2013/6/9 Ashtar Communications <[email protected]>:
> Hi,
>
> First of all, thanks for writing this tool - it's really bailing me out of a
> tough spot.
>
> I am having difficulty getting passwords to sync from OpenLDAP to Active
> Directory Lightweight Directory Services. I have followed the tutorial and
> the advice in the documentation, and I've tried to read every previous
> thread I could find on this list about it, but I'm still struggling to get
> it to work. I apologize for asking what I'm sure is a common question, but
> this is very much not my area of expertise.
>
> Specifically, my issue is that users are created during sync, but the
> password attribute doesn't appear to be set. After I run lsc, I can see
> newly created users in AD LDS - but when I use my application on the AD LDS
> machine to log in with one of those new users, it fails to authenticate with
> the password I provided in the lsc.xml file. Instead, it allows me to log in
> using the new username and a blank password.
>
> I'm not getting any error messages in the console when lsc runs. Even
> turning up all the logback settings to DEBUG, I can see each attribute being
> set, but zero references in the console to unicodePwd at all - it's as if
> it's just being ignored entirely.
>
> My connection password to AD LDS is correct and has administrative rights. I
> can connect over SSL and reset the user password successfully using another
> online LDAP tool, using the same admin credentials.
>
> The password I'm trying to set complies with the AD LDS password policy - I
> can manually set the same password on the AD side.
>
> I'm using lsc 2.0.2 on ubuntu.
>
> Edited excerpt from my lsc.xml file (can provide the whole thing if it would
> help):
> <propertiesBasedSyncOptions>
>   <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("cn") +
> ",cn=Test,dc=test,dc=local"</mainIdentifier>
>   <defaultDelimiter>;</defaultDelimiter>
>   <defaultPolicy>FORCE</defaultPolicy>
>   <dataset>
>     <name>userAccountControl</name>
>     <policy>KEEP</policy>
>     <createValues>
>       <string>AD.userAccountControlSet( "0",
> [AD.UAC_SET_NORMAL_ACCOUNT])</string>
>     </createValues>
>   </dataset>
>   <dataset>
>     <name>unicodePwd</name>
>     <policy>FORCE</policy>
>     <createValues>
>       <string>AD.getUnicodePwd("change1t!")</string>
>     </createValues>
>   </dataset>
> </propertiesBasedSyncOptions>
>
> Ultimately, I will need to use the userPassword attribute from OpenLDAP to
> sync to AD for each user - but I can't even get this to work just specifying
> a FORCE for the same password for all users.

You can't use userPassword from OpenLDAP as it is hashed (SSHA or
other). You can just use a cleartext password to update the password in AD.
See
http://lsc-project.org/wiki/documentation/2.0/howtos/activedirectory#password_synchronization

>
> Any idea what I'm doing wrong?
>
> One other question - I am also noticing that the msDS-UserAccountDisabled
> attribute for all the synced accounts is set to TRUE - my first few attempts
> at configuring the xml file to change that all failed. Does anyone know a
> quick way to enable all the new accounts? I assume it has something to do
> with the userAccountControl section, but the example in the tutorial didn't
> seem to do it.
>

If the account is created without a password, it is automatically
disabled. I don't think you can update the msDS* attributes from LDAP.


Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
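Added example (not part of the thread, and not LSC's own code) illustrating the two points in Clément's reply: an OpenLDAP userPassword value that carries a `{SSHA}`-style prefix is a one-way hash that can only be verified, never turned back into the cleartext AD needs, while a cleartext value can be encoded into the form AD LDS expects in unicodePwd (the password in double quotes, as UTF-16LE). The `classify_user_password`, `make_ssha`, `verify_ssha` and `to_unicode_pwd` helpers are hypothetical names written for this example; the sample password and salt are constructed, and the assumption that `AD.getUnicodePwd` in the config above produces the same quoted UTF-16LE bytes is mine, not something the thread states.

```python
import base64
import hashlib
import os
import re
from typing import Optional

# RFC 2307 style prefixes OpenLDAP commonly stores in userPassword. Any value
# carrying one of these is a one-way hash and cannot be synced as a password.
HASHED_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT", "SSHA256", "SSHA512"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)


def classify_user_password(value: bytes) -> str:
    """Return 'cleartext' or the upper-cased scheme name of a userPassword value."""
    m = SCHEME_RE.match(value.decode("utf-8", errors="replace"))
    if m is None:
        return "cleartext"
    return m.group(1).upper()


def can_sync_to_ad(value: bytes) -> bool:
    """Only a cleartext source value can become an AD unicodePwd."""
    return classify_user_password(value) == "cleartext"


def make_ssha(password: str, salt: Optional[bytes] = None) -> bytes:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).
    Used here only to construct a realistic hashed sample value."""
    if salt is None:
        salt = os.urandom(4)  # constructed salt for the example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_ssha(value: bytes, candidate: str) -> bool:
    """Check a candidate against an {SSHA} value. Comparison is all a hash permits;
    the original cleartext is not recoverable, which is why it cannot be synced."""
    m = SCHEME_RE.match(value.decode("ascii"))
    if m is None or m.group(1).upper() != "SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(m.group(2))
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def to_unicode_pwd(password: str) -> bytes:
    """Encode a cleartext password as AD / AD LDS expect it in unicodePwd:
    the password wrapped in double quotes, encoded as UTF-16LE with no BOM.
    Assumed (not confirmed by the thread) to match what AD.getUnicodePwd returns."""
    return f'"{password}"'.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample values: the thread's test password, once in cleartext
    # and once as OpenLDAP would store it after hashing.
    cleartext = b"change1t!"
    hashed = make_ssha("change1t!", salt=b"\x01\x02\x03\x04")
    for value in (cleartext, hashed):
        scheme = classify_user_password(value)
        print(f"{value!r}: scheme={scheme}, syncable={can_sync_to_ad(value)}")
    print("hash verifies against cleartext:", verify_ssha(hashed, "change1t!"))
    print("unicodePwd bytes:", to_unicode_pwd("change1t!"))
```

Two practical checks follow from this. If `classify_user_password` reports anything other than `cleartext` for the source attribute, LSC has nothing it can forward, so the password has to come from somewhere that still holds the cleartext (the howto linked above covers the supported approaches). And AD only accepts a unicodePwd modification over an encrypted connection, so a silent no-op on that attribute is a reason to confirm the destination connection is really LDAPS before looking elsewhere.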
