Hi Clément, Thank you for the suggestion.
I've created a new xml file based on the link you provided. We are facing a "Synchronization aborted because no source object has been found !"error. I am actively working on this but would appreciate advice in the mean time. Here is the new XML: <?xml version="1.0" ?> <lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd"; revision="0"> <connections> <ldapConnection> <name>srcAD</name> <url>ldap://[IPADDRESS]:389/dc=[DC],dc=local</url> <username>[USERNAME]</username> <password>[PASSWORD]</password> <authentication>SIMPLE</authentication> <pageSize>1000</pageSize> </ldapConnection> <ldapConnection> <name>dstLDAP</name> <url>ldap://localhost:389/dc=example,dc=com</url> <username>cn=admin,dc=example,dc=com</username> <password>[PASSWORD]</password> <authentication>SIMPLE</authentication> </ldapConnection> </connections> <tasks> <task> <name>adUser</name> <bean>org.lsc.beans.SimpleBean</bean> <ldapSourceService> <name>ad-src-service</name> <connection reference="srcAD" /> <baseDn>cn=Users,dc=[DC]dc=local</baseDn> <pivotAttributes> <string>sAMAccountName</string> </pivotAttributes> <fetchedAttributes> <string>cn</string> <string>description</string> <string>givenName</string> <string>mail</string> <string>objectclass</string> <string>pwdLastSet</string> <string>sAMAccountName</string> <string>sn</string> <string>unicodePwd</string> <string>userAccountControl</string> <string>userPrincipalName</string> </fetchedAttributes> <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter> <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter> <cleanFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></cleanFilter> </ldapSourceService> <ldapDestinationService> <name>ldap-dst-service</name> <connection reference="dst-ldap" /> <baseDn>ou=Unit,dc=example,dc=com</baseDn> <pivotAttributes> <string>uid</string> </pivotAttributes> <fetchedAttributes> <string>cn</string> <string>description</string> <string>givenName</string> <string>mail</string> <string>sn</string> <string>uid</string> <string>userpassword</string> </fetchedAttributes> <getAllFilter><![CDATA[(objectClass=inetOrgPerson)]]></getAllFilter> <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter> </ldapDestinationService> <propertiesBasedSyncOptions> <mainIdentifier> "cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Unit,dc=example,dc=com" </mainIdentifier> <defaultDelimiter>;</defaultDelimiter> <defaultPolicy>FORCE</defaultPolicy> <conditions> <create>true</create> <update>true</update> <delete>true</delete> <changeId>true</changeId> </conditions> <dataset> <name>objectclass</name> <policy>KEEP</policy> <createValues> <string>"user"</string> <string>"organizationalPerson"</string> <string>"person"</string> <string>"top"</string> </createValues> </dataset> <dataset> <name>sAMAccountName</name> <policy>KEEP</policy> <createValues> <string>srcBean.getDatasetFirstValueById("uid")</string> </createValues> </dataset> <dataset> <!-- userPrincipalName = uid + "@lsc-project.org" --> <name>userPrincipalName</name> <policy>FORCE</policy> <forceValues> <string>srcBean.getDatasetFirstValueById("uid") + "@example.com"</string> </forceValues> </dataset> <dataset> <name>userAccountControl</name> <policy>KEEP</policy> <createValues> <string>AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])</string> </createValues> </dataset> <dataset> <!-- pwdLastSet = 0 to force user to change password on next connection --> <name>pwdLastSet</name> <policy>KEEP</policy> <createValues> <string>"0"</string> </createValues> </dataset> <dataset> <!-- unicodePwd = "changeit" at creation (requires SSL connection to AD) --> <name>unicodePwd</name> <policy>KEEP</policy> <createValues> <string>AD.getUnicodePwd("changeit")</string> </createValues> </dataset> </propertiesBasedSyncOptions> </task> </tasks> </lsc> *Dan Williams * Google for work Professional T: 01793 391 420 On 9 November 2015 at 14:02, Clément OUDOT < [email protected]> wrote: > > > Le 09/11/2015 14:35, Dan Williams a écrit : > > > Hi all, > > We are attempting to synchronize a test Active Directory environment to an > OpenLDAP environment. > > The initial sync works and it will create the users as expected. Any syncs > after this will result in "error, user already exists" (sorry; I haven't > got the exact error to hand). I think this is an error with us using the CN > as pivot and we also don't seem to be referencing any uID. > > The end result will hopefully to sync several separate AD forests to > openLDAP. > > I've attached a copy of the XML with our personals removed: > > > <?xml version="1.0" ?> > <lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd"; revision="0"> > > <connections> > <ldapConnection> > <name>dst-ldap</name> > <url>ldap://localhost:389/dc=example,dc=com</url> > <username>cn=[accountName],dc=example,dc=com</username> > <password>[password]</password> > <authentication>SIMPLE</authentication> > <referral>IGNORE</referral> > <derefAliases>NEVER</derefAliases> > <version>VERSION_3</version> > <pageSize>-1</pageSize> > <factory>com.sun.jndi.ldap.LdapCtxFactory</factory> > <tlsActivated>false</tlsActivated> > <saslMutualAuthentication>false</saslMutualAuthentication> > </ldapConnection> > > <ldapConnection> > <name>src-ad1</name> > <url>ldap://[ADIPAddress]:389/dc=[Dc],dc=local</url> > <username>[ADUserName]</username> > <password>[ADPassword]</password> > <authentication>SIMPLE</authentication> > <pageSize>1000</pageSize> > </ldapConnection> > > </connections> > <audits/> > <tasks> > <task> > <name>MySyncTask</name> > <bean>org.lsc.beans.SimpleBean</bean> > <ldapSourceService> > <name>MySyncTask-src</name> > <connection reference="src-ad1" /> > <baseDn>cn=Users,dc=[DC],dc=local</baseDn> > <pivotAttributes> > <string>cn</string> > </pivotAttributes> > <fetchedAttributes> > <string>cn</string> > <string>sn</string> > <string>objectClass</string> > </fetchedAttributes> > <getAllFilter>(&(cn=*)(objectClass=user))</getAllFilter> > <getOneFilter>(&(objectClass=organizationalPerson)(cn={cn}) > )</getOneFilter> > <cleanFilter>(&(objectClass=organizationalPerson)(cn={cn}) > )</cleanFilter> > <interval>6</interval> > </ldapSourceService> > <ldapDestinationService> > <name>MySyncTask-dst</name> > <connection reference="dst-ldap"/> > <baseDn>ou=Unit,dc=example,dc=com</baseDn> > <pivotAttributes> > <string>cn</string> > </pivotAttributes> > <fetchedAttributes> > <string>cn</string> > <string>sn</string> > <string>objectClass</string> > </fetchedAttributes> > <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter> > > <getOneFilter>(&(objectClass=organizationalPerson)(cn={cn}))</getOneFilter> > </ldapDestinationService> > <propertiesBasedSyncOptions> > <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + > ",ou=unit" > </mainIdentifier> > <defaultDelimiter>;</defaultDelimiter> > <defaultPolicy>FORCE</defaultPolicy> > <dataset> > <name>objectClass</name> > <policy>FORCE</policy> > <forceValues> > <string>"top"</string> > <string>"organizationalPerson"</string> > <string>"person"</string> > <!-- <string>"user"</string> --> > </forceValues> > <delimiter>,</delimiter> > </dataset> > <dataset> > <name>uid</name> > <policy>FORCE</policy> > <forceValues> > <string> > srcBean.getDatasetFirstValueById("sAMAccountName")</string> > </forceValues> > </dataset> > <dataset> > <name>ds-pwp-password-policy-dn</name> > <policy>FORCE</policy> > <forceValues> > <string>"dc=[DC],dc=local"</string> > </forceValues> > </dataset> > <dataset> > <name>default</name> > <policy>FORCE</policy> > </dataset> > </propertiesBasedSyncOptions> > </task> > > </tasks> > </lsc> > > Any help on the matter would be excellent! > > > Hello Dan, > > first of all, you use some attributes (uid, sAMAccountName, > ds-pwp-password-policy-dn) in datasets that are not declared in > fetchedAttributes, so LSC will not be able to read or write them. > > I suggest that you use sAMAccountName as pivot in the source, and uid in > destination. Then add inetOrgPerson in destination objectClass as it is > required to have the uid attirbute in the entry. > > See > http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory, > you can adapt the doc to have AD as source and OpenLDAP as destination. > > -- > Clément OUDOT > Consultant en logiciels libres, Expert infrastructure et sécurité > Savoir-faire Linux > > > _______________________________________________________________ > Ldap Synchronization Connector (LSC) - http://lsc-project.org > > lsc-users mailing list > [email protected] > http://lists.lsc-project.org/listinfo/lsc-users > -- Follow us on: <https://plus.google.com/+Appsbroker/> <https://twitter.com/appsbroker> <http://www.linkedin.com/company/appsbroker-consulting-limited/careers?trk=top_nav_careers> Appsbroker Consulting Limited, Registered office: Appsbroker House, The Square, Swindon, SN1 3EB, Company Number: 5702796, VAT Number: GB 876 3533 92, Company registered in England and Wales. ________________________________________ PLEASE NOTE AS RECIPIENT OF THIS EMAIL: Any views or opinions presented are solely those of the author and do not represent those of Appsbroker Consulting Limited. This e-mail is confidential and intended solely for the addressee. If you are not the intended recipient, be advised that you have received this mail in error and that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. Furthermore, if you are not the intended recipient, please email it back to the sender and then immediately permanently delete it.
_______________________________________________________________ Ldap Synchronization Connector (LSC) - http://lsc-project.org lsc-users mailing list [email protected] http://lists.lsc-project.org/listinfo/lsc-users
