2014-11-17 12:50 GMT+01:00 Marcin Baluta <[email protected]>:

> Hi Clement,
>
> In shortcut – our goal is to have OpenLDAP and AD (Windows 2k12) fully
> synchronized. So far I managed to catch users from OpenLDAP and place them
> in desired OU. Now I’m facing a “group syncing” problem and cannot jump
> through it.
>
> I’m receiving this error: [LDAP: error code 65 - 0000207B: UpdErr:
> DSID-03051266, problem 6002 (OBJ_CLASS_VIOLATION), data 0] when LSC tries
> to create a group in AD. As I can guess - I’m missing some attribute
> required by AD… or maybe something different.
>
> Task for group syncing:
>
> <task>
>   <name>Groups</name>
>   <bean>org.lsc.beans.SimpleBean</bean>
>   <ldapSourceService>
>     <name>LDAPsource-service-groups</name>
>     <connection reference="LDAPsource" />
>     <baseDn>ou=groups,dc=xxx,dc=xxx,dc=xxx</baseDn>
>     <pivotAttributes>
>       <string>cn</string>
>     </pivotAttributes>
>     <fetchedAttributes>
>       <string>cn</string>
>       <string>description</string>
>       <string>memberUID</string>
>       <string>member</string>
>     </fetchedAttributes>
>     <getAllFilter><![CDATA[(objectClass=posixGroup)]]></getAllFilter>
>     <getOneFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></getOneFilter>
>     <cleanFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></cleanFilter>
>   </ldapSourceService>
>
>   <ldapDestinationService>
>     <name>LDAPdestination-service-groups</name>
>     <connection reference="LDAPdestination" />
>     <baseDn>OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx</baseDn>
>     <pivotAttributes>
>       <string>cn</string>
>     </pivotAttributes>
>
>     <fetchedAttributes>
>       <string>cn</string>
>       <string>sAMAccountName</string>
>       <string>distinguishedName</string>
>       <string>description</string>
>       <string>objectClass</string>
>       <string>memberUID</string>
>       <string>member</string>
>     </fetchedAttributes>
>     <getAllFilter><![CDATA[(objectClass=group)]]></getAllFilter>
>     <getOneFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></getOneFilter>
>   </ldapDestinationService>
>
>   <propertiesBasedSyncOptions>
>     <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("cn") + ", OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx "</mainIdentifier>
>     <defaultDelimiter>;</defaultDelimiter>
>     <defaultPolicy>FORCE</defaultPolicy>
>
>     <conditions>
>       <create>true</create>
>       <update>true</update>
>       <delete>false</delete>
>       <changeId>true</changeId>
>     </conditions>
>
>     <dataset>
>       <name>cn</name>
>       <policy>FORCE</policy>
>       <createValues>
>         <string>srcBean.getDatasetFirstValueById("cn")</string>
>       </createValues>
>     </dataset>
>
>     <dataset>
>       <name>description</name>
>       <policy>KEEP</policy>
>       <createValues>
>         <string>srcBean.getAttributeValuesById("description")</string>
>       </createValues>
>     </dataset>
>
>     <dataset>
>       <name>sAMAccountName</name>
>       <policy>KEEP</policy>
>       <createValues>
>         <string>srcBean.getDatasetFirstValueById("cn")</string>
>       </createValues>
>     </dataset>
>
>     <dataset>
>       <name>distinguishedName</name>
>       <policy>KEEP</policy>
>       <createValues>
>         <string>"CN=" + srcBean.getDatasetFirstValueById("cn") + ", OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx "</string>
>       </createValues>
>     </dataset>
>
>     <dataset>
>       <name>objectcClass</name>
>       <policy>FORCE</policy>
>       <createValues>
>         <string>"top"</string>
>         <string>"group"</string>
>       </createValues>
>     </dataset>
>
>     <dataset>
>       <name>member</name>
>       <policy>FORCE</policy>
>       <forceValues>
>         <string>
>           <![CDATA[js: var dstMembers = new Array();
>             var membersSrcDn = srcBean.getDatasetValuesById("member");
>             for (var i=0; i<membersSrcDn.size(); i++) {
>               var memberSrcDn = membersSrcDn.get(i);
>               sam = srcLdap.attribute( memberSrcDn, "sAMAccountName").get(0);
>               dstMembers.push(sam)
>             }
>             dstMembers;
>           ]]>
>         </string>
>       </forceValues>
>     </dataset>
>   </propertiesBasedSyncOptions>
> </task>
>
> Also very important info – our sAMAccountName is different than UID in
> OpenLDAP. I put these datasets in “users sync task”:
>
> <dataset>
>   <name>samAccountName</name>
>   <policy>KEEP</policy>
>   <createValues>
>     <string>srcBean.getDatasetFirstValueById('givenName') + "." + srcBean.getDatasetFirstValueById('sn')</string>
>   </createValues>
> </dataset>
>
> <dataset>
>   <name>uid</name>
>   <policy>KEEP</policy>
>   <forceValues>
>     <string>srcBean.getDatasetFirstValueById("uid")</string>
>   </forceValues>
> </dataset>
>
> So UID is kept in AD in UID attribute.
>
> Thanks in advance!

Hi,

I don't think that you can put sAMAccountName inside a group entry. Just keep the cn.

Clément.

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users

