Le 09/05/2019 à 17:24, Pilling, Michael a écrit :
> Hello Clément,
> I'm not sure, but it seems that +
> javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById wouldn't
> work in a dataset like this:
> (Or I made again something wrong, and I apologize)
>
> <dataset>
> <name>cn</name>
> <policy>KEEP</policy>
> <createValues>
> <string>js:"cn=" +
> javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) +
> ",DC=AD01,DC=xxx,DC=xx,DC=it"</string>
> </createValues>
> </dataset>
You must not use Rdn.escapeValue in a dataset, as the dataset will fill
an attribute value, not the DN. Use the escaping function only in
mainIdentifier.
> In dry run I got no errors but when I try to sync I got this:
>
> May 09 16:59:34 - ERROR - Error while adding entry
> cn=,DC=AD01,DC=xxx,DC=xx,DC=it in directory
> :javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr:
> DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
> ]; remaining name 'cn='
> May 09 16:59:34 - ERROR - Error while synchronizing ID
> cn=,DC=AD01,DC=xxx,DC=xx,DC=it: java.lang.Exception: Technical problem while
> applying modifications to the destination
> # Thu May 09 16:59:34 CEST 2019
> dn: cn=,DC=AD01,DC=xxx,DC=xx,DC=it
>
> By the way the user which connects to the destination AD must have Domain
> Admin rights, is this right?
The first issue is that cn has no value (cn=), which means LSC do not
get the cn value from the source. Check if cn is listed in
fetchedAttribute in source service.
Then the user connecting to AD indeed need write privileges. Domain
Admin should be enough for that.
--
Clément Oudot | Identity Solutions Manager
[email protected]
Worteks | https://www.worteks.com
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
