Channel: Software Communities : Popular Discussions - ActiveRoles

OnPostModify (via DirSync) catching update operations as deletes


So I've got a weird one I'm hoping somebody can help me figure out.

 

I have a PowerShell script to watch for changes via DirSync and onPostModify validate the values of the managedBy attribute.

I've attached the script to a policy and selected the "Handle changes from DirSync control" option.

 

A shortened version of my script looks like so:

 

function onPostModify($Request)
{
    # I only care about changes that happened outside of ARS
    if ($Request.Parameter("RequestSource") -eq $Constants.EDST_MOD_SOURCE_AD ) {
        # Only process requests for groups
        if ($Request.Class -ne "group") {return}

        # Only process changes to the managedBy attribute
        $managedByRequestItem = $Request.GetPropertyItem("managedBy",$Constants.ADSTYPE_DN_STRING)
        if ($managedByRequestItem -ne $null)
        {
            if ($managedByRequestItem.ControlCode -eq $Constants.ADS_PROPERTY_UPDATE)
            {
                # Validate the new value here
            }
        }
    }
}

 

The problem is that when a user changes the value via ADUC the request seems to appear as a DELETE operation with the old value in the request. I never see an UPDATE request or the new name anywhere, unless I query the object.

 

Here is a sample of the Request when I turn on debugging. The red text is the old value.

 

<------------------- $Request  XML ------------------------>
<?xml version="1.0" encoding="utf-16"?>
<ModifyRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" dn="CN=groupa,OU=Managed Groups,DC=contoso,DC=com" xmlns="urn:schemas-quest-com:ActiveRolesServer">
  <Attributes>
    <Attribute name="managedBy" operation="Delete" type="String">
      <Values>
        <Value>CN=smith1,OU=users,DC=contoso,DC=com</Value>
      </Values>
    </Attribute>
    <Attribute name="ADsPath" operation="Replace" type="String">
      <Values>
        <Value>LDAP://dc1.contoso.com:636/CN=groupa,OU=Managed Groups,DC=contoso,DC=com</Value>
      </Values>
    </Attribute>
  </Attributes>
  <Controls>
    <Control id="13">
      <Values>
        <Value>dc1.contoso.com</Value>
      </Values>
    </Control>
  </Controls>
</ModifyRequest>
<------------------- $Request  XML ------------------------>

 

 

Am I missing something here? How do I catch the update request and check the new value?

 

I figured I'd ask here before I opened a ticket with support.
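
One way to work with the behaviour described in the post, as an added example that is not part of the original post and not Active Roles' own code: treat any managedBy item in a DirSync-sourced request as a change signal and validate the value currently stored on the group, rather than waiting for an UPDATE item. It assumes the Active Roles `$DirObj` variable is bound to the changed group in this handler and that `$Request.DN` returns its distinguished name; `$AllowedOwnerSuffix` and `Test-ManagedByValue` are hypothetical names, and the policy they encode (owners must sit under one container) is illustrative.

```powershell
# Added example. Hypothetical policy: group owners must live under this container.
$AllowedOwnerSuffix = 'OU=users,DC=contoso,DC=com'

function Test-ManagedByValue([string]$OwnerDn)
{
    # An empty value means the owner was cleared. Fail it so that ownerless
    # groups are surfaced instead of silently accepted.
    if ([string]::IsNullOrWhiteSpace($OwnerDn)) { return $false }

    # Case-insensitive suffix match anchored on a component boundary, so that
    # 'OU=notusers,DC=contoso,DC=com' does not pass.
    return $OwnerDn.EndsWith(",$AllowedOwnerSuffix",
        [System.StringComparison]::OrdinalIgnoreCase)
}

function onPostModify($Request)
{
    # Only changes that happened outside of ARS, and only groups
    if ($Request.Parameter("RequestSource") -ne $Constants.EDST_MOD_SOURCE_AD) { return }
    if ($Request.Class -ne "group") { return }

    # Any managedBy item counts as a trigger. ControlCode is deliberately not
    # checked: per the post, an owner change made in ADUC can arrive as a
    # Delete that carries only the old value.
    $item = $Request.GetPropertyItem("managedBy", $Constants.ADSTYPE_DN_STRING)
    if ($null -eq $item) { return }

    # Read the value as it is now stored on the object.
    # Assumption: $DirObj is the changed group in this handler.
    $current = $null
    try   { $current = $DirObj.Get("managedBy") }
    catch { $current = $null }   # Get fails when the attribute is empty

    if (-not (Test-ManagedByValue $current)) {
        # Placeholder reaction: replace with the alerting or remediation
        # step the policy calls for.
        Write-Warning "managedBy on $($Request.DN) failed validation: '$current'"
    }
}
```

Because the check runs against the stored value, it also fires when the owner is cleared outright, which an UPDATE-only branch would never see.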

