Hi !

Thanks for the answer. Here is the config made by my colleague. This is a
test config.

Thank you !

<?xml version="1.0" ?>
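<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
<!-- LSC configuration root: <connections> defines the directory connections, <tasks> the synchronization tasks.
     The start tag above no longer carries the stray ';' between the xmlns and revision attributes,
     which made the document not well-formed. -->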
    <!-- Directory connections; the tasks refer to them by <name> through <connection reference="..."/>. -->
    <connections>
        <!-- Source directory. Username and password are empty, so no bind credentials are configured here.
             NOTE(review): plain ldap:// with tlsActivated=false means everything read from this server,
             including the userPassword attribute the People task fetches, crosses the network unencrypted. -->
        <ldapConnection>
            <name>ldap-src-conn</name>
            <url>ldap://172.18.0.102:389/dc=mycompany??sub</url>
            <username></username>
            <password></password>
            <authentication>SIMPLE</authentication>
            <referral>IGNORE</referral>
            <derefAliases>NEVER</derefAliases>
            <version>VERSION_3</version>
            <pageSize>-1</pageSize>
            <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
            <tlsActivated>false</tlsActivated>
        </ldapConnection>
        <!-- Destination directory (the tasks use it with Active Directory object classes).
             NOTE(review): a SIMPLE bind over ldap:// with tlsActivated=false sends the bind DN and password
             in clear text. Active Directory also normally refuses unicodePwd writes on an unencrypted
             connection, and the People task sets unicodePwd through this connection; confirm LDAPS or
             StartTLS is used outside of testing.
             NOTE(review): the bind identity is the domain Administrator and its password is stored inline.
             Prefer a dedicated service account delegated only on the target containers, and restrict read
             access to this file. -->
        <ldapConnection>
            <name>ldap-dst-conn</name>
            <url>ldap://172.16.37.64:389/dc=ads,dc=mycompany??sub</url>
            <username>CN=Administrator,CN=Users,DC=ADS,dc=mycompany</username>
            <password>MyPassword</password>
            <authentication>SIMPLE</authentication>
            <referral>IGNORE</referral>
            <derefAliases>NEVER</derefAliases>
            <version>VERSION_3</version>
            <pageSize>-1</pageSize>
            <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
            <tlsActivated>false</tlsActivated>
        </ldapConnection>
    </connections>
    <tasks>
        <task>
            <name>People</name>
            <bean>org.lsc.beans.SimpleBean</bean>
            <!-- Source side of the People task: posixAccount entries below ou=people, read through ldap-src-conn. -->
            <ldapSourceService>
                <name>ldap-source-service</name>
                <connection reference="ldap-src-conn" />
                <baseDn>ou=people,dc=mycompany</baseDn>
                <!-- uid is the pivot attribute; the {uid} placeholders in this task's filters refer to it. -->
                <pivotAttributes>
                    <string>uid</string>
                </pivotAttributes>
                <!-- NOTE(review): userPassword is fetched but none of the People datasets reads it. Over the
                     unencrypted source connection this needlessly exposes password hashes; drop it from
                     the list if it is really unused. -->
                <fetchedAttributes>
                    <string>description</string>
                    <string>cn</string>
                    <string>sn</string>
                    <string>userPassword</string>
                    <string>givenName</string>
                    <string>uid</string>
                    <string>mail</string>
                    <string>uidNumber</string>
                    <string>gidNumber</string>
                    <string>homeDirectory</string>
                    <string>gecos</string>
                </fetchedAttributes>
                <!-- All posixAccount entries except the one whose uid is "template". -->
                <getAllFilter>(&amp;(objectClass=posixAccount)(!(uid=template)))</getAllFilter>
                <!-- Single-entry lookups by uid. -->
                <getOneFilter>(&amp;(objectClass=posixAccount)(uid={uid}))</getOneFilter>
                <cleanFilter>(&amp;(objectClass=posixAccount)(uid={uid}))</cleanFilter>
            </ldapSourceService>
            <!-- Destination side of the People task: user objects below cn=users, written through ldap-dst-conn. -->
            <ldapDestinationService>
                <name>ad-dst-service</name>
                <connection reference="ldap-dst-conn" />
                <baseDn>cn=users,dc=ads,dc=mycompany</baseDn>
                <pivotAttributes>
                    <string>samAccountName</string>
                </pivotAttributes>
                <!-- NOTE(review): unicodePwd is write-only in Active Directory and is not returned by searches;
                     confirm that listing it here is what lets LSC set it when an entry is created. -->
                <fetchedAttributes>
                    <string>description</string>
                    <string>cn</string>
                    <string>sn</string>
                    <string>samAccountName</string>
                    <string>userPrincipalName</string>
                    <string>name</string>
                    <string>givenName</string>
                    <string>objectClass</string>
                    <string>displayName</string>
                    <string>unicodePwd</string>
                    <string>userAccountControl</string>
                </fetchedAttributes>
                <!-- User objects only; computer accounts are excluded. -->
                <getAllFilter>(&amp;(objectClass=user)(!(objectClass=computer)))</getAllFilter>
                <!-- The destination entry is matched on sAMAccountName equal to the source uid. -->
                <getOneFilter>(&amp;(objectClass=user)(!(objectClass=computer))(sAMAccountName={uid}))</getOneFilter>
            </ldapDestinationService>
            <!-- Attribute mapping for the People task. -->
            <propertiesBasedSyncOptions>
                <!-- The destination DN is always "cn=<source cn>,cn=users,dc=ads,dc=mycompany": every entry is
                     created directly under cn=users, wherever it was found below the source base.
                     NOTE(review): the source cn is concatenated into the DN without escaping; a value
                     containing DN special characters (comma, plus, quote, ...) would yield a malformed
                     or different DN. -->
                <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",cn=users,dc=ads,dc=mycompany"</mainIdentifier>
                <defaultDelimiter>;</defaultDelimiter>
                <defaultPolicy>FORCE</defaultPolicy>
                <!-- Entries may be created, updated and renamed; deletion is switched off. -->
                <conditions>
                    <create>true</create>
                    <update>true</update>
                    <delete>false</delete>
                    <changeId>true</changeId>
                </conditions>
                <!-- NOTE(review): cn is created from the source uid while the RDN above uses the source cn;
                     confirm the two cannot differ, since AD expects cn to match the RDN. -->
                <dataset>
                    <name>cn</name>
                    <policy>KEEP</policy>
                    <createValues>
                        <string>srcBean.getDatasetFirstValueById("uid")</string>
                    </createValues>
                </dataset>
                <dataset>
                    <name>sn</name>
                    <policy>FORCE</policy>
                    <forceValues>
                        <string>srcBean.getDatasetFirstValueById("sn")</string>
                    </forceValues>
                </dataset>
                <dataset> <!-- gvds OK -->
                    <name>name</name>
                    <policy>KEEP</policy>
                    <createValues>
                        <string>srcBean.getDatasetFirstValueById("givenName")</string>
                    </createValues>
                </dataset>
                <dataset>
                    <name>givenName</name>
                    <policy>FORCE</policy>
                    <forceValues>
                        <string>srcBean.getDatasetFirstValueById("givenName")</string>
                    </forceValues>
                </dataset>

                <dataset> <!-- gvds OK -->
                    <name>sAMAccountName</name>
                    <policy>KEEP</policy>
                    <createValues>
                        <string>srcBean.getDatasetFirstValueById("uid")</string>
                    </createValues>
                </dataset>
                <dataset>
                    <name>objectClass</name>
                    <policy>KEEP</policy>
                    <createValues>
                        <string>"user"</string>
                        <string>"person"</string>
                        <string>"organizationalPerson"</string>
                    </createValues>
                </dataset>
                <dataset>
                    <name>displayName</name>
                    <policy>FORCE</policy>
                    <forceValues>
                        <string>srcBean.getDatasetFirstValueById("gecos")</string>
                    </forceValues>
                </dataset>
                <dataset>
                    <name>userPrincipalName</name>
                    <policy>FORCE</policy>
                    <forceValues>
                        <string>srcBean.getDatasetFirstValueById("uid") + "@ads.mycompany.com"</string>
                    </forceValues>
                </dataset>

                <!-- Initial password, set only on creation (KEEP policy with createValues).
                     NOTE(review): the value is the literal "Password" followed by the current date (yyyyMMdd),
                     so every account created on the same day gets the same, guessable password, and the
                     first statement prints it in clear text to standard output, where it can end up in
                     logs. Generate a random per-account value and drop the println outside of testing. -->
                <dataset>
                    <name>unicodePwd</name>
                    <policy>KEEP</policy>
                    <createValues>
                        <string>
                            java.lang.System.out.println("Password" + (new java.text.SimpleDateFormat("yyyyMMdd")).format(new java.util.Date()) );
                            AD.getUnicodePwd("Password" + (new java.text.SimpleDateFormat("yyyyMMdd")).format(new java.util.Date()) )</string>
                    </createValues>
                </dataset>
                <!-- New accounts get the NORMAL_ACCOUNT and PASSWORD_EXPIRED flags; presumably the latter
                     forces a password change at first logon. Confirm, because until then the account is
                     protected only by the predictable initial password. -->
                <dataset>
                    <name>userAccountControl</name>
                    <policy>KEEP</policy>
                    <createValues>
                        <string>AD.userAccountControlSet( "0", [ AD.UAC_SET_NORMAL_ACCOUNT, AD.UAC_SET_PASSWORD_EXPIRED])</string>
                    </createValues>
                </dataset>

            </propertiesBasedSyncOptions>
        </task>
        <task>
                        <name>Groups</name>
                        <bean>org.lsc.beans.SimpleBean</bean>
                        <!-- Source side of the Groups task: posixGroup entries below ou=Groups, read through ldap-src-conn. -->
                        <ldapSourceService>
                            <name>ldap-source-service-grp</name>
                            <connection reference="ldap-src-conn" />
                            <baseDn>ou=Groups,dc=mycompany</baseDn>
                            <!-- cn is the pivot attribute for groups. -->
                            <pivotAttributes>
                                <string>cn</string>
                            </pivotAttributes>
                            <!-- memberUid supplies the member login names that the member dataset resolves to DNs. -->
                            <fetchedAttributes>
                                <string>description</string>
                                <string>gidNumber</string>
                                <string>memberUid</string>
                                <string>cn</string>
                                <string>sambaSID</string>
                            </fetchedAttributes>
                            <!-- All posixGroup entries except those named "template" or "administrators". -->
                            <getAllFilter>(&amp;(objectClass=posixGroup)(!(cn=template))(!(cn=administrators)))</getAllFilter>
                            <getOneFilter>(&amp;(objectClass=posixGroup)(cn={cn}))</getOneFilter>
                            <!-- The clean filter is keyed on {samAccountName}, the destination pivot attribute. -->
                            <cleanFilter>(&amp;(objectClass=posixGroup)(cn={samAccountName}))</cleanFilter>
                        </ldapSourceService>
                        <!-- Destination side of the Groups task: group objects below ou=Groups, written through ldap-dst-conn. -->
                        <ldapDestinationService>
                            <name>ad-dst-service-grp</name>
                            <connection reference="ldap-dst-conn" />
                            <baseDn>ou=Groups,dc=ads,dc=mycompany</baseDn>
                            <pivotAttributes>
                                <string>samAccountName</string>
                            </pivotAttributes>
                            <fetchedAttributes>
                                <string>cn</string>
                                <string>sAMAccountName</string>
                                <string>objectClass</string>
                                <string>member</string>
                            </fetchedAttributes>
                            <!-- Group objects only. -->
                            <getAllFilter>(&amp;(objectClass=group)(!(objectClass=computer)))</getAllFilter>
                            <!-- The destination group is matched on sAMAccountName equal to the source cn. -->
                            <getOneFilter>(&amp;(objectClass=group)(!(objectClass=computer))(sAMAccountName={cn}))</getOneFilter>
                        </ldapDestinationService>
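                        <!-- Attribute mapping for the Groups task. -->
                        <propertiesBasedSyncOptions>
                            <!-- The destination DN is always "cn=<source cn>,ou=Groups,dc=ads,dc=mycompany".
                                 NOTE(review): the source cn is concatenated into the DN without escaping. -->
                            <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Groups,dc=ads,dc=mycompany"</mainIdentifier>
                            <defaultDelimiter>;</defaultDelimiter>
                            <defaultPolicy>FORCE</defaultPolicy>
                            <!-- Groups may be created, updated and renamed; deletion is switched off. -->
                            <conditions>
                                <create>true</create>
                                <update>true</update>
                                <delete>false</delete>
                                <changeId>true</changeId>
                            </conditions>
                            <dataset>
                                <name>cn</name>
                                <policy>KEEP</policy>
                                <createValues>
                                    <string>srcBean.getDatasetFirstValueById("cn")</string>
                                </createValues>
                            </dataset>
                            <dataset>
                                <name>sAMAccountName</name>
                                <policy>KEEP</policy>
                                <createValues>
                                    <string>srcBean.getDatasetFirstValueById("cn")</string>
                                </createValues>
                            </dataset>
                            <!-- member is recomputed on every run (FORCE): each source memberUid is looked up as a
                                 user by samaccountname and every hit is added with the fixed domain suffix. -->
                            <dataset>
                                <name>member</name>
                                <policy>FORCE</policy>
                                <forceValues>
                                    <string><![CDATA[
                            // Escape a value for use inside an LDAP search filter (RFC 4515):
                            // backslash, '*', '(', ')' and NUL become a backslash plus two hex digits.
                            // Without this, a memberUid containing filter metacharacters would change
                            // the meaning of the search below.
                            function escapeFilterValue(v) {
                                return String(v).replace(/[\\*()\u0000]/g, function (c) {
                                    var hex = c.charCodeAt(0).toString(16);
                                    return "\\" + (hex.length < 2 ? "0" + hex : hex);
                                });
                            }

                            var srcMembers = srcBean.getAttributeValuesById("memberUid").toArray();
                            var returnGroups = new Array();
                            for (var i in srcMembers) {
                                // TODO: for each uid, fetch the gecos
                                java.lang.System.out.println("srcMember : "+srcMembers[i]);
                                var usr = ldap.search("", "(&(samaccountname=" + escapeFilterValue(srcMembers[i]) + ")(objectClass=user))").toArray();
                                for (var j in usr) {
                                    // Presumably the search returns DNs relative to the connection base; confirm.
                                    var memberDn = "" + usr[j] + ",DC=ads,dc=mycompany";
                                    java.lang.System.out.println("pushing - " + memberDn);
                                    returnGroups.push(memberDn);
                                }
                            }
                            // The value of the last expression is the list of member DNs.
                            returnGroups;
                        ]]></string>
                                </forceValues>
                            </dataset>
                            <dataset>
                                <name>objectClass</name>
                                <policy>KEEP</policy>
                                <createValues>
                                    <string>"group"</string>
                                </createValues>
                            </dataset>

                        </propertiesBasedSyncOptions>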
        </task>
    </tasks>
</lsc>



Le 07/08/14 12:58, Sébastien Bahloul a écrit :
> Hi Gaetan,
>
> LSC is using a SUBTREE scope (LdapSourceService) so it should do the
> job. Can you provide some  details and configuration extract ?
>
> Regards, 
>
> Sebastien BAHLOUL
> IAM / Security specialist
> Ldap Synchronization Connector : http://lsc-project.org
> Blog : http://sbahloul.wordpress.com/
>
>
> 2014-08-07 10:32 GMT+02:00 Gaetan Slongo <[email protected]
> <mailto:[email protected]>>:
>
>     Hi !
>
>     Someone has an idea about this ?
>
>     Thank you
>
>     Gaëtan
>
>
>     Le 04/08/14 15:10, Gaetan Slongo a écrit :
>     > Hi !
>     >
>     > We currently are trying to integrate LSC in our infrastructure.
>     We are
>     > facing to some issues but here is one here on which we cannot find a
>     > "real" answer :
>     >
>     > LSC do not seems to allow us to recursivly sync our OpenLDAP to
>     AD. I
>     > mean it do not sync other OU under the base...?
>     >
>     > If the base is : ou=MyUsers,dc=company,dc=com it will not sync
>     users in
>     > ou=MyOtherUsers,ou=MyUsers,dc=company,dc=com
>     >
>     > This is a normal behavior ?
>     >
>     > Thank you for advance
>     >
>     > _______________________________________________________________
>     > Ldap Synchronization Connector (LSC) - http://lsc-project.org
>     >
>     > lsc-users mailing list
>     > [email protected]
>     <mailto:[email protected]>
>     > http://lists.lsc-project.org/listinfo/lsc-users
>
>
>
>     _______________________________________________________________
>     Ldap Synchronization Connector (LSC) - http://lsc-project.org
>
>     lsc-users mailing list
>     [email protected]
>     <mailto:[email protected]>
>     http://lists.lsc-project.org/listinfo/lsc-users
>
>

<?xml version="1.0" ?>
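<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
<!-- LSC configuration root: <connections> defines the directory connections, <tasks> the synchronization tasks.
     The start tag above no longer carries the stray ';' between the xmlns and revision attributes,
     which made the document not well-formed. -->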
	<!-- Directory connections; the tasks refer to them by <name> through <connection reference="..."/>. -->
	<connections>
		<!-- Source directory. Username and password are empty, so no bind credentials are configured here.
		     NOTE(review): plain ldap:// with tlsActivated=false means everything read from this server,
		     including the userPassword attribute the People task fetches, crosses the network unencrypted. -->
		<ldapConnection>
			<name>ldap-src-conn</name>
			<url>ldap://172.18.0.102:389/dc=it-optics,dc=net??sub</url>
			<username></username>
			<password></password>
			<authentication>SIMPLE</authentication>
			<referral>IGNORE</referral>
			<derefAliases>NEVER</derefAliases>
			<version>VERSION_3</version>
			<pageSize>-1</pageSize>
			<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
			<tlsActivated>false</tlsActivated>
		</ldapConnection>
		<!-- Destination directory (the tasks use it with Active Directory object classes).
		     NOTE(review): a SIMPLE bind over ldap:// with tlsActivated=false sends the bind DN and password
		     in clear text. Active Directory also normally refuses unicodePwd writes on an unencrypted
		     connection, and the People task sets unicodePwd through this connection; confirm LDAPS or
		     StartTLS is used outside of testing.
		     NOTE(review): the bind identity is the domain Administrator and its password is stored inline.
		     This file was posted to a public mailing list, so treat the password as compromised and
		     rotate it; prefer a dedicated service account delegated only on the target containers. -->
		<ldapConnection>
			<name>ldap-dst-conn</name>
			<url>ldap://172.16.37.64:389/dc=ads,dc=it-optics,dc=com??sub</url>
			<username>CN=Administrator,CN=Users,DC=ADS,DC=IT-OPTICS,DC=COM</username>
			<password>test123*</password>
			<authentication>SIMPLE</authentication>
			<referral>IGNORE</referral>
			<derefAliases>NEVER</derefAliases>
			<version>VERSION_3</version>
			<pageSize>-1</pageSize>
			<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
			<tlsActivated>false</tlsActivated>
		</ldapConnection>
	</connections>
	<tasks>
		<task>
			<name>People</name>
			<bean>org.lsc.beans.SimpleBean</bean>
			<!-- Source side of the People task: posixAccount entries below ou=people, read through ldap-src-conn. -->
			<ldapSourceService>
				<name>ldap-source-service</name>
				<connection reference="ldap-src-conn" />
				<baseDn>ou=people,dc=it-optics,dc=net</baseDn>
				<!-- uid is the pivot attribute; the {uid} placeholders in this task's filters refer to it. -->
				<pivotAttributes>
					<string>uid</string>
				</pivotAttributes>
				<!-- NOTE(review): userPassword is fetched but none of the People datasets reads it. Over the
				     unencrypted source connection this needlessly exposes password hashes; drop it from
				     the list if it is really unused. -->
				<fetchedAttributes>
					<string>description</string>
					<string>cn</string>
					<string>sn</string>
					<string>userPassword</string>
					<string>givenName</string>
					<string>uid</string>
					<string>mail</string>
					<string>uidNumber</string>
					<string>gidNumber</string>
					<string>homeDirectory</string>
					<string>gecos</string>
				</fetchedAttributes>
				<!-- All posixAccount entries except the one whose uid is "template". -->
				<getAllFilter>(&amp;(objectClass=posixAccount)(!(uid=template)))</getAllFilter>
				<!-- Single-entry lookups by uid. -->
				<getOneFilter>(&amp;(objectClass=posixAccount)(uid={uid}))</getOneFilter>
				<cleanFilter>(&amp;(objectClass=posixAccount)(uid={uid}))</cleanFilter>
			</ldapSourceService>
			<!-- Destination side of the People task: user objects below cn=users, written through ldap-dst-conn. -->
			<ldapDestinationService>
				<name>ad-dst-service</name>
				<connection reference="ldap-dst-conn" />
				<baseDn>cn=users,dc=ads,dc=it-optics,dc=com</baseDn>
				<pivotAttributes>
					<string>samAccountName</string>
				</pivotAttributes>
				<!-- NOTE(review): unicodePwd is write-only in Active Directory and is not returned by searches;
				     confirm that listing it here is what lets LSC set it when an entry is created. -->
				<fetchedAttributes>
					<string>description</string>
					<string>cn</string>
					<string>sn</string>
					<string>samAccountName</string>
					<string>userPrincipalName</string>
					<string>name</string>
					<string>givenName</string>
					<string>objectClass</string>
					<string>displayName</string>
					<string>unicodePwd</string>
					<string>userAccountControl</string>
				</fetchedAttributes>
				<!-- User objects only; computer accounts are excluded. -->
				<getAllFilter>(&amp;(objectClass=user)(!(objectClass=computer)))</getAllFilter>
				<!-- The destination entry is matched on sAMAccountName equal to the source uid. -->
				<getOneFilter>(&amp;(objectClass=user)(!(objectClass=computer))(sAMAccountName={uid}))</getOneFilter>
			</ldapDestinationService>
			<!-- Attribute mapping for the People task. -->
			<propertiesBasedSyncOptions>
				<!-- The destination DN is always "cn=<source cn>,cn=users,dc=ads,dc=it-optics,dc=com": every
				     entry is created directly under cn=users, wherever it was found below the source base.
				     NOTE(review): the source cn is concatenated into the DN without escaping; a value
				     containing DN special characters (comma, plus, quote, ...) would yield a malformed
				     or different DN. -->
				<mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",cn=users,dc=ads,dc=it-optics,dc=com"</mainIdentifier>
				<defaultDelimiter>;</defaultDelimiter>
				<defaultPolicy>FORCE</defaultPolicy>
				<!-- Entries may be created, updated and renamed; deletion is switched off. -->
				<conditions>
					<create>true</create>
					<!--<update>srcBean.getDatasetFirstValueById('updateTimeStamp') &gt; dstBean.getDatasetFirstValueById('updateTimeStamp')</update>-->
					<update>true</update>
					<!-- DO NOT CHANGE THE DELETE VALUE. THIS COULD PURGE AND DESTROY YOUR AD/S4 -->
					<delete>false</delete>
					<changeId>true</changeId>
				</conditions>
				<!-- NOTE(review): cn is created from the source uid while the RDN above uses the source cn;
				     confirm the two cannot differ, since AD expects cn to match the RDN. -->
				<dataset>
					<name>cn</name>
					<policy>KEEP</policy>
					<createValues>
						<string>srcBean.getDatasetFirstValueById("uid")</string>
					</createValues>
				</dataset>
				<dataset>
					<name>sn</name>
					<policy>FORCE</policy>
					<forceValues>
						<string>srcBean.getDatasetFirstValueById("sn")</string>
					</forceValues>
				</dataset>
				<dataset> <!-- gvds OK -->
					<name>name</name>
					<policy>KEEP</policy>
					<createValues>
						<string>srcBean.getDatasetFirstValueById("givenName")</string>
					</createValues>
				</dataset>
				<dataset>
					<name>givenName</name>
					<policy>FORCE</policy>
					<forceValues>
						<string>srcBean.getDatasetFirstValueById("givenName")</string>
					</forceValues>
				</dataset>

				<dataset> <!-- gvds OK -->
					<name>sAMAccountName</name>
					<policy>KEEP</policy>
					<createValues>
						<string>srcBean.getDatasetFirstValueById("uid")</string>
					</createValues>
				</dataset>
				<dataset>
					<name>objectClass</name>
					<policy>KEEP</policy>
					<createValues>
						<string>"user"</string>
						<string>"person"</string>
						<string>"organizationalPerson"</string>
					</createValues>
				</dataset>
				<dataset>
					<name>displayName</name>
					<policy>FORCE</policy>
					<forceValues>
						<string>srcBean.getDatasetFirstValueById("gecos")</string>
					</forceValues>
				</dataset>
				<dataset>
					<name>userPrincipalName</name>
					<policy>FORCE</policy>
					<forceValues>
						<string>srcBean.getDatasetFirstValueById("uid") + "@ads.it-optics.com"</string>
					</forceValues>
				</dataset>

				<!-- Initial password, set only on creation (KEEP policy with createValues).
				     NOTE(review): the value is the literal "Password" followed by the current date (yyyyMMdd),
				     so every account created on the same day gets the same, guessable password, and the
				     first statement prints it in clear text to standard output, where it can end up in
				     logs. Generate a random per-account value and drop the println outside of testing. -->
				<dataset>
					<name>unicodePwd</name>
					<policy>KEEP</policy>
					<createValues>
						<string>
							java.lang.System.out.println("Password" + (new java.text.SimpleDateFormat("yyyyMMdd")).format(new java.util.Date()) );
							AD.getUnicodePwd("Password" + (new java.text.SimpleDateFormat("yyyyMMdd")).format(new java.util.Date()) )</string>
					</createValues>
				</dataset>
				<!-- New accounts get the NORMAL_ACCOUNT and PASSWORD_EXPIRED flags; presumably the latter
				     forces a password change at first logon. Confirm, because until then the account is
				     protected only by the predictable initial password. -->
				<dataset>
					<name>userAccountControl</name>
					<policy>KEEP</policy>
					<createValues>
						<string>AD.userAccountControlSet( "0", [ AD.UAC_SET_NORMAL_ACCOUNT, AD.UAC_SET_PASSWORD_EXPIRED])</string>
					</createValues>
				</dataset>

			</propertiesBasedSyncOptions>
		</task>
		<task>
                        <name>Groups</name>
                        <bean>org.lsc.beans.SimpleBean</bean>
                        <!-- Source side of the Groups task: posixGroup entries below ou=Groups, read through ldap-src-conn. -->
                        <ldapSourceService>
                            <name>ldap-source-service-grp</name>
                            <connection reference="ldap-src-conn" />
                            <baseDn>ou=Groups,dc=it-optics,dc=net</baseDn>
                            <!-- cn is the pivot attribute for groups. -->
                            <pivotAttributes>
                                <string>cn</string>
                            </pivotAttributes>
                            <!-- memberUid supplies the member login names that the member dataset resolves to DNs. -->
                            <fetchedAttributes>
                                <string>description</string>
                                <string>gidNumber</string>
                                <string>memberUid</string>
                                <string>cn</string>
                                <string>sambaSID</string>
                            </fetchedAttributes>
                            <!-- All posixGroup entries except those named "template" or "administrators". -->
                            <getAllFilter>(&amp;(objectClass=posixGroup)(!(cn=template))(!(cn=administrators)))</getAllFilter>
                            <getOneFilter>(&amp;(objectClass=posixGroup)(cn={cn}))</getOneFilter>
                            <!-- The clean filter is keyed on {samAccountName}, the destination pivot attribute. -->
                            <cleanFilter>(&amp;(objectClass=posixGroup)(cn={samAccountName}))</cleanFilter>
                        </ldapSourceService>
                        <!-- Destination side of the Groups task: group objects below ou=Groups, written through ldap-dst-conn. -->
                        <ldapDestinationService>
                            <name>ad-dst-service-grp</name>
                            <connection reference="ldap-dst-conn" />
                            <baseDn>ou=Groups,dc=ads,dc=it-optics,dc=com</baseDn>
                            <pivotAttributes>
                                <string>samAccountName</string>
                            </pivotAttributes>
                            <fetchedAttributes>
                                <string>cn</string>
                                <string>sAMAccountName</string>
                                <string>objectClass</string>
                                <string>member</string>
                            </fetchedAttributes>
                            <!-- Group objects only. -->
                            <getAllFilter>(&amp;(objectClass=group)(!(objectClass=computer)))</getAllFilter>
                            <!-- The destination group is matched on sAMAccountName equal to the source cn. -->
                            <getOneFilter>(&amp;(objectClass=group)(!(objectClass=computer))(sAMAccountName={cn}))</getOneFilter>
                        </ldapDestinationService>
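                        <!-- Attribute mapping for the Groups task. -->
                        <propertiesBasedSyncOptions>
                            <!-- The destination DN is always "cn=<source cn>,ou=Groups,dc=ads,dc=it-optics,dc=com".
                                 NOTE(review): the source cn is concatenated into the DN without escaping. -->
                            <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Groups,dc=ads,dc=it-optics,dc=com"</mainIdentifier>
                            <defaultDelimiter>;</defaultDelimiter>
                            <defaultPolicy>FORCE</defaultPolicy>
                            <!-- Groups may be created, updated and renamed; deletion is switched off. -->
                            <conditions>
                                <create>true</create>
                                <update>true</update>
                                <delete>false</delete>
                                <changeId>true</changeId>
                            </conditions>
                            <dataset>
                                <name>cn</name>
                                <policy>KEEP</policy>
                                <createValues>
                                    <string>srcBean.getDatasetFirstValueById("cn")</string>
                                </createValues>
                            </dataset>
                            <dataset>
                                <name>sAMAccountName</name>
                                <policy>KEEP</policy>
                                <createValues>
                                    <string>srcBean.getDatasetFirstValueById("cn")</string>
                                </createValues>
                            </dataset>
                            <!-- member is recomputed on every run (FORCE): each source memberUid is looked up as a
                                 user by samaccountname and every hit is added with the fixed domain suffix. -->
                            <dataset>
                                <name>member</name>
                                <policy>FORCE</policy>
                                <forceValues>
                                    <string><![CDATA[
                            // Escape a value for use inside an LDAP search filter (RFC 4515):
                            // backslash, '*', '(', ')' and NUL become a backslash plus two hex digits.
                            // Without this, a memberUid containing filter metacharacters would change
                            // the meaning of the search below.
                            function escapeFilterValue(v) {
                                return String(v).replace(/[\\*()\u0000]/g, function (c) {
                                    var hex = c.charCodeAt(0).toString(16);
                                    return "\\" + (hex.length < 2 ? "0" + hex : hex);
                                });
                            }

                            var srcMembers = srcBean.getAttributeValuesById("memberUid").toArray();
                            var returnGroups = new Array();
                            for (var i in srcMembers) {
                                // TODO: for each uid, fetch the gecos
                                java.lang.System.out.println("srcMember : "+srcMembers[i]);
                                var usr = ldap.search("", "(&(samaccountname=" + escapeFilterValue(srcMembers[i]) + ")(objectClass=user))").toArray();
                                for (var j in usr) {
                                    // Presumably the search returns DNs relative to the connection base; confirm.
                                    var memberDn = "" + usr[j] + ",DC=ads,DC=it-optics,DC=com";
                                    java.lang.System.out.println("pushing - " + memberDn);
                                    returnGroups.push(memberDn);
                                }
                            }
                            // The value of the last expression is the list of member DNs.
                            returnGroups;
                        ]]></string>
                                </forceValues>
                            </dataset>
                            <dataset>
                                <name>objectClass</name>
                                <policy>KEEP</policy>
                                <createValues>
                                    <string>"group"</string>
                                </createValues>
                            </dataset>

                        </propertiesBasedSyncOptions>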
		</task>
	</tasks>
</lsc>

Attachment: signature.asc
Description: OpenPGP digital signature
