Hi, after we did the task for AD to OpenLDAP, we added another script to 
synchronise from LDAP to AD and I don't know if it works or not. I 
explain: after we run the command

    # /usr/bin/lsc -f /etc/lsc/ldapSyncAD/ -s all -c all

there is no error and all the modifications are successful. The SSL 
certificate from AD has already been generated in the Java home. But when we 
add a user in Active Directory, it doesn't appear in the slapcat list; then we 
run this command again and it says the new user from the AD is deleted. Also we 
tested changing the user's password from OpenLDAP, but nothing changes in AD; 
but if we change it from the AD, it changes in OpenLDAP.

Here is the second script for synchronising OpenLDAP to Active Directory:

<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
  <connections>
    <ldapConnection>
      <name>AD</name>
      <url>ldap://192.168.56.128:636/dc=teknetgroup,dc=mg</url>
      <username>cn=Administrator,cn=Users,dc=teknetgroup,dc=mg</username>
      <password>Root2016</password>
      <authentication>SIMPLE</authentication>
      <pageSize>1000</pageSize>
    </ldapConnection>
    <ldapConnection>
      <name>openldap</name>
      <url>ldap://localhost:389/dc=teknetgroup,dc=mg</url>
      <username>cn=admin,dc=teknetgroup,dc=mg</username>
      <password>root</password>
      <authentication>SIMPLE</authentication>
    </ldapConnection>
  </connections>
  <tasks>
    <task>
      <name>adUsers</name>
      <bean>org.lsc.beans.SimpleBean</bean>
      <ldapSourceService>
        <name>openldap-source-service</name>
        <connection reference="openldap" />
        <baseDn>ou=people,dc=teknetgroup,dc=mg</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>description</string>
          <string>givenName</string>
          <string>mail</string>
          <string>sn</string>
          <string>uid</string>
          <string>userpassword</string>
        </fetchedAttributes>
        <getAllFilter><![CDATA[(objectClass=inetOrgPerson)]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter>
        <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))]]></cleanFilter>
      </ldapSourceService>
      <ldapDestinationService>
        <name>ad-dst-service</name>
        <connection reference="AD" />
        <baseDn>ou=Comptes,dc=teknetgroup,dc=mg</baseDn>
        <pivotAttributes>
          <string>sAMAccountName</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>sn</string>
          <string>unicodePwd</string>
          <string>userAccountControl</string>
          <string>userPrincipalName</string>
        </fetchedAttributes>
        <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Comptes,dc=teknetgroup,dc=mg"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>true</delete>
          <changeId>true</changeId>
        </conditions>
        <dataset>
          <name>objectclass</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"user"</string>
            <string>"organizationalPerson"</string>
            <string>"person"</string>
            <string>"top"</string>
          </createValues>
        </dataset>
        <dataset>
          <name>sAMAccountName</name>
          <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("uid")</string>
          </createValues>
        </dataset>
        <dataset>
          <!-- userPrincipalName = uid + "@teknetgroup.mg" -->
          <name>userPrincipalName</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("uid") + "@teknetgroup.mg"</string>
          </forceValues>
        </dataset>
        <dataset>
          <name>userAccountControl</name>
          <policy>KEEP</policy>
          <createValues>
            <string>AD.userAccountControlSet("0", [AD.UAC_SET_NORMAL_ACCOUNT])</string>
          </createValues>
        </dataset>
        <dataset>
          <!-- pwdLastSet = 0 to force user to change password on next connection -->
          <name>pwdLastSet</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"0"</string>
          </createValues>
        </dataset>
        <dataset>
          <!-- unicodePwd = "changeit" at creation (requires SSL connection to AD) -->
          <name>unicodePwd</name>
          <policy>KEEP</policy>
          <createValues>
            <string>AD.getUnicodePwd("changeit")</string>
          </createValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>
  </tasks>
</lsc>
Thanks in advance 
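Added example (an editor's illustration, not LSC's code and not part of the original post): a small Python model of the decisions an LSC task makes when run with `-s all -c all`, plus the two AD attribute encodings that `AD.getUnicodePwd(...)` and `AD.userAccountControlSet(...)` stand for in the posted task. In the synchronisation phase (`-s`) each source entry is matched in the destination by the pivot attribute and created or updated; in the clean phase (`-c`) each destination entry is matched back to the source, and with `<delete>true</delete>` a destination entry that has no source counterpart is deleted. An account created directly in AD and not yet present in OpenLDAP therefore lands in the delete set of an OpenLDAP-to-AD task, which matches what the poster reports. Directory contents, DNs and user names below are constructed, and `plan_sync` is a simplified model, not LSC's implementation.

```python
# Constructed example: a model of a one-way LSC task's sync (-s) and clean (-c)
# decisions, plus the AD attribute encodings the posted task relies on.
# Not LSC's code; sample entries and DNs are made up for illustration.

# userAccountControl bit values as documented by Microsoft for AD.
UAC_NORMAL_ACCOUNT = 0x0200
UAC_ACCOUNTDISABLE = 0x0002


def unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes, UTF-16LE.

    This is what LSC's AD.getUnicodePwd(...) produces. AD only accepts a write
    to this attribute over a TLS-protected connection, hence the "requires SSL"
    comment in the task.
    """
    return f'"{password}"'.encode("utf-16-le")


def uac_set(current: int, flags) -> int:
    """OR flag bits into a userAccountControl value (the AD.userAccountControlSet idea)."""
    value = current
    for flag in flags:
        value |= flag
    return value


def plan_sync(source: dict, destination: dict, pivot_src: str, pivot_dst: str,
              create: bool = True, update: bool = True, delete: bool = True) -> dict:
    """Return the create/update/delete decisions of a one-way task.

    source and destination map DN -> attribute dict. Pivot values are compared
    case-insensitively, as LDAP does for uid and sAMAccountName.
    - sync phase: each source entry is looked up in the destination by pivot;
      missing ones are created, present ones are updated.
    - clean phase: each destination entry is looked up in the source by pivot;
      those with no source counterpart are deleted when delete is enabled.
    """
    src_by_pivot = {attrs[pivot_src].lower(): dn for dn, attrs in source.items()}
    dst_by_pivot = {attrs[pivot_dst].lower(): dn for dn, attrs in destination.items()}
    plan = {"create": [], "update": [], "delete": []}
    for pivot, src_dn in src_by_pivot.items():
        if pivot in dst_by_pivot:
            if update:
                plan["update"].append(dst_by_pivot[pivot])
        elif create:
            plan["create"].append(src_dn)
    for pivot, dst_dn in dst_by_pivot.items():
        if pivot not in src_by_pivot and delete:
            plan["delete"].append(dst_dn)
    return plan


# Constructed sample directories: carol was created directly in AD and has
# not yet been copied into OpenLDAP by the AD-to-OpenLDAP task.
OPENLDAP = {
    "uid=alice,ou=people,dc=example,dc=test": {"uid": "alice", "cn": "Alice"},
    "uid=bob,ou=people,dc=example,dc=test": {"uid": "bob", "cn": "Bob"},
}
AD = {
    "cn=Alice,ou=Comptes,dc=example,dc=test": {"sAMAccountName": "alice"},
    "cn=Bob,ou=Comptes,dc=example,dc=test": {"sAMAccountName": "bob"},
    "cn=Carol,ou=Comptes,dc=example,dc=test": {"sAMAccountName": "carol"},
}


def openldap_to_ad_plan(delete: bool = True) -> dict:
    """The posted task's direction: OpenLDAP is the source, AD the destination."""
    return plan_sync(OPENLDAP, AD, "uid", "sAMAccountName", delete=delete)


def ad_to_openldap_plan() -> dict:
    """The other task's direction: running it first copies carol into OpenLDAP."""
    return plan_sync(AD, OPENLDAP, "sAMAccountName", "uid")


if __name__ == "__main__":
    print("OpenLDAP -> AD, delete=true :", openldap_to_ad_plan(delete=True))
    print("OpenLDAP -> AD, delete=false:", openldap_to_ad_plan(delete=False))
    print("AD -> OpenLDAP              :", ad_to_openldap_plan())
    print("unicodePwd('changeit')      :", unicode_pwd("changeit"))
    print("userAccountControl          :", hex(uac_set(0, [UAC_NORMAL_ACCOUNT])))
```

Two checks worth making on the posted task before running it with `-c all`: run the AD-to-OpenLDAP task first (or keep `<delete>false</delete>` until OpenLDAP holds every AD account), so that the OpenLDAP-to-AD clean phase has no AD-only accounts to remove; and note that the `unicodePwd` dataset defines only `createValues`, so the task supplies a password only when it creates an account, and nothing in it maps an OpenLDAP `userPassword` change to `unicodePwd` on update. Since AD refuses `unicodePwd` writes on an unprotected connection, the AD `<url>` also has to be an `ldaps://` (or StartTLS) connection; the posted one uses the `ldap://` scheme with port 636.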

    On Wednesday 14 December 2016 at 13:39, Clément OUDOT 
<clement.ou...@savoirfairelinux.com> wrote:

 On 13/12/2016 at 12:09, Hasina Stella RASOMANANDRANTO wrote:

  Hi Clement, thanks a lot, it works. I tried to add "@teknetgroup.mg" with 
<string>"{SASL}" + srcBean.getDatasetFirstValueById("userPrincipalName") + 
"@teknetgroup.mg"</string> but it didn't work, then I removed it and configured 
SASL for LDAP. The truth is we want to synchronise everything from Active 
Directory to OpenLDAP, and if we update something in LDAP it should be seen in 
the AD, and the database should stay in LDAP in case the AD crashes. I was 
wondering if there is a way to do it with one script, or shall I really set up 
two lsc.xml, one for AD to LDAP then one for LDAP to AD.  
 
 
 Hi,
 
 you will need two connectors, or two tasks: one from AD to OpenLDAP, the other 
from OpenLDAP to AD.
 
 
 
 Clément.
 
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
lsc-users@lists.lsc-project.org
http://lists.lsc-project.org/listinfo/lsc-users
