Hi,
The people cleanFilter is now working! Thanks!
But I still have trouble with the group...
You were right about the baseDN; the group is in a sub OU. So I modified the
baseDN and the mainIdentifier to the right place and changed the log level.
The dataset now looks like:
<defaultPolicy>KEEP</defaultPolicy>
<conditions>
  <create>false</create>
  <update>true</update>
  <delete>true</delete>
  <changeId>true</changeId>
</conditions>
<dataset>
  <name>objectclass</name>
  <policy>KEEP</policy>
  <forceValues>
    <string>"group"</string>
    <string>"top"</string>
  </forceValues>
</dataset>
<dataset>
  <name>member</name>
  <policy>MERGE</policy>
  <forceValues>
    <string>
      <![CDATA[rjs:
        var membersSrcDn = srcBean.getDatasetValuesById("Member");
        var membersDstDn = [];
        for (var i=0; i<membersSrcDn.size(); i++) {
          var memberSrcDn = membersSrcDn.get(i);
          var uid = "";
          try {
            uid = srcLdap.attribute(memberSrcDn, "sAMAccountName").get(0);
          } catch(e) {
            continue;
          }
          var destDn = ldap.search("OU=Firenze", "(sAMAccountName=" + uid + ")");
          if (destDn.size() == 0 || destDn.size() > 1) {
            continue;
          }
          var destMemberDn = destDn.get(0) + "," + ldap.getContextDn();
          membersDstDn.push(destMemberDn);
        }
        membersDstDn
      ]]>
    </string>
  </forceValues>
</dataset>
But my log always remarks that the group exists...
May 23 11:08:40 - DEBUG - In object
"CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it": Attribute
"objectClass" is in KEEP status
May 23 11:08:41 - DEBUG - In object
"CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it": Attribute "cn"
is in KEEP status
May 23 11:08:41 - ERROR - Error while modifying entry
CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it in directory
:javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000562:
UpdErr: DSID-031A11E2, problem 6005 (ENTRY_EXISTS), data 0
]; remaining name 'CN=TEST-RADIUS,OU=security-groups'
May 23 11:08:41 - ERROR - Error while synchronizing ID
CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it:
java.lang.Exception: Technical problem while applying modifications to the
destination
May 23 11:08:41 - DEBUG - java.lang.Exception: Technical problem while applying
modifications to the destination
java.lang.Exception: Technical problem while applying modifications to the
destination
at org.lsc.SynchronizeTask.run(AbstractSynchronize.java:783)
[lsc-core-2.1.4.jar:na]
at org.lsc.SynchronizeTask.run(AbstractSynchronize.java:689)
[lsc-core-2.1.4.jar:na]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[na:1.8.0_212]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[na:1.8.0_212]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]
# Thu May 23 11:08:41 CEST 2019
dn: CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it
changetype: modify
add: member
member: CN=Kent\, Clark,OU=Roma,DC=ad01,DC=xxx,DC=xx,DC=it
Is there something else I could try?
Thanks!
Michael
-----Original Message-----
From: lsc-users <[email protected]> On Behalf Of Soisik Froger
Sent: Wednesday, 22 May 2019 18:45
To: [email protected]
Subject: Re: [lsc-users] Need help with the filters
Hi,
On 22/05/2019 16:55, Pilling, Michael wrote:
> 1. my cleanFilter for the user isn't working.
> I would like to delete an account if it is removed from TEST-RADIUS
1. The source cleanFilter is used to check whether entries returned by
destination getAllFilter still exist in source. If it cannot be found, it will
be deleted in destination. Since your cleanFilter will return an entry even if
it was removed from the TEST-RADIUS group, it will not be deleted. cleanFilter
should have the same memberOf filter as your getOneFilter has.
>
> 2. my group TEST-RADIUS always produces an error:
>
> May 22 16:36:04 - ERROR - Error while modifying entry
> CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it
> in directory :javax.naming.NameAlreadyBoundException: [LDAP: error code 68 -
> 00000562: UpdErr: DSID-031A11E2, problem 6005 (ENTRY_EXISTS), data 0 ];
> remaining name 'CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna'
> May 22 16:36:04 - ERROR - Error while synchronizing ID
> CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,
> DC=it: java.lang.Exception: Technical problem while applying
> modifications to the destination
>
> Is this because the group exists? Can I avoid that the group is always newly
> created?
> Sure the member should be updated...
2. I don't see why LSC tries to create a new entry. Best guess, LSC cannot find
a matching group in destination using
<getOneFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*)(cn={cn}))]]></getOneFilter>
searching in the baseDn "OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it", so it tries
to create it and fails because it is already there. Does this filter work with
the cn TEST-RADIUS when applied on this baseDn, using the account LSC uses to
request AD? Also
- try removing the empty pivot attribute in the group task source service:
<string></string>.
- You can also forbid group creation by setting it to false in conditions,
unless you want to create new groups.
- Activating debug level in logback.xml may help you figure it out.
>
> 3. I would like to create a description, but <string>"Access
> for" + srcBean.getDatasetFirstValueById("sn")+
> srcBean.getDatasetFirstValueById("givenName")</string>
> Doesn't work.
3. You have 2 datasets for description; try unifying them in one dataset. If
you need to set a multiple attribute, return an array instead of a string.
>
> 4. I think every user account should be created in its OU. I have created the
> OUs but they are always created in OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it.
> It is not a big problem, my colleagues like the behavior...
4. You can change the destination OU for your user by changing it in the
mainIdentifier and baseDn of destination service.
--
Soisik Froger | Software Architect
[email protected]
Worteks | https://www.worteks.com
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
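
Added example, not part of the thread and not LSC's own code: a small JavaScript model of the clean phase as point 1 of the reply describes it, showing why a cleanFilter without the memberOf clause never removes a user who has left TEST-RADIUS. The directory entries, the example DN suffix and both filter strings are constructed for illustration, and the evaluator handles only equality leaves inside an optional (&...).

```javascript
// Constructed source entries (not from the thread): jdoe has been removed
// from TEST-RADIUS, asmith is still a member.
const GROUP = "CN=TEST-RADIUS,OU=security-groups,DC=example,DC=test";
const source = [
  { objectClass: ["user"], sAMAccountName: ["jdoe"], memberOf: [] },
  { objectClass: ["user"], sAMAccountName: ["asmith"], memberOf: [GROUP] },
];
// Pivot values the destination getAllFilter would return (both synced earlier).
const destinationPivots = ["jdoe", "asmith"];

// Tiny evaluator: supports only (attr=value) leaves, optionally wrapped in (&...).
// Every leaf must match one value of the attribute, compared case-insensitively.
function matches(entry, filter) {
  const leaves = [...filter.matchAll(/\(([^()=&]+)=([^()]*)\)/g)];
  if (leaves.length === 0) throw new Error("unsupported filter: " + filter);
  return leaves.every(([, attr, value]) => {
    const key = Object.keys(entry).find(
      (k) => k.toLowerCase() === attr.toLowerCase());
    const values = key ? entry[key] : [];
    return values.some((v) => v.toLowerCase() === value.toLowerCase());
  });
}

// Clean phase as described in the reply: for each destination entry, run the
// source cleanFilter with the pivot substituted; no hit in source => delete.
function entriesToDelete(cleanFilter) {
  return destinationPivots.filter((pivot) => {
    const resolved = cleanFilter.replace("{sAMAccountName}", pivot);
    return !source.some((entry) => matches(entry, resolved));
  });
}

// Constructed filters: the first only checks that the account exists,
// the second also requires current group membership.
const WITHOUT_MEMBEROF =
  "(&(objectClass=user)(sAMAccountName={sAMAccountName}))";
const WITH_MEMBEROF =
  "(&(objectClass=user)(sAMAccountName={sAMAccountName})(memberOf=" + GROUP + "))";

console.log("without memberOf:", entriesToDelete(WITHOUT_MEMBEROF));
console.log("with memberOf:   ", entriesToDelete(WITH_MEMBEROF));
```
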