Conditional attribute mapping
The configuration file allows conditional attribute value mappings to support AD users that are marked as disabled.
Replace the "scim" block with a "cond-scim" block. For example:
{
  "ldap": "userAccountControl",
  "cond-scim": {
    "if": {"&": ["{{value}}", "2"]},
    "then": {"active": false},
    "else": {"active": true}
  }
}
The preceding code example does an arithmetic bit test of the userAccountControl
attribute value against 0x00000002. If the bit is set (the bitwise "and" operation produces a
nonzero result), then {"active":false} is merged into the new user outline entry;
otherwise {"active":true} is merged into it. A few logic operators are
implemented, but only the "&" (bitwise and) expression was tested.
- "&" (bitwise and)
- "!" (logical not)
- "&&" (logical and)
- "||" (logical or)
- "==" (string equality)
For example, you could make the resulting SCIM attribute value conditional
on the LDAP AD attribute value being equal to one of two strings. String comparisons are
case-insensitive.
"if": {
  "||": [
    {"==": ["{{value}}", "Fred"]},
    {"==": ["{{value}}", "Barney"]}
  ]
},
"then":...
"else":...
The example IcbLdapSync.json contains the JSON config for supporting the
mapping of the AD LDAP "userAccountControl" attribute to the Verify-SCIM
"active" attribute.