On 10/07/2015 14:43, Biernath, Jutta wrote:
Hi,
Hi,
we synchronize OpenLDAP with an Active Directory which is run by
another unit, i.e. we have no influence on the configuration of the
AD. We synchronize groups and their members instead of users,
according to your
http://lsc-project.org/wiki/documentation/tutorial/synchronizegroups?s[]=ad .
This works very well, as long as the groups are small. Unfortunately
we have groups with up to 35,000 members. When I try to synchronize
them I get the following error:
Jul 10 13:56:56 - ERROR - Error while modifying entry XXXX in
directory :javax.naming.NamingException: LDAP response read timed out,
timeout used:-1ms.; remaining name 'XXXX'
Jul 10 13:56:56 - ERROR - Error while synchronizing ID XXXX:
java.lang.Exception: Technical problem while applying modifications to
the destination
In your documentation you recommend to add
<pageSize>1000</pageSize>
to the AD connection in the lsc.xml file. I have tried this, but it
didn’t help.
Indeed, this only allows paging of entries, not of the values in an
attribute (which is called a range). With AD, this script could help to
manage attribute ranges:
http://lsc-project.org/wiki/documentation/howto/adrangescript
With the -t and -i parameters when launching the full sync I have
managed to synchronize the entire group
lsc -f /lsc/conf -s all -t50 -i100000
but although all members are seemingly synchronized there is still the
same error in the log file, and the entry ends with
Jul 10 13:56:56 - ERROR - All entries: 1, to modify entries: 1,
successfully modified entries: 0, errors: 1
I would advise setting threads to 1 (-t1). You indeed found the right
parameter to set the timeout value: -i. But it is not normal to have an
error; what does the log file show?
If I then run the LSC daemon with the same -t and -i parameters, the
initial run again seems to synchronize all members, but the log file
again shows the same error. And even worse: the automatic
synchronization doesn't work any more afterwards: if I afterwards add a
member to the OpenLDAP group it is not synchronized with the AD group.
Is there any possibility to manipulate the time out value?
It should be possible with the -i parameter. If it doesn't work, it may
be a bug with the daemon mode. Are you sure you don't have time
limitations configured on the OpenLDAP side?
Also I have seen that if a group is synchronized, all members are
replaced. Can that be reduced to one specific member, i.e. by
deleting/adding this single member instead of replacing all members?
Unfortunately not, because LSC must get the full entry to compare it to
the destination entry and compute the differences.
Maybe you should try to run LSC in batch mode as a workaround, let's say
every five minutes, to get a working synchronization.
--
Clément OUDOT
Open source software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
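The distinction drawn in the thread above between paging entries (pageSize) and Active Directory's ranged retrieval of a multi-valued attribute is easier to see in code. The following Python is an added illustration written for this page; it is neither LSC's code nor the AD range script linked above. It assumes a hypothetical `search(dn, attrs)` callable standing in for an LDAP search, and uses a constructed in-memory fake of an AD server that honours the default MaxValRange of 1500 values per reply, so it runs offline.

```python
"""Following Active Directory range markers on a multi-valued attribute.

AD returns at most MaxValRange values (1500 by default) of one attribute per
entry and renames the attribute to e.g. 'member;range=0-1499'.  The client
has to ask for 'member;range=1500-*' and so on until the server answers with
an open upper bound ('member;range=34500-*').  Paging (pageSize) does not
help here: it limits the number of entries per page, not values per
attribute.  Added example, not LSC's own code.
"""
import re
from typing import Callable, Dict, List

# Matches the attribute-name suffix AD uses for ranged replies, e.g.
# 'member;range=1500-2999' or the final slice 'member;range=34500-*'.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)

# Hypothetical search interface: search(dn, [attribute names]) -> {name: values}.
SearchFn = Callable[[str, List[str]], Dict[str, List[str]]]


def fetch_all_values(search: SearchFn, dn: str, attr: str,
                     max_rounds: int = 10_000) -> List[str]:
    """Collect every value of `attr` on `dn`, following AD range markers."""
    values: List[str] = []
    requested = attr  # first round: plain name; AD decides whether to range it
    for _ in range(max_rounds):
        entry = search(dn, [requested])
        # The server may answer under a ranged name, so match on the base name.
        key = next((k for k in entry if k.split(";")[0].lower() == attr.lower()), None)
        if key is None:
            break  # attribute absent (or no more values)
        values.extend(entry[key])
        m = RANGE_RE.match(key)
        if m is None or m.group("hi") == "*":
            break  # un-ranged reply, or the final slice: all values collected
        next_lo = int(m.group("hi")) + 1
        # Ask for "lo-*": the server picks the upper bound itself.
        requested = f"{attr};range={next_lo}-*"
    else:
        raise RuntimeError("range retrieval did not terminate")
    return values


def make_fake_ad(members: List[str], max_val_range: int = 1500) -> SearchFn:
    """Constructed in-memory stand-in for an AD server (for offline runs).

    Implements only the 'member' attribute and the ranging rule described
    above.  `search.calls` counts round-trips so the cost is visible.
    """
    def search(dn: str, attrs: List[str]) -> Dict[str, List[str]]:
        search.calls += 1
        out: Dict[str, List[str]] = {}
        for a in attrs:
            m = RANGE_RE.match(a)
            base = m.group("attr") if m else a
            if base.lower() != "member":
                continue
            if m is None and len(members) <= max_val_range:
                out["member"] = list(members)  # small group: no ranging at all
                continue
            lo = int(m.group("lo")) if m else 0
            hi = min(lo + max_val_range, len(members))  # exclusive
            last = hi >= len(members)
            out[f"member;range={lo}-{'*' if last else hi - 1}"] = members[lo:hi]
        return out
    search.calls = 0
    return search


if __name__ == "__main__":
    # Constructed sample group the size mentioned in the thread (35,000 members).
    big = [f"CN=user{i},OU=People,DC=example,DC=org" for i in range(35_000)]
    ad = make_fake_ad(big)
    got = fetch_all_values(ad, "CN=biggroup,OU=Groups,DC=example,DC=org", "member")
    print(len(got), "members in", ad.calls, "round-trips")
```

A 35,000-member group costs 24 round-trips at the default MaxValRange, each of which must complete within the client's read timeout; that is why a single entry can still time out even when pageSize is set, and why the per-operation timeout (-i in the thread) rather than the page size is the relevant knob. Whether a real AD returns the final slice as `lo-*` is part of the documented ranging behaviour; the fake above only reproduces it.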