Will take a brief look at new features added in version 3.0.0 of Active Directory plugin for vRealize Orchestrator.
Here is brief list of newly added features and fixes.
- Added support for non-persistent LDAP connections.
- Added generic LDAP client (LdapClient).
- Added support for SimplePagedResultsControl. It allows the client to iterate through a potentially large set of search results in subsets of a specified
number of entries (i.e., "pages").
- Added User.getSID() and UserGroup.getSID() scripting methods for retrieving objectSID attribute in following format format 'S-1-IdentifierAuthority-SubAuthority1-SubAuthority2-...-SubAuthorityn'
- Added getGUID() support for retrieving objectGUID formatted as dashed string
- Fix: ActiveDriectory.search() methods discards configured LDAP base
- Removed sub-domain entries from inventory tree of parent domain. (Deprecated since 2.0)
Let's go trough above list and see what those mean in more details...
Added support for non-persistent LDAP connections
What does that mean?
It means that is no longer needed to add Active Directory server using one of the configuration workflows ('Add an Active Directory server ") in order to invoke operation on it.
Starting with version 3.0 of the plugin you can create connection toward LDAP server without registering it as inventory item.
Here is brief example how this can be achieved. Below example will create a connection toward given LDAP host and will seach for specific LDAP entey by it's DN.
var ldapClient = null; try { System.log("Initializing ldap client..."); ldapClient = LdapClientFactory.newLdapClient(host, port, username, password, false); System.log("Searching for entry with dn ["+ lookupDn +"]"); entry = ldapClient.getEntry(lookupDn); if (entry != null) { System.log("Found entry with dn[" + entry.getDN() + "]"); attrs = entry.getAttributes(); for ( i in attrs){ System.log(" name :" + attrs[i].getName()); System.log(" values :" + attrs[i].getValues()); } } else { System.log("Nothing found!!!"); } } finally { if (ldapClient != null){ ldapClient.close(); } }
Added generic LDAP client (LdapClient).
What does that mean?
Previous version of the plugin supported connecting to Active Directory LDAP server only. New version of plugin introduces support of generic LDAP client which can be connected to any server supporting LDAP protocol.
Newly added generic LdapClient is fully functional and support searches and modification of arbitrary LDAP entry. It also supports lookup of specific entry by it's DN.
For more details regarding available functionality you can refer to vRO API explorer under AD plugin you should see number of new scripting objects available starting with LdapXXXX prefix
Added support for SimplePagedResultsControl.
What does that mean?
Newly added LdapClient support also SimplePagedResultsControl. It allows the client to iterate through a potentially large set of search results in subsets of a specified number of entries (pages).
var ldapClient = LdapClientFactory.newLdapClient(host, port, username, password, false); // Perform a search to retrieve all users in the server, but only retrieving 2 at a time. var numSearches = 0; var totalEntriesReturned = 0; var searchRequest = LdapSearchRequest.createRequest( baseDn, "(&(objectCategory=person)(objectClass=organizationalPerson))", LdapSearchScope.SUB, null, //attributes LdapDereferencePolicy.ALWAYS); var resumeCookie = null; while (true) { System.log('--------------------------------------------'); System.log("More results found. Continuing with page " + numSearches) // Create SimplePagedResultsControl configured to return at most 2 entries // on initiali request resumeCookie must be null pagedSearchControl= new LdapSimplePagedResultsControl(2, resumeCookie,true) // Make sure there is no another control registered with same OID searchRequest.removeControlByOid(pagedSearchControl.getOID()); // add SimplePagedResultsControl to current search control searchRequest.addControl(pagedSearchControl); // execute search request var searchResult = ldapClient.searchBySearchRequest(searchRequest); numSearches++; totalEntriesReturned += searchResult.getEntryCount(); // Traverse trough result set entries = searchResult.getSearchEntries() for (var e in entries) { System.log(entries[e].getParsedDN().toNormalizedString()); } // Check if htere are more results responseControl = LdapSimplePagedResultsControl.get(searchResult); if (responseControl.moreResultsToReturn()) { // The resume cookie can be included in the simple paged results // control included in the next search to get the next page of results. resumeCookie = responseControl.getCookieBytes(); } else { break; } }
Added User.getSID() and UserGroup.getSID()
System.log("User " + user.distinguishedName + " objectSID [" + user.getSID() + "]");
Produces following output :
[2016-07-18 18:00:29.725] [I] User CN=demo user,CN=Users,DC=gia,DC=net objectSID [S-1-5-21-124928778-1889607053-1629036291-4274]
Added getGUID()
System.log("User " + user.distinguishedName + " objectGUID [" + user.getGUID() + "]");
Produces following output :
[2016-07-18 18:03:29.867] [I] User CN=demo user,CN=Users,DC=gia,DC=net objectGUID [efc97a06-7a3b-47df-b630-7b814e8a1cc6]
Removed sub-domain entries from inventory tree of parent domain. (Deprecated since 2.0)
In Version 1.x of Active Directory there was support for single AD server. To mitigate to same degree this limitation was added possibility for showing sub-domains inventory tree as part of configured AD server. Version 2.x of the plugin introduced support for multiple AD server and starting with this version recommended approach for handling sub domain is to register them as separate AD server configuration. Showing sub-domain entries as part of parent domain inventory tree was deprecated in favor of creating separate AD server configuration for each domain. in version 3.0 of the plugin sub-domain are no longer shown as items in parent domain inventory tree.