It looks like I've gotten a little further, but this is what I get when
I have the following line in the configuration.
lsc.syncoptions.SyncAccounts.userAccountControl.force_value =
AD.userAccountControlSet( "0",
[AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE])
Apr 19 14:18:04 - DEBUG - Reading configuration from
/ldap/dbstart/autoupdate/lsc-1.2.1/etc/
Apr 19 14:18:04 - DEBUG - Loading configuration url:
file:/ldap/dbstart/autoupdate/lsc-1.2.1/etc/lsc.properties
Apr 19 14:18:04 - INFO - Starting sync for SyncAccounts
Apr 19 14:18:04 - INFO - Connecting to LDAP server
ldaps://localhost/dc=blah as cn=nsinfo,dc=blah
Apr 19 14:18:04 - DEBUG - Using JNDI URL setting of
"ldaps://localhost:636/dc=blah??base?(objectclass=*) "
Apr 19 14:18:05 - DEBUG - Adding 'F' sync type for attribute name
objectClass.
Apr 19 14:18:05 - DEBUG - Adding 'F' sync type for attribute name default.
Apr 19 14:18:05 - DEBUG - Synchronizing SyncAccounts for {sn=Thackeray,
uid=neilt, description=Staff, givenname=Neil}
Apr 19 14:18:05 - INFO - Connecting to LDAP server
ldaps://blah-dc1.ad.foo.blah.com/dc=ad,dc=foo,dc=blah,dc=com as
[email protected]
Apr 19 14:18:05 - DEBUG - Using JNDI URL setting of
"ldaps://blah-dc1.ad.foo.blah.com:636/dc=ad,dc=foo,dc=blah,dc=com??base?(objectclass=*)
"
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": list of
attributes considered for writing in destination: [sn,
userAccountControl, objectClass, userPrincipalName, cn, sAMAccountName,
description, givenName]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "sn" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "sn" with values [Thackeray]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "userAccountControl" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "userAccountControl" with values [512]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "objectClass" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "objectClass" with values [user, top, person,
organizationalPerson]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "userPrincipalName" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "userPrincipalName" with values [[email protected]]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "cn" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "cn" with values [neilt]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "sAMAccountName" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "sAMAccountName" with values [neilt]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "description" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "description" with values [Staff]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "givenName" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "givenName" with values [Neil]
Apr 19 14:18:05 - ERROR - Error while adding entry
cn=neilt,cn=Users,ou=blah in directory
:javax.naming.OperationNotSupportedException: [LDAP: error code 53 -
0000052D: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=neilt,cn=Users,ou=blah'
Apr 19 14:18:05 - ERROR - Error while synchronizing ID
cn=neilt,cn=Users,ou=blah: java.lang.Exception: Technical problem while
applying modifications to directory
Apr 19 14:18:05 - DEBUG - java.lang.Exception: Technical problem while
applying modifications to directory
java.lang.Exception: Technical problem while applying modifications to
directory
at org.lsc.AbstractSynchronize.synchronize2Ldap(AbstractSynchronize.java:399) [lsc-core-1.2.1.jar:na]
at org.lsc.SimpleSynchronize.launchTask(SimpleSynchronize.java:272) [lsc-core-1.2.1.jar:na]
at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:155) [lsc-core-1.2.1.jar:na]
at org.lsc.Launcher.run(Launcher.java:151) [lsc-core-1.2.1.jar:na]
at org.lsc.Launcher.main(Launcher.java:123) [lsc-core-1.2.1.jar:na]
dn: cn=neilt,cn=Users,ou=blah,dc=ad,dc=foo,dc=blah,dc=com
changetype: add
sn: Thackeray
userAccountControl: 512
objectClass: user
objectClass: top
objectClass: person
objectClass: organizationalPerson
userPrincipalName: [email protected]
cn: neilt
sAMAccountName: neilt
description: Staff
givenName: Neil
Without that line I get:
Apr 19 14:16:35 - DEBUG - Reading configuration from
/ldap/dbstart/autoupdate/lsc-1.2.1/etc/
Apr 19 14:16:35 - DEBUG - Loading configuration url:
file:/ldap/dbstart/autoupdate/lsc-1.2.1/etc/lsc.properties
Apr 19 14:16:35 - INFO - Starting sync for SyncAccounts
Apr 19 14:16:35 - INFO - Connecting to LDAP server
ldaps://localhost/dc=blah as cn=nsinfo,dc=blah
Apr 19 14:16:35 - DEBUG - Using JNDI URL setting of
"ldaps://localhost:636/dc=blah??base?(objectclass=*) "
Apr 19 14:16:36 - DEBUG - Adding 'F' sync type for attribute name
objectClass.
Apr 19 14:16:36 - DEBUG - Adding 'F' sync type for attribute name default.
Apr 19 14:16:36 - DEBUG - Synchronizing SyncAccounts for {sn=Thackeray,
uid=neilt, description=Staff, givenname=Neil}
Apr 19 14:16:36 - INFO - Connecting to LDAP server
ldaps://blah-dc1.ad.foo.blah.com/dc=ad,dc=foo,dc=blah,dc=com as
[email protected]
Apr 19 14:16:36 - DEBUG - Using JNDI URL setting of
"ldaps://blah-dc1.ad.foo.blah.com:636/dc=ad,dc=foo,dc=blah,dc=com??base?(objectclass=*)
"
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": list of
attributes considered for writing in destination: [sn,
userAccountControl, objectClass, userPrincipalName, cn, sAMAccountName,
description, givenName]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "sn" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "sn" with values [Thackeray]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "userAccountControl" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "userAccountControl" will not be written to the destination
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "objectClass" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "objectClass" with values [user, top, person,
organizationalPerson]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "userPrincipalName" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "userPrincipalName" with values [[email protected]]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "cn" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "cn" with values [neilt]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "sAMAccountName" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "sAMAccountName" with values [neilt]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "description" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "description" with values [Staff]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "givenName" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
attribute "givenName" with values [Neil]
Apr 19 14:16:36 - INFO - # Adding new entry cn=neilt,cn=Users,ou=blah
for SyncAccounts
dn: cn=neilt,cn=Users,ou=blah,dc=ad,dc=foo,dc=blah,dc=com
changetype: add
sn: Thackeray
objectClass: user
objectClass: top
objectClass: person
objectClass: organizationalPerson
userPrincipalName: [email protected]
cn: neilt
sAMAccountName: neilt
description: Staff
givenName: Neil
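Added example (Python, neither LSC's code nor the poster's): a stand-in for the AD.userAccountControlSet call used above, a decoder for the resulting userAccountControl bits, a pre-check for the refused add in the first log (an enabled account written with no unicodePwd), and a parser for AD's "error code 53 - 0000052D" diagnostic. The flag values and Win32 codes are documented Active Directory constants; the ("set"/"unset", flag) operation format and the function names are assumptions.

```python
import re

# Documented Active Directory userAccountControl bit flags.
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_PASSWORD_EXPIRED = 0x800000
UAC_NAMES = {UAC_ACCOUNTDISABLE: "ACCOUNTDISABLE",
             UAC_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
             UAC_PASSWORD_EXPIRED: "PASSWORD_EXPIRED"}

def user_account_control_set(current, ops):
    """Apply ("set", flag) / ("unset", flag) steps to a UAC value given as a
    string. Hypothetical stand-in for AD.userAccountControlSet, not LSC code."""
    value = int(current)
    for op, flag in ops:
        if op == "set":
            value |= flag
        elif op == "unset":
            value &= ~flag
        else:
            raise ValueError("unknown operation: %r" % op)
    return value

def decode_uac(value):
    """Names of the known flags set in a UAC value, lowest bit first."""
    return [name for flag, name in sorted(UAC_NAMES.items()) if int(value) & flag]

def add_would_be_refused(uac, written_attrs):
    """AD will not create an enabled user unless the same add carries a
    policy-compliant unicodePwd; an enabled UAC with no unicodePwd among the
    written attributes is the situation in the thread's first log."""
    enabled = not (int(uac) & UAC_ACCOUNTDISABLE)
    return enabled and "unicodePwd" not in written_attrs

# Win32 codes AD reports in the hex field of its LDAP diagnostic message.
WIN32_ERRORS = {0x52D: "ERROR_PASSWORD_RESTRICTION",
                0x52E: "ERROR_LOGON_FAILURE",
                0x533: "ERROR_ACCOUNT_DISABLED"}
_AD_ERR = re.compile(r"LDAP: error code (\d+) - ([0-9A-Fa-f]{8}): \w+: "
                     r"DSID-[0-9A-Fa-f]+, problem (\d+) \((\w+)\)")

def parse_ad_ldap_error(message):
    """Extract LDAP result code, AD problem and Win32 code from an AD error."""
    m = _AD_ERR.search(message)
    if not m:
        return None
    win32 = int(m.group(2), 16)
    return {"ldap_code": int(m.group(1)), "problem": int(m.group(3)),
            "problem_name": m.group(4), "win32": win32,
            "win32_name": WIN32_ERRORS.get(win32, "unknown")}
```

With the log's own message, the parser reports Win32 code 0x52D (ERROR_PASSWORD_RESTRICTION), which is the domain refusing an enabled account whose add carried no password meeting policy.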
Jonathan Clarke wrote:
On 19/04/2011 18:15, Neil L Thackeray wrote:
I have to admit to being completely new to using this tool. I tried
force_value but it didn't work. I'm not quite sure what you mean by
putting it in the lsc.tasks.task.dstService.attrs. My understanding
(what there is of it) was that dstService.attrs was to modify LDAP
values and the userAccountControl was using the values from the AD
class to modify the LDAP.
dstService.attrs is a list of attributes that LSC is allowed to read or
write to. It won't touch anything not in that list. So, to modify
userAccountControl, add it to that list.
I checked and the password is not expired on the accounts.
My other question is how do you get the "User must change password at
next logon" unchecked? I didn't see a function for that in the AD
class. Is there better documentation out there that I'm missing?
All available flags for the userAccountControl field are listed in this doc:
http://lsc-project.org/javadoc/1.2-SNAPSHOT/
I think "User must change password at next logon" may pertain to
password expiry.
The rest of this looks OK, give it a try with userAccountControl added
to dstService.attrs.
Jonathan
dst.java.naming.provider.url =
ldaps://Myrul.blah.com/dc=ad,dc=foo,dc=blah,dc=com
dst.java.naming.security.authentication = simple
dst.java.naming.security.principal = [email protected]
dst.java.naming.security.credentials = xxxxxxxxx
dst.java.naming.referral = ignore
dst.java.naming.ldap.derefAliases = never
dst.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
dst.java.naming.ldap.version = 3
dst.java.naming.tls = true
dst.java.naming.ldap.pageSize = 1000
src.java.naming.provider.url = ldaps://localhost/dc=MYDC
src.java.naming.security.authentication = simple
src.java.naming.security.principal = cn=nsinfo,dc=MYDC
src.java.naming.security.credentials = ldap2nss
src.java.naming.referral = ignore
src.java.naming.ldap.derefAliases = never
src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
src.java.naming.ldap.version = 3
dst.java.naming.tls = true
lsc.tasks = SyncAccounts
lsc.tasks.SyncAccounts.srcService = org.lsc.jndi.SimpleJndiSrcService
lsc.tasks.SyncAccounts.srcService.baseDn = ou=People
lsc.tasks.SyncAccounts.srcService.filterAll =
(&(objectClass=person)(uid=*))
lsc.tasks.SyncAccounts.srcService.pivotAttrs = uid sn givenName
description
lsc.tasks.SyncAccounts.srcService.filterId =
(&(objectClass=person)(uid={uid}))
lsc.tasks.SyncAccounts.srcService.attrs = description cn sn givenName uid
lsc.tasks.SyncAccounts.dstService = org.lsc.jndi.SimpleJndiDstService
lsc.tasks.SyncAccounts.dstService.baseDn = cn=Users,ou=MYDC
lsc.tasks.SyncAccounts.dstService.filterAll = (&(cn=*)(sAMAccountType
= 805306368))
lsc.tasks.SyncAccounts.dstService.pivotAttrs = uid sn cn givenName
description
lsc.tasks.SyncAccounts.dstService.filterId = (uid={uid})
lsc.tasks.SyncAccounts.dstService.attrs = description cn sn
objectClass sAMAccountName givenName userPrincipalName
lsc.tasks.SyncAccounts.bean = org.lsc.beans.SimpleBean
lsc.tasks.SyncAccounts.dn = "cn=" +
srcBean.getAttributeValueById("uid") + ",cn=Users,ou=MYDC"
dn.real_root = cn=Users,ou=MYDC
lsc.syncoptions.SyncAccounts =
org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
lsc.syncoptions.SyncAccounts.default.action = F
lsc.syncoptions.SyncAccounts.objectClass.action = F
lsc.syncoptions.SyncAccounts.objectClass.force_value =
"top";"user";"person";"organizationalPerson"
lsc.syncoptions.SyncAccounts.sAMAccountName.create_value =
srcBean.getAttributeValueById("uid")
lsc.syncoptions.SyncAccounts.cn.force_value =
srcBean.getAttributeValueById("uid")
lsc.syncoptions.SyncAccounts.userPrincipalName.force_value =
srcBean.getAttributeValueById("uid") + "@blah.com"
lsc.syncoptions.SyncAccounts.userAccountControl.force_value =
AD.userAccountControlSet( "0",
[AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE])
lsc.syncoptions.SyncAccounts.unicodePwd.create_value =
AD.getUnicodePwd("xxxxxxxxxx")
Jonathan Clarke wrote:
Hi Neil,
On 19/04/2011 17:02, Neil L Thackeray wrote:
I've been able to sync users from our OpenLDAP server to our AD, but so
far all the users are disabled. I tried using the following to
override the disabling:
lsc.syncoptions.SyncAccounts.userAccountControl.create_value =
AD.userAccountControlSet( "0",
[AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE]).
No luck on current accounts in the AD or in accounts created with this
setting.
Using a create_value will only affect newly created accounts. If you
want to change current (already existing) accounts, use force_value
instead.
Are you sure that this attribute is being updated? Make sure it's in
your lsc.tasks.task.dstService.attrs configuration option.
If you still have no success, check that the password is set and is not
marked as expired.
Hope this helps,
Jonathan
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users