2015-01-22 9:27 GMT+01:00 Marcos Rey <[email protected]>:
> Hello!
>
Hi,
> I've been setting up sync from AD (Windows 2012) to OpenLDAP. User sync works
> like a charm (add, modify, delete) but I'm struggling with group sync.
> Adding members to a group, or adding groups works like a treat, but the
> clean phase fails with a filter error that I'm not able to debug. On the
> freenode channel someone suggested a filter issue (I also believe so) but I
> can't figure out where the problem is. I also enabled the debug level on the
> logs but there's no more information. I'm posting the relevant part of the
> config:
>
> <task>
> <name>sync-ldap-groups</name>
> <bean>org.lsc.beans.SimpleBean</bean>
> <asyncLdapSourceService>
> <name>ad-src-service2</name>
> <connection reference="ad-src-conn" />
> <baseDn>ou=Company,dc=companyaad,dc=company,dc=com</baseDn>
> <pivotAttributes>
> <string>cn</string>
> </pivotAttributes>
> <fetchedAttributes>
> <string>sAMAccountName</string>
> <string>cn</string>
> <string>member</string>
> <string>objectCategory</string>
> </fetchedAttributes>
>
> <getAllFilter>(&(objectClass=group)(sAMAccountType=268435456))</getAllFilter>
> <getOneFilter>(&(objectClass=group)(cn={cn}))</getOneFilter>
> <cleanFilter>(&(objectClass=group)(cn={cn}))</cleanFilter>
> <serverType>ActiveDirectory</serverType>
> </asyncLdapSourceService>
> <ldapDestinationService>
> <name>ldap-dst-service2</name>
> <connection reference="ldap-dest-conn" />
> <baseDn>ou=Groups,dc=company,dc=com</baseDn>
> <pivotAttributes>
> <string>cn</string>
> </pivotAttributes>
> <fetchedAttributes>
> <string>objectClass</string>
> <string>cn</string>
> <string>member</string>
> <string>description</string>
> <string>o</string>
> </fetchedAttributes>
> <getAllFilter>(objectClass=groupOfNames))</getAllFilter>
>
> <getOneFilter>(&(objectClass=groupOfNames)(cn={cn}))</getOneFilter>
> </ldapDestinationService>
> <propertiesBasedSyncOptions>
> <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") +
> ",ou=Groups,dc=company,dc=com"</mainIdentifier>
> <defaultDelimiter>;</defaultDelimiter>
> <defaultPolicy>FORCE</defaultPolicy>
> <conditions>
> <create>true</create>
> <update>true</update>
> <delete>true</delete>
> </conditions>
> <dataset>
> <name>objectClass</name>
> <policy>KEEP</policy>
> <createValues>
> <string>"groupOfNames"</string>
> <string>"top"</string>
> </createValues>
> </dataset>
> <dataset>
> <name>cn</name>
> <forceValues>
>
> <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
> </forceValues>
> </dataset>
> <dataset>
> <name>member</name>
> <forceValues>
> <!--string>srcBean.getDatasetFirstValueById("member")</string-->
> <string>
> <![CDATA[
> var memberIdValues = [];
> var membersSrcDn =
> srcBean.getDatasetValuesById("member");
> var cn = srcBean.getDatasetFirstValueById("cn");
>
> for (var i=0; i<membersSrcDn.size(); i++) {
>
> var memberSrcDn = membersSrcDn.get(i);
> //We want to get the sAMAccountName for each group member
> var memberAcct =
> srcLdap.attribute(memberSrcDn, "sAMAccountName").get(0);
> memberAcct = String("cn="+memberAcct);
> memberIdValues.push(memberAcct);
> }
> memberIdValues
> ]]>
> </string>
> </forceValues>
> </dataset>
> <dataset>
> <name>description</name>
> <forceValues>
> <string>srcBean.getDatasetFirstValueById("cn")</string>
> </forceValues>
> </dataset>
> <dataset>
> <name>o</name>
> <forceValues>
>
> <string>srcBean.getDatasetFirstValueById("objectCategory")</string>
> </forceValues>
> </dataset>
> </propertiesBasedSyncOptions>
> </task>
> </tasks>
> </lsc>
>
> And this is the output of the clean phase operation (debug log level
> produces the same output):
>
> Jan 21 17:37:18 - INFO - Logging configuration successfully loaded from
> /etc/lsc/logback.xml
> Jan 21 17:37:18 - INFO - LSC configuration successfully loaded from
> /etc/lsc/
> Jan 21 17:37:18 - INFO - Connecting to LDAP server
> ldap://localhost:389/dc=sapienzaconsulting,dc=com as
> cn=manager,dc=sapienzaconsulting,dc=com
> Jan 21 17:37:18 - INFO - Connecting to LDAP server
> ldap://10.2.14.133:389/dc=sapienzaad,dc=sapienzaconsulting,dc=com as
> cn=tech1,ou=Sapienza,dc=sapienzaad,dc=sapienzaconsulting,dc=com
> Jan 21 17:37:19 - INFO - Starting clean for sync-ldap
> Jan 21 17:37:19 - INFO - All entries: 72, to modify entries: 0,
> successfully modified entries: 0, errors: 0
> Jan 21 17:37:19 - INFO - Starting clean for sync-ldap-groups
> Jan 21 17:37:19 - ERROR -
> javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis;
> remaining name 'ou=Groups'
> Jan 21 17:37:19 - ERROR - Empty or non existant destination (no IDs found)
>
>
> Thanks a lot in advance for reading the message and for your help.
>
Check the getAllFilter in destination service, there is an extra ) at the end:
<getAllFilter>(objectClass=groupOfNames))</getAllFilter>
Remove it...
Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
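
A pre-flight check for the kind of error diagnosed in this thread, as an added example that is not part of the original messages or of LSC itself: it walks an LSC-style XML configuration and reports every `*Filter` element whose parentheses do not balance, naming the service it belongs to. The names `paren_error`, `lint_filters` and `SAMPLE_CONFIG` are illustrative, and the sample is constructed from the quoted task with `&` escaped as `&amp;`.

```python
import xml.etree.ElementTree as ET

# Constructed sample, reduced from the task quoted in this thread. '&' is
# written as '&amp;' so that the fragment is well-formed XML.
SAMPLE_CONFIG = """\
<task>
  <name>sync-ldap-groups</name>
  <asyncLdapSourceService>
    <getAllFilter>(&amp;(objectClass=group)(sAMAccountType=268435456))</getAllFilter>
    <getOneFilter>(&amp;(objectClass=group)(cn={cn}))</getOneFilter>
    <cleanFilter>(&amp;(objectClass=group)(cn={cn}))</cleanFilter>
  </asyncLdapSourceService>
  <ldapDestinationService>
    <getAllFilter>(objectClass=groupOfNames))</getAllFilter>
    <getOneFilter>(&amp;(objectClass=groupOfNames)(cn={cn}))</getOneFilter>
  </ldapDestinationService>
</task>
"""


def paren_error(ldap_filter):
    """Return None when parentheses balance, else describe the first problem.

    RFC 4515 has literal parentheses in values escaped as \\28 and \\29,
    so every raw '(' or ')' in a filter string is structural.
    """
    depth = 0
    for offset, char in enumerate(ldap_filter.strip()):
        if char == "(":
            depth += 1
        elif char == ")":
            depth -= 1
            if depth < 0:
                return f"unmatched ')' at offset {offset}"
    return f"{depth} unclosed '('" if depth else None


def lint_filters(config_xml):
    """List (service, element, filter, problem) for each unbalanced *Filter."""
    findings = []
    for parent in ET.fromstring(config_xml).iter():
        for child in parent:
            tag = child.tag.rsplit("}", 1)[-1]  # drop an XML namespace, if any
            problem = paren_error(child.text or "") if tag.endswith("Filter") else None
            if problem:
                findings.append((parent.tag.rsplit("}", 1)[-1], tag, child.text.strip(), problem))
    return findings


if __name__ == "__main__":
    for service, tag, value, problem in lint_filters(SAMPLE_CONFIG):
        print(f"{service}/{tag}: {problem}: {value}")
```

Run against a real configuration by passing the file's contents to `lint_filters`; the service name in each finding shows whether the source or the destination filter is at fault, which the JNDI exception in the log does not.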