> On 21/10/2009 13:58, sebastiendescamps at free.fr wrote:
>> Hello,
>>
>> Here is the structures of my directories :
>>
>> OpenLDAP : dn: ou=Users, ou=securite,dc=mondomaine,dc=fr
>> AD : dn: CN=Users, dc=mondomaine,dc=test
>>
>> And here is my lsc.properties file :
>
> Hi,
>
> I see where the problem is coming from: your search base is specified
> twice (in provider url and in {src,dst}Service.baseDn.
>
> I also note some other elements that might cause problems, see below. I
> have reformatted the file slightly, to put conflicting lines together,
> to make it easier to understand.
>
>> src.java.naming.provider.url=ldap://192.168.xxx.xxx:389/ou=Users,ou=securite,dc=mondomaine,dc=fr
>> lsc.tasks.user.srcService.baseDn=ou=Users,ou=securite
>
> These two properties work together. The base dn from provider.url is
> appended to the srcService.baseDn. So, searches are actually being
> performed on
> ou=Users,ou=securite,ou=Users,ou=securite,dc=mondomaine,dc=fr, which is
> unlikely to be what you want. Change one or the other.
>
>> dst.java.naming.provider.url=ldap://192.168.xxx.xxx:389/cn=Users,dc=mondomaine,dc=test
>> lsc.tasks.user.dstService.baseDn=ou=Users
>
> Same as above, this would use ou=Users,cn=Users,dc=mondomaine,dc=test
> Also, be careful: is it "cn=" or "ou="?
>
>> lsc.tasks.user.srcService.pivotAttrs=cn sn
>> lsc.tasks.user.srcService.filterId=(sn={sn})
>> lsc.tasks.user.srcService.filterAll=(&(sn=*)(objectClass=inetOrgPerson))
>> lsc.tasks.user.dstService.pivotAttrs=cn sn
>> lsc.tasks.user.dstService.filterId=(sn={sn})
>> lsc.tasks.user.dstService.filterAll=(&(sn=*)(objectClass=user))
>>
>> #added lines
>> lsc.tasks.user.srcService.filterId = (&(objectClass=inetOrgPerson)(uid={uid}))
>> lsc.tasks.user.srcService.pivotAttrs = uid
>> lsc.tasks.user.dstService.filterId = (&(objectClass=user)(sAMAccountName={uid}))
>> lsc.tasks.user.dstService.pivotAttrs = uid
>
> You must avoid defining properties twice. Java doesn't read properties
> in any particular order, so there's no way of knowing which line will be
> used. Delete the unused ones.
>
>> lsc.tasks.user.srcService.attrs=description cn sn userPassword
>> lsc.syncoptions.user.sAMAccountName.create_value = srcBean.getAttributeValueById("uid")
>> lsc.syncoptions.user.userPrincipalName.force_value = srcBean.getAttributeValueById("uid") + "@mondomaine.fr"
>
> Since you use the "uid" attribute from the source bean here, you should
> read this attribute from the srcService. Add "uid" to
> lsc.tasks.user.srcService.attrs.
>
>> lsc.tasks.user.dstService.attrs=description cn sn userPassword objectClass
>> # userAccountControl
>> lsc.syncoptions.user.userAccountControl.create_value =
>> AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])
>> # pwdLastSet<- 0 to force user to change password on next connection
>> lsc.syncoptions.user.pwdLastset.create_value = "0"
>> # unicodePwd<- "changeit" at creation (requires SSL connection to AD)
>> lsc.syncoptions.user.unicodePwd.create_value = AD.getUnicodePwd("changeit")
>
> Similarly, you obviously want to write "userAccountControl",
> "pwdLastSet" and "unicodePwd" to the destination, so you must add them
> to the list in lsc.tasks.user.dstService.attrs.
>
>> Also, I am running LSC on the AD Server, should I configure the SSL
>> connection ?
>
> This is really up to you. I consider that if the connection is to
> localhost, it's not going to be intercepted on the network, so SSL is
> not necessary. You'll probably want to use SSL to connect to the distant
> server, though.

Hi,

just a remark: you must use SSL to connect AD if you want to write the
unicodePwd attribute (the password). All other attributes can be written
with a clear connection.


>> Well, maybe the subject of my internship is a bit too difficult for me,
>> so don't hesitate to tell me if my questions are really too stupid :) I
>> think i miss a lot of knowledge about all this, but I have to present my
>> conclusions about directories synchronization by the end of the week...
>
> Of course not. You've obviously made an effort to work things out
> yourself before asking here, and it's never easy to understand software
> you don't know. Also, we're aware our documentation is not as good as it
> might be... In fact, if you see anything in particular that could be
> improved, please mention it! We'd love to improve it, but need feedback!
>


Clément.

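The three configuration mistakes discussed in this thread (a property key defined twice, a search base given both in the provider URL and in the service baseDn, and attributes used by syncoptions that are not in the service attrs list) can all be caught before running a sync. The checker below is an added example written for this page; it is not LSC's own code. It uses the property names from the thread, takes as given the reply's statement that LSC appends the DN part of provider.url to the relative baseDn, and runs on a constructed lsc.properties fragment (hypothetical addresses) that reproduces the mistakes. The DN handling is a naive comma split, enough for these DNs but not for values containing escaped commas.

```python
"""Static checks for an lsc.properties file (added example, not LSC code).

Assumptions: property names as used in the thread; LSC appends the DN
from <side>.java.naming.provider.url to lsc.tasks.<task>.<side>Service.baseDn
(as stated in the reply); syncoptions keys have the form
lsc.syncoptions.<task>.<attribute>.<option>."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlparse

# Constructed sample reproducing the thread's mistakes; hosts are hypothetical.
SAMPLE = """\
src.java.naming.provider.url=ldap://192.168.0.10:389/ou=Users,ou=securite,dc=mondomaine,dc=fr
lsc.tasks.user.srcService.baseDn=ou=Users,ou=securite
dst.java.naming.provider.url=ldap://192.168.0.20:389/cn=Users,dc=mondomaine,dc=test
lsc.tasks.user.dstService.baseDn=ou=Users
lsc.tasks.user.srcService.pivotAttrs=cn sn
lsc.tasks.user.srcService.filterId=(sn={sn})
# added lines
lsc.tasks.user.srcService.filterId = (&(objectClass=inetOrgPerson)(uid={uid}))
lsc.tasks.user.srcService.pivotAttrs = uid
lsc.tasks.user.srcService.attrs=description cn sn userPassword
lsc.tasks.user.dstService.attrs=description cn sn userPassword objectClass
lsc.syncoptions.user.sAMAccountName.create_value = srcBean.getAttributeValueById("uid")
lsc.syncoptions.user.userPrincipalName.force_value = srcBean.getAttributeValueById("uid") + "@mondomaine.fr"
lsc.syncoptions.user.pwdLastSet.create_value = "0"
"""


def parse_properties(text):
    """Parse .properties text into {key: [value, ...]}, keeping every occurrence
    so duplicate keys can be reported (no continuation-line or escape support)."""
    props = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        props[m.group(1)].append(m.group(2).strip())
    return dict(props)


def duplicate_keys(props):
    return sorted(k for k, v in props.items() if len(v) > 1)


def _rdns(dn):
    # Naive split on ',' with case/whitespace normalisation (no escaped commas).
    return [p.strip().lower() for p in dn.split(",") if p.strip()]


def _url_dn(props, side):
    url = props[f"{side}.java.naming.provider.url"][-1]
    return unquote(urlparse(url).path.lstrip("/"))


def effective_base(props, side, task="user"):
    """Search base LSC ends up with: <side>Service.baseDn + ',' + provider.url DN."""
    rel = props.get(f"lsc.tasks.{task}.{side}Service.baseDn", [""])[-1]
    return ",".join(p for p in (rel, _url_dn(props, side)) if p)


def base_problems(props, side, task="user"):
    """Flag a base given twice, a baseDn repeating the URL's leading RDNs, and a
    leading RDN that matches by value but not by type (ou=Users vs cn=Users)."""
    url_rdns = _rdns(_url_dn(props, side))
    rel_rdns = _rdns(props.get(f"lsc.tasks.{task}.{side}Service.baseDn", [""])[-1])
    if not (url_rdns and rel_rdns):
        return []  # base given only once: nothing to report
    problems = [f"{side}: base DN given in both provider.url and baseDn; "
                f"effective search base is {effective_base(props, side, task)}"]
    if url_rdns[:len(rel_rdns)] == rel_rdns:
        problems.append(f"{side}: baseDn repeats the leading RDNs of the provider.url base")
    else:
        rt, _, rv = rel_rdns[0].partition("=")
        ut, _, uv = url_rdns[0].partition("=")
        if rv == uv and rt != ut:
            problems.append(f"{side}: baseDn says {rt}={rv} but provider.url says "
                            f"{ut}={uv}; check which is right")
    return problems


def syncoption_attr_problems(props, task="user"):
    """Attributes read via srcBean.getAttributeValueById must be in srcService.attrs;
    attributes that syncoptions write must be in dstService.attrs."""
    src_attrs = {a.lower() for a in props[f"lsc.tasks.{task}.srcService.attrs"][-1].split()}
    dst_attrs = {a.lower() for a in props[f"lsc.tasks.{task}.dstService.attrs"][-1].split()}
    prefix = f"lsc.syncoptions.{task}."
    problems = []
    for key, values in props.items():
        if not key.startswith(prefix):
            continue
        dst_attr = key[len(prefix):].split(".")[0]
        if dst_attr.lower() not in dst_attrs:
            problems.append(f"'{dst_attr}' is set by {key} but missing from dstService.attrs")
        for value in values:
            for used in re.findall(r'getAttributeValueById\("([^"]+)"\)', value):
                if used.lower() not in src_attrs:
                    problems.append(f"'{used}' is read by {key} but missing from srcService.attrs")
    return problems


def check(text):
    props = parse_properties(text)
    findings = [f"duplicate key: {k}" for k in duplicate_keys(props)]
    for side in ("src", "dst"):
        findings += base_problems(props, side)
    return findings + syncoption_attr_problems(props)


if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```

Run against a real file with `check(open("lsc.properties").read())`; when a value is needed the checker takes the last occurrence of a key, but the point of the duplicate report is that there should be only one.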