On 12/05/2010 10:02, Romain wrote:
On 12/05/2010 09:51, Jonathan Clarke wrote:
Hi,
Please keep replies on the list! :)
On 12/05/2010 09:45, Romain wrote:
In the 1.2 version, I have made the lsc.properties file, but I don't
know how to launch the synchronization?
Run the bin/lsc command from the -dist archive with the same options
as lsc::synchronize.
I have tried it and it works, but now when I launch this command: bin/lsc -s
all -c all, I obtain this message:
-------------------------------------
mai 12 09:39:01 - INFO - Starting sync for user
mai 12 09:39:01 - ERROR - java.lang.RuntimeException: Deprecated value
specified in task user for object! Please read upgrade notes ! (Please
take a look at upgrade notes at
http://lsc-project.org/wiki/documentation/upgrade/1.1-1.2)
Last log file line: mai 12 09:39:01 - ERROR -
java.lang.RuntimeException: Deprecated value specified in task user
for
object! Please read upgrade notes ! (Please take a look at upgrade
notes
at http://lsc-project.org/wiki/documentation/upgrade/1.1-1.2)
---------------------------------------
So it's a problem with the object task user (something like that). I have
read the doc that was mentioned, and I understood that I have to modify the
logback file?
This error message means that you should delete the "object" property for
the task "user". From the upgrade notes, follow this in particular:
3. Edit the new lsc.properties file:
- Delete taskType properties lines (like lsc.tasks.MyTask.taskType = db2ldap)
- Delete object properties lines (like lsc.tasks.MyTask.object = org.lsc.objects.pPerson)
- Replace all bean properties values (like lsc.tasks.MyTask.bean = org.lsc.beans.inetOrgPersonBean) with the value org.lsc.beans.SimpleBean.
If you haven't changed your log4j.properties, you can just use the
default logback.xml provided.
Jonathan
Yes, I succeeded just after I sent my mail. So now, I have this
lsc.properties file:
----------------------------------------
src.java.naming.security.principal=cn=admin,dc=openldap,dc=nomotech,dc=local
src.java.naming.security.credentials=$ervSimu1
src.java.naming.security.authentication=simple
src.java.naming.referral=ignore
src.java.naming.provider.url=ldap://192.168.0.2:389/dc=openldap,dc=nomotech,dc=local
src.java.naming.ldap.version=3
src.java.naming.ldap.derefAliases=never
src.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
#src.database.username=sa
#src.database.url=jdbc:hsqldb:file:hsqldb/lsc
#src.database.password=
#src.database.driver=org.hsqldb.jdbcDriver
#lsc.tasks=FirstTask, user
lsc.tasks=user
#lsc.tasks.user.type=ldap2ldap
lsc.tasks.user.srcService=org.lsc.jndi.SimpleJndiSrcService
lsc.tasks.user.srcService.pivotAttrs=cn sn
lsc.tasks.user.srcService.filterId=(sn={sn})
lsc.tasks.user.srcService.filterAll=(&(sn=*)(objectClass=inetOrgPerson))
lsc.tasks.user.srcService.baseDn=ou=Users
lsc.tasks.user.srcService.attrs=description cn sn userPassword
#lsc.tasks.user.object=org.lsc.objects.inetOrgPerson
lsc.tasks.user.dstService=org.lsc.jndi.SimpleJndiDstService
lsc.tasks.user.dstService.pivotAttrs=cn sn
lsc.tasks.user.dstService.filterId=(sn={sn})
lsc.tasks.user.dstService.filterAll=(&(sn=*)(objectClass=user))
lsc.tasks.user.dstService.baseDn=cn=Users
lsc.tasks.user.dstService.attrs=description cn sn userPassword objectClass
lsc.tasks.user.dn="cn=" + srcBean.getAttributeValueById("cn") + ",ou=Users"
lsc.tasks.user.bean=org.lsc.beans.SimpleBean
#added lines
lsc.tasks.user.srcService.filterId = (&(objectClass=inetOrgPerson)(uid={uid}))
lsc.tasks.user.srcService.pivotAttrs = uid
lsc.tasks.user.dstService.filterId = (&(objectClass=user)(sAMAccountName={uid}))
lsc.tasks.user.dstService.pivotAttrs = uid
lsc.tasks.user.dn = "cn=" + srcBean.getAttributeValueById("cn") + ",ou=Users"
dst.java.naming.security.principal=cn=Administrateur,cn=Users,dc=nomotech,dc=local
dst.java.naming.security.credentials=$ervSimu1
dst.java.naming.security.authentication=simple
dst.java.naming.referral=ignore
dst.java.naming.provider.url=ldap://192.168.0.1:389/dc=nomotech,dc=local
dst.java.naming.ldap.version=3
dst.java.naming.ldap.derefAliases=never
dst.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
#mod
dst.java.naming.ldap.pageSize = 1000
dn.real_root=cn=Users,dc=nomotech,dc=local
#Tue Oct 20 16:34:13 CEST 2009
#Re/set the Source LDAP properties
# Synchronization options
lsc.syncoptions.user = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
lsc.syncoptions.user.default.action = F
# Direct link - no need to specify syncoptions
# uid<- uid
# cn<- cn (done with DN generation)
# sn<- sn
# objectClass<- top/user/person/organizationalperson
lsc.syncoptions.user.objectClass.action = F
lsc.syncoptions.user.objectClass.force_value = "top";"user";"person";"organizationalPerson"
# sAMAccountName<- uid
lsc.syncoptions.user.sAMAccountName.create_value = srcBean.getAttributeValueById("uid")
# userPrincipalName<- uid + "@nomotech.local"
lsc.syncoptions.user.userPrincipalName.force_value = srcBean.getAttributeValueById("uid") + "@nomotech.com"
# userAccountControl
lsc.syncoptions.user.userAccountControl.create_value = AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])
# pwdLastSet<- 0 to force user to change password on next connection
lsc.syncoptions.user.pwdLastset.create_value = "0"
# unicodePwd<- "changeit" at creation (requires SSL connection to AD)
lsc.syncoptions.user.unicodePwd.create_value = AD.getUnicodePwd("changeit")
--------------------------------------------------------------
But when I launch this command: bin/lsc -s all -c all, I get this error
message:
--------------------------------------------
mai 12 09:52:03 - INFO - Starting sync for user
mai 12 09:52:04 - INFO - Connecting to LDAP server
ldap://192.168.0.2:389/dc=openldap,dc=nomotech,dc=local as
cn=admin,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
id=cn=toto,ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - Unable to get object for
[email protected],ou=Users,dc=openldap,dc=nomotech,dc=local
mai 12 09:52:04 - ERROR - All entries: 12, to modify entries: 0,
modified
entries: 0, errors: 12
mai 12 09:52:04 - INFO - Starting clean for user
mai 12 09:52:04 - INFO - Connecting to LDAP server
ldap://192.168.0.1:389/dc=nomotech,dc=local as
cn=Administrateur,cn=Users,dc=nomotech,dc=local
mai 12 09:52:04 - INFO - # Removing entry
CN=test,CN=Users,DC=nomotech,DC=local for user
dn: CN=test,CN=Users,DC=nomotech,DC=local,dc=nomotech,dc=local
changetype: delete
mai 12 09:52:04 - INFO - # Removing entry
CN=test1,CN=Users,DC=nomotech,DC=local for user
dn: CN=test1,CN=Users,DC=nomotech,DC=local,dc=nomotech,dc=local
changetype: delete
mai 12 09:52:04 - INFO - All entries: 2, to modify entries: 2, modified
entries: 2, errors: 0
--------------------------------------------------
So the result is better than yesterday, but now I have an error getting the
users?
The good point is that users who are not in the OpenLDAP directory are deleted
in the AD.
Thanks for your quick answer, it's very nice ;-)
It's better now. I have modified my lsc.properties a little, and now I launch
this command: bin/lsc -s all.
So now I don't launch with the argument -c all, because otherwise my
user is deleted in AD, like this:
-----------------------------------------------
mai 12 10:13:13 - INFO - Starting sync for user
mai 12 10:13:13 - INFO - Connecting to LDAP server
ldap://192.168.0.2:389/dc=openldap,dc=nomotech,dc=local as
cn=admin,dc=openldap,dc=nomotech,dc=local
mai 12 10:13:13 - INFO - Connecting to LDAP server
ldap://192.168.0.1:389/dc=nomotech,dc=local as
cn=Administrateur,cn=Users,dc=nomotech,dc=local
mai 12 10:13:14 - INFO - # Adding new entry cn=toto,cn=Users for user
dn: cn=toto,cn=Users,dc=nomotech,dc=local
changetype: add
sn: toto
cn: toto
userPassword: {MD5}E0xHX+Rnx1Qw2N/Nw+rz3Q==
objectClass: organizationalPerson
objectClass: person
objectClass: user
objectClass: top
mai 12 10:13:14 - INFO - All entries: 1, to modify entries: 1, modified
entries: 1, errors: 0
mai 12 10:13:14 - INFO - Starting clean for user
mai 12 10:13:14 - INFO - # Removing entry
CN=toto,CN=Users,DC=nomotech,DC=local for user
dn: CN=toto,CN=Users,DC=nomotech,DC=local,dc=nomotech,dc=local
changetype: delete
mai 12 10:13:14 - INFO - All entries: 1, to modify entries: 1, modified
entries: 1, errors: 0
----------------------------------------
So with this command: bin/lsc -s all, I have this:
----------------------------------------------
mai 12 10:14:02 - INFO - Starting sync for user
mai 12 10:14:02 - INFO - Connecting to LDAP server
ldap://192.168.0.2:389/dc=openldap,dc=nomotech,dc=local as
cn=admin,dc=openldap,dc=nomotech,dc=local
mai 12 10:14:02 - INFO - Connecting to LDAP server
ldap://192.168.0.1:389/dc=nomotech,dc=local as
cn=Administrateur,cn=Users,dc=nomotech,dc=local
mai 12 10:14:02 - INFO - # Adding new entry cn=toto,cn=Users for user
dn: cn=toto,cn=Users,dc=nomotech,dc=local
changetype: add
sn: toto
cn: toto
userPassword: {MD5}E0xHX+Rnx1Qw2N/Nw+rz3Q==
objectClass: organizationalPerson
objectClass: person
objectClass: user
objectClass: top
mai 12 10:14:02 - INFO - All entries: 1, to modify entries: 1, modified
entries: 1, errors: 0
------------------------------
Now I see my user "toto" in my AD, but it is not active. I think that I have
to use secure communication between AD and OpenLDAP?
But do I have to modify my user in OpenLDAP to succeed?
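
Added example, not part of the original thread and not LSC project code: a small pre-flight check for an lsc.properties file that applies the three 1.1 to 1.2 upgrade-note edits quoted above, reports keys defined twice (the posted file sets filterId, pivotAttrs and dn twice), and flags a unicodePwd sync option when the destination URL is plain ldap://. Assumptions: the simplified parser mirrors java.util.Properties in keeping the last value of a repeated key, an ldaps:// URL stands in for the "requires SSL connection to AD" comment, the finding names are made up, and the sample input is constructed.

```python
import re

SIMPLE_BEAN = "org.lsc.beans.SimpleBean"

# Constructed sample in the shape of the file posted above; hosts and values are placeholders.
SAMPLE = """\
lsc.tasks=user
lsc.tasks.user.taskType=ldap2ldap
lsc.tasks.user.object=org.lsc.objects.inetOrgPerson
lsc.tasks.user.bean=org.lsc.beans.inetOrgPersonBean
lsc.tasks.user.srcService.pivotAttrs=cn sn
lsc.tasks.user.srcService.pivotAttrs = uid
dst.java.naming.provider.url=ldap://ad.example.invalid:389/dc=example,dc=invalid
lsc.syncoptions.user.unicodePwd.create_value = AD.getUnicodePwd("PLACEHOLDER")
"""

def parse_properties(text):
    """Return (values, duplicates). Simplified parser: one 'key = value' per line,
    '#'/'!' comments, no continuations; a repeated key keeps its last value."""
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in values:
            duplicates.append(key)
        values[key] = value.strip()
    return values, duplicates

def lint(text):
    """Return a list of (finding, key) tuples; finding names are illustrative."""
    values, duplicates = parse_properties(text)
    findings = [("duplicate-key", key) for key in duplicates]
    for key, value in values.items():
        m = re.fullmatch(r"lsc\.tasks\.[^.]+\.(taskType|object|bean)", key)
        if m and m.group(1) != "bean":
            findings.append(("delete-deprecated", key))    # taskType/object lines must go
        elif m and value != SIMPLE_BEAN:
            findings.append(("bean-not-SimpleBean", key))  # bean must be SimpleBean
    # Assumption: an ldaps:// URL is how the SSL connection to AD would be configured.
    if not values.get("dst.java.naming.provider.url", "").lower().startswith("ldaps://"):
        findings += [("unicodePwd-without-ldaps", key) for key in values
                     if re.fullmatch(r"lsc\.syncoptions\.[^.]+\.unicodePwd\..+", key)]
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding)
```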