Hi Clement,

I've just done a test to see if the binary data is transformed by lsc. So
for my test I've run my lsc task to add the user:

# /usr/local/lsc-2.1.3/bin/lsc -f /usr/local/lsc-2.1.3/etc/lsc/ad2openldap -s all

sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "uid" is in KEEP status
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Adding attribute "uid" with values
[AMARTESS]
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "mailHost" is in FORCE
status
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Adding attribute "mailHost" with
values [mx.exemple.fr]
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "userPassword" is in
FORCE status
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Adding attribute "userPassword"
with values [{SASL}[email protected]]
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "mail" is in FORCE status
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "mail" will not be
written to the destination
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "givenName" is in FORCE
status
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Adding attribute "givenName" with
values [AMARTEST]
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "mailLocalAddress" is in
FORCE status
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "mailLocalAddress" will
not be written to the destination
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "cn" is in FORCE status
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Adding attribute "cn" with values
[AMARTESS]
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "sn" is in FORCE status
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Adding attribute "sn" with values
[AMARTESSA]
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "binarysid" is in FORCE
status
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Adding attribute "binarysid" with
values [�;2y�U�Qjf��]
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Attribute "objectclass" is in KEEP
status
sept. 03 13:21:17 - DEBUG - In object
"uid=AMARTESS,ou=users,dc=test,dc=fr":  Adding attribute "objectclass" with
values [inetOrgPerson, organizationalPerson, inetLocalMailRecipient,
person, top, test64]
sept. 03 13:21:18 - INFO  - # Adding new object
uid=AMARTESS,ou=users,dc=test,dc=fr for adUser
# Thu Sep 03 13:21:18 CEST 2015
dn: uid=AMARTESS,ou=users,dc=test,dc=fr
changetype: add
uid: AMARTESS
mailHost: kusiel.exemple.fr
userPassword: {SASL}[email protected]
givenName: AMARTEST
cn: AMARTESS
sn: AMARTESSA
binarysid:: AQUAAAAAAAUVAAAA77+9OzJ577+9Ve+/vVEdA2pm77+977+9AAA=
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: inetLocalMailRecipient
objectclass: person
objectclass: top
objectclass: test64

So the user is added to my ldap, but when I do a search with this query
filter
binarysid="\01\05\00\00\00\00\00\05\15\00\00\00\CE;2y\C5U\C2Q\1D\03jf\ED\FB\00\00"
there is no result returned:

slapd[9141]: conn=1027 op=1 SRCH base="dc=test,dc=fr" scope=2 deref=0
filter="(binarysid=\01\05\00\00\00\00\00\05\15\00\00\00\CE;2y\C5U\C2Q\1D\03jf\ED\FB\00\00)"
slapd[9141]: conn=1027 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=

Now I've taken the base64-encoded value of the objectsid from my Active
Directory, and I've added the data to my binarysid attribute with
ldapmodify. Here is the ldif file:

dn: uid=AMARTESS,ou=users,dc=test,dc=fr
changetype: modify
replace: binarysid
binarysid:: AQUAAAAAAAUVAAAAzjsyecVVwlEdA2pm7fsAAA==

And now if I do the same query on the binarysid attribute, I get the right
result...

slapd[9141]: conn=1029 op=1 SRCH base="dc=test,dc=fr" scope=2 deref=0
filter="(binarysid=\01\05\00\00\00\00\00\05\15\00\00\00\CE;2y\C5U\C2Q\1D\03jf\ED\FB\00\00)"
slapd[9141]: conn=1029 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=


objectsid is declared as a binary attribute in my ldap source connection,
and binarysid is also declared as a binary attribute in my ldap dest service.

I know I'm missing something, but I can't see what...

2015-08-27 16:23 GMT+02:00 Clément OUDOT <[email protected]>:

>
>
> Le 27/08/2015 16:09, Armando Martins a écrit :
>
> That's what I have done.... I'm a little bit lost, so here is my full
> config file.
>
> <!-- Definition Source Active directory -->
>     <ldapConnection>
>       <name>AD-source</name>
>       <url>ldap://ad.exemple.fr:389/dc=exemple,dc=fr</url>
>       <username>cn=readaccount,cn=users,dc=exemple,dc=fr</username>
>       <password>secret</password>
>       <authentication>SIMPLE</authentication>
>       <referral>IGNORE</referral>
>       <derefAliases>NEVER</derefAliases>
>       <version>VERSION_3</version>
>       <pageSize>10</pageSize>
>       <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>       <tlsActivated>false</tlsActivated>
>       <binaryAttributes>
>                 <string>objectsid</string>
>       </binaryAttributes>
>     </ldapConnection>
>
> <!-- Definition Destination Openldap -->
>     <ldapConnection>
>       <name>openldap-destination</name>
>       <url>ldap://localhost:389/dc=test,dc=fr</url>
>       <username>cn=root,dc=test,dc=fr</username>
>       <password>secret</password>
>       <authentication>SIMPLE</authentication>
>       <referral>IGNORE</referral>
>       <derefAliases>NEVER</derefAliases>
>       <version>VERSION_3</version>
>       <pageSize>10</pageSize>
>       <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>       <tlsActivated>false</tlsActivated>
>       <binaryAttributes>
>                 <string>userCertificate</string>
>       </binaryAttributes>
>     </ldapConnection>
>   </connections>
>
>  <tasks>
>     <task>
>       <name>adUser</name>
>         <bean>org.lsc.beans.SimpleBean</bean>
>       <ldapSourceService>
>         <name>AD-source-service</name>
>         <connection reference="AD-source" />
>         <baseDn>dc=exemple,dc=fr</baseDn>
>         <pivotAttributes>
>           <string>objectsid</string>
>         </pivotAttributes>
>         <fetchedAttributes>
>           <string>cn</string>
>           <string>givenName</string>
>           <string>mail</string>
>           <string>sn</string>
>           <string>objectsid</string>
>           <string>sAMAccountName</string>
>         </fetchedAttributes>
> <!--       <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter> -->
>
> <getAllFilter><![CDATA[(&(objectClass=user)(objectsid=S-1-5-21-2033335246-1371690437-1718223645-64493))]]></getAllFilter>
>
> <getOneFilter><![CDATA[(&(objectClass=user)(objectsid={objectsid}))]]></getOneFilter>
>
> <cleanFilter><![CDATA[(&(objectClass=user)(objectsid={userCertificate}))]]></cleanFilter>
>       </ldapSourceService>
>
>       <ldapDestinationService>
>         <name>openldap-dst-service</name>
>         <connection reference="openldap-destination" />
>         <baseDn>ou=users,dc=test,dc=fr</baseDn>
>         <pivotAttributes>
>           <string>userCertificate</string>
>         </pivotAttributes>
>         <fetchedAttributes>
>           <string>cn</string>
>           <string>givenName</string>
>           <string>mail</string>
>           <string>sn</string>
>           <string>uid</string>
>           <string>userCertificate</string>
>           <string>objectclass</string>
>           <string>mailHost</string>
>           <string>mailLocalAddress</string>
>           <string>userPassword</string>
>         </fetchedAttributes>
>
> <getAllFilter><![CDATA[(objectClass=inetOrgPerson)]]></getAllFilter>
>
> <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(userCertificate={objectsid}))]]></getOneFilter>
>       </ldapDestinationService>
>   <propertiesBasedSyncOptions>
>     <mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("sAMAccountName") + ",ou=users,dc=test,dc=fr"</mainIdentifier>
>     <defaultDelimiter>;</defaultDelimiter>
>     <defaultPolicy>FORCE</defaultPolicy>
>     <conditions>
>       <create>true</create>
>       <update>true</update>
>       <delete>true</delete>
>       <changeId>true</changeId>
>     </conditions>
>     <dataset>
>       <name>objectclass</name>
>       <policy>KEEP</policy>
>       <createValues>
>         <string>"inetOrgPerson"</string>
>         <string>"organizationalPerson"</string>
>         <string>"inetLocalMailRecipient"</string>
>         <string>"person"</string>
>         <string>"top"</string>
>       </createValues>
>     </dataset>
>     <dataset>
>      <name>uid</name>
>      <policy>KEEP</policy>
>      <createValues>
>       <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
>      </createValues>
>     </dataset>
>     <dataset>
>      <name>userCertificate</name>
>      <policy>KEEP</policy>
>      <createValues>
>       <string>srcBean.getDatasetFirstValueById("objectsid")</string>
>      </createValues>
>      <delimiter></delimiter>
>     </dataset>
>       <!-- userPassword -->
>     <dataset>
>      <name>userPassword</name>
>      <policy>FORCE</policy>
>      <createValues>
>       <string>"{SASL}" + srcBean.getDatasetFirstValueById("sAMAccountName") + "@exemple.fr"</string>
>      </createValues>
>     </dataset>
>     <dataset>
>      <name>mailhost</name>
>      <policy>FORCE</policy>
>      <createValues>
>       <string>"127.0.0.1"</string>
>      </createValues>
>     </dataset>
>    </propertiesBasedSyncOptions>
>
>   </task>
>  </tasks>
> </lsc>
>
> With this config I always have this message:
> javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error
> code 17 - userCertificate: requires ;binary transfer];
>
> If someone has an idea I will really appreciate it :p
>
>
>
> Well, userCertificate is not a pure binary attribute, its syntax is
> 1.3.6.1.4.1.1466.115.121.1.8 while binary syntax is
> 1.3.6.1.4.1.1466.115.121.1.5.
>
> But for my tests, I create an attribute with octet string syntax
> (1.3.6.1.4.1.1466.115.121.1.40) because binary syntax has no matching rule.
> I am then able to use this attribute to store the binary value of objectSid.
>
> --
> Clément OUDOT
> Consultant en logiciels libres, Expert infrastructure et sécurité
> Savoir-faire Linux
> 87, rue de Turbigo - 75003 PARIS
>



-- 
Armando Martins
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
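An added diagnostic script, not code from LSC or from anyone in this thread: it takes the two base64 values posted above (the binarysid value LSC wrote, and the objectsid value taken straight from Active Directory), decodes the SID into its S-1-5-21-... form, and checks whether the written value is simply the raw bytes pushed through a bytes-to-text-to-bytes conversion. It assumes Python's UTF-8 replacement behaviour matches what the Java string conversion did; the `looks_mangled` check is a hypothetical helper for spotting such values in a directory.

```python
# Added example, not code from LSC or from anyone in this thread: compares the
# binarysid value LSC wrote with the objectsid taken from AD (both copied above).
import base64
import struct

LSC_WRITTEN_B64 = "AQUAAAAAAAUVAAAA77+9OzJ577+9Ve+/vVEdA2pm77+977+9AAA="
AD_OBJECTSID_B64 = "AQUAAAAAAAUVAAAAzjsyecVVwlEdA2pm7fsAAA=="
# UTF-8 form of U+FFFD, left behind when undecodable bytes are replaced.
REPLACEMENT_UTF8 = "\ufffd".encode("utf-8")  # b"\xef\xbf\xbd"


def sid_to_string(sid: bytes) -> str:
    """Render a binary Windows SID as S-<rev>-<authority>-<sub>-..."""
    revision, count = sid[0], sid[1]
    if len(sid) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(sid[2:8], "big")  # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])  # little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def lossy_text_roundtrip(raw: bytes) -> bytes:
    """Binary data handled as text: invalid UTF-8 collapses to U+FFFD (assumed
    here to match the replacement the Java string conversion applied)."""
    return raw.decode("utf-8", errors="replace").encode("utf-8")


def looks_mangled(value: bytes) -> bool:
    """True if a stored binary value carries the replacement marker."""
    return REPLACEMENT_UTF8 in value


def diagnose() -> dict:
    ad_sid = base64.b64decode(AD_OBJECTSID_B64)
    written = base64.b64decode(LSC_WRITTEN_B64)
    return {
        "sid": sid_to_string(ad_sid),  # the S-1-5-21-... used in getAllFilter
        "ad_len": len(ad_sid),  # 28 bytes
        "written_len": len(written),  # 38 bytes
        "written_is_roundtrip": lossy_text_roundtrip(ad_sid) == written,
        "written_mangled": looks_mangled(written),
        "ad_mangled": looks_mangled(ad_sid),
    }


if __name__ == "__main__":
    for key, val in diagnose().items():
        print(f"{key}: {val}")
```

Every byte of the SID at or above 0x80 (CE, C5, C2, ED, FB) has become EF BF BD in the written value, which is why the raw-byte search filter no longer matches.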