On Tuesday 13 September 2011 15:03:23 [email protected] wrote:
> Hello,
>
> I have a problem with my synchronisation from OpenLDAP to AD 2008 R2.
> Everything with the synchronisation works fine so far,
> except keeping group membership of OpenLDAP groups for non-OpenLDAP users.
> (So users that are not known to the OpenLDAP lose the membership to
> OpenLDAP groups after a sync.)
>
> I already tried to change "lsc.syncoptions.group.default.action = F" to
> "lsc.syncoptions.group.default.action = M", but then it does not delete
> OpenLDAP users from OpenLDAP groups when I do this in the OpenLDAP.
> Maybe someone can tell me what I am doing wrong; I already tried to adjust
> my script but I am basically out of ideas. Below is the part for the groups.
Perhaps it is possible to make what you want with LSC, but I don't know how to
make it easily.
My 10 cents: it seems easier (and less error prone) to maintain in AD a copy
of your LDAP groups, fully synchronized with LSC. If you want to "add" non
OpenLDAP users, you could create another group, only in AD. Then you can add a
group coming from OpenLDAP in this group, *and* add AD users.
You can easily manage that by creating for example a special OU in AD to keep
the original OpenLDAP groups, and/or prefix the groups' names coming from
OpenLDAP with a special string.
I.e.
in OpenLDAP: "mygroup"
in AD:
1/ "__mygroup" could be a sync copy of "mygroup", in the OU "Groups_LDAP"
2/ "mygroup" is a group containing the group "__mygroup", plus other people
coming from AD
HTH,
>
>
> #############
> ### Group ###
> #############
>
> lsc.syncoptions.group = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
> lsc.syncoptions.group.default.action = F
>
> # Direct link - no need to specify syncoptions
> # cn <- cn
> # description <- description
>
> # sAMAccountName <- cn
> lsc.syncoptions.group.sAMAccountName.create_value = srcBean.getAttributeValueById("cn")
>
> # objectClass <- top/group
> lsc.syncoptions.group.objectClass.force_value = "top";"group"
>
> # member to AD <- member from OpenLDAP (groupOfNames)
> # The line "lsc.syncoptions.group.member.force_value" helps to find the
> # corresponding group members in AD:
> # 1. Find memberUid value of the user entry on source directory (OpenLDAP)
> # 2. Search corresponding entry in destination directory (AD) with the
> #    filter (sAMAccountName=$memberUid)
> # 3. Find DN of the found entry in destination directory (AD)
> # 4. Check if this value is not null and push it in member values
>
> # member(AD) <- member(openLDAP) Users
> # (the script is one properties value; trailing backslashes continue the line)
> lsc.syncoptions.group.member.delimiter = $
> lsc.syncoptions.group.member.force_value = \
>   var umembers = srcBean.getAttributeValuesById("member").toArray(); \
>   for (var i = 0; i < umembers.length; i++) { \
>     try { \
>       umembers[i] = ldap.attribute(ldap.list("ou=companyuser", \
>           "(sAMAccountName=" + srcLdap.attribute(umembers[i], 'uid').get(0) + ")").get(0), \
>           'distinguishedname').get(0) \
>     } catch (e) { umembers[i] = null } \
>   } \
>   var members = new Array(); var j = 0; \
>   for (var i = 0; i < umembers.length; i++) { if (umembers[i] != null) members[j++] = umembers[i] } \
>   members
--
Xavier Montagutelli Tel : +33 (0)5 55 45 77 20
Service Commun Informatique Fax : +33 (0)5 55 45 75 95
Universite de Limoges
123, avenue Albert Thomas
87060 Limoges cedex
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
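As an added illustration (not code from the thread or from LSC), the following JavaScript models the member resolution that the quoted force_value script performs and the nested-group layout proposed in the reply. The two directories, the DNs, the OU names and the "ghost"/"carol" entries are constructed stand-ins; LSC's real `ldap`/`srcLdap` helpers are replaced by plain object lookups.

```javascript
// Constructed in-memory stand-ins for both directories; no real LDAP calls are made.
const SRC = {
  "uid=alice,ou=people,dc=example,dc=org": { uid: "alice" },
  "uid=bob,ou=people,dc=example,dc=org": { uid: "bob" },
  "cn=mygroup,ou=groups,dc=example,dc=org": {
    cn: "mygroup",
    member: [
      "uid=alice,ou=people,dc=example,dc=org",
      "uid=bob,ou=people,dc=example,dc=org",
      "uid=ghost,ou=people,dc=example,dc=org", // no such entry: the script's catch drops it
    ],
  },
};
// AD user DN -> sAMAccountName; carol exists only in AD (the poster's case).
const AD_USERS = {
  "CN=alice,OU=companyuser,DC=example,DC=org": "alice",
  "CN=bob,OU=companyuser,DC=example,DC=org": "bob",
  "CN=carol,OU=companyuser,DC=example,DC=org": "carol",
};
// Steps 1-4 of the quoted comment: member DN -> uid -> (sAMAccountName=uid) in AD -> AD DN.
// Members with no source entry or no AD match are dropped rather than pushed as null.
function resolveMembers(src, adUsers, groupDn) {
  const out = [];
  for (const dn of src[groupDn].member) {
    const entry = src[dn];
    if (!entry) continue;
    const adDn = Object.keys(adUsers).find((k) => adUsers[k] === entry.uid);
    if (adDn) out.push(adDn);
  }
  return out;
}
// Layout from the reply: "__<cn>" in OU Groups_LDAP is the fully synced copy (action F);
// "<cn>" is an AD-managed group holding that copy plus the AD-only users.
function buildAdGroups(src, adUsers, groupDn, adOnlyMembers) {
  const cn = src[groupDn].cn;
  const copyDn = `CN=__${cn},OU=Groups_LDAP,DC=example,DC=org`;
  return {
    [copyDn]: resolveMembers(src, adUsers, groupDn),
    [`CN=${cn},OU=Groups,DC=example,DC=org`]: [copyDn, ...adOnlyMembers],
  };
}
// Flatten nested membership so the effective users of "<cn>" can be checked.
function effectiveMembers(groups, groupDn, seen = new Set()) {
  for (const m of groups[groupDn] || []) {
    if (groups[m]) effectiveMembers(groups, m, seen);
    else seen.add(m);
  }
  return seen;
}
```

Removing a user from the OpenLDAP group only shrinks the synced "__mygroup" copy; the AD-only members of "mygroup" are untouched because LSC never manages that group.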