The clean task is not needed to manage group membership. A clean task will only 
manage the existence of the group itself.  The sync task will always perform a 
replace on the group membership attribute which would explicitly remove group 
members that no longer exist in the source.

-Jon C. Kidder
American Electric Power
Middleware Services
Email: [email protected]
Phone: 614-716-4970

From: [email protected] 
[mailto:[email protected]] On Behalf Of Arthur TEBOUL
Sent: Tuesday, March 31, 2015 7:43 AM
To: [email protected]
Subject: [lsc-users] Cleaning task for groups members

Dear all,

It is amazing how powerful LSC is and I would like to thank you for it.
I am facing a little issue, here is the context:
I have a group sync task between AD-->OpenLDAP; my groups are synchronized 
successfully with their members. However, I am not able to set the cleaning task 
properly in order to delete OpenLDAP group members if they are no longer present 
in the AD one. I have no error messages, but it does nothing. Could you please 
help me set the cleaning task properly?
Here is my lsc.xml content:

<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
        <connections>
                <ldapConnection>
                        <name>ldap-src-conn</name>
                        <url>ldap://80.15.1.185:389/dc=test,dc=local</url>
                        
                        <username>cn=Administrateur,cn=Users,dc=ad-poc,dc=test,dc=local</username>
                        <password>Server2012!</password>
                        <authentication>SIMPLE</authentication>
                        <referral>IGNORE</referral>
                        <derefAliases>NEVER</derefAliases>
                        <version>VERSION_3</version>
                        <pageSize>-1</pageSize>
                        <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
                        <tlsActivated>false</tlsActivated>
                </ldapConnection>
                <ldapConnection>
                        <name>ldap-dst-conn</name>
                        <url>ldap://127.0.0.1:389/dc=test,dc=local</url>
                        <username>cn=admin,dc=test,dc=local</username>
                        <password>xxxxxxxxx </password>
                        <authentication>SIMPLE</authentication>
                        <referral>IGNORE</referral>
                        <derefAliases>NEVER</derefAliases>
                        <version>VERSION_3</version>
                        <pageSize>-1</pageSize>
                        <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
                        <tlsActivated>false</tlsActivated>
                </ldapConnection>
        </connections>
        <tasks>
                <task>
                        <name>People</name>
                        <bean>org.lsc.beans.SimpleBean</bean>
                        <ldapSourceService>
                                <name>ad-source-service</name>
                                <connection reference="ldap-src-conn" />
                                
                                <baseDn>cn=Users,dc=ad-poc,dc=test,dc=local</baseDn>
                                <pivotAttributes>
                                        <string>samAccountName</string>
                                </pivotAttributes>
                                <fetchedAttributes>
                                        <string>description</string>
                                        <string>cn</string>
                                        <string>sn</string>
                                        <string>givenName</string>
                                        <string>samAccountName</string>
                                        <string>userPrincipalName</string>
                                        <string>mail</string>
                                        <string>objectClass</string>
                                </fetchedAttributes>
                                <getAllFilter>(objectClass=user)</getAllFilter>
                                
                                <getOneFilter>(&amp;(objectClass=user)(samAccountName={samAccountName}))</getOneFilter>
                                <cleanFilter>(&amp;(objectClass=user)(samAccountName={uid}))</cleanFilter>
                        </ldapSourceService>
                        <ldapDestinationService>
                                <name>openldap-dst-service</name>
                                <connection reference="ldap-dst-conn" />
                                <baseDn>ou=People,dc=test,dc=local</baseDn>
                                <pivotAttributes>
                                        <string>uid</string>
                                </pivotAttributes>
                                <fetchedAttributes>
                                        <string>description</string>
                                        <string>cn</string>
                                        <string>sn</string>
                                        <string>userPassword</string>
                                        <string>objectClass</string>
                                        <string>uid</string>
                                        <string>mail</string>
                                        <string>givenName</string>
                                </fetchedAttributes>
                                
                                <getAllFilter>(objectClass=inetorgperson)</getAllFilter>
                                <getOneFilter>(&amp;(objectClass=inetorgperson)(uid={samAccountName}))</getOneFilter>
                        </ldapDestinationService>
                        <propertiesBasedSyncOptions>
                                <mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("samAccountName") + ",ou=People,dc=test,dc=local"</mainIdentifier>
                                <defaultDelimiter>;</defaultDelimiter>
                                <defaultPolicy>FORCE</defaultPolicy>
                                <dataset>
                                        <name>description</name>
                                        <policy>FORCE</policy>
                                        <forceValues>
                                                
                                                <string>js:(srcBean.getDatasetFirstValueById("sn") != null ? srcBean.getDatasetFirstValueById("sn").toUpperCase() : null )</string>
                                        </forceValues>
                                </dataset>
                                <dataset>
                                        <name>userPassword</name>
                                        <policy>KEEP</policy>
                                        <createValues>
                                                <string>js:"{SASL}" + srcBean.getDatasetFirstValueById("userPrincipalName")</string>
                                        </createValues>
                                </dataset>
                                <dataset>
                                        <name>sn</name>
                                        <policy>FORCE</policy>
                                        <createValues>
                                                
                                                <string>js:(srcBean.getDatasetFirstValueById("sn") != null ? srcBean.getDatasetFirstValueById("sn").toUpperCase() : srcBean.getDatasetFirstValueById("cn") )</string>
                                        </createValues>
                                </dataset>
                                <dataset>
                                        <name>description</name>
                                        <policy>FORCE</policy>
                                        <forceValues>
                                                
                                                <string>js:(srcBean.getDatasetFirstValueById("sn") != null ? srcBean.getDatasetFirstValueById("sn").toUpperCase() : null )</string>
                                        </forceValues>
                                </dataset>
                                <dataset>
                                        <name>uid</name>
                                        <policy>KEEP</policy>
                                        <createValues>
                                                
                                                <string>js:srcBean.getDatasetFirstValueById("samAccountName")</string>
                                        </createValues>
                                </dataset>
                                <dataset>
                                        <name>objectClass</name>
                                        <policy>KEEP</policy>
                                        <createValues>
                                                <string>"inetOrgPerson"</string>
                                        </createValues>
                                </dataset>
                                <dataset>
                                        <name>userPassword</name>
                                        <policy>KEEP</policy>
                                        <createValues>
                                                <string>"changethis"</string>
                                        </createValues>
                                </dataset>
                                <dataset>
                                        <name>givenName</name>
                                        <policy>FORCE</policy>
                                        <createValues>
                                                
                                                <string>js:srcBean.getDatasetFirstValueById("givenName")</string>
                                        </createValues>
                                </dataset>
                                <dataset>
                                        <name>mail</name>
                                        <policy>FORCE</policy>
                                        <createValues>
                                                
                                                <string>js:srcBean.getDatasetFirstValueById("mail")</string>
                                        </createValues>
                                </dataset>
                        </propertiesBasedSyncOptions>
                </task>
                <task>
    <name>adGroup</name>
    <bean>org.lsc.beans.SimpleBean</bean>
    <ldapSourceService>
        <name>group-source-service</name>
        <connection reference="ldap-src-conn" />
        <baseDn>ou=Groupes,dc=ad-poc,dc=test,dc=local</baseDn>
        <pivotAttributes>
          <string>cn</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>description</string>
          <string>member</string>

        </fetchedAttributes>
    <getAllFilter><![CDATA[(objectClass=group)]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></getOneFilter>
        
        <cleanFilter><![CDATA[(&(objectClass=group)(cn={cn}))(member={member})]]></cleanFilter>
      </ldapSourceService>
      <ldapDestinationService>
        <name>group-dst-service</name>
        <connection reference="ldap-dst-conn" />
        <baseDn>ou=Groupes,dc=test,dc=local</baseDn>
        <pivotAttributes>
          <string>cn</string>
       </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>description</string>
          <string>uniqueMember</string>
          <string>objectClass</string>
        </fetchedAttributes>
     <getAllFilter><![CDATA[(objectClass=groupOfNames)]]></getAllFilter>

     <getOneFilter><![CDATA[(&(objectClass=groupOfNames)(cn={cn}))]]></getOneFilter>
     </ldapDestinationService>
       <propertiesBasedSyncOptions>
        <mainIdentifier>js:"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) +
",ou=Groupes,dc=test,dc=local"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
    <defaultPolicy>FORCE</defaultPolicy>
    <conditions>
      <create>true</create>
      <update>true</update>
      <delete>true</delete>
      <changeId>true</changeId>
    </conditions>
    <dataset>
      <name>objectClass</name>
      <policy>FORCE</policy>
      <forceValues>
        <string>"top"</string>
        <string>"groupOfNames"</string>
      </forceValues>
    </dataset>
    <dataset>
         <name>cn</name>
          <policy>FORCE</policy>
           <forceValues>
            <string>srcBean.getDatasetFirstValueById("cn")</string>
           </forceValues>
        </dataset>
        <dataset>
         <name>dn</name>
          <policy>FORCE</policy>
           <forceValues>
            <string>srcBean.getDatasetFirstValueById("dn")</string>
           </forceValues>
        </dataset>
    <dataset>
         <name>Member</name>
         <policy>FORCE</policy>
         <forceValues>
           <string>
           <![CDATA[rjs:
                var membersSrcDn = srcBean.getDatasetValuesById("member");
                var membersDstDn = [];
                for  (var i=0; i<membersSrcDn.size(); i++) {
                     var memberSrcDn = membersSrcDn.get(i);
                     var sAMAccountName = "";
                     try {
                         sAMAccountName = srcLdap.attribute(memberSrcDn,
"sAMAccountName").get(0);
                        } catch(e) {
                            continue;
                        }
                     var destDn = ldap.search("ou=People", "(uid=" +
sAMAccountName + ")");
                     if (destDn.size() == 0 || destDn.size() > 1) {
                              continue;
                      }
                     var destMemberDn = destDn.get(0) + "," +
ldap.getContextDn();
                     membersDstDn.push(destMemberDn);
                }
                membersDstDn
           ]]>
           </string>
         </forceValues>
      </dataset>
      </propertiesBasedSyncOptions>
    </task>

        </tasks>
</lsc>


Thanks in advance !

Arthur

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
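
As an added illustration of the reply at the top of this thread (not part of either message and not LSC project code), this fragment of the `adGroup` task uses a `cleanFilter` that only tests whether the group itself still exists in AD and leaves removal of stale members to the `FORCE` policy applied during sync. Element names and values are taken from the configuration above; reducing the filter to the pivot attribute is an assumption about the intended fix.

```xml
<!-- Added example: fragment of the adGroup task, not a complete lsc.xml. -->
<task>
  <name>adGroup</name>
  <bean>org.lsc.beans.SimpleBean</bean>
  <ldapSourceService>
    <name>group-source-service</name>
    <connection reference="ldap-src-conn" />
    <baseDn>ou=Groupes,dc=ad-poc,dc=test,dc=local</baseDn>
    <pivotAttributes>
      <string>cn</string>
    </pivotAttributes>
    <fetchedAttributes>
      <string>cn</string>
      <string>description</string>
      <string>member</string>
    </fetchedAttributes>
    <getAllFilter><![CDATA[(objectClass=group)]]></getAllFilter>
    <getOneFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></getOneFilter>
    <!-- Clean phase: for each destination group, look the group up in the
         source by its pivot attribute. It answers one question only: does
         this group still exist in AD? The filter in the original message
         placed (member={member}) after the closing parenthesis of the AND,
         so it was two filters side by side rather than one LDAP filter. -->
    <cleanFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></cleanFilter>
  </ldapSourceService>

  <!-- ldapDestinationService: unchanged from the original message. -->

  <propertiesBasedSyncOptions>
    <mainIdentifier>js:"cn=" + javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + ",ou=Groupes,dc=test,dc=local"</mainIdentifier>
    <defaultDelimiter>;</defaultDelimiter>
    <defaultPolicy>FORCE</defaultPolicy>
    <conditions>
      <create>true</create>
      <update>true</update>
      <!-- Allows the clean phase to delete a group that is gone from AD. -->
      <delete>true</delete>
      <changeId>true</changeId>
    </conditions>
    <dataset>
      <name>Member</name>
      <!-- Sync phase: FORCE replaces the destination values with the computed
           list, so a member removed in AD is dropped from the OpenLDAP group. -->
      <policy>FORCE</policy>
      <!-- forceValues: the rjs DN-mapping script from the original message. -->
    </dataset>
  </propertiesBasedSyncOptions>
</task>
```

Running the sync phase in dry-run mode first, for example `lsc -f <config directory> -s adGroup -n`, shows the membership changes LSC would apply without writing them; the clean phase is selected separately with `-c adGroup`.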
