Thanks for the reply. But in your solution i seem to run into the same problem that is have right now? But perhaps i was not specific enough in my setup. I synchronize two OU's from the open ldap one filled with users and one filled with groups. They both have a corresponding OU in the Active directory. And i have a third OU which is exclusively AD Users. And i want somehow put them into the Groups i synchronized from the openLDAP.
Right now i have the problem that the users from the AD vanish from my openLDAP group. I managed to use a merge with the tool to keep the membership, but then he does not delete openldap user which i remove from the openldap group. By your solution i will run into the same problem only with group, or did i mistake you? I am sorry if my writing is hard to understand, english ist not my native language. 2011/9/13 Xavier Montagutelli <[email protected]> > On Tuesday 13 September 2011 15:03:23 [email protected] wrote: > > Hello, > > > > i have a problem with my synchronisation from openLDAP to AD 2008 R2. > > Everything with the synchronisation works fine so far. > > Except keeping group membership of openldap groups for non openldap > users. > > (So user that are not known to the open LDAP lose the membership to > > openldap grous after a sync) > > > > I already tried to change §lsc.syncoptions.group.default.action = F" to > > "lsc.syncoptions.group.default.action = M" but then es does not delete > > opneldap users from openldap groups when i do this in the openldap. > > Maybe someone can tell me what i am doing wrong i already tried to adjust > > my script but i am basically out of ideas. Below the part for the groups. > > Perhaps it is possible to make what you want with LSC, but I don't know how > to > make it easely. > > My 10 cents : it seems easier (and less error prone) to maintain in AD a > copy > of your LDAP groups, fully sunchronized with LSC. If you want to "add" non > openldap users, you could create another group, only in AD. Then you can > add a > group coming from OepnLDAP in this group, *and* add AD users. > > You can easely manage that by creating for example a special OU in AD to > keep > the original openldap groups, and/or prefix the groups' name coming from > OpenLDAP with a special string. > > I.e. > > in OpenLDAP : "mygroup" > in AD : > 1/ "__mygroup" could be a sync copy of "mygroup", in the OU "Groups_LDAP" > 2/ "mygroup" is a group containing the group "__mygroup", plus other > people > coming from AD > > HTH, > > > > > > > ############# > > ### Group ### > > ############# > > > > lsc.syncoptions.group = > > org.lsc.beans.syncoptions.PropertiesBasedSyncOptions > > lsc.syncoptions.group.default.action = F > > > > # Direct link - no need to specify syncoptions > > # cn <- cn > > # description <- description > > > > # sAMAccountName <- cn > > lsc.syncoptions.group.sAMAccountName.create_value = > > srcBean.getAttributeValueById("cn") > > > > # objectClass <- top/group > > lsc.syncoptions.group.objectClass.force_value = "top";"group" > > > > # member to AD <- member from OpenLDAP (groupOfNames) > > # The line "lsc.syncoptions.group.member.force_value" helps to find the > > corresponding groupmembers in AD > > # 1. Find memberUid value of the user entry on source directory > (OpenLDAP) > > # 2. Search corresponding entry in destination directory (AD) with the > > filter (sAMAccountName=$memberUid) > > # 3. Find DN of the found entry in destination directory (AD) > > # 4. Check if this value is not null and push it in member values > > > > # member(AD) <- member(openLDAP) Users > > lsc.syncoptions.group.member.delimiter = $ > > lsc.syncoptions.group.member.force_value = var umembers = > > srcBean.getAttributeValuesById("member").toArray() ; for (var i=0; > > i<umembers.length; i++ ) { try { umembers[i] = ldap.attribute(ldap.list( > > "ou=companyuser", "(sAMAccountName=" + (srcLdap.attribute(umembers[i], > > 'uid').get(0) + ")")).get(0), 'distinguishedname').get(0) } catch (e) { > > umembers[i]=null }} var members = new Array(); var j=0; for (var i=0; > > i<umembers.length; i++) { if (umembers[i]!=null) members[j++]=umembers[i] > } > > members > > -- > Xavier Montagutelli Tel : +33 (0)5 55 45 77 20 > Service Commun Informatique Fax : +33 (0)5 55 45 75 95 > Universite de Limoges > 123, avenue Albert Thomas > 87060 Limoges cedex > _______________________________________________________________ > Ldap Synchronization Connector (LSC) - http://lsc-project.org > > lsc-users mailing list > [email protected] > http://lists.lsc-project.org/listinfo/lsc-users >
_______________________________________________________________ Ldap Synchronization Connector (LSC) - http://lsc-project.org lsc-users mailing list [email protected] http://lists.lsc-project.org/listinfo/lsc-users
