2014-11-21 17:51 GMT+01:00 FOUCHET, Alexandre <
[email protected]>:
> Hi everybody,
>
Hi Alexandre,
>
>
> First, I am not really used to working with LDAP and I am not so familiar
> with the terminology, so I apologize if my words don’t always make sense to
> you. I’ll try my best to make it clear.
>
>
>
> I recently installed LSC to implement synchronization between a central
> openLDAP master server and several other openLDAP servers (let’s call these
> servers “communities”). On the central LDAP, I have a list of users under
> “dmdName=users,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr”.
> On my communities openLDAP servers, I have a similar place where users are
> stored. Only difference is that on a community LDAP, I only have the users
> belonging to that community, whereas on the central server, every user of
> any community is listed.
>
>
>
> On the central openLDAP, I also have
> “dmdName=communities,dmdName=groups,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr”
> which lists communities. Each community object contains a list of “member”
> attributes, which lists the users belonging to a community. For example, I
> have an object:
> “cn=com1,dmdName=communities,dmdName=groups,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr”
> which is my community n°1, this object contains 10 “member” attributes,
> each value being a reference to a user object, for instance :
> “uid=fr.admin.nistrateur,dmdName=users,dmdName=portal,dmdName=applications,dc=cap,dc=ad”.
>
>
>
> Now, what I did with LSC so far, is to get all the users from the central
> openLDAP server to be sent to one destination LDAP server.
>
> I did that by creating 2 LDAP connections, one ldapSourceService with one
> pivot attribute (uid), one ldapDestinationService with nearly the same
> settings as the ldapSourceService and inside propertiesBasedSyncOptions I
> have :
>
> <mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("uid") +
> ",dmdName=users,
> dmdName=portal,dmdName=applications,dc=cap,dc=da"</mainIdentifier>
>
> <defaultDelimiter>;</defaultDelimiter>
>
> <defaultPolicy>FORCE</defaultPolicy>
>
> <conditions>
>
> <create>true</create>
>
> <update>true</update>
>
> <delete>true</delete>
>
> <changeId>false</changeId>
>
> </conditions>
>
>
>
> I would like to create some filtering so that I don’t synchronize all the
> users, but only the ones being mentioned as “member” inside the
> corresponding community object.
>
>
>
> 1- How could I do that? I have tried to use getAllFilter,
> getOneFilter and cleanFilter but I didn’t really get how to use them
> effectively.
>
I think the best would be to activate memberOf overlay on your central
OpenLDAP. With it, you will have a memberOf operational attribute in user
entries, and you can use it in getAllFilter, for example :
<getAllFilter>(&(objectClass=inetOrgPerson)(memberOf=
cn=com1,dmdName=communities,dmdName=groups,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr
))</getAllFilter>
The other solution is to write javascript code in the <create> condition
that will do a search on your group branch and return true only if the current
user belongs to the wanted group.
> 2- With the settings I have now, the synchronization seems to be
> working for objects not already existing on the destination LDAP. Users are
> correctly created on the destination services, but they are never updated
> or deleted. How could I be doing that? As stated above, inside
> “conditions”, create, update and delete are all set to true but no update or
> delete operation seems to be synchronized.
>
It should be. Any modification found in the source is replicated in the
destination.
> 3- I tried to use “datasets” to force the update of attributes, for
> instance :
>
> <dataset>
>
> <name>givenName</name>
>
> <policy>FORCE</policy>
>
> <defaultValues></defaultValues>
>
>
> <forceValues><string>srcBean.getAttributeFirstValueById("givenName")</string></forceValues>
>
> <createValues></createValues>
>
> <delimiter>,</delimiter>
>
> </dataset>
>
> If the value of the “givenName” attribute of a user
> object on the central server is different from the value of the same
> attribute on the same user object on the dest LDAP, I would expect it to
> update the value of the attribute on the dest. Am I wrong on how datasets
> work?
>
No, this should work. But you are using an old method (getAttribute...).
Use the getDataset... methods in LSC 2.
> 4- I noticed there is an executable plugin which allows beans to be replaced
> with scripts. The website mentions example bash scripts in the source
> RPM. I could not find those scripts; does anyone know where to find them? I
> found a script called lsc-executable-add-modify-delete-modrdn.pl in the
> source RPM, but it was nearly empty (just function definitions). Do I
> need to write scripts or create my own bean to be able to update / delete
> users?
>
>
>
Some bash examples here:
http://tools.lsc-project.org/projects/lsc/repository/show/plugins/trunk/connectors/executable/src/test/resources/org/lsc/plugins/connectors/executable
Clément.
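Clément's first suggestion put into a complete LSC 2 task, as an added example: this is not Alexandre's file and not code from the LSC project. It assumes the memberof overlay is already active on the central server, and the hostnames, connection names, bind DNs, the placeholder passwords and the 2.0 XSD namespace are assumptions; the DNs are the ones from the thread. The point a practitioner wants beyond getAllFilter is that getOneFilter and cleanFilter carry the same memberOf clause: during the clean phase LSC looks each destination entry up in the source with cleanFilter, so without that clause a user removed from cn=com1 but still present in the central directory is never deleted from the community server.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the poster's configuration. Hosts, bind DNs and
     passwords are placeholders; the community DN is the one from the thread. -->
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" revision="0">
  <connections>
    <!-- Read-only bind on the central server: it only needs to read the users
         branch plus the operational memberOf attribute (grant it in slapd ACLs). -->
    <ldapConnection>
      <name>central</name>
      <url>ldap://central.example.org/dc=cap,dc=ad,dc=appli,dc=fr</url>
      <username>cn=lsc-reader,dc=cap,dc=ad,dc=appli,dc=fr</username>
      <password>CHANGE_ME</password>
      <authentication>SIMPLE</authentication>
    </ldapConnection>
    <!-- Writer bind on community server 1: restrict it to the users branch. -->
    <ldapConnection>
      <name>com1</name>
      <url>ldap://com1.example.org/dc=cap,dc=ad,dc=appli,dc=fr</url>
      <username>cn=lsc-writer,dc=cap,dc=ad,dc=appli,dc=fr</username>
      <password>CHANGE_ME</password>
      <authentication>SIMPLE</authentication>
    </ldapConnection>
  </connections>

  <tasks>
    <task>
      <name>com1-users</name>
      <bean>org.lsc.beans.SimpleBean</bean>

      <ldapSourceService>
        <name>central-com1-members</name>
        <connection reference="central" />
        <baseDn>dmdName=users,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>uid</string>
          <string>cn</string>
          <string>sn</string>
          <string>givenName</string>
          <string>mail</string>
        </fetchedAttributes>
        <!-- "&" must be written as &amp; inside the XML file. Only members of
             cn=com1 are enumerated during synchronisation. -->
        <getAllFilter>(&amp;(objectClass=inetOrgPerson)(memberOf=cn=com1,dmdName=communities,dmdName=groups,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr))</getAllFilter>
        <!-- {uid} is replaced by the pivot value of the entry being processed. -->
        <getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid})(memberOf=cn=com1,dmdName=communities,dmdName=groups,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr))</getOneFilter>
        <!-- Clean phase: for each destination entry, is it still a com1 member in the
             source? Without the memberOf clause here, leaving the community never
             produces a delete on the community server. -->
        <cleanFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid})(memberOf=cn=com1,dmdName=communities,dmdName=groups,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr))</cleanFilter>
      </ldapSourceService>

      <ldapDestinationService>
        <name>com1-users</name>
        <connection reference="com1" />
        <baseDn>dmdName=users,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>uid</string>
          <string>cn</string>
          <string>sn</string>
          <string>givenName</string>
          <string>mail</string>
          <string>objectClass</string>
        </fetchedAttributes>
        <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid}))</getOneFilter>
      </ldapDestinationService>

      <propertiesBasedSyncOptions>
        <mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("uid") + ",dmdName=users,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>true</delete>
          <changeId>false</changeId>
        </conditions>
        <!-- LSC 2 accessor, as Clément notes, instead of getAttributeFirstValueById. -->
        <dataset>
          <name>givenName</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("givenName")</string>
          </forceValues>
        </dataset>
        <!-- objectClass is set once at creation and then left alone. -->
        <dataset>
          <name>objectClass</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"inetOrgPerson"</string>
            <string>"organizationalPerson"</string>
            <string>"person"</string>
            <string>"top"</string>
          </createValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>
  </tasks>
</lsc>
```

Two checks before trusting the filter. The memberof overlay only maintains memberOf for group modifications made after it is loaded, so existing member values have to be re-applied once (remove and re-add them), otherwise getAllFilter matches nobody and a run with delete enabled would empty the community server; and memberOf is operational, so `ldapsearch` must name it explicitly (for example `ldapsearch -x -D cn=lsc-reader,... -W -b dmdName=users,... '(uid=fr.admin.nistrateur)' memberOf`) and the slapd ACL must let the lsc-reader bind read it. Run the task once with `lsc -f /etc/lsc -n -s com1-users -c com1-users` to see the planned creates, updates and deletes before dropping `-n`.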
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users