On 17/07/2015 13:05, Thomas Peter wrote:
Hi,
Hello Thomas,
I'm fairly new to LSC and openLdap and I'm trying to do the following:
I do have an application (I'm not the vendor) that can authenticate
users via ldap and I have an AD of which I'm not responsible for.
Currently this app is configured to do authentication against a local
password-file.
I'd like to change this so users can utilize their AD password.
BUT every person has 2 accounts: "username" and "usernameSuffix"
AD does not know about usernameSuffix but the users should be able to
login with both accounts by using the same password.
The LDAP noob I am, I asked if this is feasible at all in IRC
#ltb-project and got an answer by KPTN:
"a solution is to install an OpenLDAP server, synchronize it with AD
with LSC, use SASL delegation for passwords, and register the 2 logins
in OpenLDAP user entry"
So here I am, having my OpenLDAP running, LSC installed, lsc.xml
assembled and only getting
Jul 17 12:52:37 - INFO - Starting sync for MySyncTask
Jul 17 12:52:38 - ERROR - Synchronization aborted because no source
object has been found !
...
I tried to turn on debug logging to get a hint at what I might have
configured wrong, but failed.
My lsc.xml is this:
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
<connections>
<ldapConnection>
<name>ldap-src-conn</name>
<url>ldap://adserver.local:389/OU=Standard,OU=company,OU=DEP-Benutzerkonten,DC=de,DC=local,DC=lan</url>
<username>ude\ALGOLDAP</username>
<password>Taippub6</password>
<authentication>SIMPLE</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<pageSize>-1</pageSize>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
</ldapConnection>
You should use a page size with Active Directory, see
http://lsc-project.org/wiki/documentation/howto/activedirectory#search_results_size_limit
<ldapConnection>
<name>ldap-dst-conn</name>
<url>ldap://127.0.0.1:9389/DC=de,DC=local,DC=lan</url>
<username>cn=Manager,DC=de,DC=local,DC=lan</username>
<password>secret</password>
<authentication>SIMPLE</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<pageSize>-1</pageSize>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
</ldapConnection>
</connections>
<audits>
<csvAudit>
<name>csv</name>
<append>true</append>
<operations>create, delete</operations>
<file>/tmp/dump.csv</file>
<datasets>cn, dn</datasets>
<separator>,</separator>
</csvAudit>
</audits>
<tasks>
<task>
<name>MySyncTask</name>
<bean>org.lsc.beans.SimpleBean</bean>
<ldapSourceService>
<name>ldap-src-service</name>
<connection reference="ldap-src-conn"></connection>
<baseDn>OU=Standard,OU=company,OU=DEP-Benutzerkonten,DC=de,DC=local,DC=lan</baseDn>
<pivotAttributes>
<string>sAMAccountName</string>
</pivotAttributes>
<fetchedAttributes>
<string>cn</string>
<string>sn</string>
<string>givenName</string>
<string>name</string>
<string>mail</string>
<string>sAMAccountName</string>
<string>userPrincipalName</string>
</fetchedAttributes>
<getAllFilter>(&(objectClass=organizationalPerson))</getAllFilter>
<getOneFilter>(&(objectClass=organizationalPerson)(uid={samAccountName}))</getOneFilter>
You should use (objectClass=user) to match entries in AD. And the One
Filter should be (samAccountName={samAccountName}). See
http://lsc-project.org/wiki/documentation/latest/basics
<interval>6</interval>
</ldapSourceService>
<ldapDestinationService>
<name>ldap-dst-service</name>
<connection reference="ldap-dst-conn"></connection>
<baseDn>DC=de,DC=local,DC=lan</baseDn>
<pivotAttributes>
<string>mail</string>
</pivotAttributes>
<fetchedAttributes>
<string>cn</string>
<string>sn</string>
<string>givenName</string>
<string>name</string>
<string>mail</string>
<string>sAMAccountName</string>
<string>userPrincipalName</string>
</fetchedAttributes>
Some AD attributes do not exist in the OpenLDAP schema, don't use them here.
<getAllFilter>(&(objectClass=organizationalPerson))</getAllFilter>
<getOneFilter>(&(objectClass=organizationalPerson)(uid={samAccountName}))</getOneFilter>
</ldapDestinationService>
<propertiesBasedSyncOptions>
<mainIdentifier>"cn=" + srcBean.getDatasetValueById("cn") +
",ou=People,DC=de,DC=local,DC=lan"</mainIdentifier>
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>FORCE</defaultPolicy>
<conditions>
<create>true</create>
<update>true</update>
<delete>true</delete>
<changeId>false</changeId>
</conditions>
<dataset>
<name>objectClass</name>
<policy>KEEP</policy>
<defaultValues></defaultValues>
<forceValues></forceValues>
<createValues>
<string>"user"</string>
<string>"top"</string>
</createValues>
<delimiter>,</delimiter>
</dataset>
"user" is not a valid OpenLDAP objectclass.
</propertiesBasedSyncOptions>
</task>
</tasks>
You should read this documentation to learn how to sync between
AD and OpenLDAP:
* http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
* http://lsc-project.org/wiki/documentation/howto/activedirectory
--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
http://lists.lsc-project.org/listinfo/lsc-users
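For readers following the thread, here is the task element rewritten with the corrections given in the reply above (AD filters on objectClass=user, the getOneFilter keyed on sAMAccountName, no AD-only attributes on the OpenLDAP side, inetOrgPerson instead of the AD "user" class). This is an added example, not a configuration from the original post or from the LSC project; the ou=People container, the uid mapping, the pageSize value of 1000 and the exclusion of computer accounts are assumptions of this example.

```xml
<!-- also add <pageSize>1000</pageSize> to the ldap-src-conn connection (assumed AD MaxPageSize) -->
<task>
  <name>MySyncTask</name>
  <bean>org.lsc.beans.SimpleBean</bean>
  <ldapSourceService>
    <name>ldap-src-service</name>
    <connection reference="ldap-src-conn"></connection>
    <baseDn>OU=Standard,OU=company,OU=DEP-Benutzerkonten,DC=de,DC=local,DC=lan</baseDn>
    <pivotAttributes><string>sAMAccountName</string></pivotAttributes>
    <fetchedAttributes>
      <string>cn</string><string>sn</string><string>givenName</string>
      <string>mail</string><string>sAMAccountName</string>
    </fetchedAttributes>
    <!-- AD accounts carry objectClass=user (computers too, hence the exclusion); "&" is escaped in XML -->
    <getAllFilter>(&amp;(objectClass=user)(!(objectClass=computer)))</getAllFilter>
    <getOneFilter>(&amp;(objectClass=user)(sAMAccountName={sAMAccountName}))</getOneFilter>
  </ldapSourceService>
  <ldapDestinationService>
    <name>ldap-dst-service</name>
    <connection reference="ldap-dst-conn"></connection>
    <baseDn>ou=People,DC=de,DC=local,DC=lan</baseDn>
    <!-- OpenLDAP has no sAMAccountName/userPrincipalName: the login is stored in uid (assumption) -->
    <pivotAttributes><string>uid</string></pivotAttributes>
    <fetchedAttributes>
      <string>cn</string><string>sn</string><string>givenName</string>
      <string>mail</string><string>uid</string><string>objectClass</string>
    </fetchedAttributes>
    <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
    <!-- the placeholder is named after the SOURCE pivot attribute -->
    <getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={sAMAccountName}))</getOneFilter>
  </ldapDestinationService>
  <propertiesBasedSyncOptions>
    <mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("sAMAccountName") + ",ou=People,DC=de,DC=local,DC=lan"</mainIdentifier>
    <defaultDelimiter>;</defaultDelimiter>
    <defaultPolicy>FORCE</defaultPolicy>
    <conditions>
      <create>true</create><update>true</update><delete>true</delete><changeId>false</changeId>
    </conditions>
    <dataset>
      <name>objectClass</name>
      <policy>KEEP</policy>
      <createValues><string>"inetOrgPerson"</string><string>"organizationalPerson"</string><string>"person"</string><string>"top"</string></createValues>
    </dataset>
    <dataset>
      <name>uid</name>
      <policy>FORCE</policy>
      <forceValues><string>srcBean.getDatasetFirstValueById("sAMAccountName")</string></forceValues>
    </dataset>
  </propertiesBasedSyncOptions>
</task>
```

With delete=true and the destination baseDn narrowed to ou=People, a dry run (lsc -n) before the first real sync shows which OpenLDAP entries would be removed because they have no AD counterpart.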