Yes, it works like it is supposed to. A bit more work, but nonetheless it's a good solution. Thank you, I appreciate your help very much.
2011/9/13 Xavier Montagutelli <[email protected]>

> On Tuesday 13 September 2011 18:40:29 [email protected] wrote:
> > Thanks for the reply.
> >
> > But in your solution I seem to run into the same problem that I have right
> > now?
> > But perhaps I was not specific enough in my setup. I synchronize two OUs
> > from the OpenLDAP, one filled with users and one filled with groups. They
> > both have a corresponding OU in the Active Directory. And I have a third OU
> > which is exclusively AD users. And I want to somehow put them into the groups
> > I synchronized from the OpenLDAP.
> >
> > Right now I have the problem that the users from the AD vanish from my
> > OpenLDAP group. I managed to use a merge with the tool to keep the
> > membership, but then it does not delete OpenLDAP users which I remove from
> > the OpenLDAP group.
> >
> > With your solution I will run into the same problem, only with groups, or did I
> > misunderstand you?
>
> Let's develop my example.
>
> In OpenLDAP, you have:
> 1/ Two users, "alice" and "bob"
> 2/ One group "mygroup" with the two users alice and bob
>
> In AD, you have two OUs, "LDAP_People" and "LDAP_Groups", coming from OpenLDAP.
> You maintain an exact copy of OpenLDAP in these OUs with LSC, *and* you rename
> the group (this can easily be made with LSC).
>
> So you will have in AD two users "alice" and "bob" (in the "LDAP_People" branch)
> and one group "__mygroup" with the users "alice" and "bob".
>
> You create another group called "mygroup" in the "Groups" branch of AD, and
> you put "__mygroup" as a member of "mygroup".
>
> You can create users in other branches in AD, for example "john" in the
> "People" branch. Then you can add "john" to "mygroup" (not to "__mygroup"!)
>
> So at this point, you can *add* local AD users in "mygroup".
>
> And if you change the members in the OpenLDAP group, LSC will sync the
> "__mygroup" group, and so at the end the members of "mygroup" will be changed
> without removing john from the group.
>
> Of course, as a drawback, you have *two* groups in AD, and you will have to
> use the good one for setting permissions...
>
> Is this what you want?
>
> > I am sorry if my writing is hard to understand, English is not my native
> > language.
> >
> > 2011/9/13 Xavier Montagutelli <[email protected]>
> >
> > > On Tuesday 13 September 2011 15:03:23 [email protected] wrote:
> > > > Hello,
> > > >
> > > > I have a problem with my synchronisation from OpenLDAP to AD 2008 R2.
> > > > Everything with the synchronisation works fine so far.
> > > > Except keeping group membership of OpenLDAP groups for non-OpenLDAP users.
> > > > (So users that are not known to the OpenLDAP lose the membership to
> > > > OpenLDAP groups after a sync.)
> > > >
> > > > I already tried to change "lsc.syncoptions.group.default.action = F" to
> > > > "lsc.syncoptions.group.default.action = M", but then it does not delete
> > > > OpenLDAP users from OpenLDAP groups when I do this in the OpenLDAP.
> > > > Maybe someone can tell me what I am doing wrong; I already tried to
> > > > adjust my script but I am basically out of ideas. Below is the part for
> > > > the groups.
> > >
> > > Perhaps it is possible to make what you want with LSC, but I don't know how to
> > > make it easily.
> > >
> > > My 10 cents: it seems easier (and less error prone) to maintain in AD a copy
> > > of your LDAP groups, fully synchronized with LSC. If you want to "add"
> > > non-OpenLDAP users, you could create another group, only in AD. Then you can add a
> > > group coming from OpenLDAP in this group, *and* add AD users.
> > >
> > > You can easily manage that by creating for example a special OU in AD to keep
> > > the original OpenLDAP groups, and/or prefix the groups' name coming from
> > > OpenLDAP with a special string.
> > >
> > > I.e.
> > >
> > >
> > > people
> > > coming from AD
> > >
> > > HTH,
> > >
> > > > #############
> > > > ### Group ###
> > > > #############
> > > >
> > > > lsc.syncoptions.group = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
> > > > lsc.syncoptions.group.default.action = F
> > > >
> > > > # Direct link - no need to specify syncoptions
> > > > # cn <- cn
> > > > # description <- description
> > > >
> > > > # sAMAccountName <- cn
> > > > lsc.syncoptions.group.sAMAccountName.create_value = srcBean.getAttributeValueById("cn")
> > > >
> > > > # objectClass <- top/group
> > > > lsc.syncoptions.group.objectClass.force_value = "top";"group"
> > > >
> > > > # member to AD <- member from OpenLDAP (groupOfNames)
> > > > # The line "lsc.syncoptions.group.member.force_value" helps to find the corresponding group members in AD
> > > > # 1. Find memberUid value of the user entry on source directory (OpenLDAP)
> > > > # 2. Search corresponding entry in destination directory (AD) with the filter (sAMAccountName=$memberUid)
> > > > # 3. Find DN of the found entry in destination directory (AD)
> > > > # 4. Check if this value is not null and push it in member values
> > > >
> > > > # member(AD) <- member(openLDAP) Users
> > > > lsc.syncoptions.group.member.delimiter = $
> > > > lsc.syncoptions.group.member.force_value = var umembers = srcBean.getAttributeValuesById("member").toArray() ; for (var i=0; i<umembers.length; i++ ) { try { umembers[i] = ldap.attribute(ldap.list( "ou=companyuser", "(sAMAccountName=" + (srcLdap.attribute(umembers[i], 'uid').get(0) + ")")).get(0), 'distinguishedname').get(0) } catch (e) { umembers[i]=null }} var members = new Array(); var j=0; for (var i=0; i<umembers.length; i++) { if (umembers[i]!=null) members[j++]=umembers[i] } members
> > >
> > > --
> > > Xavier Montagutelli                 Tel : +33 (0)5 55 45 77 20
> > > Service Commun Informatique         Fax : +33 (0)5 55 45 75 95
> > > Universite de Limoges
> > > 123, avenue Albert Thomas
> > > 87060 Limoges cedex
> > > _______________________________________________________________
> > > Ldap Synchronization Connector (LSC) - http://lsc-project.org
> > >
> > > lsc-users mailing list
> > > [email protected]
> > > http://lists.lsc-project.org/listinfo/lsc-users
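The thread turns on how the two LSC sync actions treat the `member` attribute and why the nested-group layout avoids both failure modes. The following model is an added example, not code from the thread or from the LSC project: it re-implements the member-resolution steps of the `force_value` script above against constructed in-memory directories (the DN suffixes `dc=example,dc=org` / `DC=example,DC=org`, the user DNs and the `ou=companyuser`-style lookups are assumptions), treats action `F` as "replace the destination value" and action `M` as "add, never remove" (a simplification of LSC's behaviour sufficient for the membership question), and resolves effective membership through nested groups the way AD does when it builds a token, with a visited set so a group that contains itself cannot recurse forever.

```javascript
"use strict";

// Constructed OpenLDAP data: users keyed by DN, one groupOfNames with member DNs.
const SRC_GROUP_DN = "cn=mygroup,ou=groups,dc=example,dc=org";
const srcUsers = {
  "uid=alice,ou=people,dc=example,dc=org": { uid: "alice" },
  "uid=bob,ou=people,dc=example,dc=org": { uid: "bob" },
};
const srcGroups = {
  [SRC_GROUP_DN]: { member: Object.keys(srcUsers) },
};

// Constructed AD data: sAMAccountName -> DN. john exists only in AD.
const adUsers = {
  alice: "CN=alice,OU=LDAP_People,DC=example,DC=org",
  bob: "CN=bob,OU=LDAP_People,DC=example,DC=org",
  john: "CN=john,OU=People,DC=example,DC=org",
};
const AD_SYNCED = "CN=__mygroup,OU=LDAP_Groups,DC=example,DC=org"; // copy of the OpenLDAP group
const AD_LOCAL = "CN=mygroup,OU=Groups,DC=example,DC=org"; // maintained only in AD

// Same steps as the force_value script in the thread: source member DN -> uid
// -> AD entry with that sAMAccountName -> AD DN. Members that cannot be
// resolved are dropped instead of failing the whole group.
function resolveMembers(srcGroup) {
  return srcGroup.member
    .map((dn) => (srcUsers[dn] ? adUsers[srcUsers[dn].uid] : undefined))
    .filter((dn) => dn !== undefined);
}

// default.action = F (modelled): the destination attribute is replaced by the computed value.
function syncForce(ad, groupDn, wanted) {
  ad[groupDn] = [...wanted];
}

// default.action = M (modelled): computed values are added; nothing already present is removed.
function syncMerge(ad, groupDn, wanted) {
  ad[groupDn] = [...new Set([...(ad[groupDn] || []), ...wanted])];
}

// Effective membership through nested groups (what AD resolves for a user's token),
// with a visited set so a group that contains itself cannot recurse forever.
function effectiveMembers(ad, groupDn, seen = new Set()) {
  if (seen.has(groupDn)) return [];
  seen.add(groupDn);
  const out = new Set();
  for (const m of ad[groupDn] || []) {
    if (m in ad) effectiveMembers(ad, m, seen).forEach((u) => out.add(u));
    else out.add(m);
  }
  return [...out].sort();
}

// Copy of the source group with bob removed, i.e. the upstream change.
function withoutBob(group) {
  return { member: group.member.filter((dn) => !dn.startsWith("uid=bob,")) };
}

// Scenario 1: single AD group, forced sync. john is removed on the first run.
function scenarioFlatForce() {
  const ad = { [AD_LOCAL]: [adUsers.john] };
  syncForce(ad, AD_LOCAL, resolveMembers(srcGroups[SRC_GROUP_DN]));
  return effectiveMembers(ad, AD_LOCAL);
}

// Scenario 2: single AD group, merge. john survives, but bob is still a member
// after he has been removed from the OpenLDAP group.
function scenarioFlatMerge() {
  const ad = { [AD_LOCAL]: [adUsers.john] };
  syncMerge(ad, AD_LOCAL, resolveMembers(srcGroups[SRC_GROUP_DN]));
  syncMerge(ad, AD_LOCAL, resolveMembers(withoutBob(srcGroups[SRC_GROUP_DN])));
  return effectiveMembers(ad, AD_LOCAL);
}

// Scenario 3: the nested layout. "__mygroup" is forced from OpenLDAP, "mygroup"
// holds "__mygroup" plus john. bob's removal propagates; john is untouched.
function scenarioNested() {
  const ad = { [AD_SYNCED]: [], [AD_LOCAL]: [AD_SYNCED, adUsers.john] };
  syncForce(ad, AD_SYNCED, resolveMembers(srcGroups[SRC_GROUP_DN]));
  const before = effectiveMembers(ad, AD_LOCAL);
  syncForce(ad, AD_SYNCED, resolveMembers(withoutBob(srcGroups[SRC_GROUP_DN])));
  return { before, after: effectiveMembers(ad, AD_LOCAL) };
}

console.log("flat force :", scenarioFlatForce());
console.log("flat merge :", scenarioFlatMerge());
console.log("nested     :", scenarioNested());
```

The third scenario is the one to check when auditing such a setup: permissions must be granted on `mygroup`, and `__mygroup` should carry no ACLs of its own, otherwise the two-group drawback Xavier mentions becomes a real gap between what the LDAP group says and what AD enforces.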

