Hello!
I'm setting up sync from AD (Windows 2012) to OpenLDAP. User sync works
like a charm (add, modify, delete) but I'm struggling with group sync.
Adding members to a group, or adding groups works like a treat, but the
clean phase fails with a filter error that I'm not able to debug. On the
freenode channel someone suggested a filter issue (I also believe so) but I
can't figure out where the problem is. I also enabled the debug level on
the logs but there's no more information. I'm posting the relevant part of
the config:

    <task>
      <name>sync-ldap-groups</name>
      <bean>org.lsc.beans.SimpleBean</bean>
      <asyncLdapSourceService>
        <name>ad-src-service2</name>
        <connection reference="ad-src-conn" />
        <baseDn>ou=Company,dc=companyaad,dc=company,dc=com</baseDn>
        <pivotAttributes>
          <string>cn</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>sAMAccountName</string>
          <string>cn</string>
          <string>member</string>
          <string>objectCategory</string>
        </fetchedAttributes>
        <getAllFilter>(&(objectClass=group)(sAMAccountType=268435456))</getAllFilter>
        <getOneFilter>(&(objectClass=group)(cn={cn}))</getOneFilter>
        <cleanFilter>(&(objectClass=group)(cn={cn}))</cleanFilter>
        <serverType>ActiveDirectory</serverType>
      </asyncLdapSourceService>
      <ldapDestinationService>
        <name>ldap-dst-service2</name>
        <connection reference="ldap-dest-conn" />
        <baseDn>ou=Groups,dc=company,dc=com</baseDn>
        <pivotAttributes>
          <string>cn</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>objectClass</string>
          <string>cn</string>
          <string>member</string>
          <string>description</string>
          <string>o</string>
        </fetchedAttributes>
        <getAllFilter>(objectClass=groupOfNames))</getAllFilter>
        <getOneFilter>(&(objectClass=groupOfNames)(cn={cn}))</getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Groups,dc=company,dc=com"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>true</delete>
        </conditions>
        <dataset>
          <name>objectClass</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"groupOfNames"</string>
            <string>"top"</string>
          </createValues>
        </dataset>
        <dataset>
          <name>cn</name>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
          </forceValues>
        </dataset>
        <dataset>
          <name>member</name>
          <forceValues>
            <!--string>srcBean.getDatasetFirstValueById("member")</string-->
            <string>
              <![CDATA[
                var memberIdValues = [];
                var membersSrcDn = srcBean.getDatasetValuesById("member");
                var cn = srcBean.getDatasetFirstValueById("cn");
                for (var i=0; i<membersSrcDn.size(); i++) {
                  var memberSrcDn = membersSrcDn.get(i);
                  //We want to get the sAMAccountName for each group member
                  var memberAcct = srcLdap.attribute(memberSrcDn, "sAMAccountName").get(0);
                  memberAcct = String("cn="+memberAcct);
                  memberIdValues.push(memberAcct);
                }
                memberIdValues
              ]]>
            </string>
          </forceValues>
        </dataset>
        <dataset>
          <name>description</name>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("cn")</string>
          </forceValues>
        </dataset>
        <dataset>
          <name>o</name>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("objectCategory")</string>
          </forceValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>
    </tasks>
    </lsc>

And this is the output of the clean phase operation (debug log level
produces the same output):

    Jan 21 17:37:18 - INFO - Logging configuration successfully loaded from /etc/lsc/logback.xml
    Jan 21 17:37:18 - INFO - LSC configuration successfully loaded from /etc/lsc/
    Jan 21 17:37:18 - INFO - Connecting to LDAP server ldap://localhost:389/dc=sapienzaconsulting,dc=com as cn=manager,dc=sapienzaconsulting,dc=com
    Jan 21 17:37:18 - INFO - Connecting to LDAP server ldap://10.2.14.133:389/dc=sapienzaad,dc=sapienzaconsulting,dc=com as cn=tech1,ou=Sapienza,dc=sapienzaad,dc=sapienzaconsulting,dc=com
    Jan 21 17:37:19 - INFO - Starting clean for sync-ldap
    Jan 21 17:37:19 - INFO - All entries: 72, to modify entries: 0, successfully modified entries: 0, errors: 0
    Jan 21 17:37:19 - INFO - Starting clean for sync-ldap-groups
    Jan 21 17:37:19 - ERROR - javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'ou=Groups'
    Jan 21 17:37:19 - ERROR - Empty or non existant destination (no IDs found)

Thanks a lot in advance for reading the message and for your help.
Regards,
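
Added example (not part of the original message and not LSC code): a small Python check that reads an LSC configuration and reports any getAllFilter, getOneFilter or cleanFilter whose parentheses do not balance, which is the condition the InvalidSearchFilterException above complains about. The embedded sample is constructed, reduced from the destination service in the post, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

FILTER_TAGS = {"getAllFilter", "getOneFilter", "cleanFilter"}

# Constructed sample, reduced from the destination service in the post.
SAMPLE = """<lsc><tasks><task>
  <name>sync-ldap-groups</name>
  <ldapDestinationService>
    <name>ldap-dst-service2</name>
    <getAllFilter>(objectClass=groupOfNames))</getAllFilter>
    <getOneFilter>(&amp;(objectClass=groupOfNames)(cn={cn}))</getOneFilter>
  </ldapDestinationService>
</task></tasks></lsc>"""

def paren_error(flt):
    # RFC 4515 writes literal parentheses inside values as \28 and \29,
    # so every raw '(' or ')' in a filter string is structural.
    depth = 0
    for pos, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return f"unexpected ')' at offset {pos}"
    return f"{depth} unclosed '('" if depth else None

def local(el):
    # Drop an XML namespace prefix such as {http://...}task, if present.
    return el.tag.rsplit("}", 1)[-1]

def lint_filters(xml_text):
    # Returns (task name, service element, filter element, problem) tuples.
    findings = []
    for task in ET.fromstring(xml_text).iter():
        if local(task) != "task":
            continue
        task_name = next((c.text for c in task if local(c) == "name"), "?")
        for service in task:
            for el in service:
                if local(el) in FILTER_TAGS:
                    problem = paren_error((el.text or "").strip())
                    if problem:
                        findings.append((task_name, local(service), local(el), problem))
    return findings

if __name__ == "__main__":
    print(*lint_filters(SAMPLE), sep="\n")
```
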