Ah yes, this indeed works also. However, I will stick with the solution I have already implemented :-D But nonetheless, thank you very much for your help.
2011/9/14 Maxime Pelletier <[email protected]>

> Hi Cain,
>
> I'm resending the message I sent yesterday because it never showed up in
> the list.
>
> Regards
>
> ============================================
>
> Hi Cain,
>
> We had a similar problem where we wanted to automatically populate group
> members while keeping manually added members. So each time we synchronize a
> group, we execute an LDAP query to retrieve manually added members, and then
> merge them with the ones added automatically. Here is what it could look like
> for you. This code might not be working as is since I adapted my code for
> your needs without running it.
>
> In lsc.properties
> ======================
> lsc.syncoptions.Employee.groupMembership.delimiter = $
> lsc.syncoptions.Employee.groupMembership.action = F
> lsc.syncoptions.Employee.groupMembership.force_value = \
>   /* members coming from the source entry, as an array so we can append */ \
>   var members = srcBean.getAttributeValuesById("groupMembers").toArray(); \
>   /* manually added members: here, every entry whose uid starts with "x" */ \
>   var umembers = ldap.search("ou=GROUPS", "uid=x*"); \
>   for (var i = 0; i < umembers.size(); i++) { \
>     members[members.length] = umembers.get(i); \
>   } \
>   members;
> ======================
>
> However, this solution implies that you have a way to identify manually
> added members... In my example code, it would be all UIDs starting with the
> letter "x".
>
> Xavier just sent an interesting solution too. I let you choose which one is
> best for you :)
>
> Good luck!
>
> Max
>
> [email protected] wrote:
> >
> > Yes, it works like it is supposed to. A bit more work, but nonetheless it's
> > a good solution. Thank you, I appreciate your help very much.
> >
> > 2011/9/13 Xavier Montagutelli <[email protected]>
> >
> >> On Tuesday 13 September 2011 18:40:29 [email protected] wrote:
> >> > Thanks for the reply.
> >> >
> >> > But in your solution I seem to run into the same problem that I have
> >> > right now?
> >> > But perhaps I was not specific enough in my setup.
> >> > I synchronize two OUs from the OpenLDAP, one filled with users and one
> >> > filled with groups. They both have a corresponding OU in the Active
> >> > Directory. And I have a third OU which is exclusively AD users. And I
> >> > want to somehow put them into the groups I synchronized from the
> >> > OpenLDAP.
> >> >
> >> > Right now I have the problem that the users from the AD vanish from my
> >> > OpenLDAP group. I managed to use a merge with the tool to keep the
> >> > membership, but then it does not delete OpenLDAP users which I remove
> >> > from the OpenLDAP group.
> >> >
> >> > By your solution I will run into the same problem, only with groups, or
> >> > did I mistake you?
> >>
> >> Let's develop my example.
> >>
> >> In OpenLDAP, you have:
> >> 1/ Two users, "alice" and "bob"
> >> 2/ One group "mygroup" with the two users alice and bob
> >>
> >> In AD, you have two OUs, "LDAP_People" and "LDAP_Groups", coming from
> >> OpenLDAP. You maintain an exact copy of OpenLDAP in these OUs with LSC,
> >> *and* you rename the group (this can easily be done with LSC).
> >>
> >> So you will have in AD two users "alice" and "bob" (in the "LDAP_People"
> >> branch) and one group "__mygroup" with the users "alice" and "bob".
> >>
> >> You create another group called "mygroup" in the "Groups" branch of AD,
> >> and you put "__mygroup" as a member of "mygroup".
> >>
> >> You can create users in other branches in AD, for example "john" in the
> >> "People" branch. Then you can add "john" to "mygroup" (not to
> >> "__mygroup"!)
> >>
> >> So at this point, you can *add* local AD users in "mygroup".
> >>
> >> And if you change the members in the OpenLDAP group, LSC will sync the
> >> "__mygroup" group, and so at the end the members of "mygroup" will be
> >> changed without removing john from the group.
> >>
> >> Of course, as a drawback, you have *two* groups in AD, and you will have
> >> to use the good one for setting permissions...
> >>
> >> Is this what you want?
> >>
> >> >
> >> > I am sorry if my writing is hard to understand, English is not my
> >> > native language.
> >> >
> >> > 2011/9/13 Xavier Montagutelli <[email protected]>
> >> >
> >> > > On Tuesday 13 September 2011 15:03:23 [email protected] wrote:
> >> > > > Hello,
> >> > > >
> >> > > > I have a problem with my synchronisation from OpenLDAP to AD 2008
> >> > > > R2. Everything with the synchronisation works fine so far.
> >> > > > Except keeping group membership of OpenLDAP groups for non-OpenLDAP
> >> > > > users.
> >> > > > (So users that are not known to the OpenLDAP lose the membership
> >> > > > to OpenLDAP groups after a sync.)
> >> > > >
> >> > > > I already tried to change "lsc.syncoptions.group.default.action = F"
> >> > > > to "lsc.syncoptions.group.default.action = M", but then it does not
> >> > > > delete OpenLDAP users from OpenLDAP groups when I do this in the
> >> > > > OpenLDAP.
> >> > > > Maybe someone can tell me what I am doing wrong; I already tried to
> >> > > > adjust my script but I am basically out of ideas. Below is the part
> >> > > > for the groups.
> >> > >
> >> > > Perhaps it is possible to make what you want with LSC, but I don't
> >> > > know how to make it easily.
> >> > >
> >> > > My 10 cents: it seems easier (and less error prone) to maintain in AD
> >> > > a copy of your LDAP groups, fully synchronized with LSC. If you want
> >> > > to "add" non-OpenLDAP users, you could create another group, only in
> >> > > AD. Then you can add a group coming from OpenLDAP in this group,
> >> > > *and* add AD users.
> >> > >
> >> > > You can easily manage that by creating for example a special OU in AD
> >> > > to keep the original OpenLDAP groups, and/or prefix the groups' names
> >> > > coming from OpenLDAP with a special string.
> >> > >
> >> > > I.e.
> >> > >
> >> > > people
> >> > > coming from AD
> >> > >
> >> > > HTH,
> >> > >
> >> > > > #############
> >> > > > ### Group ###
> >> > > > #############
> >> > > >
> >> > > > lsc.syncoptions.group = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
> >> > > > lsc.syncoptions.group.default.action = F
> >> > > >
> >> > > > # Direct link - no need to specify syncoptions
> >> > > > # cn <- cn
> >> > > > # description <- description
> >> > > >
> >> > > > # sAMAccountName <- cn
> >> > > > lsc.syncoptions.group.sAMAccountName.create_value = srcBean.getAttributeValueById("cn")
> >> > > >
> >> > > > # objectClass <- top/group
> >> > > > lsc.syncoptions.group.objectClass.force_value = "top";"group"
> >> > > >
> >> > > > # member to AD <- member from OpenLDAP (groupOfNames)
> >> > > > # The line "lsc.syncoptions.group.member.force_value" helps to find
> >> > > > # the corresponding group members in AD:
> >> > > > # 1. Find the memberUid value of the user entry in the source directory (OpenLDAP)
> >> > > > # 2. Search the corresponding entry in the destination directory (AD) with the filter (sAMAccountName=$memberUid)
> >> > > > # 3. Find the DN of the found entry in the destination directory (AD)
> >> > > > # 4. Check that this value is not null and push it into the member values
> >> > > >
> >> > > > # member(AD) <- member(openLDAP) Users
> >> > > > lsc.syncoptions.group.member.delimiter = $
> >> > > > lsc.syncoptions.group.member.force_value = \
> >> > > >   var umembers = srcBean.getAttributeValuesById("member").toArray(); \
> >> > > >   for (var i = 0; i < umembers.length; i++) { \
> >> > > >     try { \
> >> > > >       umembers[i] = ldap.attribute( \
> >> > > >         ldap.list("ou=companyuser", "(sAMAccountName=" + \
> >> > > >           srcLdap.attribute(umembers[i], 'uid').get(0) + ")").get(0), \
> >> > > >         'distinguishedname').get(0); \
> >> > > >     } catch (e) { umembers[i] = null; } \
> >> > > >   } \
> >> > > >   var members = new Array(); \
> >> > > >   var j = 0; \
> >> > > >   for (var i = 0; i < umembers.length; i++) { \
> >> > > >     if (umembers[i] != null) members[j++] = umembers[i]; \
> >> > > >   } \
> >> > > >   members
> >> > >
> >> > > --
> >> > > Xavier Montagutelli                Tel : +33 (0)5 55 45 77 20
> >> > > Service Commun Informatique        Fax : +33 (0)5 55 45 75 95
> >> > > Universite de Limoges
> >> > > 123, avenue Albert Thomas
> >> > > 87060 Limoges cedex
> >> > > _______________________________________________________________
> >> > > Ldap Synchronization Connector (LSC) - http://lsc-project.org
> >> > >
> >> > > lsc-users mailing list
> >> > > [email protected]
> >> > > http://lists.lsc-project.org/listinfo/lsc-users
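The force_value merge from Max's message and the nested-group layout from Xavier's, as an added stand-alone example (not code from the thread or from the LSC project). It replaces the LSC scripting objects srcBean, ldap and srcLdap with constructed in-memory tables and hypothetical DNs, and assumes that a manually added member can be recognised by its DN lying outside the OU that LSC writes. Run with node: a user removed from the OpenLDAP group drops out, a source user with no AD account is skipped, and the AD-only user john survives under both approaches.

```javascript
// Added example: stand-alone model of the two approaches discussed in the
// thread. The LSC scripting objects (srcBean, ldap, srcLdap) are replaced by
// constructed in-memory tables so the logic runs offline.

// --- Constructed sample data (hypothetical DNs, not taken from the thread) ---
const SYNCED_PEOPLE_OU = "ou=LDAP_People,dc=example,dc=com"; // branch maintained by LSC
const LOCAL_PEOPLE_OU  = "ou=People,dc=example,dc=com";      // AD-only accounts

// Stand-in for ldap.list(base, "(sAMAccountName=<uid>)") + ldap.attribute(dn, "distinguishedname")
const AD_DN_BY_SAM = {
  alice: "cn=alice," + SYNCED_PEOPLE_OU,
  bob:   "cn=bob,"   + SYNCED_PEOPLE_OU,
  john:  "cn=john,"  + LOCAL_PEOPLE_OU,
};

// Stand-in for srcLdap.attribute(memberDn, "uid").get(0)
const UID_BY_SOURCE_DN = {
  "uid=alice,ou=people,dc=source": "alice",
  "uid=bob,ou=people,dc=source":   "bob",
  "uid=carol,ou=people,dc=source": "carol", // exists in OpenLDAP only
};

// --- Steps 1-4 of the original force_value ---------------------------------
// Resolve each OpenLDAP member DN to the DN of the matching AD account.
// Members with no AD counterpart are dropped, as the original's catch -> null does.
function resolveSourceMembers(sourceMemberDns, uidBySourceDn = UID_BY_SOURCE_DN,
                              adDnBySam = AD_DN_BY_SAM) {
  const resolved = [];
  for (const dn of sourceMemberDns) {
    const uid = uidBySourceDn[dn];
    const adDn = uid === undefined ? undefined : adDnBySam[uid];
    if (adDn !== undefined) resolved.push(adDn);
  }
  return resolved;
}

// --- Max's approach: merge with manually added members ----------------------
// Assumption: a member was added by hand iff its DN lies outside the OU that
// LSC writes. The thread's own criterion (a uid prefix such as "uid=x*") can be
// supplied as a different predicate.
function isManualMember(adDn) {
  return !adDn.toLowerCase().endsWith("," + SYNCED_PEOPLE_OU.toLowerCase());
}

// New member list = resolved source members + manual members still present in
// AD. A synced user removed in OpenLDAP matches neither, so it is dropped.
function mergeMembers(sourceMemberDns, currentAdMembers, isManual = isManualMember) {
  const merged = new Set(resolveSourceMembers(sourceMemberDns));
  for (const dn of currentAdMembers) {
    if (isManual(dn)) merged.add(dn);
  }
  return Array.from(merged);
}

// --- Xavier's approach: nested groups --------------------------------------
// "mygroup" holds the synced "__mygroup" plus local users; effective membership
// is the transitive closure, so syncing "__mygroup" never touches john.
function effectiveMembers(groupsByDn, groupDn, seen = new Set()) {
  if (seen.has(groupDn)) return [];          // guard against membership cycles
  seen.add(groupDn);
  const out = new Set();
  for (const member of groupsByDn[groupDn] || []) {
    if (member in groupsByDn) {
      for (const dn of effectiveMembers(groupsByDn, member, seen)) out.add(dn);
    } else {
      out.add(member);
    }
  }
  return Array.from(out);
}

// --- Demo: bob was removed from the group in OpenLDAP, john was added by hand in AD
const SOURCE_MEMBERS = ["uid=alice,ou=people,dc=source", "uid=carol,ou=people,dc=source"];
const CURRENT_AD_MEMBERS = [AD_DN_BY_SAM.alice, AD_DN_BY_SAM.bob, AD_DN_BY_SAM.john];

const SYNCED_GROUP_DN = "cn=__mygroup,ou=LDAP_Groups,dc=example,dc=com";
const LOCAL_GROUP_DN  = "cn=mygroup,ou=Groups,dc=example,dc=com";
const GROUPS = {
  [SYNCED_GROUP_DN]: resolveSourceMembers(SOURCE_MEMBERS),   // what LSC would write
  [LOCAL_GROUP_DN]:  [SYNCED_GROUP_DN, AD_DN_BY_SAM.john],   // maintained by hand in AD
};

console.log("merged members:", mergeMembers(SOURCE_MEMBERS, CURRENT_AD_MEMBERS));
console.log("effective members of mygroup:", effectiveMembers(GROUPS, LOCAL_GROUP_DN));
```

Whatever predicate identifies "manual" members is the boundary at which OpenLDAP stops being the source of truth: anything matching it keeps its membership across syncs, so a dedicated OU or group is a narrower and more auditable criterion than a naming convention.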

