Hello Clément, hello Soisik,

Thanks for your help! I think my main problem is that I haven't completely understood the filter and dataset part of the lsc.xml. I'm working on it!

So what I want to do: I have two different Active Directories, ad01 and edu. One is called DC=ad01,DC=xxxx,DC=xx,DC=it and the other DC=edu,DC=AD01,DC=xxxx,DC=xx,DC=it. Now I want to synchronize all user accounts from the group TEST-RADIUS into DC=edu,DC=AD01,DC=xxxx,DC=xx,DC=it, and I would like to put all synced accounts into the group radius. In the group TEST-RADIUS there are three accounts: one which already exists in DC=edu,DC=AD01,DC=xxxx,DC=xx,DC=it and two which should be synced.

I found the example from Chris Gilbert and tried to modify it: https://chrisgilbert1.wordpress.com/2014/04/04/active-directory-to-openldap-sync-with-lsc/
But my getAllFilter and mainIdentifier should be the group member... I know there are a lot of parts that are not ready to be shown, so be patient with me.

May 02 10:19:02 - INFO - Logging configuration successfully loaded from /etc/lsc/ad2ad/logback.xml
May 02 10:19:02 - INFO - LSC configuration successfully loaded from /etc/lsc/ad2ad/
May 02 10:19:02 - INFO - Connecting to LDAP server ldap://10.10.10.220:389/DC=edu,DC=xxx,DC=xx,DC=it as CN=edu-ad-lookup,CN=Users,DC=edu,DC=xxx,DC=xx,DC=it
May 02 10:19:02 - INFO - Connecting to LDAP server ldap://10.16.10.40:389/DC=xxx,DC=xx,DC=it as CN=_ad-lookup,CN=Users,DC=xxx,DC=xx,DC=it
May 02 10:19:02 - INFO - Starting sync for MySyncTask
May 02 10:19:02 - ERROR - Empty or non existant source (no IDs found)
May 02 10:19:02 - INFO - Starting clean for MySyncTask
May 02 10:19:02 - INFO - All entries: 22, to modify entries: 22, successfully modified entries: 0, errors: 0

<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
  <connections>
    <ldapConnection>
      <name>source-conn</name>
      <url>ldap://192.168.14.40:389/DC=xxx,DC=xx,DC=it</url>
      <username>CN=_ad-lookup,CN=Users,DC=xxx,DC=xx,DC=it</username>
      <password>Password!</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
    <ldapConnection>
      <name>dst-conn</name>
      <url>ldap://10.0.58.220:389/DC=edu,DC=xxx,DC=xx,DC=it</url>
      <username>CN=edu-ad-lookup,CN=Users,DC=edu,DC=xxx,DC=xx,DC=it</username>
      <password>Password!</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
  </connections>
  <tasks>
    <task>
      <name>MySyncTask</name>
      <bean>org.lsc.beans.SimpleBean</bean>
      <ldapSourceService>
        <name>GroupSyncTask-src</name>
        <connection reference="source-conn" />
        <baseDn>OU=_Sicherheitsgruppen,OU=Firenze,DC=xxx,DC=xx,DC=it</baseDn>
        <pivotAttributes>
          <string>cn</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>member</string>
        </fetchedAttributes>
        <getAllFilter><![CDATA[(&(objectClass=user)(objectCategory=person)(memberof=CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Firenze,DC=xxx,DC=xx,DC=it))]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></getOneFilter>
        <cleanFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></cleanFilter>
        <interval>100</interval>
      </ldapSourceService>
      <ldapDestinationService>
        <name>ad-dst-service</name>
        <connection reference="dst-conn" />
        <baseDn>OU=Firenze,DC=edu,DC=xxx,DC=xx,DC=it</baseDn>
        <pivotAttributes>
          <string>sAMAccountName</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>description</string>
          <string>sn</string>
          <string>givenName</string>
          <string>sAMAccountName</string>
          <string>userPrincipalName</string>
        </fetchedAttributes>
        <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={sAMAccountName}))]]></getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <!-- ./mainIdentifier
             This mandatory node must contain a string Javascript expression
             that will enforce the object main identifier. -->
        <mainIdentifier>"group=" + srcBean.getDatasetValueById("group") + ",DC=edu,DC=xxx,DC=xx,DC=it"</mainIdentifier>
        <!-- ./defaultDelimiter
             This mandatory node must contain a string Javascript expression
             that will enforce the object main identifier. -->
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>false</delete>
          <changeId>false</changeId>
        </conditions>
        <dataset>
          <name>objectclass</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"user"</string>
            <string>"top"</string>
            <string>"organizationalPerson"</string>
            <string>"person"</string>
          </createValues>
        </dataset>
        <dataset>
          <name>sAMAccountName</name>
          <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
          </createValues>
        </dataset>
        <dataset>
          <!-- userPrincipalName = sAMAccountName + "@edu.xxx.xx.it" -->
          <name>userPrincipalName</name>
          <policy>FORCE</policy>
          <forceValues>
            <string>srcBean.getDatasetFirstValueById("sAMAccountName") + "@edu.xxx.xx.it"</string>
          </forceValues>
        </dataset>
        <dataset>
          <name>userAccountControl</name>
          <policy>KEEP</policy>
          <createValues>
            <string>AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])</string>
          </createValues>
        </dataset>
        <dataset>
          <!-- pwdLastSet = 0 to force user to change password on next connection -->
          <name>pwdLastSet</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"0"</string>
          </createValues>
        </dataset>
        <dataset>
          <!-- unicodePwd = "changeit" at creation (requires SSL connection to AD) -->
          <name>unicodePwd</name>
          <policy>KEEP</policy>
          <createValues>
            <string>AD.getUnicodePwd("changeit")</string>
          </createValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>
  </tasks>
</lsc>

-----Original Message-----
From: lsc-users <[email protected]> On behalf of Soisik Froger
Sent: Tuesday, 30 April 2019 18:11
To: [email protected]
Subject: Re: [lsc-users] Need help with the filters

On 30/04/2019 17:15, Pilling, Michael wrote:
> But when I try:
>
> <getAllFilter>(&(objectClass=user)(objectCategory=person)(memberof=CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=xxxx,DC=AD01,DC=xx,DC=it))</getAllFilter>
>
> It doesn't work. Is there a way to use the "memberof" syntax?

Hi Michael,

I do not reproduce any issue with a memberof attribute in the getAllFilter of a ldapSourceService with AD, it picks up the users that are member of that group as expected.

How exactly "it doesn't work"? Do you get any error, no entries, not the entries you expect?

Please send some more log or the configuration of your task so we can help.

Regards.

-- 
Soisik Froger | Software Architect
[email protected]
Worteks | https://www.worteks.com

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
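An added example (editor's code, not from the thread or the LSC project) that simulates what the directory server does with an ldapSourceService search: it applies the subtree scope of the baseDn first and only then the getAllFilter. The directory it searches is constructed; the user OU (OU=Users,OU=Firenze,...) and the account names are assumptions, not the poster's real AD. It shows that a filter selecting user objects by memberOf returns nothing when the search base contains only the group's OU, which is one way to arrive at "Empty or non existant source (no IDs found)", while the same filter from a base that contains the accounts returns the group members, and the posted getOneFilter still finds the group under the posted baseDn.

```python
"""Simulate the server side of an LSC ldapSourceService search: subtree scope from
baseDn, then the getAllFilter (RFC 4515). Constructed data; the user OU is assumed."""
import re

GROUP_DN = "CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Firenze,DC=xxx,DC=xx,DC=it"
GROUP_OU = "OU=_Sicherheitsgruppen,OU=Firenze,DC=xxx,DC=xx,DC=it"   # baseDn as posted
USER_OU = "OU=Users,OU=Firenze,DC=xxx,DC=xx,DC=it"                 # assumed account location
DOMAIN = "DC=xxx,DC=xx,DC=it"


def _user(cn, sam, groups):
    # Attribute names are stored lower-cased (LDAP attribute names are case-insensitive).
    # objectCategory keeps the short form AD accepts in filters ("person"); a real DC
    # expands it to the schema-class DN before comparing.
    return {"objectclass": ["top", "person", "organizationalPerson", "user"],
            "objectcategory": "person", "cn": cn, "samaccountname": sam, "memberof": groups}


# Constructed directory: the group sits in the OU the posted baseDn points at,
# the accounts that are members of it sit in a different OU of the same domain.
DIRECTORY = {
    GROUP_DN: {"objectclass": ["top", "group"], "cn": "TEST-RADIUS",
               "member": [f"CN={cn},{USER_OU}" for cn in ("User One", "User Two", "User Three")]},
    f"CN=User One,{USER_OU}": _user("User One", "user1", [GROUP_DN]),
    f"CN=User Two,{USER_OU}": _user("User Two", "user2", [GROUP_DN]),
    f"CN=User Three,{USER_OU}": _user("User Three", "user3", [GROUP_DN]),
    f"CN=Not Member,{USER_OU}": _user("Not Member", "nomember", []),  # not in the group
}


def parse_filter(s, pos=0):
    """Minimal RFC 4515 parser: (&...), (|...), (!...) and (attr=value) with '*' wildcards.
    Returns (node, next_pos). Escapes and ')' inside values are not handled."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = s[pos]
    if op in "&|":
        pos += 1
        children = []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        return (op, children), pos + 1            # skip the closing ')'
    if op == "!":
        child, pos = parse_filter(s, pos + 1)
        return ("!", child), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")    # split on the FIRST '=': DN values keep theirs
    return ("=", attr.strip().lower(), value), end + 1


def _value_matches(pattern, value):
    # '*' matches any run of characters; AD compares DN and most string syntaxes case-insensitively.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    return any(_value_matches(pattern, v) for v in values)


def _norm_dn(dn):
    # Case-fold and strip whitespace around RDNs; escaped commas in RDN values are not handled.
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def in_subtree(entry_dn, base_dn):
    """Subtree scope: the base entry itself and everything below it."""
    e, b = _norm_dn(entry_dn), _norm_dn(base_dn)
    return e == b or e.endswith("," + b)


def search(directory, base_dn, filter_str):
    """Return the sorted DNs of entries under base_dn that satisfy filter_str."""
    node, _ = parse_filter(filter_str)
    return sorted(dn for dn, attrs in directory.items()
                  if in_subtree(dn, base_dn) and matches(node, attrs))


def demo():
    """The posted filters against two search bases."""
    get_all = f"(&(objectClass=user)(objectCategory=person)(memberof={GROUP_DN}))"
    get_one_group = "(&(objectClass=group)(cn=TEST-RADIUS))"   # posted getOneFilter with {cn} filled in
    return {
        "users_under_group_ou": search(DIRECTORY, GROUP_OU, get_all),   # empty: no user objects live there
        "users_under_domain": search(DIRECTORY, DOMAIN, get_all),       # the three group members
        "group_under_group_ou": search(DIRECTORY, GROUP_OU, get_one_group),
    }


if __name__ == "__main__":
    for name, dns in demo().items():
        print(f"{name}: {len(dns)} entries")
        for dn in dns:
            print("   ", dn)
```

The same check can be run against a real DC with ldapsearch using the two search bases, which separates a scoping problem from a filter-syntax problem before touching the LSC task. One caveat the posted configuration itself points at: the unicodePwd dataset's comment says setting that attribute requires an SSL connection to AD, but dst-conn uses ldap:// on 389 with tlsActivated set to false; AD rejects unicodePwd writes over an unencrypted connection, so account creation would fail at that step even once the source search returns IDs.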

