Hi,

I am using LSC to provision users to DACS/DVS from an external LDAP. In the LSC 
config file, userPassword is set to ALWAYS-ENABLE-PASSWORD-AUTHENTICATION:

                                <dataset>
                                        <!-- This dataset ensure that the password authentication factor will always be activated on DACS -->
                                        <name>userPassword</name>
                                        <policy>FORCE</policy>
                                        <forceValues>
                                                <string>"ALWAYS-ENABLE-PASSWORD-AUTHENTICATION"</string>
                                        </forceValues>
                                </dataset>

All users are correctly added/modified in DACS and DVS, but some users are 
being deactivated in DACS once LSC finishes its task.
For example, these 2 users (julienuser and dmi_test): the givenName of both users 
was updated in DACS, but julienuser was deactivated, while dmi_test remains 
activated. The only difference I notice in the log file is that userPassword: 
ALWAYS-ENABLE-PASSWORD-AUTHENTICATION is missing from julienuser:

      Oct 15 15:42:23 - INFO  - # Updating object uid=julienuser,ou=users,ou=smartland.gov,dc=e-gep,dc=com for SyncToDacs
      # Thu Oct 15 15:42:23 CEST 2015
      dn: uid=julienuser,ou=users,ou=smartland.gov,dc=e-gep,dc=com
      changetype: modify
      replace: givenName
      givenName: JulienU
      -
      delete: modifyTimestamp
      -


      Oct 15 15:42:24 - INFO  - # Updating object uid=dmi_test,ou=users,ou=GCAtenancy.com,dc=e-gep,dc=com for SyncToDacs
      # Thu Oct 15 15:42:24 CEST 2015
      dn: uid=dmi_test,ou=users,ou=GCAtenancy.com,dc=e-gep,dc=com
      changetype: modify
      replace: userPassword
      userPassword: ALWAYS-ENABLE-PASSWORD-AUTHENTICATION
      -
      replace: givenName
      givenName: ABC
      -
      delete: modifyTimestamp
      -

Please find attached lsc.xml and the complete log file.
Any ideas how I can bypass this issue?

Thanks,
Daniela



Daniela MICH
ALCATEL-LUCENT Romania



Attachment: lsc.log
Description: lsc.log

<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" xmlns:dla="http://dictao.com/ns/dacs/lsc-agent-1.0"
	revision="0">
	<connections>
		<ldapConnection>
			<name>ldap-ids-conn</name>
			<!-- replace OpenLDAP hostname-->
			<url>ldap://gcep-ldap-ctrl.integration.e-gep.com:389/dc=e-gep,dc=com</url>
			<username>cn=gcadmin,dc=e-gep,dc=com</username>
			<password>gcadmin</password>
			<authentication>SIMPLE</authentication>
			<referral>IGNORE</referral>
			<derefAliases>NEVER</derefAliases>
			<version>VERSION_3</version>
			<pageSize>-1</pageSize>
			<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
			<tlsActivated>false</tlsActivated>
			<saslMutualAuthentication>false</saslMutualAuthentication>
			<binaryAttributes>
				<string>userPassword</string>
				<string>userCertificate</string>
			</binaryAttributes>
		</ldapConnection>
		<pluginConnection>
			<name>dacs-dst-conn</name>
			<url>NOT-USED</url>
			<username></username>
			<password></password>
			<dla:dacsProvisioningConnectionSettings>
							<!-- replace DACS hostname-->
				<!-- DMI
				<dla:provisioningUrl>https://gcep-dacs-ctrl.integration.e-gep.com:25000/dacsprovisioning/DACSProvisioningWS</dla:provisioningUrl>
				<dla:repositoryUrl>https://gcep-dacs-ctrl.integration.e-gep.com:25000/dacsrepositoryws/DACSRepositoryWS</dla:repositoryUrl>
				-->
				<dla:provisioningUrl>https://gcep-dacs1-ctrl.integration.e-gep.com:25000/dacsprovisioning/DACSProvisioningWS</dla:provisioningUrl>
				<dla:repositoryUrl>https://gcep-dacs1-ctrl.integration.e-gep.com:25000/dacsrepositoryws/DACSRepositoryWS</dla:repositoryUrl>
				<dla:TrustStore>
					<dla:File>certificate/dacs/dacs-cacerts.dacs.jks</dla:File>
					<dla:Type>JKS</dla:Type>
					<dla:Password>changeit</dla:Password>
				</dla:TrustStore>
				<dla:ClientStore>
					<dla:File>certificate/dacs/dacs-DemoDacsProvisioning.p12</dla:File>
					<dla:Type>PKCS12</dla:Type>
					<dla:Password>password</dla:Password>
				</dla:ClientStore>
			</dla:dacsProvisioningConnectionSettings>
		</pluginConnection>
		<pluginConnection>
			<name>dvs-dst-conn</name>
			<url>NOT-USED</url>
			<username></username>
			<password></password>
			<dla:dvsProvisioningConnectionSettings>
								<!-- replace DVS hostname-->
				<!-- DMI
				<dla:url>https://gcep-dxs-ctrl.integration.e-gep.com:24100/DVSCommand/DVSProvisioningFrontEnd</dla:url>
				-->
				<dla:url>https://gcep-dxs1-ctrl.integration.e-gep.com:24100/DVSCommand/DVSProvisioningFrontEnd</dla:url>
				<dla:TrustStore>
					<dla:File>certificate/dvs/dvs-clientCa.jks</dla:File>
					<dla:Type>JKS</dla:Type>
					<dla:Password>changeit</dla:Password>
				</dla:TrustStore>
				<dla:ClientStore>
					<dla:File>certificate/dvs/dvs-DXSDevGroupServer.p12</dla:File>
					<dla:Type>PKCS12</dla:Type>
					<dla:Password>password</dla:Password>
				</dla:ClientStore>
			</dla:dvsProvisioningConnectionSettings>
		</pluginConnection>
	</connections>
	<audits />
	<tasks>
		<task>
			<name>SyncToDacs</name>
			<bean>org.lsc.beans.SimpleBean</bean>
			<asyncLdapSourceService>
				<name>openldap-source-service-to-dacs</name>
				<connection reference="ldap-ids-conn" />
				<baseDn>dc=e-gep,dc=com</baseDn>
				<pivotAttributes>
					<string>uid</string>
				</pivotAttributes>
				<fetchedAttributes>
					<string>givenName</string>
					<string>sn</string>
					<string>mobile</string>
					<string>uid</string>
					<string>userPassword</string>
					<string>entryDN</string>
					<!--<string>modifyTimestamp</string>-->
				</fetchedAttributes>
				<getAllFilter><![CDATA[(&(objectClass=customobjectClass)(uid=*)(!(uid=gcadmin))))]]></getAllFilter>
				<getOneFilter><![CDATA[(&(objectClass=customobjectClass)(entryDN={id}))]]></getOneFilter>
				<cleanFilter><![CDATA[(&(objectClass=customobjectClass)(entryDN={id}))]]></cleanFilter>
				<serverType>OpenLDAP</serverType>
			</asyncLdapSourceService>
			<!--  This DACS service will use the following attributes: givenName, sn, uid, description, userPassword, mobile, 
				userCertificate, serialNumber.
				"givenName" and "sn" values are used to fill the friendly name field. "uid" value is used as the application login.
				"description" is parsed and used as birth date. "userPassword" is used to identify if the user can be authenticated
				through his password. "mobile" is used to identify if the user can be authenticated by SMS TAN/OTP.  
				"userCertificate" is used to identify if the user can be authenticated by X509v3 certificate. 
				"serialNumber" is used to identify if the user can be authenticated by OATH authenticator which
				is identified by its serial number.-->
			<pluginDestinationService implementationClass="org.lsc.plugins.connectors.dictao.dacs.DacsProvisioningService">
				<name>dacs-dst</name>
				<connection reference="dacs-dst-conn" />
				<dla:dacsProvisioningServiceSettings>
					<dla:groupId>GRP_0_00_SYSTEM</dla:groupId>
					<!-- dla:applicationId>https://gcep-ids</dla:applicationId -->
					<dla:applicationId>https://gcep-ids1</dla:applicationId>
					<dla:dateFormat>dd/MM/yyyy</dla:dateFormat>
				</dla:dacsProvisioningServiceSettings>
			</pluginDestinationService>
			<propertiesBasedSyncOptions>
				<mainIdentifier>srcBean.getMainIdentifier()</mainIdentifier>
				<defaultDelimiter>;</defaultDelimiter>
				<!-- Default policy to FORCE means that exact values from source service will replace corresponding data on destination 
					service -->
				<defaultPolicy>FORCE</defaultPolicy>
				<dataset>
					<!-- This dataset ensure that the password authentication factor will always be activated on DACS -->
					<name>userPassword</name>
					<policy>FORCE</policy>
					<forceValues>
						<string>"ALWAYS-ENABLE-PASSWORD-AUTHENTICATION"</string>
						<!--<string>srcBean.getDatasetFirstValueById("userPassword")</string>-->
					</forceValues>
				</dataset>
                <dataset>
					<name>uid</name>
                    <policy>FORCE</policy>
                    <forceValues>
						<string>js:srcBean.getDatasetFirstValueById("uid")+"@"+srcLdap.attribute(srcLdap.sup(srcBean.getDistinguishedName(),"2"),"ou").get(0)</string>
                    </forceValues>
                </dataset>
			</propertiesBasedSyncOptions>
		</task>
		<task>
			<name>SyncToDvs</name>
			<bean>org.lsc.beans.SimpleBean</bean>
			<asyncLdapSourceService>
				<name>openldap-source-service-to-dvs</name>
				<connection reference="ldap-ids-conn" />
				<baseDn>dc=e-gep,dc=com</baseDn>
				<pivotAttributes>
					<string>uid</string>
				</pivotAttributes>
				<fetchedAttributes>
					<!-- <string>description</string> -->
					<string>entryDN</string>
					<string>givenName</string>
					<string>sn</string>
					<string>mobile</string>
					<string>uid</string>
					<string>mail</string>
					<!--<string>modifyTimestamp</string>-->
					<string>description</string>
					<string>userPassword</string>
				</fetchedAttributes>
				<getAllFilter><![CDATA[(&(objectClass=customobjectClass)(uid=*)(!(uid=gcadmin)))]]></getAllFilter>
				<getOneFilter><![CDATA[(&(objectClass=customobjectClass)(entryDN={id}))]]></getOneFilter>
				<cleanFilter><![CDATA[(&(objectClass=customobjectClass)(entryDN={id}))]]></cleanFilter>
				<serverType>OpenLDAP</serverType>
			</asyncLdapSourceService>
			<pluginDestinationService implementationClass="org.lsc.plugins.connectors.dictao.dvs.DvsProvisioningService">
				<name>dvs-dst</name>
				<connection reference="dvs-dst-conn" />
				<dla:dvsProvisioningServiceSettings>
					<dla:groupId>GRP_DEV</dla:groupId>
					<dla:userLevel>OPERATOR</dla:userLevel>
					<dla:dateFormat>dd/MM/yyyy</dla:dateFormat>
					<dla:scope>SCOPE</dla:scope>
				</dla:dvsProvisioningServiceSettings>
			</pluginDestinationService>
			<propertiesBasedSyncOptions>
				<mainIdentifier>srcBean.getMainIdentifier()</mainIdentifier>
				<defaultDelimiter>;</defaultDelimiter>
				<defaultPolicy>FORCE</defaultPolicy>
                    <dataset>
                        <name>uid</name>
                        <policy>FORCE</policy>
                        <forceValues>
					        <string>js:srcBean.getDatasetFirstValueById("uid")+"@"+srcLdap.attribute(srcLdap.sup(srcBean.getDistinguishedName(),"2"),"ou").get(0)
							</string>
                        </forceValues>
                    </dataset>
			</propertiesBasedSyncOptions>
		</task>
	</tasks>
</lsc>

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
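
An added example, not part of the original message or of LSC: a small Python parser for log records in the format quoted in the message, listing the SyncToDacs updates whose modify record contains no `replace: userPassword` operation (the difference the poster points out between julienuser and dmi_test). The function names and the embedded sample, rebuilt from the excerpt in the message, are assumptions of this example.

```python
import re

# Constructed sample, rebuilt from the log excerpt quoted in the message.
SAMPLE_LOG = """\
Oct 15 15:42:23 - INFO  - # Updating object uid=julienuser,ou=users,ou=smartland.gov,dc=e-gep,dc=com for SyncToDacs
# Thu Oct 15 15:42:23 CEST 2015
dn: uid=julienuser,ou=users,ou=smartland.gov,dc=e-gep,dc=com
changetype: modify
replace: givenName
givenName: JulienU
-
delete: modifyTimestamp
-

Oct 15 15:42:24 - INFO  - # Updating object uid=dmi_test,ou=users,ou=GCAtenancy.com,dc=e-gep,dc=com for SyncToDacs
# Thu Oct 15 15:42:24 CEST 2015
dn: uid=dmi_test,ou=users,ou=GCAtenancy.com,dc=e-gep,dc=com
changetype: modify
replace: userPassword
userPassword: ALWAYS-ENABLE-PASSWORD-AUTHENTICATION
-
replace: givenName
givenName: ABC
-
delete: modifyTimestamp
-
"""

HEADER = re.compile(r"# Updating object (?P<dn>.+) for (?P<task>\S+)$")
OPERATION = re.compile(r"^(add|replace|delete):\s*(?P<attr>[\w;-]+)$")

def parse_updates(log_text):
    """Return one dict per logged update: dn, task and {attribute: operation}."""
    updates = []
    for line in log_text.splitlines():
        line = line.strip()
        header = HEADER.search(line)
        if header:
            updates.append({"dn": header["dn"], "task": header["task"], "ops": {}})
            continue
        op = OPERATION.match(line)
        if op and updates:  # LDIF operation line belonging to the last header
            updates[-1]["ops"][op["attr"]] = op.group(1)
    return updates

def updates_missing(log_text, task, attribute):
    """DNs updated by `task` whose modify record does not replace `attribute`."""
    return [u["dn"] for u in parse_updates(log_text)
            if u["task"] == task and u["ops"].get(attribute) != "replace"]
```

Calling `updates_missing(log_text, "SyncToDacs", "userPassword")` on the full lsc.log gives the list of entries to compare against the accounts found deactivated in DACS.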
