Another test I did:

I removed groupOfUniqueNames from the destination OpenLDAP objectClass.  The 
new error message is below:

ERROR - Error while adding entry cn=test,ou=Groups,ou=Dept,dc=sample,dc=net in 
directory :javax.naming.directory.SchemaViolationException: [LDAP: error code 
65 - object class 'groupOfNames' requires attribute 'member']; remaining name 
'cn=test,ou=Groups,ou=Dept'
Dec 04 14:13:34 - ERROR - Error while synchronizing ID 
cn=test,ou=Groups,ou=Dept,dc=sample,dc=net: java.lang.Exception: Technical 
problem while applying modifications to the destination

I also changed OpenLDAP attributes from uniqueMember to member but the result 
is the same.

I am able to manually export groups from AD in ldif format and run ldapadd to 
add them to OpenLDAP.  This is just to verify LDAP structure and required 
attributes are correct.

Thoughts?
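The errors in this thread (error 65 "invalid structural object class chain", error 65 "requires attribute 'member'", and the earlier error 21 on an objectClass value) are all raised by the destination server's schema check at add time. The script below is an added example, not part of this thread and not LSC code: it runs the same three checks offline on a would-be entry, using a hand-transcribed subset of the RFC 4519 core schema that covers only top, groupOfNames and groupOfUniqueNames, so the objectClass / member / uniqueMember combination a task writes can be verified before a sync is run. The sample entries and the user DN are constructed.

```python
"""Offline schema check for a group entry before it is written to OpenLDAP.

Added example, not LSC code. SCHEMA is a hand-transcribed subset of the
RFC 4519 core schema covering only the classes discussed in the thread.
"""
from itertools import combinations

# class -> (kind, superior class, MUST attributes, MAY attributes)
GROUP_MAY = {"businessCategory", "seeAlso", "owner", "ou", "o", "description"}
SCHEMA = {
    "top": ("ABSTRACT", None, {"objectClass"}, set()),
    "groupOfNames": ("STRUCTURAL", "top", {"cn", "member"}, GROUP_MAY),
    "groupOfUniqueNames": ("STRUCTURAL", "top", {"cn", "uniqueMember"}, GROUP_MAY),
}


def superior_chain(oc):
    """Return oc and its superiors, most specific first (e.g. groupOfNames, top)."""
    chain = []
    while oc is not None:
        chain.append(oc)
        oc = SCHEMA[oc][1]
    return chain


def check_entry(entry):
    """Return the schema problems for an entry given as {attribute: [values]}.

    Attribute names are matched case-insensitively, as LDAP does. The three
    checks mirror what the server enforces on add: one structural class chain,
    every MUST attribute present, no attribute outside MUST/MAY.
    """
    attrs = {name.lower(): values for name, values in entry.items()}
    classes = attrs.get("objectclass", [])
    problems = []
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        # e.g. AD's "group" class copied straight into an OpenLDAP entry
        return [f"objectClass value not in schema: {', '.join(unknown)}"]

    # 1. Two structural classes are only compatible when one is the other's superior.
    structural = [c for c in classes if SCHEMA[c][0] == "STRUCTURAL"]
    for a, b in combinations(structural, 2):
        if a not in superior_chain(b) and b not in superior_chain(a):
            problems.append(f"invalid structural object class chain ({a}/{b})")

    # 2. Collect MUST/MAY over each listed class and its superiors.
    must_by_class, may = {}, set()
    for c in classes:
        for sup in superior_chain(c):
            for attr in SCHEMA[sup][2]:
                must_by_class.setdefault(attr, sup)
            may |= SCHEMA[sup][3]
    for attr in sorted(must_by_class):
        if not attrs.get(attr.lower()):
            problems.append(
                f"object class '{must_by_class[attr]}' requires attribute '{attr}'")

    # 3. Anything else in the entry is not permitted by the listed classes.
    allowed = {a.lower() for a in set(must_by_class) | may}
    for name in entry:
        if name.lower() not in allowed:
            problems.append(f"attribute '{name}' not allowed by object classes")
    return problems


# Constructed entries that reproduce the error texts quoted in the thread.
USER_DN = "uid=alice,ou=Users,ou=Dept,dc=sample,dc=net"  # constructed
GROUP_TWO_STRUCTURAL = {"objectClass": ["top", "groupOfNames", "groupOfUniqueNames"],
                        "cn": ["test"], "uniqueMember": [USER_DN]}
GROUP_WRONG_MEMBER_ATTR = {"objectClass": ["top", "groupOfNames"],
                           "cn": ["test"], "uniqueMember": [USER_DN]}
GROUP_OK = {"objectClass": ["top", "groupOfNames"], "cn": ["test"], "member": [USER_DN]}

if __name__ == "__main__":
    for label, entry in [("two structural classes", GROUP_TWO_STRUCTURAL),
                         ("groupOfNames with uniqueMember", GROUP_WRONG_MEMBER_ATTR),
                         ("groupOfNames with member", GROUP_OK)]:
        print(f"{label}: {check_entry(entry) or 'OK'}")
```

Running it prints one line per sample entry: the first two fail with the same wording the server used, the third passes. The point of the check is the pairing the thread circles around: groupOfNames MUST carry member, groupOfUniqueNames MUST carry uniqueMember, and because both are STRUCTURAL with top as their only superior, an entry cannot list both.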

From: [email protected]
To: [email protected]
CC: [email protected]
Subject: RE: [lsc-users] Sync AD Group To OpenLDAP
Date: Thu, 4 Dec 2014 11:03:04 -0800

Hi,

I removed the objectClass from source fetchedAttributes and got the same error.

Next, I changed the logger to DEBUG level.  Here is the error message:

Dec 04 10:53:23 - ERROR - Error while adding entry 
cn=test,ou=Groups,ou=Dept,dc=sample,dc=net in directory 
:javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - 
invalid structural object class chain (groupOfNames/groupOfUniqueNames)]; 
remaining name 'cn=test,ou=Groups,ou=Dept'
Dec 04 10:53:23 - ERROR - Error while synchronizing ID 
cn=test,ou=Groups,ou=Dept,dc=sample,dc=net: java.lang.Exception: Technical 
problem while applying modifications to the destination

After searching the Internet, it seems the problem is related to nis.schema 
versus rfc2307bis.schema.  I went ahead and rebuilt OpenLDAP, removing 
nis.schema and adding rfc2307bis.schema.  This does not change the behavior at 
all.  The user sync went through without any issue but the group sync still 
failed with the same error message.

Any suggestions?

By the way, the system background:
OS: CentOS 6.5 64-bit
LSC: version 2.1.1
Java: Oracle/Sun JDK 1.7.0.71
MS 2008R2 64-bit

Thanks,

Date: Thu, 4 Dec 2014 09:05:15 +0100
Subject: Re: [lsc-users] Sync AD Group To OpenLDAP
From: [email protected]
To: [email protected]
CC: [email protected]


2014-12-04 1:29 GMT+01:00 W. Ho <[email protected]>:

Team,

I have successfully synced AD users to OpenLDAP.  Now I am adding the group 
sync and having some issues.

I created a task section for group sync based on the instructions from the 
tutorial.  When I execute the sync I get the error message below.  I believe it 
has an issue creating the objectClass in the destination LDAP group OU, but I am 
not sure why it fails.  Any help is very appreciated.

Dec 03 12:30:07 - ERROR - Error while adding entry 
cn=test,ou=Groups,ou=Dept,dc=sample,dc=net in directory 
:javax.naming.directory.InvalidAttributeValueException: [LDAP: error 
code 21 - objectClass: value #0 invalid per syntax]; remaining name 
'cn=test,ou=Groups,ou=Dept'
Dec 03 12:30:07 - ERROR - Error while 
synchronizing ID cn=test,ou=Groups,ou=Dept,dc=sample,dc=net: 
java.lang.Exception: Technical problem while applying modifications to 
the destination

<task>
  <name>adGroup</name>
  <bean>org.lsc.beans.SimpleBean</bean>
  <ldapSourceService>
    <name>group-source-service</name>
    <connection reference="AD" />
    <baseDn>ou=Groups,ou=Dept,dc=sample,dc=net</baseDn>
    <pivotAttributes>
      <string>cn</string>
    </pivotAttributes>
    <fetchedAttributes>
      <string>dn</string>
      <string>cn</string>
      <string>description</string>
      <string>member</string>
      <string>objectClass</string>
    </fetchedAttributes>
    <getAllFilter><![CDATA[(objectClass=group)]]></getAllFilter>
    <getOneFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></getOneFilter>
    <cleanFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></cleanFilter>
  </ldapSourceService>
  <ldapDestinationService>
    <name>group-dst-service</name>
    <connection reference="openldap" />
    <baseDn>ou=Groups,ou=Dept,dc=sample,dc=net</baseDn>
    <pivotAttributes>
      <string>cn</string>
    </pivotAttributes>
    <fetchedAttributes>
      <string>dn</string>
      <string>cn</string>
      <string>description</string>
      <string>uniqueMember</string>
      <string>objectClass</string>
    </fetchedAttributes>
    <getAllFilter><![CDATA[(objectClass=groupOfNames)]]></getAllFilter>
    <getOneFilter><![CDATA[(&(objectClass=groupOfNames)(cn={cn}))]]></getOneFilter>
  </ldapDestinationService>
  <propertiesBasedSyncOptions>
    <mainIdentifier>js:"cn=" + javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + ",ou=Groups,ou=Dept,dc=sample,dc=net"</mainIdentifier>
    <defaultDelimiter>;</defaultDelimiter>
    <defaultPolicy>FORCE</defaultPolicy>
    <conditions>
      <create>true</create>
      <update>true</update>
      <delete>true</delete>
      <changeId>true</changeId>
    </conditions>
    <dataset>
      <name>objectclass</name>
      <policy>FORCE</policy>
      <createValues>
        <string>"top"</string>
        <string>"groupOfNames"</string>
      </createValues>
    </dataset>
    <dataset>
      <name>cn</name>
      <policy>FORCE</policy>
      <forceValues>
        <string>srcBean.getDatasetFirstValueById("cn")</string>
      </forceValues>
    </dataset>
    <dataset>
      <name>dn</name>
      <policy>FORCE</policy>
      <forceValues>
        <string>srcBean.getDatasetFirstValueById("dn")</string>
      </forceValues>
    </dataset>
    <dataset>
      <name>uniqueMember</name>
      <policy>FORCE</policy>
      <forceValues>
        <string>
        <![CDATA[rjs:
          // Map each AD member DN to the matching OpenLDAP user DN (sAMAccountName -> uid)
          var membersSrcDn = srcBean.getDatasetValuesById("member");
          var membersDstDn = [];
          for (var i = 0; i < membersSrcDn.size(); i++) {
            var memberSrcDn = membersSrcDn.get(i);
            var sAMAccountName = "";
            try {
              sAMAccountName = srcLdap.attribute(memberSrcDn, "sAMAccountName").get(0);
            } catch (e) {
              continue; // member has no sAMAccountName or the lookup failed: skip it
            }
            var destDn = ldap.search("ou=Users,ou=Dept", "(uid=" + sAMAccountName + ")");
            if (destDn.size() == 0 || destDn.size() > 1) {
              continue; // no match or an ambiguous match in the destination: skip it
            }
            var destMemberDn = destDn.get(0) + "," + ldap.getContextDn();
            membersDstDn.push(destMemberDn);
          }
          membersDstDn
        ]]>
        </string>
      </forceValues>
    </dataset>
  </propertiesBasedSyncOptions>
</task>


Hi, try to remove objectClass from source fetchedAttributes.

If it does not work, try to set DEBUG level in logback.xml to see what is sent 
by LSC to OpenLDAP.

Clément.

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users