On Tuesday 13 September 2011 18:40:29 [email protected] wrote: > Thanks for the reply. > > But in your solution i seem to run into the same problem that is have right > now? > But perhaps i was not specific enough in my setup. I synchronize two OU's > from the open ldap one filled with users and one filled with groups. They > both have a corresponding OU in the Active directory. And i have a third OU > which is exclusively AD Users. And i want somehow put them into the Groups > i synchronized from the openLDAP. > > Right now i have the problem that the users from the AD vanish from my > openLDAP group. I managed to use a merge with the tool to keep the > membership, but then he does not delete openldap user which i remove from > the openldap group. > > By your solution i will run into the same problem only with group, or did i > mistake you?
Let's develop my example. In OpenLDAP, you have : 1/ Two users, "alice" and "bob" 2/ One group "mygroup" with the two users alice and bob In AD, you have two OU, "LDAP_People" and "LDAP_Groups" coming from OpenLDAP. You maintain an exact copy of OpenLDAP in these OU with LSC, *and* you rename the group (this can easely be made with LSC). So you will have in AD two users "alice" and "bob" (in "LDAP_People" branch) and one group "__mygroup" with the users "alice" and "bob" You create another group called "mygroup" in the "Groups" branch of AD, and you put "__mygroup" as a member of "mygroup". You can create users in other branches in AD, for example "john" in the "People" branch. Then you can add "john" to "mygroup" (not to "__mygroup" !) So at this point, you can *add* local AD users in "mygroup". And if you change the members in the OpenLDAP group, LSC will sync the "__mygroup" group, and so at the end the members of "mygroup" will be changed without removing john from the group. Of course, as a drawback, you have *two* groups in AD, and you will have to use the good one for setting permissions... Is this what you want ? > > I am sorry if my writing is hard to understand, english ist not my native > language. > > > 2011/9/13 Xavier Montagutelli <[email protected]> > > > On Tuesday 13 September 2011 15:03:23 [email protected] wrote: > > > Hello, > > > > > > i have a problem with my synchronisation from openLDAP to AD 2008 R2. > > > Everything with the synchronisation works fine so far. > > > Except keeping group membership of openldap groups for non openldap > > > > users. > > > > > (So user that are not known to the open LDAP lose the membership to > > > openldap grous after a sync) > > > > > > I already tried to change §lsc.syncoptions.group.default.action = F" to > > > "lsc.syncoptions.group.default.action = M" but then es does not delete > > > opneldap users from openldap groups when i do this in the openldap. > > > Maybe someone can tell me what i am doing wrong i already tried to > > > adjust my script but i am basically out of ideas. Below the part for > > > the groups. > > > > Perhaps it is possible to make what you want with LSC, but I don't know > > how to > > make it easely. > > > > My 10 cents : it seems easier (and less error prone) to maintain in AD a > > copy > > of your LDAP groups, fully sunchronized with LSC. If you want to "add" > > non openldap users, you could create another group, only in AD. Then you > > can add a > > group coming from OepnLDAP in this group, *and* add AD users. > > > > You can easely manage that by creating for example a special OU in AD to > > keep > > the original openldap groups, and/or prefix the groups' name coming from > > OpenLDAP with a special string. > > > > I.e. > > > > > > people > > coming from AD > > > > HTH, > > > > > ############# > > > ### Group ### > > > ############# > > > > > > lsc.syncoptions.group = > > > org.lsc.beans.syncoptions.PropertiesBasedSyncOptions > > > lsc.syncoptions.group.default.action = F > > > > > > # Direct link - no need to specify syncoptions > > > # cn <- cn > > > # description <- description > > > > > > # sAMAccountName <- cn > > > lsc.syncoptions.group.sAMAccountName.create_value = > > > srcBean.getAttributeValueById("cn") > > > > > > # objectClass <- top/group > > > lsc.syncoptions.group.objectClass.force_value = "top";"group" > > > > > > # member to AD <- member from OpenLDAP (groupOfNames) > > > # The line "lsc.syncoptions.group.member.force_value" helps to find the > > > corresponding groupmembers in AD > > > # 1. Find memberUid value of the user entry on source directory > > > > (OpenLDAP) > > > > > # 2. Search corresponding entry in destination directory (AD) with the > > > filter (sAMAccountName=$memberUid) > > > # 3. Find DN of the found entry in destination directory (AD) > > > # 4. Check if this value is not null and push it in member values > > > > > > # member(AD) <- member(openLDAP) Users > > > lsc.syncoptions.group.member.delimiter = $ > > > lsc.syncoptions.group.member.force_value = var umembers = > > > srcBean.getAttributeValuesById("member").toArray() ; for (var i=0; > > > i<umembers.length; i++ ) { try { umembers[i] = > > > ldap.attribute(ldap.list( "ou=companyuser", "(sAMAccountName=" + > > > (srcLdap.attribute(umembers[i], 'uid').get(0) + ")")).get(0), > > > 'distinguishedname').get(0) } catch (e) { umembers[i]=null }} var > > > members = new Array(); var j=0; for (var i=0; i<umembers.length; i++) > > > { if (umembers[i]!=null) members[j++]=umembers[i] > > > > } > > > > > members > > > > -- > > Xavier Montagutelli Tel : +33 (0)5 55 45 77 20 > > Service Commun Informatique Fax : +33 (0)5 55 45 75 95 > > Universite de Limoges > > 123, avenue Albert Thomas > > 87060 Limoges cedex > > _______________________________________________________________ > > Ldap Synchronization Connector (LSC) - http://lsc-project.org > > > > lsc-users mailing list > > [email protected] > > http://lists.lsc-project.org/listinfo/lsc-users -- Xavier Montagutelli Tel : +33 (0)5 55 45 77 20 Service Commun Informatique Fax : +33 (0)5 55 45 75 95 Universite de Limoges 123, avenue Albert Thomas 87060 Limoges cedex _______________________________________________________________ Ldap Synchronization Connector (LSC) - http://lsc-project.org lsc-users mailing list [email protected] http://lists.lsc-project.org/listinfo/lsc-users
