OK Clément, thanks for your answer. Let me check it and I will let you know
what happens.

Héctor Gómez
México



Sincerely:

Héctor Gómez Torres
Universidad de Colima
Colima, México.

2016-01-04 3:34 GMT-06:00 Clément OUDOT <[email protected]>:

>
>
> On 26/12/2015 01:22, GOMEZ TORRES HECTOR wrote:
>
> Hi, I am setting up LSC on a Windows Server 2012 R2 to sync about 50,000
> users from OpenLDAP (on another server) to the local Active Directory, with
> the help of the tutorial
> http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
> .
>
> It seems that I was able to make it work, because at launch time the command
> prompt hangs on something like "dec 23 17:21:50 - INFO  - Starting sync for
> Test_Task", but the problem is that it remained in that state for about 10
> hours. Do you know approximately how long it will take?
>
> Now, I did a test with only one user, and everything looks OK when adding
> it the first time, but when running the sync again, the password doesn't get
> updated. To resolve this issue, I changed the XML code of the dataset example
> from the KEEP policy and createValues to force values, looking like this:
>
> <dataset>
>   <name>unicodePwd</name>
>   <policy>FORCE</policy>
>   <forceValues>
>     <string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))</string>
>   </forceValues>
> </dataset>
>
> And it works! However, this always overwrites the password, regardless of
> whether it really changed on the source. This situation is frustrating, because
> updating it for 50,000 users seems a very time consuming task. At this time,
> I haven't found an option for just updating; I also checked other options,
> including all combinations of the KEEP, FORCE and MERGE policies with
> createValues, defaultValues and forceValues.
>
> A curious thing is that when I change all values and policies to force,
> only unicodePwd and pwdLastSet, and not the others, are overwritten.
>
> The output from CMD shows this:
>
> C:\Windows\System32>C:\lsc-2.1.3\bin\modified-lsc.bat -f C:\lsc-2.1.3\etc -s all -c all
> dec 23 18:50:03 - INFO  - Logging configuration successfully loaded from C:\lsc-2.1.3\etc\logback.xml
> dec 23 18:50:03 - INFO  - LSC configuration successfully loaded from C:\lsc-2.1.3\etc\
> dec 23 18:50:03 - INFO  - Connecting to LDAP server ldaps://Server-Active-Directory.domain.org:636/OU=SomeOU,DC=domain,DC=org as CN=Admin,CN=Users,DC=domain,DC=org
>
> dec 23 18:50:04 - INFO  - Connecting to LDAP server ldap://Server-OpenLDAP:389/uid=Test_User,ou=SomeOU,dc=domain,dc=org as uid=admin,ou=admins,dc=domain,dc=org
> dec 23 18:50:04 - INFO  - Starting sync for Test_Task
> dec 23 18:50:07 - INFO  - # Updating object CN=LastName FirstName,OU=SomeOU,DC=domain,DC=org for Test_Task
> # Wed Dec 23 18:50:07 CST 2015
> dn: CN=LastName FirstName,OU=SomeOU,DC=domain,DC=org
> changetype: modify
> replace: unicodePwd
> unicodePwd:: xXXXxXXXxXXXxxXXXxX==
> -
> replace: pwdLastSet
> pwdLastSet: -1
> -
>
> dec 23 18:50:07 - INFO  - All entries: 1, to modify entries: 1, successfully modified entries: 1, errors: 0
> dec 23 18:50:07 - INFO  - Starting clean for Duplicar_Usuarios
> dec 23 18:50:07 - INFO  - All entries: 1, to modify entries: 0, successfully modified entries: 0, errors: 0
>
> C:\Windows\System32>
>
> I was wondering if you can help me make the unicodePwd only get
> updated if it was previously modified in the source. I don't know if I missed
> some configuration or need to change something else, but, if it is a bug, I
> hope that you can fix it :)
>
> A last question: it seems that my OpenLDAP can only return 500 users and
> Active Directory 1000, and I set those values in the pageSize value for
> both connections in lsc.xml. Should both be equal to the minimum of 500,
> or should each be set to its own value of 500 (OpenLDAP) and 1000 (Active
> Directory)? Is there some performance issue?
>
> Thanks in advance.
>
>
> Hello Hector,
>
> first remark, on <pageSize>: you need to set it for Active Directory, but
> you can disable it with OpenLDAP and configure unlimited searches for the
> DN used in your LSC configuration.
>
> Now, to manage password updates in AD, you need a second task. The first
> task will allow creating the password when the user is created, but should
> not be used to update the password (as you have noticed, in this case the
> password is updated every time).
>
> The second task will only act on the unicodePwd attribute, and you will
> code a condition to check the validity of the password before updating it.
> If a BIND on AD works, then the password is good and you don't need to
> update it. If not, the update is needed. Here is a sample script to be used
> in the <update> condition:
>
>           <update>
>           <![CDATA[
>                 var result = true;
>
>                 // Encrypted source password, stored here in carLicense
>                 var cl = srcBean.getDatasetFirstValueById("carLicense");
>
>                 if (cl=="") {
>                         // No password in source: nothing to push to AD
>                         result = false;
>                 }
>
>                 var employeeNumber = srcBean.getDatasetFirstValueById("employeeNumber");
>                 var password = SecurityUtils.decrypt(cl);
>
>                 // Find the AD account by its pivot attribute, then try to bind
>                 // as that user with the source password
>                 var bind = LDAP.canBindSearchRebind(
>                         "ldap://ad.example.com/dc=example,dc=com??sub?(sAMAccountName="+employeeNumber+")",
>                         "cn=demo,cn=Users,dc=example,dc=com", "Soleil123", password);
>
>                 if (bind) {
>                         // Bind succeeded: AD already holds this password, no update needed
>                         result = false;
>                 }
>                 result;
>           ]]>
>           </update>
>
> In this code, the encoded password is in the carLicense attribute, and the
> pivot attribute is employeeNumber in OpenLDAP and sAMAccountName in AD. You
> need to adapt the code to your needs.
>
> --
> Clément OUDOT
> Free software consultant, infrastructure and security expert
> Savoir-faire Linux
>
>
> _______________________________________________________________
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>
> lsc-users mailing list
> [email protected]
> http://lists.lsc-project.org/listinfo/lsc-users
>

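The check Clément describes (bind as the user first, write unicodePwd only when that bind fails), together with the unicodePwd encoding that `AD.getUnicodePwd` produces and that the LDIF in the log shows, as an added stand-alone Node.js example that is not LSC's own code. `srcBean` is modelled as a plain object, and `decrypt` and `canBind` are injected stand-ins for `SecurityUtils.decrypt` and `LDAP.canBindSearchRebind` (assumed to return the cleartext and a boolean, respectively), so it runs without an LDAP server.

```javascript
// Added example, not from LSC: the "bind first, modify only on failure"
// decision plus the unicodePwd encoding, runnable without LSC or an AD.

// AD expects the new password as the UTF-16LE bytes of the value wrapped in
// double quotes; LDIF then carries it base64-encoded as `unicodePwd:: ...`.
function encodeUnicodePwd(password) {
  return Buffer.from('"' + password + '"', "utf16le");
}

function decodeUnicodePwd(bytes) {
  return bytes.toString("utf16le").slice(1, -1); // strip the surrounding quotes
}

// Returns the LDIF modify block (as seen in the log) when AD needs the new
// password, or null when the source password already works against AD.
// decrypt(cl) -> cleartext; canBind(filter, password) -> true if the user
// found by `filter` can bind with `password` (stand-in for LSC's helper).
function planPasswordModify(srcBean, dn, decrypt, canBind) {
  const cl = srcBean.carLicense || "";
  if (cl === "") {
    return null; // no encoded password on the source entry: nothing to push
  }
  const password = decrypt(cl);
  const filter = "(sAMAccountName=" + srcBean.employeeNumber + ")";
  if (canBind(filter, password)) {
    return null; // AD already accepts this password: skip the modify
  }
  const b64 = encodeUnicodePwd(password).toString("base64");
  return [
    "dn: " + dn,
    "changetype: modify",
    "replace: unicodePwd",
    "unicodePwd:: " + b64,
    "-",
    "replace: pwdLastSet",
    "pwdLastSet: -1", // -1 = "now": user is not forced to change it at next logon
    "-",
  ].join("\n");
}

// Constructed sample data: base64 stands in for the reversible encryption
// behind SecurityUtils.decrypt; the bean mirrors the OpenLDAP entry.
const demoDecrypt = (v) => Buffer.from(v, "base64").toString("utf8");
const demoBean = {
  employeeNumber: "12345",
  carLicense: Buffer.from("S3cret!Pass").toString("base64"),
};
```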