Open source friends! Thanks for the tip! I think I'm getting closer to having
a sync execute.
So, I executed this on the destination LDAP server to create the base directory
structure:
# cat /var/tmp/add-to-ldap
dn: dc=linkedin,dc=biz
objectClass: top
objectClass: domain
dc: linkedin

dn: ou=staff users,dc=linkedin,dc=biz
objectClass: top
objectClass: organizationalUnit
ou: Staff Users
Executed ldapadd:
# ldapadd -D "cn=manager,dc=linkedin,dc=biz" -w xxxx -f /var/tmp/add-to-ldap
adding new entry "dc=linkedin,dc=biz"
adding new entry "ou=staff users,dc=linkedin,dc=biz"
It appears to have worked. I see the base directory entries now.
# ldapsearch -b "dc=linkedin,dc=biz" -D "cn=manager,dc=linkedin,dc=biz" -w xxxx '(objectclass=*)' -s sub
# extended LDIF
#
# LDAPv3
# base <dc=linkedin,dc=biz> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# linkedin.biz
dn: dc=linkedin,dc=biz
objectClass: top
objectClass: domain
dc: linkedin
# staff users, linkedin.biz
dn: ou=staff users,dc=linkedin,dc=biz
objectClass: top
objectClass: organizationalUnit
ou: Staff Users
# search result
search: 2
result: 0 Success
Here's the relevant parts of my lsc.xml now, just trying to get something to
work.
<tasks>
  <task>
    <name>Sync_Active_Directory_Users</name>
    <bean>org.lsc.beans.SimpleBean</bean>
    <ldapSourceService>
      <name>ad-src-service</name>
      <connection reference="Active_Directory" />
      <baseDn>ou=staff users,dc=linkedin,dc=biz</baseDn>
      <pivotAttributes><string>cn</string></pivotAttributes>
      <fetchedAttributes>
        <string>cn</string>
      </fetchedAttributes>
      <getAllFilter>(objectClass=user)</getAllFilter>
      <getOneFilter>(&amp;(objectClass=user)(cn={cn}))</getOneFilter>
    </ldapSourceService>
    <ldapDestinationService>
      <name>openldap-dst-service</name>
      <connection reference="OpenLDAP" />
      <baseDn>ou=staff users,dc=linkedin,dc=biz</baseDn>
      <pivotAttributes><string>cn</string></pivotAttributes>
      <fetchedAttributes>
        <string>cn</string>
      </fetchedAttributes>
      <getAllFilter>(objectClass=user)</getAllFilter>
      <getOneFilter>(&amp;(objectclass=user)(cn={cn}))</getOneFilter>
    </ldapDestinationService>
    <propertiesBasedSyncOptions>
      <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Staff Users,dc=linkedin,dc=biz"</mainIdentifier>
      <defaultDelimiter>;</defaultDelimiter>
      <defaultPolicy>FORCE</defaultPolicy>
      <dataset>
        <name>objectclass</name>
        <policy>FORCE</policy>
        <forceValues>
          <string>"cn"</string>
        </forceValues>
      </dataset>
    </propertiesBasedSyncOptions>
  </task>
</tasks>
Here's execution.
# lsc -s all
…
…
Oct 21 17:26:50 - WARN - No clean filter has been specified for
task=Sync_Active_Directory_Users. During the clean phase, LSC wouldn't be able
to get the right entries and may delete all destination entries !
Oct 21 17:26:50 - INFO - Starting sync for Sync_Active_Directory_Users
Oct 21 17:26:51 - ERROR - Error while adding entry cn=Kian Chung,ou=Staff
Users,dc=linkedin,dc=biz in directory
:javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - no
objectClass attribute]; remaining name 'cn=Kian Chung,ou=Staff Users'
…
..
This repeats for the 4000+ entries.
On the OpenLDAP server:
Oct 21 17:26:50 slapd[22055]: conn=3511 op=0 BIND
dn="cn=manager,dc=linkedin,dc=biz" method=128
Oct 21 17:26:50 slapd[22055]: conn=3511 op=0 BIND
dn="cn=manager,dc=linkedin,dc=biz" mech=SIMPLE ssf=0
Oct 21 17:26:50 slapd[22055]: conn=3511 op=0 RESULT tag=97 err=0 text=
Oct 21 17:26:51 slapd[22055]: conn=3511 op=1 SRCH base="ou=staff
users,dc=linkedin,dc=biz" scope=2 deref=0 filter="(&(?objectClass=user)(cn=kian
chung))"
Oct 21 17:26:51 slapd[22055]: conn=3511 op=1 SRCH attr=cn sn
Oct 21 17:26:51 slapd[22055]: conn=3511 op=9 ADD dn="cn=Kian Chung,ou=Staff
Users,dc=linkedin,dc=biz"
Oct 21 17:26:51 slapd[22055]: is_entry_objectclass("cn=Kian Chung,ou=Staff
Users,dc=linkedin,dc=biz", "2.5.17.0") no objectClass attribute
Oct 21 17:26:51 slapd[22055]: No objectClass for entry (cn=Kian Chung,ou=Staff
Users,dc=linkedin,dc=biz)
Oct 21 17:26:51 slapd[22055]: conn=3511 op=7 RESULT tag=105 err=65 text=no
objectClass attribute
Did I miss creating something in the base directory structure from the
execution of ldapadd? Thanks again for the assistance!
Mike
From: Jonathan Clarke <[email protected]>
Date: Saturday, October 20, 2012 5:16 AM
To: Mike Svoboda <[email protected]>
Cc: Joel Foote <[email protected]>, [email protected]
Subject: Re: [lsc-users] Sync AD --> OpenLDAP help needed
Hi Mike,
On 20/10/12 03:06, Mike Svoboda wrote:
No dice. I now am trying this:
<tasks>
  <task>
    <name>Sync_Active_Directory_Users</name>
    <bean>org.lsc.beans.SimpleBean</bean>

    <ldapSourceService>
      <name>ad-src-service</name>
      <connection reference="Active_Directory" />
      <baseDn>ou=staff users,dc=linkedin,dc=biz</baseDn>
      <pivotAttributes><string>cn</string></pivotAttributes>
      <fetchedAttributes>
        <string>cn</string>
        <string>description</string>
        <string>name</string>
        <string>objectClass</string>
        <string>sn</string>
        <string>givenName</string>
      </fetchedAttributes>
      <getAllFilter>(objectClass=user)</getAllFilter>
      <getOneFilter>(&amp;(objectClass=user)(cn={cn}))</getOneFilter>
    </ldapSourceService>

    <ldapDestinationService>
      <name>openldap-dst-service</name>
      <connection reference="OpenLDAP" />
      <baseDn>ou=staff users,dc=linkedin,dc=biz</baseDn>
      <pivotAttributes><string>uid</string></pivotAttributes>
      <fetchedAttributes>
        <string>description</string>
        <string>cn</string>
        <string>sn</string>
        <string>givenName</string>
        <string>objectClass</string>
        <string>uid</string>
        <string>mail</string>
      </fetchedAttributes>
      <getAllFilter>(objectClass=*)</getAllFilter>
      <getOneFilter>(&amp;(objectClass=*)(cn={cn}))</getOneFilter>
    </ldapDestinationService>

    <propertiesBasedSyncOptions>
      <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Staff Users,dc=linkedin,dc=biz"</mainIdentifier>
      <defaultDelimiter>;</defaultDelimiter>
      <defaultPolicy>FORCE</defaultPolicy>
      <dataset>
        <name>objectclass</name>
        <policy>FORCE</policy>
        <forceValues>
          <string>"cn"</string>
        </forceValues>
      </dataset>
    </propertiesBasedSyncOptions>

  </task>
</tasks>
Output of executing LSC:
Oct 20 01:04:25 - ERROR - Error while looking for (&(objectClass=*)(cn=Jay
Ramamurthi)) in ou=staff users,dc=linkedin,dc=biz:
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object];
remaining name 'ou=staff users'
Oct 20 01:04:25 - ERROR - Error while looking for
(&(objectClass=*)(cn=Christopher Abrams)) in ou=staff users,dc=linkedin,dc=biz:
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object];
remaining name 'ou=staff users'
Oct 20 01:04:25 - ERROR - Error while synchronizing ID {cn=Jay Ramamurthi}:
org.lsc.exception.LscServiceException: javax.naming.NameNotFoundException:
[LDAP: error code 32 - No Such Object]; remaining name 'ou=staff users'
Oct 20 01:04:25 - ERROR - Error while synchronizing ID {cn=Christopher Abrams}:
org.lsc.exception.LscServiceException: javax.naming.NameNotFoundException:
[LDAP: error code 32 - No Such Object]; remaining name 'ou=staff users'
Oct 20 01:04:25 - ERROR - All entries: 3999, to modify entries: 0, successfully
modified entries: 0, errors: 3999
Output from syslog on the OpenLDAP server.
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3997 SRCH base="ou=staff
users,dc=linkedin,dc=biz" scope=2 deref=0 filter="(&(objectClass=*)(cn=justin
church))"
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3997 SRCH attr=description cn sn
givenName objectClass uid mail
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3997 SEARCH RESULT tag=101 err=32
nentries=0 text=
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3998 SRCH base="ou=staff
users,dc=linkedin,dc=biz" scope=2 deref=0 filter="(&(objectClass=*)(cn=jay
ramamurthi))"
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3998 SRCH attr=description cn sn
givenName objectClass uid mail
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3998 SEARCH RESULT tag=101 err=32
nentries=0 text=
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3999 SRCH base="ou=staff
users,dc=linkedin,dc=biz" scope=2 deref=0
filter="(&(objectClass=*)(cn=christopher abrams))"
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3999 SRCH attr=description cn sn
givenName objectClass uid mail
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3999 SEARCH RESULT tag=101 err=32
nentries=0 text=
I'm guessing I have something wrong in my propertiesBasedSyncOptions stanza.
These error messages indicate the issue is in the destination directory all
right (the filter is "(&(objectClass=*)(cn=<fullname>))", as set in the
ldapDestinationService section of your config).
The error logged by OpenLDAP, error 32 "No such entry" indicates that the
*base* of the search does not exist, that is the "ou=staff
users,dc=linkedin,dc=biz" entry. If it did exist, and no entries matched the
filter, the LDAP error code would be 0 (Success) but the number of results
would be 0. LSC will not (by design) create any entries other than the ones you
tell it to sync, that is it will not create the OU to hold users if you told it
to sync users. Creating it manually should make this sync work.
By the way, your filter could be optimized slightly
("(&(objectClass=*)(cn={cn}))"), since "(objectClass=*)" basically means
"everything" in LDAP, so this could be shortened to "(cn={cn})". On a similar
note (optimization), I would recommend against using full names for syncs, but
a unique ID instead (i.e. username, or employee number if you have one) to avoid
issues in the future with name changes (married name vs maiden name) or two
people with duplicate names. This is just optimization though, so it shouldn't
stop you from getting your LSC sync working.
Hope this helps,
Jonathan
PS: it's good to see I'm not the only one doing LSC and CFEngine!! :)
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
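Jonathan's point in the quoted reply (an LDAP error 32 on a search is about the search base, whereas a filter that matches nothing against an existing base returns err=0 with nentries=0) and the err=65 "no objectClass attribute" ADD failure in Mike's latest run can both be read straight off the slapd log, as long as each RESULT line is joined to the SRCH or ADD line with the same conn/op. The Python script below is an added example, not code from this thread or from the LSC project. The log lines embedded in it are constructed to mirror the ones quoted above (conn/op numbers and DNs are illustrative), and the reading of a `?`-prefixed filter component, such as the `(?objectClass=user)` in Mike's slapd output, as one that slapd could not evaluate against its loaded schema is my gloss, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the slapd output quoted in the thread;
# conn/op numbers, timestamps and DNs are illustrative, not copied verbatim.
SAMPLE_SLAPD_LOG = """\
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3998 SRCH base="ou=staff users,dc=linkedin,dc=biz" scope=2 deref=0 filter="(&(objectClass=*)(cn=jay ramamurthi))"
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3998 SRCH attr=description cn sn givenName objectClass uid mail
Oct 20 01:04:25 slapd[22055]: conn=1067 op=3998 SEARCH RESULT tag=101 err=32 nentries=0 text=
Oct 21 17:26:51 slapd[22055]: conn=3511 op=1 SRCH base="ou=staff users,dc=linkedin,dc=biz" scope=2 deref=0 filter="(&(?objectClass=user)(cn=kian chung))"
Oct 21 17:26:51 slapd[22055]: conn=3511 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 21 17:26:51 slapd[22055]: conn=3511 op=7 ADD dn="cn=Kian Chung,ou=Staff Users,dc=linkedin,dc=biz"
Oct 21 17:26:51 slapd[22055]: conn=3511 op=7 RESULT tag=105 err=65 text=no objectClass attribute
"""

OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" .*filter="(?P<filter>.*)"$')
ADD_RE = re.compile(r'^ADD dn="(?P<dn>[^"]*)"$')
RESULT_RE = re.compile(
    r'^(?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)'
    r'(?: nentries=(?P<n>\d+))? text=(?P<text>.*)$')


def parse_ops(log_text):
    """Group slapd log lines by (conn, op) so that a RESULT line can be read
    against the SRCH or ADD request that produced it."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        if (s := SRCH_RE.match(rest)):
            ops[key].update(kind='SRCH', base=s['base'], filter=s['filter'])
        elif (a := ADD_RE.match(rest)):
            ops[key].update(kind='ADD', dn=a['dn'])
        elif (r := RESULT_RE.match(rest)):
            ops[key].update(err=int(r['err']), text=r['text'],
                            nentries=int(r['n']) if r['n'] is not None else None)
    return dict(ops)


def diagnose(op):
    """Return a one-line diagnosis for one completed operation."""
    kind, err = op.get('kind'), op.get('err')
    if kind == 'SRCH':
        if err == 32:
            # err=32 (No Such Object) on a search is about the *base*, not the filter.
            return f"search base {op['base']!r} does not exist: create it before syncing"
        if '(?' in op['filter']:
            # slapd prefixes a component with '?' when it cannot evaluate it against
            # the loaded schema (e.g. an objectClass value the server does not know);
            # such a component never matches, so the search always comes back empty.
            return f"filter {op['filter']!r} has a component the server's schema cannot evaluate"
        if err == 0 and op.get('nentries') == 0:
            return f"base {op['base']!r} exists but nothing matched {op['filter']!r}"
        if err == 0:
            return f"{op['nentries']} entries matched {op['filter']!r}"
    if kind == 'ADD':
        if err == 65:
            # err=65 (Object Class Violation): the entry as sent breaks the schema.
            return f"ADD of {op['dn']!r} rejected by schema: {op['text']}"
        if err == 0:
            return f"ADD of {op['dn']!r} succeeded"
    return f"{kind or 'op'} finished with err={err} ({op.get('text', '')})"


def diagnose_log(log_text):
    """Map (conn, op) -> diagnosis for every operation in the log text."""
    return {key: diagnose(op) for key, op in sorted(parse_ops(log_text).items())}


if __name__ == '__main__':
    for (conn, op), verdict in diagnose_log(SAMPLE_SLAPD_LOG).items():
        print(f"conn={conn} op={op}: {verdict}")
```

Run it against a real slapd log (loglevel stats) to separate the three failure modes seen in this thread before touching the LSC configuration: a missing base is fixed with ldapadd, a filter the server cannot evaluate points at the destination getOneFilter and the loaded schema, and a 65 on ADD points at what LSC is (or is not) sending for objectClass.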
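Two of the problems in this thread are visible in the lsc.xml itself before anything is run: the LSC warning that, without a clean filter, the clean phase "may delete all destination entries", and Jonathan's advice that "(objectClass=*)" inside an AND is redundant and that a full name is a poor pivot. The Python linter below is an added example, not code from the thread or from the LSC project. It assumes LSC 2.x element names (in particular that the clean filter is a `<cleanFilter>` child of `<ldapSourceService>`), that `&` is written `&amp;` as XML requires, and, as an assumption about LSC behaviour to verify against the LSC documentation, that a dataset is only written to the destination if its attribute is listed in the destination service's `<fetchedAttributes>`. The embedded task fragment is constructed to mirror Mike's first configuration.

```python
import xml.etree.ElementTree as ET

# Constructed lsc.xml <tasks> fragment modelled on the first configuration in
# the thread (assumption: LSC 2.x element names; '&' escaped as '&amp;').
SAMPLE_LSC_TASKS = """\
<tasks>
  <task>
    <name>Sync_Active_Directory_Users</name>
    <bean>org.lsc.beans.SimpleBean</bean>
    <ldapSourceService>
      <name>ad-src-service</name>
      <connection reference="Active_Directory" />
      <baseDn>ou=staff users,dc=linkedin,dc=biz</baseDn>
      <pivotAttributes><string>cn</string></pivotAttributes>
      <fetchedAttributes><string>cn</string></fetchedAttributes>
      <getAllFilter>(objectClass=user)</getAllFilter>
      <getOneFilter>(&amp;(objectClass=user)(cn={cn}))</getOneFilter>
    </ldapSourceService>
    <ldapDestinationService>
      <name>openldap-dst-service</name>
      <connection reference="OpenLDAP" />
      <baseDn>ou=staff users,dc=linkedin,dc=biz</baseDn>
      <pivotAttributes><string>cn</string></pivotAttributes>
      <fetchedAttributes><string>cn</string></fetchedAttributes>
      <getAllFilter>(objectClass=*)</getAllFilter>
      <getOneFilter>(&amp;(objectClass=*)(cn={cn}))</getOneFilter>
    </ldapDestinationService>
    <propertiesBasedSyncOptions>
      <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Staff Users,dc=linkedin,dc=biz"</mainIdentifier>
      <defaultDelimiter>;</defaultDelimiter>
      <defaultPolicy>FORCE</defaultPolicy>
      <dataset>
        <name>objectclass</name>
        <policy>FORCE</policy>
        <forceValues><string>"cn"</string></forceValues>
      </dataset>
    </propertiesBasedSyncOptions>
  </task>
</tasks>
"""

# Full-name attributes that make poor pivots (renames, duplicate names).
NAME_PIVOTS = {'cn', 'name', 'displayname'}


def _strings(node, path):
    el = node.find(path)
    return [s.text.strip() for s in el.findall('string')] if el is not None else []


def _text(node, path):
    el = node.find(path)
    return (el.text or '').strip() if el is not None else None


def lint_task(task):
    """Return a list of (severity, message) findings for one <task>."""
    findings = []
    src = task.find('ldapSourceService')
    dst = task.find('ldapDestinationService')
    opts = task.find('propertiesBasedSyncOptions')

    # 1. No clean filter: LSC's own warning says the clean phase may then
    #    delete *all* destination entries. Treat as blocking.
    if src is not None and _text(src, 'cleanFilter') is None:
        findings.append(('ERROR', 'no <cleanFilter> on the source service; '
                         'do not run the clean phase until one is set'))

    for svc in (src, dst):
        if svc is None:
            continue
        # 2. (objectClass=*) inside an AND adds nothing: it matches every entry.
        for tag in ('getAllFilter', 'getOneFilter', 'cleanFilter'):
            f = _text(svc, tag)
            if f and f.startswith('(&') and '(objectClass=*)' in f:
                findings.append(('INFO', f'{svc.tag}/{tag}: "(objectClass=*)" adds '
                                 f'nothing inside an AND; simplify {f!r}'))
        # 3. Pivoting on a full name instead of a unique identifier.
        for p in _strings(svc, 'pivotAttributes'):
            if p.lower() in NAME_PIVOTS:
                findings.append(('WARN', f'{svc.tag} pivots on {p!r}; prefer a unique '
                                 'id (uid, employee number) to survive renames/duplicates'))

    # 4. Datasets whose attribute is not a destination fetchedAttribute are not
    #    written (assumption about LSC behaviour: verify against the LSC docs).
    if dst is not None and opts is not None:
        fetched = {a.lower() for a in _strings(dst, 'fetchedAttributes')}
        for ds in opts.findall('dataset'):
            n = _text(ds, 'name')
            if n and n.lower() not in fetched:
                findings.append(('ERROR', f'dataset {n!r} is not in destination '
                                 'fetchedAttributes, so it will not be written'))
    return findings


def lint(xml_text):
    """Map task name -> findings for every <task> in the given <tasks> XML."""
    root = ET.fromstring(xml_text)
    return {_text(t, 'name'): lint_task(t) for t in root.iter('task')}


if __name__ == '__main__':
    for task, findings in lint(SAMPLE_LSC_TASKS).items():
        for sev, msg in findings:
            print(f'{task}: {sev}: {msg}')
```

Point it at the `<tasks>` element of a real lsc.xml (parse the whole file and pass `root.find('tasks')` through `ET.tostring`, or just the fragment as here) and clear every ERROR before the first `lsc -s`; a sync that cannot delete what it did not create is the property worth guarding first.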