Hello all,
I've got a lot to work but I have still some problems:

1.  my cleanFilter for the user isn't working. 
I would like to delete an account if it is removed from TEST-RADIUS

2.  my group TEST-RADIUS always produce an error:

May 22 16:36:04 - ERROR - Error while modifying entry 
CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it in 
directory :javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 
00000562: UpdErr: DSID-031A11E2, problem 6005 (ENTRY_EXISTS), data 0
]; remaining name 'CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna'
May 22 16:36:04 - ERROR - Error while synchronizing ID 
CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it: 
java.lang.Exception: Technical problem while applying modifications to the 
destination

Is this because the group exist? Can I avoid that the group is always new 
created?
Sure the member should be updated...

3. I would like to create a description, but              <string>"Access for" 
+ srcBean.getDatasetFirstValueById("sn")+ 
srcBean.getDatasetFirstValueById("givenName")</string>
Doesn't work.

4. I think every user account should be created in it's OU I have created the 
OU's but they always created in OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it.
It is not a big Problem my colleagues likes the behavior...

Could you give me again a tip ?
Best regards,
Michael




 
<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd"; revision="0">

        <connections>
                <ldapConnection>
                        <name>source-conn</name>
                        <url>ldap://192.168.20.15:389/DC=xxx,DC=xx,DC=it</url>
                        
<username>CN=_ad-user,CN=Users,DC=xxx,DC=xx,DC=it</username>
                        <password>password!</password>
                        <authentication>SIMPLE</authentication>
                        <referral>IGNORE</referral>
                        <derefAliases>NEVER</derefAliases>
                        <version>VERSION_3</version>
                        <pageSize>1000</pageSize>
                        <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
                        <tlsActivated>false</tlsActivated>
                </ldapConnection>
                

                <ldapConnection>
                        <name>dst-conn</name>
                        
<url>ldaps://DC-AD01.edu.xxx.xx.it:636/DC=edu,DC=xxx,DC=xx,DC=it</url>
                        
<username>CN=ad01-ad-user,CN=Users,DC=edu,DC=xxx,DC=xx,DC=it</username>
                        <password>password!</password>
                        <authentication>SIMPLE</authentication>
                        <referral>IGNORE</referral>
                        <derefAliases>NEVER</derefAliases>
                        <version>VERSION_3</version>
                        <pageSize>1000</pageSize>
                        <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
                        <tlsActivated>false</tlsActivated>
                </ldapConnection>

        </connections>

 <tasks>

    <task>
      <name>A-Sync-People-Task</name>
                <bean>org.lsc.beans.SimpleBean</bean>
                 
        <ldapSourceService>
        
        <name>GetPeoplefromGroupTask-src</name>
        <connection reference="source-conn" />
        <baseDn>OU=Bologna,DC=xxx,DC=xx,DC=it</baseDn>
                
        <pivotAttributes>
          <string>sAMAccountName</string>
        </pivotAttributes>
                
    <fetchedAttributes>
                    <string>objectclass</string>
                                <string>sn</string>
                                <string>givenName</string>
                                <string>userPrincipalName</string>
                                <string>name</string>
                                <string>cn</string>
                                <string>sAMAccountName</string>
                                
    </fetchedAttributes>
        

<getAllFilter><![CDATA[(&(objectClass=user)(objectCategory=person)(memberof=CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=xxx,DC=xx,DC=it))]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=user)(objectCategory=person)(sAMAccountName={sAMAccountName})(memberof=CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=xxx,DC=xx,DC=it))]]></getOneFilter>
<cleanFilter><![CDATA[(&(objectClass=user)(objectCategory=person)(sAMAccountName={sAMAccountName}))]]></cleanFilter>
    
        <interval>100</interval>
 </ldapSourceService>   

 <ldapDestinationService>
          
        <name>ad-dst-service</name>
        <connection reference="dst-conn" />
        <baseDn>OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it</baseDn>
        <pivotAttributes>
          <string>sAMAccountName</string>
        </pivotAttributes>
        <fetchedAttributes>
                      <string>objectclass</string>
                                <string>sn</string>
                                <string>givenName</string>
                                <string>sAMAccountName</string>
                                <string>userPrincipalName</string>
                                <string>cn</string>
                                
        </fetchedAttributes>
        
<getAllFilter><![CDATA[(&(objectClass=user)(objectCategory=person)(memberof=CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=fi,DC=it))]]></getAllFilter>
        
<getOneFilter><![CDATA[(&((objectClass=user)(objectCategory=person)(sAMAccountName={sAMAccountName})))]]></getOneFilter>
                
      </ldapDestinationService>
          
          
<propertiesBasedSyncOptions>

<!--    ./mainIdentifier This mandatory node must contain a string Javascript 
expression that will enforce the object main identifier.-->
<mainIdentifier>"cn=" + 
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + 
",OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it"</mainIdentifier>
<!--    ./defaultDelimiter This mandatory node must contain a string Javascript 
expression that will enforce the object main identifier.-->

<defaultDelimiter>;</defaultDelimiter>
        
<defaultPolicy>MERGE</defaultPolicy>

        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>true</delete>
          <changeId>true</changeId>
        </conditions>
                
    <dataset>
         <name>cn</name>
         <policy>KEEP</policy>
          <createValues>
             <string>srcBean.getDatasetFirstValueById("cn")</string>
           </createValues>
    </dataset>

    <dataset>
         <name>sn</name>
         <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("sn")</string>
          </createValues>  
    </dataset>
     
    <dataset>
         <name>givenName</name>
         <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("givenName")</string>
          </createValues>
     </dataset> 

    <dataset>
      <name>objectclass</name>
      <policy>KEEP</policy>
      <createValues>
           <string>"organizationalPerson"</string>
       <string>"person"</string>
       <string>"top"</string>
           <string>"user"</string>       
      </createValues>
    </dataset>
        
    <dataset>
      <name>description</name>
         <policy>KEEP</policy>
           <createValues>
             <string>" Access for " + srcBean.getDatasetFirstValueById("sn")+ 
srcBean.getDatasetFirstValueById("givenName")</string>
           </createValues>
    </dataset>
    
        <dataset>
      <name>description</name>
         <policy>KEEP</policy>
           <createValues>
             <string>Zugang srcBean.getDatasetFirstValueById("sn")</string>
           </createValues>
    </dataset>

        <dataset>
     <!-- userPrincipalName = sAMAccountName + "@ad01.xxx.xx.it" -->
     <name>userPrincipalName</name>
     <policy>KEEP</policy>
     <forceValues>
      <string>srcBean.getDatasetFirstValueById("sAMAccountName") + 
"@ad01.xxx.xx.it"</string>
     </forceValues>
    </dataset>
        
    <dataset>
        <name>userAccountControl</name>
        <policy>MERGE</policy>
         <createValues>
           <string>AD.userAccountControlSet( "0", 
[AD.UAC_SET_NORMAL_ACCOUNT])</string>
         </createValues>
    </dataset>
        
    <dataset>
     <!-- pwdLastSet = 0 to force user to change password on next connection 
--> 
     <name>pwdLastSet</name>
     <policy>KEEP</policy>
     <createValues>
      <string>"0"</string>
     </createValues>
    </dataset>
        
<dataset>
     <name>unicodePwd</name>
     <policy>KEEP</policy>
     <createValues>
      <string>AD.getUnicodePwd("changeit")</string>
     </createValues>  
    </dataset>


      
      </propertiesBasedSyncOptions>
           
  </task>
  
        <task>
          <name>Z-Sync-Group-Task</name>
                <bean>org.lsc.beans.SimpleBean</bean>
                 
        <ldapSourceService>
        <name>LoadGroupMember-src</name>
        <connection reference="source-conn" />
        <baseDn>OU=Bologna,DC=xxx,DC=xx,DC=it</baseDn>
                
        <pivotAttributes>
          <string>cn</string>
                  <string></string>
        </pivotAttributes>
                
        <fetchedAttributes>
          <string>cn</string>
          <string>member</string>
          <string>objectClass</string>
        </fetchedAttributes>
        
        
<getAllFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*))]]></getAllFilter>
        
<getOneFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*)(cn={cn}))]]></getOneFilter>
        
<cleanFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*))]]></cleanFilter>
        <interval>100</interval>
      </ldapSourceService>      

      <ldapDestinationService>
        <name>ad-dst-service02</name>
             <connection reference="dst-conn" />
        <baseDn>OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it</baseDn>
                
        <pivotAttributes>
             <string>cn</string>
        </pivotAttributes>
                
        <fetchedAttributes>
             <string>cn</string>
             <string>member</string>
             <string>objectClass</string>
        </fetchedAttributes>
                
        
<getAllFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*))]]></getAllFilter>
        
<getOneFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*)(cn={cn}))]]></getOneFilter>
        
      </ldapDestinationService>
          
<propertiesBasedSyncOptions>
   <mainIdentifier>"cn=" + 
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + 
",OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it"</mainIdentifier>
    <defaultDelimiter>;</defaultDelimiter>
        
        <defaultPolicy>MERGE</defaultPolicy>
        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>true</delete>
          <changeId>true</changeId>
        </conditions>
                
       <dataset>
          <name>objectclass</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"group"</string>
            <string>"top"</string>
          </createValues>
       </dataset>
        
  <dataset>
         <name>member</name>
         <policy>MERGE</policy>
         <forceValues>
           <string>
           <![CDATA[rjs:
                var membersSrcDn = srcBean.getDatasetValuesById("Member");
                var membersDstDn = [];
                for  (var i=0; i<membersSrcDn.size(); i++) {
                        var memberSrcDn = membersSrcDn.get(i);
                        var uid = "";
                        try {
                                uid = srcLdap.attribute(memberSrcDn, 
"sAMAccountName").get(0);
                        } catch(e) {
                                continue;
                        }
                        var destDn = ldap.search("OU=Bologna", 
"(sAMAccountName=" + uid + ")");
                        if (destDn.size() == 0 || destDn.size() > 1) {
                                continue;
                        }
                        var destMemberDn = destDn.get(0) + "," +  
ldap.getContextDn();
                        membersDstDn.push(destMemberDn);
                }
                membersDstDn
           ]]>
           </string>
         </forceValues>
  </dataset>
 
   </propertiesBasedSyncOptions>
          
          
        </task>
  
 </tasks>

</lsc>





-----Ursprüngliche Nachricht-----
Von: lsc-users <[email protected]> Im Auftrag von Clément 
OUDOT
Gesendet: Freitag, 10. Mai 2019 11:33
An: [email protected]
Betreff: Re: [lsc-users] Need help with the filters


Le 09/05/2019 à 17:24, Pilling, Michael a écrit :
> Hello Clément,
> I'm not sure, but it seems that + 
> javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById wouldn't 
> work in a dataset like this:
> (Or I made again something wrong, and I apologize)
>
> <dataset>
>          <name>cn</name>
>          <policy>KEEP</policy>
>           <createValues>
>             <string>js:"cn=" + 
> javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + 
> ",DC=AD01,DC=xxx,DC=xx,DC=it"</string>
>           </createValues>
>         </dataset>


You must not use Rdn.escapeValue in a dataset, as the dataset will fill an 
attribute value, not the DN. Use the escaping function only in mainIdentifier.


> In dry run I got no errors but when I try to sync I got this:
>
> May 09 16:59:34 - ERROR - Error while adding entry 
> cn=,DC=AD01,DC=xxx,DC=xx,DC=it in directory 
> :javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: 
> DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]; remaining name 
> 'cn='
> May 09 16:59:34 - ERROR - Error while synchronizing ID 
> cn=,DC=AD01,DC=xxx,DC=xx,DC=it: java.lang.Exception: Technical problem 
> while applying modifications to the destination # Thu May 09 16:59:34 
> CEST 2019
> dn: cn=,DC=AD01,DC=xxx,DC=xx,DC=it
>
> By the way the user which connects to the destination AD must have Domain 
> Admin rights, is this right?


The first issue is that cn has no value (cn=), which means LSC do not get the 
cn value from the source. Check if cn is listed in fetchedAttribute in source 
service.

Then the user connecting to AD indeed need write privileges. Domain Admin 
should be enough for that.



--
Clément Oudot | Identity Solutions Manager

[email protected]

Worteks | https://www.worteks.com

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users

Reply via email to