One other odd thing I noticed with using the dateformat, it appears to spam the ldap query and no longer respect the default <interval>. I even tried setting this to a really high number, but it does like 20 queries a second regardless as to what <interval> is set to. When I remove dateformat it goes back to respecting what is set in <interval>.
-Joel

On Tue, Aug 7, 2012 at 9:36 AM, dunkan <[email protected]> wrote:

> Thank you Sébastien, I missed that. After testing it works great!
>
> I have one further issue, it seems like I am trying to sync entries that
> are not matched by my getAllFilter. We have a large AD environment, but not
> all of those users need to be in LDAP. I only want to sync users that have
> a uidNumber assigned.
>
> I use this filter:
> <getAllFilter>(& (objectClass=user) (sAMAccountName=*) (uidNumber=*))</getAllFilter>
>
> If I use it manually via ldapsearch it returns the users I expect.
> However my task is trying to grab users that have been modified recently,
> but do not have a uidNumber.
>
> This seems to be related to the timestamp, when I take the
> <dateFormat>yyyyMMddHHmmss'.0Z'</dateFormat> out of my config, I don't see
> this any longer. Is it still using the getallfilter when checking the
> modifytimestamp?
>
> I appreciate all the help.
>
> -Joel
>
> On Mon, Aug 6, 2012 at 11:51 PM, Sébastien Bahloul <[email protected]> wrote:
>
>> Hi Dunkan,
>>
>> Yes you are completely right, that's why you can customize it. Look at
>> the following page:
>>
>> http://lsc-project.org/wiki/documentation/2.0/configuration/service/sourceldap
>>
>> and set the "dateFormat" value to the following setting (not tested):
>>
>> yyyyMMddHHmmss.S'Z
>>
>> The pattern to use is documented in standard Java documentation for
>> SimpleDateFormat class:
>> http://docs.oracle.com/javase/1.4.2/docs/api/java/text/SimpleDateFormat.html
>>
>> Regards,
>>
>> --
>> Sebastien BAHLOUL
>> IAM / Security specialist
>> Ldap Synchronization Connector : http://lsc-project.org
>> Blog : http://sbahloul.wordpress.com/
>>
>> 2012/8/7 dunkan <[email protected]>
>>
>>> Sorry to be spammy. From looking at tcpdumps I see it is checking the
>>> modifytimestamp. It looks like the problem is the value is stored with a
>>> decimal in the directory, but not in the filter.
>>>
>>> For example, it is looking for "(modifytimestamp>=20110807030345Z)",
>>> and never gets any results. If I change that
>>> to "(modifytimestamp>=20110807030345.0Z)" it returns the entries that are
>>> modified.
>>>
>>> Thanks,
>>> Joel
>>>
>>> On Mon, Aug 6, 2012 at 9:00 PM, dunkan <[email protected]> wrote:
>>>
>>>> It looks like FORCE, with forcevalues will always put what I need, so
>>>> that part is working out now.
>>>>
>>>> I'm not sure about the async job though. How does it determine that it
>>>> needs to update? The logs give the indication that it is searching every 5
>>>> seconds, but changes don't show up. If I stop and re-run it again they are
>>>> always picked up.
>>>>
>>>> -Joel
>>>>
>>>> On Mon, Aug 6, 2012 at 7:02 PM, dunkan <[email protected]> wrote:
>>>>
>>>>> Hey there,
>>>>>
>>>>> I am working on one way syncing AD to OpenLDAP. I am seeing a
>>>>> difference in operation between using lsc in async vs sync mode.
>>>>>
>>>>> If I start lsc like so:
>>>>>
>>>>> # bin/lsc -f etc -a all
>>>>>
>>>>> users are read from active directory using my filter correctly, and
>>>>> attributes are updated as I would expect.
>>>>>
>>>>> If I start lsc in async like so:
>>>>>
>>>>> # bin/lsc -f etc -s all
>>>>>
>>>>> lsc attempts to create users every time, and I will get a failure to
>>>>> add as the entry already exists.
>>>>>
>>>>> From what I have read this sort of behavior shouldn't change using
>>>>> sync vs async, is that correct?
>>>>> It seems like an easy work around for now is to just use async and
>>>>> trigger an event.
>>>>>
>>>>> My second issue I believe is configuration. I have been using
>>>>> http://lsc-project.org/wiki/documentation/2.0/configuration/syncoptions as
>>>>> my guide for this.
>>>>>
>>>>> AD has a different objectclass than OpenLDAP.
>>>>>
>>>>> So in AD the objectClass will be OrganizationalPerson, person
>>>>> In OpenLDAP it is Account, PosixAccount.
>>>>>
>>>>> I want the values in OpenLDAP to always be the OpenLDAP values,
>>>>> leave existing entries alone, and create new users with those values.
>>>>>
>>>>> I thought the way to do this would be to set policy to FORCE and
>>>>> defaultvalues to my requested values.
>>>>> This creates a new user ok, but existing users get trampled.
>>>>>
>>>>> If I set it to KEEP and defaultvalues to the requested values,
>>>>> existing users don't get messed with, but new users use the AD
>>>>> objectclass.
>>>>>
>>>>> I tried using forcevalues and createvalues with KEEP/FORCE as well,
>>>>> but am not having any luck getting the behavior I am looking for.
>>>>>
>>>>> Any tips?
>>>>>
>>>>> Thanks,
>>>>> Joel
>>>
>>> _______________________________________________________________
>>> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>>>
>>> lsc-users mailing list
>>> [email protected]
>>> http://lists.lsc-project.org/listinfo/lsc-users
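Added example (not part of the original thread and not LSC's own code): the thread's SimpleDateFormat patterns rendered as modifyTimestamp clauses ANDed with the quoted getAllFilter, so the resulting filters can be compared with what tcpdump shows on the wire. The class and method names, the sample instants, and the closing quote on the ".S" pattern are assumptions; whether LSC itself combines the two filters this way is not stated in the thread.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

public class ModifyTimestampFilter {
    // Scoping filter quoted in the thread (whitespace removed).
    static final String GET_ALL = "(&(objectClass=user)(sAMAccountName=*)(uidNumber=*))";

    // Fraction-less form, as seen in the tcpdump filter that returned nothing.
    static final String NO_FRACTION = "yyyyMMddHHmmss'Z'";
    // Pattern from the thread's working config: ".0Z" is a quoted literal.
    static final String LITERAL_FRACTION = "yyyyMMddHHmmss'.0Z'";
    // Assumption: the suggested ".S" pattern with its quote closed. S is the
    // millisecond field, printed unpadded, so the fraction varies per instant.
    static final String MILLIS_FRACTION = "yyyyMMddHHmmss.S'Z'";

    /** Formats an instant as generalized time in UTC with the given pattern. */
    static String generalizedTime(String pattern, Date when) {
        SimpleDateFormat fmt = new SimpleDateFormat(pattern);
        // The trailing Z asserts UTC; without this the JVM's local zone is used.
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        return fmt.format(when);
    }

    /** ANDs the scoping filter with a "modified since" clause. */
    static String modifiedSince(String scope, String pattern, Date since) {
        return "(&" + scope + "(modifyTimestamp>=" + generalizedTime(pattern, since) + "))";
    }

    public static void main(String[] args) {
        // Constructed instants: 2011-08-07 03:03:45 UTC, exactly and with 345 ms.
        Date whole = new Date(1312686225000L);
        Date withMillis = new Date(1312686225345L);

        for (String pattern : new String[] {NO_FRACTION, LITERAL_FRACTION, MILLIS_FRACTION}) {
            System.out.println(pattern);
            System.out.println("  " + modifiedSince(GET_ALL, pattern, whole));
            System.out.println("  " + modifiedSince(GET_ALL, pattern, withMillis));
        }
    }
}
```

Each printed filter can be run through ldapsearch against the source directory to check which timestamp form it accepts and whether entries without a uidNumber still match.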

