/// <summary> /// Creates a consistent base <see cref="ComposedRuleResult"/> instance with default values /// </summary> /// <param name="entry">The entry for which we are creating a result</param> /// <param name="isValuePresent">Allows calling code to know if the <paramref name="entry"/> has a value for the given <see cref="AttributeName"/></param> /// <returns></returns> protected ComposedRuleResult InitResult(SearchResultEntry entry, out bool isValuePresent) { isValuePresent = false; var result = new ComposedRuleResult() { AttributeName = this.AttributeName, EntityDistinguishedName = entry.Attributes[StringLiterals.DistinguishedName][0].ToString(), ObjectType = ComposedRule.GetObjectType(entry), OriginalValue = null, ProposedAction = ActionType.None }; if (entry.Attributes.Contains(this.AttributeName)) { isValuePresent = true; result.OriginalValue = entry.Attributes[this.AttributeName][0].ToString(); } return(result); }
/// <summary> /// Executes a rule collection against the supplied connection /// </summary> /// <param name="collection">The rule collection to execute</param> /// <param name="connection">The connection used to retrieve entries for processing</param> /// <returns><see cref="RuleCollectionResult"/> or null if canceled</returns> private RuleCollectionResult ExecuteRuleCollection(RuleCollection collection, LdapConnection connection) { // these count all the totals for the connection against which this RuleCollection is being run var stopWatch = new Stopwatch(); long skipCount = 0; long entryCount = 0; long duplicateCount = 0; long errorCount = 0; this.OnStatusUpdate?.Invoke(StringLiterals.LdapConnectionEstablishing); var searchRequest = collection.CreateSearchRequest(); this.OnStatusUpdate?.Invoke(StringLiterals.LdapConnectionEstablished); var errors = new List <ComposedRuleResult>(); this.OnStatusUpdate?.Invoke(StringLiterals.BeginningQuery); while (true) { var searchResponse = (SearchResponse)connection.SendRequest(searchRequest); // verify support for paged results if (searchResponse.Controls.Length != 1 || !(searchResponse.Controls[0] is PageResultResponseControl)) { this.OnStatusUpdate?.Invoke(StringLiterals.CannotPageResultSet); throw new InvalidOperationException(StringLiterals.CannotPageResultSet); } foreach (SearchResultEntry entry in searchResponse.Entries) { if (this.CancellationPending) { return(null); } if (collection.Skip(entry)) { skipCount++; continue; } // this tracks the number of entries we have processed and not skipped entryCount++; foreach (var composedRule in collection.Rules) { // run each composed rule which can produce multiple results var results = composedRule.Execute(entry); for (var i = 0; i < results.Length; i++) { var result = results[i]; if (!result.Success) { errorCount++; if (result.Results.Any(r => (r.ErrorTypeFlags & ErrorType.Duplicate) != 0)) { duplicateCount++; if (result.ProposedAction == ActionType.Edit) { // Add original LDAP entry with the same value. var originalEntry = DuplicateStore.GetOriginalSearchResultEntry(result.AttributeName, result.OriginalValue); var additionalResult = new ComposedRuleResult { AttributeName = result.AttributeName, EntityDistinguishedName = originalEntry.DistinguishedName, EntityCommonName = originalEntry.Attributes[StringLiterals.Cn][0].ToString(), ObjectType = ComposedRule.GetObjectType(entry), OriginalValue = result.OriginalValue, ProposedAction = result.ProposedAction, ProposedValue = result.ProposedValue, Results = new RuleResult[] { new RuleResult(false) { ErrorTypeFlags = ErrorType.Duplicate, ProposedAction = result.ProposedAction, UpdatedValue = result.OriginalValue } }, Success = result.Success }; errors.Add(additionalResult); } } errors.Add(result); } } } } // handle paging var cookie = searchResponse.Controls.OfType <PageResultResponseControl>().First().Cookie; // if this is true, there are no more pages to request if (cookie.Length == 0) { break; } searchRequest.Controls.OfType <PageResultRequestControl>().First().Cookie = cookie; } // we are all done, stop tracking time stopWatch.Stop(); return(new RuleCollectionResult { TotalDuplicates = duplicateCount, TotalErrors = errorCount, TotalFound = skipCount + entryCount, TotalSkips = skipCount, TotalProcessed = entryCount, Elapsed = stopWatch.Elapsed, Errors = errors.ToArray() }); }
/// <summary> /// Gets the object type as a string for the given <paramref name="entry"/> /// </summary> /// <param name="entry"><see cref="SearchResultEntry"/> whose object type we want</param> /// <returns></returns> protected string GetObjectType(SearchResultEntry entry) { return(ComposedRule.GetObjectType(entry)); }
/// <summary> /// Logic to determine if a given <see cref="SearchResultEntry"/> is skipped for processing /// </summary> /// <param name="entry"><see cref="SearchResultEntry"/> to check</param> /// <returns>True if <paramref name="entry"/> should be skipped, false if it should be processed</returns> public override bool Skip(SearchResultEntry entry) { string objectDn = String.Empty; try { objectDn = entry.Attributes[StringLiterals.DistinguishedName][0].ToString(); // Active Directory Synchronization in Office 365 // http://technet.microsoft.com/en-us/library/hh852469.aspx#bkmk_adcleanup // Remove duplicate proxyAddress and userPrincipalName attributes. // Update blank and invalid userPrincipalName attributes with a valid userPrincipalName. // Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName, displayName, // mail, proxyAddresses, mailNickname, and userPrincipalName attributes. // Appendix F Directory Object Preparation // http://technet.microsoft.com/en-us/library/hh852533.aspx // Any object is filtered if: // match well known exclusion pattern if (entry.Attributes[StringLiterals.Cn][0].ToString().EndsWith("$", StringComparison.CurrentCultureIgnoreCase)) { return(true); } foreach (string exclusion in Constants.WellKnownExclusions) { if (entry.Attributes[StringLiterals.Cn][0].ToString().ToUpperInvariant().StartsWith(exclusion.ToUpperInvariant(), StringComparison.CurrentCultureIgnoreCase)) { return(true); } } // •Object is a conflict object (DN contains \0ACNF: ) if (entry.Attributes[StringLiterals.DistinguishedName][0].ToString().IndexOf("\0ACNF:", StringComparison.CurrentCultureIgnoreCase) != -1) { return(true); } // •isCriticalSystemObject is present if (entry.Attributes.Contains(StringLiterals.IsCriticalSystemObject)) { if (Convert.ToBoolean(entry.Attributes[StringLiterals.IsCriticalSystemObject][0].ToString(), CultureInfo.CurrentCulture) == true) { return(true); } } // determine objectClass string objectType = ComposedRule.GetObjectType(entry); // User objects are filtered if: if (objectType.Equals("user", StringComparison.CurrentCultureIgnoreCase)) { if (entry.Attributes.Contains(StringLiterals.SamAccountName)) { // SamAccountName exclusions if (entry.Attributes[StringLiterals.SamAccountName][0].ToString().ToUpperInvariant().StartsWith("CAS_", StringComparison.CurrentCultureIgnoreCase) || entry.Attributes[StringLiterals.SamAccountName][0].ToString().ToUpperInvariant().StartsWith("SUPPORT_", StringComparison.CurrentCultureIgnoreCase) || entry.Attributes[StringLiterals.SamAccountName][0].ToString().ToUpperInvariant().StartsWith("MSOL_", StringComparison.CurrentCultureIgnoreCase)) { return(true); } } else { // •sAMAccountName is not present //return true; } if (entry.Attributes.Contains(StringLiterals.MailNickName)) { // mailNickName exclusions if (entry.Attributes[StringLiterals.MailNickName][0].ToString().ToUpperInvariant().StartsWith("CAS_", StringComparison.CurrentCultureIgnoreCase) || entry.Attributes[StringLiterals.MailNickName][0].ToString().ToUpperInvariant().StartsWith("SYSTEMMAILBOX", StringComparison.CurrentCultureIgnoreCase)) { return(true); } } if (entry.Attributes.Contains(StringLiterals.DisplayName) && entry.Attributes.Contains(StringLiterals.MsExchHideFromAddressLists)) { if (Convert.ToBoolean(entry.Attributes[StringLiterals.MsExchHideFromAddressLists][0].ToString(), CultureInfo.CurrentCulture) == true && entry.Attributes[StringLiterals.DisplayName][0].ToString().ToUpperInvariant().StartsWith("MSOL", StringComparison.CurrentCultureIgnoreCase)) { return(true); } } // •msExchRecipientTypeDetails == (0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR 0x800000 OR 0x1000000 OR 0x20000000) if (entry.Attributes.Contains(StringLiterals.MsExchRecipientTypeDetails)) { switch (entry.Attributes[StringLiterals.MsExchRecipientTypeDetails][0].ToString()) { case "0x1000": case "0x2000": case "0x4000": case "0x400000": case "0x800000": case "0x1000000": case "0x20000000": return(true); } } } // Group objects are filter if: // List of attributes that are synchronized to Office 365 and attributes that are written back to the on-premises Active Directory Domain Services // http://support.microsoft.com/kb/2256198 // NOTE: these are listed as group filters in the article, but they appear to be an inaccurate mix of filters and errors. // SecurityEnabledGroup objects are filtered if: // •isCriticalSystemObject = TRUE // •mail is present AND DisplayName is not present // •Group has more than 15,000 immediate members // MailEnabledGroup objects are filtered if: // •DisplayName is empty // •(ProxyAddress does not have a primary SMTP address) AND (mail attribute is not present/invalid - i.e. indexof ('@') <= 0) // •Group has more than 15,000 immediate members if (objectType.Equals("group", StringComparison.CurrentCultureIgnoreCase)) { if (Convert.ToInt64(entry.Attributes[StringLiterals.GroupType][0].ToString(), CultureInfo.CurrentCulture) < 0) // security group { if (!entry.Attributes.Contains(StringLiterals.Mail)) { return(true); } } else // distribution group { if (!entry.Attributes.Contains(StringLiterals.ProxyAddresses)) { return(true); } } } return(false); } catch (Exception ex) { this.InvokeStatus(StringLiterals.Exception + "Result Filter: " + objectDn + " " + ex.Message); } return(false); }