Details
Improvement
Resolution: Fixed
Minor
Description
Erik Coleman 13 hours ago
I'm banging my head into the wall with a new conundrum. I've got several working LDAP loader jobs, and I want to create an LDAP_GROUP_SIMPLE to slurp an AD group membership into a Grouper group. This worked before because my CN happens to equal the subjectIdentifier, so I was able to use the JEXL "convertDnToSpecificValue" transform to convert the DN in the "Member" attribute to a subjectIdentifier and it resolves. However, I have a new subject source that is different: the subjectId is sAMAccountName and subjectIdentifier is set to DN. For some reason, it cannot resolve the subject. The different thing is that the "Member" attribute DNs contain the CN, which are in a display name format of "LastName, Firstname (deptname)". The loader finds all the members of the group but can't resolve the subjects; it claims it cannot find them. I've tried changing the subject source search LDAP filters to look at distinguishedName, I've tried setting the subjectIdentifier to CN instead of DN, and I've tried using some JEXL tricks, but ConvertDnToSpecificValue doesn't seem to properly convert the entire CN value. Has anyone had to deal with LDAP group members that don't match subjectId or Identifier? Here's the loader config: