Are you sure? Because my pivot attributes don't contain any chars that need to be escaped (they are sAMAccountName and uid). And my filters only use those pivot attributes. It's just the cn, a fetched attribute that is used to build the main identifier, that contains a comma.
From: Jon C Kidder [mailto:[email protected]]
Sent: Friday, 14 February 2014 14:49
To: Pallier, Manuel / BEKO Graz; [email protected]
Subject: RE: How to use commas in DN?

This looks a lot like bug #637
http://tools.lsc-project.org/issues/637

-Jon C. Kidder
American Electric Power
Middleware Services
Email: [email protected]<mailto:[email protected]>
Phone: 614-716-4970

From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Pallier, Manuel / BEKO Graz
Sent: Friday, February 14, 2014 4:51 AM
To: [email protected]<mailto:[email protected]>
Subject: [lsc-users] How to use commas in DN?

Hi,

I recently started using LSC and I'm having a problem with commas in DNs. I'm syncing from Active Directory 2008 R2 to openLDAP 2.4 and would like to use the CN of my users as the first part of the DN. But the problem is that all CNs in the Active Directory are in the format "Surname, Forename", so they contain a comma.

A simple DN configuration like the following doesn't work at all:

    <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=AD,ou=people,dc=bekoag,dc=local"</mainIdentifier>

It results in the following error for each user:

    Feb 14 10:13:40 - ERROR - Error while synchronizing ID cn=Pallier, Manuel,ou=AD,ou=people,dc=bekoag,dc=local: java.lang.RuntimeException: org.apache.directory.shared.ldap.model.exception.LdapInvalidDnException: ERR_04196 Unexpected character ',' at position 19. Excpected start of attributeType descr.
    # Fri Feb 14 10:13:40 CET 2014
    dn: cn=Pallier, Manuel,ou=AD,ou=people,dc=bekoag,dc=local
    changetype: add

So I've tried the following configuration:

    <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn").replace(",", "\\,") + ",ou=AD,ou=people,dc=bekoag,dc=local"</mainIdentifier>

This works for creating the users, but no changes are synchronized afterwards.

If I change the configuration to the following, everything, including updates, works fine:

    <mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("sAMAccountName") + ",ou=AD,ou=people,dc=bekoag,dc=local"</mainIdentifier>

I think this is because the DNs are read differently from Active Directory and openLDAP, which then prevents LSC from matching the entries for updates.

Here is an example output from ldapsearch on Active Directory:

    ldapsearch -x -H ldap://adserver -D 'username' -W '(cn=pallier*)'
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=bekoag,dc=local> (default) with scope subtree
    # filter: (cn=pallier*)
    # requesting: ALL
    #

    # Pallier\2C Manuel, MA_Produktion, Benutzer, INF, Graz, BEKOAG, bekoag.local
    dn: CN=Pallier\, Manuel,OU=MA_Produktion,OU=Benutzer,OU=INF,OU=Graz,OU=BEKOAG,DC=bekoag,DC=local
    cn: Pallier, Manuel

And here the openLDAP entry that was created by LSC:

    ldapsearch -x -H ldap://localhost -D 'cn=Administrator,dc=bekoag,dc=local' -W '(cn=pallier*)'
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=bekoag,dc=local> (default) with scope subtree
    # filter: (cn=pallier*)
    # requesting: ALL
    #

    # Pallier\2C Manuel, AD, people, bekoag.local
    dn: cn=Pallier\2C Manuel,ou=AD,ou=people,dc=bekoag,dc=local
    cn: Pallier, Manuel

Note that ldapsearch on Active Directory shows "\2C" for the comma in the commented DN, but "\," in the actual DN attribute, whereas ldapsearch on openLDAP shows "\2C" for both.

If someone has an idea how to solve that problem (other than not using CN in the DN) any help would be greatly appreciated.

I've attached my whole configuration file for reference (in the working state with uid in the DN, but the problematic mainIdentifier-Tag is also there, just commented out).
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
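
The two escape styles in the ldapsearch outputs above, "\," and "\2C", are equivalent encodings of the same comma under RFC 4514. The following is an added example, not part of the original thread and not LSC code: it escapes an RDN value and compares DNs after decoding both styles. The function names escapeRdnValue, parseDn and sameDn are hypothetical.

```javascript
// Added example; function names are hypothetical, not LSC or LDAP-library APIs.
// Escape an attribute value for use in an RDN (RFC 4514, section 2.4).
function escapeRdnValue(value) {
  return Array.from(value).map((c, i, all) => {
    if ('\\",+;<>'.includes(c)) return "\\" + c;              // always-special characters
    if (c === "\0") return "\\00";                            // NUL needs the hex form
    if (i === 0 && (c === " " || c === "#")) return "\\" + c; // leading space or '#'
    if (i === all.length - 1 && c === " ") return "\\" + c;   // trailing space
    return c;
  }).join("");
}

// Parse a DN into [type, value] pairs: split at unescaped commas and decode both
// escape styles. Multi-valued RDNs ("+") and "#hex" values are out of scope here.
function parseDn(dn) {
  const chars = Array.from(dn);
  const rdns = [];
  let cur = ""; // percent-encoded accumulator, so multi-byte UTF-8 hex pairs decode correctly
  for (let i = 0; i < chars.length; i++) {
    const c = chars[i];
    const hex = chars.slice(i + 1, i + 3).join("");
    if (c === "\\" && /^[0-9a-fA-F]{2}$/.test(hex)) {
      cur += "%" + hex; i += 2;                       // \2C -> byte 0x2C
    } else if (c === "\\") {
      if (i + 1 >= chars.length) throw new Error("dangling backslash in DN");
      cur += encodeURIComponent(chars[++i]);          // \, -> literal comma
    } else if (c === ",") {
      rdns.push(cur); cur = "";                       // unescaped comma ends the RDN
    } else {
      cur += c === "=" ? c : encodeURIComponent(c);
    }
  }
  rdns.push(cur);
  return rdns.map((rdn) => {
    const eq = rdn.indexOf("=");
    if (eq < 1) throw new Error("RDN without attribute type: " + rdn);
    return [rdn.slice(0, eq).toLowerCase(), decodeURIComponent(rdn.slice(eq + 1))];
  });
}

// Types compare case-insensitively; values exactly (a simplification of LDAP matching rules).
function sameDn(a, b) {
  return JSON.stringify(parseDn(a)) === JSON.stringify(parseDn(b));
}

// DNs copied from the ldapsearch output quoted in the thread.
const adDn = "CN=Pallier\\, Manuel,OU=MA_Produktion,OU=Benutzer,OU=INF,OU=Graz,OU=BEKOAG,DC=bekoag,DC=local";
const olDn = "cn=Pallier\\2C Manuel,ou=AD,ou=people,dc=bekoag,dc=local";
console.log(parseDn(adDn)[0], parseDn(olDn)[0]);
```

Both first RDNs decode to the same pair, so a comparison done on decoded values treats the Active Directory and openLDAP spellings of the CN as identical, while a raw string comparison does not.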

