On 26/12/2015 01:22, GOMEZ TORRES HECTOR wrote:
Hi, I am setting up LSC on a Windows Server 2012 R2 for sync about
50,000 users from OpenLDAP (in another server) to local Active
Directory, with help of the tutorial
http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory.
It seems that I was able to make it work, because at launch time the
command prompt hangs on something like "dec 23 17:21:50 - INFO -
Starting sync for Test_Task", but the problem is that it remained in that
state for about 10 hours. Do you know approximately how long it will take?
Now, I did a test with only one user, and everything looks OK when
adding it the first time, but when running the sync again, the password
doesn't get updated. To resolve this issue, I changed the XML code of
the dataset example from the KEEP policy and createValues to force values,
looking like this:
<dataset>
  <name>unicodePwd</name>
  <policy>FORCE</policy>
  <forceValues>
    <string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))</string>
  </forceValues>
</dataset>
And it works! However, this always overwrites the password,
regardless of whether it really changed on the source. This situation is
frustrating, because updating it for 50,000 users seems a very time
consuming task. At this time, I haven't found an option for just
updating; I also checked other options, including all combinations of
KEEP, FORCE and MERGE policies with createValues, defaultValues and
forceValues.
A curious thing is that when I change all values and policies to force,
only unicodePwd and pwdLastSet, and not the others, are overwritten.
The output from CMD shows this:
C:\Windows\System32>C:\lsc-2.1.3\bin\modified-lsc.bat -f C:\lsc-2.1.3\etc -s all -c all
dec 23 18:50:03 - INFO - Logging configuration successfully loaded from C:\lsc-2.1.3\etc\logback.xml
dec 23 18:50:03 - INFO - LSC configuration successfully loaded from C:\lsc-2.1.3\etc\
dec 23 18:50:03 - INFO - Connecting to LDAP server ldaps://Server-Active-Directory.domain.org:636/OU=SomeOU,DC=domain,DC=org as CN=Admin,CN=Users,DC=domain,DC=org

dec 23 18:50:04 - INFO - Connecting to LDAP server ldap://Server-OpenLDAP:389/uid=Test_User,ou=SomeOU,dc=domain,dc=org as uid=admin,ou=admins,dc=domain,dc=org
dec 23 18:50:04 - INFO - Starting sync for Test_Task
dec 23 18:50:07 - INFO - # Updating object CN=LastName FirstName,OU=SomeOU,DC=domain,DC=org for Test_Task
# Wed Dec 23 18:50:07 CST 2015
dn: CN=LastName FirstName,OU=SomeOU,DC=domain,DC=org
changetype: modify
replace: unicodePwd
unicodePwd:: xXXXxXXXxXXXxxXXXxX==
-
replace: pwdLastSet
pwdLastSet: -1
-

dec 23 18:50:07 - INFO - All entries: 1, to modify entries: 1, successfully modified entries: 1, errors: 0
dec 23 18:50:07 - INFO - Starting clean for Duplicar_Usuarios
dec 23 18:50:07 - INFO - All entries: 1, to modify entries: 0, successfully modified entries: 0, errors: 0

C:\Windows\System32>
I was wondering if you can help me make the unicodePwd only get
updated if it was previously modified in the source. I don't know if I
missed some configuration or need to change something else, but, if it is
a bug, I wish that you could fix it :)
A last question: it seems that my OpenLDAP can only return 500 users and
Active Directory 1000, and I defined such values in the pageSize value
for both connections in lsc.xml. Should both be set to the
minimum of 500, or should each be set to its own value of 500 (OpenLDAP) and
1000 (Active Directory)? Is there some performance issue?
Thanks in advance.
Hello Hector,
First remark, on <pageSize>: you need to set it for Active Directory,
but you can disable it with OpenLDAP, and configure unlimited searches
for the DN used in your LSC configuration.
Now, to manage password updates in AD, you need a second task. The first
task will allow creating the password when the user is created, but
should not be used to update the password (as you have noticed, in this
case the password is updated every time).
The second task will only act on the unicodePwd attribute, and you will
code a condition to check the validity of the password before updating
it. If a BIND on AD works, the password is good and you don't need
to update it. If not, the update is needed. Here is a sample script to
be used in the <update> condition:
<update>
<![CDATA[
// Default: push the password to AD
var result = true;
// The encrypted password is stored in the carLicense attribute of the source entry
var cl = srcBean.getDatasetFirstValueById("carLicense");
if (cl == null || cl == "") {
    // No password available in the source: nothing to update
    result = false;
} else {
    // Pivot attribute: employeeNumber in OpenLDAP, sAMAccountName in AD
    var employeeNumber = srcBean.getDatasetFirstValueById("employeeNumber");
    var password = SecurityUtils.decrypt(cl);
    // Search the AD account by sAMAccountName, then try to bind with the source password
    var bind = LDAP.canBindSearchRebind(
        "ldap://ad.example.com/dc=example,dc=com??sub?(sAMAccountName=" + employeeNumber + ")",
        "cn=demo,cn=Users,dc=example,dc=com", "Soleil123", password);
    if (bind) {
        // The bind works: the AD password is already up to date, skip the update
        result = false;
    }
}
// The value of the last expression is the result of the condition
result;
]]>
</update>
In this code, the encoded password is in carLicense attribute, and the
pivot attribute is employeeNumber in OpenLDAP and sAMAccountName in AD.
You need to adapt the code to your needs.
--
Clément OUDOT
Open source software consultant, infrastructure and security expert
Savoir-faire Linux
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
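The "bind first, update only on failure" rule from the reply above, shown as an added example that is not part of the thread and not LSC project code. It runs offline under Node.js: `fakeAd` is a constructed in-memory stand-in for the AD accounts, `decryptStandIn` stands in for LSC's `SecurityUtils.decrypt` (base64 is used only so the example runs; it is not encryption), and `canBind` stands in for `LDAP.canBindSearchRebind`. The last function also shows why the LDIF in the log carries `unicodePwd::`: AD expects the password wrapped in double quotes and UTF-16LE encoded, which LDIF then base64-encodes.

```javascript
// Added example, not LSC code. Decide which source entries need their AD
// password pushed, following the rule: if the source password already binds
// against AD, skip the update; otherwise push it.

// Constructed stand-in for Active Directory: sAMAccountName -> current password.
const fakeAd = new Map([
  ["1001", "Winter2015!"],  // already in sync with the source
  ["1002", "OldPass2014"],  // changed on the source since the last run
]);

// Stand-in for SecurityUtils.decrypt. The source stores a reversible value in
// carLicense; base64 is used here only so the example runs offline.
function decryptStandIn(encoded) {
  return Buffer.from(encoded, "base64").toString("utf8");
}

// Stand-in for LDAP.canBindSearchRebind: look the account up by
// sAMAccountName, then "bind" with the candidate password.
function canBind(sAMAccountName, password) {
  return fakeAd.has(sAMAccountName) && fakeAd.get(sAMAccountName) === password;
}

// Mirrors the <update> condition: true only when the source password does
// not already work against AD (or false when the source has no password).
function needsPasswordUpdate(srcEntry) {
  const cl = srcEntry.carLicense;
  if (cl === undefined || cl === null || cl === "") {
    return false; // nothing to push
  }
  const password = decryptStandIn(cl);
  return !canBind(srcEntry.employeeNumber, password);
}

// AD's unicodePwd value: the password in double quotes, encoded UTF-16LE.
// LDIF shows it base64-encoded after "unicodePwd::", as in the log above.
function unicodePwdBase64(password) {
  return Buffer.from(`"${password}"`, "utf16le").toString("base64");
}

// Build the list of modifications the second task would issue.
function planUpdates(entries) {
  return entries.filter(needsPasswordUpdate).map((e) => ({
    employeeNumber: e.employeeNumber,
    unicodePwd: unicodePwdBase64(decryptStandIn(e.carLicense)),
  }));
}

// Constructed source entries (employeeNumber is the pivot, as in the reply).
const sourceEntries = [
  { employeeNumber: "1001", carLicense: Buffer.from("Winter2015!").toString("base64") },
  { employeeNumber: "1002", carLicense: Buffer.from("Spring2016!").toString("base64") },
  { employeeNumber: "1003", carLicense: "" },
];

console.log(planUpdates(sourceEntries)); // only 1002 is modified
```

Only the entry whose source password no longer binds (1002) ends up in the plan; 1001 is skipped because its bind succeeds, and 1003 is skipped because the source carries no password. In a real LSC task the bind attempt is the cost that replaces a blind FORCE write on all 50,000 entries.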