Script to set the rep:externalId if it is missing in AEM due to users being migrated from an older version of CQ/AEM

INSTRUCTIONS.md

1. Install the Felix script console and groovy bundle - http://felix.apache.org/documentation/subprojects/apache-felix-script-console-plugin.html
2. Go to http://host:port/system/console/sc
3. Select Groovy as the language
4. Paste the contents of setRepExternalId.groovy to the script field
5. Click Execute

setRepExternalId.groovy

import org.apache.jackrabbit.oak.spi.commit.CommitInfo
import org.apache.jackrabbit.oak.spi.commit.EmptyHook
import org.apache.jackrabbit.oak.spi.state.NodeStore
import org.apache.jackrabbit.oak.commons.PathUtils
import com.google.common.collect.Lists
import java.util.List


public class FixLDAPUsers {
  
   private out;
  
  public FixLDAPUsers(def out) {
       this.out =  out;
  }
   public setRepUserProps(def session, def argpath, def ldapConfigName, def isDryRun=true) {
        out.println("Running... (Dry Run)");
        if (!PathUtils.isValid(argpath)) {
            out.println("Not a valid path: " + argpath);
            return;
        }
        String path = argpath;
        
        List<String> elements = Lists.newArrayList();
        PathUtils.elements(path).each{String element ->
            if (PathUtils.denotesParent(element)) {
                if (!elements.isEmpty()) {
                    elements.remove(elements.size() - 1);
                }
            } else if (!PathUtils.denotesCurrent(element)) {
                elements.add(element);
            }
        }
        
        NodeStore nstore = session.getRootNode().sessionDelegate.root.store
        def rs = nstore.root
        def ns = rs
        def rnb = rs.builder()
        //def nb = rnb;
        elements.each {
          if(it.size() > 0) {
            ns = ns.getChildNode(it)
          }
        }
        def entryIter = ns.getChildNodeEntries()
        entryIter.each {
            setRepUserPropsRecurse(session, nstore, argpath + "/" + it.getName(), ns, it, ldapConfigName, isDryRun)
        }
        
        session.refresh(true);
    }

    private setRepUserPropsRecurse(def session, def nodeStore, def curPath, def parentState, def childEntry, def ldapConfigName, def isDryRun) {
        def ns = childEntry.getNodeState()
        def entryIter = ns.getChildNodeEntries()
        entryIter.each {
            def childNS = it.getNodeState();
            def primaryType = null;
            def principalName = null;
            if(childNS.hasProperty("jcr:primaryType") && childNS.hasProperty("rep:principalName")) {
              primaryType = childNS.getProperty("jcr:primaryType").getValue(childNS.getProperty("jcr:primaryType").getType());
              principalName = childNS.getProperty("rep:principalName").getValue(childNS.getProperty("rep:principalName").getType());
              if(("rep:User".equals(primaryType) || "rep:Group".equals(primaryType)) && principalName != null && (principalName.toLowerCase().startsWith("uid=") || principalName.toLowerCase().startsWith("cn="))) {
                    out.println(curPath + "/" + it.getName() + " has rep:principalName = " + principalName);
                    out.println(" Setting properties: ");
                    out.println("   rep:authorizableId=" + it.getName()) // + principalName.substring(principalName.indexOf("=")+1, principalName.indexOf(",")));
                    out.println("   rep:externalId=" + principalName + ";" + ldapConfigName );
                    if(!isDryRun) {
                      def rnb = nodeStore.root.builder()
                      def nb = getNodeBuilderForPath(rnb, curPath);
                      def cnb = nb.getChildNode(it.getName())
                      cnb.setProperty("rep:authorizableId",  it.getName()) //principalName.substring(principalName.indexOf("=")+1, principalName.indexOf(",")));
                      cnb.setProperty("rep:externalId", principalName + ";" + ldapConfigName );
                      nodeStore.merge(rnb, EmptyHook.INSTANCE, CommitInfo.EMPTY);
                      out.println(" Changes saved for " + principalName);
                    }
                    return;
              }
            }
            setRepUserPropsRecurse(session, nodeStore, curPath + "/" + it.getName(), parentState, it, ldapConfigName, isDryRun)
        }
    }
    
    private getNodeBuilderForPath(def rootNodeBuilder, def argpath) {
        def nb = rootNodeBuilder
        String path;
        if (PathUtils.isAbsolute(argpath)) {
            path = argpath;
        } else {
            path = PathUtils.concat(session.getWorkingPath(), argpath);
        }
        List<String> elements = Lists.newArrayList();
        PathUtils.elements(path).each{String element ->
            if (PathUtils.denotesParent(element)) {
                if (!elements.isEmpty()) {
                    elements.remove(elements.size() - 1);
                }
            } else if (!PathUtils.denotesCurrent(element)) {
                elements.add(element);
            }
        }

        elements.each {
          if(it.size() > 0) {
            nb = nb.getChildNode(it)
          }
        }
        return nb
    }
}
                 
def runFixer(session) {
    out.println("Running user fixer")
    new FixLDAPUsers(out).setRepUserProps(session, "/home", "ldap")
    out.println("Done")
    null
}
                 
def runFixer() {
	def repo = osgi.getService(org.apache.sling.jcr.api.SlingRepository)
	def session = repo.loginAdministrative(null)
	try {
	    runFixer(session)
	} finally {
	    session.logout()
	}
}

runFixer()