OK Clément, thanks for your answer. Let me check it and I will let you know what happens.
Héctor Gómez
México

Sincerely:
Héctor Gómez Torres
Universidad de Colima
Colima, México.

2016-01-04 3:34 GMT-06:00 Clément OUDOT <[email protected]>:

> On 26/12/2015 01:22, GOMEZ TORRES HECTOR wrote:
> > Hi, I am setting up LSC on a Windows Server 2012 R2 to sync about 50,000
> > users from OpenLDAP (on another server) to the local Active Directory, with
> > help of the tutorial
> > http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
> >
> > It seems that I was able to get it to work, because at launch time the command
> > prompt hangs on something like "dec 23 17:21:50 - INFO - Starting sync for
> > Test_Task", but the problem is that it remained in that state for about 10
> > hours. Do you know approximately how long it will take?
> >
> > Now, I did a test with only one user, and everything looks OK when adding
> > it the first time, but when running the sync again, the password doesn't get
> > updated. To resolve this issue, I changed the XML code of the dataset example
> > from the KEEP policy and createValues to force values, looking like this:
> >
> > <dataset>
> >   <name>unicodePwd</name>
> >   <policy>FORCE</policy>
> >   <forceValues>
> >     <string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))</string>
> >   </forceValues>
> > </dataset>
> >
> > And it works! However, this always overwrites the password, regardless of
> > whether it really changed on the source. This situation is frustrating, because
> > updating it for 50,000 users seems a very time-consuming task. At this time,
> > I haven't found an option for just updating; I also checked other options,
> > including all combinations of KEEP, FORCE and MERGE policies with
> > createValues, defaultValues and forceValues.
> >
> > A curious thing is that when I change all values and policies to force,
> > only unicodePwd and pwdLastSet, and not the others, are overwritten.
> >
> > An output from CMD shows this:
> >
> > C:\Windows\System32>C:\lsc-2.1.3\bin\modified-lsc.bat -f C:\lsc-2.1.3\etc -s all -c all
> > dec 23 18:50:03 - INFO - Logging configuration successfully loaded from C:\lsc-2.1.3\etc\logback.xml
> > dec 23 18:50:03 - INFO - LSC configuration successfully loaded from C:\lsc-2.1.3\etc\
> > dec 23 18:50:03 - INFO - Connecting to LDAP server ldaps://Server-Active-Directory.domain.org:636/OU=SomeOU,DC=domain,DC=org as CN=Admin,CN=Users,DC=domain,DC=org
> >
> > dec 23 18:50:04 - INFO - Connecting to LDAP server ldap://Server-OpenLDAP:389/uid=Test_User,ou=SomeOU,dc=domain,dc=org as uid=admin,ou=admins,dc=domain,dc=org
> > dec 23 18:50:04 - INFO - Starting sync for Test_Task
> > dec 23 18:50:07 - INFO - # Updating object CN=LastName FirstName,OU=SomeOU,DC=domain,DC=org for Test_Task
> > # Wed Dec 23 18:50:07 CST 2015
> > dn: CN=LastName FirstName,OU=SomeOU,DC=domain,DC=org
> > changetype: modify
> > replace: unicodePwd
> > unicodePwd:: xXXXxXXXxXXXxxXXXxX==
> > -
> > replace: pwdLastSet
> > pwdLastSet: -1
> > -
> >
> > dec 23 18:50:07 - INFO - All entries: 1, to modify entries: 1, successfully modified entries: 1, errors: 0
> > dec 23 18:50:07 - INFO - Starting clean for Duplicar_Usuarios
> > dec 23 18:50:07 - INFO - All entries: 1, to modify entries: 0, successfully modified entries: 0, errors: 0
> >
> > C:\Windows\System32>
> >
> > I was wondering if you can help me make unicodePwd only get
> > updated if it was previously modified in the source. I don't know if I missed
> > some configuration or need to change something else, but, if it is a bug, I
> > wish that you can fix it :)
> >
> > A last question: it seems that my OpenLDAP can only return 500 users and
> > Active Directory 1000, and I defined such values in the pageSize value for
> > both connections in the lsc.xml. Should both be set to the minimum of 500,
> > or should each be set to its own value of 500 (OpenLDAP) and 1000 (Active
> > Directory)? Is there some performance issue?
> >
> > Thanks in advance.
>
> Hello Hector,
>
> first remark, on <pageSize>: you need to set it for Active Directory, but
> you can disable it with OpenLDAP, and configure unlimited searches for the
> DN used in your LSC configuration.
>
> Now, to manage password update in AD, you need a second task. The first
> task will allow creating the password when the user is created, but should
> not be used to update the password (as you have noticed, in this case the
> password is updated every time).
>
> The second task will only act on the unicodePwd attribute, and you will
> code a condition to check the validity of the password before updating it.
> If a BIND on AD works, then the password is good and you don't need to
> update it. If not, the update is needed. Here is a sample script to be used
> in the <update> condition:
>
> <update>
> <![CDATA[
> var result = true;
>
> var cl = srcBean.getDatasetFirstValueById("carLicense");
>
> if (cl=="") {
>     result = false;
> }
>
> var employeeNumber = srcBean.getDatasetFirstValueById("employeeNumber");
> var password = SecurityUtils.decrypt(cl);
>
> var bind = LDAP.canBindSearchRebind(
>     "ldap://ad.example.com/dc=example,dc=com??sub?(sAMAccountName="+employeeNumber+")",
>     "cn=demo,cn=Users,dc=example,dc=com", "Soleil123", password);
>
> if (bind) {
>     result = false;
> }
> result;
> ]]>
> </update>
>
> In this code, the encoded password is in the carLicense attribute, and the
> pivot attribute is employeeNumber in OpenLDAP and sAMAccountName in AD. You
> need to adapt the code to your needs.
>
> --
> Clément OUDOT
> Free software consultant, infrastructure and security expert
> Savoir-faire Linux
>
> _______________________________________________________________
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>
> lsc-users mailing list
> [email protected]
> http://lists.lsc-project.org/listinfo/lsc-users

--
Universidad de Colima
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
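The decision logic of the second-task `<update>` condition described above, as an added example that is not code from the thread or from the LSC project. LSC's own objects (`srcBean`, `SecurityUtils.decrypt`, `LDAP.canBindSearchRebind`) are replaced by injected callbacks so the logic runs stand-alone under Node; `toyDecrypt`, `fakeCanBind` and the three sample entries are constructed fixtures, not anything LSC provides. It also shows how the `unicodePwd::` value in the log is formed: Active Directory expects the password wrapped in double quotes and encoded as UTF-16LE, which LDIF then base64-encodes.

```javascript
// Added example, not from the thread or the LSC project: model the "only update
// unicodePwd when a bind with the source password fails" condition from the reply.

// AD stores unicodePwd as the quoted password in UTF-16LE; LDIF base64-encodes it,
// which is the "unicodePwd::" form seen in the log.
function unicodePwdBase64(password) {
  return Buffer.from('"' + password + '"', "utf16le").toString("base64");
}

// The <update> condition: returns true when LSC must modify this entry.
//   entry:    the source (OpenLDAP) entry as a plain object
//   decrypt:  stands in for SecurityUtils.decrypt (hypothetical callback)
//   canBind:  stands in for LDAP.canBindSearchRebind (hypothetical callback)
function needsPasswordUpdate(entry, decrypt, canBind) {
  const cl = entry.carLicense || "";
  if (cl === "") {
    return false; // no password stored in the source: nothing to push
  }
  const password = decrypt(cl);
  // A successful bind proves AD already holds this password; only a failed
  // bind justifies rewriting unicodePwd (and resetting pwdLastSet).
  return !canBind(entry.employeeNumber, password);
}

// The LDIF modify LSC emits for an out-of-date entry (same shape as in the log).
function buildModify(dn, password) {
  return [
    "dn: " + dn,
    "changetype: modify",
    "replace: unicodePwd",
    "unicodePwd:: " + unicodePwdBase64(password),
    "-",
    "replace: pwdLastSet",
    "pwdLastSet: -1",
    "-",
  ].join("\n");
}

// Run the condition over a batch and keep only the entries that need a modify.
function planPasswordSync(entries, decrypt, canBind) {
  return entries
    .filter((e) => needsPasswordUpdate(e, decrypt, canBind))
    .map((e) => ({ dn: e.dn, ldif: buildModify(e.dn, decrypt(e.carLicense)) }));
}

// Constructed fixtures (hypothetical): a toy reversible "cipher" in place of
// SecurityUtils, and a fake AD keyed by sAMAccountName in place of a real bind.
const toyDecrypt = (s) => s.split("").reverse().join("");
const toyEncrypt = toyDecrypt; // reversing a string is its own inverse
const fakeAdPasswords = { "1001": "Winter2015!", "1002": "OldPass1" };
const fakeCanBind = (sam, pw) => fakeAdPasswords[sam] === pw;

const sampleEntries = [
  // already in sync: the bind succeeds, so no modify is generated
  { dn: "CN=Alice Example,OU=SomeOU,DC=example,DC=com", employeeNumber: "1001", carLicense: toyEncrypt("Winter2015!") },
  // changed in OpenLDAP: the bind with the new password fails, so modify
  { dn: "CN=Bob Example,OU=SomeOU,DC=example,DC=com", employeeNumber: "1002", carLicense: toyEncrypt("NewPass2") },
  // no password stored in the source: skipped
  { dn: "CN=Carol Example,OU=SomeOU,DC=example,DC=com", employeeNumber: "1003", carLicense: "" },
];

function main() {
  const plan = planPasswordSync(sampleEntries, toyDecrypt, fakeCanBind);
  console.log(plan.length + " of " + sampleEntries.length + " entries need a password update");
  plan.forEach((p) => console.log(p.ldif + "\n"));
}
main();
```

Running it prints one modify, for Bob only. The cost model is the point of the reply: one bind attempt per user against AD replaces one write per user, so the 50,000-entry run touches only the entries whose source password actually changed.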

