On 09/11/2015 14:35, Dan Williams wrote:

Hi all,

We are attempting to synchronize a test Active Directory environment to an OpenLDAP environment.

The initial sync works and it will create the users as expected. Any syncs after this will result in "error, user already exists" (sorry; I haven't got the exact error to hand). I think this is an error with us using the CN as pivot and we also don't seem to be referencing any uID.

The end result will hopefully be to sync several separate AD forests to OpenLDAP.

I've attached a copy of the XML with our personals removed:


<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">

  <connections>
    <ldapConnection>
      <name>dst-ldap</name>
      <url>ldap://localhost:389/dc=example,dc=com</url>
      <username>cn=[accountName],dc=example,dc=com</username>
      <password>[password]</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>-1</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
      <saslMutualAuthentication>false</saslMutualAuthentication>
    </ldapConnection>

    <ldapConnection>
      <name>src-ad1</name>
      <url>ldap://[ADIPAddress]:389/dc=[Dc],dc=local</url>
      <username>[ADUserName]</username>
      <password>[ADPassword]</password>
      <authentication>SIMPLE</authentication>
      <pageSize>1000</pageSize>
    </ldapConnection>

  </connections>
  <audits/>
  <tasks>
    <task>
      <name>MySyncTask</name>
      <bean>org.lsc.beans.SimpleBean</bean>
      <ldapSourceService>
        <name>MySyncTask-src</name>
        <connection reference="src-ad1" />
        <baseDn>cn=Users,dc=[DC],dc=local</baseDn>
        <pivotAttributes>
          <string>cn</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>sn</string>
          <string>objectClass</string>
        </fetchedAttributes>
        <getAllFilter>(&amp;(cn=*)(objectClass=user))</getAllFilter>
        <getOneFilter>(&amp;(objectClass=organizationalPerson)(cn={cn}))</getOneFilter>
        <cleanFilter>(&amp;(objectClass=organizationalPerson)(cn={cn}))</cleanFilter>
        <interval>6</interval>
      </ldapSourceService>
      <ldapDestinationService>
        <name>MySyncTask-dst</name>
        <connection reference="dst-ldap"/>
        <baseDn>ou=Unit,dc=example,dc=com</baseDn>
        <pivotAttributes>
          <string>cn</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>sn</string>
          <string>objectClass</string>
        </fetchedAttributes>
        <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=organizationalPerson)(cn={cn}))</getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=unit"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <dataset>
          <name>objectClass</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>"top"</string>
            <string>"organizationalPerson"</string>
            <string>"person"</string>
            <!-- <string>"user"</string> -->
          </forceValues>
          <delimiter>,</delimiter>
        </dataset>
        <dataset>
          <name>uid</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
          </forceValues>
        </dataset>
        <dataset>
          <name>ds-pwp-password-policy-dn</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>"dc=[DC],dc=local"</string>
          </forceValues>
        </dataset>
        <dataset>
          <name>default</name>
          <policy>FORCE</policy>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>

  </tasks>
</lsc>

Any help on the matter would be excellent!

Hello Dan,

first of all, you use some attributes (uid, sAMAccountName, ds-pwp-password-policy-dn) in datasets that are not declared in fetchedAttributes, so LSC will not be able to read or write them.

I suggest that you use sAMAccountName as pivot in the source, and uid in destination. Then add inetOrgPerson in destination objectClass as it is required to have the uid attribute in the entry.

See http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory; you can adapt the doc to have AD as source and OpenLDAP as destination.
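The three problems named in this reply can be caught before running a sync. The following checker is an added example, not LSC's own tooling or code from this thread; it parses a constructed, trimmed-down task in the lsc-core-2.1 XML format and reports datasets whose attribute the destination does not fetch, srcBean references to attributes the source does not fetch, and a forced uid without inetOrgPerson in the forced objectClass.

```python
import re
import xml.etree.ElementTree as ET

NS = {"lsc": "http://lsc-project.org/XSD/lsc-core-2.1.xsd"}

# Constructed, trimmed-down task reproducing the thread's situation (not the full config above).
SAMPLE = """<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
 <tasks><task><name>MySyncTask</name>
  <ldapSourceService>
   <fetchedAttributes><string>cn</string><string>sn</string></fetchedAttributes>
  </ldapSourceService>
  <ldapDestinationService>
   <fetchedAttributes><string>cn</string><string>sn</string><string>objectClass</string></fetchedAttributes>
  </ldapDestinationService>
  <propertiesBasedSyncOptions>
   <dataset><name>objectClass</name><policy>FORCE</policy><forceValues>
    <string>"top"</string><string>"person"</string></forceValues></dataset>
   <dataset><name>uid</name><policy>FORCE</policy><forceValues>
    <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string></forceValues></dataset>
  </propertiesBasedSyncOptions>
 </task></tasks></lsc>"""

def _strings(node, path):
    """Text of every <string> child of node/path, or an empty set if the element is absent."""
    found = node.find(path, NS)
    return {(s.text or "").strip() for s in found.findall("lsc:string", NS)} if found is not None else set()

def check_task(xml_text):
    """Return sorted problem strings for every task in an LSC XML document."""
    problems = []
    for task in ET.fromstring(xml_text).findall(".//lsc:task", NS):
        # LDAP attribute names are case-insensitive, so compare them lower-cased
        src_fetched = {v.lower() for v in _strings(task, "lsc:ldapSourceService/lsc:fetchedAttributes")}
        dst_fetched = {v.lower() for v in _strings(task, "lsc:ldapDestinationService/lsc:fetchedAttributes")}
        datasets = [(d.findtext("lsc:name", "", NS).strip(), _strings(d, "lsc:forceValues"))
                    for d in task.findall("lsc:propertiesBasedSyncOptions/lsc:dataset", NS)]
        for name, values in datasets:
            # a dataset can only be written if the destination fetches that attribute ("default" is the catch-all)
            if name.lower() != "default" and name.lower() not in dst_fetched:
                problems.append(f"dataset '{name}' not in destination fetchedAttributes")
            # anything read through srcBean must be in the source fetchedAttributes
            for ref in re.findall(r'getDatasetFirstValueById\("([^"]+)"\)', " ".join(values)):
                if ref.lower() not in src_fetched:
                    problems.append(f"dataset '{name}' reads '{ref}', not in source fetchedAttributes")
        # uid belongs to inetOrgPerson; forceValues are JS string literals, hence the quotes in the comparison
        by_name = {name.lower(): values for name, values in datasets}
        if "uid" in by_name and '"inetorgperson"' not in {v.lower() for v in by_name.get("objectclass", set())}:
            problems.append("dataset 'uid' forced but objectClass does not include inetOrgPerson")
    return sorted(problems)
```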

--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users