On 20/06/2017 at 14:41, futhwo wrote:
Hello,
I have a problem trying to sync users from my existing LDAP directory
to an AD forest created on a Windows 2012 server.
I followed every tutorial, but still when I try to run the task I get
an ldap error 53 (WILL_NOT_PERFORM).
The attributes that I am trying to write are those:
mail
sAMAccountName
givenName
instanceType
cn
objectclass: user
objectclass: organizationalPerson
objectclass: person
objectclass: top
sn
userAccountControl
userPrincipalName
objectCategory
Looking at the schema definition for the "person" objectClass I saw
there is a MUST attribute called ntSecurityDescriptor, which is a long
binary string (I got it with an ldapsearch on an existing user), and I
do not know how I can write it into the AD ldap connection so that the
resulting ldapmodify operation would respect the schema constraints
relative to this objectClass.
Did anyone manage to achieve my goal (sync from LDAP to AD "2012
edition")?
No, you are not forced to write the instanceType and ntSecurityDescriptor
attributes; they will be generated by AD.
But you must use LDAPS to write a new account in AD, unless you
configure LSC to create an unactivated account with the corresponding
values in userAccountControl. Otherwise, you need to set the password
(unicodePwd) and use LDAPS.
See also https://lsc-project.org/documentation/howto/activedirectory
--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
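The two options in the reply above, as an added example that is not code from the original thread or from the LSC project: build the attribute set for an AD user add either as a disabled account (userAccountControl 514, no password, accepted over plain ldap://) or as an enabled account (userAccountControl 512) that carries unicodePwd and is only sent over ldaps://. The unicodePwd encoding (password wrapped in double quotes, UTF-16-LE) and the flag values are Microsoft's documented format for those attributes; the dictionary shape, the server URI, the DN layout and the sample user are assumptions for illustration, and nothing here contacts a server.

```python
# Added example (not from the original post or the LSC project). Builds the
# attribute set for an AD user add the way the reply describes:
#   - no password  -> disabled account (userAccountControl 514), any ldap:// URI
#   - password     -> enabled account (userAccountControl 512) with unicodePwd,
#                     refused unless the URI is ldaps://
# instanceType, ntSecurityDescriptor and objectCategory are left out on
# purpose: AD fills them in from the schema. The returned dict is in the
# shape ldap3's conn.add(dn, attributes=...) accepts (an assumption about
# the caller; no ldap library is imported here).

from urllib.parse import urlparse

# userAccountControl flag bits as documented by Microsoft for the attribute
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200

# Structural classes of an AD user entry, most general first
AD_USER_OBJECT_CLASSES = ["top", "person", "organizationalPerson", "user"]


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd wire format: the password enclosed in double quotes,
    encoded as UTF-16-LE. Any other encoding is rejected with error 53."""
    return ('"' + password + '"').encode("utf-16-le")


def user_account_control(enabled: bool) -> int:
    """512 for a normal enabled account, 514 with the disable bit set."""
    uac = ADS_UF_NORMAL_ACCOUNT
    if not enabled:
        uac |= ADS_UF_ACCOUNTDISABLE
    return uac


def is_ldaps(server_uri: str) -> bool:
    """AD only accepts unicodePwd on an encrypted connection; the reply
    says LDAPS, so that is the scheme this check requires."""
    return urlparse(server_uri).scheme.lower() == "ldaps"


def build_user_entry(server_uri, base_dn, upn_domain, sam, given_name, sn,
                     mail, password=None):
    """Return (dn, attributes) for an ldap add of a new AD user.

    Without a password the account is created disabled. With a password it
    is created enabled and unicodePwd is attached, but only if the URI is
    ldaps://; otherwise AD would answer WILL_NOT_PERFORM (53), so refuse
    locally instead of leaking the password over a cleartext connection.
    RDN escaping is not handled: given_name and sn are assumed to contain
    no RFC 4514 special characters."""
    cn = f"{given_name} {sn}"
    attrs = {
        "objectClass": list(AD_USER_OBJECT_CLASSES),
        "cn": cn,
        "sn": sn,
        "givenName": given_name,
        "mail": mail,
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{upn_domain}",
    }
    if password is None:
        attrs["userAccountControl"] = str(user_account_control(enabled=False))
    else:
        if not is_ldaps(server_uri):
            raise ValueError(
                f"refusing to send unicodePwd over {server_uri}: AD returns "
                "WILL_NOT_PERFORM (53) unless the connection is LDAPS")
        attrs["userAccountControl"] = str(user_account_control(enabled=True))
        attrs["unicodePwd"] = encode_unicode_pwd(password)
    dn = f"CN={cn},{base_dn}"
    return dn, attrs


if __name__ == "__main__":
    # Constructed sample input, not taken from the thread
    dn, attrs = build_user_entry("ldaps://dc01.example.com:636",
                                 "CN=Users,DC=example,DC=com", "example.com",
                                 "jdoe", "Jane", "Doe", "jane.doe@example.com",
                                 password="Correct-Horse-Battery-Staple-1")
    print(dn)
    for name, value in attrs.items():
        print(f"  {name}: {value!r}")
```

If a run on port 389 still ends in error 53 after switching to the disabled-account variant, the remaining usual cause is an attribute AD refuses to accept from the client; compare the dictionary above with what LSC is configured to push and drop anything AD derives itself.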