scimgateway 4.5.7 → 4.5.9

package/README.md

@@ -16,7 +16,7 @@ Validated through IdP's:
   
 Latest news:  
 
-- Supports stream publishing mode having [SCIM Stream](https://elshaug.xyz/docs/scim-stream) as a prerequisite. In this mode, standard incoming SCIM requests from your Identity Provider (IdP) or API are directed and published to the stream. Subsequently, one of the gateways subscribing to the channel utilized by the publisher will manage the SCIM request, and response back. Using SCIM Stream we have egress/outbound only traffic and get loadbalancing/failover by adding more gateways subscribing to the same channel.
+- Supports stream publishing mode having [SCIM Stream](https://elshaug.xyz/docs/scim-stream) as a prerequisite. In this mode, standard incoming SCIM requests from your Identity Provider (IdP) or API are directed and published to the stream. Subsequently, one of the gateways subscribing to the channel utilized by the publisher will manage the SCIM request, and response back. Using SCIM Stream we have only egress/outbound traffic and get loadbalancing/failover by adding more gateways subscribing to the same channel.
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using SCIM Stream
 - Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway. Kubernetes health checks and shutdown handler support
 - Supports OAuth Client Credentials authentication
@@ -65,7 +65,7 @@ Can be used to chain several gateways
 
 * **Soap** (SOAP Webservice)  
 Demonstrates user provisioning towards SOAP-Based endpoint  
-Excample WSDLs are included  
+Example WSDLs are included  
 Using endpoint "Forwardinc" as an example (comes with Symantec/Broadcom/CA IM SDK - SDKWS)   
 Shows how to implement a highly configurable multi tenant or multi endpoint solution through `baseEntity` in URL  
 
@@ -84,7 +84,7 @@ Includes Symantec/Broadcom/CA ConnectorXpress metafile for creating provisioning
 * **LDAP** (Directory)  
 Fully functional LDAP plugin  
 Pre-configured for Microsoft Active Directory  
-Using endpointMapper (like plugin-entra-id) for attribute flexibility  
+Using endpointMapper (like plugin-entra-id) for attribute mapping flexibility  
 
 * **API** (REST Webservices)  
 Demonstrates API Gateway/plugin functionality using post/put/patch/get/delete  
@@ -1163,6 +1163,54 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.5.9
+  
+[Improved]  
+
+- Dependencies bump  
+
+### v4.5.8  
+
+[Fixed]
+
+- plugin-ldap failed when using national special characters and some other LDAP special characters in DN
+
+Note, plugin-ldap now has following new configuration:
+
+	"ldap": {
+	  "isOpenLdap": false,
+	  ...
+	  "namingAttribute": {
+		"user": [
+		  {
+			"attribute": "CN",
+			"mapTo": "userName"
+		  }
+		],
+		"group": [
+		  {
+			"attribute": "CN",
+			"mapTo": "displayName"
+		  }
+		]
+	  },
+	  ...
+	}
+
+`isOpenLdap` true/false decides whether or not OpenLDAP Foundation protocol should be used for national characters and special characters in DN. For Active Directory, default isOpenLdap=false should be used.
+
+`namingAttribute` can now be linked to scim `mapTo` attribute and is not hardcoded like it was in previous version.
+
+Previous `userNamingAttr` and `groupNamingAttr` shown below, is now deprecated
+
+	"ldap": {
+	  ...
+	  "userNamingAttr": "CN",
+	  "groupNamingAttr": "CN",
+	  ...
+	}
+
+
 ### v4.5.7  
 
 [Fixed]

package/config/plugin-ldap.json

@@ -139,12 +139,25 @@
         "username": "CN=Administrator,CN=Users,DC=test,DC=com",
         "password": "password",
         "ldap": {
+          "isOpenLdap": false,
           "userBase": "CN=Users,DC=test,DC=com",
           "groupBase": "OU=Groups,DC=test,DC=com",
           "userFilter": null,
           "groupFilter": null,
-          "userNamingAttr": "CN",
-          "groupNamingAttr": "CN",
+          "namingAttribute": {
+            "user": [
+              {
+                "attribute": "CN",
+                "mapTo": "userName"
+              }
+            ],
+            "group": [
+              {
+                "attribute": "CN",
+                "mapTo": "displayName"
+              }
+            ]
+          },
           "userObjectClasses": [
             "user",
             "person",

package/lib/plugin-api.js

@@ -283,8 +283,8 @@ const getAccessToken = async (baseEntity, ctx) => {
       lock.release()
       throw (err)
     }
-    if (config.entity[baseEntity].tokenAuth) { // in case response using token instead of access_token
-      if (jbody.token) jbody.access_token = jbody.token
+    if (config.entity[baseEntity].tokenAuth) { // custom access_token
+      if (jbody.accessToken) jbody.access_token = jbody.accessToken
     }
     if (!jbody.access_token) {
       const err = new Error(`[${action}] Error message: Retrieved invalid token response`)

package/lib/plugin-ldap.js

@@ -31,6 +31,10 @@
 //   ...
 //  }
 //
+// Configuration isOpenLdap true/false decides whether or not OpenLDAP Foundation protocol should
+// be used for national characters and special characters in DN.
+// For Active Directory, default isOpenLdap=false should be used
+//
 // Attributes according to map definition in the configuration file plugin-ldap.json:
 //
 // GlobalUser   Template                  Scim                                          Endpoint
@@ -70,6 +74,7 @@
 'use strict'
 
 const ldap = require('ldapjs')
+const { BerReader } = require('@ldapjs/asn1')
 
 // start - mandatory plugin initialization
 let ScimGateway = null
@@ -86,33 +91,6 @@ config = scimgateway.processExtConfig(pluginName, config) // add any external co
 scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
 // end - mandatory plugin initialization
 
-if (!config.map || !config.map.user) {
-  scimgateway.logger.error(`${pluginName} map.user configuration is mandatory`)
-  process.exit(1)
-}
-
-config.useSID_id = config.map.user.objectSid && config.map.user.objectSid.mapTo === 'id' // AD proprietary SID/GUID
-config.useGUID_id = config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id'
-if (config.useSID_id && config.map.group) {
-  if (!config.map.group.objectSid || config.map.group.objectSid.mapTo !== 'id') {
-    scimgateway.logger.error(`${pluginName} missing configuration group.objectSid - user and group should be using the same attribute`)
-    process.exit(1)
-  }
-} else if (config.useGUID_id && config.map.group) {
-  if (!config.map.group.objectGUID || config.map.group.objectGUID.mapTo !== 'id') {
-    scimgateway.logger.error(`${pluginName} missing configuration group.objectGUID - user and group should be using the same attribute`)
-    process.exit(1)
-  }
-}
-if (config.map.user.userPrincipalName && config.map.user.userPrincipalName.mapDomain) { // support mapping different inbound/outbound upn domain names
-  if (config.map.user.userPrincipalName.mapDomain.inbound && config.map.user.userPrincipalName.mapDomain.outbound) {
-    const inbound = config.map.user.userPrincipalName.mapDomain.inbound
-    const outbound = config.map.user.userPrincipalName.mapDomain.outbound
-    config.map.user.userPrincipalName.mapDomain.inbound = inbound.startsWith('@') ? inbound : '@' + inbound // "@my-company.com"
-    config.map.user.userPrincipalName.mapDomain.outbound = outbound.startsWith('@') ? outbound : '@' + outbound // "@test.onmicrosoft.com
-  } else delete config.map.user.userPrincipalName.mapDomain
-}
-
 // =================================================
 // getUsers
 // =================================================
@@ -185,12 +163,12 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
             attributes: attrs
           }
         } else { // search instead of lookup
+          const filter = createAndFilter(baseEntity, 'user', [{ attribute: userIdAttr, value: getObj.value }])
           ldapOptions = {
-            filter: `&${getObjClassFilter(baseEntity, 'user')}(${userIdAttr}=${getObj.value})`, // &(objectClass=user)(objectClass=person)(objectClass=organizationalPerson)(objectClass=top)(sAMAccountName=bjensen)
-            scope: scope,
+            filter,
+            scope: 'sub',
             attributes: attrs
           }
-          if (config.entity[baseEntity].ldap.userFilter) ldapOptions.filter += config.entity[baseEntity].ldap.userFilter
         }
       }
     } else if (getObj.operator === 'eq' && getObj.attribute === 'group.value') {
@@ -199,12 +177,14 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     } else {
       // optional - simpel filtering
       if (getObj.operator === 'eq') {
+        const [filterAttr, err] = scimgateway.endpointMapper('outbound', getObj.attribute, config.map.user)
+        if (err) throw new Error(`${action} error: ${err.message}`)
+        const filter = createAndFilter(baseEntity, 'user', [{ attribute: filterAttr, value: getObj.value }])
         ldapOptions = {
-          filter: `&${getObjClassFilter(baseEntity, 'user')}(${getObj.attribute}=${getObj.value})`, // &(objectClass=user)(objectClass=person)(objectClass=organizationalPerson)(objectClass=top)(employeeNumber=123)
-          scope: scope,
+          filter,
+          scope,
           attributes: attrs
         }
-        if (config.entity[baseEntity].ldap.userFilter) ldapOptions.filter += config.entity[baseEntity].ldap.userFilter
       } else {
         throw new Error(`${action} error: not supporting simpel filtering: ${getObj.rawFilter}`)
       }
@@ -214,12 +194,12 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     throw new Error(`${action} error: not supporting advanced filtering: ${getObj.rawFilter}`)
   } else {
     // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all users to be returned - correspond to exploreUsers() in versions < 4.x.x
+    const filter = createAndFilter(baseEntity, 'user', [{ attribute: userIdAttr, value: '*' }])
     ldapOptions = {
-      filter: `&${getObjClassFilter(baseEntity, 'user')}(${userIdAttr}=*)`,
-      scope: scope,
+      filter,
+      scope,
       attributes: attrs
     }
-    if (config.entity[baseEntity].ldap.userFilter) ldapOptions.filter += config.entity[baseEntity].ldap.userFilter
   }
   // end mandatory if-else logic
 
@@ -229,8 +209,6 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     const users = await doRequest(baseEntity, method, base, ldapOptions, ctx) // ignoring SCIM paging startIndex/count - get all
     result.totalResults = users.length
     result.Resources = await Promise.all(users.map(async (user) => { // Promise.all because of async map
-      if (user.name) delete user.name // because mapper converts to SCIM name.xxx
-
       // endpoint spesific attribute handling
       // "active" must be handled separate
       if (user.userAccountControl !== undefined) { // SCIM "active" - Active Directory
@@ -263,7 +241,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
       }
 
       const scimObj = scimgateway.endpointMapper('inbound', user, config.map.user)[0] // endpoint attribute naming => SCIM
-      if (!scimObj.groups) scimObj.groups = []
+      // if (!scimObj.groups) scimObj.groups = []
       return scimObj
     }))
   } catch (err) {
@@ -317,8 +295,16 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   // endpointObj.objectClass is mandatory and must must match your ldap schema
   endpointObj.objectClass = config.entity[baseEntity].ldap.userObjectClasses // Active Directory: ["user", "person", "organizationalPerson", "top"]
 
+  let base = ''
+  const [userNamingAttr, scimAttr] = getNamingAttribute(baseEntity, 'user') // ['CN', 'userName']
+  const arr = scimAttr.split('.')
+  if (arr.length < 2) {
+    base = `${userNamingAttr}=${userObj[scimAttr]},${userBase}`
+  } else {
+    base = `${userNamingAttr}=${userObj[arr[0]][arr[1]]},${userBase}`
+  }
+
   const method = 'add'
-  const base = `${config.entity[baseEntity].ldap.userNamingAttr}=${userObj.userName},${userBase}`
   const ldapOptions = endpointObj
 
   try {
@@ -371,7 +357,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
     delete attrObj.groups // make sure to be removed from attrObj
 
     const [groupsAttr] = scimgateway.endpointMapper('outbound', 'groups.value', config.map.user)
-    const grp = { add: { }, remove: { } }
+    const grp = { add: {}, remove: {} }
     grp.add[groupsAttr] = []
     grp.remove[groupsAttr] = []
 
@@ -510,8 +496,8 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
     totalResults: null
   }
 
-  if (!config.map.group || !config.entity[baseEntity].ldap.groupBase) { // not using groups
-    scimgateway.logger.debug(`${pluginName}[${baseEntity}] "${action}" stopped - missing configuration endpoint.map.group or groupBase`)
+  if (!config?.map?.group || !config.entity[baseEntity]?.ldap?.groupBase) { // not using groups
+    scimgateway.logger.debug(`${pluginName}[${baseEntity}] "${action}" skip group handling - missing configuration endpoint.map.group or groupBase`)
     return result
   }
 
@@ -536,7 +522,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   // mandatory if-else logic - start
   if (getObj.operator) {
     if (getObj.operator === 'eq' && ['id', 'displayName', 'externalId'].includes(getObj.attribute)) {
-    // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
+      // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
       if (getObj.attribute === 'id') { // lookup using dn or objectSid/objectGUID (Active Directory)
         if (config.useSID_id) {
           const sid = convertStringToSid(getObj.value) // sid using formatted string instead of default hex
@@ -566,12 +552,12 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
             attributes: attrs
           }
         } else { // search instead of lookup
+          const filter = createAndFilter(baseEntity, 'group', [{ attribute: groupIdAttr, value: getObj.value }])
           ldapOptions = {
-            filter: `&${getObjClassFilter(baseEntity, 'group')}(${groupIdAttr}=${getObj.value})`, // &(objectClass=group)(cn=Group1)
-            scope: scope,
+            filter,
+            scope,
             attributes: attrs
           }
-          if (config.entity[baseEntity].ldap.groupFilter) ldapOptions.filter += config.entity[baseEntity].ldap.groupFilter
         }
       }
     } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') {
@@ -580,19 +566,30 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
       ldapOptions = 'getMemberOfGroups'
     } else {
       // optional - simpel filtering
-      throw new Error(`${action} error: not supporting simpel filtering: ${getObj.rawFilter}`)
+      if (getObj.operator === 'eq') {
+        const [filterAttr, err] = scimgateway.endpointMapper('outbound', getObj.attribute, config.map.group)
+        if (err) throw new Error(`${action} error: ${err.message}`)
+        const filter = createAndFilter(baseEntity, 'group', [{ attribute: filterAttr, value: getObj.value }])
+        ldapOptions = {
+          filter,
+          scope,
+          attributes: attrs
+        }
+      } else {
+        throw new Error(`${action} error: not supporting simpel filtering: ${getObj.rawFilter}`)
+      }
     }
   } else if (getObj.rawFilter) {
     // optional - advanced filtering having and/or/not - use getObj.rawFilter
     throw new Error(`${action} error: not supporting advanced filtering: ${getObj.rawFilter}`)
   } else {
-  // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all groups to be returned - correspond to exploreGroups() in versions < 4.x.x
+    // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all groups to be returned - correspond to exploreGroups() in versions < 4.x.x
+    const filter = createAndFilter(baseEntity, 'group', [{ attribute: groupDisplayNameAttr, value: '*' }])
     ldapOptions = {
-      filter: `&${getObjClassFilter(baseEntity, 'group')}(${groupDisplayNameAttr}=*)`,
-      scope: scope,
+      filter,
+      scope,
       attributes: attrs
     }
-    if (config.entity[baseEntity].ldap.groupFilter) ldapOptions.filter += config.entity[baseEntity].ldap.groupFilter
   }
   // mandatory if-else logic - end
 
@@ -639,6 +636,7 @@ scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" groupObj=${JSON.stringify(groupObj)}`)
 
   if (!config.map.group) throw new Error(`${action} error: missing configuration endpoint.map.group`)
+  const groupBase = config.entity[baseEntity].ldap.groupBase
 
   // convert SCIM attributes to endpoint attributes according to config.map
   const [endpointObj] = scimgateway.endpointMapper('outbound', groupObj, config.map.group)
@@ -646,13 +644,23 @@ scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   // endpointObj.objectClass is mandatory and must must match your ldap schema
   endpointObj.objectClass = config.entity[baseEntity].ldap.groupObjectClasses // Active Directory: ["group"]
 
+  let base = ''
+  const [groupNamingAttr, scimAttr] = getNamingAttribute(baseEntity, 'group') // ['CN', 'displayName']
+  const arr = scimAttr.split('.')
+  if (arr.length < 2) {
+    base = `${groupNamingAttr}=${groupObj[scimAttr]},${groupBase}`
+  } else {
+    base = `${groupNamingAttr}=${groupObj[arr[0]][arr[1]]},${groupBase}`
+  }
+
   const method = 'add'
-  const base = `${config.entity[baseEntity].ldap.groupNamingAttr}=${groupObj.displayName},${config.entity[baseEntity].ldap.groupBase}`
   const ldapOptions = endpointObj
 
   try {
     await doRequest(baseEntity, method, base, ldapOptions, ctx)
-    return null
+    const res = await scimgateway.getGroups(baseEntity, { attribute: 'id', operator: 'eq', value: base }, [], ctx)
+    if (res && Array.isArray(res.Resources) && res.Resources.length === 1) return res.Resources[0]
+    else return null
   } catch (err) {
     const newErr = new Error(`${action} error: ${err.message}`)
     if (newErr.message.includes('ENTRY_EXISTS')) newErr.name += '#409' // customErrCode
@@ -703,7 +711,7 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   const [memberAttr] = scimgateway.endpointMapper('outbound', 'members.value', config.map.group)
   if (!memberAttr && attrObj.members) throw new Error(`${action} error: missing attribute mapping configuration for group members`)
 
-  const grp = { add: { }, remove: { } }
+  const grp = { add: {}, remove: {} }
   grp.add[memberAttr] = []
   grp.remove[memberAttr] = []
 
@@ -764,22 +772,82 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
 const _serviceClient = {}
 
 //
-// getObjClassFilter returns object classes to be included in search
+// createAndFilter creates AndFilter object to be used as filter instead of standard string filter
+// Using AndFilter object for eliminating internal ldapjs escaping problems related to values with some
+// combinations of parentheses e.g. ab(c)d
 //
-const getObjClassFilter = (baseEntity, type) => {
-  let filter = ''
+const createAndFilter = (baseEntity, type, arrObj) => {
+  const objFilters = []
+
+  // add arrObj
+  for (let i = 0; i < arrObj.length; i++) {
+    if (arrObj[i].value.indexOf('*') > -1) { // SubstringFilter or PresenceFilter
+      const arr = arrObj[i].value.split('*')
+      if (arr.length === 2 && !arr[0] && !arr[1]) { // cn=*
+        const f = new ldap.PresenceFilter({ attribute: arrObj[i].attribute })
+        objFilters.push(f)
+      } else { // cn=ab*cd*e
+        const fObj = {
+          attribute: arrObj[i].attribute
+        }
+        const arrAny = []
+        fObj.initial = arr[0]
+        if (!fObj.initial) delete fObj.initial
+        for (let i = 1; i < arr.length - 1; i++) {
+          arrAny.push(arr[i])
+        }
+        fObj.any = arrAny
+        if (arr[arr.length - 1]) {
+          fObj.final = arr[arr.length - 1]
+        }
+        const f = new ldap.SubstringFilter(fObj)
+        objFilters.push(f)
+      }
+    } else { // EqualityFilter cn=abc
+      const f = new ldap.EqualityFilter({ attribute: arrObj[i].attribute, value: arrObj[i].value })
+      objFilters.push(f)
+    }
+  }
+
+  // add from configuration objectClass and userFiter/groupFilter
   switch (type) {
     case 'user':
       for (let i = 0; i < config.entity[baseEntity].ldap.userObjectClasses.length; i++) {
-        filter += `(objectClass=${config.entity[baseEntity].ldap.userObjectClasses[i]})`
+        const f = new ldap.EqualityFilter({ attribute: 'objectClass', value: config.entity[baseEntity].ldap.userObjectClasses[i] })
+        objFilters.push(f)
+      }
+      if (config.entity[baseEntity].ldap.userFilter) {
+        try {
+          const uf = ldap.parseFilter(config.entity[baseEntity].ldap.userFilter)
+          objFilters.push(uf)
+        } catch (err) {
+          throw new Error(`configuration ldap.userFilter: ${config.entity[baseEntity].ldap.userFilter} - parseFilter error: ${err.message}`)
+        }
       }
       break
     case 'group':
       for (let i = 0; i < config.entity[baseEntity].ldap.groupObjectClasses.length; i++) {
-        filter += `(objectClass=${config.entity[baseEntity].ldap.groupObjectClasses[i]})`
+        const f = new ldap.EqualityFilter({ attribute: 'objectClass', value: config.entity[baseEntity].ldap.groupObjectClasses[i] })
+        objFilters.push(f)
+        if (config.entity[baseEntity].ldap.groupFilter) {
+          try {
+            const gf = ldap.parseFilter(config.entity[baseEntity].ldap.groupFilter)
+            objFilters.push(gf)
+          } catch (err) {
+            throw new Error(`configuration ldap.groupFilter: ${config.entity[baseEntity].ldap.groupFilter} - parseFilter error: ${err.message}`)
+          }
+        }
       }
       break
   }
+
+  // put all into AndFilter
+  const filter = new ldap.AndFilter({
+    filters: [
+      ...objFilters
+    ]
+  })
+
   return filter
 }
 
@@ -858,10 +926,10 @@ const convertSidToString = (buf) => {
     for (i = 0, end = subAuthorityCount - 1, asc = end >= 0; asc ? i <= end : i >= end; asc ? i++ : i--) {
       const subAuthOffset = i * 4
       const tmp =
-      pad(buf[11 + subAuthOffset].toString(16)) +
-      pad(buf[10 + subAuthOffset].toString(16)) +
-      pad(buf[9 + subAuthOffset].toString(16)) +
-      pad(buf[8 + subAuthOffset].toString(16))
+        pad(buf[11 + subAuthOffset].toString(16)) +
+        pad(buf[10 + subAuthOffset].toString(16)) +
+        pad(buf[9 + subAuthOffset].toString(16)) +
+        pad(buf[8 + subAuthOffset].toString(16))
       sidString += `-${parseInt(tmp, 16)}`
     }
   } catch (err) {
@@ -946,9 +1014,10 @@ const getMemberOfGroups = async (baseEntity, id, ctx) => {
   const scope = 'sub'
   const base = config.entity[baseEntity].ldap.groupBase
 
+  const filter = createAndFilter(baseEntity, 'group', [{ attribute: memberAttr, value: idDn }])
   const ldapOptions = {
-    filter: `&${getObjClassFilter(baseEntity, 'group')}(${memberAttr}=${idDn})`,
-    scope: scope,
+    filter,
+    scope,
     attributes: attrs
   }
 
@@ -967,6 +1036,192 @@ const getMemberOfGroups = async (baseEntity, id, ctx) => {
   }
 }
 
+//
+// ldapEscDn will escape DN according to the LDAP standard adjusted to ldapjs behavior
+// using OpenLDAP, DN must be escaped - national characters and special ldap characters
+// using Active Directory (none OpenLDAP), DN should not be escaped, but DN retrieved from AD is character escaped
+//
+const ldapEscDn = (isOpenLdap, str) => {
+  if (!str) return str
+
+  if (!isOpenLdap && str.indexOf('\\') > 0) {
+    const conv = str.replace(/\\([0-9A-Fa-f]{2})/g, (_, hex) => {
+      const intAscii = parseInt(hex, 16)
+      if (intAscii > 128) { // extended ascii - will be unescaped by decodeURIComponent
+        return '%' + hex
+      } else { // use character escape
+        return '\\' + String.fromCharCode(intAscii)
+      }
+    })
+    str = decodeURIComponent(conv)
+    str = str.replace(/\\/g, '') // lower ascii may be character escaped e.g. 'cn=Kürt\, Lastname' - see below comma logic
+  }
+
+  const arr = str.split(',')
+  for (let i = 0; i < arr.length; i++) { // CN=Firstname, Lastname,OU=...
+    if (!arr[i]) { // value having comma only
+      if (arr[i - 1].charAt(arr[i - 1].length - 1) === '\\') {
+        arr[i - 1] = arr[i - 1].substring(0, arr[i - 1].length - 1)
+      }
+      if (isOpenLdap) arr[i - 1] += '\\,'
+      else arr[i - 1] += ','
+      arr.splice(i, 1)
+      i -= 1
+      continue
+    }
+    const a = arr[i].split('=')
+    if (a.length < 2 && i > 0) { // value having comma and content
+      if (arr[i - 1].charAt(arr[i - 1].length - 1) === '\\') {
+        arr[i - 1] = arr[i - 1].substring(0, arr[i - 1].length - 1)
+      }
+      if (isOpenLdap) arr[i - 1] += `\\,${ldapEsc(a[0])}`
+      else arr[i - 1] += `,${a[0]}`
+      arr.splice(i, 1)
+      i -= 1
+      continue
+    } else {
+      if (isOpenLdap) arr[i] = `${a[0]}=${ldapEsc(a[1])}`
+      else arr[i] = `${a[0]}=${a[1]}`
+    }
+    if (i > 0) break // only escape logic on first, assume sub OU's are correct
+  }
+  if (isOpenLdap) {
+    str = arr.join(',')
+    return str
+  }
+  // Using dn object and BER encoding
+  // e.g., Active Directory to avoid internal ldapjs OpenLDAP validating and string escaping logic
+  const dn = new ldap.DN()
+  for (let i = 0; i < arr.length; i++) {
+    const a = arr[i].split('=') // cn=Kürt
+    if (a.length === 2) {
+      if (i === 0) {
+        const ua = new Uint8Array(Buffer.from(a[1], 'utf-8'))
+        const buf = Buffer.from(new Uint8Array([4, ua.length, ...ua]))
+        const rdn = {}
+        rdn[a[0]] = new BerReader(buf)
+        dn.push(new ldap.RDN(rdn))
+        // new BerReader(Buffer.from([0x04, 0x05, 0x4B, 0xc3, 0xbc, 0x72, 0x74])) // Kürt
+        // the leading 04 is the tag for "octet string" and the following 05 is the length in bytes of the string.
+      } else {
+        const rdn = {}
+        rdn[a[0]] = a[1]
+        dn.push(new ldap.RDN(rdn))
+      }
+    } else {
+      throw new Error('ldapEscDn() invalid DN: ' + str)
+    }
+  }
+  return dn
+}
+
+//
+// ldapEsc will character escape str according to OpenLDAP DN standard
+// Hex encoded escaping (extended and unicode ascii) is not included because
+// automatically handled by ldapjs when not using BER encoded DN
+//
+const ldapEsc = (str) => {
+  if (!str) return str
+  let newStr = ''
+  for (let i = 0; i < str.length; i++) {
+    let c = str[i]
+    let isEsc = false
+    if (i > 0 && str[i - 1] === '\\') isEsc = true
+    switch (c) {
+      case ',':
+        if (isEsc) c = ','
+        else c = '\\,'
+        break
+      case ';':
+        if (isEsc) c = ';'
+        else c = '\\;'
+        break
+      case '+':
+        if (isEsc) c = '+'
+        else c = '\\+'
+        break
+      case '<':
+        if (isEsc) c = '<'
+        else c = '\\<'
+        break
+      case '>':
+        if (isEsc) c = '>'
+        else c = '\\>'
+        break
+      case '=':
+        if (isEsc) c = '='
+        else c = '\\='
+        break
+      case '"':
+        if (isEsc) c = '"'
+        else c = '\\"'
+        break
+      case '(':
+        if (isEsc) c = '('
+        else c = '\\('
+        break
+      case ')':
+        if (isEsc) c = ')'
+        else c = '\\)'
+        break
+    }
+    newStr += c
+  }
+  return newStr
+}
+
+//
+// berDecodeDn decodes a BER string part of type DN
+// OU=#04057573657273,OU=abc,... => OU=users,OU=abc,...
+// only using BER on first part of dn
+// Having BER decoding for Active Directory, but not for OpenLDAP
+//
+const berDecodeDn = (dn) => {
+  if (Object.prototype.toString.call(dn) !== '[object LdapDn]') return dn // OpenLDAP
+  const str = dn.toString()
+  if (str.indexOf('#') < 1) return str
+  const arr = str.split('#')
+  if (arr.length === 2) {
+    const a = arr[1].split(',')
+    if (a.length > 1) {
+      const berStr = a[0].substring(4)
+      let decoded = ''
+      let c = ''
+      if (berStr.length % 2 === 0) {
+        for (let i = 0; i < berStr.length; i++) {
+          c += berStr[i]
+          if (c.length === 2) {
+            const intAscii = parseInt(c, 16)
+            decoded += String.fromCharCode(intAscii)
+            c = ''
+          }
+        }
+      }
+      if (decoded.length > 0) {
+        a.splice(0, 1) // remove element 0 from array
+        return `${arr[0]}${decoded},${a.join(',')}` // OU=users,OU=abc
+      }
+    }
+  }
+  return str
+}
+
+const getNamingAttribute = (baseEntity, type) => {
+  let arr
+  switch (type) {
+    case 'user':
+      arr = config.entity[baseEntity]?.ldap?.namingAttribute?.user
+      break
+    case 'group':
+      arr = config.entity[baseEntity]?.ldap?.namingAttribute?.group
+      break
+    default:
+      throw new Error(`getNamingAttribute error: invalid type ${type}`)
+  }
+  if (!Array.isArray(arr) || arr.length !== 1) throw new Error(`configuration missing namingAttribute definition for ${type}`)
+  return [arr[0].attribute, arr[0].mapTo]
+}
+
 //
 // getCtxAuth returns username/secret from ctx header when using Auth PassThrough
 //
@@ -1034,11 +1289,11 @@ const getServiceClient = async (baseEntity, ctx) => {
 //         "attributes": ["sAMAccountName","displayName","mail"]
 //       }
 //
-const doRequest = async (baseEntity, method, base, ldapOptions, ctx) => {
+const doRequest = async (baseEntity, method, base, options, ctx) => {
   let result = null
   let client = null
+  base = ldapEscDn(config.entity[baseEntity].ldap.isOpenLdap, base)
 
-  const options = scimgateway.copyObj(ldapOptions)
   // support having different upn-domain on IdP and target
   if (options.modification && options.modification.userPrincipalName && config.map.user.userPrincipalName && config.map.user.userPrincipalName.mapDomain) {
     if (options.modification.userPrincipalName.endsWith(config.map.user.userPrincipalName.mapDomain.outbound)) {
@@ -1055,7 +1310,8 @@ const doRequest = async (baseEntity, method, base, ldapOptions, ctx) => {
         options.paged = { pageSize: 200, pagePause: false } // parse entire directory calling 'page' method for each page
         result = await new Promise((resolve, reject) => {
           const results = []
-          client.search(base, scimgateway.copyObj(options), (err, search) => {
+
+          client.search(base, options, (err, search) => {
             if (err) {
               return reject(err)
             }
@@ -1086,6 +1342,23 @@ const doRequest = async (baseEntity, method, base, ldapOptions, ctx) => {
                   scimgateway.logger.debug(`${pluginName}[${baseEntity}] outbound upnMapDomain ${old} => ${obj.userPrincipalName}`)
                 }
               }
+
+              if (obj.dn && obj.dn.indexOf('\\') > 0) {
+                // for OpenLDAP ensure dn is not hex escaped e.g.: cn=K\c3\bcrt => cn=Kürt
+                // because dn may be be used as value in standard attributes like group memberOf
+                obj.dn = obj.dn.replace(/\\\\/g, '__') // temp
+                let conv = obj.dn.replace(/\\([0-9A-Fa-f]{2})/g, (_, hex) => {
+                  const intAscii = parseInt(hex, 16)
+                  if (intAscii > 128) { // extended ascii - will be unescaped by decodeURIComponent
+                    return '%' + hex
+                  } else { // use character escape
+                    return '\\' + String.fromCharCode(intAscii)
+                  }
+                })
+                conv = conv.replace(/__/g, '\\\\')
+                obj.dn = decodeURIComponent(conv)
+              }
+
               results.push(obj)
             })
 
@@ -1115,11 +1388,10 @@ const doRequest = async (baseEntity, method, base, ldapOptions, ctx) => {
               if (mod.values.length > 1) { // delete before replace to keep inbound order
                 changes.push({
                   operation: 'delete',
-                  modification: {type: key, values: []}
+                  modification: { type: key, values: [] }
                 })
               }
-            }
-            else {
+            } else {
               if (typeof options.modification[key] === 'string') mod.values = [options.modification[key]]
               else mod.values = [options.modification[key].toString()]
             }
@@ -1168,14 +1440,20 @@ const doRequest = async (baseEntity, method, base, ldapOptions, ctx) => {
     }
     client.unbind()
   } catch (err) {
-    scimgateway.logger.error(`${pluginName}[${baseEntity}] doRequest method=${method} base=${base} ldapOptions=${JSON.stringify(options)} Error Response = ${err.message}`)
+    if (options.filter && typeof options.filter === 'object') {
+      options.filter = options.filter.toString()
+    }
+    scimgateway.logger.error(`${pluginName}[${baseEntity}] doRequest method=${method} base=${berDecodeDn(base)} ldapOptions=${JSON.stringify(options)} Error Response = ${err.message}`)
     if (client) {
-      try { client.destroy() } catch (err) {}
+      try { client.destroy() } catch (err) { }
     }
     throw err
   }
 
-  scimgateway.logger.debug(`${pluginName}[${baseEntity}] doRequest method=${method} base=${base} ldapOptions=${JSON.stringify(options)} Response=${JSON.stringify(result)}`)
+  if (options.filter && typeof options.filter === 'object') {
+    options.filter = options.filter.toString()
+  }
+  scimgateway.logger.debug(`${pluginName}[${baseEntity}] doRequest method=${method} base=${berDecodeDn(base)} ldapOptions=${JSON.stringify(options)} Response=${JSON.stringify(result)}`)
   return result
 } // doRequest
 
@@ -1186,3 +1464,121 @@ process.on('SIGTERM', () => { // kill
 })
 process.on('SIGINT', () => { // Ctrl+C
 })
+
+//
+// startup initialization
+// at the end to ensure scimgatway logger have started
+//
+if (!config?.map?.user) {
+  scimgateway.logger.error('configuration map.user is missing')
+  throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+} else {
+  let idFound = false
+  let userNameFound = false
+  for (const key in config.map.user) {
+    if (config.map.user[key].mapTo === 'id') idFound = true
+    else if (['userName', 'externalId'].includes(config.map.user[key].mapTo)) userNameFound = true
+    if (idFound && userNameFound) break
+  }
+  if (!idFound || !userNameFound) {
+    scimgateway.logger.error('configuration map.user missing mapTo definition for mandatory id/userName')
+    throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+  }
+}
+if (!config?.map?.group) {
+  scimgateway.logger.info('configuration map.group is not defiend and groups will not be supported')
+} else {
+  let idFound = false
+  let displayNameFound = false
+  for (const key in config.map.group) {
+    if (config.map.group[key].mapTo === 'id') idFound = true
+    else if (config.map.group[key].mapTo === 'displayName') displayNameFound = true
+    if (idFound && displayNameFound) break
+  }
+  if ((!idFound || !displayNameFound) && (Object.keys(config.map.group).length > 0)) {
+    scimgateway.logger.error('configuration map.group missing mapTo definition for mandatory id/displayName')
+    throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+  }
+}
+
+for (const key in config.entity) {
+  const userBase = config.entity[key]?.ldap?.userBase
+  const groupBase = config.entity[key]?.ldap?.groupBase
+  if (!userBase) {
+    scimgateway.logger.error(`configuration missing mandatory endpoint.entity.${key}.ldap.userBase`)
+    throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+  }
+  if (!groupBase && config?.map?.group && Object.keys(config.map.group).length > 0) {
+    scimgateway.logger.error(`configuration missing mandatory endpoint.entity.${key}.ldap.groupBase`)
+    throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+  }
+  let usrArr = config.entity[key]?.ldap?.namingAttribute?.user
+  if (!usrArr || !Array.isArray(usrArr)) { // check for legacy
+    const attr = config.entity[key]?.ldap?.userNamingAttr
+    if (attr) {
+      usrArr = [{ attribute: attr, mapTo: 'userName' }]
+      if (!config.entity[key].ldap.namingAttribute) config.entity[key].ldap.namingAttribute = {}
+      config.entity[key].ldap.namingAttribute.user = scimgateway.copyObj(usrArr)
+    }
+  }
+  if (!Array.isArray(usrArr) || usrArr.length !== 1) {
+    scimgateway.logger.error(`configuration missing namingAttribute: endpoint.entity.${key}.ldap.namingAttribute.user`)
+    throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+  }
+  if (!usrArr[0].attribute || !usrArr[0].mapTo) {
+    scimgateway.logger.error(`configuration missing attribute/mapTo: endpoint.entity.${key}.ldap.namingAttribute.user`)
+    throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+  }
+  const [endpointAttr] = scimgateway.endpointMapper('outbound', usrArr[0].mapTo, config.map.user)
+  if (!endpointAttr) {
+    scimgateway.logger.error(`configuration namingAttribute mapTo:${usrArr[0].mapTo} cannot be found in the map user configuration`)
+    throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+  }
+
+  let grpArr = config.entity[key]?.ldap?.namingAttribute?.group
+  if (config?.map?.group && Object.keys(config.map.group).length > 0) {
+    if (!grpArr || !Array.isArray(grpArr)) { // check for legacy
+      const attr = config.entity[key]?.ldap?.groupNamingAttr
+      if (attr) {
+        grpArr = [{ attribute: attr, mapTo: 'displayName' }]
+        if (!config.entity[key].ldap.namingAttribute) config.entity[key].ldap.namingAttribute = {}
+        config.entity[key].ldap.namingAttribute.group = scimgateway.copyObj(grpArr)
+      }
+    }
+    if (!Array.isArray(grpArr) || grpArr.length !== 1) {
+      scimgateway.logger.error(`configuration missing namingAttribute: endpoint.entity.${key}.ldap.namingAttribute.group`)
+      throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+    }
+    if (!grpArr[0].attribute || !grpArr[0].mapTo) {
+      scimgateway.logger.error(`configuration missing attribute/mapTo: endpoint.entity.${key}.ldap.namingAttribute.group`)
+      throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+    }
+    const [endpointAttr] = scimgateway.endpointMapper('outbound', grpArr[0].mapTo, config.map.group)
+    if (!endpointAttr) {
+      scimgateway.logger.error(`configuration namingAttribute mapTo:${grpArr[0].mapTo} cannot be found in the map group configuration`)
+      throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+    }
+  }
+}
+
+config.useSID_id = config.map.user.objectSid && config.map.user.objectSid.mapTo === 'id' // AD proprietary SID/GUID
+config.useGUID_id = config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id'
+if (config.useSID_id && config.map.group) {
+  if (!config.map.group.objectSid || config.map.group.objectSid.mapTo !== 'id') {
+    scimgateway.logger.error('configuration missing group.objectSid - user and group should be using the same attribute')
+    throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+  }
+} else if (config.useGUID_id && config.map.group) {
+  if (!config.map.group.objectGUID || config.map.group.objectGUID.mapTo !== 'id') {
+    scimgateway.logger.error('configuration missing group.objectGUID - user and group should be using the same attribute')
+    throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
+  }
+}
+if (config.map.user.userPrincipalName && config.map.user.userPrincipalName.mapDomain) { // support mapping different inbound/outbound upn domain names
+  if (config.map.user.userPrincipalName.mapDomain.inbound && config.map.user.userPrincipalName.mapDomain.outbound) {
+    const inbound = config.map.user.userPrincipalName.mapDomain.inbound
+    const outbound = config.map.user.userPrincipalName.mapDomain.outbound
+    config.map.user.userPrincipalName.mapDomain.inbound = inbound.startsWith('@') ? inbound : '@' + inbound // "@my-company.com"
+    config.map.user.userPrincipalName.mapDomain.outbound = outbound.startsWith('@') ? outbound : '@' + outbound // "@test.onmicrosoft.com
+  } else delete config.map.user.userPrincipalName.mapDomain
+}

package/lib/scimgateway.js

@@ -521,8 +521,8 @@ const ScimGateway = function () {
             else expires = oAuthTokenExpire
             config.auth.oauthTokenStore[authToken] = {
               expireDate: Date.now() + expires * 1000,
-              readOnly: readOnly,
-              baseEntities: baseEntities
+              readOnly,
+              baseEntities
             }
             return resolve(true)
           }
@@ -792,8 +792,8 @@ const ScimGateway = function () {
 
     config.auth.oauthTokenStore[token] = { // update token store
       expireDate: dtNow + expires * 1000, // 1 hour
-      readOnly: readOnly,
-      baseEntities: baseEntities
+      readOnly,
+      baseEntities
     }
 
     const tx = {
@@ -844,7 +844,10 @@ const ScimGateway = function () {
     let u = ctx.request.originalUrl.substr(0, ctx.request.originalUrl.lastIndexOf('/'))
     u = u.substr(u.lastIndexOf('/') + 1) // u = Users, Groups
     const handle = handler[u]
-    const id = decodeURIComponent(require('path').basename(ctx.params.id, '.json')) // supports <id>.json
+    let id = decodeURIComponent(ctx.params.id)
+    if (id && id.endsWith('.json')) {
+      id = decodeURIComponent(require('path').basename(id, '.json')) // supports <id>.json
+    }
 
     const getObj = {
       attribute: 'id',
@@ -863,7 +866,7 @@ const ScimGateway = function () {
           handle: handle.getMethod,
           baseEntity: ctx.params.baseEntity,
           obj: ob,
-          attributes: attributes,
+          attributes,
           ctxPassThrough: ctx.passThrough
         }
         logger.debug(`${gwName}[${pluginName}] publishing "${handle.getMethod}" to SCIM Stream and awaiting result`)
@@ -909,7 +912,7 @@ const ScimGateway = function () {
                 handle: handler.groups.getMethod,
                 baseEntity: ctx.params.baseEntity,
                 obj: ob,
-                attributes: attributes,
+                attributes,
                 ctxPassThrough: ctx.passThrough
               }
               logger.debug(`${gwName}[${pluginName}] publishing "${handler.groups.getMethod}" to SCIM Stream and awaiting result - groups to be included`)
@@ -987,7 +990,6 @@ const ScimGateway = function () {
         getObj.value = decodeURIComponent(arrFilter.slice(2).join(' ').replace(/"/g, '')) // bjensen
       }
     }
-
     let err
     if (getObj.attribute) {
       if (multiValueTypes.includes(getObj.attribute) || getObj.attribute === 'roles') {
@@ -1108,7 +1110,7 @@ const ScimGateway = function () {
           handle: handle.getMethod,
           baseEntity: ctx.params.baseEntity,
           obj: ob,
-          attributes: attributes,
+          attributes,
           ctxPassThrough: ctx.passThrough
         }
         logger.debug(`${gwName}[${pluginName}] publishing "${handle.getMethod}" to SCIM Stream and awaiting result`)
@@ -1147,7 +1149,7 @@ const ScimGateway = function () {
                   handle: handler.groups.getMethod,
                   baseEntity: ctx.params.baseEntity,
                   obj: ob,
-                  attributes: attributes,
+                  attributes,
                   ctxPassThrough: ctx.passThrough
                 }
                 logger.debug(`${gwName}[${pluginName}] publishing "${handler.groups.getMethod}" to SCIM Stream and awaiting result - groups to be included`)
@@ -1265,13 +1267,13 @@ const ScimGateway = function () {
         res = await this.publish(streamObj)
       } else {
         if (scimdata.groups && Array.isArray(scimdata.groups) && handle.createMethod === 'createUser') {
-            if (!config.scim.groupMemberOfUser) {
-              for (let i = 0; i < scimdata.groups.length; i++) {
-                if (!scimdata.groups[i].value) continue
-                addGrps.push(decodeURIComponent(scimdata.groups[i].value))
-              }
-              delete scimdata.groups            
+          if (!config.scim.groupMemberOfUser) {
+            for (let i = 0; i < scimdata.groups.length; i++) {
+              if (!scimdata.groups[i].value) continue
+              addGrps.push(decodeURIComponent(scimdata.groups[i].value))
             }
+            delete scimdata.groups
+          }
         }
         logger.debug(`${gwName}[${pluginName}] calling "${handle.createMethod}" and awaiting result`)
         res = await this[handle.createMethod](ctx.params.baseEntity, scimdata, ctx.passThrough)
@@ -1279,7 +1281,7 @@ const ScimGateway = function () {
       for (const key in res) { // merge any result e.g: {'id': 'xxxx'}
         jsonBody[key] = res[key]
       }
-      
+
       if (!jsonBody.id) { // retrieve all attributes including id
         let res
         try {
@@ -1293,7 +1295,7 @@ const ScimGateway = function () {
                 handle: handle.getMethod,
                 baseEntity: ctx.params.baseEntity,
                 obj: ob,
-                attributes: attributes,
+                attributes,
                 ctxPassThrough: ctx.passThrough
               }
               res = await this.publish(streamObj)
@@ -1310,7 +1312,7 @@ const ScimGateway = function () {
                 handle: handle.getMethod,
                 baseEntity: ctx.params.baseEntity,
                 obj: ob,
-                attributes: attributes,
+                attributes,
                 ctxPassThrough: ctx.passThrough
               }
               res = await this.publish(streamObj)
@@ -1327,7 +1329,7 @@ const ScimGateway = function () {
       }
 
       if (addGrps.length > 0 && handle.createMethod === 'createUser') { // add group membership
-        const addGroups = async (groupId) => { 
+        const addGroups = async (groupId) => {
           if (config.stream.publisher.enabled) {
             const streamObj = {
               handle: handler.groups.modifyMethod,
@@ -1349,7 +1351,7 @@ const ScimGateway = function () {
         }
         jsonBody.groups = []
         addGrps.forEach((el) => {
-          jsonBody.groups.push({ 'value': el, 'type': 'direct' })
+          jsonBody.groups.push({ value: el, type: 'direct' })
         })
       }
 
@@ -1398,7 +1400,7 @@ const ScimGateway = function () {
         const streamObj = {
           handle: handle.deleteMethod,
           baseEntity: ctx.params.baseEntity,
-          id: id,
+          id,
           ctxPassThrough: ctx.passThrough
         }
         logger.debug(`${gwName}[${pluginName}] publishing "${handle.deleteMethod}" to SCIM Stream and awaiting result`)
@@ -1479,7 +1481,7 @@ const ScimGateway = function () {
             obj.value = decodeURIComponent(obj.value)
             groups.push(obj)
           }
-          delete scimdata.groups            
+          delete scimdata.groups
         }
       }
       try {
@@ -1487,7 +1489,7 @@ const ScimGateway = function () {
           let streamObj = {
             handle: handle.modifyMethod,
             baseEntity: ctx.params.baseEntity,
-            id: id,
+            id,
             obj: scimdata,
             ctxPassThrough: ctx.passThrough
           }
@@ -1497,7 +1499,7 @@ const ScimGateway = function () {
               handle: 'replaceUsrGrp',
               baseEntity: ctx.params.baseEntity,
               originalUrl: ctx.request.originalUrl,
-              id: id,
+              id,
               obj: scimdata,
               ctxPassThrough: ctx.passThrough
             }
@@ -1515,21 +1517,21 @@ const ScimGateway = function () {
         }
 
         if (groups.length > 0 && handle.modifyMethod === 'modifyUser') { // modify user includes groups, add/remove group membership
-          const updateGroup = async (groupsObj) => { 
+          const updateGroup = async (groupsObj) => {
             const groupId = groupsObj.value
-            const memberObj = { 'value': id }
-            if (groupsObj.operation) memberObj.operation= groupsObj.operation
+            const memberObj = { value: id }
+            if (groupsObj.operation) memberObj.operation = groupsObj.operation
             if (config.stream.publisher.enabled) {
               const streamObj = {
                 handle: handler.groups.modifyMethod,
                 baseEntity: ctx.params.baseEntity,
                 id: groupId,
-                obj: { members: [ memberObj ] },
+                obj: { members: [memberObj] },
                 ctxPassThrough: ctx.passThrough
               }
               return await this.publish(streamObj)
             } else {
-              return await this[handler.groups.modifyMethod](ctx.params.baseEntity, groupId, { members: [ memberObj ] }, ctx.passThrough)
+              return await this[handler.groups.modifyMethod](ctx.params.baseEntity, groupId, { members: [memberObj] }, ctx.passThrough)
             }
           }
           const res = await Promise.allSettled(groups.map((groupsObj) => updateGroup(groupsObj)))
@@ -1554,7 +1556,7 @@ const ScimGateway = function () {
             handle: handle.getMethod,
             baseEntity: ctx.params.baseEntity,
             obj: ob,
-            attributes: attributes,
+            attributes,
             ctxPassThrough: ctx.passThrough
           }
           logger.debug(`${gwName}[${pluginName}] publishing "${handle.getMethod}" to SCIM Stream and awaiting result`)
@@ -1762,7 +1764,7 @@ const ScimGateway = function () {
       const streamObj = {
         handle: 'replaceUsrGrp',
         baseEntity: ctx.params.baseEntity,
-        originalUrl: originalUrl,
+        originalUrl,
         id: ctx.params.id,
         obj: ctx.request.body,
         ctxPassThrough: ctx.passThrough
@@ -1810,12 +1812,12 @@ const ScimGateway = function () {
           result = await this.postApi(ctx.params.baseEntity, apiObj, ctx.passThrough)
         }
         if (result) {
-          if (typeof result === 'object') result = { result: result }
+          if (typeof result === 'object') result = { result }
           else {
             try {
               result = { result: JSON.parse(result) }
             } catch (err) {
-              result = { result: result }
+              result = { result }
             }
           }
         } else result = {}
@@ -1859,7 +1861,7 @@ const ScimGateway = function () {
           const streamObj = {
             handle: 'putApi',
             baseEntity: ctx.params.baseEntity,
-            id: id,
+            id,
             obj: apiObj,
             ctxPassThrough: ctx.passThrough
           }
@@ -1870,12 +1872,12 @@ const ScimGateway = function () {
           result = await this.putApi(ctx.params.baseEntity, id, apiObj, ctx.passThrough)
         }
         if (result) {
-          if (typeof result === 'object') result = { result: result }
+          if (typeof result === 'object') result = { result }
           else {
             try {
               result = { result: JSON.parse(result) }
             } catch (err) {
-              result = { result: result }
+              result = { result }
             }
           }
         } else result = {}
@@ -1919,7 +1921,7 @@ const ScimGateway = function () {
           const streamObj = {
             handle: 'patchApi',
             baseEntity: ctx.params.baseEntity,
-            id: id,
+            id,
             obj: apiObj,
             ctxPassThrough: ctx.passThrough
           }
@@ -1930,12 +1932,12 @@ const ScimGateway = function () {
           result = await this.patchApi(ctx.params.baseEntity, id, apiObj, ctx.passThrough)
         }
         if (result) {
-          if (typeof result === 'object') result = { result: result }
+          if (typeof result === 'object') result = { result }
           else {
             try {
               result = { result: JSON.parse(result) }
             } catch (err) {
-              result = { result: result }
+              result = { result }
             }
           }
         } else result = {}
@@ -1976,7 +1978,7 @@ const ScimGateway = function () {
         const streamObj = {
           handle: 'getApi',
           baseEntity: ctx.params.baseEntity,
-          id: id,
+          id,
           query: ctx.query,
           obj: apiObj,
           ctxPassThrough: ctx.passThrough
@@ -1988,12 +1990,12 @@ const ScimGateway = function () {
         result = await this.getApi(ctx.params.baseEntity, id, ctx.query, apiObj, ctx.passThrough)
       }
       if (result) {
-        if (typeof result === 'object') result = { result: result }
+        if (typeof result === 'object') result = { result }
         else {
           try {
             result = { result: JSON.parse(result) }
           } catch (err) {
-            result = { result: result }
+            result = { result }
           }
         }
       } else result = {}
@@ -2026,7 +2028,7 @@ const ScimGateway = function () {
         const streamObj = {
           handle: 'deleteApi',
           baseEntity: ctx.params.baseEntity,
-          id: id,
+          id,
           ctxPassThrough: ctx.passThrough
         }
         logger.debug(`${gwName}[${pluginName}] publishing "deleteApi" to SCIM Stream and awaiting result`)
@@ -2036,12 +2038,12 @@ const ScimGateway = function () {
         result = await this.deleteApi(ctx.params.baseEntity, id, ctx.passThrough)
       }
       if (result) {
-        if (typeof result === 'object') result = { result: result }
+        if (typeof result === 'object') result = { result }
         else {
           try {
             result = { result: JSON.parse(result) }
           } catch (err) {
-            result = { result: result }
+            result = { result }
           }
         }
       } else result = {}
@@ -3323,7 +3325,7 @@ const jsonErr = (scimVersion, pluginName, htmlErrCode, err) => {
     errJson =
     {
       schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
-      scimType: scimType,
+      scimType,
       detail: msg,
       status: customErrCode || htmlErrCode
     }

package/lib/utils.js

@@ -330,7 +330,7 @@ module.exports.extendObjClear = (obj, src, isSoftSync) => {
                   break
                 }
               }
-              if (!found)  {
+              if (!found) {
                 const v = module.exports.copyObj(val)
                 if (!isSoftSync) v.operation = 'delete'
                 addArr.push(v)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.5.7",
+  "version": "4.5.9",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",
@@ -34,7 +34,7 @@
     "callsite": "^1.0.0",
     "dot-object": "^2.1.5",
     "fold-to-ascii": "^5.0.1",
-    "https-proxy-agent": "^7.0.4",
+    "https-proxy-agent": "^7.0.5",
     "is-in-subnet": "^4.0.1",
     "jsonwebtoken": "^9.0.2",
     "koa": "^2.15.3",
@@ -42,14 +42,14 @@
     "koa-router": "^12.0.1",
     "ldapjs": "^3.0.7",
     "lokijs": "^1.5.12",
-    "mongodb": "^6.6.2",
-    "nats": "^2.26.0",
+    "mongodb": "^6.9.0",
+    "nats": "^2.28.2",
     "node-machine-id": "1.1.9",
-    "nodemailer": "^6.9.13",
+    "nodemailer": "^6.9.15",
     "passport": "^0.7.0",
     "passport-azure-ad": "^4.3.5",
-    "tedious": "^18.2.0",
-    "winston": "^3.13.0"
+    "tedious": "^18.6.1",
+    "winston": "^3.14.2"
   },
   "devDependencies": {
     "chai": "^4.2.0",