Hi, I am setting up LSC on a Windows Server 2012 R2 to sync about 50,000
users from OpenLDAP (on another server) to the local Active Directory, with
the help of the tutorial
http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory.

It seems that I was able to make it work, because at launch time the command
prompt hangs on something like "dec 23 17:21:50 - INFO  - Starting sync for
Test_Task", but the problem is that it remained in that state for about 10
hours. Do you know approximately how long it will take?

Now, I did a test with only one user, and everything looks OK when adding
it the first time, but when running the sync again, the password doesn't get
updated. To resolve this issue, I changed the XML code of the dataset example
from KEEP policy and createValues to force values, looking like this:

    <dataset>
      <name>unicodePwd</name>
      <policy>FORCE</policy>
      <forceValues>
        <string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))</string>
      </forceValues>
    </dataset>

And it works! However, this always overwrites the password, regardless of
whether it really changed on the source. This situation is frustrating, because
updating it for 50,000 users seems a very time-consuming task. At this time,
I haven't found an option for just updating; I also checked other options,
including all combinations of KEEP, FORCE and MERGE policies with
createValues, defaultValues and forceValues.

A curious thing is that when I change all values and policies to force, only
unicodePwd and pwdLastSet, and not the others, are overwritten.

An output from CMD shows this:

    C:\Windows\System32>C:\lsc-2.1.3\bin\modified-lsc.bat -f C:\lsc-2.1.3\etc -s all -c all
    dec 23 18:50:03 - INFO  - Logging configuration successfully loaded from C:\lsc-2.1.3\etc\logback.xml
    dec 23 18:50:03 - INFO  - LSC configuration successfully loaded from C:\lsc-2.1.3\etc\
    dec 23 18:50:03 - INFO  - Connecting to LDAP server ldaps://Server-Active-Directory.domain.org:636/OU=SomeOU,DC=domain,DC=org as CN=Admin,CN=Users,DC=domain,DC=org
    dec 23 18:50:04 - INFO  - Connecting to LDAP server ldap://Server-OpenLDAP:389/uid=Test_User,ou=SomeOU,dc=domain,dc=org as uid=admin,ou=admins,dc=domain,dc=org
    dec 23 18:50:04 - INFO  - Starting sync for Test_Task
    dec 23 18:50:07 - INFO  - # Updating object CN=LastName FirstName,OU=SomeOU,DC=domain,DC=org for Test_Task
    # Wed Dec 23 18:50:07 CST 2015
    dn: CN=LastName FirstName,OU=SomeOU,DC=domain,DC=org
    changetype: modify
    replace: unicodePwd
    unicodePwd:: xXXXxXXXxXXXxxXXXxX==
    -
    replace: pwdLastSet
    pwdLastSet: -1
    -

    dec 23 18:50:07 - INFO  - All entries: 1, to modify entries: 1, successfully modified entries: 1, errors: 0
    dec 23 18:50:07 - INFO  - Starting clean for Duplicar_Usuarios
    dec 23 18:50:07 - INFO  - All entries: 1, to modify entries: 0, successfully modified entries: 0, errors: 0

    C:\Windows\System32>

I was wondering if you can help me make unicodePwd get updated only if it
was previously modified in the source. I don't know if I missed
some configuration or need to change something else, but, if it is a bug, I
hope that you can fix it :)

A last question: it seems that my OpenLDAP can only return 500 users and
Active Directory 1000, and I defined such values in the pageSize value for
both connections in the lsc.xml. Should both be equal to the minimum of 500,
or should each be set to its own value of 500 (OpenLDAP) and 1000 (Active
Directory)? Is there some performance issue?

Thanks in advance.



P.S.

This is my lsc.xml:



    <?xml version="1.0" ?>
    <lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">

      <connections>

        <ldapConnection>
          <name>OpenLDAP</name>
          <url>ldap://Server-OpenLDAP:389/uid=Test_User,ou=SomeOU,dc=domain,dc=org</url>
          <username>uid=admin,ou=admins,dc=domain,dc=org</username>
          <password>Password1</password>
          <authentication>SIMPLE</authentication>
          <referral>IGNORE</referral>
          <derefAliases>NEVER</derefAliases>
          <version>VERSION_3</version>
          <pageSize>500</pageSize>
          <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
          <tlsActivated>false</tlsActivated>
        </ldapConnection>

        <ldapConnection>
          <name>Active_Directory</name>
          <url>ldaps://Server-Active-Directory.domain.org:636/OU=SomeOU,DC=domain,DC=org</url>
          <username>CN=Admin,CN=Users,DC=domain,DC=org</username>
          <password>Password2</password>
          <authentication>SIMPLE</authentication>
          <referral>IGNORE</referral>
          <derefAliases>NEVER</derefAliases>
          <version>VERSION_3</version>
          <pageSize>1000</pageSize>
          <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
          <tlsActivated>false</tlsActivated>
        </ldapConnection>

      </connections>

      <tasks>

        <task>
          <name>Test_Task</name>
          <bean>org.lsc.beans.SimpleBean</bean>

          <ldapSourceService>
            <name>OpenLDAP_Openning</name>
            <connection reference="OpenLDAP" />
            <baseDn>uid=Test_User,ou=SomeOU,dc=domain,dc=org</baseDn>
            <pivotAttributes>
              <string>uid</string>
            </pivotAttributes>
            <fetchedAttributes>
              <string>cn</string>
              <string>uid</string>
              <string>userPassword</string>
            </fetchedAttributes>
            <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
            <getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid}))</getOneFilter>
            <cleanFilter>(&amp;(objectClass=inetOrgPerson)(uid={sAMAccountName}))</cleanFilter>
          </ldapSourceService>

          <ldapDestinationService>
            <name>Active_Directory_Openning</name>
            <connection reference="Active_Directory" />
            <baseDn>OU=SomeOU,DC=domain,DC=org</baseDn>
            <pivotAttributes>
              <string>sAMAccountName</string>
            </pivotAttributes>
            <fetchedAttributes>
              <string>objectClass</string>
              <string>cn</string>
              <string>pwdLastSet</string>
              <string>sAMAccountName</string>
              <string>unicodePwd</string>
              <string>userAccountControl</string>
              <string>userPrincipalName</string>
            </fetchedAttributes>
            <getAllFilter>(objectClass=user)</getAllFilter>
            <getOneFilter>(&amp;(objectClass=user)(sAMAccountName={uid}))</getOneFilter>
          </ldapDestinationService>

          <propertiesBasedSyncOptions>
            <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("cn") + ",OU=SomeOU,DC=domain,DC=org"</mainIdentifier>
            <defaultDelimiter>;</defaultDelimiter>
            <defaultPolicy>FORCE</defaultPolicy>

            <conditions>
              <create>true</create>
              <update>true</update>
              <delete>true</delete>
              <changeId>true</changeId>
            </conditions>

            <dataset>
              <name>objectClass</name>
              <policy>KEEP</policy>
              <createValues>
                <string>"user"</string>
                <string>"organizationalPerson"</string>
                <string>"person"</string>
                <string>"top"</string>
              </createValues>
            </dataset>

            <dataset>
              <name>pwdLastSet</name>
              <policy>KEEP</policy>
              <createValues>
                <string>"-1"</string>
              </createValues>
            </dataset>

            <dataset>
              <name>sAMAccountName</name>
              <policy>KEEP</policy>
              <createValues>
                <string>srcBean.getDatasetFirstValueById("uid")</string>
              </createValues>
            </dataset>

            <dataset>
              <name>unicodePwd</name>
              <policy>FORCE</policy>
              <forceValues>
                <string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))</string>
              </forceValues>
            </dataset>

            <dataset>
              <name>userAccountControl</name>
              <policy>KEEP</policy>
              <createValues>
                <string>AD.userAccountControlSet("0", [AD.UAC_SET_NORMAL_ACCOUNT, AD.UAC_SET_DONT_EXPIRE_PASSWORD])</string>
              </createValues>
            </dataset>

            <dataset>
              <name>userPrincipalName</name>
              <policy>KEEP</policy>
              <createValues>
                <string>srcBean.getDatasetFirstValueById("uid") + "@domain.org"</string>
              </createValues>
            </dataset>

          </propertiesBasedSyncOptions>

        </task>

      </tasks>

    </lsc>


Sincerely,

Héctor Gómez
México

-- 
--
Universidad de Colima
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
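
An added example (not part of the original post and not LSC's own code) of the check the post asks for: Active Directory does not return unicodePwd on reads, so the decision is made by comparing timestamps instead. It assumes the OpenLDAP entries carry pwdChangedTime (maintained by the ppolicy overlay, which the post does not mention) and that pwdLastSet is read from AD; the function names are hypothetical and the sample values are constructed.

```javascript
// Added example: standalone decision logic, not LSC configuration.
// Assumption: the source entry exposes pwdChangedTime (OpenLDAP ppolicy overlay).

// Milliseconds between 1601-01-01 (Windows FILETIME epoch) and 1970-01-01.
const FILETIME_EPOCH_OFFSET_MS = 11644473600000n;

// AD pwdLastSet is a decimal string counting 100-ns intervals since 1601-01-01 UTC.
// Returns Unix milliseconds, or null for "0" (password must change / never set).
function pwdLastSetToUnixMs(pwdLastSet) {
  const ticks = BigInt(pwdLastSet);
  if (ticks <= 0n) return null;
  return Number(ticks / 10000n - FILETIME_EPOCH_OFFSET_MS);
}

// OpenLDAP GeneralizedTime in UTC, e.g. "20151224005007Z" or "20151224005007.123Z".
// Returns Unix milliseconds, or null when the value is missing or malformed.
function generalizedTimeToUnixMs(value) {
  const m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:\.(\d+))?Z$/.exec(value || "");
  if (!m) return null;
  const fractionMs = m[7] ? Math.round(Number("0." + m[7]) * 1000) : 0;
  return Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]) + fractionMs;
}

// True when the destination password should be rewritten.
function passwordNeedsSync(srcPwdChangedTime, dstPwdLastSet) {
  const dst = dstPwdLastSet == null ? null : pwdLastSetToUnixMs(dstPwdLastSet);
  if (dst === null) return true;   // AD has no usable password timestamp
  const src = generalizedTimeToUnixMs(srcPwdChangedTime);
  if (src === null) return false;  // source records no change time: leave AD untouched
  return src > dst;                // changed at the source after AD last stored it
}

// Constructed sample: AD stored the password at 2015-12-24 00:50:07 UTC.
const samplePwdLastSet = "130953918070000000";
console.log(passwordNeedsSync("20151224010000Z", samplePwdLastSet)); // changed later at source
console.log(passwordNeedsSync("20151223120000Z", samplePwdLastSet)); // unchanged since last sync
```

Writing pwdLastSet: -1 together with unicodePwd, as in the LDIF shown in the post, makes AD stamp the current time, so the comparison stays meaningful after each sync.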
