Hi Clément,

Thank you, I understand that. I had removed "user" from the objectClass attributes; however, I was still referencing objectClass in my source fetchedAttributes, which broke the sync.
New problem: the first sync works correctly. Any additional syncs result in "LDAP: error code 68 - Entry Already Exists". Could this be an issue with the mainIdentifier? The most recent XML is below:

    <?xml version="1.0" ?>
    <lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
      <connections>
        <ldapConnection>
          <name>srcAD</name>
          <url>ldap://[IP]:389/dc=[DC],dc=local</url>
          <username>[USERNAME]</username>
          <password>[PASSWORD]</password>
          <authentication>SIMPLE</authentication>
          <pageSize>1000</pageSize>
        </ldapConnection>
        <ldapConnection>
          <name>dstLDAP</name>
          <url>ldap://localhost:389/dc=example,dc=com</url>
          <username>cn=admin,dc=example,dc=com</username>
          <password>[PASSWORD]</password>
          <authentication>SIMPLE</authentication>
        </ldapConnection>
      </connections>
      <tasks>
        <task>
          <name>adUser</name>
          <bean>org.lsc.beans.SimpleBean</bean>
          <ldapSourceService>
            <name>ad-src-service</name>
            <connection reference="srcAD" />
            <baseDn>cn=Users,dc=appsbroker,dc=local</baseDn>
            <pivotAttributes>
              <string>sAMAccountName</string>
            </pivotAttributes>
            <fetchedAttributes>
              <string>cn</string>
              <string>description</string>
              <string>givenName</string>
              <string>mail</string>
              <string>pwdLastSet</string>
              <string>sAMAccountName</string>
              <string>sn</string>
              <string>unicodePwd</string>
              <string>userAccountControl</string>
              <string>userPrincipalName</string>
            </fetchedAttributes>
            <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
            <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={sAMAccountName}))]]></getOneFilter>
            <cleanFilter><![CDATA[(&(objectClass=user)(sAMAccountName={sAMAccountName}))]]></cleanFilter>
          </ldapSourceService>
          <ldapDestinationService>
            <name>ldap-dst-service</name>
            <!-- reference must match the <name> declared under <connections> -->
            <connection reference="dstLDAP" />
            <baseDn>ou=Unit,dc=example,dc=com</baseDn>
            <pivotAttributes>
              <string>uid</string>
            </pivotAttributes>
            <fetchedAttributes>
              <string>cn</string>
              <string>description</string>
              <string>givenName</string>
              <string>mail</string>
              <string>sn</string>
              <string>uid</string>
              <string>userpassword</string>
              <string>objectClass</string>
            </fetchedAttributes>
            <getAllFilter><![CDATA[(objectClass=inetOrgPerson)]]></getAllFilter>
            <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter>
          </ldapDestinationService>
          <propertiesBasedSyncOptions>
            <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Unit"</mainIdentifier>
            <defaultDelimiter>;</defaultDelimiter>
            <defaultPolicy>FORCE</defaultPolicy>
            <conditions>
              <create>true</create>
              <update>true</update>
              <delete>true</delete>
              <changeId>true</changeId>
            </conditions>
            <dataset>
              <name>objectclass</name>
              <policy>KEEP</policy>
              <createValues>
                <string>"inetOrgPerson"</string>
                <string>"organizationalPerson"</string>
                <string>"person"</string>
                <string>"top"</string>
              </createValues>
            </dataset>
            <dataset>
              <name>sAMAccountName</name>
              <policy>KEEP</policy>
              <createValues>
                <string>srcBean.getDatasetFirstValueById("uid")</string>
              </createValues>
            </dataset>
            <dataset>
              <name>userPrincipalName</name>
              <policy>FORCE</policy>
              <forceValues>
                <string>srcBean.getDatasetFirstValueById("uid") + "@example.com"</string>
              </forceValues>
            </dataset>
            <dataset>
              <name>userAccountControl</name>
              <policy>KEEP</policy>
              <createValues>
                <string>AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])</string>
              </createValues>
            </dataset>
            <dataset>
              <!-- pwdLastSet = 0 to force user to change password on next connection -->
              <name>pwdLastSet</name>
              <policy>KEEP</policy>
              <createValues>
                <string>"0"</string>
              </createValues>
            </dataset>
            <dataset>
              <!-- unicodePwd = "changeit" at creation (requires SSL connection to AD) -->
              <name>unicodePwd</name>
              <policy>KEEP</policy>
              <createValues>
                <string>AD.getUnicodePwd("changeit")</string>
              </createValues>
            </dataset>
          </propertiesBasedSyncOptions>
        </task>
      </tasks>
    </lsc>

Dan Williams
Google for Work Professional
T: 01793 391 420

On 12 November 2015 at 18:58, Clément OUDOT <clement.ou...@savoirfairelinux.com> wrote:

> On 12/11/2015 18:05, Dan Williams wrote:
>
>> Thanks Clément,
>>
>> Made the above change and a few others. We are now facing:
>>
>> " [LDAP: error code 21 - objectClass: value #3 invalid per syntax];"
>>
>> Moving the values around in the objectClass doesn't make the #3 error
>> change.
>
> "user" is not a valid objectClass in OpenLDAP (in LDAP standard more
> generally).
>
> Please read
> http://lsc-project.org/wiki/documentation/howto/activedirectory#non-standard_object_classes
>
> --
> Clément OUDOT
> Free software consultant, infrastructure and security expert
> Savoir-faire Linux
_______________________________________________________________ Ldap Synchronization Connector (LSC) - http://lsc-project.org lsc-users mailing list lsc-users@lists.lsc-project.org http://lists.lsc-project.org/listinfo/lsc-users
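As an added example, not code from this thread or from the LSC project: a small Python lint that parses an LSC 2.1 task file and reports the two slips visible in the posted XML (a `<connection reference>` that names no declared connection, and a `<createValues>` expression with an unterminated string literal), plus a heuristic of my own that flags a destination pivot attribute which no `<dataset>` sets and which the source does not fetch under the same name, the kind of gap that leaves a second run unable to match entries the first run created. The embedded configuration is constructed, modelled on the thread's and trimmed to what the checks read; the check names are my own.

```python
"""Lint an LSC 2.1 task configuration for three common configuration slips.

Added example, not the thread's or the LSC project's code. Check names are my own:
  unknown-connection   <connection reference="X"/> names no connection declared under <connections>
  unbalanced-quote     a createValues/forceValues/defaultValues expression with an odd number of
                       double quotes, i.e. an unterminated JavaScript string literal
  pivot-not-populated  (heuristic) a destination pivot attribute that no <dataset> sets and that the
                       source does not fetch under the same name, so nothing ever writes it
"""
import xml.etree.ElementTree as ET

NS = "{http://lsc-project.org/XSD/lsc-core-2.1.xsd}"

# Constructed sample modelled on the configuration posted in the thread (placeholders kept,
# trimmed to the elements the checks look at). It deliberately carries all three slips.
SAMPLE_CONFIG = """<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
  <connections>
    <ldapConnection><name>srcAD</name><url>ldap://[IP]:389/dc=[DC],dc=local</url></ldapConnection>
    <ldapConnection><name>dstLDAP</name><url>ldap://localhost:389/dc=example,dc=com</url></ldapConnection>
  </connections>
  <tasks>
    <task>
      <name>adUser</name>
      <ldapSourceService>
        <name>ad-src-service</name>
        <connection reference="srcAD" />
        <pivotAttributes><string>sAMAccountName</string></pivotAttributes>
        <fetchedAttributes><string>cn</string><string>sAMAccountName</string></fetchedAttributes>
      </ldapSourceService>
      <ldapDestinationService>
        <name>ldap-dst-service</name>
        <connection reference="dst-ldap" />
        <pivotAttributes><string>uid</string></pivotAttributes>
        <fetchedAttributes><string>cn</string><string>uid</string><string>objectClass</string></fetchedAttributes>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <dataset>
          <name>objectclass</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"inetOrgPerson</string>
            <string>"person"</string>
          </createValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>
  </tasks>
</lsc>
"""


def _text(elem, child):
    """Stripped text of a namespaced child element, or '' when absent."""
    value = elem.findtext(NS + child)
    return value.strip() if value else ""


def _strings(elem, child):
    """Values of the <string> items inside the named container (pivotAttributes, createValues, ...)."""
    container = elem.find(NS + child)
    if container is None:
        return []
    return [(s.text or "").strip() for s in container.findall(NS + "string")]


def lint(xml_text):
    """Return a list of (check-name, detail) findings for one LSC configuration document."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Every <connection reference="X"/> must name a connection declared under <connections>.
    connections = root.find(NS + "connections")
    declared = {_text(conn, "name") for conn in connections} if connections is not None else set()
    for ref in root.iter(NS + "connection"):
        name = ref.get("reference", "")
        if name not in declared:
            findings.append(("unknown-connection", f"reference={name!r} is not one of {sorted(declared)}"))

    for task in root.iter(NS + "task"):
        task_name = _text(task, "name")
        dataset_names = set()
        # 2. Dataset values are JavaScript expressions; an odd count of '"' means an unterminated literal.
        for dataset in task.iter(NS + "dataset"):
            dataset_name = _text(dataset, "name")
            dataset_names.add(dataset_name.lower())
            for container in ("createValues", "forceValues", "defaultValues"):
                for value in _strings(dataset, container):
                    if value.count('"') % 2 == 1:
                        findings.append(("unbalanced-quote", f"task {task_name}, dataset {dataset_name}: {value!r}"))
        # 3. Heuristic: a destination pivot attribute nobody populates cannot be used to re-find the entry.
        src = task.find(NS + "ldapSourceService")
        dst = task.find(NS + "ldapDestinationService")
        if src is None or dst is None:
            continue
        src_fetched = {a.lower() for a in _strings(src, "fetchedAttributes")}
        for pivot in _strings(dst, "pivotAttributes"):
            if pivot.lower() not in dataset_names and pivot.lower() not in src_fetched:
                findings.append(("pivot-not-populated", f"task {task_name}: destination pivot {pivot!r} is never set"))
    return findings


if __name__ == "__main__":
    for check, detail in lint(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
```

Run it as-is and the three findings print in order; point `lint()` at the text of a real `lsc.xml` to lint that instead. The third check is a heuristic, not an LSC rule: LSC also copies attributes that appear under the same name in both services' `fetchedAttributes`, which is why a same-named source attribute counts as populating the pivot.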