Thanks for your answer.

I have implemented memberOf overlay on my central openLDAP server. (thanks for 
the tip, seems great)

I can now do searches like:
ldapsearch "(uid=fr.toto.test)" memberOf
which brings back the correct membership for that user.

I can now filter my users on the proper community, thanks!

So I still have to make update and delete work with synchronization. Maybe I’m 
just using LSC wrong …
I use lsc as a service, so in my mind, when I do “service lsc start”, I 
activate the synchronization. While synchronization is activated, objects on 
dest LDAP should be created, updated and deleted upon modification/creation on 
the source LDAP.
As previously stated, I have:
<conditions>
  <create>true</create>
  <update>true</update>
  <delete>true</delete>
  <changeId>false</changeId>
</conditions>
I do not know if I absolutely need to define a dataset for each of the 
attributes of my user object. I would say this is not necessary, but I tried it 
nonetheless on a few attributes, making sure that <policy> was on FORCE. In 
<forceValues> I enter:
<string><![CDATA[srcBean.getDatasetFirstValueById("givenName")]]></string>
But when I update the attribute givenName of a user, it is not updated on the 
synchronized server. Is it necessary to have a dataset per attribute I wish to 
update?

Could it be an openLDAP version problem? I’m on slapd 2.4.23 on all of my LDAP 
servers.
Any idea where this no-update / no-delete behavior could come from?

Thanks for your help.

From: Clément OUDOT [mailto:[email protected]]
Sent: Monday, 24 November 2014 15:45
To: FOUCHET, Alexandre
Cc: [email protected]; NICOL, Yves
Subject: Re: [lsc-users] [LSC] Filtering and synchronization

2014-11-21 17:51 GMT+01:00 FOUCHET, Alexandre <[email protected]>:
Hi everybody,

Hi Alexandre,


First, I am not really used to working with LDAP and I am not so familiar with 
the terminology, so I apologize if my words don’t always make sense to you. I’ll 
try my best to make it clear.

I recently installed LSC to implement synchronization between a central 
openLDAP master server and several other openLDAP servers (let’s call these 
servers “communities”). On the central LDAP, I have a list of users under 
“dmdName=users,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr”.
On my community openLDAP servers, I have a similar place where users are 
stored. The only difference is that on a community LDAP, I only have the users 
belonging to that community, whereas on the central server, every user of any 
community is listed.

On the central openLDAP, I also have 
“dmdName=communities,dmdName=groups,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr”
which lists communities. Each community object contains a list of “member” 
attributes, which lists the users belonging to a community. For example, I have 
an object 
“cn=com1,dmdName=communities,dmdName=groups,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr”
which is my community n°1; this object contains 10 “member” attributes, each 
value being a reference to a user object, for instance: 
“uid=fr.admin.nistrateur,dmdName=users,dmdName=portal,dmdName=applications,dc=cap,dc=ad”.

Now, what I did with LSC so far is to get all the users from the central 
openLDAP server sent to one destination LDAP server.
I did that by creating 2 LDAP connections, one ldapSourceService with one pivot 
attribute (uid), one ldapDestinationService with nearly the same settings as 
the ldapSourceService, and inside propertiesBasedSyncOptions I have:
<mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("uid") + ",dmdName=users,dmdName=portal,dmdName=applications,dc=cap,dc=da"</mainIdentifier>
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>FORCE</defaultPolicy>
<conditions>
  <create>true</create>
  <update>true</update>
  <delete>true</delete>
  <changeId>false</changeId>
</conditions>

I would like to create some filtering so that I don’t synchronize all the 
users, but only the ones being mentioned as “member” inside the corresponding 
community object.


1- How could I do that? I have tried to use getAllFilter, getOneFilter 
and cleanFilter but I didn’t really get how to effectively use them.

I think the best would be to activate the memberOf overlay on your central 
OpenLDAP. With it, you will have a memberOf operational attribute in user 
entries, and you can use it in getAllFilter, for example:
<getAllFilter>(&(objectClass=inetOrgPerson)(memberOf=cn=com1,dmdName=communities,dmdName=groups,dmdName=portal,dmdName=applications,dc=cap,dc=ad,dc=appli,dc=fr))</getAllFilter>

The other solution is to write JavaScript code in the <create> solution that 
will do a search on your group branch and return true only if the current user 
belongs to the wanted group.

2- With the settings I have now, the synchronization seems to be working 
for objects not already existing on the destination LDAP. Users are correctly 
created on the destination services, but they are never updated or deleted. How 
could I do that? As stated above, inside “conditions”, create, update and 
delete are all set to true but no update or delete operation seems to be 
synchronized.

It should be. Any modification found in the source is replicated in the 
destination.


3- I tried to use “datasets” to force the update of attributes, for 
instance:

<dataset>
  <name>givenName</name>
  <policy>FORCE</policy>
  <defaultValues></defaultValues>
  <forceValues><string>srcBean.getAttributeFirstValueById("givenName")</string></forceValues>
  <createValues></createValues>
  <delimiter>,</delimiter>
</dataset>

If the value of the “givenName” attribute from a user object on the central 
server is different from the value of the same attribute on the same user 
object on the dest LDAP, I would expect it to update the value of the attribute 
on the dest. Am I wrong on how datasets work?

No, this should work. But you are using an old method (getAttribute...). Use 
getDataset... methods in LSC 2.


4- I noticed there is an executable plugin which allows replacing beans 
with scripts. The website mentions example bash scripts in the source RPM. I 
could not find those scripts; does anyone know where to find them? I found a 
script called lsc-executable-add-modify-delete-modrdn.pl in the source RPM, 
but it was nearly empty (just function definitions). 
Do I need to write scripts or create my own bean to be able to update / delete 
users?


Some bash examples here: 
http://tools.lsc-project.org/projects/lsc/repository/show/plugins/trunk/connectors/executable/src/test/resources/org/lsc/plugins/connectors/executable


Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
