Hi Sebastien,

I resumed work on that issue after some time. I switched from ldaps to ldap and captured traffic with tcpdump. It seems that all changes are recognized on the lsc sync server, but I found out that if I wait about 3 minutes between disabling 2 users, everything works fine. If I disable users immediately after each other, they weren't disabled in the target AD. Is it possible that lsc scans the whole directory on each change, and that changes made immediately after each other aren't recognized?
Kind regards,
Christian

On Apr 22, 2013, at 11:35 , Sébastien Bahloul <[email protected]> wrote:

> Hi Christian,
>
> There's nothing valuable in this log. I'll give you some hints to solve this issue:
> - confirm that you launch LSC with the " -a users " option
> - switch the LDAPS urls to LDAP and launch a network capture through Wireshark to look at the LDAP messages sent by LSC to the OpenLDAP server
> - check OpenLDAP's replication parameters (http://www.openldap.org/doc/admin24/replication.html): LSC async for OpenLDAP is based on the replication service and will check the synchronization status. You should check that the corresponding overlay and configuration are active.
>
> By the way, if it is not annoying regarding the provided information, please copy the lsc-users mailing list so that any valuable solution will be accessible to everyone.
>
> Kind regards,
>
> Sebastien BAHLOUL
> IAM / Security specialist
> Ldap Synchronization Connector : http://lsc-project.org
> Blog : http://sbahloul.wordpress.com/
>
>
> 2013/4/22 Christian Bösch <[email protected]>
> Hi Sebastien,
>
> I deleted 3 users from openldap.
> The first two were disabled in AD. For the third one, nothing appeared in the logfile.
>
> Regards,
> Christian
>
>
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": List of attributes considered for writing in destination: [extensionAttribute1, mail, sn, department, userAccountControl, company, telephoneNumber, physicalDeliveryOfficeName, givenName, displayName]
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "extensionAttribute1" is in FORCE status
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "extensionAttribute1" will not be written to the destination
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "mail" is in FORCE status
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "mail" will not be written to the destination
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "sn" is in FORCE status
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "sn" will not be written to the destination
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "department" is in FORCE status
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "department" will not be written to the destination
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "userAccountControl" is in FORCE status
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Replacing attribute "userAccountControl": source values are [], old values were [66048], new values are [66050]
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "company" is in FORCE status
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "company" will not be written to the destination
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "telephoneNumber" is in FORCE status
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "telephoneNumber" will not be written to the destination
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "physicalDeliveryOfficeName" is in FORCE status
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "physicalDeliveryOfficeName" will not be written to the destination
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "givenName" is in KEEP status
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "givenName" will not be written to the destination
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "displayName" is in FORCE status
> Apr 22 10:44:23 - DEBUG - In object "CN=abl8697,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "displayName" will not be written to the destination
>
>
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": List of attributes considered for writing in destination: [extensionAttribute1, mail, sn, department, userAccountControl, company, telephoneNumber, physicalDeliveryOfficeName, givenName, displayName]
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "extensionAttribute1" is in FORCE status
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "extensionAttribute1" will not be written to the destination
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "mail" is in FORCE status
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "mail" will not be written to the destination
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "sn" is in FORCE status
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "sn" will not be written to the destination
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "department" is in FORCE status
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "department" will not be written to the destination
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "userAccountControl" is in FORCE status
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Replacing attribute "userAccountControl": source values are [], old values were [66048], new values are [66050]
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "company" is in FORCE status
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "company" will not be written to the destination
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "telephoneNumber" is in FORCE status
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "telephoneNumber" will not be written to the destination
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "physicalDeliveryOfficeName" is in FORCE status
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "physicalDeliveryOfficeName" will not be written to the destination
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "givenName" is in KEEP status
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "givenName" will not be written to the destination
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "displayName" is in FORCE status
> Apr 22 10:45:03 - DEBUG - In object "CN=abu3450,OU=FHusers,DC=ad,DC=abc,DC=net": Attribute "displayName" will not be written to the destination
>
> On Apr 22, 2013, at 9:23 , Sébastien Bahloul <[email protected]> wrote:
>
>> Hi Christian,
>>
>> It seems right. Can you setup your LSC in debug mode and send the log ?
>>
>> Kind regards,
>>
>> On 22 Apr 2013 08:53, "Christian Bösch" <[email protected]> wrote:
>> Hi Sebastien,
>>
>> I post the config below.
>>
>> Kind regards,
>> Christian
>>
>> <?xml version="1.0" ?>
>> <lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" revision="0">
>>   <connections>
>>     <ldapConnection>
>>       <name>openldap</name>
>>       <url>ldaps://ldap1.abc.net:636/dc=abc,dc=net</url>
>>       <username>uid=provisioning,dc=abc,dc=net</username>
>>       <password>pass</password>
>>       <authentication>SIMPLE</authentication>
>>       <referral>IGNORE</referral>
>>       <derefAliases>NEVER</derefAliases>
>>       <version>VERSION_3</version>
>>       <pageSize>-1</pageSize>
>>       <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>       <tlsActivated>true</tlsActivated>
>>     </ldapConnection>
>>     <ldapConnection>
>>       <name>active-directory</name>
>>       <url>ldaps://dc1.ad.abc.net:636/DC=ad,DC=abc,DC=net</url>
>>       <username>CN=ldap,OU=SpecialUsers,DC=ad,DC=abc,DC=net</username>
>>       <password>passowrd</password>
>>       <authentication>SIMPLE</authentication>
>>       <referral>IGNORE</referral>
>>       <derefAliases>NEVER</derefAliases>
>>       <version>VERSION_3</version>
>>       <pageSize>-1</pageSize>
>>       <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>       <tlsActivated>true</tlsActivated>
>>     </ldapConnection>
>>   </connections>
>>
>>   <tasks>
>>     <task>
>>       <name>users</name>
>>       <bean>org.lsc.beans.SimpleBean</bean>
>>       <asyncLdapSourceService>
>>         <name>src-openldap-users</name>
>>         <connection reference="openldap" />
>>         <baseDn>ou=People,dc=abc,dc=net</baseDn>
>>         <pivotAttributes>
>>           <string>uid</string>
>>         </pivotAttributes>
>>         <fetchedAttributes>
>>           <string>uid</string>
>>           <string>sn</string>
>>           <string>givenName</string>
>>           <string>displayName</string>
>>           <string>eduPersonPrimaryAffiliation</string>
>>           <string>fhvPersonNotes</string>
>>         </fetchedAttributes>
>>
>>         <getAllFilter>(&(uid=*)(objectClass=inetOrgPerson))</getAllFilter>
>>         <getOneFilter>(uid={uid})</getOneFilter>
>>
>>         <cleanFilter>(&(objectClass=inetorgperson)(uid={samAccountName}))</cleanFilter>
>>         <serverType>OpenLDAP</serverType>
>>       </asyncLdapSourceService>
>>       <ldapDestinationService>
>>         <name>dst-ad-users</name>
>>         <connection reference="active-directory" />
>>         <baseDn>OU=FHusers,DC=ad,DC=abc,DC=net</baseDn>
>>         <pivotAttributes>
>>           <string>sAMAccountName</string>
>>         </pivotAttributes>
>>         <fetchedAttributes>
>>           <string>sn</string>
>>           <string>givenName</string>
>>           <string>displayName</string>
>>           <string>userAccountControl</string>
>>         </fetchedAttributes>
>>
>>         <getAllFilter>(&(sAMAccountName=*)(objectClass=user))</getAllFilter>
>>         <getOneFilter>(sAMAccountName={uid})</getOneFilter>
>>       </ldapDestinationService>
>>       <propertiesBasedSyncOptions>
>>         <mainIdentifier><![CDATA[
>>           var mainident = "";
>>           var affiliation = srcBean.getDatasetFirstValueById("eduPersonPrimaryAffiliation");
>>           if (affiliation == "employee") {
>>             mainident = "CN=" + srcBean.getDatasetFirstValueById("sn") + " " + srcBean.getDatasetFirstValueById("givenName") + ",OU=FHusers,DC=ad,DC=abc,DC=net";
>>           } else {
>>             mainident = "CN=" + srcBean.getDatasetFirstValueById("uid") + ",OU=FHusers,DC=ad,DC=abc,DC=net";
>>           }
>>           mainident
>>         ]]></mainIdentifier>
>>         <defaultDelimiter>;</defaultDelimiter>
>>         <defaultPolicy>KEEP</defaultPolicy>
>>         <conditions>
>>           <create>false</create>
>>           <update>true</update>
>>           <delete>false</delete>
>>           <changeId>true</changeId>
>>         </conditions>
>>         <dataset>
>>           <name>sn</name>
>>           <policy>FORCE</policy>
>>           <forceValues>
>>             <string>srcBean.getDatasetFirstValueById("sn").toUpperCase()</string>
>>           </forceValues>
>>         </dataset>
>>         <dataset>
>>           <name>displayName</name>
>>           <policy>FORCE</policy>
>>           <forceValues>
>>             <string>srcBean.getDatasetFirstValueById("sn").toUpperCase() + " " + srcBean.getDatasetFirstValueById("givenName")</string>
>>           </forceValues>
>>         </dataset>
>>         <dataset>
>>           <name>userAccountControl</name>
>>           <policy>FORCE</policy>
>>           <forceValues>
>>             <string>
>>               var uac = dstBean.getDatasetFirstValueById('userAccountControl');
>>               if (srcBean.getDatasetFirstValueById('fhvPersonNotes') == "disable") {
>>                 uac = AD.userAccountControlSet(dstBean.getDatasetFirstValueById('userAccountControl'), [AD.UAC_SET_ACCOUNTDISABLE]);
>>               } else {
>>                 uac = AD.userAccountControlSet(dstBean.getDatasetFirstValueById('userAccountControl'), [AD.UAC_UNSET_ACCOUNTDISABLE]);
>>               }
>>               uac;
>>             </string>
>>           </forceValues>
>>         </dataset>
>>       </propertiesBasedSyncOptions>
>>     </task>
>>   </tasks>
>> </lsc>
>>
>> On Apr 19, 2013, at 15:36 , Sébastien Bahloul <[email protected]> wrote:
>>
>>> Hi Christian,
>>>
>>> Can you give a little bit more information ? The way you are launching LSC, the filter you use to look for updated OpenLDAP entries, ...
>>>
>>> Kind regards,
>>>
>>> Sebastien BAHLOUL
>>> IAM / Security specialist
>>> Ldap Synchronization Connector : http://lsc-project.org
>>> Blog : http://sbahloul.wordpress.com/
>>>
>>>
>>> 2013/4/19 Christian Bösch <[email protected]>
>>> Hi,
>>>
>>> I have an asynchronous task running to sync openldap to AD.
>>> Before I delete users from openldap I set an attribute's value to "disable", wait 30 sec and delete it.
>>> With lsc I can then disable the user in AD, but that only works the first time after restarting lsc.
>>> Subsequent disables are not triggered anymore unless I restart lsc again.
>>> Any assumptions?
>>>
>>> Regards,
>>> Christian
>>>
>>>
>>> ---
>>> <dataset>
>>>   <name>userAccountControl</name>
>>>   <policy>FORCE</policy>
>>>   <forceValues>
>>>     <string>
>>>       var uac = dstBean.getDatasetFirstValueById('userAccountControl');
>>>       if (srcBean.getDatasetFirstValueById('PersonNotes') == "disable") {
>>>         uac = AD.userAccountControlSet(dstBean.getDatasetFirstValueById('userAccountControl'), [AD.UAC_SET_ACCOUNTDISABLE]);
>>>       } else {
>>>         uac = AD.userAccountControlSet(dstBean.getDatasetFirstValueById('userAccountControl'), [AD.UAC_UNSET_ACCOUNTDISABLE]);
>>>       }
>>>       uac;
>>>     </string>
>>>   </forceValues>
>>> </dataset>
>>> ---
>>> _______________________________________________________________
>>> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>>>
>>> lsc-users mailing list
>>> [email protected]
>>> http://lists.lsc-project.org/listinfo/lsc-users
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
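The userAccountControl change recorded in the debug log (old value 66048, new value 66050) can be checked against what the forceValues script in the thread is supposed to do. The following is an added example, not LSC's own code: the `AD` object is a stand-in whose constant names match the script but whose internal shape is an assumption, and only the flag bit values are Active Directory's documented userAccountControl layout.

```javascript
// Added example, not LSC's own code: models the userAccountControl bit
// logic the forceValues script relies on, so the log line
// "old values were [66048], new values are [66050]" can be checked by hand.
// Flag values are AD's documented userAccountControl bits.
const UAC = {
  ACCOUNTDISABLE: 0x0002,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
};

// Stand-in for LSC's AD helper; the constant names match the script in the
// thread, their internal shape here is an assumption for this example.
const AD = {
  UAC_SET_ACCOUNTDISABLE: { flag: UAC.ACCOUNTDISABLE, set: true },
  UAC_UNSET_ACCOUNTDISABLE: { flag: UAC.ACCOUNTDISABLE, set: false },
  userAccountControlSet(current, ops) {
    // AD hands the attribute back as a decimal string; accept string or number.
    const value = Number(current);
    if (!Number.isInteger(value) || value < 0) {
      throw new Error(`invalid userAccountControl value: ${current}`);
    }
    return ops.reduce((v, op) => (op.set ? v | op.flag : v & ~op.flag), value);
  },
};

// Names of the known flags present in a value, for reading the debug log.
function decodeUac(value) {
  return Object.entries(UAC)
    .filter(([, bit]) => (Number(value) & bit) !== 0)
    .map(([name]) => name);
}

// Same decision the forceValues script makes: a source fhvPersonNotes of
// "disable" sets ACCOUNTDISABLE, any other value (or none) clears it.
function expectedUac(currentUac, personNotes) {
  const ops = personNotes === "disable"
    ? [AD.UAC_SET_ACCOUNTDISABLE]
    : [AD.UAC_UNSET_ACCOUNTDISABLE];
  return AD.userAccountControlSet(currentUac, ops);
}

// Walk the transition seen in the log, using the constructed input "66048".
console.log(decodeUac("66048"));              // [ 'NORMAL_ACCOUNT', 'DONT_EXPIRE_PASSWORD' ]
console.log(expectedUac("66048", "disable")); // 66050
console.log(decodeUac(66050));                // ACCOUNTDISABLE is now set as well
```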

