Hi,
Looks like AD is not authorizing your modification to the
userAccountControl attribute. Make sure you are using a secure
connection (i.e. port 686) and the account you're using has sufficient
privileges to do this.
Jonathan
On 19/04/2011 22:50, Neil L Thackeray wrote:
> It looks like I've gotten a little further, but this is what I get when
> I have the following line in the configuration.
>
> lsc.syncoptions.SyncAccounts.userAccountControl.force_value = AD.userAccountControlSet("0", [AD.UAC_SET_NORMAL_ACCOUNT, AD.UAC_UNSET_ACCOUNTDISABLE])
>
> Apr 19 14:18:04 - DEBUG - Reading configuration from
> /ldap/dbstart/autoupdate/lsc-1.2.1/etc/
> Apr 19 14:18:04 - DEBUG - Loading configuration url:
> file:/ldap/dbstart/autoupdate/lsc-1.2.1/etc/lsc.properties
> Apr 19 14:18:04 - INFO - Starting sync for SyncAccounts
> Apr 19 14:18:04 - INFO - Connecting to LDAP server
> ldaps://localhost/dc=blah as cn=nsinfo,dc=blah
> Apr 19 14:18:04 - DEBUG - Using JNDI URL setting of
> "ldaps://localhost:636/dc=blah??base?(objectclass=*) "
> Apr 19 14:18:05 - DEBUG - Adding 'F' sync type for attribute name
> objectClass.
> Apr 19 14:18:05 - DEBUG - Adding 'F' sync type for attribute name default.
> Apr 19 14:18:05 - DEBUG - Synchronizing SyncAccounts for {sn=Thackeray,
> uid=neilt, description=Staff, givenname=Neil}
> Apr 19 14:18:05 - INFO - Connecting to LDAP server
> ldaps://blah-dc1.ad.foo.blah.com/dc=ad,dc=foo,dc=blah,dc=com as
> [email protected]
> Apr 19 14:18:05 - DEBUG - Using JNDI URL setting of
> "ldaps://blah-dc1.ad.foo.blah.com:636/dc=ad,dc=foo,dc=blah,dc=com??base?(objectclass=*)
> "
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": list of
> attributes considered for writing in destination: [sn,
> userAccountControl, objectClass, userPrincipalName, cn, sAMAccountName,
> description, givenName]
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "sn" is in FORCE status
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "sn" with values [Thackeray]
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "userAccountControl" is in FORCE status
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "userAccountControl" with values [512]
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "objectClass" is in FORCE status
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "objectClass" with values [user, top, person,
> organizationalPerson]
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "userPrincipalName" is in FORCE status
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "userPrincipalName" with values [[email protected]]
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "cn" is in FORCE status
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "cn" with values [neilt]
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "sAMAccountName" is in FORCE status
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "sAMAccountName" with values [neilt]
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "description" is in FORCE status
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "description" with values [Staff]
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "givenName" is in FORCE status
> Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "givenName" with values [Neil]
> Apr 19 14:18:05 - ERROR - Error while adding entry
> cn=neilt,cn=Users,ou=blah in directory
> :javax.naming.OperationNotSupportedException: [LDAP: error code 53 -
> 0000052D: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0
> ]; remaining name 'cn=neilt,cn=Users,ou=blah'
> Apr 19 14:18:05 - ERROR - Error while synchronizing ID
> cn=neilt,cn=Users,ou=blah: java.lang.Exception: Technical problem while
> applying modifications to directory
> Apr 19 14:18:05 - DEBUG - java.lang.Exception: Technical problem while
> applying modifications to directory
> java.lang.Exception: Technical problem while applying modifications to
> directory
> at
> org.lsc.AbstractSynchronize.synchronize2Ldap(AbstractSynchronize.java:399)
> [lsc-core-1.2.1.jar:na]
> at
> org.lsc.SimpleSynchronize.launchTask(SimpleSynchronize.java:272)
> [lsc-core-1.2.1.jar:na]
> at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:155)
> [lsc-core-1.2.1.jar:na]
> at org.lsc.Launcher.run(Launcher.java:151) [lsc-core-1.2.1.jar:na]
> at org.lsc.Launcher.main(Launcher.java:123) [lsc-core-1.2.1.jar:na]
> dn: cn=neilt,cn=Users,ou=blah,dc=ad,dc=foo,dc=blah,dc=com
> changetype: add
> sn: Thackeray
> userAccountControl: 512
> objectClass: user
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> userPrincipalName: [email protected]
> cn: neilt
> sAMAccountName: neilt
> description: Staff
> givenName: Neil
>
> Without that line I get:
>
> Apr 19 14:16:35 - DEBUG - Reading configuration from
> /ldap/dbstart/autoupdate/lsc-1.2.1/etc/
> Apr 19 14:16:35 - DEBUG - Loading configuration url:
> file:/ldap/dbstart/autoupdate/lsc-1.2.1/etc/lsc.properties
> Apr 19 14:16:35 - INFO - Starting sync for SyncAccounts
> Apr 19 14:16:35 - INFO - Connecting to LDAP server
> ldaps://localhost/dc=blah as cn=nsinfo,dc=blah
> Apr 19 14:16:35 - DEBUG - Using JNDI URL setting of
> "ldaps://localhost:636/dc=blah??base?(objectclass=*) "
> Apr 19 14:16:36 - DEBUG - Adding 'F' sync type for attribute name
> objectClass.
> Apr 19 14:16:36 - DEBUG - Adding 'F' sync type for attribute name default.
> Apr 19 14:16:36 - DEBUG - Synchronizing SyncAccounts for {sn=Thackeray,
> uid=neilt, description=Staff, givenname=Neil}
> Apr 19 14:16:36 - INFO - Connecting to LDAP server
> ldaps://blah-dc1.ad.foo.blah.com/dc=ad,dc=foo,dc=blah,dc=com as
> [email protected]
> Apr 19 14:16:36 - DEBUG - Using JNDI URL setting of
> "ldaps://blah-dc1.ad.foo.blah.com:636/dc=ad,dc=foo,dc=blah,dc=com??base?(objectclass=*)
> "
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": list of
> attributes considered for writing in destination: [sn,
> userAccountControl, objectClass, userPrincipalName, cn, sAMAccountName,
> description, givenName]
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "sn" is in FORCE status
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "sn" with values [Thackeray]
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "userAccountControl" is in FORCE status
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "userAccountControl" will not be written to the destination
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "objectClass" is in FORCE status
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "objectClass" with values [user, top, person,
> organizationalPerson]
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "userPrincipalName" is in FORCE status
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "userPrincipalName" with values [[email protected]]
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "cn" is in FORCE status
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "cn" with values [neilt]
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "sAMAccountName" is in FORCE status
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "sAMAccountName" with values [neilt]
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "description" is in FORCE status
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "description" with values [Staff]
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
> Attribute "givenName" is in FORCE status
> Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah": Adding
> attribute "givenName" with values [Neil]
> Apr 19 14:16:36 - INFO - # Adding new entry cn=neilt,cn=Users,ou=blah
> for SyncAccounts
> dn: cn=neilt,cn=Users,ou=blah,dc=ad,dc=foo,dc=blah,dc=com
> changetype: add
> sn: Thackeray
> objectClass: user
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> userPrincipalName: [email protected]
> cn: neilt
> sAMAccountName: neilt
> description: Staff
> givenName: Neil
>
> Jonathan Clarke wrote:
>> On 19/04/2011 18:15, Neil L Thackeray wrote:
>>
>>> I have to admit to being completely new to using this tool. I tried
>>> force_value but it didn't work. I'm not quite sure what you mean by
>>> putting it in the lsc.tasks.task.dstService.attrs. My understanding
>>> (what there is of it) was that dstService.attrs was to modify LDAP
>>> values and the userAccountControl was using the values from the AD
>>> class to modify the LDAP.
>>>
>>
>> dstService.attrs is a list of attributes that LSC is allowed to read or
>> write to. It won't touch anything not in that list. So, to modify
>> userAccountControl, add it to that list.
>>
>>
>>> I checked and the password is not expired on the accounts.
>>>
>>> My other question is how do you get the "User must change password at
>>> next logon" unchecked? I didn't see a function for that in the AD
>>> class. Is there better documentation out there that I'm missing?
>>>
>>
>> All available flags for the userAccountControl field are listed in
>> this doc:
>> http://lsc-project.org/javadoc/1.2-SNAPSHOT/
>>
>> I think "User must change password at next logon" may pertain to
>> password expiry.
>>
>> The rest of this looks OK, give it a try with userAccountControl added
>> to dstService.attrs.
>>
>> Jonathan
>>
>>
>>> dst.java.naming.provider.url = ldaps://Myrul.blah.com/dc=ad,dc=foo,dc=blah,dc=com
>>> dst.java.naming.security.authentication = simple
>>> dst.java.naming.security.principal = [email protected]
>>> dst.java.naming.security.credentials = xxxxxxxxx
>>> dst.java.naming.referral = ignore
>>> dst.java.naming.ldap.derefAliases = never
>>> dst.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
>>> dst.java.naming.ldap.version = 3
>>> dst.java.naming.tls = true
>>> dst.java.naming.ldap.pageSize = 1000
>>>
>>>
>>> src.java.naming.provider.url = ldaps://localhost/dc=MYDC
>>> src.java.naming.security.authentication = simple
>>> src.java.naming.security.principal = cn=nsinfo,dc=MYDC
>>> src.java.naming.security.credentials = ldap2nss
>>> src.java.naming.referral = ignore
>>> src.java.naming.ldap.derefAliases = never
>>> src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
>>> src.java.naming.ldap.version = 3
>>> src.java.naming.tls = true
>>>
>>>
>>> lsc.tasks = SyncAccounts
>>> lsc.tasks.SyncAccounts.srcService = org.lsc.jndi.SimpleJndiSrcService
>>> lsc.tasks.SyncAccounts.srcService.baseDn = ou=People
>>> lsc.tasks.SyncAccounts.srcService.filterAll = (&(objectClass=person)(uid=*))
>>> lsc.tasks.SyncAccounts.srcService.pivotAttrs = uid sn givenName description
>>> lsc.tasks.SyncAccounts.srcService.filterId = (&(objectClass=person)(uid={uid}))
>>> lsc.tasks.SyncAccounts.srcService.attrs = description cn sn givenName uid
>>>
>>> lsc.tasks.SyncAccounts.dstService = org.lsc.jndi.SimpleJndiDstService
>>> lsc.tasks.SyncAccounts.dstService.baseDn = cn=Users,ou=MYDC
>>> lsc.tasks.SyncAccounts.dstService.filterAll = (&(cn=*)(sAMAccountType=805306368))
>>> lsc.tasks.SyncAccounts.dstService.pivotAttrs = uid sn cn givenName description
>>> lsc.tasks.SyncAccounts.dstService.filterId = (uid={uid})
>>> lsc.tasks.SyncAccounts.dstService.attrs = description cn sn objectClass sAMAccountName givenName userPrincipalName
>>>
>>> lsc.tasks.SyncAccounts.bean = org.lsc.beans.SimpleBean
>>> lsc.tasks.SyncAccounts.dn = "cn=" + srcBean.getAttributeValueById("uid") + ",cn=Users,ou=MYDC"
>>> dn.real_root = cn=Users,ou=MYDC
>>>
>>> lsc.syncoptions.SyncAccounts = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
>>> lsc.syncoptions.SyncAccounts.default.action = F
>>>
>>> lsc.syncoptions.SyncAccounts.objectClass.action = F
>>> lsc.syncoptions.SyncAccounts.objectClass.force_value = "top";"user";"person";"organizationalPerson"
>>>
>>> lsc.syncoptions.SyncAccounts.sAMAccountName.create_value = srcBean.getAttributeValueById("uid")
>>> lsc.syncoptions.SyncAccounts.cn.force_value = srcBean.getAttributeValueById("uid")
>>> lsc.syncoptions.SyncAccounts.userPrincipalName.force_value = srcBean.getAttributeValueById("uid") + "@blah.com"
>>>
>>> lsc.syncoptions.SyncAccounts.userAccountControl.force_value = AD.userAccountControlSet("0", [AD.UAC_SET_NORMAL_ACCOUNT, AD.UAC_UNSET_ACCOUNTDISABLE])
>>>
>>> lsc.syncoptions.SyncAccounts.unicodePwd.create_value = AD.getUnicodePwd("xxxxxxxxxx")
>>>
>>>
>>> Jonathan Clarke wrote:
>>>
>>>> Hi Neil,
>>>>
>>>> On 19/04/2011 17:02, Neil L Thackeray wrote:
>>>>
>>>>
>>>>> I've been able to sync users from our OpenLDAP server to our AD, but so
>>>>> far all the users are disabled. I tried using the following to
>>>>> override the disabling:
>>>>> lsc.syncoptions.SyncAccounts.userAccountControl.create_value =
>>>>> AD.userAccountControlSet( "0",
>>>>> [AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE]).
>>>>>
>>>>> No luck on current accounts in the AD or in accounts created with this
>>>>> setting.
>>>>>
>>>> Using a create_value will only affect newly created accounts. If you
>>>> want to change current (already existing) accounts, use force_value
>>>> instead.
>>>>
>>>> Are you sure that this attribute is being updated? Make sure it's in
>>>> your lsc.tasks.task.dstService.attrs configuration option.
>>>>
>>>> If you still have no success, check that the password is set and is not
>>>> marked as expired.
>>>>
>>>> Hope this helps,
>>>> Jonathan
>>>>
>>>>
>>> _______________________________________________________________
>>> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>>>
>>> lsc-users mailing list
>>> [email protected]
>>> http://lists.lsc-project.org/listinfo/lsc-users
>
--
--------------------------------------------------------------
Jonathan Clarke - [email protected]
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
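Editor's note and example, added to this thread and not part of it or of LSC. Two things in Neil's log are worth decoding before touching permissions. The JNDI URL it prints ("ldaps://blah-dc1.ad.foo.blah.com:636/...") shows the destination bind already goes to port 636, the standard LDAPS port. And the hex prefix of the AD error, 0000052D, is the Win32 code ERROR_PASSWORD_RESTRICTION (1325): AD refuses to create an account that is enabled (userAccountControl 512) when the domain password policy requires a password and none arrives in the same add. That is what the LDIF in the log shows, userAccountControl: 512 with no unicodePwd, and the log's list of attributes considered for writing does not contain unicodePwd either, so the unicodePwd.create_value in the config is never sent. The Python below is my code with my helper names: it mirrors the bit arithmetic behind AD.userAccountControlSet, parses AD's error strings into the embedded Win32 code, encodes a password the way AD's unicodePwd syntax requires (quoted, UTF-16LE), and shows the attribute set for a single add that yields an enabled account. It also answers the "User must change password at next logon" question: that checkbox is pwdLastSet, not a userAccountControl bit (0 sets it, -1 clears it). The flag values and error names are Microsoft's documented constants; nothing here opens a connection.

```python
"""Decode the AD error from the log above and build the attributes AD needs
to create an enabled user in one add. Editor's example, not LSC code;
userAccountControl bits and Win32 error names are documented AD constants."""
import re

# userAccountControl bits (documented AD values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWD = 0x10000

UAC_NAMES = {
    UAC_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UAC_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UAC_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UAC_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
}


def uac_set(current, set_flags=(), unset_flags=()):
    """Bit arithmetic behind AD.userAccountControlSet("0", [SET_x, UNSET_y]):
    start from the existing value (AD hands it back as a decimal string),
    OR in the bits to set, mask out the bits to clear."""
    value = int(current)
    for flag in set_flags:
        value |= flag
    for flag in unset_flags:
        value &= ~flag
    return value


def uac_describe(value):
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if int(value) & bit]


# Win32 codes AD prefixes to its "SvcErr" / "AcceptSecurityContext" messages.
WIN32_NAMES = {
    0x0005: "ERROR_ACCESS_DENIED",
    0x001F: "ERROR_GEN_FAILURE",            # typical for a password set over clear LDAP
    0x052D: "ERROR_PASSWORD_RESTRICTION",   # password missing or violates policy
    0x052E: "ERROR_LOGON_FAILURE",
    0x052F: "ERROR_ACCOUNT_RESTRICTION",
    0x0775: "ERROR_ACCOUNT_LOCKED_OUT",
    0x2077: "ERROR_DS_UNICODEPWD_NOT_IN_QUOTES",
    0x2098: "ERROR_DS_INSUFF_ACCESS_RIGHTS",
}

AD_ERROR_RE = re.compile(
    r"error code (?P<ldap>\d+) - (?P<win32>[0-9A-Fa-f]{8}): .*?"
    r"problem (?P<problem>\d+) \((?P<pname>[A-Z_]+)\), data (?P<data>\d+)"
)

# The error text from Neil's log, copied verbatim.
SAMPLE_ERROR = ("[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A11E5, "
                "problem 5003 (WILL_NOT_PERFORM), data 0 ]")


def parse_ad_error(message):
    """Split a JNDI/AD error string into LDAP result code, embedded Win32 code
    and DSID problem name. Returns None if the text is not AD-shaped."""
    m = AD_ERROR_RE.search(message)
    if not m:
        return None
    win32 = int(m.group("win32"), 16)
    return {
        "ldap_code": int(m.group("ldap")),
        "win32_code": win32,
        "win32_name": WIN32_NAMES.get(win32, "unknown (see winerror.h)"),
        "problem": m.group("pname"),
        "data": int(m.group("data")),
    }


def encode_unicode_pwd(password):
    """unicodePwd syntax: password in double quotes, UTF-16LE, no BOM.
    AD only accepts it over an encrypted connection (LDAPS or StartTLS)."""
    return '"{}"'.format(password).encode("utf-16-le")


def enabled_user_attrs(sam, upn, password, given_name, sn):
    """Attributes for one add that yields an enabled account. 512 without a
    password is what AD answers with 0000052D when policy requires one,
    so unicodePwd travels in the same operation."""
    return {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": sam,
        "userPrincipalName": upn,
        "givenName": given_name,
        "sn": sn,
        "unicodePwd": encode_unicode_pwd(password),
        "userAccountControl": str(uac_set(
            0, set_flags=[UAC_NORMAL_ACCOUNT], unset_flags=[UAC_ACCOUNTDISABLE])),
    }


def must_change_password_at_next_logon(required):
    """The checkbox is pwdLastSet, not a userAccountControl bit: 0 sets it,
    -1 clears it. Apply as a modify once the account exists."""
    return {"pwdLastSet": "0" if required else "-1"}


if __name__ == "__main__":
    print(uac_set("0", [UAC_NORMAL_ACCOUNT], [UAC_ACCOUNTDISABLE]))  # 512
    print(parse_ad_error(SAMPLE_ERROR)["win32_name"])  # ERROR_PASSWORD_RESTRICTION
```

When the task must create accounts first and set passwords later, the usual workaround is to create them with userAccountControl 514 (disabled) or with PASSWD_NOTREQD added, write unicodePwd over the encrypted connection, and only then force 512; whichever order is used, unicodePwd has to be in dstService.attrs for LSC to send it at all.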