2015-03-11 8:39 GMT+01:00 Jephte Clain <[email protected]>:
> On 26/02/2015 16:59, Clément OUDOT wrote:
>
>> 2015-02-26 13:21 GMT+01:00 Jephte Clain <[email protected]>:
>>>
>>> On 26/02/2015 12:59, Clément OUDOT wrote:
>>>
>>>> 2015-02-26 7:38 GMT+01:00 Jephte Clain <[email protected]>:
>>>>>
>>>>>
>>>>> hello,
>>>>>
>>>>> I'd like to force the order of the sync tasks, e.g. synchronising groups
>>>>> AFTER synchronising users.
>>>>>
>>>>> in my lsc.xml, the group task is after the user task.
>>>>>
>>>>> but, with lsc -s all, the two tasks seem to run in parallel. I thought it
>>>>> was because of the number of threads.
>>>>>
>>>>> so I tried with lsc -s all -t 1
>>>>> but now, I can see the groups task is run BEFORE the users task.
>>>>>
>>>>> so I tried with lsc -s users,groups
>>>>> it's the same: the groups task is run BEFORE the users task.
>>>>>
>>>>> so I tried with lsc -s users,groups -t 1
>>>>> still no luck :-(
>>>>>
>>>>> *** So, how can I order the tasks?
>>>>>
>>>>> Usually, I run lsc as an asynchronous task. btw, the service is restarted
>>>>> every morning.
>>>>> *** is it possible with this method to order the tasks?
>>>>>
>>>>> When I start the asynchronous service, it would:
>>>>> - search for the users, synchronize them, then notify the groups task, then
>>>>> wait for new modifications on user accounts
>>>>> - wait for a notify from the users task, search for the groups, synchronize
>>>>> them, then wait for new modifications on groups
>>>>> - from now on, each modification is processed normally in each thread.
>>>>>
>>>>> Is this possible at all?
>>>>>
>>>>
>>>> The task order is the one of lsc.xml task declaration.
>>>
>>>
>>>
>>> well, I don't understand why it does the groups first then the users... in
>>> lsc.xml user sync comes first 8-|
>>>
>>>>
>>>> You can force a task order with for example: lsc -s user && lsc -s group
>>>
>>>
>>>
>>> Yes, evidently
>>>
>>> But I'd like to use asynchronous mode.
>>> - Updating the password in AD as soon as it is modified in OpenLDAP is nice.
>>> - Also, because lsc cannot read unicodePwd from AD, running the task
>>> synchronously rewrites the password again and again. Restarting the service
>>> every day ensures it only does that once a day :-)
>>
>>
>> For this case, we create a "password" task with an update condition
>> which will check the authentication. If the authentication fails, then
>> LSC will push the password.
>>
>> To do this check, we use this method:
>>
>> http://lsc-project.org/javadoc/2.0-SNAPSHOT/org/lsc/utils/directory/LDAP.html#canBindSearchRebind(java.lang.String,%20java.lang.String,%20java.lang.String,%20java.lang.String)
>>
>>
>> Clément.
>>
>
> Hello,
>
> I just tried this method. I have two tasks: user-task to create/synchronize
> user info (with conditions create, update, delete, changeId); password-task
> to synchronise password info (with condition update only)
>
> there are two problems:
>
> - in async mode, only user-task is run when the ldap object is modified. the
> password-task is never run. shall I use a different <ldapConnection> for the
> password-task?

No, it should work, but I never tested this kind of configuration
(launching 2 async tasks in the same process). It may be better to
start one process for each async task.

>
> - I guess there is some sort of connection rate limiting in AD because the
> password-task fails for several accounts with LdapErr: DSID-0C090724
>
> the problem is not with the password, because when I start the task for one
> user, it always succeeds. however, trying to validate the connection for
> thousands of accounts in a row does not work.
> In the AD's event viewer, I can see thousands of connection attempts, with a
> lot of failures.
> How do you solve this issue? is it possible to limit the lsc's update rate?
> Remember, I have to restart the lsc process each morning, so the issue will
> arise every day. Also, if I cannot make async mode work, I'll have to run
> lsc regularly, say every 5 minutes. I don't want to fill the logs with
> rejected connection attempts
>

I never had any limitation on AD connections. Could you send the complete
AD error message?



Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users