On Tuesday 13 September 2011 15:03:23 [email protected] wrote:
> Hello,
> 
> I have a problem with my synchronisation from openLDAP to AD 2008 R2.
> Everything with the synchronisation works fine so far.
> Except keeping group membership of openldap groups for non openldap users.
> (So users that are not known to the openLDAP lose their membership to
> openldap groups after a sync)
> 
> I already tried to change "lsc.syncoptions.group.default.action = F" to
> "lsc.syncoptions.group.default.action = M" but then it does not delete
> openldap users from openldap groups when I do this in the openldap.
> Maybe someone can tell me what I am doing wrong; I already tried to adjust
> my script but I am basically out of ideas. Below is the part for the groups.

Perhaps it is possible to make what you want with LSC, but I don't know how to 
make it easily.

My 10 cents : it seems easier (and less error prone) to maintain in AD a copy 
of your LDAP groups, fully synchronized with LSC. If you want to "add" non 
openldap users, you could create another group, only in AD. Then you can add a 
group coming from OpenLDAP in this group, *and* add AD users.

You can easily manage that by creating for example a special OU in AD to keep 
the original openldap groups, and/or prefix the groups' name coming from 
OpenLDAP with a special string.

I.e.

in OpenLDAP : "mygroup"
in AD : 
  1/ "__mygroup" could be a sync copy of "mygroup", in the OU "Groups_LDAP"
  2/ "mygroup" is a group containing the group "__mygroup", plus other people 
coming from AD

HTH,

> 
> 
> #############
> ### Group ###
> #############
> 
> lsc.syncoptions.group = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
> lsc.syncoptions.group.default.action = F
> 
> # Direct link - no need to specify syncoptions
> # cn <- cn
> # description <- description
> 
> # sAMAccountName <- cn
> lsc.syncoptions.group.sAMAccountName.create_value = srcBean.getAttributeValueById("cn")
> 
> # objectClass <- top/group
> lsc.syncoptions.group.objectClass.force_value = "top";"group"
> 
> # member to AD <- member from OpenLDAP (groupOfNames)
> # The line "lsc.syncoptions.group.member.force_value" helps to find the
> # corresponding group members in AD
> # 1. Find memberUid value of the user entry on source directory (OpenLDAP)
> # 2. Search corresponding entry in destination directory (AD) with the
> #    filter (sAMAccountName=$memberUid)
> # 3. Find DN of the found entry in destination directory (AD)
> # 4. Check if this value is not null and push it in member values
> 
> # member(AD) <- member(openLDAP) Users
> lsc.syncoptions.group.member.delimiter = $
> lsc.syncoptions.group.member.force_value = \
>   var umembers = srcBean.getAttributeValuesById("member").toArray(); \
>   for (var i = 0; i < umembers.length; i++) { \
>     try { \
>       umembers[i] = ldap.attribute( \
>         ldap.list("ou=companyuser", \
>                   "(sAMAccountName=" + srcLdap.attribute(umembers[i], 'uid').get(0) + ")").get(0), \
>         'distinguishedname').get(0) \
>     } catch (e) { \
>       umembers[i] = null \
>     } \
>   } \
>   var members = new Array(); var j = 0; \
>   for (var i = 0; i < umembers.length; i++) { if (umembers[i] != null) members[j++] = umembers[i] } \
>   members

-- 
Xavier Montagutelli                      Tel : +33 (0)5 55 45 77 20
Service Commun Informatique              Fax : +33 (0)5 55 45 75 95
Universite de Limoges
123, avenue Albert Thomas
87060 Limoges cedex
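Added example, not code from the thread or from the LSC project: a stand-alone JavaScript port of the quoted member.force_value script run against two small constructed directories, followed by the nested-group layout proposed in the reply. It shows why the two approaches behave differently: the synchronized copy "__mygroup" is rewritten on every run and so tracks OpenLDAP removals exactly, while AD-only users survive because they are members of "mygroup", which only nests the copy. The helpers attribute() and list(), the "dc=example,dc=org" suffixes and all entries are assumptions standing in for the real srcLdap/ldap objects and the real directory contents.

```javascript
// Constructed sample OpenLDAP data: DN -> attributes (assumption, not real data)
const openldap = {
  "cn=mygroup,ou=groups,dc=example,dc=org": {
    member: ["uid=alice,ou=people,dc=example,dc=org",
             "uid=bob,ou=people,dc=example,dc=org",
             "uid=ghost,ou=people,dc=example,dc=org"],
  },
  "uid=alice,ou=people,dc=example,dc=org": { uid: ["alice"] },
  "uid=bob,ou=people,dc=example,dc=org":   { uid: ["bob"] },
  // "ghost" has no AD account, so the script must drop it
  "uid=ghost,ou=people,dc=example,dc=org": { uid: ["ghost"] },
};

// Constructed sample AD data: DN -> attributes (assumption, not real data)
const ad = {
  "CN=alice,OU=companyuser,DC=example,DC=org": { sAMAccountName: ["alice"] },
  "CN=bob,OU=companyuser,DC=example,DC=org":   { sAMAccountName: ["bob"] },
  "CN=carol,OU=companyuser,DC=example,DC=org": { sAMAccountName: ["carol"] }, // AD only
};

// Minimal stand-ins for the srcLdap.attribute / ldap.list / ldap.attribute helpers
function attribute(dir, dn, attr) {
  const entry = dir[dn];
  if (!entry || !entry[attr]) throw new Error("no " + attr + " on " + dn);
  return entry[attr];
}
function list(dir, base, filter) {
  // Only (attr=value) filters are supported, which is all the script needs
  const m = /^\((\w+)=([^)]*)\)$/.exec(filter);
  return Object.keys(dir).filter(dn =>
    dn.toLowerCase().endsWith(base.toLowerCase()) &&
    (dir[dn][m[1]] || []).includes(m[2]));
}

// Port of the quoted member.force_value script: OpenLDAP member DNs are mapped
// to AD DNs through (sAMAccountName=<uid>); members with no AD entry are dropped.
function resolveMembers(groupDn) {
  const umembers = attribute(openldap, groupDn, "member").slice();
  for (let i = 0; i < umembers.length; i++) {
    try {
      const uid = attribute(openldap, umembers[i], "uid")[0];
      const hits = list(ad, "ou=companyuser,dc=example,dc=org",
                        "(sAMAccountName=" + uid + ")");
      umembers[i] = hits[0]; // undefined when nothing matched, filtered below
    } catch (e) {
      umembers[i] = null;
    }
  }
  return umembers.filter(dn => dn != null);
}

// Layout from the reply: "__mygroup" in OU Groups_LDAP is the fully synchronized
// copy (action F overwrites it each run); "mygroup" nests it and adds AD-only users.
function buildAdGroups(adOnlyMembers) {
  const syncCopyDn = "CN=__mygroup,OU=Groups_LDAP,DC=example,DC=org";
  return {
    [syncCopyDn]: resolveMembers("cn=mygroup,ou=groups,dc=example,dc=org"),
    "CN=mygroup,OU=Groups,DC=example,DC=org": [syncCopyDn, ...adOnlyMembers],
  };
}

// Effective membership after expanding nested groups (what an ACL check sees);
// 'seen' guards against nesting loops.
function effectiveMembers(groups, groupDn, seen = new Set()) {
  const out = new Set();
  for (const m of groups[groupDn] || []) {
    if (groups[m] !== undefined) {
      if (!seen.has(m)) {
        seen.add(m);
        effectiveMembers(groups, m, seen).forEach(x => out.add(x));
      }
    } else {
      out.add(m);
    }
  }
  return [...out];
}

// Simulates an administrator removing a user from the OpenLDAP group;
// returns the new member count so the change can be checked.
function removeFromOpenldap(groupDn, memberDn) {
  const m = openldap[groupDn].member;
  const i = m.indexOf(memberDn);
  if (i >= 0) m.splice(i, 1);
  return m.length;
}
```

Run buildAdGroups() with the AD-only DNs once, then remove a user from the OpenLDAP group and run it again: the removal reaches "__mygroup" and therefore the effective membership of "mygroup", while the AD-only entry is untouched, which is exactly the behaviour that a single merged group with action M cannot give.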
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
