Hello all,
I've got a lot working, but I still have some problems:
1. my cleanFilter for the user isn't working.
I would like to delete an account if it is removed from TEST-RADIUS
2. my group TEST-RADIUS always produces an error:
May 22 16:36:04 - ERROR - Error while modifying entry
CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it in
directory :javax.naming.NameAlreadyBoundException: [LDAP: error code 68 -
00000562: UpdErr: DSID-031A11E2, problem 6005 (ENTRY_EXISTS), data 0
]; remaining name 'CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna'
May 22 16:36:04 - ERROR - Error while synchronizing ID
CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it:
java.lang.Exception: Technical problem while applying modifications to the
destination
Is this because the group exists? Can I avoid the group always being
created anew?
Of course the members should be updated...
3. I would like to create a description, but <string>"Access for"
+ srcBean.getDatasetFirstValueById("sn")+
srcBean.getDatasetFirstValueById("givenName")</string>
doesn't work.
4. I think every user account should be created in its OU. I have created the
OUs, but they are always created in OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it.
It is not a big problem; my colleagues like the behavior...
Could you give me a tip again?
Best regards,
Michael
<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
<connections>
<ldapConnection>
<name>source-conn</name>
<url>ldap://192.168.20.15:389/DC=xxx,DC=xx,DC=it</url>
<username>CN=_ad-user,CN=Users,DC=xxx,DC=xx,DC=it</username>
<password>password!</password>
<authentication>SIMPLE</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<pageSize>1000</pageSize>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
</ldapConnection>
<ldapConnection>
<name>dst-conn</name>
<url>ldaps://DC-AD01.edu.xxx.xx.it:636/DC=edu,DC=xxx,DC=xx,DC=it</url>
<username>CN=ad01-ad-user,CN=Users,DC=edu,DC=xxx,DC=xx,DC=it</username>
<password>password!</password>
<authentication>SIMPLE</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<pageSize>1000</pageSize>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
</ldapConnection>
</connections>
<tasks>
<task>
<name>A-Sync-People-Task</name>
<bean>org.lsc.beans.SimpleBean</bean>
<ldapSourceService>
<name>GetPeoplefromGroupTask-src</name>
<connection reference="source-conn" />
<baseDn>OU=Bologna,DC=xxx,DC=xx,DC=it</baseDn>
<pivotAttributes>
<string>sAMAccountName</string>
</pivotAttributes>
<fetchedAttributes>
<string>objectclass</string>
<string>sn</string>
<string>givenName</string>
<string>userPrincipalName</string>
<string>name</string>
<string>cn</string>
<string>sAMAccountName</string>
</fetchedAttributes>
<getAllFilter><![CDATA[(&(objectClass=user)(objectCategory=person)(memberof=CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=xxx,DC=xx,DC=it))]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=user)(objectCategory=person)(sAMAccountName={sAMAccountName})(memberof=CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=xxx,DC=xx,DC=it))]]></getOneFilter>
<cleanFilter><![CDATA[(&(objectClass=user)(objectCategory=person)(sAMAccountName={sAMAccountName}))]]></cleanFilter>
<interval>100</interval>
</ldapSourceService>
<ldapDestinationService>
<name>ad-dst-service</name>
<connection reference="dst-conn" />
<baseDn>OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it</baseDn>
<pivotAttributes>
<string>sAMAccountName</string>
</pivotAttributes>
<fetchedAttributes>
<string>objectclass</string>
<string>sn</string>
<string>givenName</string>
<string>sAMAccountName</string>
<string>userPrincipalName</string>
<string>cn</string>
</fetchedAttributes>
<getAllFilter><![CDATA[(&(objectClass=user)(objectCategory=person)(memberof=CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it))]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=user)(objectCategory=person)(sAMAccountName={sAMAccountName}))]]></getOneFilter>
</ldapDestinationService>
<propertiesBasedSyncOptions>
<!-- ./mainIdentifier This mandatory node must contain a string Javascript
expression that will enforce the object main identifier.-->
<mainIdentifier>"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) +
",OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it"</mainIdentifier>
<!-- ./defaultDelimiter This mandatory node contains the delimiter used to
separate multiple values in a single string.-->
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>MERGE</defaultPolicy>
<conditions>
<create>true</create>
<update>true</update>
<delete>true</delete>
<changeId>true</changeId>
</conditions>
<dataset>
<name>cn</name>
<policy>KEEP</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("cn")</string>
</createValues>
</dataset>
<dataset>
<name>sn</name>
<policy>KEEP</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("sn")</string>
</createValues>
</dataset>
<dataset>
<name>givenName</name>
<policy>KEEP</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("givenName")</string>
</createValues>
</dataset>
<dataset>
<name>objectclass</name>
<policy>KEEP</policy>
<createValues>
<string>"organizationalPerson"</string>
<string>"person"</string>
<string>"top"</string>
<string>"user"</string>
</createValues>
</dataset>
<dataset>
<name>description</name>
<policy>KEEP</policy>
<createValues>
<string>" Access for " + srcBean.getDatasetFirstValueById("sn")+
srcBean.getDatasetFirstValueById("givenName")</string>
</createValues>
</dataset>
<dataset>
<name>description</name>
<policy>KEEP</policy>
<createValues>
<string>Zugang srcBean.getDatasetFirstValueById("sn")</string>
</createValues>
</dataset>
<dataset>
<!-- userPrincipalName = sAMAccountName + "@ad01.xxx.xx.it" -->
<name>userPrincipalName</name>
<policy>KEEP</policy>
<forceValues>
<string>srcBean.getDatasetFirstValueById("sAMAccountName") +
"@ad01.xxx.xx.it"</string>
</forceValues>
</dataset>
<dataset>
<name>userAccountControl</name>
<policy>MERGE</policy>
<createValues>
<string>AD.userAccountControlSet( "0",
[AD.UAC_SET_NORMAL_ACCOUNT])</string>
</createValues>
</dataset>
<dataset>
<!-- pwdLastSet = 0 to force user to change password on next connection
-->
<name>pwdLastSet</name>
<policy>KEEP</policy>
<createValues>
<string>"0"</string>
</createValues>
</dataset>
<dataset>
<name>unicodePwd</name>
<policy>KEEP</policy>
<createValues>
<string>AD.getUnicodePwd("changeit")</string>
</createValues>
</dataset>
</propertiesBasedSyncOptions>
</task>
<task>
<name>Z-Sync-Group-Task</name>
<bean>org.lsc.beans.SimpleBean</bean>
<ldapSourceService>
<name>LoadGroupMember-src</name>
<connection reference="source-conn" />
<baseDn>OU=Bologna,DC=xxx,DC=xx,DC=it</baseDn>
<pivotAttributes>
<string>cn</string>
</pivotAttributes>
<fetchedAttributes>
<string>cn</string>
<string>member</string>
<string>objectClass</string>
</fetchedAttributes>
<getAllFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*))]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*)(cn={cn}))]]></getOneFilter>
<cleanFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*))]]></cleanFilter>
<interval>100</interval>
</ldapSourceService>
<ldapDestinationService>
<name>ad-dst-service02</name>
<connection reference="dst-conn" />
<baseDn>OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it</baseDn>
<pivotAttributes>
<string>cn</string>
</pivotAttributes>
<fetchedAttributes>
<string>cn</string>
<string>member</string>
<string>objectClass</string>
</fetchedAttributes>
<getAllFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*))]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*)(cn={cn}))]]></getOneFilter>
</ldapDestinationService>
<propertiesBasedSyncOptions>
<mainIdentifier>"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) +
",OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it"</mainIdentifier>
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>MERGE</defaultPolicy>
<conditions>
<create>true</create>
<update>true</update>
<delete>true</delete>
<changeId>true</changeId>
</conditions>
<dataset>
<name>objectclass</name>
<policy>KEEP</policy>
<createValues>
<string>"group"</string>
<string>"top"</string>
</createValues>
</dataset>
<dataset>
<name>member</name>
<policy>MERGE</policy>
<forceValues>
<string>
<![CDATA[rjs:
var membersSrcDn = srcBean.getDatasetValuesById("Member");
var membersDstDn = [];
for (var i=0; i<membersSrcDn.size(); i++) {
var memberSrcDn = membersSrcDn.get(i);
var uid = "";
try {
uid = srcLdap.attribute(memberSrcDn,
"sAMAccountName").get(0);
} catch(e) {
continue;
}
var destDn = ldap.search("OU=Bologna",
"(sAMAccountName=" + uid + ")");
if (destDn.size() == 0 || destDn.size() > 1) {
continue;
}
var destMemberDn = destDn.get(0) + "," +
ldap.getContextDn();
membersDstDn.push(destMemberDn);
}
membersDstDn
]]>
</string>
</forceValues>
</dataset>
</propertiesBasedSyncOptions>
</task>
</tasks>
</lsc>
-----Original Message-----
From: lsc-users <[email protected]> On behalf of Clément OUDOT
Sent: Friday, 10 May 2019 11:33
To: [email protected]
Subject: Re: [lsc-users] Need help with the filters
On 09/05/2019 at 17:24, Pilling, Michael wrote:
> Hello Clément,
> I'm not sure, but it seems that +
> javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById wouldn't
> work in a dataset like this:
> (Or I made again something wrong, and I apologize)
>
> <dataset>
> <name>cn</name>
> <policy>KEEP</policy>
> <createValues>
> <string>js:"cn=" +
> javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) +
> ",DC=AD01,DC=xxx,DC=xx,DC=it"</string>
> </createValues>
> </dataset>
You must not use Rdn.escapeValue in a dataset, as the dataset will fill an
attribute value, not the DN. Use the escaping function only in mainIdentifier.
> In dry run I got no errors but when I try to sync I got this:
>
> May 09 16:59:34 - ERROR - Error while adding entry
> cn=,DC=AD01,DC=xxx,DC=xx,DC=it in directory
> :javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr:
> DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]; remaining name
> 'cn='
> May 09 16:59:34 - ERROR - Error while synchronizing ID
> cn=,DC=AD01,DC=xxx,DC=xx,DC=it: java.lang.Exception: Technical problem
> while applying modifications to the destination # Thu May 09 16:59:34
> CEST 2019
> dn: cn=,DC=AD01,DC=xxx,DC=xx,DC=it
>
> By the way the user which connects to the destination AD must have Domain
> Admin rights, is this right?
The first issue is that cn has no value (cn=), which means LSC does not get the
cn value from the source. Check if cn is listed in fetchedAttributes in the
source service.
Then the user connecting to AD indeed needs write privileges. Domain Admin
should be enough for that.
--
Clément Oudot | Identity Solutions Manager
[email protected]
Worteks | https://www.worteks.com
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
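As an added example (not part of Michael's mail or of the LSC project's code), a small Python lint over LSC task filters: it parses each string as an RFC 4515 filter, so a stray pair of parentheses is rejected, and reports which conditions of the source getAllFilter the cleanFilter lacks. The first two strings are copied from the configuration above; the third is a constructed malformed variant, and the consistency check assumes LSC's clean phase keeps a destination entry as long as cleanFilter still matches its pivot in the source.

```python
# Added example (not the post's or LSC's code): lint LSC task filters (RFC 4515 syntax, cleanFilter vs getAllFilter).
import re

FILTERS = {
    "src.getAllFilter": "(&(objectClass=user)(objectCategory=person)(memberof=CN=TEST-RADIUS,"
                        "OU=_Sicherheitsgruppen,OU=Bologna,DC=xxx,DC=xx,DC=it))",
    "src.cleanFilter": "(&(objectClass=user)(objectCategory=person)(sAMAccountName={sAMAccountName}))",
    "malformed.sample": "(&((objectClass=user)(objectCategory=person)(sAMAccountName={sAMAccountName})))",
}
_ITEM = re.compile(r"([A-Za-z0-9.;-]+)(=|~=|>=|<=)([^()]*)")  # attr, match type, value

def _parse(text, i):
    if text[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op, i = text[i + 1:i + 2], i + 1
    if op in ("&", "|", "!"):  # composite: nested filters (NOT takes exactly one)
        i, children = i + 1, []
        while text[i:i + 1] == "(":
            child, i = _parse(text, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("bad filter list at offset %d" % i)
        node = (op, children)
    else:  # attr=value item; a bare "(" where an attribute is expected fails here
        m = _ITEM.match(text, i)
        if not m:
            raise ValueError("expected attribute=value at offset %d" % i)
        node, i = ("item", m.group(1).lower(), m.group(2), m.group(3)), m.end()
    if text[i:i + 1] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def parse_filter(text):
    """Parse a whole filter into a tuple tree; raises ValueError on syntax errors."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data at offset %d" % end)
    return node

def check_syntax(text):
    """None if the filter parses, otherwise the parser's error message."""
    try:
        parse_filter(text)
    except ValueError as e:
        return str(e)

def missing_conditions(clean_filter, get_all_filter):
    """Attributes getAllFilter restricts on but cleanFilter drops; assumes LSC keeps entries cleanFilter still matches."""
    attrs = lambda n: {n[1]} if n[0] == "item" else (set().union(*map(attrs, n[1])) if n[0] == "&" else set())
    return attrs(parse_filter(get_all_filter)) - attrs(parse_filter(clean_filter))
```

A non-empty result from missing_conditions (here memberof) means a user who leaves the group still matches cleanFilter in the source, so the destination account is never removed by the clean phase.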