2015-01-06 18:13 GMT+01:00 Carsten Stolzenbach <[email protected]>:
> Hi
>
> I have set up LSC for syncing between an OpenLDAP server and a Windows 2012 AS server. So far the sync between users on LDAP to AD works as expected. All users that are in group "rdp" in LDAP get synchronised to AD.
>
> Unfortunately the deletion of users from AD that are no longer part of LDAP group "rdp" does not work. When calling lsc with the clean option I get the following output:
>
> Jan 06 17:55:19 - INFO - Logging configuration successfully loaded from /etc/lsc/openldap2ad/logback.xml
> Jan 06 17:55:19 - INFO - LSC configuration successfully loaded from /etc/lsc/openldap2ad/
> Jan 06 17:55:20 - INFO - Connecting to LDAP server ldaps://ad-server=win,dc=bch,dc=no as [email protected]
> Jan 06 17:55:20 - INFO - Connecting to LDAP server ldap://ldap-server:389/dc=bch,dc=no as cn=syncuser,dc=bch,dc=no
> Jan 06 17:55:20 - INFO - Starting sync for Sync_LDAP_to_AD
> Jan 06 17:55:21 - INFO - All entries: 4, to modify entries: 0, successfully modified entries: 0, errors: 0
> Jan 06 17:55:21 - INFO - Starting clean for Sync_LDAP_to_AD
> Jan 06 17:55:21 - INFO - All entries: 5, to modify entries: 0, successfully modified entries: 0, errors: 0
>
> There have been 5 users in LDAP group "rdp" that were synched to AD. Then I removed one user from LDAP group "rdp" and assumed that this user also would be removed from AD. It didn't.
>
> Here's the task part of my config file:
>
> <tasks>
>   <task>
>     <name>Sync_LDAP_to_AD</name>
>     <bean>org.lsc.beans.SimpleBean</bean>
>
>     <ldapSourceService>
>       <name>openldap-source-service</name>
>       <connection reference="LDAP" />
>       <baseDn>ou=users,dc=bch,dc=no</baseDn>
>       <pivotAttributes>
>         <string>uid</string>
>       </pivotAttributes>
>       <fetchedAttributes>
>         <string>cn</string>
>         <string>description</string>
>         <string>givenName</string>
>         <string>mail</string>
>         <string>sn</string>
>         <string>uid</string>
>         <string>userpassword</string>
>       </fetchedAttributes>
>
>       <getAllFilter><![CDATA[(&(objectClass=inetOrgPerson)(memberOf=cn=rdp,ou=groups,dc=bch,dc=no))]]></getAllFilter>
>       <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter>
>       <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))]]></cleanFilter>
>     </ldapSourceService>
>
>     <ldapDestinationService>
>       <name>ad-dst-service</name>
>       <connection reference="AD" />
>       <baseDn>ou=RDP,dc=win,dc=bch,dc=no</baseDn>
>       <pivotAttributes>
>         <string>sAMAccountName</string>
>       </pivotAttributes>
>       <fetchedAttributes>
>         <string>cn</string>
>         <string>description</string>
>         <string>givenName</string>
>         <string>mail</string>
>         <string>objectclass</string>
>         <string>pwdLastSet</string>
>         <string>sAMAccountName</string>
>         <string>sn</string>
>         <string>unicodePwd</string>
>         <string>userAccountControl</string>
>         <string>userPrincipalName</string>
>       </fetchedAttributes>
>       <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
>       <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>
>     </ldapDestinationService>
>
>     <propertiesBasedSyncOptions>
>       <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=RDP,dc=win,dc=bch,dc=no"</mainIdentifier>
>       <defaultDelimiter>;</defaultDelimiter>
>       <defaultPolicy>FORCE</defaultPolicy>
>       <conditions>
>         <create>true</create>
>         <update>true</update>
>         <delete>true</delete>
>         <changeId>true</changeId>
>       </conditions>
>       <dataset>
>         <name>objectclass</name>
>         <policy>KEEP</policy>
>         <createValues>
>           <string>"user"</string>
>           <string>"organizationalPerson"</string>
>           <string>"person"</string>
>           <string>"top"</string>
>         </createValues>
>       </dataset>
>       <dataset>
>         <name>sAMAccountName</name>
>         <policy>KEEP</policy>
>         <createValues>
>           <string>srcBean.getDatasetFirstValueById("uid")</string>
>         </createValues>
>       </dataset>
>       <dataset>
>         <!-- userPrincipalName = uid + "@win.bch.no" -->
>         <name>userPrincipalName</name>
>         <policy>FORCE</policy>
>         <forceValues>
>           <string>srcBean.getDatasetFirstValueById("uid") + "@win.bch.no"</string>
>         </forceValues>
>       </dataset>
>       <dataset>
>         <name>userAccountControl</name>
>         <policy>KEEP</policy>
>         <createValues>
>           <string>AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])</string>
>         </createValues>
>       </dataset>
>       <dataset>
>         <!-- pwdLastSet = 0 to force user to change password on next connection -->
>         <name>pwdLastSet</name>
>         <policy>KEEP</policy>
>         <createValues>
>           <string>"0"</string>
>         </createValues>
>       </dataset>
>       <dataset>
>         <!-- unicodePwd = "changeit" at creation (requires SSL connection to AD) -->
>         <name>unicodePwd</name>
>         <policy>KEEP</policy>
>         <createValues>
>           <string>AD.getUnicodePwd("Y5d.udrwa")</string>
>         </createValues>
>       </dataset>
>     </propertiesBasedSyncOptions>
>   </task>
> </tasks>
>
> Any help is appreciated :)

Hi,

add (memberOf=cn=rdp,ou=groups,dc=bch,dc=no) in the "cleanFilter".

Clément.
_______________________________________________________________ Ldap Synchronization Connector (LSC) - http://lsc-project.org lsc-users mailing list [email protected] http://lists.lsc-project.org/listinfo/lsc-users
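To see why Clément's change matters, here is an added model of an LSC clean pass (example code written for this thread, not LSC's own implementation, run over constructed sample entries): clean walks the destination, substitutes each destination pivot into cleanFilter and searches the source. With the cleanFilter as posted, a user removed from cn=rdp still exists in OpenLDAP as an inetOrgPerson and so still matches, which is why nothing is deleted; with the memberOf clause added, that user no longer matches and is flagged for deletion. The filter evaluator is an assumed minimal subset of RFC 4515 (&, |, ! and equality), enough for the filters in the post.

```python
# Constructed sample data, not from the post: five OpenLDAP users that
# were synced to AD, after which "eve" was removed from cn=rdp.
RDP_GROUP = "cn=rdp,ou=groups,dc=bch,dc=no"
SOURCE = [{"objectClass": ["inetOrgPerson"], "uid": [u], "memberOf": [RDP_GROUP]}
          for u in ("alice", "bob", "carol", "dave")]
SOURCE.append({"objectClass": ["inetOrgPerson"], "uid": ["eve"], "memberOf": []})
DEST = [{"objectClass": ["user"], "sAMAccountName": [u]}
        for u in ("alice", "bob", "carol", "dave", "eve")]

# cleanFilter as posted, and the same filter with Clément's addition.
ORIGINAL_CLEAN = "(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))"
FIXED_CLEAN = ("(&(objectClass=inetOrgPerson)(uid={sAMAccountName})"
               "(memberOf=" + RDP_GROUP + "))")


def parse(f, i=0):
    """Parse the RFC 4515 subset used here (&, |, !, equality); return (node, end)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    j = f.index(")", i)
    attr, value = f[i:j].split("=", 1)    # DN values contain '=' and ','
    return ("=", attr, value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: attribute -> values)."""
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)

def clean(clean_filter, source, dest):
    """Model of an LSC clean pass: substitute each destination pivot into
    cleanFilter, search the source, and report entries with no source match."""
    deleted = []
    for d in dest:
        pivot = d["sAMAccountName"][0]
        node, _ = parse(clean_filter.replace("{sAMAccountName}", pivot))
        if not any(matches(node, s) for s in source):
            deleted.append(pivot)
    return deleted
```

`clean(ORIGINAL_CLEAN, SOURCE, DEST)` returns an empty list, matching the "to modify entries: 0" seen in the clean log, while `clean(FIXED_CLEAN, SOURCE, DEST)` returns `["eve"]`.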

