2024-03-15T23:31:16.570 debug: scimgateway[plugin-ldap] convertedBody={"externalId":"555fb2ba-9254-4921-bce8-2ef9b630e36d","displayName":"dm_group_a","members":[]}
    2024-03-15T23:31:16.570 debug: scimgateway[plugin-ldap] calling "createGroup" and awaiting result
    2024-03-15T23:31:16.570 debug: plugin-ldap[undefined] handling "createGroup" groupObj={"externalId":"555fb2ba-9254-4921-bce8-2ef9b630e36d","displayName":"dm_group_a","members":[]}

    2024-03-15T23:31:16.571 error: scimgateway[plugin-ldap] 12ms ::ffff:10.10.133.74 token POST http://ldaptest.dm.com/Groups Inbound = {"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"externalId":"555fb2ba-9254-4921-bce8-2ef9b630e36d","displayName":"dm_group_a","members":[],"meta":{"resourceType":"Group"}} Outbound = {"statusCode":400,"statusMessage":"Bad Request","body":{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"scimType":"invalidSyntax","detail":"scimgateway[plugin-ldap] createGroup error: endpointMapper: skipping - no mapping found for attributes: members","status":400}

jelhub commented 8 months ago

Hi, when there are no members to be added/removed, endpointMapper skips the attribute. The mapper has logic to include attributes that are not "handled" and return those in the err object. In your case the members attribute will be included in the err object.

This err object could be of interest, but not always, e.g. when the IdP uses attributes that should not be handled by the plugin.

If you look at some of the other plugin methods, e.g. createUser, you will see the err object is skipped/ignored: https://github.com/jelhub/scimgateway/blob/master/lib/plugin-ldap.js#L292-L293

You should update the createGroup method and skip the err object: https://github.com/jelhub/scimgateway/blob/master/lib/plugin-ldap.js#L647-L648

    const [endpointObj, err] = scimgateway.endpointMapper(...)
    // if (err) throw new Error(`${action} error: ${err.message}`)

or

    const [endpointObj] = scimgateway.endpointMapper(...)

dmraj commented 8 months ago

Hey Jarle,

Thanks a lot for the help, that worked. 👍

The group without members got provisioned as expected. I'm hitting other errors which may be related to my LDAP backend.

One doubt: while I was debugging I found that it's failing in this line, which leads to arrUnsupported.push(key):

https://github.com/jelhub/scimgateway/blob/master/lib/scimgateway.js#L2355

    if (dotMap[key2].split(',').map(item => item.trim().toLowerCase()).includes(key.toLowerCase()))

Here, why are we splitting dotMap[key2] by comma and comparing?

jelhub commented 8 months ago

Need more information.

dmraj commented 8 months ago

Sure, sorry for missing out details.

Here, in this case, for the below config:

    "member": {
      "mapTo": "members.value",
      "type": "array"
    }

It's hitting direction=inbound at: https://github.com/jelhub/scimgateway/blob/master/lib/scimgateway.js#L2355

where this check occurs:

    if (dotMap[key2].split(',').map(item => item.trim().toLowerCase()).includes(key.toLowerCase()))

If we print these values, "dotMap[key2]" yields "members.value" and then it tries to compare with "key", which is "members":

    2024-03-16T07:54:14.648 plugin-ldap debug: key: members
    2024-03-16T07:54:14.648 plugin-ldap debug: key2: member.mapTo
    2024-03-16T07:54:14.648 plugin-ldap debug: dotmap[key2]: members.Value

So I just wanted to know if this is expected.

jelhub commented 8 months ago

Assume members is missing in your endpoint response and therefore there are no

    members[ "bjensen", "jsmith" ]

to be mapped to SCIM:

    members[ {"value": "bjensen"}, {"value": "jsmith"} ]

members will then end up in arrUnsupported and be returned as the err object, which can be ignored. You should check the message being mapped to see if members is missing.
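As an added example (not scimgateway's own code, and not a reproduction of its endpointMapper internals), here is a minimal two-way mapper that behaves as described in the two replies above: an attribute with nothing to map, such as an empty members list on create or a members attribute absent from the LDAP response, is reported in the err object rather than silently dropped, and the createGroup-style caller logs it instead of throwing. GROUP_MAP and createGroupAttrs are names chosen for this example.

```javascript
// Map definition in the shape of plugin-ldap.json (endpoint attribute -> SCIM attribute).
// Constructed sample for this example.
const GROUP_MAP = {
  cn: { mapTo: 'displayName', type: 'string' },
  member: { mapTo: 'members.value', type: 'array' },
}

// direction 'outbound': SCIM object -> endpoint object (what createGroup needs)
// direction 'inbound':  endpoint object -> SCIM object (what a group lookup returns)
// Returns [mappedObj, err]; err is null when every attribute could be mapped.
function endpointMapper(direction, obj, map = GROUP_MAP) {
  const out = {}
  const unsupported = []
  for (const [key, val] of Object.entries(obj)) {
    const entry = Object.entries(map).find(([ep, m]) =>
      direction === 'outbound'
        ? m.mapTo.split('.')[0].toLowerCase() === key.toLowerCase()
        : ep.toLowerCase() === key.toLowerCase())
    if (!entry) { unsupported.push(key); continue } // attribute the plugin does not handle
    const [epAttr, m] = entry
    const [scimRoot, sub] = m.mapTo.split('.')
    const target = direction === 'outbound' ? epAttr : scimRoot
    if (m.type !== 'array') { out[target] = val; continue }
    const values = Array.isArray(val) ? val : []
    if (values.length === 0) { unsupported.push(scimRoot); continue } // nothing to map: skipped
    out[target] = direction === 'outbound'
      ? values.map(v => (sub ? v[sub] : v)) // [{value:'bjensen'}] -> ['bjensen']
      : values.map(v => (sub ? { [sub]: v } : v)) // ['bjensen'] -> [{value:'bjensen'}]
  }
  if (direction === 'inbound') {
    // array attributes missing from the endpoint response also have nothing to map
    for (const [ep, m] of Object.entries(map)) {
      if (m.type === 'array' && !(ep in obj)) unsupported.push(m.mapTo.split('.')[0])
    }
  }
  const err = unsupported.length
    ? new Error(`endpointMapper: skipping - no mapping found for attributes: ${unsupported.join(',')}`)
    : null
  return [out, err]
}

// createGroup-style caller: Azure AD creates the group with members:[] first,
// so skipped attributes are logged for review instead of failing the create.
function createGroupAttrs(scimGroup) {
  const [endpointObj, err] = endpointMapper('outbound', scimGroup)
  if (err) console.warn(`createGroup: ${err.message}`)
  return endpointObj
}
```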

dmraj commented 8 months ago

Sure Jarle, things are looking good as of now. Thanks for all the help and clarifications.