User Rights (Filter) with LDAP / "Finetune"

Hello

This is a follow-up question on this topic:

Found out that when a user is only in one group, and not in a group together with other groups, the solution from the previous post does not work. The user sees no data.

How could I grant access as follows:
If a user is not in RPL$GROUPS_RIGHTS then C_NO is session['Login.ou']

The problem is here:

if (name === 'filter')
    return "C_NO IN (SELECT DISTINCT CAMP_NO FROM RPL$GROUPS_RIGHTS WHERE " +
           "GROUP_NO = (SELECT GROUP_NO FROM RPL$GROUPS WHERE gidNumber = '" + session['Login.gidNumber'] + "') )";

For a while I have been trying with IFNULL:

C_NO IN (SELECT DISTINCT CAMP_NO FROM RPL$GROUPS_RIGHTS WHERE
GROUP_NO = IFNULL((SELECT GROUP_NO FROM RPL$GROUPS WHERE gidNumber = '" + session['Login.gidNumber'] + "'), '" + session['Login.ou'] + "'))

With no success…
Any help on this topic?

The easiest solution is to ensure that all users belong to one of the required groups.

Another approach would be to create a VIEW over the RPL$GROUPS table in the LDAP database that adjusts the data so that it works with the old (i.e. already existing) filters. That solution would be much easier to maintain later, and it would also be easier to create and debug if needed.

Thank you for your idea.

Another approach would be to create a VIEW over the RPL$GROUPS table in the LDAP database that adjusts the data so that it works with the old (i.e. already existing) filters.

I will try to find out if / how I could do this.
Shalom
Manfred

I cannot remember exactly which database server you use. For Firebird it looks like http://firebirdsql.org/refdocs/langrefupd21-ddl-view.html

I use a MySQL database.
But the link you provided is a view in the database…
My LDAP is not stored in a MySQL database…

You still have a database. This database can perform queries to the LDAP in the SQL way (otherwise filters wouldn't work). You can add the view to your database.

Sorry, just so that I understand it correctly:
Status now:
LDAP

  • Users and also Groups

MySQL

  • Groups and "Sub-Groups" in the tables RPL$GROUPS and RPL$GROUPS_RIGHTS

Relativity Server

  • Does this:

    function onUnknownSqlMacroIdentifier(name)
    {
        log('sn = ' + session['Login.sn']);
        log('uidNumber = ' + session['Login.uidNumber']);
        log('ou = ' + session['Login.ou']);
        log('gidNumber = ' + session['Login.gidNumber']);
        log('cn = ' + session['Login.cn']);
        log('uid = ' + session['Login.uid']);
        log('description = ' + session['Login.description']);
        log('__________________________________________________');

        // Access rights filter: only camps granted to the user's group
        if (name === 'filter')
            return "C_NO IN (SELECT DISTINCT CAMP_NO FROM RPL$GROUPS_RIGHTS WHERE " +
                   "GROUP_NO = (SELECT GROUP_NO FROM RPL$GROUPS WHERE `gidNumber` = '" + session['Login.gidNumber'] + "') )";

        // Check Access Rights
        if (name === 'description')
            return '"' + session['Login.description'] + '"';

        // User Info
        if (name === 'camp')
            return '"' + session['Login.ou'] + '"';
        if (name === 'country')
            return '"' + session['Login.l'] + '"';
        if (name === 'first_name')
            return '"' + session['Login.givenName'] + '"';
        if (name === 'last_name')
            return '"' + session['Login.sn'] + '"';
    }


So the VIEW would be generated from the Relativity Server to the LDAP database?
Sorry for the question…

No. What I would do (however it depends on how often the LDAP data changes and how fast these changes should be ‘seen’ by the app) is:

  • Create a table in the app database with a structure that would allow me to simplify my filters
  • Create a job that runs every (e.g.) 30 mins using How to Create Scheduled Events in MySQL Databases. This job would gather the data from LDAP, clean it up, index it and then put it into the above-mentioned table

The idea is to use in filters not the RPL$GROUPS_RIGHTS, RPL$GROUPS and similar tables but your own one, with fine-tuned indexes and the data you need.

Pros:

  • Better performance
  • Easier to debug if something goes wrong
  • Simpler filter expression

Cons:

  • One needs to maintain the LDAP data-extracting job

I am now trying to evaluate in which way I could get the LDAP data into MySQL.
Did find a possible solution: http://ldap-csvexport.sourceforge.net/

And will look further…

This job would gather the data from LDAP, clean it up, index it and then put it into the above-mentioned table

Do you have a preferred method?

Is it possible to save the filter for one session, so there would be no need to check the rights for every Data-access?

Yes, you can save the value in the session. It is available from the script.

I did manage to export the members and the groups from LDAP with http://ldap-csvexport.sourceforge.net/ to a CSV and then into MySQL.

I did not find a description in the docs of how to store the filter for a session. Could you help here or point me to the right place in the documentation…

Hi again

Still trying to figure out how to store the filter in the session. I am not sure where to put this?
Do I have to create a special event?

session['SessionVariable_camp_filter'] = "C_NO IN (SELECT DISTINCT CAMP_NO FROM LDAP_GROUP_RIGHTS WHERE " +
    "GROUP_NO = (SELECT cn FROM LDAP_GROUPS WHERE gidNumber = '" + session['Login.gidNumber'] + "') )";

function onUnknownSqlMacroIdentifier(name)
{
    log('sn = ' + session['Login.sn']);
    log('uidNumber = ' + session['Login.uidNumber']);
    log('ou = ' + session['Login.ou']);
    log('gidNumber = ' + session['Login.gidNumber']);
    log('cn = ' + session['Login.cn']);
    log('uid = ' + session['Login.uid']);
    // log('gecos = ' + session['Login.gecos']);
    // log('departmentNumber = ' + session['Login.departmentNumber']);
    log('description = ' + session['Login.description']);
    log('__________________________________________________');

    // Return the filter text stored in the session instead of rebuilding it
    if (name === 'filter')
        return session['SessionVariable_camp_filter'];
}

In any place of the JS code. E.g. you could do this in onUnknownSqlMacroIdentifier - you'd need to check the session variable content and, if it is empty, recalculate it.
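An added example, not code from this thread or from Relativity Server, that combines the fallback rule asked for in the first post (the user's group has no rows in RPL$GROUPS_RIGHTS, so only the camp named by Login.ou is visible) with the "check the session variable and recalculate if empty" approach above. It assumes the script's global `session` is a plain object and keeps the thread's table and column names; the `camp_filter` session key and the value checks, which guard the SQL that the script builds by string concatenation, are assumptions of mine.

```javascript
// Added example, not code from this thread or from Relativity Server.
// Assumption: the business-rules script sees `session` as a plain object
// (as the log() calls in the thread suggest); the table and column names
// are the ones used in the thread. The session key 'camp_filter' and the
// value checks below are my own choices.

// Only values that are safe to splice into SQL text are accepted. The
// script builds SQL by string concatenation, so anything else makes the
// helpers return null and the filter fails closed (matches no rows).
function safeGidNumber(value) {
  return /^\d{1,10}$/.test(String(value)) ? String(value) : null;
}
function safeOu(value) {
  return /^[A-Za-z0-9 ._-]{1,64}$/.test(String(value)) ? String(value) : null;
}

// Rule asked for in the first post: rows granted to the user's group, or,
// when that group has no rows in RPL$GROUPS_RIGHTS at all, only the camp
// named by Login.ou.
function buildCampFilter(gidNumber, ou) {
  var gid = safeGidNumber(gidNumber);
  var camp = safeOu(ou);
  if (gid === null) return '1 = 0';             // unknown group: no rows
  var groupNo = "(SELECT GROUP_NO FROM RPL$GROUPS WHERE gidNumber = '" + gid + "')";
  var granted = 'SELECT DISTINCT CAMP_NO FROM RPL$GROUPS_RIGHTS WHERE GROUP_NO = ' + groupNo;
  var filter = 'C_NO IN (' + granted + ')';
  if (camp !== null) {
    filter += " OR (NOT EXISTS (" + granted + ") AND C_NO = '" + camp + "')";
  }
  return '(' + filter + ')';
}

// Build the filter on first use and keep it in the session, so later macro
// lookups reuse the text instead of rebuilding it (the approach suggested above).
function campFilterFor(sess) {
  var cached = sess['camp_filter'];
  if (typeof cached === 'string' && cached.length > 0) return cached;
  var built = buildCampFilter(sess['Login.gidNumber'], sess['Login.ou']);
  sess['camp_filter'] = built;
  return built;
}

// The macro hook from the thread, now answering 'filter' from the cache.
function onUnknownSqlMacroIdentifier(name) {
  if (name === 'filter') return campFilterFor(session);
  return undefined;
}
```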

Did find this example in the docs:
Introduction Business Rules Scripting session variable content

function afterLogin(userName, parameters)
{
session[“MyCustomValue”] = “Hello”;
log(“Custom Value: “+session[“MyCustomValue”]);
// log(“User Name: “+session[“Relativity.Username”]);
//session[“Relativity.Username”] = “Peter”; //this would fail
}

But I always get a script parse error.

Did also try to include this in my onUnknownSqlMacroIdentifier with the same result.

On which exactly line did you get that parse error?

These quotation symbols - not sure if they are understood by the script engine. And for sure they differ from the usual " one. Could you try to replace them with ' ?

This works now. (btw. this was a copy & paste from your wiki >> Introduction Business Rules Scripting session variable content)

If I use function afterLogin(userName, parameters), this is not shown at all in the logfile.
If I place it under function onUnknownSqlMacroIdentifier(name), it works.

My problem is just that I want the result of this:

"C_NO IN (SELECT DISTINCT CAMP_NO FROM LDAP_GROUP_RIGHTS WHERE " +
"GROUP_NO = (SELECT cn FROM LDAP_GROUPS WHERE gidNumber = '" + session['Login.gidNumber'] + "') )";

in the variable, and not the SQL itself. So the SQL would only be called once. Because of this, would afterLogin be useful?

Looks like a bug there. Thanks, I'll fix it.

afterLogin is a very special thingie that cannot be set via UI. You'll have to go directly to the domain storage place, open the Domain.config file and add a parameter there with the script source:

<Configuration Parameter="BusinessRulesScript" Value="function afterLogin(){log('!!! Finally, Im here');log(JSON.stringify(session)); /* put your code here */}" />

You need to close the Relativity server before editing this file.