Hi Clement,
In short, our goal is to have OpenLDAP and AD (Windows 2k12) fully
synchronized. So far I have managed to fetch users from OpenLDAP and place them
in the desired OU. Now I'm facing a group syncing problem and cannot get
past it.
I'm receiving this error: [LDAP: error code 65 - 0000207B: UpdErr:
DSID-03051266, problem 6002 (OBJ_CLASS_VIOLATION), data 0] when LSC tries
to create a group in AD. As far as I can guess, I'm missing some attribute
required by AD, or maybe it is something different.
Task for group syncing:
<task>
<name>Groups</name>
<bean>org.lsc.beans.SimpleBean</bean>
<ldapSourceService>
<name>LDAPsource-service-groups</name>
<connection reference="LDAPsource" />
<baseDn>ou=groups,dc=xxx,dc=xxx,dc=xxx</baseDn>
<pivotAttributes>
<string>cn</string>
</pivotAttributes>
<fetchedAttributes>
<string>cn</string>
<string>description</string>
<string>memberUID</string>
<string>member</string>
</fetchedAttributes>
<getAllFilter><![CDATA[(objectClass=posixGroup)]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></getOneFilter>
<cleanFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></cleanFilter>
</ldapSourceService>
<ldapDestinationService>
<name>LDAPdestination-service-groups</name>
<connection reference="LDAPdestination" />
<baseDn>OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx</baseDn>
<pivotAttributes>
<string>cn</string>
</pivotAttributes>
<fetchedAttributes>
<string>cn</string>
<string>sAMAccountName</string>
<string>distinguishedName</string>
<string>description</string>
<string>objectClass</string>
<string>memberUID</string>
<string>member</string>
</fetchedAttributes>
<getAllFilter><![CDATA[(objectClass=group)]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></getOneFilter>
</ldapDestinationService>
<propertiesBasedSyncOptions>
<mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("cn") +
",OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx"</mainIdentifier>
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>FORCE</defaultPolicy>
<conditions>
<create>true</create>
<update>true</update>
<delete>false</delete>
<changeId>true</changeId>
</conditions>
<dataset>
<name>cn</name>
<policy>FORCE</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("cn")</string>
</createValues>
</dataset>
<dataset>
<name>description</name>
<policy>KEEP</policy>
<createValues>
<string>srcBean.getAttributeValuesById("description")</string>
</createValues>
</dataset>
<dataset>
<name>sAMAccountName</name>
<policy>KEEP</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("cn")</string>
</createValues>
</dataset>
<dataset>
<name>distinguishedName</name>
<policy>KEEP</policy>
<createValues>
<string>"CN=" + srcBean.getDatasetFirstValueById("cn") +
",OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx"</string>
</createValues>
</dataset>
<dataset>
<name>objectClass</name>
<policy>FORCE</policy>
<createValues>
<string>"top"</string>
<string>"group"</string>
</createValues>
</dataset>
<dataset>
<name>member</name>
<policy>FORCE</policy>
<forceValues>
<string>
<![CDATA[js:
// Collect the destination member values from the source group's "member" DNs.
var dstMembers = [];
var membersSrcDn = srcBean.getDatasetValuesById("member");
for (var i = 0; i < membersSrcDn.size(); i++) {
  var memberSrcDn = membersSrcDn.get(i);
  var sam = srcLdap.attribute(memberSrcDn, "sAMAccountName").get(0);
  dstMembers.push(sam);
}
dstMembers;
]]>
</string>
</forceValues>
</dataset>
</propertiesBasedSyncOptions>
</task>
Also, very important info: our sAMAccountName is different from the uid in
OpenLDAP. I put these datasets in the users sync task:
<dataset>
<name>sAMAccountName</name>
<policy>KEEP</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById('givenName') + "." +
srcBean.getDatasetFirstValueById('sn')</string>
</createValues>
</dataset>
<dataset>
<name>uid</name>
<policy>KEEP</policy>
<forceValues>
<string>srcBean.getDatasetFirstValueById("uid")</string>
</forceValues>
</dataset>
So the uid is kept in AD in the uid attribute.
Thanks in advance!
Marcin Baluta
Systems Administrator
tyntec GmbH
Semerteichstr. 54 - 56 | 44141 Dortmund, Germany
T +49 231 477 90 405 | F +49 231 108 799 2
<http://www.tyntec.com/> www.tyntec.com
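The following is an added example, not code from the original post or from the LSC project. It mirrors the posixGroup-to-AD-group mapping of the task above in plain Python so the attribute set can be inspected before an LDAP add is attempted: it builds the AD group entry from a source posixGroup, resolves memberUid values to destination user DNs through the uid attribute kept in AD (AD's member attribute holds DNs, not sAMAccountNames), and checks the things AD rejects an add for, including a missing objectClass (error 65, OBJ_CLASS_VIOLATION). The directory contents, DNs and names are constructed for the example.

```python
"""Dry-run builder and schema check for a posixGroup -> AD group mapping.

Added example, not part of LSC or the original post. All directory
data below is constructed; in a live run it would come from LDAP searches.
"""

# Constructed source entries (what the (objectClass=posixGroup) search returns).
SRC_GROUPS = [
    {"cn": ["admins"], "description": ["Platform admins"],
     "memberUid": ["jdoe", "asmith"]},
    {"cn": ["Sales, EMEA"], "description": [], "memberUid": ["jdoe", "ghost"]},
]

# Constructed destination lookup: AD users found by (uid=<memberUid>) -> DN.
DST_USERS_BY_UID = {
    "jdoe": "CN=John.Doe,OU=Users,OU=imported,OU=test,DC=example,DC=com",
    "asmith": "CN=Anna.Smith,OU=Users,OU=imported,OU=test,DC=example,DC=com",
}
DST_GROUP_BASE = "OU=Groups,OU=imported,OU=test,DC=example,DC=com"

_RDN_SPECIALS = ',+"\\<>;'
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def escape_rdn_value(value):
    """RFC 4514 escaping so a cn such as 'Sales, EMEA' yields a valid DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_ad_group(src, users_by_uid, base):
    """Translate one posixGroup into (dn, attrs, unresolved_uids).

    member is filled with destination user DNs, which is what AD's member
    attribute requires; uids with no matching AD user are reported back.
    """
    cn = src["cn"][0]
    dn = "CN=%s,%s" % (escape_rdn_value(cn), base)
    members, unresolved = [], []
    for uid in src.get("memberUid", []):
        member_dn = users_by_uid.get(uid)
        if member_dn:
            members.append(member_dn)
        else:
            unresolved.append(uid)
    attrs = {
        "objectClass": ["top", "group"],  # required on every AD add
        "cn": [cn],
        "sAMAccountName": [cn],
        "member": members,
    }
    if src.get("description"):
        attrs["description"] = list(src["description"])
    return dn, attrs, unresolved


def validate_ad_group(attrs):
    """Return the problems AD would reject this add for (empty list = OK)."""
    problems = []
    # The attribute name must be spelled exactly; a misspelled dataset name
    # means no objectClass reaches AD and the add fails with error 65.
    oc = attrs.get("objectClass")
    if not oc or "group" not in oc:
        problems.append("objectClass missing or lacks 'group' "
                        "(error 65, OBJ_CLASS_VIOLATION)")
    sam = (attrs.get("sAMAccountName") or [""])[0]
    if not sam or _SAM_FORBIDDEN & set(sam):
        problems.append("sAMAccountName empty or contains forbidden chars: %r" % sam)
    for m in attrs.get("member", []):
        if "=" not in m:
            problems.append("member value is not a DN: %r" % m)
    return problems


if __name__ == "__main__":
    for group in SRC_GROUPS:
        dn, attrs, missing = build_ad_group(group, DST_USERS_BY_UID, DST_GROUP_BASE)
        print(dn, validate_ad_group(attrs), "unresolved:", missing)
```

Running the dry run over a real export before enabling create=true shows which groups would fail (unresolved members, a cn that is not a legal sAMAccountName) without touching the domain.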
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users