Home

Results 1 to 3 of 3

Thread: SSPR 4.1 missing Macro for logged in User

Threaded View

  1. #1
    Join Date
    Oct 2016
    Posts
    28

    Question SSPR 4.1 missing Macro for logged in User

    Hi there,
    here my business case:
    Using the SSPR 4.1 helpdesk module I want to track on the LDAP-Object (regular user), who (helpdesk user) did a change to the user (so I can pick it up with IDM later on...)
    A side hint, as it may add to the szenario: SSPR runs against a different LDAP Server than IDM driver is running, so eDir Replica Sync and sync delays are involved...

    I tried the macro @LDAP:DN@ which seemd obvious to me in the first place, but because I did a search for the regular user before, the macro responds with the regular users DN, not the helpdesk user DN.

    I have the configuration "Use Proxy Connection" disabled, as my helpdesk user has the appropriate eDir Rights, so I wanted to relate on modifiersName (thought this is a simple way...), but in the XDS document on the IDM server it said:

    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Standard" version="4.0.2.7">DirXML</product>
    <contact>Novell, Inc.</contact>
    </source>
    <input>
    <modify cached-time="20170509090600.950Z" class-name="User" event-id="LS00135P#20170509090600#3#1:76f72dd5-532d-495a-21ac-d52df7762d53" qualified-src-dn="...\OU=Users\OU=PROD\CN=RegularUser" src-dn="...\Users\PROD\RegularUser" src-entry-id="147807" timestamp="1494320756#9">
    <modify-attr attr-name="modifiersName">
    <remove-value>
    <value timestamp="1494318905#2" type="string">CN=AdminUser,OU=SSPR,OU=Services,... </value>
    </remove-value>
    <add-value>
    <value timestamp="1494320756#9" type="string">CN=SSPRProxy,OU=SSPR,OU=Services,... </value>
    </add-value>
    </modify-attr>
    <modify-attr attr-name="MyAttribute">
    <add-value>
    <value timestamp="1494320756#2" type="string">TRUE</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>

    That looks like the change was done by the proxy user, not the helpdesk user... So I investigated the LDAP trace further on to verify my SSPR config is doing good and I found the following:

    11:29:19 9E2E6700 LDAP: DoModify on connection 0xda25c00 (belonging to Helpdesk User)
    11:29:19 9E2E6700 LDAP: modify: dn (cn=RegularUser,ou=PROD,ou=Users,...)
    11:29:19 9E2E6700 LDAP: modifications:
    11:29:19 9E2E6700 LDAP: replace: MyAttribute
    11:29:19 9E2E6700 LDAP: Sending operation result 0:"":"" to connection 0xda25c00

    that looks good and the settings works as designed...
    further down the trace I found:

    11:29:19 9EBA1700 LDAP: DoModify on connection 0xdb4b500 (belonging to the SSPRProxy User)
    11:29:19 9EBA1700 LDAP: modify: dn (cn=RegularUser,ou=PROD,ou=Users,...)
    11:29:19 9EBA1700 LDAP: modifications:
    11:29:19 9EBA1700 LDAP: delete: pwmEventLog
    11:29:19 9EBA1700 LDAP: add: pwmEventLog
    11:29:19 9EBA1700 LDAP: Sending operation result 0:"":"" to connection 0xdb4b500

    That might explain why the XDS document of the IDM server has the incorrect information on the modifiers name, assuming that eDir replica sync sends over the last state of the object...

    ##### my conclusion: having a macro for the currently logged in User would help me a lot here...
    Other ideas also welcome...

    Thanks in advance
    Steffen
    Last edited by skoehler; 09-May-2017 at 11:21 AM.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •