Hi,

Yes, I use the merge strategy for members because I have accounts which only exist in the destination.
Yes, the group CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it exists.
And I can confirm that the error is coming from the member dataset part.

"...https://lsc-project.org/documentation/latest/configuration/syncoptions, MERGE strategy does this : "Values from <forceValues/> are added to existing values in the destination, regardless of values from source". ..."

Yes, but I had tested createvalue and defaultvalue and the error is the same.

Best regards,
Michael

-----Original Message-----
From: lsc-users <[email protected]> On behalf of Soisik Froger
Sent: Thursday, 23 May 2019 13:01
To: [email protected]
Subject: Re: [lsc-users] Need help with the filters

Hi,

If the group CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it really does exist, the error likely comes from the member attribute modify instruction shown at the bottom of the log. Try commenting out the member fetch and dataset to see if you still get any error.

It could be that "CN=Kent\, Clark,OU=Roma,DC=ad01,DC=xxx,DC=xx,DC=it" is already a member of this group, and LSC tries to add it as part of the MERGE strategy. According to the documentation, https://lsc-project.org/documentation/latest/configuration/syncoptions, the MERGE strategy does this: "Values from <forceValues/> are added to existing values in the destination, regardless of values from source".

Why have you chosen a MERGE strategy for member? Do members of this group only exist in the destination and you want to keep them? If that's not the case, try using a FORCE strategy.

Otherwise, try using the FORCE strategy and adapt your script to perform the merge itself, like this (not tested) (=> indicates a modification):

   var membersSrcDn = srcBean.getDatasetValuesById("member");
=> var membersDstDn = dstBean.getDatasetValuesById("member");
   for (var i=0; i<membersSrcDn.size(); i++) {
       var memberSrcDn = membersSrcDn.get(i);
       var uid = "";
       try {
           uid = srcLdap.attribute(memberSrcDn, "sAMAccountName").get(0);
       } catch(e) {
           continue;
       }
       var destDn = ldap.search("OU=Firenze", "(sAMAccountName=" + uid + ")");
       if (destDn.size() == 0 || destDn.size() > 1) {
           continue;
       }
       var destMemberDn = destDn.get(0) + "," + ldap.getContextDn();
=>     if (membersDstDn.indexOf(destMemberDn) == -1) {
           membersDstDn.push(destMemberDn);
=>     }
   }
   membersDstDn

--
Soisik Froger | Software Architect
[email protected]
Worteks | https://www.worteks.com

On 23/05/2019 11:29, Pilling, Michael wrote:
> Hi,
> The people cleanFilter is now working! Thanks!
>
> But I still have trouble with the group...
> You were right about the baseDN; the group is in a sub OU. So I modified the
> baseDN and the mainIdentifier to the right place and changed the log level.
>
> The dataset now looks like:
>
>     <defaultPolicy>KEEP</defaultPolicy>
>     <conditions>
>       <create>false</create>
>       <update>true</update>
>       <delete>true</delete>
>       <changeId>true</changeId>
>     </conditions>
>
>     <dataset>
>       <name>objectclass</name>
>       <policy>KEEP</policy>
>       <forceValues>
>         <string>"group"</string>
>         <string>"top"</string>
>       </forceValues>
>     </dataset>
>
>     <dataset>
>       <name>member</name>
>       <policy>MERGE</policy>
>       <forceValues>
>         <string>
>           <![CDATA[rjs:
>             var membersSrcDn = srcBean.getDatasetValuesById("Member");
>             var membersDstDn = [];
>             for (var i=0; i<membersSrcDn.size(); i++) {
>                 var memberSrcDn = membersSrcDn.get(i);
>                 var uid = "";
>                 try {
>                     uid = srcLdap.attribute(memberSrcDn, "sAMAccountName").get(0);
>                 } catch(e) {
>                     continue;
>                 }
>                 var destDn = ldap.search("OU=Firenze", "(sAMAccountName=" + uid + ")");
>                 if (destDn.size() == 0 || destDn.size() > 1) {
>                     continue;
>                 }
>                 var destMemberDn = destDn.get(0) + "," + ldap.getContextDn();
>                 membersDstDn.push(destMemberDn);
>             }
>             membersDstDn
>           ]]>
>         </string>
>       </forceValues>
>     </dataset>
>
> But my log always remarks that the group exists....
>
> May 23 11:08:40 - DEBUG - In object "CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it": Attribute "objectClass" is in KEEP status
> May 23 11:08:41 - DEBUG - In object "CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it": Attribute "cn" is in KEEP status
> May 23 11:08:41 - ERROR - Error while modifying entry CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it in directory :javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000562: UpdErr: DSID-031A11E2, problem 6005 (ENTRY_EXISTS), data 0 ]; remaining name 'CN=TEST-RADIUS,OU=security-groups'
> May 23 11:08:41 - ERROR - Error while synchronizing ID CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it: java.lang.Exception: Technical problem while applying modifications to the destination
> May 23 11:08:41 - DEBUG - java.lang.Exception: Technical problem while applying modifications to the destination
> java.lang.Exception: Technical problem while applying modifications to the destination
>     at org.lsc.SynchronizeTask.run(AbstractSynchronize.java:783) [lsc-core-2.1.4.jar:na]
>     at org.lsc.SynchronizeTask.run(AbstractSynchronize.java:689) [lsc-core-2.1.4.jar:na]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_212]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_212]
>     at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]
> # Thu May 23 11:08:41 CEST 2019
> dn: CN=TEST-RADIUS,OU=security-groups,DC=ad01,DC=xxx,DC=xx,DC=it
> changetype: modify
> add: member
> member: CN=Kent\, Clark,OU=Roma,DC=ad01,DC=xxx,DC=xx,DC=it
>
> Is there something else I could try?
> Thanks!
> Michael
>
> -----Original Message-----
> From: lsc-users <[email protected]> On behalf of Soisik Froger
> Sent: Wednesday, 22 May 2019 18:45
> To: [email protected]
> Subject: Re: [lsc-users] Need help with the filters
>
> Hi,
>
> On 22/05/2019 16:55, Pilling, Michael wrote:
>> 1. my cleanFilter for the user isn't working.
>> I would like to delete an account if it is removed from TEST-RADIUS
>
> 1. The source cleanFilter is used to check whether entries returned by
> destination getAllFilter still exist in source. If it cannot be found, it
> will be deleted in destination. Since your cleanFilter will return an entry
> even if it was removed from the TEST-RADIUS group, it will not be deleted.
> cleanFilter should have the same memberOf filter as your getOneFilter has.
>
>>
>> 2. my group TEST-RADIUS always produce an error:
>>
>> May 22 16:36:04 - ERROR - Error while modifying entry CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it in directory :javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000562: UpdErr: DSID-031A11E2, problem 6005 (ENTRY_EXISTS), data 0 ]; remaining name 'CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna'
>> May 22 16:36:04 - ERROR - Error while synchronizing ID CN=TEST-RADIUS,OU=_Sicherheitsgruppen,OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it: java.lang.Exception: Technical problem while applying modifications to the destination
>>
>> Is this because the group exist? Can I avoid that the group is always new
>> created?
>> Sure the member should be updated...
>
> 2. I don't see why LSC tries to create a new entry. Best guess, LSC
> cannot find a matching group in destination using
> <getOneFilter><![CDATA[(&(objectClass=group)(cn=*RADIUS*)(cn={cn}))]]></getOneFilter>
> searching in the baseDn "OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it", so it
> tries to create it and fails because it is already there. Does this filter
> work with the cn TEST-RADIUS when applied on this baseDn, using the account
> LSC uses to request AD?
> Also
> - try removing the empty pivot attribute in the group task source service:
>   <string></string>.
> - You can also forbid group creation by setting it to false in conditions,
>   unless you want to create new groups.
> - Activating debug level in logback.xml may help you figure it out.
>
>>
>> 3. I would like to create a description, but
>> <string>"Access for" + srcBean.getDatasetFirstValueById("sn")+ srcBean.getDatasetFirstValueById("givenName")</string>
>> Doesn't work.
>
> 3. You have 2 datasets for description, try unifying them in one dataset; if
> you need to set a multiple attribute, return an array instead of string.
>
>>
>> 4. I think every user account should be created in its OU. I have created
>> the OUs but they are always created in OU=Bologna,DC=ad01,DC=xxx,DC=xx,DC=it.
>> It is not a big problem, my colleagues like the behavior...
>
> 4. You can change the destination OU for your user by changing it in the
> mainIdentifier and baseDn of destination service.
>
> --
> Soisik Froger | Software Architect
> [email protected]
> +33 6 49 00 09 55
> Worteks | https://www.worteks.com

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
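
The script-side merge suggested in the 23 May reply, as an added example that is not part of the thread and not LSC code: plain JavaScript with the LSC objects (srcBean, dstBean, ldap) replaced by arrays, comparing DNs by a normalized key so a member already present under different case or spacing is not appended again. The sample DNs and the normalization rule (case-insensitive, whitespace around separators ignored) are assumptions.

```javascript
// Split a DN on unescaped commas so "CN=Kent\, Clark" stays one RDN.
function splitDn(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    if (dn[i] === "\\" && i + 1 < dn.length) {
      cur += dn[i] + dn[++i]; // keep the escaped character with its backslash
    } else if (dn[i] === ",") {
      rdns.push(cur);
      cur = "";
    } else {
      cur += dn[i];
    }
  }
  rdns.push(cur);
  return rdns;
}

// Simplified comparison key (assumption: case-insensitive, spaces around separators ignored).
function dnKey(dn) {
  return splitDn(dn).map((rdn) => rdn.trim().toLowerCase()).join(",");
}

// Same rule as the script in the thread: use a search result only when exactly one entry matched.
function resolveDestDn(searchResults, contextDn) {
  if (searchResults.length !== 1) return null;
  return searchResults[0] + "," + contextDn;
}

// Keep every existing destination member, append only source members not already present.
function mergeMembers(existingDst, resolvedSrc) {
  const seen = new Set(existingDst.map(dnKey));
  const merged = existingDst.slice();
  for (const dn of resolvedSrc) {
    if (dn === null || seen.has(dnKey(dn))) continue;
    seen.add(dnKey(dn));
    merged.push(dn);
  }
  return merged;
}

// Constructed sample data (not taken from a real directory).
const CONTEXT = "DC=ad01,DC=example,DC=it";
const existing = ["CN=Kent\\, Clark,OU=Roma," + CONTEXT, "CN=Local Only,OU=Firenze," + CONTEXT];
const fromSource = [
  resolveDestDn(["cn=kent\\, clark, OU=Roma"], CONTEXT),  // already a member, different case and spacing
  resolveDestDn(["CN=Lane\\, Lois,OU=Firenze"], CONTEXT), // new member
  resolveDestDn([], CONTEXT),                              // no match in destination: skipped
];
console.log(mergeMembers(existing, fromSource));
```

The destination-only member stays in the result, which is what the MERGE policy was chosen for, while the returned list can be used as the complete value set under FORCE.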

