Hi Clement,

Thanks for your help below, I learned quite a bit.  Once I've got everything 
working I'll write a Newbie Howto that explains how to set this up for Newbies.  
Right now I've moved on to trying to get the Distribution Lists to work, but 
realize they reference the DN in the Member field.  So the change we do to the 
DN in <mainIdentifier> means the OpenLDAP DN and the DN listed in the Member 
attribute for Distribution lists in AD don't match.

Now I've learned I can't use the DN as a filter, so I continue to use the 
sAMAccountName as a filter and pivotattribute as you'll see below.

I pull the distinguishedName attribute in AD and try to use that as my  
<mainIdentifier> but still get the error below:

Nov 16 09:21:12 - ERROR - Error while adding entry CN=Chris 
Visser,OU=GSSIT,OU=Users,OU=JHB,OU=Infrastructure,OU=Divisions,DC=RTT,DC=co,DC=za
 in directory :javax.naming.NameNotFoundException: [LDAP: error code 32 - No 
Such Object]; remaining name 'CN=Chris 
Visser,OU=GSSIT,OU=Users,OU=JHB,OU=Infrastructure,OU=Divisions,DC=RTT,DC=co,DC=za'
Nov 16 09:21:12 - ERROR - Error while synchronizing ID CN=Chris 
Visser,OU=GSSIT,OU=Users,OU=JHB,OU=Infrastructure,OU=Divisions,DC=RTT,DC=co,DC=za:
 java.lang.Exception: Technical problem while applying modifications to the 
destination
dn: CN=Chris 
Visser,OU=GSSIT,OU=Users,OU=JHB,OU=Infrastructure,OU=Divisions,DC=RTT,DC=co,DC=za
changetype: add
uid: Chris.Visser
mail: [email protected]
sn: Visser
cn: Chris Visser
objectClass: inetorgperson

If I copy and paste the entry described above (from dn: to objectclass:) into 
an ldif file and use the ldapadd command the entry gets added to the OpenLDAP 
server with no editing.

What am I still missing or doing wrong?

Below is my task definition:
    <task>
      <name>ad-src-task</name>
      <bean>org.lsc.beans.SimpleBean</bean>
       <ldapSourceService>
        <name>ad-src-service</name>
        <connection reference="AD" />
        <baseDn>dc=rtt,dc=co,dc=za</baseDn>
        <pivotAttributes>
          <string>sAMAccountName</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>sn</string>
          <string>sAMAccountName</string>
          <string>mail</string>
          <string>distinguishedName</string>
          <string>userAccountControl</string>
          <string>msExchMailboxGuid</string>
        </fetchedAttributes>
        <getAllFilter>(objectClass=person)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=person)(sAMAccountName={sAMAccountName}))</getOneFilter>
        <getCleanFilter>(&amp;(objectClass=person)(sAMAccountName={uid}))</getCleanFilter>
     </ldapSourceService>
     <ldapDestinationService>
        <name>ldap-dst-service</name>
        <connection reference="OpenLDAP" />
        <baseDn>dc=rtt,dc=co,dc=za</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>objectClass</string>
          <string>dn</string>
          <string>cn</string>
          <string>sn</string>
          <string>uid</string>
          <string>mail</string>
          <string>destinationIndicator</string>
        </fetchedAttributes>
        <getAllFilter>(objectClass=inetorgperson)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=inetorgperson)(uid={sAMAccountName}))</getOneFilter>
     </ldapDestinationService>
   <propertiesBasedSyncOptions>
    <mainIdentifier>srcBean.getDatasetFirstValueById("distinguishedName")</mainIdentifier>
    <defaultDelimiter>;</defaultDelimiter>
    <defaultPolicy>FORCE</defaultPolicy>
    <dataset>
     <name>objectClass</name>
     <policy>FORCE</policy>
     <forceValues>
      <string>"top";"user";"person";"inetorgperson"</string>
     </forceValues>
    </dataset>
    <dataset>
     <name>uid</name>
     <policy>FORCE</policy>
     <createValues>
      <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
     </createValues>
    </dataset>
    <dataset>
     <name>cn</name>
     <policy>FORCE</policy>
     <createValues>
      <string>srcBean.getDatasetFirstValueById("cn")</string>
     </createValues>
    </dataset>
    <dataset>
     <name>sn</name>
     <policy>FORCE</policy>
     <createValues>
      <string>srcBean.getDatasetFirstValueById("sn")</string>
     </createValues>
    </dataset>
    <dataset>
     <name>mail</name>
     <policy>FORCE</policy>
     <createValues>
      <string>srcBean.getDatasetFirstValueById("mail")</string>
     </createValues>
    </dataset>
    <dataset>
     <name>destinationIndicator</name>
     <policy>FORCE</policy>
     <createValues>
      <string>srcBean.getDatasetFirstValueById("msExchMailboxGuid")</string>
     </createValues>
    </dataset>
   </propertiesBasedSyncOptions>
</task>


Chris Visser


From: Clément OUDOT [mailto:[email protected]] 
Sent: Friday, September 28, 2012 1:44 PM
To: Chris Visser
Cc: lsc-userslsc-users ([email protected])
Subject: Re: [lsc-users] AD to OpenLDAP sync


2012/9/28 Chris Visser <[email protected]>
Hi,
 
After the help and the statement that I need to check my sync options, I went 
back to the documentation, but I'm unable to figure out what to do.
I'm trying to sync the sAMAccount to uid, and mail entries for Active Directory 
users to my local OpenLDAP server.
 
Please look at what's wrong with my tasks since I can't see or understand 
what I'm missing; the documentation is just too unclear.


Documentation for the source LDAP service is 
http://lsc-project.org/wiki/documentation/2.0/configuration/service/sourceldap

Documentation for the destination LDAP service is 
http://lsc-project.org/wiki/documentation/2.0/configuration/service/destinationldap

You can see in these two pages how to configure filters to match your entries.
 
The error I get is: 
ERROR - Unable to get object for 
id=CN=Username,OU=GSSIT,OU=Users,OU=JHB,OU=Infrastructure,OU=Divisions,DC=RTT,DC=co,DC=za
For every user it finds in the AD, where CN=Username is equal to the CN for 
that user.

LSC could not find your user in your source LDAP. Your getOneFilter is wrong. 
See further.

 
 
<task>
      <name>ad-src-task</name>
      <bean>org.lsc.beans.SimpleBean</bean>
       <ldapSourceService>
        <name>ad-src-service</name>
        <connection reference="AD" />
        <baseDn>ou=Divisions,dc=rtt,dc=co,dc=za</baseDn>
        <pivotAttributes>
          <string>samAccountName</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>sAMAccountName</string>
          <string>mail</string>
        </fetchedAttributes>
        <getAllFilter>(objectClass=person)</getAllFilter>

-> OK
 
        
<getOneFilter>(&amp;(objectClass=person)(uid={sAMAccountName}))</getOneFilter>

-> KO ! (uid=..) will not work on AD. Use this instead: 

  <getOneFilter>(&amp;(objectClass=person)(sAMAccountName={sAMAccountName}))</getOneFilter>


 
        
<getCleanFilter>(&amp;(objectClass=person)(uid={sAMAccountName}))</getCleanFilter>

-> KO. Bad filter and bad pivot.

 <getCleanFilter>(&amp;(objectClass=person)(sAMAccountName={uid}))</getCleanFilter>


        <interval>15</interval>

-> Delete it, it should not be used with a simple LDAP source service.
 
     </ldapSourceService>
     <ldapDestinationService>
        <name>ldap-dst-service</name>
        <connection reference="OpenLDAP" />
        <baseDn>ou=Divisions,dc=rtt,dc=co,dc=za</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>objectClass</string>
          <string>uid</string>
          <string>mail</string>
        </fetchedAttributes>
        <getAllFilter>(objectClass=inetorgperson)</getAllFilter>
        <getOneFilter>((objectClass=inetorgperson))</getOneFilter>

How do you filter entries with such a filter? Use:

        <getOneFilter>(&amp;(objectClass=inetorgperson)(uid={sAMAccountName}))</getOneFilter>

 
        <getCleanFilter>((objectClass=inetorgperson))</getCleanFilter>

-> KO, this does not exist for a destination LDAP service.
 
     </ldapDestinationService>
   <propertiesBasedSyncOptions>
    <mainIdentifier>srcBean.getMainIdentifier("sAMAccountName")</mainIdentifier>

-> KO, you should build the full DN here:

<mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("sAMAccountName") + ",ou=Divisions,dc=rtt,dc=co,dc=za"</mainIdentifier>

 
    <defaultDelimiter>;</defaultDelimiter>
    <defaultPolicy>FORCE</defaultPolicy>
    <dataset>
     <name>objectClass</name>
     <policy>FORCE</policy>
     <forceValues>
      <string>"top";"user";"person";"organizationalPerson"</string>
     </forceValues>
    </dataset>
<dataset>
     <name>uid</name>
     <policy>FORCE</policy>
     <createValues>
      <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
     </createValues>
    </dataset>


This is a little short. You need at least to create the cn and sn attributes, which are 
mandatory in an inetorgperson entry.
 
   </propertiesBasedSyncOptions>
 
    </task>


Clément.
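Added example, written for this thread and not taken from LSC or from either poster's configuration. It shows the destination DN that the mainIdentifier expression should produce, why the AD distinguishedName fails with LDAP error 32 on the OpenLDAP side (the AD OU chain has no parent entry there), and how distribution-list member values, which hold AD DNs, can be rewritten to OpenLDAP DNs. It assumes all synced users land in one container, ou=Divisions,dc=rtt,dc=co,dc=za; the sample AD index and existing-entry list are constructed.

```javascript
// Added example, not LSC's own code or the posters' configuration. It shows
// the DN <mainIdentifier> must return, why AD's distinguishedName fails with
// LDAP error 32 on the OpenLDAP side, and how distribution-list member DNs
// can be rewritten. Assumption: synced users all live in DST_CONTAINER.
const DST_CONTAINER = "ou=Divisions,dc=rtt,dc=co,dc=za";

// Escape an RDN value (RFC 4514) so an odd sAMAccountName cannot inject RDNs.
function escapeRdnValue(value) {
  let out = value.replace(/([\\,+"<>;=])/g, "\\$1");
  if (/^[ #]/.test(out)) out = "\\" + out;
  if (out.endsWith(" ")) out = out.slice(0, -1) + "\\ ";
  return out;
}

// What <mainIdentifier> should evaluate to: uid=<sAMAccountName>,<container>.
function destinationDn(sAMAccountName) {
  return "uid=" + escapeRdnValue(sAMAccountName) + "," + DST_CONTAINER;
}

// Split on unescaped commas; DNs compare case-insensitively, so normalise.
function splitDn(dn) { return dn.split(/(?<!\\),/).map((r) => r.trim()); }
function normDn(dn) { return splitDn(dn).join(",").toLowerCase(); }
function parentDn(dn) { return splitDn(dn).slice(1).join(","); }

// LDAP error 32 (noSuchObject) on an add means the parent entry is missing:
// the AD OU chain does not exist in OpenLDAP, but DST_CONTAINER does.
function addWouldFailNoSuchObject(dn, existingDns) {
  const have = new Set(existingDns.map(normDn));
  return !have.has(normDn(parentDn(dn)));
}

// Distribution lists store AD DNs in member; OpenLDAP needs destination DNs.
// adIndex maps AD distinguishedName -> sAMAccountName (as LSC fetches them).
function rewriteMembers(adMemberDns, adIndex) {
  const byDn = new Map(Object.entries(adIndex).map(([k, v]) => [normDn(k), v]));
  const members = [], unresolved = [];
  for (const dn of adMemberDns) {
    const sam = byDn.get(normDn(dn));
    if (sam === undefined) unresolved.push(dn); else members.push(destinationDn(sam));
  }
  return { members, unresolved }; // unresolved kept visible, never dropped silently
}

// Constructed sample data shaped like the thread's entries.
const AD_DN = "CN=Chris Visser,OU=GSSIT,OU=Users,OU=JHB,OU=Infrastructure," +
  "OU=Divisions,DC=RTT,DC=co,DC=za";
const AD_INDEX = { [AD_DN]: "Chris.Visser" };
const OPENLDAP_EXISTING = ["dc=rtt,dc=co,dc=za", DST_CONTAINER];
```

Running addWouldFailNoSuchObject on AD_DN reproduces the error 32 case from the thread, while the uid-based DN passes because its parent container exists.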