Re: [lsc-users] LSC - Users deletion during sync

Thu, 31 May 2018 05:06:52 -0700 

Le 31/05/2018 à 09:56, Clément OUDOT a écrit :


Le 31/05/2018 à 09:32, Julien TEHERY a écrit :

Hi there,



Hello Julien,


One question about AD provisionning from LDAP.
I successfully imported users from an ldap into a fresh new samba4-AD
server (thanks to LSC!), in order to migrate users from an old samba
3.5 domaine to the new one.
Now the two domains live together and i intend to keep users
synchronized from the old one to the new one during the migration.

New users created in the samba4 domain won't have to be deleted, as
they will be created only in the new one.
On the contrary, actions made on users from the old LDAP will habe to
be replicated to Samba4-AD (mainly fields update and users deletion).

At the moment, if i re launch my sync task with th "delete" option,
new users created to the new domain (that don't exist in the old one)
will be deleted (exepted domain administrator and specific samba4
system accounts).

Is there a way to keep both annuary synchronized without delete new
users in the new domain?


Yes, you need to have an attribute in user entry that allows to know
which entry is linked to old directory. You can for example force a
field like "description" or "employeeType" with a value, and configure
getAllFilter in destination to only match these entries.



Thanks Clément, you're perfectly right and it's very simple.
I found out what attribute to use to do this.


One more question, this time about groups sync: I succeeded in importing 
groups from former LDAP to Samba4-AD, but those remain empty.
I don't have memberof or uniqueMember attributes ins source LDAP (since 
overlay memberof isn't activated on it..)



Is there a way to sync users, gathering informations from memberUid 
attribute to populate AD groups?



I tried filtering on posixGroups instead of groupOfUniqueNames to get 
memberUid instead of uniqueMember

Here are the details of my task:

    <task>
      <name>LDAPGROUPS2AD</name>

      <bean>org.lsc.beans.SimpleBean</bean>
       <asyncLdapSourceService>
        <name>group-source-service</name>
        <connection reference="ldap-source-conn-group" />
<baseDn>ou=groupes,dc=sourcedomain,dc=lan</baseDn>
        <pivotAttributes>
          <string>cn</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>description</string>
          <string>memberUid</string>
          <string>gidNumber</string>
        </fetchedAttributes>
<getAllFilter><![CDATA[(objectClass=posixgroup)]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=posixgroup)(cn={cn}))]]></getOneFilter>
<cleanFilter><![CDATA[(&(objectClass=posixgroup)(cn={cn}))]]></cleanFilter>
        <serverType>OpenLDAP</serverType>
      </asyncLdapSourceService>

      <ldapDestinationService>
        <name>group-dst-service</name>
        <connection reference="ldap-dst-conn-group" />
        <baseDn>OU=Groups,DC=destdomain,DC=lan</baseDn>
        <pivotAttributes>
          <string>cn</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>description</string>
          <string>member</string>
          <string>objectClass</string>
          <string>gidNumber</string>
        </fetchedAttributes>
<getAllFilter><![CDATA[(objectClass=group)]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>

        <mainIdentifier>js:"cn=" + 
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) 
+ ",OU=Groups,DC=dstdomain,DC=lan"</mainIdentifier>

        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>false</delete>
          <changeId>true</changeId>
        </conditions>
        <dataset>
          <name>objectclass</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"group"</string>
            <string>"top"</string>
          </createValues>
        </dataset>
        <dataset>
          <name>member</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>
            <![CDATA[rjs:

                 var membersSrcDn = 
srcBean.getDatasetValuesById("memberUid");

                 var membersDstDn = [];
                 for  (var i=0; i<membersSrcDn.size(); i++) {
                         var memberSrcDn = membersSrcDn.get(i);
                         var uid = "";
                         try {

                                 uid = srcLdap.attribute(memberSrcDn, 
"uid").get(0);

                         } catch(e) {
                                 continue;
                         }

                         var destDn = ldap.search("CN=Users", 
"(sAMAccountName=" + uid + ")");

                         if (destDn.size() == 0 || destDn.size() > 1) {
                                 continue;
                         }

                         var destMemberDn = destDn.get(0) + "," + 
ldap.getContextDn();

                         membersDstDn.push(destMemberDn);
                 }
                 membersDstDn
            ]]>
            </string>
          </forceValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>




When launching LSC I actually get this error, As i don't seem to get the 
memberUid attribute:



Caused by: java.lang.RuntimeException: 
org.apache.directory.api.ldap.model.exception.LdapInvalidDnException: 
ERR_04202 A value is missing on some RDN


My guess is that I have something wrong with the destDn scope..

Any idea?

Thanks
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users





















					Reply via email to