Hi Maxime,

The important pieces of information are the pivot attributes and the way they
are used to look for an entry in the various services.

On the one hand, you have an SQL database with:
- a request that lists objects by returning a map of pivot attributes
- a request that gets an object by using the pivot attributes and returning
the entry

On the other hand, you have an OpenLDAP directory with:
- a base DN to use for each search
- a filter to look for all entries, returning a table of pivot attributes for
each entry
- a filter that will use the pivot attributes to get a unique entry

When you are using "-c all", you are asking LSC to go through the various
tasks and to launch the clean phase. On the task that is syncing your SQL
database to your OpenLDAP directory, the following process will occur:
- use the filterAll filter to get all the pivot attributes tables
corresponding to the entries that should be synced to the directory
- for each of them, use the pivot attributes table to look for an object
inside the database through the request that gets an object from the pivot
attributes.

So what you need to do is to modify your SQL request to allow the field
courriel to be equal either to the pivot attribute "courriel" or to the pivot
attribute that comes from LDAP (I can't tell whether it is the uid or mail
attribute, but it doesn't matter, choose the right one). Then you should get an
up-to-date directory with no more shadow accounts.

Hope this helps,

Sebastien.
-- 
Sebastien BAHLOUL
IAM / Security specialist
Ldap Synchronization Connector : http://lsc-project.org
Blog : http://sbahloul.wordpress.com/



2011/10/27 Maxime Pelletier <[email protected]>

> Hi all,
>
> I want to share something that I think is not well documented.
>
> When you build your SQL statement to sync data with OpenLDAP, the column
> you will use as your UID must be named UID if you want to use the "-c all"
> option.
>
> I created entries in LDAP with an email address as the UID. I first built
> the SQL statement with "select * from mytable", and then built the DN with
> column "courriel". However, LSC was deleting all entries with the "-c all"
> option.
>
> From what I understand, LSC matches the #uid# of the SQL statement with the
> field "uid" in LDAP. So when LSC tries to match #courriel# in LDAP, it fails
> and then replaces #courriel# by a NULL value in the SQL query. Result: it
> deletes everything.
>
> I don't know if this is a well known pitfall/behavior, but I wanted to
> share this in case it could help someone.
>
> Regards,
>
> Maxime
>
> _______________________________________________________________
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>
> lsc-users mailing list
> [email protected]
> http://lists.lsc-project.org/listinfo/lsc-users
>
>
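The following queries illustrate Sebastien's advice and the failure Maxime ran into. They are an added example, not code from either message nor from the LSC project. The table "mytable", the column "courriel" and the "#uid#" / "#courriel#" placeholder names are taken from Maxime's mail; the other column names are assumed, and the iBatis-style "#name#" placeholders are written the way LSC's SQL source binds pivot values in that version.

```sql
-- Added example (not from the thread or from LSC). Placeholder names are the
-- pivot attribute names LSC binds from the previous step: in the sync phase
-- they come from the list request, in the clean phase ("-c all") they come
-- from the LDAP filterAll search, so the two sides must agree on the key.

-- List request: alias the SQL pivot column to the LDAP pivot attribute name,
-- so each returned map carries the key "uid" rather than "courriel".
-- (Assumes the LDAP pivot attribute is "uid"; use "mail" if that is yours.)
SELECT courriel AS uid
FROM mytable;

-- Get request, BEFORE: only knows the SQL-side name. During the clean phase
-- LSC hands over the LDAP pivot ("uid"), so #courriel# has no value; as Maxime
-- describes, it binds to NULL, no row matches, and every LDAP entry looks like
-- a shadow account to be deleted.
SELECT *
FROM mytable
WHERE courriel = #courriel#;

-- Get request, AFTER (Sebastien's suggestion): accept either pivot name, so
-- the same request works whether the pivot table comes from the SQL list
-- request (key "courriel") or from the LDAP search (key "uid").
SELECT *
FROM mytable
WHERE courriel = #courriel#
   OR courriel = #uid#;
```

Before running a real "-c all" against production, run the clean phase against a test directory and check that a known-good entry is found by the get request with only the LDAP pivot bound; a query that returns no row for every entry is exactly the mass-deletion case above.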