Hi I have set up LSC for syncing between an OpenLDAP server and a Windows 2012 AS server. So far the sync between users on LDAP to AD works like expected. All users that are in group "rdp" in LDAP get synchronised to AD.
Unfortunately the deletion of users from AD that are no longer part of LDAP group "rdp" does not work. When calling lsc with the clean option I get the following output:

Jan 06 17:55:19 - INFO - Logging configuration successfully loaded from /etc/lsc/openldap2ad/logback.xml
Jan 06 17:55:19 - INFO - LSC configuration successfully loaded from /etc/lsc/openldap2ad/
Jan 06 17:55:20 - INFO - Connecting to LDAP server ldaps://ad-server=win,dc=bch,dc=no as [email protected]
Jan 06 17:55:20 - INFO - Connecting to LDAP server ldap://ldap-server:389/dc=bch,dc=no as cn=syncuser,dc=bch,dc=no
Jan 06 17:55:20 - INFO - Starting sync for Sync_LDAP_to_AD
Jan 06 17:55:21 - INFO - All entries: 4, to modify entries: 0, successfully modified entries: 0, errors: 0
Jan 06 17:55:21 - INFO - Starting clean for Sync_LDAP_to_AD
Jan 06 17:55:21 - INFO - All entries: 5, to modify entries: 0, successfully modified entries: 0, errors: 0

There were 5 users in LDAP group "rdp" that were synced to AD. Then I removed one user from LDAP group "rdp" and assumed that this user would also be removed from AD. It didn't.
Here's the task part of my config file:

<tasks>
  <task>
    <name>Sync_LDAP_to_AD</name>
    <bean>org.lsc.beans.SimpleBean</bean>
    <ldapSourceService>
      <name>openldap-source-service</name>
      <connection reference="LDAP" />
      <baseDn>ou=users,dc=bch,dc=no</baseDn>
      <pivotAttributes>
        <string>uid</string>
      </pivotAttributes>
      <fetchedAttributes>
        <string>cn</string>
        <string>description</string>
        <string>givenName</string>
        <string>mail</string>
        <string>sn</string>
        <string>uid</string>
        <string>userpassword</string>
      </fetchedAttributes>
      <getAllFilter><![CDATA[(&(objectClass=inetOrgPerson)(memberOf=cn=rdp,ou=groups,dc=bch,dc=no))]]></getAllFilter>
      <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter>
      <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))]]></cleanFilter>
    </ldapSourceService>
    <ldapDestinationService>
      <name>ad-dst-service</name>
      <connection reference="AD" />
      <baseDn>ou=RDP,dc=win,dc=bch,dc=no</baseDn>
      <pivotAttributes>
        <string>sAMAccountName</string>
      </pivotAttributes>
      <fetchedAttributes>
        <string>cn</string>
        <string>description</string>
        <string>givenName</string>
        <string>mail</string>
        <string>objectclass</string>
        <string>pwdLastSet</string>
        <string>sAMAccountName</string>
        <string>sn</string>
        <string>unicodePwd</string>
        <string>userAccountControl</string>
        <string>userPrincipalName</string>
      </fetchedAttributes>
      <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
      <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>
    </ldapDestinationService>
    <propertiesBasedSyncOptions>
      <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=RDP,dc=win,dc=bch,dc=no"</mainIdentifier>
      <defaultDelimiter>;</defaultDelimiter>
      <defaultPolicy>FORCE</defaultPolicy>
      <conditions>
        <create>true</create>
        <update>true</update>
        <delete>true</delete>
        <changeId>true</changeId>
      </conditions>
      <dataset>
        <name>objectclass</name>
        <policy>KEEP</policy>
        <createValues>
          <string>"user"</string>
          <string>"organizationalPerson"</string>
          <string>"person"</string>
          <string>"top"</string>
        </createValues>
      </dataset>
      <dataset>
        <name>sAMAccountName</name>
        <policy>KEEP</policy>
        <createValues>
          <string>srcBean.getDatasetFirstValueById("uid")</string>
        </createValues>
      </dataset>
      <dataset>
        <!-- userPrincipalName = uid + "@win.bch.no" -->
        <name>userPrincipalName</name>
        <policy>FORCE</policy>
        <forceValues>
          <string>srcBean.getDatasetFirstValueById("uid") + "@win.bch.no"</string>
        </forceValues>
      </dataset>
      <dataset>
        <name>userAccountControl</name>
        <policy>KEEP</policy>
        <createValues>
          <string>AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])</string>
        </createValues>
      </dataset>
      <dataset>
        <!-- pwdLastSet = 0 to force user to change password on next connection -->
        <name>pwdLastSet</name>
        <policy>KEEP</policy>
        <createValues>
          <string>"0"</string>
        </createValues>
      </dataset>
      <dataset>
        <!-- unicodePwd = "changeit" at creation (requires SSL connection to AD) -->
        <name>unicodePwd</name>
        <policy>KEEP</policy>
        <createValues>
          <string>AD.getUnicodePwd("Y5d.udrwa")</string>
        </createValues>
      </dataset>
    </propertiesBasedSyncOptions>
  </task>
</tasks>

Any help is appreciated :)

/Carsten

Med vennlig hilsen / Best regards
Carsten Stolzenbach
Senior SAP Consultant
Basis Consulting AS
Tlf: +47 99425560
mailto:[email protected]
http://www.basis-consulting.no
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
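LSC's clean phase takes each destination entry, substitutes its pivot value into cleanFilter and searches the source; only entries with no source match are deleted, so a cleanFilter without the group condition still finds a user who merely left cn=rdp but remains under ou=users. The following added example (not from the post or the LSC project) models that behaviour in Python with constructed entries and a minimal filter evaluator, contrasting the posted cleanFilter with an assumed fix that carries the memberOf condition over from getAllFilter.

```python
RDP_GROUP = "cn=rdp,ou=groups,dc=bch,dc=no"

def person(uid, in_rdp):
    """Constructed OpenLDAP entry; memberOf is empty once the user has left cn=rdp."""
    return {"objectClass": {"inetOrgPerson"}, "uid": {uid},
            "memberOf": {RDP_GROUP} if in_rdp else set()}

# Constructed data: five users were synced, then "eve" left cn=rdp but still exists in ou=users.
SOURCE = [person(u, True) for u in ("alice", "bob", "carol", "dave")] + [person("eve", False)]
DEST = [{"objectClass": {"user"}, "sAMAccountName": {u}}
        for u in ("alice", "bob", "carol", "dave", "eve")]

POSTED_CLEAN_FILTER = "(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))"
# Assumed fix: carry the memberOf condition from getAllFilter into cleanFilter.
GROUP_AWARE_CLEAN_FILTER = (
    "(&(objectClass=inetOrgPerson)(memberOf=" + RDP_GROUP + ")(uid={sAMAccountName}))")

def parse(filt, i=0):
    """Parse the (&(...)...) / (attr=value) subset of LDAP filter syntax into nested tuples."""
    if filt[i + 1] == "&":
        i, children = i + 2, []
        while filt[i] == "(":
            node, i = parse(filt, i)
            children.append(node)
        return ("&", children), i + 1  # i + 1 skips the ")" that closes the conjunction
    j = filt.index(")", i)
    attr, _, value = filt[i + 1:j].partition("=")
    return ("=", attr.lower(), value.lower()), j + 1

def matches(entry, node):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(entry, child) for child in node[1])
    _, attr, value = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, set())
    return any(v.lower() == value for v in values)

def clean(dest, source, clean_filter):
    """Clean phase: put each destination pivot into cleanFilter, search the source, delete on no match."""
    to_delete = []
    for entry in dest:
        pivot = next(iter(entry["sAMAccountName"]))
        node, _ = parse(clean_filter.replace("{sAMAccountName}", pivot))
        if not any(matches(src, node) for src in source):
            to_delete.append(pivot)
    return to_delete

if __name__ == "__main__":
    print("posted cleanFilter deletes:", clean(DEST, SOURCE, POSTED_CLEAN_FILTER))  # []
    print("group-aware cleanFilter deletes:", clean(DEST, SOURCE, GROUP_AWARE_CLEAN_FILTER))  # ['eve']
```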

