Hi!

Very nice!! Thank you.

On 30/01/2016 00:41, GOMEZ TORRES HECTOR wrote:
Hi to everybody.

Finally, I was able to get the sync operation from OpenLDAP to Active Directory working. I will leave here the contents of a sample lsc.xml file in the hope that it will be useful for those who need something similar.

With the following config, it is possible to run sync and clean tasks, and to update values only when they change, including the passwords; simply copy the text below into a new text file, rename it lsc.xml and save it in lsc_path\etc\. Inside this configuration you will find comments for each section and useful links to get more info about particular points.

To run LSC efficiently from Windows, it is only necessary to execute this instruction in a CMD shell:

C:\lsc\bin\lsc.bat -f C:\lsc\etc -s all -c a._Duplicate_users >> C:\lsc\log.log

supposing that the lsc folder is C:\lsc. If your path contains spaces, you will need to surround it with double quotes ("). The inner string -f C:\lsc\etc is necessary to indicate the path to the lsc.xml file; ideally you wouldn't need to specify it, but, at least on Windows, if you omit it LSC will be unable to load the file and will therefore fail with an error. The last string >> C:\lsc\log.log redirects all console output to a log file; LSC makes its own log file in %TEMP%\lsc.log, but it only lists the start and stop dates of the program.

Another issue on Windows is that lsc.bat fails if you try to run it right after decompressing, and to get it working you will need to edit the following:

-> Add final backslashes (\) in these lines:

SET CFG_DIR=%LSC_HOME%\etc
SET LIB_DIR=%LSC_HOME%\lib

to

SET CFG_DIR=%LSC_HOME%\etc\
SET LIB_DIR=%LSC_HOME%\lib\

-> Remove the double quotes (") from these others:

REM Find the java.exe executable
:get_java
IF DEFINED JAVA_HOME ( SET JAVA_COMMAND=%JAVA_HOME%\bin\java.exe) ELSE ( SET JAVA_COMMAND=)
IF NOT EXIST "%JAVA_COMMAND%" ( SET PATHQ="%PATH%"
 GOTO findJava  )
goto:eof

to

REM Find the java.exe executable
:get_java
IF DEFINED JAVA_HOME ( SET JAVA_COMMAND=%JAVA_HOME%\bin\java.exe) ELSE ( SET JAVA_COMMAND=)
IF NOT EXIST %JAVA_COMMAND% ( SET PATHQ=%PATH%
 GOTO findJava  )
goto:eof



With those modifications, you will be able to run lsc.bat without problems. To get an idea of the amount of time this process involves, synchronizing about 50,000 users between 2 servers on the same network takes about 2 hours for the first load and an hour for successive operations.

I want to give thanks to Clément Oudot for his valuable help; to those other LSC users who asked before me; and to the whole LSC developer team for this great tool.





--- Begin of lsc.xml (exclude this) ---


<?xml version="1.0" ?>

<!-- Sample LSC configuration file to duplicate OpenLDAP users into Active Directory.
     Specifically, this file configures LSC to get "uid", "userPassword" and "sn" from
     OpenLDAP and use those values to create/sync users in Active Directory, but
     different attributes can be used for particular cases.
     References:
     http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
     http://lsc-project.org/wiki/documentation/howto/activedirectory
     http://lsc-project.org/wiki/documentation/latest/start
     http://lsc-project.org/wiki/documentation/latest/configuration/start -->

<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">

  <!-- Connections configuration.
       Reference: http://lsc-project.org/wiki/documentation/latest/configuration/connections/ldap -->
  <connections>

    <!-- Connection to OpenLDAP. -->
    <ldapConnection>
      <name>OpenLDAP</name>
      <url>ldap://OLserver.domainName.org:389/ou=ouName,dc=domainName,dc=org</url>
      <username>cn=root,dc=domainName,dc=org</username>
      <password>OLpassword</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>

    <!-- SSL connection to Active Directory. -->
    <ldapConnection>
      <name>Active_Directory</name>
      <url>ldaps://ADserver.domainName.org:636/OU=ouName,DC=domainName,DC=org</url>
      <username>CN=Administrator,CN=Users,DC=domainName,DC=org</username>
      <password>ADpassword</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>

  </connections>

  <!-- Tasks configuration.
       Reference: http://lsc-project.org/wiki/documentation/latest/configuration/tasks -->
  <tasks>

    <!-- Task to synchronize users from OpenLDAP to Active Directory. -->
    <task>

      <name>a._Duplicate_users</name>
      <bean>org.lsc.beans.SimpleBean</bean>

      <!-- LDAP source service.
           Reference: http://lsc-project.org/wiki/documentation/latest/configuration/service/sourceldap -->
      <ldapSourceService>
        <name>OpenLDAP_opening_1</name>
        <connection reference="OpenLDAP" />
        <baseDn>ou=ouName,dc=domainName,dc=org</baseDn>

        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>

        <fetchedAttributes>
          <string>sn</string>
          <string>uid</string>
          <string>userPassword</string>
        </fetchedAttributes>

        <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid}))</getOneFilter>
        <cleanFilter>(&amp;(objectClass=inetOrgPerson)(uid={sAMAccountName}))</cleanFilter>
      </ldapSourceService>

      <!-- LDAP destination service.
           Reference: http://lsc-project.org/wiki/documentation/latest/configuration/service/destinationldap -->
      <ldapDestinationService>
        <name>Active_Directory_opening_1</name>
        <connection reference="Active_Directory" />
        <baseDn>OU=ouName,DC=domainName,DC=org</baseDn>

        <pivotAttributes>
          <string>sAMAccountName</string>
        </pivotAttributes>

        <fetchedAttributes>
          <string>objectClass</string>
          <string>cn</string>
          <string>displayName</string>
          <string>pwdLastSet</string>
          <string>sAMAccountName</string>
          <string>unicodePwd</string>
          <string>userAccountControl</string>
          <string>userPrincipalName</string>
        </fetchedAttributes>

        <getAllFilter>(objectClass=user)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=user)(sAMAccountName={uid}))</getOneFilter>
      </ldapDestinationService>

      <!-- Synchronization rules.
           References: http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions
           http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions/activedirectory -->
      <propertiesBasedSyncOptions>

        <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("uid") + ",OU=ouName,DC=domainName,DC=org"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>

        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>true</delete>
          <changeId>true</changeId>
        </conditions>

        <!-- objectClass = user/organizationalPerson/person/top
             Reference: http://lsc-project.org/wiki/documentation/howto/activedirectory#Non-standard_object_classes -->
        <dataset>
          <name>objectClass</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"user"</string>
            <string>"organizationalPerson"</string>
            <string>"person"</string>
            <string>"top"</string>
          </createValues>
        </dataset>

        <!-- cn = uid -->
        <dataset>
          <name>cn</name>
          <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("uid")</string>
          </createValues>
        </dataset>

        <!-- displayName = sn -->
        <dataset>
          <name>displayName</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("sn")</string>
          </forceValues>
        </dataset>

        <!-- pwdLastSet = -1; do not require the user to change the password on next logon.
             Reference: https://social.technet.microsoft.com/Forums/windowsserver/en-US/9c3caa80-9e97-4808-96a8-5af696aaa7b3/pwdlastset-possible-to-change-?forum=winserverDS -->
        <dataset>
          <name>pwdLastSet</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"-1"</string>
          </createValues>
        </dataset>

        <!-- sAMAccountName = uid -->
        <dataset>
          <name>sAMAccountName</name>
          <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("uid")</string>
          </createValues>
        </dataset>

        <!-- unicodePwd = userPassword; requires an SSL connection to Active Directory.
             Reference: http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#getUnicodePwd(java.lang.String) -->
        <dataset>
          <name>unicodePwd</name>
          <policy>KEEP</policy>
          <createValues>
            <string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))</string>
          </createValues>
        </dataset>

        <!-- Configure the account as a normal, non-admin account.
             References: http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#userAccountControlSet(int, java.lang.String[])
             http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#UAC_SET_NORMAL_ACCOUNT
             http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#UAC_SET_DONT_EXPIRE_PASSWORD -->
        <dataset>
          <name>userAccountControl</name>
          <policy>KEEP</policy>
          <createValues>
            <string>AD.userAccountControlSet("0", [AD.UAC_SET_NORMAL_ACCOUNT, AD.UAC_SET_DONT_EXPIRE_PASSWORD])</string>
          </createValues>
        </dataset>

        <!-- userPrincipalName = uid + "@domainName.org" -->
        <dataset>
          <name>userPrincipalName</name>
          <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("uid") + "@domainName.org"</string>
          </createValues>
        </dataset>

      </propertiesBasedSyncOptions>

    </task>

    <!-- Task to check for password changes in OpenLDAP and replicate them into Active Directory. -->
    <task>

      <name>b._Update_passwords</name>
      <bean>org.lsc.beans.SimpleBean</bean>

      <!-- LDAP source service.
           Reference: http://lsc-project.org/wiki/documentation/latest/configuration/service/sourceldap -->
      <ldapSourceService>
        <name>OpenLDAP_opening_2</name>
        <connection reference="OpenLDAP" />
        <baseDn>ou=ouName,dc=domainName,dc=org</baseDn>

        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>

        <fetchedAttributes>
          <string>uid</string>
          <string>userPassword</string>
        </fetchedAttributes>

        <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid}))</getOneFilter>
        <cleanFilter>(&amp;(objectClass=inetOrgPerson)(uid={sAMAccountName}))</cleanFilter>
      </ldapSourceService>

      <!-- LDAP destination service.
           Reference: http://lsc-project.org/wiki/documentation/latest/configuration/service/destinationldap -->
      <ldapDestinationService>
        <name>Active_Directory_opening_2</name>
        <connection reference="Active_Directory" />
        <baseDn>OU=ouName,DC=domainName,DC=org</baseDn>

        <pivotAttributes>
          <string>sAMAccountName</string>
        </pivotAttributes>

        <fetchedAttributes>
          <string>unicodePwd</string>
        </fetchedAttributes>

        <getAllFilter>(objectClass=user)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=user)(sAMAccountName={uid}))</getOneFilter>
      </ldapDestinationService>

      <!-- Synchronization rules.
           References: http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions
           http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions/activedirectory -->
      <propertiesBasedSyncOptions>

        <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("uid") + ",OU=ouName,DC=domainName,DC=org"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>

        <conditions>
          <create>false</create>

          <!-- Condition for password updates: update only when a bind to AD as the user
               with the OpenLDAP password fails, i.e. when the passwords differ.
               References: http://lists.lsc-project.org/pipermail/lsc-users/2016-January/002824.html
               http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions/ldap
               http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/LDAP.html -->
          <update>!(LDAP.canBind("ldaps://ADserver.domainName.org:636/OU=ouName,DC=domainName,DC=org", "CN=Administrator,CN=Users,DC=domainName,DC=org", "ADpassword", "CN=" + srcBean.getDatasetFirstValueById("uid") + ",OU=ouName,DC=domainName,DC=org", srcBean.getDatasetFirstValueById("userPassword")))</update>

          <delete>false</delete>
          <changeId>false</changeId>
        </conditions>

        <!-- unicodePwd = userPassword; requires an SSL connection to Active Directory.
             Reference: http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#getUnicodePwd(java.lang.String) -->
        <dataset>
          <name>unicodePwd</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))</string>
          </forceValues>
        </dataset>

      </propertiesBasedSyncOptions>

    </task>

  </tasks>

</lsc>

--- End of lsc.xml (exclude this) ---





Sincerely:

Héctor Gómez.
México.

--
Universidad de Colima


_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users

--
---
Gilles Galboud, Ing. Système & Réseau
UMR CNRS 5005 - Laboratoire Ampère
[email protected]
Ecole Centrale de Lyon +33(0)4 72 18 61 02
36 Avenue Guy de Collongue 69134 Ecully cedex
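As an added example, not code from the LSC project or from the original post, the following Python script reproduces offline what the a._Duplicate_users task in the lsc.xml above asks LSC to do for a single entry: derive the Active Directory attributes from the OpenLDAP uid, sn and userPassword, encode the password the way AD's unicodePwd attribute requires (the value wrapped in double quotes, then UTF-16LE, which is what AD.getUnicodePwd produces), set the userAccountControl bits for a normal account with a non-expiring password, and put pwdLastSet to -1. It also escapes the uid before interpolating it into the DN and the sAMAccountName lookup filter, and it refuses a userPassword that is stored as a hash, because unicodePwd needs the cleartext and the config only works when OpenLDAP holds userPassword in clear. The base DN, UPN suffix and attribute names are the page's placeholders; the sample source entries, the 20-character sAMAccountName check and the escaping helpers are assumptions of this example.

```python
"""Offline model of the a._Duplicate_users task; added example, not LSC code."""
import base64

# userAccountControl bits as documented by Microsoft; the first two are what
# AD.userAccountControlSet("0", [UAC_SET_NORMAL_ACCOUNT, UAC_SET_DONT_EXPIRE_PASSWORD]) sets.
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_ACCOUNTDISABLE = 0x0002

DEST_BASE = "OU=ouName,DC=domainName,DC=org"  # placeholder from the page
UPN_SUFFIX = "domainName.org"                  # placeholder from the page


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515 section 3)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def is_hashed_password(value):
    """True for an RFC 2307 style value such as {SSHA}... that cannot be converted."""
    return value.startswith("{") and "}" in value


def unicode_pwd(cleartext):
    """Encode a cleartext password as AD's unicodePwd expects: quoted, then UTF-16LE."""
    if is_hashed_password(cleartext):
        raise ValueError("userPassword is a hash, not a cleartext password")
    return ('"' + cleartext + '"').encode("utf-16-le")


def user_account_control(flags, base=0):
    """OR the given UAC bits into a base value, like AD.userAccountControlSet."""
    uac = base
    for flag in flags:
        uac |= flag
    return uac


def get_one_filter(uid):
    """The destination getOneFilter with the pivot value escaped before interpolation."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(uid)


def to_ad_entry(src):
    """Build the AD entry that the task's createValues produce for one source entry."""
    uid = src["uid"]
    if len(uid) > 20:  # assumption of this example: AD limits a user's sAMAccountName to 20 chars
        raise ValueError("uid too long for sAMAccountName: %r" % uid)
    return {
        "dn": "CN=%s,%s" % (escape_rdn_value(uid), DEST_BASE),
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": uid,
        "sAMAccountName": uid,
        "displayName": src["sn"],
        "userPrincipalName": "%s@%s" % (uid, UPN_SUFFIX),
        "unicodePwd": unicode_pwd(src["userPassword"]),
        "userAccountControl": user_account_control([UAC_NORMAL_ACCOUNT, UAC_DONT_EXPIRE_PASSWORD]),
        "pwdLastSet": -1,  # -1: do not force a password change at next logon
    }


def to_ldif(entry):
    """Render the entry as LDIF; the binary unicodePwd becomes a base64 '::' value."""
    lines = ["dn: " + entry["dn"], "changetype: add"]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        for v in value if isinstance(value, list) else [value]:
            if isinstance(v, bytes):
                lines.append("%s:: %s" % (attr, base64.b64encode(v).decode("ascii")))
            else:
                lines.append("%s: %s" % (attr, v))
    return "\n".join(lines)


# Constructed sample source entries (not real accounts; the hash is a made-up string).
SAMPLE_SOURCE = [
    {"uid": "jdoe", "sn": "Doe", "userPassword": "Secr3t!Pass"},
    {"uid": "smith, j", "sn": "Smith", "userPassword": "An0ther*Pass"},
    {"uid": "hashed", "sn": "Hash", "userPassword": "{SSHA}notArealHashValue=="},
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCE:
        try:
            print(to_ldif(to_ad_entry(src)))
            print("lookup filter:", get_one_filter(src["uid"]))
        except ValueError as err:
            print("skipped %s: %s" % (src["uid"], err))
        print()
```

The resulting userAccountControl is 66048 (0x10200), which is what the AD flag constants used in the config add up to; the script also shows why the config needs the ldaps:// connection on port 636: the unicodePwd value it produces is the password itself, only quoted and re-encoded, so AD only accepts it over an encrypted session.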

