Works like a charm!
Thanks a lot for your fast and perfect help :)
For the record: the changed entry looks like this now:
<cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={sAMAccountName})(memberOf=cn=rdp,ou=groups,dc=bch,dc=no))]]></cleanFilter>
/Carsten
On 6 January 2015 at 18:20:01, Clément OUDOT ([email protected]) wrote:
2015-01-06 18:13 GMT+01:00 Carsten Stolzenbach <[email protected]>:
Hi
I have set up LSC for syncing between an OpenLDAP server and a Windows 2012 AS
server. So far the sync between users on LDAP to AD works like expected. All
users that are in group "rdp" in LDAP get synchronised to AD.
Unfortunately the deletion of users from AD that are no longer part of LDAP
group "rdp" does not work. When calling lsc with clean option I get the
following output:
Jan 06 17:55:19 - INFO - Logging configuration successfully loaded from
/etc/lsc/openldap2ad/logback.xml
Jan 06 17:55:19 - INFO - LSC configuration successfully loaded from
/etc/lsc/openldap2ad/
Jan 06 17:55:20 - INFO - Connecting to LDAP server
ldaps://ad-server=win,dc=bch,dc=no as [email protected]
Jan 06 17:55:20 - INFO - Connecting to LDAP server
ldap://ldap-server:389/dc=bch,dc=no as cn=syncuser,dc=bch,dc=no
Jan 06 17:55:20 - INFO - Starting sync for Sync_LDAP_to_AD
Jan 06 17:55:21 - INFO - All entries: 4, to modify entries: 0, successfully
modified entries: 0, errors: 0
Jan 06 17:55:21 - INFO - Starting clean for Sync_LDAP_to_AD
Jan 06 17:55:21 - INFO - All entries: 5, to modify entries: 0, successfully
modified entries: 0, errors: 0
There have been 5 users in LDAP group "rdp" that were synched to AD. Then I
removed one user from LDAP group "rdp" and assumed that this user also would be
removed from AD. It didn't.
Here's the task part of my config file:
<tasks>
  <task>
    <name>Sync_LDAP_to_AD</name>
    <bean>org.lsc.beans.SimpleBean</bean>
    <ldapSourceService>
      <name>openldap-source-service</name>
      <connection reference="LDAP" />
      <baseDn>ou=users,dc=bch,dc=no</baseDn>
      <pivotAttributes>
        <string>uid</string>
      </pivotAttributes>
      <fetchedAttributes>
        <string>cn</string>
        <string>description</string>
        <string>givenName</string>
        <string>mail</string>
        <string>sn</string>
        <string>uid</string>
        <string>userpassword</string>
      </fetchedAttributes>
      <getAllFilter><![CDATA[(&(objectClass=inetOrgPerson)(memberOf=cn=rdp,ou=groups,dc=bch,dc=no))]]></getAllFilter>
      <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter>
      <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))]]></cleanFilter>
    </ldapSourceService>
    <ldapDestinationService>
      <name>ad-dst-service</name>
      <connection reference="AD" />
      <baseDn>ou=RDP,dc=win,dc=bch,dc=no</baseDn>
      <pivotAttributes>
        <string>sAMAccountName</string>
      </pivotAttributes>
      <fetchedAttributes>
        <string>cn</string>
        <string>description</string>
        <string>givenName</string>
        <string>mail</string>
        <string>objectclass</string>
        <string>pwdLastSet</string>
        <string>sAMAccountName</string>
        <string>sn</string>
        <string>unicodePwd</string>
        <string>userAccountControl</string>
        <string>userPrincipalName</string>
      </fetchedAttributes>
      <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
      <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>
    </ldapDestinationService>
    <propertiesBasedSyncOptions>
      <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=RDP,dc=win,dc=bch,dc=no"</mainIdentifier>
      <defaultDelimiter>;</defaultDelimiter>
      <defaultPolicy>FORCE</defaultPolicy>
      <conditions>
        <create>true</create>
        <update>true</update>
        <delete>true</delete>
        <changeId>true</changeId>
      </conditions>
      <dataset>
        <name>objectclass</name>
        <policy>KEEP</policy>
        <createValues>
          <string>"user"</string>
          <string>"organizationalPerson"</string>
          <string>"person"</string>
          <string>"top"</string>
        </createValues>
      </dataset>
      <dataset>
        <name>sAMAccountName</name>
        <policy>KEEP</policy>
        <createValues>
          <string>srcBean.getDatasetFirstValueById("uid")</string>
        </createValues>
      </dataset>
      <dataset>
        <!-- userPrincipalName = uid + "@win.bch.no" -->
        <name>userPrincipalName</name>
        <policy>FORCE</policy>
        <forceValues>
          <string>srcBean.getDatasetFirstValueById("uid") + "@win.bch.no"</string>
        </forceValues>
      </dataset>
      <dataset>
        <name>userAccountControl</name>
        <policy>KEEP</policy>
        <createValues>
          <string>AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])</string>
        </createValues>
      </dataset>
      <dataset>
        <!-- pwdLastSet = 0 to force user to change password on next connection -->
        <name>pwdLastSet</name>
        <policy>KEEP</policy>
        <createValues>
          <string>"0"</string>
        </createValues>
      </dataset>
      <dataset>
        <!-- unicodePwd = "changeit" at creation (requires SSL connection to AD) -->
        <name>unicodePwd</name>
        <policy>KEEP</policy>
        <createValues>
          <string>AD.getUnicodePwd("Y5d.udrwa")</string>
        </createValues>
      </dataset>
    </propertiesBasedSyncOptions>
  </task>
</tasks>
Any help is appreciated :)
Hi,
add (memberOf=cn=rdp,ou=groups,dc=bch,dc=no) in the "cleanFilter".
Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
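To see why Clément's one-line fix makes the clean phase work, here is a small Python simulation of LSC's clean logic (an added example, not LSC's own code or anything from the thread). It assumes a simplified model of the clean phase (each AD entry's pivot is substituted into the source cleanFilter and the entry is deleted when the source returns nothing), a minimal LDAP filter evaluator that only understands &, |, ! and attr=value equality, and constructed sample entries.

```python
def parse_filter(s):
    """Parse a filter string (subset of RFC 4515: &, |, !, attr=value) into a tuple tree."""
    s = s.strip()
    assert s[0] == "(" and s[-1] == ")", s
    body = s[1:-1]
    if body[0] in "&|!":
        op, rest, items, depth, start = body[0], body[1:], [], 0, 0
        for i, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":   # one complete sub-filter ends here
                items.append(parse_filter(rest[start:i + 1]))
                start = i + 1
        return (op, items)
    attr, value = body.split("=", 1)      # DN values keep their own '=' signs
    return ("=", attr, value)

def matches(node, entry):
    """Evaluate a parsed filter against an entry (attr -> list of values), case-insensitively."""
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)

def clean_phase(src_entries, dst_entries, clean_filter):
    """Simplified LSC clean: substitute each AD pivot into cleanFilter; pivots matching no source entry are deleted."""
    to_delete = []
    for dst in dst_entries:
        pivot = dst["sAMAccountName"][0]
        tree = parse_filter(clean_filter.replace("{sAMAccountName}", pivot))
        if not any(matches(tree, src) for src in src_entries):
            to_delete.append(pivot)
    return to_delete

RDP = "cn=rdp,ou=groups,dc=bch,dc=no"
# Constructed sample data: alice is still in rdp, bob was removed from rdp, carol was never in LDAP.
SRC = [{"uid": ["alice"], "objectClass": ["inetOrgPerson"], "memberOf": [RDP]},
       {"uid": ["bob"], "objectClass": ["inetOrgPerson"], "memberOf": ["cn=staff,ou=groups,dc=bch,dc=no"]}]
DST = [{"sAMAccountName": [u], "objectClass": ["user"]} for u in ("alice", "bob", "carol")]
ORIGINAL = "(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))"            # cleanFilter from the thread
FIXED = "(&(objectClass=inetOrgPerson)(uid={sAMAccountName})(memberOf=%s))" % RDP  # with Clément's fix
if __name__ == "__main__":
    print("original cleanFilter deletes:", clean_phase(SRC, DST, ORIGINAL))  # ['carol']
    print("fixed cleanFilter deletes:   ", clean_phase(SRC, DST, FIXED))     # ['bob', 'carol']
```

With the original cleanFilter, bob still exists in LDAP so he is kept in AD even though he left the rdp group; only with the group condition in the cleanFilter does the clean phase see him the same way the getAllFilter does and deprovision his AD account.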