Hi, I'm making a first attempt to synchronize group membership from our openldap server to our active directory server. Groups are created correctly, but unfortunately I'm receiving some errors while syncing the group membership. Here's the config I'm using right now:
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd"; revision="0"> <connections> <!-- Connection to Active Directory. --> <ldapConnection> <name>AD</name> <url>ldaps://addc.adds.example.com:636/dc=example,dc=com</url> <username>cn=Administrator,cn=Users,dc=adds,dc=example,dc=com</username> <password>REDACTED</password> <authentication>SIMPLE</authentication> <pageSize>1000</pageSize> </ldapConnection> <!-- Connection to OpenLDAP. --> <ldapConnection> <name>openldap</name> <url>ldaps://ldap.intranet.example.com:636/dc=example,dc=com</url> <username>cn=admin,dc=example,dc=com</username> <password>REDACTED</password> <authentication>SIMPLE</authentication> <pageSize>1000</pageSize> </ldapConnection> </connections> <!-- Tasks configuration. --> <tasks> <!-- Task for synchronize users from OpenLDAP to Active Directory. --> <task> <name>SyncPeople</name> <bean>org.lsc.beans.SimpleBean</bean> <!-- LDAP source service. --> <ldapSourceService> <name>openldap-source-service</name> <connection reference="openldap" /> <baseDn>ou=People,dc=example,dc=com</baseDn> <pivotAttributes> <string>uid</string> </pivotAttributes> <fetchedAttributes> <string>cn</string> <string>description</string> <string>givenName</string> <string>mail</string> <string>sn</string> <string>uid</string> <string>userpassword</string> <string>homePhone</string> <string>randomstuff</string> </fetchedAttributes> <getAllFilter><![CDATA[(objectClass=inetOrgPerson)]]></getAllFilter> <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter> <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))]]></cleanFilter> </ldapSourceService> <!-- LDAP destination service. --> <ldapDestinationService> <name>ad-dst-service</name> <connection reference="AD" /> <baseDn>ou=People,dc=adds,dc=example,dc=com</baseDn> <pivotAttributes> <string>sAMAccountName</string> </pivotAttributes> <fetchedAttributes> <string>objectclass</string> <string>cn</string> <string>description</string> <string>givenName</string> <string>mail</string> <string>pwdLastSet</string> <string>sAMAccountName</string> <string>sn</string> <string>unicodePwd</string> <string>userAccountControl</string> <string>userPrincipalName</string> <string>homePhone</string> </fetchedAttributes> <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter> <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter> </ldapDestinationService> <!-- Synchronization rules. --> <propertiesBasedSyncOptions> <mainIdentifier>js:"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=" + getOu(srcBean.DN) + ",dc=adds,dc=example,dc=com"</mainIdentifier> <defaultDelimiter>;</defaultDelimiter> <defaultPolicy>FORCE</defaultPolicy> <conditions> <create>true</create> <update>true</update> <delete>true</delete> <changeId>true</changeId> </conditions> <!-- objectClass = user/organizationalPerson/person/top --> <dataset> <name>objectClass</name> <policy>KEEP</policy> <createValues> <string>"user"</string> <string>"organizationalPerson"</string> <string>"person"</string> <string>"top"</string> </createValues> <delimiter>,</delimiter> </dataset> <!-- sAMAccountName = uid --> <dataset> <name>sAMAccountName</name> <policy>KEEP</policy> <createValues> <string>srcBean.getDatasetFirstValueById("uid")</string> </createValues> </dataset> <!-- userPrincipalName = uid + "@domainName.org" --> <dataset> <name>userPrincipalName</name> <policy>FORCE</policy> <forceValues> <string>srcBean.getDatasetFirstValueById("uid") + "@example.com"</string> </forceValues> </dataset> <!-- Configuring account like normal and non admin. --> <dataset> <name>userAccountControl</name> <policy>KEEP</policy> <createValues> <string>AD.userAccountControlSet( "0", [ AD.UAC_SET_PASSWD_NOTREQD,AD.UAC_SET_NORMAL_ACCOUNT ])</string> </createValues> </dataset> <!-- pwdLastSet = -1; no require to user for changing password on next logon. --> <dataset> <name>pwdLastSet</name> <policy>KEEP</policy> <createValues> <string>"0"</string> </createValues> </dataset> <dataset> <name>unicodePwd</name> <policy>KEEP</policy> <createValues> <string>AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userpassword"))</string> </createValues> </dataset> </propertiesBasedSyncOptions> <scriptInclude> <string>../scripts/getOu.js</string> </scriptInclude> </task> <!-- Task for synchronize groups from OpenLDAP to Active Directory. --> <task> <name>group</name> <bean>org.lsc.beans.SimpleBean</bean> <asyncLdapSourceService> <name>group-source-service</name> <connection reference="openldap" /> <baseDn>ou=Group,dc=example,dc=com</baseDn> <pivotAttributes> <string>cn</string> </pivotAttributes> <fetchedAttributes> <string>cn</string> <string>description</string> <string>memberUid</string> </fetchedAttributes> <getAllFilter><![CDATA[(objectClass=posixGroup)]]></getAllFilter> <getOneFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></getOneFilter> <cleanFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></cleanFilter> <serverType>OpenLDAP</serverType> </asyncLdapSourceService> <ldapDestinationService> <name>group-dst-service</name> <connection reference="AD" /> <baseDn>OU=Group,DC=adds,DC=example,DC=com</baseDn> <pivotAttributes> <string>cn</string> </pivotAttributes> <fetchedAttributes> <string>cn</string> <string>description</string> <string>member</string> <string>objectClass</string> </fetchedAttributes> <getAllFilter><![CDATA[(objectClass=group)]]></getAllFilter> <getOneFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></getOneFilter> </ldapDestinationService> <propertiesBasedSyncOptions> <mainIdentifier>js:"cn=" + javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + ",OU=Group,DC=adds,DC=example,DC=com"</mainIdentifier> <defaultDelimiter>;</defaultDelimiter> <defaultPolicy>FORCE</defaultPolicy> <conditions> <create>true</create> <update>true</update> <delete>true</delete> <changeId>true</changeId> </conditions> <dataset> <name>objectclass</name> <policy>KEEP</policy> <createValues> <string>"group"</string> <string>"top"</string> </createValues> </dataset> <dataset> <name>member</name> <policy>FORCE</policy> <forceValues> <string> <![CDATA[ rdjs: var membersSrcDn = srcBean.getDatasetValuesById("memberUid"); var membersDstDn = []; for (var i=0; i<membersSrcDn.size(); i++) { var memberSrcDn = membersSrcDn.get(i); var uid = ""; try { uid = srcLdap.attribute(memberSrcDn, "uid").get(0); } catch(e) { continue; } var destDn = ldap.search("ou=People", "(sAMAccountName=" + uid + ")"); if (destDn.size() == 0 || destDn.size() > 1) { continue; } var destMemberDn = destDn.get(0) + "," + ldap.getContextDn(); membersDstDn.push(destMemberDn); } membersDstDn ]]> </string> </forceValues> </dataset> </propertiesBasedSyncOptions> </task> </tasks> </lsc> This is the error I'm receiving: Jun 07 15:43:40 - ERROR - All entries: 69, to modify entries: 1, successfully modified entries: 0, errors: 1 Jun 07 15:43:40 - INFO - Starting clean for SyncPeople Jun 07 15:43:40 - DEBUG - Using pagedResults control for 1000 entries at a time Jun 07 15:43:41 - INFO - All entries: 68, to modify entries: 0, successfully modified entries: 0, errors: 0 Jun 07 15:43:41 - INFO - Starting sync for group Jun 07 15:43:41 - DEBUG - In object "CN=vpn-smp-production,OU=Group,DC=adds,DC=example,DC=com": List of attributes considered for writing in destination: [member, cn, description, objectClass] Jun 07 15:43:41 - DEBUG - In object "CN=vpn-smp-production,OU=Group,DC=adds,DC=example,DC=com": Attribute "member" is in FORCE status Jun 07 15:43:41 - ERROR - Programmatic error java.lang.reflect.InvocationTargetException: null at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_67] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_67] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_67] at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_67] at org.lsc.jndi.ScriptableObject.wrap(ScriptableObject.java:92) [lsc-core-2.1.3.jar:na] at org.lsc.jndi.ScriptableObject.wrapString(ScriptableObject.java:155) [lsc-core-2.1.3.jar:na] at org.lsc.jndi.ScriptableJndiServices.attribute(ScriptableJndiServices.java:211) [lsc-core-2.1.3.jar:na] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_67] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_67] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_67] at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_67] at sun.org.mozilla.javascript.internal.MemberBox.invoke(MemberBox.java:167) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.NativeJavaMethod.call(NativeJavaMethod.java:245) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.Interpreter.interpretLoop(Interpreter.java:1706) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.Interpreter.interpret(Interpreter.java:849) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.InterpretedFunction.call(InterpretedFunction.java:162) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.ContextFactory.doTopCall(ContextFactory.java:430) [na:1.7.0_67] at com.sun.script.javascript.RhinoScriptEngine$1.superDoTopCall(RhinoScriptEngine.java:116) [na:1.7.0_67] at com.sun.script.javascript.RhinoScriptEngine$1.doTopCall(RhinoScriptEngine.java:109) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.ScriptRuntime.doTopCall(ScriptRuntime.java:3160) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.InterpretedFunction.exec(InterpretedFunction.java:173) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.Context.evaluateReader(Context.java:1169) [na:1.7.0_67] at com.sun.script.javascript.RhinoScriptEngine.eval(RhinoScriptEngine.java:214) [na:1.7.0_67] at com.sun.script.javascript.RhinoScriptEngine.eval(RhinoScriptEngine.java:240) [na:1.7.0_67] at javax.script.AbstractScriptEngine.eval(AbstractScriptEngine.java:233) [na:1.7.0_67] at org.lsc.utils.JScriptEvaluator.instanceEval(JScriptEvaluator.java:222) [lsc-core-2.1.3.jar:na] at org.lsc.utils.JScriptEvaluator.evalToStringList(JScriptEvaluator.java:119) [lsc-core-2.1.3.jar:na] at org.lsc.utils.ScriptingEvaluator.evalToStringList(ScriptingEvaluator.java:136) [lsc-core-2.1.3.jar:na] at org.lsc.beans.BeanComparator.getValuesToSet(BeanComparator.java:602) [lsc-core-2.1.3.jar:na] at org.lsc.beans.BeanComparator.getUpdatedObject(BeanComparator.java:284) [lsc-core-2.1.3.jar:na] at org.lsc.beans.BeanComparator.calculateModifications(BeanComparator.java:176) [lsc-core-2.1.3.jar:na] at org.lsc.SynchronizeTask.run(AbstractSynchronize.java:773) [lsc-core-2.1.3.jar:na] at org.lsc.SynchronizeTask.run(AbstractSynchronize.java:707) [lsc-core-2.1.3.jar:na] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_67] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_67] at java.lang.Thread.run(Thread.java:745) [na:1.7.0_67] Caused by: java.lang.RuntimeException: org.apache.directory.api.ldap.model.exception.LdapInvalidDnException: ERR_04202 A value is missing on some RDN at org.lsc.jndi.JndiServices.rewriteBase(JndiServices.java:659) ~[lsc-core-2.1.3.jar:na] at org.lsc.jndi.JndiServices.doReadEntry(JndiServices.java:691) ~[lsc-core-2.1.3.jar:na] at org.lsc.jndi.JndiServices.readEntry(JndiServices.java:666) ~[lsc-core-2.1.3.jar:na] at org.lsc.jndi.ScriptableJndiServices._attr(ScriptableJndiServices.java:218) [lsc-core-2.1.3.jar:na] ... 36 common frames omitted Caused by: org.apache.directory.api.ldap.model.exception.LdapInvalidDnException: ERR_04202 A value is missing on some RDN at org.apache.directory.api.ldap.model.name.Dn.<init>(Dn.java:279) ~[api-all-1.0.0-M22.jar:1.0.0-M22] at org.apache.directory.api.ldap.model.name.Dn.<init>(Dn.java:211) ~[api-all-1.0.0-M22.jar:1.0.0-M22] at org.lsc.jndi.JndiServices.rewriteBase(JndiServices.java:647) ~[lsc-core-2.1.3.jar:na] ... 39 common frames omitted Jun 07 15:43:41 - ERROR - Programmatic error java.lang.reflect.InvocationTargetException: null at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_67] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_67] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_67] at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_67] at org.lsc.jndi.ScriptableObject.wrap(ScriptableObject.java:92) [lsc-core-2.1.3.jar:na] at org.lsc.jndi.ScriptableObject.wrapString(ScriptableObject.java:155) [lsc-core-2.1.3.jar:na] at org.lsc.jndi.ScriptableJndiServices.attribute(ScriptableJndiServices.java:211) [lsc-core-2.1.3.jar:na] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_67] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_67] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_67] at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_67] at sun.org.mozilla.javascript.internal.MemberBox.invoke(MemberBox.java:167) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.NativeJavaMethod.call(NativeJavaMethod.java:245) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.Interpreter.interpretLoop(Interpreter.java:1706) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.Interpreter.interpret(Interpreter.java:849) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.InterpretedFunction.call(InterpretedFunction.java:162) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.ContextFactory.doTopCall(ContextFactory.java:430) [na:1.7.0_67] at com.sun.script.javascript.RhinoScriptEngine$1.superDoTopCall(RhinoScriptEngine.java:116) [na:1.7.0_67] at com.sun.script.javascript.RhinoScriptEngine$1.doTopCall(RhinoScriptEngine.java:109) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.ScriptRuntime.doTopCall(ScriptRuntime.java:3160) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.InterpretedFunction.exec(InterpretedFunction.java:173) [na:1.7.0_67] at sun.org.mozilla.javascript.internal.Context.evaluateReader(Context.java:1169) [na:1.7.0_67] at com.sun.script.javascript.RhinoScriptEngine.eval(RhinoScriptEngine.java:214) [na:1.7.0_67] at com.sun.script.javascript.RhinoScriptEngine.eval(RhinoScriptEngine.java:240) [na:1.7.0_67] at javax.script.AbstractScriptEngine.eval(AbstractScriptEngine.java:233) [na:1.7.0_67] at org.lsc.utils.JScriptEvaluator.instanceEval(JScriptEvaluator.java:222) [lsc-core-2.1.3.jar:na] at org.lsc.utils.JScriptEvaluator.evalToStringList(JScriptEvaluator.java:119) [lsc-core-2.1.3.jar:na] at org.lsc.utils.ScriptingEvaluator.evalToStringList(ScriptingEvaluator.java:136) [lsc-core-2.1.3.jar:na] at org.lsc.beans.BeanComparator.getValuesToSet(BeanComparator.java:602) [lsc-core-2.1.3.jar:na] at org.lsc.beans.BeanComparator.getUpdatedObject(BeanComparator.java:284) [lsc-core-2.1.3.jar:na] at org.lsc.beans.BeanComparator.calculateModifications(BeanComparator.java:176) [lsc-core-2.1.3.jar:na] at org.lsc.SynchronizeTask.run(AbstractSynchronize.java:773) [lsc-core-2.1.3.jar:na] at org.lsc.SynchronizeTask.run(AbstractSynchronize.java:707) [lsc-core-2.1.3.jar:na] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_67] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_67] at java.lang.Thread.run(Thread.java:745) [na:1.7.0_67] Caused by: java.lang.RuntimeException: org.apache.directory.api.ldap.model.exception.LdapInvalidDnException: ERR_04202 A value is missing on some RDN at org.lsc.jndi.JndiServices.rewriteBase(JndiServices.java:659) ~[lsc-core-2.1.3.jar:na] at org.lsc.jndi.JndiServices.doReadEntry(JndiServices.java:691) ~[lsc-core-2.1.3.jar:na] at org.lsc.jndi.JndiServices.readEntry(JndiServices.java:666) ~[lsc-core-2.1.3.jar:na] at org.lsc.jndi.ScriptableJndiServices._attr(ScriptableJndiServices.java:218) [lsc-core-2.1.3.jar:na] ... 36 common frames omitted I assume the error is in the javascript code, but I'm at a loss on finding out where exactly, or how to do the debugging. Can anyone point me in the right direction? Any help would be greatly appreciated! Cheers, Frederic _______________________________________________________________ Ldap Synchronization Connector (LSC) - http://lsc-project.org lsc-users mailing list lsc-users@lists.lsc-project.org http://lists.lsc-project.org/listinfo/lsc-users
