----- "Jonathan Clarke" <jonathan at phillipoux.net> wrote:
> I see where the problem is coming from (...)

Sure you do! I've made the mods, and I have no more errors.

> > lsc.tasks.user.dstService.attrs=description cn sn userPassword objectClass
> > # userAccountControl
> > lsc.syncoptions.user.userAccountControl.create_value = AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])
> > # pwdLastSet<- 0 to force user to change password on next connection
> > lsc.syncoptions.user.pwdLastset.create_value = "0"
> > # unicodePwd<- "changeit" at creation (requires SSL connection to AD)
> > lsc.syncoptions.user.unicodePwd.create_value = AD.getUnicodePwd("changeit")
> 
> Similarly, you obviously want to write "userAccountControl",
> "pwdLastSet" and "unicodePwd" to the destination, so you must add them
> to the list in lsc.tasks.user.dstService.attrs.

I think I'm losing you there: should I add lines like these ones:

lsc.tasks.user.srcService.filterId = (&(objectClass=inetOrgPerson)(uid={uid}))
lsc.tasks.user.srcService.pivotAttrs = uid
lsc.tasks.user.dstService.filterId = (&(objectClass=user)(sAMAccountName={uid}))
lsc.tasks.user.dstService.pivotAttrs = uid

As I understand (correct me if I'm wrong), with these lines I build a relation
between an attribute in the OpenLDAP directory and an attribute in the AD
directory. I have to admit that I have shamefully copied the lines from the
tutorial, and I don't clearly understand the syntax to build such a relation
regarding the password.
The point is to import in AD the username and the password from OpenLDAP, so I
guess I can remove the "pwdLastSet" parameter?

Anyway, I ran a sync test, and it returned me no errors, but the console says
that nothing will be modified:

lsc::synchronize:
     [java] 0    - WARN  - Starting sync for user (ldap2ldap)
     [java] 181657 - WARN  - # All entries: 9703, to modify entries: 0, modified entries: 0, errors: 0
     [java] 181657 - WARN  - Starting clean for user (ldap2ldap)
     [java] 181657 - WARN  - # All entries: 1, to modify entries: 0, modified entries: 0, errors: 0

When I run a sync task (removing "-n"), it returns this kind of error for every
user (I have 9000+ users in my OpenLDAP directory...):

     [java] 142360 - ERROR - Error while adding entry cn=XXXX XXXX,ou=users in directory : javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece ]; remaining name 'cn=XXXXX XXXX,ou=users'
     [java] 142360 - ERROR - Error while synchronizing ID cn=XXXXX XXXXXX,ou=users:
     [java]
     [java] dn: cn=XXXXXX XXXXXX,ou=users,dc=mondomaine,dc=test
     [java] changetype: add
     [java] description: xxxxxx
     [java] objectclass: top
     [java] objectclass: user
     [java] objectclass: person
     [java] objectclass: organizationalPerson
     [java] sn: XXXXX
     [java] cn: XXXXX XXXXX
     [java] userPassword: {SMD5}hFygddkhtehlJE20oMjflz2dame8=
     [java] samaccountname:
     [java] unicodepwd:: IgBjAGgAYQBuAGcAZQBpAehrehrgA=
     [java] pwdlastset: 0
     [java] useraccountcontrol: 512
     [java]

> 
> > Also, I am running LSC on the AD Server, should I configure the SSL connection ?
>
> This is really up to you. I consider that if the connection is to
> localhost, it's not going to be intercepted on the network, so SSL is
> not necessary. You'll probably want to use SSL to connect to the
> distant server, though.

This is (once again) a quite obscure point to me: I followed the tutorial, and
installed IIS and the certificate services on my AD server. Then, where will I
have to put this certificate? On the OpenLDAP server?


> Of course not. You've obviously made an effort to work things out
> yourself before asking here, and it's never easy to understand software
> you don't know. Also, we're aware our documentation is not as good as it
> might be... In fact, if you see anything in particular that could be
> improved, please mention it! We'd love to improve it, but need feedback!

Well, I have to say that I think the most important problem is me :) When my
mémoire is finished, and if I manage to make things work, I could send you some
remarks on things that took me time to understand, then you can decide whether
the problem is me or your tutorials :)

Anyway, I really appreciate your help.

Cheers, 

Sébastien
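
Added example (not part of the original message and not LSC code): a Python pre-flight check for an LDIF add record like the one logged above. It flags attributes with an empty value and a unicodePwd that is not a double-quoted UTF-16LE string, the format Active Directory expects for that attribute. The function names and the sample record are constructed for illustration.

```python
import base64

def encode_unicode_pwd(password):
    """unicodePwd value: the password in double quotes, encoded as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")

def parse_ldif_entry(text):
    """Parse one LDIF record into (attribute, bytes-or-None) pairs; '::' marks base64."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            try:
                value = base64.b64decode(rest[1:].strip(), validate=True)
            except ValueError:
                value = None  # malformed base64
        else:
            value = rest.strip().encode("utf-8")
        pairs.append((name.strip().lower(), value))
    return pairs

def check_entry(text):
    """Return a list of problems found in an LDIF add record."""
    problems = []
    for name, value in parse_ldif_entry(text):
        if value is None:
            problems.append(f"{name}: invalid base64")
        elif value == b"":
            problems.append(f"{name}: empty value")
        elif name == "unicodepwd":
            try:
                text_value = value.decode("utf-16-le")
            except UnicodeDecodeError:
                problems.append("unicodepwd: not valid UTF-16LE")
                continue
            if len(text_value) < 3 or text_value[0] != '"' or text_value[-1] != '"':
                problems.append("unicodepwd: not a double-quoted string")
    return problems

def sample_entry(sam, pwd_bytes):
    """Constructed sample record (not taken from the thread)."""
    b64 = base64.b64encode(pwd_bytes).decode("ascii")
    return (f"dn: cn=Test User,ou=users,dc=example,dc=test\nchangetype: add\n"
            f"objectclass: user\ncn: Test User\nsamaccountname: {sam}\n"
            f"unicodepwd:: {b64}\n")
```

Calling `check_entry(sample_entry("", "changeit".encode("utf-16-le")))` reports both the empty samaccountname and the unquoted password value.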
 
