Hi to everybody.
Finally, I was able to get the sync operation from OpenLDAP to Active Directory working. I will leave here the contents of a sample lsc.xml file in the hope that it will be useful for those who need something similar.
With the following config, it is possible to run sync and clean tasks, and to update values only when they change, including the passwords; simply copy the text below into a new text file, name it *lsc.xml* and save it in *lsc_path\etc*. Inside this configuration you will find comments for each section and useful links to get more info about particular points.
To run LSC from Windows, it is only necessary to execute this instruction in a CMD shell:
*C:\lsc\bin\lsc.bat -f C:\lsc\etc -s all -c a._Duplicate_users >> C:\lsc\log.log*
supposing that the lsc folder is *C:\lsc*. If your path contains spaces, you will need to surround it with double quotes (*"*). The inner string *-f C:\lsc\etc* is necessary to indicate the path to the lsc.xml file; ideally you wouldn't need to specify it, but, at least on Windows, if you omit it, LSC will be unable to load the file and will fail with an error. The last string *>> C:\lsc\log.log* redirects all console output to a log file; LSC makes its own log file in %TEMP%\lsc.log, but it only lists the start and stop dates of the program.
Another issue on Windows is that lsc.bat fails if you try to run it right after decompressing; to get it working, you will need to edit the following:
*-> Add trailing backslashes (\) to these lines:*
*SET CFG_DIR=%LSC_HOME%\etc*
*SET LIB_DIR=%LSC_HOME%\lib*
to
*SET CFG_DIR=%LSC_HOME%\etc\*
*SET LIB_DIR=%LSC_HOME%\lib\*
*-> Remove the double quotes (") from these others:*
*REM Find the java.exe executable*
*:get_java*
* IF DEFINED JAVA_HOME ( SET JAVA_COMMAND=%JAVA_HOME%\bin\java.exe) ELSE ( SET JAVA_COMMAND=)*
* IF NOT EXIST "%JAVA_COMMAND%" ( SET PATHQ="%PATH%"*
* GOTO findJava )*
*goto:eof*
to
*REM Find the java.exe executable*
*:get_java*
* IF DEFINED JAVA_HOME ( SET JAVA_COMMAND=%JAVA_HOME%\bin\java.exe) ELSE ( SET JAVA_COMMAND=)*
* IF NOT EXIST %JAVA_COMMAND% ( SET PATHQ=%PATH%*
* GOTO findJava )*
*goto:eof*
With those modifications, you will be able to run lsc.bat without problems.
To get an idea of the amount of time this process involves: synchronizing about 50,000 users between 2 servers on the same network takes about 2 hours for the first load and an hour for successive runs.
I want to thank Clément Oudot for his valuable help, those other LSC users who asked before me, and the whole LSC developer team for this great tool.
*--- Beginning of lsc.xml (exclude this line) ---*
<?xml version="1.0" ?>
<!-- Sample LSC configuration file for duplicating OpenLDAP users into Active
Directory. Specifically, this file configures LSC to get "uid",
"userPassword" and "sn" from OpenLDAP and use those values to create/sync
users in Active Directory, but different attributes can be used for
particular cases.
- References:
http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
http://lsc-project.org/wiki/documentation/howto/activedirectory
http://lsc-project.org/wiki/documentation/latest/start
http://lsc-project.org/wiki/documentation/latest/configuration/start -->
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
<!-- Connections configuration.
- Reference:
http://lsc-project.org/wiki/documentation/latest/configuration/connections/ldap
-->
<connections>
<!-- Connection to OpenLDAP. -->
<ldapConnection>
<name>OpenLDAP</name>
<url>ldap://OLserver.domainName.org:389/ou=ouName,dc=domainName,dc=org</url>
<username>cn=root,dc=domainName,dc=org</username>
<password>OLpassword</password>
<authentication>SIMPLE</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
</ldapConnection>
<!-- SSL connection to Active Directory. -->
<ldapConnection>
<name>Active_Directory</name>
<url>ldaps://ADserver.domainName.org:636/OU=ouName,DC=domainName,DC=org</url>
<username>CN=Administrator,CN=Users,DC=domainName,DC=org</username>
<password>ADpassword</password>
<authentication>SIMPLE</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<pageSize>1000</pageSize>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
</ldapConnection>
</connections>
<!-- Tasks configuration.
- Reference:
http://lsc-project.org/wiki/documentation/latest/configuration/tasks -->
<tasks>
<!-- Task to synchronize users from OpenLDAP to Active Directory. -->
<task>
<name>a._Duplicate_users</name>
<bean>org.lsc.beans.SimpleBean</bean>
<!-- LDAP source service.
- Reference:
http://lsc-project.org/wiki/documentation/latest/configuration/service/sourceldap
-->
<ldapSourceService>
<name>OpenLDAP_opening_1</name>
<connection reference="OpenLDAP" />
<baseDn>ou=ouName,dc=domainName,dc=org</baseDn>
<pivotAttributes>
<string>uid</string>
</pivotAttributes>
<fetchedAttributes>
<string>sn</string>
<string>uid</string>
<string>userPassword</string>
</fetchedAttributes>
<getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
<!-- Inside XML, the '&' of an LDAP AND filter must be written as '&amp;'. -->
<getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid}))</getOneFilter>
<cleanFilter>(&amp;(objectClass=inetOrgPerson)(uid={sAMAccountName}))</cleanFilter>
</ldapSourceService>
<!-- LDAP destination service.
- Reference:
http://lsc-project.org/wiki/documentation/latest/configuration/service/destinationldap
-->
<ldapDestinationService>
<name>Active_Directory_opening_1</name>
<connection reference="Active_Directory" />
<baseDn>OU=ouName,DC=domainName,DC=org</baseDn>
<pivotAttributes>
<string>sAMAccountName</string>
</pivotAttributes>
<fetchedAttributes>
<string>objectClass</string>
<string>cn</string>
<string>displayName</string>
<string>pwdLastSet</string>
<string>sAMAccountName</string>
<string>unicodePwd</string>
<string>userAccountControl</string>
<string>userPrincipalName</string>
</fetchedAttributes>
<getAllFilter>(objectClass=user)</getAllFilter>
<getOneFilter>(&amp;(objectClass=user)(sAMAccountName={uid}))</getOneFilter>
</ldapDestinationService>
<!-- Synchronization rules.
- References:
http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions
http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions/activedirectory
-->
<propertiesBasedSyncOptions>
<mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("uid") +
",OU=ouName,DC=domainName,DC=org"</mainIdentifier>
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>FORCE</defaultPolicy>
<conditions>
<create>true</create>
<update>true</update>
<delete>true</delete>
<changeId>true</changeId>
</conditions>
<!-- objectClass = user/organizationalPerson/person/top
- Reference:
http://lsc-project.org/wiki/documentation/howto/activedirectory#Non-standard_object_classes
-->
<dataset>
<name>objectClass</name>
<policy>KEEP</policy>
<createValues>
<string>"user"</string>
<string>"organizationalPerson"</string>
<string>"person"</string>
<string>"top"</string>
</createValues>
</dataset>
<!-- cn = uid -->
<dataset>
<name>cn</name>
<policy>KEEP</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("uid")</string>
</createValues>
</dataset>
<!-- displayName = sn -->
<dataset>
<name>displayName</name>
<policy>FORCE</policy>
<forceValues>
<string>srcBean.getDatasetFirstValueById("sn")</string>
</forceValues>
</dataset>
<!-- pwdLastSet = -1; does not require the user to change the password at next
logon.
- Reference:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/9c3caa80-9e97-4808-96a8-5af696aaa7b3/pwdlastset-possible-to-change-?forum=winserverDS
-->
<dataset>
<name>pwdLastSet</name>
<policy>KEEP</policy>
<createValues>
<string>"-1"</string>
</createValues>
</dataset>
<!-- sAMAccountName = uid -->
<dataset>
<name>sAMAccountName</name>
<policy>KEEP</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("uid")</string>
</createValues>
</dataset>
<!-- unicodePwd = userPassword; requires SSL connection to Active Directory.
- Reference:
http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#getUnicodePwd(java.lang.String)
-->
<dataset>
<name>unicodePwd</name>
<policy>KEEP</policy>
<createValues>
<string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))</string>
</createValues>
</dataset>
<!-- Configuring the account as a normal, non-admin account.
- References:
http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#userAccountControlSet(int,java.lang.String[])
http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#UAC_SET_NORMAL_ACCOUNT
http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#UAC_SET_DONT_EXPIRE_PASSWORD
-->
<dataset>
<name>userAccountControl</name>
<policy>KEEP</policy>
<createValues>
<string>AD.userAccountControlSet("0", [AD.UAC_SET_NORMAL_ACCOUNT,
AD.UAC_SET_DONT_EXPIRE_PASSWORD])</string>
</createValues>
</dataset>
<!-- userPrincipalName = uid + "@domainName.org" -->
<dataset>
<name>userPrincipalName</name>
<policy>KEEP</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("uid") + "@domainName.org"</string>
</createValues>
</dataset>
</propertiesBasedSyncOptions>
</task>
<!-- Task to check for password changes in OpenLDAP and replicate them into
Active Directory. -->
<task>
<name>b._Update_passwords</name>
<bean>org.lsc.beans.SimpleBean</bean>
<!-- LDAP source service.
- Reference:
http://lsc-project.org/wiki/documentation/latest/configuration/service/sourceldap
-->
<ldapSourceService>
<name>OpenLDAP_opening_2</name>
<connection reference="OpenLDAP" />
<baseDn>ou=ouName,dc=domainName,dc=org</baseDn>
<pivotAttributes>
<string>uid</string>
</pivotAttributes>
<fetchedAttributes>
<string>uid</string>
<string>userPassword</string>
</fetchedAttributes>
<getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
<getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid}))</getOneFilter>
<cleanFilter>(&amp;(objectClass=inetOrgPerson)(uid={sAMAccountName}))</cleanFilter>
</ldapSourceService>
<!-- LDAP destination service.
- Reference:
http://lsc-project.org/wiki/documentation/latest/configuration/service/destinationldap
-->
<ldapDestinationService>
<name>Active_Directory_opening_2</name>
<connection reference="Active_Directory" />
<baseDn>OU=ouName,DC=domainName,DC=org</baseDn>
<pivotAttributes>
<string>sAMAccountName</string>
</pivotAttributes>
<fetchedAttributes>
<string>unicodePwd</string>
</fetchedAttributes>
<getAllFilter>(objectClass=user)</getAllFilter>
<getOneFilter>(&amp;(objectClass=user)(sAMAccountName={uid}))</getOneFilter>
</ldapDestinationService>
<!-- Synchronization rules.
- References:
http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions
http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions/activedirectory
-->
<propertiesBasedSyncOptions>
<mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("uid") +
",OU=ouName,DC=domainName,DC=org"</mainIdentifier>
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>FORCE</defaultPolicy>
<conditions>
<create>false</create>
<!-- Condition for password updates.
- References:
http://lists.lsc-project.org/pipermail/lsc-users/2016-January/002824.html
http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions/ldap
http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/LDAP.html
-->
<update>!(LDAP.canBind("ldaps://ADserver.domainName.org:636/OU=ouName,DC=domainName,DC=org",
"CN=Administrator,CN=Users,DC=domainName,DC=org", "ADpassword",
"CN=" + srcBean.getDatasetFirstValueById("uid") + ",OU=ouName,DC=domainName,DC=org",
srcBean.getDatasetFirstValueById("userPassword")))</update>
<delete>false</delete>
<changeId>false</changeId>
</conditions>
<!-- unicodePwd = userPassword; requires SSL connection to Active Directory.
- Reference:
http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#getUnicodePwd(java.lang.String)
-->
<dataset>
<name>unicodePwd</name>
<policy>FORCE</policy>
<forceValues>
<string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))</string>
</forceValues>
</dataset>
</propertiesBasedSyncOptions>
</task>
</tasks>
</lsc>
*--- End of lsc.xml (exclude this line) ---*
Sincerely,
Héctor Gómez.
México.
--
Universidad de Colima
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
http://lists.lsc-project.org/listinfo/lsc-users
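The following is an added example written for this page, not LSC code and not part of Héctor's message. It is a small preflight check for an lsc.xml of the shape posted above, covering the points where that configuration is easy to get wrong: the `&` of an LDAP AND filter must be written `&amp;` inside XML; `unicodePwd` is the quoted password in UTF-16LE (the same transformation `AD.getUnicodePwd` performs), so the plaintext must be available from `userPassword` and AD only accepts the write over LDAPS or TLS; and `userPassword` fetched over plain `ldap://` with `tlsActivated` false crosses the network in cleartext. The namespace URI and element names are taken from the posted file; the host names, DNs and passwords in the embedded `SAMPLE` are constructed placeholders, and the `userAccountControl` constants are the standard ADS_USER_FLAG bit values.

```python
"""Preflight checks for an LSC lsc.xml (added example; not LSC code).

Element names and the namespace URI follow the posted lsc.xml; everything in
SAMPLE is a constructed placeholder (assumption: your file has the same layout).
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"lsc": "http://lsc-project.org/XSD/lsc-core-2.1.xsd"}

# Active Directory userAccountControl bits (Microsoft ADS_USER_FLAG values).
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000


def unicode_pwd(password: str) -> bytes:
    """Value AD expects in unicodePwd: the password in double quotes, UTF-16LE.
    Same transformation as AD.getUnicodePwd; the plaintext is visible in the
    bytes, which is why AD only accepts it over an encrypted connection."""
    return f'"{password}"'.encode("utf-16-le")


def user_account_control(*flags: int) -> int:
    """OR together UAC flags (normal account + never-expiring password = 66048)."""
    value = 0
    for flag in flags:
        value |= flag
    return value


def escape_filter(ldap_filter: str) -> str:
    """A filter is XML text inside <getOneFilter>, so '&' must become '&amp;'."""
    return escape(ldap_filter)


def _encrypted(conn: ET.Element) -> bool:
    """ldaps:// is implicit TLS; tlsActivated=true means StartTLS on ldap://."""
    url = conn.findtext("lsc:url", "", NS).strip()
    tls = conn.findtext("lsc:tlsActivated", "false", NS).strip().lower() == "true"
    return url.startswith("ldaps://") or tls


def lint(config_xml: str) -> list:
    """Return findings for one lsc.xml document; an empty list means clean."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as err:
        return [f"not well-formed XML (unescaped '&' in a filter?): {err}"]

    findings = []
    encrypted = {}
    for conn in root.findall("lsc:connections/lsc:ldapConnection", NS):
        name = conn.findtext("lsc:name", "", NS)
        encrypted[name] = _encrypted(conn)
        if conn.findtext("lsc:password", "", NS).strip():
            findings.append(f"connection {name}: bind password stored in lsc.xml")

    for task in root.findall("lsc:tasks/lsc:task", NS):
        tname = task.findtext("lsc:name", "", NS)
        src = task.find("lsc:ldapSourceService", NS)
        dst = task.find("lsc:ldapDestinationService", NS)
        src_conn = src.find("lsc:connection", NS).get("reference")
        dst_conn = dst.find("lsc:connection", NS).get("reference")
        read = {s.text for s in src.findall("lsc:fetchedAttributes/lsc:string", NS)}
        written = {s.text for s in dst.findall("lsc:fetchedAttributes/lsc:string", NS)}
        written |= {d.text for d in task.findall(
            "lsc:propertiesBasedSyncOptions/lsc:dataset/lsc:name", NS)}
        if "userPassword" in read and not encrypted.get(src_conn, False):
            findings.append(f"task {tname}: reads userPassword from {src_conn} over cleartext LDAP")
        if "unicodePwd" in written and not encrypted.get(dst_conn, False):
            findings.append(f"task {tname}: writes unicodePwd to {dst_conn} without LDAPS/TLS; AD rejects that")
    return findings


# Constructed sample in the shape of the posted file (placeholder hosts and secrets).
SAMPLE = """<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
 <connections>
  <ldapConnection><name>OpenLDAP</name>
   <url>ldap://OLserver.example.org:389/dc=example,dc=org</url>
   <username>cn=root,dc=example,dc=org</username><password>OLpassword</password>
   <tlsActivated>false</tlsActivated></ldapConnection>
  <ldapConnection><name>Active_Directory</name>
   <url>ldaps://ADserver.example.org:636/DC=example,DC=org</url>
   <username>CN=Administrator,CN=Users,DC=example,DC=org</username><password>ADpassword</password>
   <tlsActivated>false</tlsActivated></ldapConnection>
 </connections>
 <tasks><task><name>b._Update_passwords</name>
  <ldapSourceService><name>src</name><connection reference="OpenLDAP"/>
   <fetchedAttributes><string>uid</string><string>userPassword</string></fetchedAttributes>
   <getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid}))</getOneFilter></ldapSourceService>
  <ldapDestinationService><name>dst</name><connection reference="Active_Directory"/>
   <fetchedAttributes><string>unicodePwd</string></fetchedAttributes></ldapDestinationService>
  <propertiesBasedSyncOptions><dataset><name>unicodePwd</name></dataset></propertiesBasedSyncOptions>
 </task></tasks>
</lsc>"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
    print(unicode_pwd("Secret1").hex(),
          user_account_control(UAC_NORMAL_ACCOUNT, UAC_DONT_EXPIRE_PASSWORD))
```

Run against the constructed `SAMPLE` it reports the two inlined bind passwords and the cleartext `userPassword` read from OpenLDAP; switching that connection to `ldaps://` (or `tlsActivated` true) clears the latter, and replacing `&amp;` with a bare `&` in a filter is reported as a well-formedness error before LSC ever sees the file.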