Hi Cain,

I'm resending the message I sent yesterday because it never showed up in the list.

Regards

  ============================================

  Hi Cain,

We had a similar problem where we wanted to automatically populate group members, while keeping manually added members. So each time we synchronize a group, we execute an LDAP query to retrieve the manually added members, and then merge them with the ones added automatically. Here is what it could look like for you. This code might not be working as is, since I adapted my code for your needs without running it.

In lsc.properties
======================
lsc.syncoptions.Employee.groupMembership.delimiter = $
lsc.syncoptions.Employee.groupMembership.action = F
lsc.syncoptions.Employee.groupMembership.force_value = \
         /* start from the members synchronized from the source entry */ \
         var members = new Array(); \
         var smembers = srcBean.getAttributeValuesById("groupMembers"); \
         for (var i = 0; i < smembers.size(); i++) { \
             members[members.length] = smembers.get(i); \
         } \
         /* then append the manually added members found in the destination: */ \
         /* here, every entry under ou=GROUPS whose uid starts with "x" */ \
         var umembers = ldap.search("ou=GROUPS", "uid=x*"); \
         for (var i = 0; i < umembers.size(); i++) { \
             members[members.length] = umembers.get(i); \
         } \
         members;
======================

However, this solution implies that you have a way to identify manually added members... In my example code, it would be all UIDs starting with the letter "x".

Xavier just sent an interesting solution too. I'll let you choose which one is best for you :)

Good luck!

  Max
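
The merge described above (synchronized members plus hand-added ones, with removals on the OpenLDAP side still propagated) as an added example, written in plain JavaScript so it can be run outside LSC; it is not code from the thread or from the LSC project. The function names, the "ou=LDAP_People means synchronized, anything else means local" convention, and all DNs are assumptions constructed for this example.

```javascript
// Added example: member-merge logic for a "keep local members, drop removed
// source members" group sync. Not part of the LSC list thread or the LSC project.
// All names and DNs below are constructed for illustration.

// Normalise a DN for comparison only (DNs are case-insensitive and may carry
// spaces after commas); the original spelling is kept for output.
function dnKey(dn) {
  return dn.replace(/\s*,\s*/g, ",").toLowerCase();
}

// Assumed convention: members under ou=LDAP_People were synchronised from
// OpenLDAP; every other member was added by hand in AD and must survive.
// If this predicate is wrong, a synchronised user is treated as local and
// will never be removed again, so the convention must be unambiguous.
function isLocalMember(dn) {
  return !/,ou=ldap_people,/.test(dnKey(dn));
}

// sourceMembers: what the OpenLDAP group lists now (authoritative for
// synchronised users). currentMembers: what the AD group contains now.
// Result: every source member plus the current members that are local,
// deduplicated. A user removed from the OpenLDAP group is neither in
// sourceMembers nor local, so it disappears; hand-added users are kept.
function mergeMembers(sourceMembers, currentMembers, isLocal = isLocalMember) {
  const out = new Map();
  for (const dn of sourceMembers) out.set(dnKey(dn), dn);
  for (const dn of currentMembers) {
    if (isLocal(dn) && !out.has(dnKey(dn))) out.set(dnKey(dn), dn);
  }
  return [...out.values()].sort();
}

// What the connector would have to add to / remove from the AD group.
function diffMembers(currentMembers, desiredMembers) {
  const cur = new Set(currentMembers.map(dnKey));
  const des = new Set(desiredMembers.map(dnKey));
  return {
    add: desiredMembers.filter((dn) => !cur.has(dnKey(dn))),
    remove: currentMembers.filter((dn) => !des.has(dnKey(dn))),
  };
}

// Constructed sample: alice was removed from the OpenLDAP group, carol was
// added to it, and john is an AD-only user someone added to the group by hand.
const SOURCE_NOW = [
  "CN=bob,OU=LDAP_People,DC=example,DC=org",
  "CN=carol,OU=LDAP_People,DC=example,DC=org",
];
const AD_GROUP_NOW = [
  "CN=alice,OU=LDAP_People,DC=example,DC=org",
  "CN=bob,OU=LDAP_People,DC=example,DC=org",
  "CN=john,OU=People,DC=example,DC=org",
];

// Desired membership after the sync and the changes needed to reach it:
// desired = [bob, carol, john]; add = [carol]; remove = [alice].
function demo() {
  const desired = mergeMembers(SOURCE_NOW, AD_GROUP_NOW);
  return { desired, changes: diffMembers(AD_GROUP_NOW, desired) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node merge.js` to see the computed membership and the add/remove lists. The design point is that the "local" test is the whole contract: the source list decides who stays among synchronised users, and the predicate decides who is exempt, so it should be based on something the synchronisation can never produce (a separate OU or a naming prefix), exactly the caveat raised above.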

[email protected] wrote:

Yes, it works like it is supposed to. A bit more work but nonetheless it's a
good solution. Thank you, I appreciate your help very much.

2011/9/13 Xavier Montagutelli <[email protected]>

On Tuesday 13 September 2011 18:40:29 [email protected] wrote:
> Thanks for the reply.
>
> But in your solution I seem to run into the same problem that I have
> right now?
> But perhaps I was not specific enough in my setup. I synchronize two OUs
> from the OpenLDAP, one filled with users and one filled with groups. They
> both have a corresponding OU in the Active Directory. And I have a third
> OU which is exclusively AD users. And I want somehow to put them into the
> groups I synchronized from the OpenLDAP.
>
> Right now I have the problem that the users from the AD vanish from my
> OpenLDAP group. I managed to use a merge with the tool to keep the
> membership, but then it does not delete OpenLDAP users which I remove from
> the OpenLDAP group.
>
> By your solution I will run into the same problem only with groups, or did
> I mistake you?

Let's develop my example.

In OpenLDAP, you have:
1/ Two users, "alice" and "bob"
2/ One group "mygroup" with the two users alice and bob

In AD, you have two OUs, "LDAP_People" and "LDAP_Groups", coming from
OpenLDAP. You maintain an exact copy of OpenLDAP in these OUs with LSC, *and*
you rename the group (this can easily be done with LSC).

So you will have in AD two users "alice" and "bob" (in the "LDAP_People"
branch) and one group "__mygroup" with the users "alice" and "bob".

You create another group called "mygroup" in the "Groups" branch of AD, and
you put "__mygroup" as a member of "mygroup".

You can create users in other branches in AD, for example "john" in the
"People" branch. Then you can add "john" to "mygroup" (not to "__mygroup"!)

So at this point, you can *add* local AD users in "mygroup".

And if you change the members in the OpenLDAP group, LSC will sync the
"__mygroup" group, and so at the end the members of "mygroup" will be
changed without removing john from the group.

Of course, as a drawback, you have *two* groups in AD, and you will have to
use the right one for setting permissions...

Is this what you want?


>
> I am sorry if my writing is hard to understand, English is not my native
> language.
>
>
> 2011/9/13 Xavier Montagutelli <[email protected]>
>
> > On Tuesday 13 September 2011 15:03:23 [email protected] wrote:
> > > Hello,
> > >
> > > I have a problem with my synchronisation from OpenLDAP to AD 2008 R2.
> > > Everything with the synchronisation works fine so far,
> > > except keeping group membership of OpenLDAP groups for non-OpenLDAP
> > > users.
> > > (So users that are not known to the OpenLDAP lose the membership to
> > > OpenLDAP groups after a sync)
> > >
> > > I already tried to change "lsc.syncoptions.group.default.action = F"
> > > to "lsc.syncoptions.group.default.action = M" but then it does not
> > > delete OpenLDAP users from OpenLDAP groups when I do this in the OpenLDAP.
> > > Maybe someone can tell me what I am doing wrong; I already tried to
> > > adjust my script but I am basically out of ideas. Below the part for
> > > the groups.
> >
> > Perhaps it is possible to make what you want with LSC, but I don't know
> > how to make it easily.
> >
> > My 10 cents: it seems easier (and less error prone) to maintain in AD a
> > copy of your LDAP groups, fully synchronized with LSC. If you want to "add"
> > non-OpenLDAP users, you could create another group, only in AD. Then you
> > can add a group coming from OpenLDAP in this group, *and* add AD users.
> >
> > You can easily manage that by creating for example a special OU in AD to
> > keep the original OpenLDAP groups, and/or prefix the groups' name coming
> > from OpenLDAP with a special string.
> >
> > I.e.
> >
> >
> > people
> > coming from AD
> >
> > HTH,
> >
> > > #############
> > > ### Group ###
> > > #############
> > >
> > > lsc.syncoptions.group = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
> > > lsc.syncoptions.group.default.action = F
> > >
> > > # Direct link - no need to specify syncoptions
> > > # cn <- cn
> > > # description <- description
> > >
> > > # sAMAccountName <- cn
> > > lsc.syncoptions.group.sAMAccountName.create_value = srcBean.getAttributeValueById("cn")
> > >
> > > # objectClass <- top/group
> > > lsc.syncoptions.group.objectClass.force_value = "top";"group"
> > >
> > > # member to AD <- member from OpenLDAP (groupOfNames)
> > > # The line "lsc.syncoptions.group.member.force_value" helps to find the
> > > # corresponding group members in AD
> > > # 1. Find memberUid value of the user entry on source directory (OpenLDAP)
> > > # 2. Search corresponding entry in destination directory (AD) with the
> > > #    filter (sAMAccountName=$memberUid)
> > > # 3. Find DN of the found entry in destination directory (AD)
> > > # 4. Check if this value is not null and push it in member values
> > >
> > > # member(AD) <- member(openLDAP) Users
> > > lsc.syncoptions.group.member.delimiter = $
> > > lsc.syncoptions.group.member.force_value = \
> > >     var umembers = srcBean.getAttributeValuesById("member").toArray(); \
> > >     for (var i = 0; i < umembers.length; i++) { \
> > >         try { \
> > >             umembers[i] = ldap.attribute(ldap.list("ou=companyuser", \
> > >                 "(sAMAccountName=" + srcLdap.attribute(umembers[i], 'uid').get(0) + ")").get(0), \
> > >                 'distinguishedname').get(0); \
> > >         } catch (e) { umembers[i] = null; } \
> > >     } \
> > >     var members = new Array(); var j = 0; \
> > >     for (var i = 0; i < umembers.length; i++) { if (umembers[i] != null) members[j++] = umembers[i]; } \
> > >     members
> >
> > --
> > Xavier Montagutelli                      Tel : +33 (0)5 55 45 77 20
> > Service Commun Informatique              Fax : +33 (0)5 55 45 75 95
> > Universite de Limoges
> > 123, avenue Albert Thomas
> > 87060 Limoges cedex
> > _______________________________________________________________
> > Ldap Synchronization Connector (LSC) - http://lsc-project.org
> >
> > lsc-users mailing list
> > [email protected]
> > http://lists.lsc-project.org/listinfo/lsc-users

--
Xavier Montagutelli                      Tel : +33 (0)5 55 45 77 20
Service Commun Informatique              Fax : +33 (0)5 55 45 75 95
Universite de Limoges
123, avenue Albert Thomas
87060 Limoges cedex