Hello Clément,
I'm not sure, but it seems that + 
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById wouldn't 
work in a dataset like this:
(Or I made again something wrong, and I apologize)

<dataset>
  <name>cn</name>
  <policy>KEEP</policy>
  <createValues>
    <string>js:"cn=" + javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + ",DC=AD01,DC=xxx,DC=xx,DC=it"</string>
  </createValues>
</dataset>

In dry run I got no errors but when I try to sync I got this:

May 09 16:59:34 - ERROR - Error while adding entry cn=,DC=AD01,DC=xxx,DC=xx,DC=it in directory :javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]; remaining name 'cn='
May 09 16:59:34 - ERROR - Error while synchronizing ID cn=,DC=AD01,DC=xxx,DC=xx,DC=it: java.lang.Exception: Technical problem while applying modifications to the destination
# Thu May 09 16:59:34 CEST 2019
dn: cn=,DC=AD01,DC=xxx,DC=xx,DC=it

By the way the user which connects to the destination AD must have Domain Admin 
rights, is this right?
Best regards!
Michael


-----Original Message-----
From: lsc-users <[email protected]> On Behalf Of Clément OUDOT
Sent: Thursday, 9 May 2019 14:19
To: [email protected]
Subject: Re: [lsc-users] Need help with the filters


On 09/05/2019 at 14:03, Pilling, Michael wrote:
> Hello Soisik,
>
> thanks a lot for your reply. It brought me a big step forward!
> -ldaps is fixed

Great!

>
> But I still have trouble to understand the Filters and how to build them.
> For example
> <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={sAMAccountName}))]]></getOneFilter>
> and I look at the part (sAMAccountName={sAMAccountName})
> Could you explain what it exactly does or where I can read something about it?


What you put into {} is the pivot attribute. You can have some explanation 
here: https://lsc-project.org/documentation/latest/basics


> A second big problem is with my cn. 
> Somebody changed the way users are created, so if I look at my account the 
> distinguishedName looks like:
> CN=Pilling\, Michael,OU=IT,OU=Firenze,DC=xxx,DC=xx,DC=it
>
> I think this is the reason that the main Identifier doesn't work. I have 
> created all needed OUs and changed the settings for the accounts at the 
> destination side but the mainIdentifier
> <mainIdentifier>"cn=" + srcBean.getDatasetValueById("cn") + ",DC=AD01,DC=xxx,DC=xx,DC=it"</mainIdentifier>
> doesn't work.
> I still get this error:
> May 09 13:38:42 - ERROR - Fail to compute expression: "cn=" + srcBean.getDatasetValueById("distinguishedName") + ",DC=AD01,DC=xxx,DC=xx,DC=it" on id=CN=Pilling\, Michael,OU=IT,OU=Firenze,DC=xxx,DC=xx,DC=it
> Reason: javax.script.ScriptException: TypeError: srcBean.getDatasetValueById is not a function in <eval> at line number 5
> May 09 13:38:42 - ERROR - Error while synchronizing ID {samaccountname=xxxxxxxxxxxxxx}: org.lsc.exception.LscServiceException: javax.script.ScriptException: TypeError: srcBean.getDatasetValueById is not a function in <eval> at line number 5


You can use "getDatasetFirstValueById" to get the first value of an attribute.

Note that to construct a DN you must escape special characters. So your 
mainIdentifier should be:

<mainIdentifier>"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn"))
+ ",DC=AD01,DC=xxx,DC=xx,DC=it"</mainIdentifier>

See https://lsc-project.org/documentation/latest/upgrade#dn_escaping


--
Clément Oudot | Identity Solutions Manager

[email protected]

Worteks | https://www.worteks.com

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
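
Added example (not part of the original messages and not LSC code): a standalone Java sketch of the DN construction discussed in the thread, using the same javax.naming.ldap.Rdn.escapeValue call, with a guard against the empty value that produces "cn=,DC=..." and a round-trip check that the value did not change the DN structure. The class name, the buildDn and describeUnescaped helpers and the sample values are assumptions made for illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnEscapeDemo {
    // Suffix copied from the mainIdentifier in the thread.
    static final String SUFFIX = "DC=AD01,DC=xxx,DC=xx,DC=it";

    // Hypothetical helper: builds "cn=<escaped>,<suffix>" and verifies the result.
    static String buildDn(String cn) throws InvalidNameException {
        if (cn == null || cn.trim().isEmpty()) {
            // An empty value would yield "cn=,DC=..." as in the sync log.
            throw new InvalidNameException("empty cn, refusing to build a DN");
        }
        String dn = "cn=" + Rdn.escapeValue(cn) + "," + SUFFIX;
        LdapName parsed = new LdapName(dn);
        int expected = new LdapName(SUFFIX).size() + 1;
        // LdapName numbers RDNs from the right, so the leaf is the last index.
        Object leaf = parsed.getRdn(parsed.size() - 1).getValue();
        if (parsed.size() != expected || !cn.equals(leaf)) {
            throw new InvalidNameException("value altered the DN structure: " + dn);
        }
        return dn;
    }

    // Parses the naive, unescaped concatenation to show how it would be read.
    static String describeUnescaped(String cn) {
        try {
            return new LdapName("cn=" + cn + "," + SUFFIX).size() + " RDNs";
        } catch (InvalidNameException e) {
            return "not a valid DN";
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real directory.
        String[] samples = { "Pilling, Michael", "x,OU=Other", "plain", "" };
        for (String cn : samples) {
            String escaped;
            try {
                escaped = buildDn(cn);
            } catch (InvalidNameException e) {
                escaped = "rejected (" + e.getMessage() + ")";
            }
            System.out.println("[" + cn + "] unescaped: " + describeUnescaped(cn)
                    + " | escaped: " + escaped);
        }
    }
}
```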