I was able to make the modification using ldapmodify on the command line. I've given the account Domain Admin privileges as well. I am going through ssl as the config confirms, and I did set up the keystore for java. I think I'm going to have to give up on this pretty soon and just write some perl scripts.

Error I get when the line: lsc.syncoptions.SyncAccounts.userAccountControl.force_value = AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE]) is enabled and there is no user account.

Apr 20 13:40:03 - ERROR - Error while adding entry cn=neilt,cn=Users,ou=GSLIS in directory :javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=neilt,cn=Users,ou=GSLIS'
Apr 20 13:40:03 - ERROR - Error while synchronizing ID cn=neilt,cn=Users,ou=GSLIS: java.lang.Exception: Technical problem while applying modifications to directory
Apr 20 13:40:03 - DEBUG - java.lang.Exception: Technical problem while applying modifications to directory
java.lang.Exception: Technical problem while applying modifications to directory
       at org.lsc.AbstractSynchronize.synchronize2Ldap(AbstractSynchronize.java:399) [lsc-core-1.2.1.jar:na]
       at org.lsc.SimpleSynchronize.launchTask(SimpleSynchronize.java:272) [lsc-core-1.2.1.jar:na]
       at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:155) [lsc-core-1.2.1.jar:na]
       at org.lsc.Launcher.run(Launcher.java:151) [lsc-core-1.2.1.jar:na]
       at org.lsc.Launcher.main(Launcher.java:123) [lsc-core-1.2.1.jar:na]

Error I get when the line: lsc.syncoptions.SyncAccounts.userAccountControl.force_value = AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE]) is enabled and there is a user account.

Apr 20 13:48:26 - ERROR - Error while adding entry cn=neilt,cn=Users,ou=GSLIS in directory :javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000524: UpdErr: DSID-031A1174, problem 6005 (ENTRY_EXISTS), data 0
]; remaining name 'cn=neilt,cn=Users,ou=GSLIS'
Apr 20 13:48:26 - ERROR - Error while synchronizing ID cn=neilt,cn=Users,ou=GSLIS: java.lang.Exception: Technical problem while applying modifications to directory
Apr 20 13:48:26 - DEBUG - java.lang.Exception: Technical problem while applying modifications to directory
java.lang.Exception: Technical problem while applying modifications to directory
       at org.lsc.AbstractSynchronize.synchronize2Ldap(AbstractSynchronize.java:399) [lsc-core-1.2.1.jar:na]
       at org.lsc.SimpleSynchronize.launchTask(SimpleSynchronize.java:272) [lsc-core-1.2.1.jar:na]
       at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:155) [lsc-core-1.2.1.jar:na]
       at org.lsc.Launcher.run(Launcher.java:151) [lsc-core-1.2.1.jar:na]
       at org.lsc.Launcher.main(Launcher.java:123) [lsc-core-1.2.1.jar:na]
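The two failures above differ in the code AD appends to its diagnostic: `0000052D` behind LDAP result 53 is the Win32 error ERROR_PASSWORD_RESTRICTION (1325), which AD returns when an add or modify tries to leave an account enabled (ACCOUNTDISABLE cleared) without a password that satisfies the domain policy, and `00000524` behind result 68 is ERROR_USER_EXISTS (1316), an add against a DN that is already there. The script below is an added example, not code from this thread or from LSC; it decodes those diagnostics from LSC log lines and computes the userAccountControl bitmask that a helper such as `AD.userAccountControlSet("0", [UAC_SET_NORMAL_ACCOUNT, UAC_UNSET_ACCOUNTDISABLE])` has to produce (512). The function names and the `explain` hints are my own; the flag values and Win32 codes are the documented Microsoft constants; the sample log lines are copied from the messages above.

```python
import re

# userAccountControl bit flags as documented by Microsoft for the AD attribute.
# LSC's AD.UAC_SET_NORMAL_ACCOUNT / AD.UAC_UNSET_ACCOUNTDISABLE correspond to
# setting NORMAL_ACCOUNT (0x200) and clearing ACCOUNTDISABLE (0x2).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "PASSWORD_EXPIRED": 0x800000,
}


def uac_set(current, set_flags=(), unset_flags=()):
    """Apply set/unset flag names to a current userAccountControl value.

    This is the arithmetic behind a helper like AD.userAccountControlSet:
    OR in the bits to set, AND out the bits to clear.
    """
    value = int(current)
    for name in set_flags:
        value |= UAC_FLAGS[name]
    for name in unset_flags:
        value &= ~UAC_FLAGS[name]
    return value


def uac_decode(value):
    """Return the sorted flag names present in a userAccountControl value."""
    value = int(value)
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


# LDAP result codes and the Win32 error AD prepends to its diagnostic text.
LDAP_RESULT_CODES = {
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    68: "entryAlreadyExists",
}
WIN32_ERRORS = {
    0x524: "ERROR_USER_EXISTS",
    0x525: "ERROR_NO_SUCH_USER",
    0x52D: "ERROR_PASSWORD_RESTRICTION",
    0x52E: "ERROR_LOGON_FAILURE",
}

# Shape of the diagnostic AD returns inside the JNDI exception message, e.g.
# "[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0"
AD_ERROR_RE = re.compile(
    r"\[LDAP: error code (?P<ldap>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
    r"(?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), problem (?P<problem>\d+) "
    r"\((?P<problem_name>\w+)\), data (?P<data>\d+)"
)


def parse_ad_error(line):
    """Extract and name the codes from an LSC log line; None if no AD diagnostic is present."""
    m = AD_ERROR_RE.search(line)
    if not m:
        return None
    ldap_code = int(m.group("ldap"))
    win32_code = int(m.group("win32"), 16)
    return {
        "ldap_code": ldap_code,
        "ldap_name": LDAP_RESULT_CODES.get(ldap_code, "unknown"),
        "win32_code": win32_code,
        "win32_name": WIN32_ERRORS.get(win32_code, "unknown"),
        "problem": int(m.group("problem")),
        "problem_name": m.group("problem_name"),
    }


def explain(parsed):
    """Map the parsed codes to the operator-facing cause (hint texts are my own)."""
    if parsed is None:
        return "no AD diagnostic found"
    if parsed["win32_code"] == 0x52D:
        return ("AD refused to leave the account enabled: no password, or one that "
                "fails the domain policy; set unicodePwd over LDAPS before "
                "clearing ACCOUNTDISABLE")
    if parsed["win32_code"] == 0x524:
        return "entry already exists: the sync should modify the entry, not add it"
    return parsed["win32_name"]


# Constructed sample: the two ERROR lines quoted in this thread.
SAMPLE_LOG = [
    'Apr 20 13:40:03 - ERROR - Error while adding entry cn=neilt,cn=Users,ou=GSLIS '
    'in directory :javax.naming.OperationNotSupportedException: [LDAP: error code 53 - '
    '0000052D: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0',
    'Apr 20 13:48:26 - ERROR - Error while adding entry cn=neilt,cn=Users,ou=GSLIS '
    'in directory :javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - '
    '00000524: UpdErr: DSID-031A1174, problem 6005 (ENTRY_EXISTS), data 0',
]

if __name__ == "__main__":
    print("UAC for a new enabled user:", uac_set("0", ["NORMAL_ACCOUNT"], ["ACCOUNTDISABLE"]))
    print("514 decodes to:", uac_decode(514))
    for line in SAMPLE_LOG:
        print(explain(parse_ad_error(line)))
```

Checking the Win32 code rather than only the LDAP result code is what tells the two cases apart: result 53 covers every "will not perform", while 0x52D narrows it to the password policy, which is why the 686/636 port question matters (AD only accepts unicodePwd over an encrypted connection). Running the sync bind as a Domain Admin is not what this error asks for; a delegated account with write access to userAccountControl and unicodePwd on the target OU is enough and keeps the connector's credentials in `lsc.properties` from being domain-wide.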
Hi,

Looks like AD is not authorizing your modification to the
userAccountControl attribute. Make sure you are using a secure
connection (ie, port 686) and the account you're using has sufficient
privileges to do this.

Jonathan


On 19/04/2011 22:50, Neil L Thackeray wrote:
It looks like I've gotten a little further, but this is what I get when
I have the following line in the configuration.

lsc.syncoptions.SyncAccounts.userAccountControl.force_value =
AD.userAccountControlSet( "0",
[AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE])

Apr 19 14:18:04 - DEBUG - Reading configuration from
/ldap/dbstart/autoupdate/lsc-1.2.1/etc/
Apr 19 14:18:04 - DEBUG - Loading configuration url:
file:/ldap/dbstart/autoupdate/lsc-1.2.1/etc/lsc.properties
Apr 19 14:18:04 - INFO  - Starting sync for SyncAccounts
Apr 19 14:18:04 - INFO  - Connecting to LDAP server
ldaps://localhost/dc=blah as cn=nsinfo,dc=blah
Apr 19 14:18:04 - DEBUG - Using JNDI URL setting of
"ldaps://localhost:636/dc=blah??base?(objectclass=*) "
Apr 19 14:18:05 - DEBUG - Adding 'F' sync type for attribute name
objectClass.
Apr 19 14:18:05 - DEBUG - Adding 'F' sync type for attribute name default.
Apr 19 14:18:05 - DEBUG - Synchronizing SyncAccounts for {sn=Thackeray,
uid=neilt, description=Staff, givenname=Neil}
Apr 19 14:18:05 - INFO  - Connecting to LDAP server
ldaps://blah-dc1.ad.foo.blah.com/dc=ad,dc=foo,dc=blah,dc=com as
[email protected]
Apr 19 14:18:05 - DEBUG - Using JNDI URL setting of
"ldaps://blah-dc1.ad.foo.blah.com:636/dc=ad,dc=foo,dc=blah,dc=com??base?(objectclass=*)
"
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  list of
attributes considered for writing in destination: [sn,
userAccountControl, objectClass, userPrincipalName, cn, sAMAccountName,
description, givenName]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "sn" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "sn" with values [Thackeray]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "userAccountControl" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "userAccountControl" with values [512]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "objectClass" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "objectClass" with values [user, top, person,
organizationalPerson]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "userPrincipalName" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "userPrincipalName" with values [[email protected]]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "cn" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "cn" with values [neilt]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "sAMAccountName" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "sAMAccountName" with values [neilt]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "description" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "description" with values [Staff]
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "givenName" is in FORCE status
Apr 19 14:18:05 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "givenName" with values [Neil]
Apr 19 14:18:05 - ERROR - Error while adding entry
cn=neilt,cn=Users,ou=blah in directory
:javax.naming.OperationNotSupportedException: [LDAP: error code 53 -
0000052D: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=neilt,cn=Users,ou=blah'
Apr 19 14:18:05 - ERROR - Error while synchronizing ID
cn=neilt,cn=Users,ou=blah: java.lang.Exception: Technical problem while
applying modifications to directory
Apr 19 14:18:05 - DEBUG - java.lang.Exception: Technical problem while
applying modifications to directory
java.lang.Exception: Technical problem while applying modifications to
directory
       at
org.lsc.AbstractSynchronize.synchronize2Ldap(AbstractSynchronize.java:399)
[lsc-core-1.2.1.jar:na]
       at
org.lsc.SimpleSynchronize.launchTask(SimpleSynchronize.java:272)
[lsc-core-1.2.1.jar:na]
       at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:155)
[lsc-core-1.2.1.jar:na]
       at org.lsc.Launcher.run(Launcher.java:151) [lsc-core-1.2.1.jar:na]
       at org.lsc.Launcher.main(Launcher.java:123) [lsc-core-1.2.1.jar:na]
dn: cn=neilt,cn=Users,ou=blah,dc=ad,dc=foo,dc=blah,dc=com
changetype: add
sn: Thackeray
userAccountControl: 512
objectClass: user
objectClass: top
objectClass: person
objectClass: organizationalPerson
userPrincipalName: [email protected]
cn: neilt
sAMAccountName: neilt
description: Staff
givenName: Neil

Without that line I get:

Apr 19 14:16:35 - DEBUG - Reading configuration from
/ldap/dbstart/autoupdate/lsc-1.2.1/etc/
Apr 19 14:16:35 - DEBUG - Loading configuration url:
file:/ldap/dbstart/autoupdate/lsc-1.2.1/etc/lsc.properties
Apr 19 14:16:35 - INFO  - Starting sync for SyncAccounts
Apr 19 14:16:35 - INFO  - Connecting to LDAP server
ldaps://localhost/dc=blah as cn=nsinfo,dc=blah
Apr 19 14:16:35 - DEBUG - Using JNDI URL setting of
"ldaps://localhost:636/dc=blah??base?(objectclass=*) "
Apr 19 14:16:36 - DEBUG - Adding 'F' sync type for attribute name
objectClass.
Apr 19 14:16:36 - DEBUG - Adding 'F' sync type for attribute name default.
Apr 19 14:16:36 - DEBUG - Synchronizing SyncAccounts for {sn=Thackeray,
uid=neilt, description=Staff, givenname=Neil}
Apr 19 14:16:36 - INFO  - Connecting to LDAP server
ldaps://blah-dc1.ad.foo.blah.com/dc=ad,dc=foo,dc=blah,dc=com as
[email protected]
Apr 19 14:16:36 - DEBUG - Using JNDI URL setting of
"ldaps://blah-dc1.ad.foo.blah.com:636/dc=ad,dc=foo,dc=blah,dc=com??base?(objectclass=*)
"
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  list of
attributes considered for writing in destination: [sn,
userAccountControl, objectClass, userPrincipalName, cn, sAMAccountName,
description, givenName]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "sn" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "sn" with values [Thackeray]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "userAccountControl" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "userAccountControl" will not be written to the destination
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "objectClass" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "objectClass" with values [user, top, person,
organizationalPerson]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "userPrincipalName" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "userPrincipalName" with values [[email protected]]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "cn" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "cn" with values [neilt]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "sAMAccountName" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "sAMAccountName" with values [neilt]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "description" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "description" with values [Staff]
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":
Attribute "givenName" is in FORCE status
Apr 19 14:16:36 - DEBUG - In entry "cn=neilt,cn=Users,ou=blah":  Adding
attribute "givenName" with values [Neil]
Apr 19 14:16:36 - INFO  - # Adding new entry cn=neilt,cn=Users,ou=blah
for SyncAccounts
dn: cn=neilt,cn=Users,ou=blah,dc=ad,dc=foo,dc=blah,dc=com
changetype: add
sn: Thackeray
objectClass: user
objectClass: top
objectClass: person
objectClass: organizationalPerson
userPrincipalName: [email protected]
cn: neilt
sAMAccountName: neilt
description: Staff
givenName: Neil
Jonathan Clarke wrote:
On 19/04/2011 18:15, Neil L Thackeray wrote:

I have to admit to being completely new to using this tool. I tried
force_value but it didn't work. I'm not quite sure what you mean by
putting it in the lsc.tasks.task.dstService.attrs. My understanding
(what there is of it) was that dstService.attrs was to modify LDAP
values and the userAccountControl was using the values from the AD
class to modify the LDAP.

dstService.attrs is a list of attributes that LSC is allowed to read or
write to. It won't touch anything not in that list. So, to modify
userAccountControl, add it to that list.


I checked and the password is not expired on the accounts.

My other question is how do you get the "User must change password at
next logon" unchecked? I didn't see a function for that in the AD
class. Is there better documentation out there that I'm missing?

All available flags for the userAccountControl field are listed in
this doc:
http://lsc-project.org/javadoc/1.2-SNAPSHOT/

I think "User must change password at next logon" may pertain to
password expiry.

The rest of this looks OK, give it a try with userAccountControl added
to dstService.attrs.

Jonathan


dst.java.naming.provider.url =
ldaps://Myrul.blah.com/dc=ad,dc=foo,dc=blah,dc=com
dst.java.naming.security.authentication = simple
dst.java.naming.security.principal = [email protected]
dst.java.naming.security.credentials = xxxxxxxxx
dst.java.naming.referral = ignore
dst.java.naming.ldap.derefAliases = never
dst.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
dst.java.naming.ldap.version = 3
dst.java.naming.tls = true
dst.java.naming.ldap.pageSize = 1000


src.java.naming.provider.url = ldaps://localhost/dc=MYDC
src.java.naming.security.authentication = simple
src.java.naming.security.principal = cn=nsinfo,dc=MYDC
src.java.naming.security.credentials = ldap2nss
src.java.naming.referral = ignore
src.java.naming.ldap.derefAliases = never
src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
src.java.naming.ldap.version = 3
dst.java.naming.tls = true


lsc.tasks = SyncAccounts
lsc.tasks.SyncAccounts.srcService = org.lsc.jndi.SimpleJndiSrcService
lsc.tasks.SyncAccounts.srcService.baseDn = ou=People
lsc.tasks.SyncAccounts.srcService.filterAll =
(&(objectClass=person)(uid=*))
lsc.tasks.SyncAccounts.srcService.pivotAttrs = uid sn givenName
description
lsc.tasks.SyncAccounts.srcService.filterId =
(&(objectClass=person)(uid={uid}))
lsc.tasks.SyncAccounts.srcService.attrs = description cn sn givenName
uid

lsc.tasks.SyncAccounts.dstService = org.lsc.jndi.SimpleJndiDstService
lsc.tasks.SyncAccounts.dstService.baseDn = cn=Users,ou=MYDC
lsc.tasks.SyncAccounts.dstService.filterAll = (&(cn=*)(sAMAccountType
= 805306368))
lsc.tasks.SyncAccounts.dstService.pivotAttrs = uid sn cn givenName
description
lsc.tasks.SyncAccounts.dstService.filterId = (uid={uid})
lsc.tasks.SyncAccounts.dstService.attrs = description cn sn
objectClass sAMAccountName givenName userPrincipalName

lsc.tasks.SyncAccounts.bean = org.lsc.beans.SimpleBean
lsc.tasks.SyncAccounts.dn = "cn=" +
srcBean.getAttributeValueById("uid") + ",cn=Users,ou=MYDC"
dn.real_root = cn=Users,ou=MYDC

lsc.syncoptions.SyncAccounts =
org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
lsc.syncoptions.SyncAccounts.default.action = F

lsc.syncoptions.SyncAccounts.objectClass.action = F
lsc.syncoptions.SyncAccounts.objectClass.force_value =
"top";"user";"person";"organizationalPerson"

lsc.syncoptions.SyncAccounts.sAMAccountName.create_value =
srcBean.getAttributeValueById("uid")
lsc.syncoptions.SyncAccounts.cn.force_value =
srcBean.getAttributeValueById("uid")
lsc.syncoptions.SyncAccounts.userPrincipalName.force_value =
srcBean.getAttributeValueById("uid") + "@blah.com"

lsc.syncoptions.SyncAccounts.userAccountControl.force_value =
AD.userAccountControlSet( "0",
[AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE])

lsc.syncoptions.SyncAccounts.unicodePwd.create_value =
AD.getUnicodePwd("xxxxxxxxxx")


Jonathan Clarke wrote:

Hi Neil,

On 19/04/2011 17:02, Neil L Thackeray wrote:


I'm been able to sync users from our OpenLDAP server to our AD, but so
far all the users are disabled. I tried using the following to
override the disabling:
lsc.syncoptions.SyncAccounts.userAccountControl.create_value =
AD.userAccountControlSet( "0",
[AD.UAC_SET_NORMAL_ACCOUNT,AD.UAC_UNSET_ACCOUNTDISABLE]).

No luck on current accounts in the AD or in accounts created with this
setting.

Using a create_value will only affect newly created accounts. If you
want to change current (already existing) accounts, use force_value
instead.

Are you sure that this attribute is being updated? Make sure it's in
your lsc.tasks.task.dstService.attrs configuration option.

If you still have no success, check that the password is set and is not
marked as expired.

Hope this helps,
Jonathan


_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users




--
--------------------------------------------------------------
Jonathan Clarke - [email protected]
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
