On 19/04/2011 18:15, Neil L Thackeray wrote:
> I have to admit to being completely new to using this tool. I tried
> force_value but it didn't work. I'm not quite sure what you mean by
> putting it in the lsc.tasks.task.dstService.attrs. My understanding
> (what there is of it) was that dstService.attrs was to modify LDAP
> values and the userAccountControl was using the values from the AD
> class to modify the LDAP.

dstService.attrs is a list of attributes that LSC is allowed to read or
write to. It won't touch anything not in that list. So, to modify
userAccountControl, add it to that list.

> I checked and the password is not expired on the accounts.
>
> My other question is how do you get the "User must change password at
> next logon" unchecked? I didn't see a function for that in the AD
> class. Is there better documentation out there that I'm missing?

All available flags for the userAccountControl field are listed in this
doc: http://lsc-project.org/javadoc/1.2-SNAPSHOT/

I think "User must change password at next logon" may pertain to
password expiry.

The rest of this looks OK, give it a try with userAccountControl added
to dstService.attrs.

Jonathan

> dst.java.naming.provider.url = ldaps://Myrul.blah.com/dc=ad,dc=lis,dc=illinois,dc=edu
> dst.java.naming.security.authentication = simple
> dst.java.naming.security.principal = [email protected]
> dst.java.naming.security.credentials = xxxxxxxxx
> dst.java.naming.referral = ignore
> dst.java.naming.ldap.derefAliases = never
> dst.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
> dst.java.naming.ldap.version = 3
> dst.java.naming.tls = true
> dst.java.naming.ldap.pageSize = 1000
>
> src.java.naming.provider.url = ldaps://localhost/dc=MYDC
> src.java.naming.security.authentication = simple
> src.java.naming.security.principal = cn=nsinfo,dc=MYDC
> src.java.naming.security.credentials = ldap2nss
> src.java.naming.referral = ignore
> src.java.naming.ldap.derefAliases = never
> src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
> src.java.naming.ldap.version = 3
> dst.java.naming.tls = true
>
> lsc.tasks = SyncAccounts
> lsc.tasks.SyncAccounts.srcService = org.lsc.jndi.SimpleJndiSrcService
> lsc.tasks.SyncAccounts.srcService.baseDn = ou=People
> lsc.tasks.SyncAccounts.srcService.filterAll = (&(objectClass=person)(uid=*))
> lsc.tasks.SyncAccounts.srcService.pivotAttrs = uid sn givenName description
> lsc.tasks.SyncAccounts.srcService.filterId = (&(objectClass=person)(uid={uid}))
> lsc.tasks.SyncAccounts.srcService.attrs = description cn sn givenName uid
>
> lsc.tasks.SyncAccounts.dstService = org.lsc.jndi.SimpleJndiDstService
> lsc.tasks.SyncAccounts.dstService.baseDn = cn=Users,ou=MYDC
> lsc.tasks.SyncAccounts.dstService.filterAll = (&(cn=*)(sAMAccountType = 805306368))
> lsc.tasks.SyncAccounts.dstService.pivotAttrs = uid sn cn givenName description
> lsc.tasks.SyncAccounts.dstService.filterId = (uid={uid})
> lsc.tasks.SyncAccounts.dstService.attrs = description cn sn objectClass sAMAccountName givenName userPrincipalName
>
> lsc.tasks.SyncAccounts.bean = org.lsc.beans.SimpleBean
> lsc.tasks.SyncAccounts.dn = "cn=" + srcBean.getAttributeValueById("uid") + ",cn=Users,ou=MYDC"
> dn.real_root = cn=Users,ou=MYDC
>
> lsc.syncoptions.SyncAccounts = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
> lsc.syncoptions.SyncAccounts.default.action = F
>
> lsc.syncoptions.SyncAccounts.objectClass.action = F
> lsc.syncoptions.SyncAccounts.objectClass.force_value = "top";"user";"person";"organizationalPerson"
>
> lsc.syncoptions.SyncAccounts.sAMAccountName.create_value = srcBean.getAttributeValueById("uid")
> lsc.syncoptions.SyncAccounts.cn.force_value = srcBean.getAttributeValueById("uid")
> lsc.syncoptions.SyncAccounts.userPrincipalName.force_value = srcBean.getAttributeValueById("uid") + "@blah.com"
>
> lsc.syncoptions.SyncAccounts.userAccountControl.force_value = AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE])
>
> lsc.syncoptions.SyncAccounts.unicodePwd.create_value = AD.getUnicodePwd("xxxxxxxxxx")
>
>
> Jonathan Clarke wrote:
>> Hi Neil,
>>
>> On 19/04/2011 17:02, Neil L Thackeray wrote:
>>
>>> I've been able to sync users from our OpenLDAP server to our AD, but so
>>> far all the users are disabled. I tried using the following to
>>> override the disabling:
>>> lsc.syncoptions.SyncAccounts.userAccountControl.create_value =
>>> AD.userAccountControlSet( "0",
>>> [AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE]).
>>>
>>> No luck on current accounts in the AD or in accounts created with this
>>> setting.
>>>
>>
>> Using a create_value will only affect newly created accounts. If you
>> want to change current (already existing) accounts, use force_value
>> instead.
>>
>> Are you sure that this attribute is being updated? Make sure it's in
>> your lsc.tasks.task.dstService.attrs configuration option.
>>
>> If you still have no success, check that the password is set and is not
>> marked as expired.
>>
>> Hope this helps,
>> Jonathan
>>
>>
>
> _______________________________________________________________
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>
> lsc-users mailing list
> [email protected]
> http://lists.lsc-project.org/listinfo/lsc-users

--
--------------------------------------------------------------
Jonathan Clarke - [email protected]
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
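
The check described in the reply above, as an added example that is not part of the original thread or of the LSC project: it lists every attribute that has a syncoptions rule but is absent from the task's dstService.attrs, and decodes a userAccountControl value read back from AD. The sample text is constructed from the quoted configuration, the function names are hypothetical, and the bit values are those Microsoft documents for userAccountControl.

```python
import re

# Constructed sample, reduced from the configuration quoted in the thread.
SAMPLE = r'''
lsc.tasks = SyncAccounts
lsc.tasks.SyncAccounts.dstService.attrs = description cn sn objectClass \
    sAMAccountName givenName userPrincipalName
lsc.syncoptions.SyncAccounts = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
lsc.syncoptions.SyncAccounts.default.action = F
lsc.syncoptions.SyncAccounts.cn.force_value = srcBean.getAttributeValueById("uid")
lsc.syncoptions.SyncAccounts.userAccountControl.force_value = AD.userAccountControlSet("0", [AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE])
lsc.syncoptions.SyncAccounts.unicodePwd.create_value = AD.getUnicodePwd("xxxxxxxxxx")
'''

# userAccountControl bits as documented by Microsoft for Active Directory.
UAC_BITS = {0x2: "ACCOUNTDISABLE", 0x20: "PASSWD_NOTREQD", 0x200: "NORMAL_ACCOUNT",
            0x10000: "DONT_EXPIRE_PASSWORD", 0x800000: "PASSWORD_EXPIRED"}

def parse_properties(text):
    """Minimal .properties reader: comments, backslash continuations, key = value."""
    props = {}
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)  # fold continuation lines
    for line in joined.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def unsynced_attrs(props):
    """Per task: attributes with a syncoptions rule that dstService.attrs omits."""
    report = {}
    for task in props.get("lsc.tasks", "").replace(",", " ").split():
        allowed = {a.lower() for a in
                   props.get(f"lsc.tasks.{task}.dstService.attrs", "").split()}
        prefix = f"lsc.syncoptions.{task}."
        ruled = {k[len(prefix):].rsplit(".", 1)[0] for k in props
                 if k.startswith(prefix) and "." in k[len(prefix):]}
        ruled.discard("default")  # default.action is not an attribute rule
        report[task] = sorted(a for a in ruled if a.lower() not in allowed)
    return report

def uac_flags(value):
    """Decode a userAccountControl integer read back from AD into flag names."""
    return [name for bit, name in sorted(UAC_BITS.items()) if value & bit]

if __name__ == "__main__":
    print(unsynced_attrs(parse_properties(SAMPLE)), uac_flags(514), uac_flags(512))
```

Run against the quoted configuration, this reports both userAccountControl and unicodePwd as outside dstService.attrs; a value of 514 read back from an account decodes to a disabled normal account, 512 to an enabled one.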

