Thanks to you both for your quick response.

Sébastien - You were correct, I forgot to add unicodePwd as a string in the
fetchedAttributes section of the destination service. It appears to be
working now.

That also remedied the msDS-AccountDisabled issue - the accounts are now
enabled on creation when they're given a valid unicodePwd.

Clément - If I understand you correctly, as long as the userPassword is
stored in clear text in OpenLDAP (and I have that attribute in the
fetchedAttributes section of the source service), I would use something
like:

<dataset>
  <name>unicodePwd</name>
  <policy>FORCE</policy>
  <createValues>
    <string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))</string>
  </createValues>
</dataset>

The above throws an exception for me - I'm assuming it's a syntax error?

thanks,

aaron




On Sun, Jun 9, 2013 at 2:33 AM, Clément OUDOT <[email protected]> wrote:

> 2013/6/9 Ashtar Communications <[email protected]>:
> > Hi,
> >
> > First of all, thanks for writing this tool - it's really bailing me out of a tough spot.
> >
> > I am having difficulty getting passwords to sync from OpenLDAP to Active Directory Lightweight Directory Services. I have followed the tutorial and the advice in the documentation, and I've tried to read every previous thread I could find on this list about it, but I'm still struggling to get it to work. I apologize for asking what I'm sure is a common question, but this is very much not my area of expertise.
> >
> > Specifically, my issue is that users are created during sync, but the password attribute doesn't appear to be set. After I run lsc, I can see newly created users in AD LDS - but when I use my application on the AD LDS machine to log in with one of those new users, it fails to authenticate with the password I provided in the lsc.xml file. Instead, it allows me to log in using the new username and a blank password.
> >
> > I'm not getting any error messages in the console when lsc runs. Even turning up all the logback settings to DEBUG, I can see each attribute being set, but zero references in the console to unicodePwd at all - it's as if it's just being ignored entirely.
> >
> > My connection password to AD LDS is correct and has administrative rights. I can connect over SSL and reset the user password successfully using another online LDAP tool, using the same admin credentials.
> >
> > The password I'm trying to set complies with the AD LDS password policy - I can manually set the same password on the AD side.
> >
> > I'm using lsc 2.0.2 on Ubuntu.
> >
> > Edited excerpt from my lsc.xml file (can provide the whole thing if it would help):
> > <propertiesBasedSyncOptions>
> >   <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("cn") + ",cn=Test,dc=test,dc=local"</mainIdentifier>
> >     <defaultDelimiter>;</defaultDelimiter>
> >     <defaultPolicy>FORCE</defaultPolicy>
> >     <dataset>
> >      <name>userAccountControl</name>
> >      <policy>KEEP</policy>
> >      <createValues>
> >       <string>AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])</string>
> >      </createValues>
> >     </dataset>
> >     <dataset>
> >      <name>unicodePwd</name>
> >      <policy>FORCE</policy>
> >      <createValues>
> >       <string>AD.getUnicodePwd("change1t!")</string>
> >      </createValues>
> >     </dataset>
> > </propertiesBasedSyncOptions>
> >
> > Ultimately, I will need to use the userPassword attribute from OpenLDAP to sync to AD for each user - but I can't even get this to work just specifying a FORCE for the same password for all users.
>
> You can't use userPassword from OpenLDAP as it is hashed (SSHA or else). You can just use a cleartext password to update the password into AD.
> See
> http://lsc-project.org/wiki/documentation/2.0/howtos/activedirectory#password_synchronization
>
> >
> > Any idea what I'm doing wrong?
> >
> > One other question - I am also noticing that the msDS-UserAccountDisabled attribute for all the synced accounts is set to TRUE - my first few attempts at configuring the xml file to change that all failed. Does anyone know a quick way to enable all the new accounts? I assume it has something to do with the userAccountControl section, but the example in the tutorial didn't seem to do it.
> >
>
> If the account is created without a password, it is automatically disabled. I don't think you can update msDS* attribute from LDAP.
>
>
> Clément.
>
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
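As an added illustration of the two points made in this thread (not code from the thread, from LSC or from the poster): what the AD unicodePwd value looks like, which is the encoding LSC's AD.getUnicodePwd helper produces, and why a hashed OpenLDAP userPassword such as {SSHA} can only be verified, never converted. The sample password and salt are constructed for the example.

```python
import base64
import hashlib
import re
from typing import Optional

# OpenLDAP stores userPassword either as cleartext or as an RFC 2307 style
# "{SCHEME}base64" value ({SSHA}, {SHA}, {CRYPT}, {PBKDF2-SHA256}, ...).
SCHEME_PREFIX = re.compile(rb"^\{[A-Za-z0-9-]+\}")


def is_hashed(user_password: bytes) -> bool:
    """True when the stored value carries a hash-scheme prefix."""
    return SCHEME_PREFIX.match(user_password) is not None


def unicode_pwd(cleartext: str) -> bytes:
    """Encode a password the way AD / AD LDS expects it in unicodePwd: the
    cleartext wrapped in double quotes, UTF-16LE without a BOM. AD only
    accepts this attribute over an encrypted (SSL/TLS) connection."""
    return f'"{cleartext}"'.encode("utf-16-le")


def to_unicode_pwd(user_password: bytes) -> Optional[bytes]:
    """Convert an OpenLDAP userPassword value to a unicodePwd value, or return
    None when the source holds a one-way hash and no conversion is possible."""
    if is_hashed(user_password):
        return None
    return unicode_pwd(user_password.decode("utf-8"))


def ssha_hash(cleartext: str, salt: bytes) -> bytes:
    """Build an {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def ssha_verify(user_password: bytes, candidate: str) -> bool:
    """Check a candidate against an {SSHA} value. Verification is the only
    operation a hash supports; the cleartext cannot be recovered from it."""
    if user_password[:6].upper() != b"{SSHA}":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(user_password[6:])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    hashed_entry = ssha_hash("change1t!", b"saltsalt")
    print(to_unicode_pwd(b"change1t!"))   # quoted UTF-16LE bytes, usable
    print(to_unicode_pwd(hashed_entry))   # None: nothing to push to AD
    print(ssha_verify(hashed_entry, "change1t!"), ssha_verify(hashed_entry, "wrong"))
```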
