On 21/10/2009 16:01, Sébastien Descamps wrote:
> Sure you do ! I've made the mods, and I have no more errors.

Great! :)

>>> lsc.tasks.user.dstService.attrs=description cn sn userPassword objectClass
>>> # userAccountControl
>>> lsc.syncoptions.user.userAccountControl.create_value = AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])
>>> # pwdLastSet <- 0 to force user to change password on next connection
>>> lsc.syncoptions.user.pwdLastset.create_value = "0"
>>> # unicodePwd <- "changeit" at creation (requires SSL connection to AD)
>>> lsc.syncoptions.user.unicodePwd.create_value = AD.getUnicodePwd("changeit")
>>
>> Similarly, you obviously want to write "userAccountControl",
>> "pwdLastSet" and "unicodePwd" to the destination, so you must add
>> them to the list in lsc.tasks.user.dstService.attrs.
>
> I think I'm losing you there: should I add lines like these ones:
>
> lsc.tasks.user.srcService.filterId = (&(objectClass=inetOrgPerson)(uid={uid}))
> lsc.tasks.user.srcService.pivotAttrs = uid
> lsc.tasks.user.dstService.filterId = (&(objectClass=user)(sAMAccountName={uid}))
> lsc.tasks.user.dstService.pivotAttrs = uid

No.

> As I understand (correct me if I'm wrong), with these lines I build
> a relation between an attribute in the OpenLDAP directory and an
> attribute in the AD directory.

Not quite. You do this to link each *entry* in your OpenLDAP directory 
with an *entry* in AD. Usually, you use "uid" or "mail" to link user 
accounts, but you can use any piece of information present in both 
directories.

However, each entry can contain as many attributes as necessary. The 
list of attributes to read from the source, and write to the destination 
is in the property:
lsc.tasks.user.dstService.attrs = uid mail unicodePwd etc
(this is a list of attributes separated by spaces)
(this is just an example)

Fill this property with the list of attributes you want to write. If an 
attribute is not in this list, it won't be updated.

> I have to admit that I have shamefully copied the lines from the
> tutorial, and I don't clearly understand the syntax to build such a
> relation regarding the password.

To update the password in AD, you need to set the attribute "unicodePwd".
To do this you must set several properties:
1) Add unicodePwd to lsc.tasks.user.dstService.attrs
2) Add syncoptions to build up the unicodePwd. For example, to always 
update the password based on the userPassword attribute from OpenLDAP:

> lsc.syncoptions.user.unicodePwd.action = F
> lsc.syncoptions.user.unicodePwd.force_value = AD.getUnicodePwd(srcBean.getAttributeValueById("userPassword"))

However, this is just an example and probably won't work, since the 
userPassword attribute in OpenLDAP doesn't usually contain cleartext 
passwords, but hashes. You need the cleartext password to do this.
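As an added illustration (not code from LSC or from anyone in this thread) of what AD.getUnicodePwd has to produce, and why a hashed userPassword cannot be turned into it: AD expects the cleartext wrapped in double quotes and encoded as UTF-16LE, which the LDIF dump quoted further down shows base64-encoded on its `unicodepwd::` line. The {SMD5} value is the one from that dump; the function names are my own.

```python
import base64


def ad_unicode_pwd(cleartext: str) -> bytes:
    """Raw unicodePwd value AD accepts over an SSL/TLS connection:
    the cleartext password wrapped in double quotes, UTF-16LE, no BOM."""
    return ('"' + cleartext + '"').encode("utf-16-le")


def ldif_unicode_pwd(cleartext: str) -> str:
    """The same value as it appears on an LDIF 'unicodePwd::' line
    ('::' marks a base64-encoded attribute value)."""
    return base64.b64encode(ad_unicode_pwd(cleartext)).decode("ascii")


def decode_ldif_unicode_pwd(b64: str) -> str:
    """Inverse of ldif_unicode_pwd: recover the cleartext from a dumped
    'unicodePwd::' value, e.g. to check what a DEBUG dry-run would send."""
    text = base64.b64decode(b64).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted UTF-16LE unicodePwd value")
    return text[1:-1]


def is_hashed_userpassword(value: str) -> bool:
    """OpenLDAP stores userPassword either in cleartext or in the RFC 2307
    '{SCHEME}data' form ({SMD5}, {SSHA}, {CRYPT}, ...). Only the scheme
    prefix is checked here; a cleartext password that itself starts with
    '{...}' would be misclassified."""
    return value.startswith("{") and "}" in value[1:]


def unicode_pwd_from_source(user_password: str):
    """What a force_value rule built from the source userPassword can
    deliver: the AD value when the source holds cleartext, None when it
    holds a hash (a hash cannot be reversed into the cleartext AD needs)."""
    if is_hashed_userpassword(user_password):
        return None
    return ldif_unicode_pwd(user_password)


if __name__ == "__main__":
    # Sample values: "changeit" from the tutorial config, the {SMD5} hash
    # from the log quoted in this thread.
    print(ldif_unicode_pwd("changeit"))
    print(unicode_pwd_from_source("{SMD5}hFygddkhtehlJE20oMjflz2dame8="))
```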

> The point is to import in AD the username and the password from
> OpenLDAP, so I guess I can remove the "pwdLastSet" parameter?

I guess so, yes.

> Anyway, I ran a sync test, and it returned me no errors, but the
> console says that nothing will be modified:
>
> lsc::synchronize:
> [java] 0      - WARN  - Starting sync for user (ldap2ldap)
> [java] 181657 - WARN  - # All entries: 9703, to modify entries: 0, modified entries: 0, errors: 0
> [java] 181657 - WARN  - Starting clean for user (ldap2ldap)
> [java] 181657 - WARN  - # All entries: 1, to modify entries: 0, modified entries: 0, errors: 0

This is normal if you're running with "-n" (dry-run mode). Change the 
log level to DEBUG in etc/log4j.properties to see what would be done.

> When I run a sync task (removing "-n"), it returns this kind of
> error for every user (I have 9000+ users in my OpenLDAP directory...):
>
> [java] 142360 - ERROR - Error while adding entry cn=XXXX XXXX,ou=users in directory :
> javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece ]; remaining name 'cn=XXXXX XXXX,ou=users'
> [java] 142360 - ERROR - Error while synchronizing ID cn=XXXXX XXXXXX,ou=users:
> [java]
> [java] dn: cn=XXXXXX XXXXXX,ou=users,dc=mondomaine,dc=test
> [java] changetype: add
> [java] description: xxxxxx
> [java] objectclass: top
> [java] objectclass: user
> [java] objectclass: person
> [java] objectclass: organizationalPerson
> [java] sn: XXXXX
> [java] cn: XXXXX XXXXX
> [java] userPassword: {SMD5}hFygddkhtehlJE20oMjflz2dame8=
> [java] samaccountname:
> [java] unicodepwd:: IgBjAGgAYQBuAGcAZQBpAehrehrgA=
> [java] pwdlastset: 0
> [java] useraccountcontrol: 512
> [java]

It looks like AD doesn't like one of the attributes you're trying to 
write. Remove some from the list in lsc.tasks.user.dstService.attrs 
until you figure out which one.

> This is (once again) a quite obscure point to me: I followed the
> tutorial, and installed IIS and the certificate services on my AD
> server. Then, where will I have to put this certificate? On the
> OpenLDAP server?

No. You need to tell the Java virtual machine to trust it. The 
instructions on this page are not for Windows environments, but you 
should be able to figure it out from there:
http://lsc-project.org/wiki/documentation/howtos/ssltls

>> Of course not. You've obviously made an effort to work things out
>> yourself before asking here, and it's never easy to understand
>> software you don't know. Also, we're aware our documentation is
>> not as good as it might be... In fact, if you see anything in
>> particular that could be improved, please mention it! We'd love to
>> improve it, but need feedback!
>
> Well, I have to say that I think the most important problem is me :)
> When my mémoire is finished, and if I manage to make things work, I
> could send you some remarks on things that took me time to
> understand, then you can decide whether the problem is me or your
> tutorials :)

That would be most appreciated. Off-topic, if your mémoire is on 
directory synchronization, I'd also be very interested to read it :)

Hope this helps,
Jonathan