Hi all I have some questions about ldap ingestion a I ve got DataHub #ingestion

Hi all, I have some questions about ldap ingestion...

broad-flag-97458

05/26/2021, 12:44 PM

Hi all, I have some questions about ldap ingestion. a. I’ve got a service account that has the

sn

set but not a

given_name

. I saw the optional parameter

drop_missing_first_last_name

but I don’t think it’s applicable because this account does have a last_name. My question is should I just ensure that each user in a group has a proper givenName and sn? Or would there be a use case in general to be able to exclude users if they don’t have a givenName? I’ve got to capture it like (diff)

Copy code

-        first_name = attrs["givenName"][0].decode()
+        first_name = (attrs["givenName"][0]).decode() if "givenName" in attrs else None

a. I guess our LDAP server (active directory) is structured a little different than the assumptions. I had to add this block to make ldap ingestion work (otherwise I’d get index errors, etc.). My question is, is this a typical scenario that should be captured more broadly or is it just my screwy ldap setup? Diff:

Copy code

+                if "objectClass" in attrs:
                 if (
-                    b"inetOrgPerson" in attrs["objectClass"]
+                        b"organizationalPerson" in attrs["objectClass"]
+                        or b"inetOrgPerson" in attrs["objectClass"]
                     or b"posixAccount" in attrs["objectClass"]

loud-island-88694

05/26/2021, 1:18 PM

@gray-shoe-75895 can help here

gray-shoe-75895

05/26/2021, 5:43 PM

Hey @broad-flag-97458 - everyone seems to use ldap a bit differently, so its more that ldap is screwy and lacks standardization 🙂 . The

drop_missing_first_last_name

parameter was added to work around some issues with Microsoft Active Directory, and we can definitely tweak it a little bit to work for you as well - I’m curious what sorts of users have a last name but not a first name in your system. Ditto with the objectClass issue.

gray-shoe-75895

05/26/2021, 5:43 PM

I’ve found that the easiest way to debug these ldap issues is to hop on a call - let me know if you’re up for that

broad-flag-97458

05/26/2021, 6:07 PM

hey Harshal, I’m down with chatting if it makes things easier! To answer your questions: 1. I’m only looking in the one group that I manage in AD right now. In there I have a service account. I’d imagine that the AD admins just didn’t provide a ‘given_name’ since it’s not an actual person. 2. as for

objectClass

, I noticed that as the ingest was looping through my group that it encountered something strange (it seemingly saw

ref: ldap://[domain].com/CN=Configuration,DC=[domain],DC=com

as a user? I know because I just did a simple debug

print()

on the attrs as it was iterating) 3. For

organizationalPerson

I guess it’s just that our AD admins use that vs

inetOrgPerson

gray-shoe-75895

06/02/2021, 10:33 PM

Sorry, looks like I dropped the ball on this - let’s set up some time to chat https://calendly.com/harshalsheth/30min

broad-flag-97458

06/03/2021, 2:40 AM

Perfect, I setup something for tomorrow if that works for you!

✅ 1

Open in Slack

Previous Next