Thanks Soisik
I made the changes you suggested, added givenName and my AD connection URL is
now,
<url>ldap://127.0.0.1/dc=company,dc=local</url>
With the main identifier set to...
<mainIdentifier>"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) +
",ou=companyusers,dc=company,dc=local"</mainIdentifier>
It provisions users fine. However, as mentioned before, our CN is in the format of an email address;
we want to use the "name" attribute from our LDAP, which is in the format "firstName
lastName". So when I change this to...
<mainIdentifier>"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("name")) +
",ou=companyusers,dc=company,dc=local"</mainIdentifier>
It still fails; however, after the above changes, the error is now different.
(Full error below.) It seems to be yet another issue with the DN.
Sep 08 18:24:48 - ERROR - Error while adding entry cn=Simon
Thorpe,ou=companyusers,dc=company,dc=local in directory
:javax.naming.InvalidNameException: cn=Simon Thorpe,ou=companyusers: [LDAP:
error code 34 - 00002081: NameErr: DSID-03050F42, problem 2003
(BAD_ATT_SYNTAX), data 0, best match of:
'cn=Simon Thorpe,ou=companyusers,dc=company,dc=local'
]; remaining name 'cn=Simon Thorpe,ou=companyusers'
Sep 08 18:24:48 - ERROR - Error while synchronizing ID cn=Simon
Thorpe,ou=companyusers,dc=company,dc=local: java.lang.Exception: Technical
problem while applying modifications to the destination
# Thu Sep 08 18:24:48 UTC 2022
dn: cn=Simon Thorpe,ou=companyusers,dc=company,dc=local
changetype: add
mail: stho...@company.com
givenName: Simon
name: Simon Thorpe
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
samAccountName: sthorpe
cn: stho...@company.com
sn: Thorpe
userPrincipalName: stho...@company.com
userAccountControl: 544
On Wed, Sep 7, 2022 at 1:58 AM Soisik Froger <soisik.fro...@worteks.com> wrote:
Hi Simon,
Some remarks about your LSC config file that may not be related to this
error:
- why not fetch the givenName from your source, since you're fetching it
in your destination?
- your source URL does not seem to have the domain, e.g. <url>ldap://127.0.0.1</url>
should be <url>ldap://127.0.0.1/dc=company,dc=local</url>
"LDAP Error Code 34 indicates that the configured User or Group Mapping BaseDN
does not follow correct syntax."
So this error seems to indicate a format error somewhere in your DN, but
since you are not disclosing the DN, we can't really help you figure out
where the issue in your DN is (such as a branch that does not exist, is not
writable by your AD service user account, or has special characters that need
escaping). The error could also be in the syntax of one of the attributes, such as
userPrincipalName or samAccountName.
Could you send your full LSC config file as it has evolved since you first
sent it, and the LDIF part of the log from the error?
Regards,
--
Soisik Froger
Worteks | https://www.worteks.com
On 06/09/2022 21:27, Simon Thorpe wrote:
> Yes, when we change it to name, we get this error.
>
> Aug 26 22:56:49 - ERROR - Error while adding entry cn=Simon
Thorpe,ou=companyusers,dc=company,dc=local in directory
:javax.naming.InvalidNameException: cn=Simon
Thorpe,ou=companyusers,dc=domain,dc=local: [LDAP: error code 34 - 00002081:
NameErr: DSID-03050F42, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:
> 'cn=Simon Thorpe,ou=companyusers,dc=company,dc=local'
> ]; remaining name 'cn=Simon Thorpe,ou=companyusers,dc=company,dc=local'
> Aug 26 22:56:49 - ERROR - Error while synchronizing ID cn=Simon
Thorpe,ou=companyusers,dc=company,dc=local: java.lang.Exception: Technical problem
while applying modifications to the destination
>
> Our XML looks like this...
>
> <mainIdentifier>"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("name")) +
",ou=companyusers,dc=company,dc=local"</mainIdentifier>
>
> <dataset>
> <name>cn</name>
> <policy>FORCE</policy>
> <createValues>
> <string>srcBean.getDatasetFirstValueById("name")</string>
> </createValues>
> </dataset>
>
> On Tue, Aug 30, 2022 at 5:13 AM Soisik Froger <soisik.fro...@worteks.com> wrote:
>
> Did you try to use the name attribute in your mainIdentifier and map
name to cn?
>
> <mainIdentifier>"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("name")) +
",ou=companyusers,dc=company,dc=local"</mainIdentifier>
> ...
> <dataset>
> <name>cn</name>
> <policy>FORCE</policy>
> <forceValues>
>
<string>srcBean.getDatasetFirstValueById("name")</string>
> </forceValues>
> </dataset>
>
>
> --
> Soisik Froger
> Worteks | https://www.worteks.com
>
> On 29/08/2022 23:13, Simon Thorpe wrote:
> > Thanks for your fast reply!
> >
> > We removed the name and displayName datasets. Good catch on the
sAMAccountName; we updated that to use uid. Our userPrincipalName, however, is
correct. The LDAP we are talking to has the following schema and formatting.
> >
> > So the main question we still need help with is this. In our LDAP the cn is
formatted as an email address. Yet what we want in Active Directory is a cn that's formatted
like the name attribute in LDAP (which is of the form "firstName lastName"). Yet when we
changed our main identifier to use name instead of cn, the user creation fails with the error:
LDAP: error code 34 - 00002081: NameErr: DSID-03050F42, problem 2003 (BAD_ATT_SYNTAX).
> >
> > How do we fix this? Any idea why Active Directory is throwing
this error when we try to create a user with the DN cn=Simon
Thorpe,ou=companyusers,dc=company,dc=local?
> >
> > Active Directory users and groups has no issues letting us create
a user with the above DN.
> >
> > For reference here is what we are getting from LDAP.
> >
> > objectClass: inetOrgPerson (structural)
> > objectClass: sudoRole (structural)
> > objectClass: top (abstract)
> > objectClass: user (structural)
> > cn: si...@domain.com
> > sn: Thorpe
> > displayName: Simon
> > gidNumber: 4444
> > givenName: Simon
> > loginShell: /bin/bash
> > mail: si...@company.com
> > name: Simon Thorpe
> > photo: Binary Data (91 Bytes)
> > title: CEO
> > uid: simon
> > uidNumber: 1001
> > department: Executive Team
> > startDate: 2022-04-19
> > userPrincipalName: simon
> >
> > Simon
> >
> > On Mon, Aug 29, 2022 at 12:56 AM Soisik Froger <soisik.fro...@worteks.com> wrote:
> >
> > Hi,
> >
> > Don't try to set displayName and name in AD; I think AD
calculates these fields automatically.
> >
> > Also your samaccountname and userPrincipalName don't look set
properly; it should be something like this:
> >
> > <dataset>
> > <name>sAMAccountName</name>
> > <policy>KEEP</policy>
> > <createValues>
> >
<string>srcBean.getDatasetFirstValueById("uid")</string>
> > </createValues>
> > </dataset>
> > <dataset>
> > <name>userPrincipalName</name>
> > <policy>FORCE</policy>
> > <forceValues>
> > > <string>srcBean.getDatasetFirstValueById("uid") + "rippling.com"</string>
> > </forceValues>
> > </dataset>
> >
> > --
> > Soisik Froger
> > Worteks | https://www.worteks.com
> >
> > On 27/08/2022 01:01, Simon Thorpe (stho...@rippling.com) wrote:
> > > Subject:
> > > Help with syncing LDAP users to AD
> > > From:
> > > "Simon Thorpe" (stho...@rippling.com) <lsc-us...@ow2.org>
> > > Date:
> > > 27/08/2022, 01:01
> > >
> > > To:
> > > lsc-us...@ow2.org
> > >
> > >
> > > Hi
> > >
> > > We've been trying to get a sync working for a few days and
are very close. But we are stuck and hoping someone can help.
> > >
> > > We have an LDAP server and want to sync users from it to Active Directory. My lsc.xml is below;
I've removed sensitive information. The XML below will create new users. But in our LDAP the "cn" is the same as the
email address. What we want is to create a "cn" in Active Directory that is the same as the "name"
attribute in our LDAP, which is of the format "firstName lastName".
> > >
> > > However, when we change the mainIdentifier from;
> > >
> > > <mainIdentifier>"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) +
",ou=companyusers,dc=company,dc=local"</mainIdentifier>
> > >
> > > to
> > >
> > > <mainIdentifier>"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("name")) +
",ou=companyusers,dc=company,dc=local"</mainIdentifier>
> > >
> > > It fails with the error...
> > >
> > > Aug 26 22:56:49 - ERROR - Error while adding entry
cn=Simon Thorpe,ou=companyusers,dc=company,dc=local in directory
:javax.naming.InvalidNameException: cn=Simon Thorpe,ou=companyusers,dc=domain,dc=local:
[LDAP: error code 34 - 00002081: NameErr: DSID-03050F42, problem 2003 (BAD_ATT_SYNTAX),
data 0, best match of:
> > > 'cn=Simon
Thorpe,ou=companyusers,dc=company,dc=local'
> > > ]; remaining name 'cn=Simon
Thorpe,ou=companyusers,dc=company,dc=local'
> > > Aug 26 22:56:49 - ERROR - Error while synchronizing ID
cn=Simon Thorpe,ou=companyusers,dc=company,dc=local: java.lang.Exception: Technical
problem while applying modifications to the destination
> > >
> > > Anyone able to tell me how we can create a DN that looks
like...
> > >
> > > cn=Simon Thorpe,ou=companyusers,dc=company,dc=local
> > >
> > > instead of
> > >
> > > cn=si...@domain.com,ou=companyusers,dc=company,dc=local
> > >
> > >
> > > MY XML CONFIG BELOW
> > >
> > > <?xml version="1.0" ?>
> > > <!--
> > > In the following file, comments are describing each node.
Elements are
> > > referenced through XPath expression, whereas attributes
are prefixed with
> > > '@'
> > >
> > > //lsc Root node of the XML configuration file
> > > @xmlns XML Schema validation is not ready yet (Reserved
for future use)
> > > @id optional, added by XML API
> > > @revision mandatory, used by the Web Administration
Interface to version
> > > this file
> > > -->
> > > <lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
> > >
> > > <!-- ./connections Connections list node, must contain at
least two connections -->
> > >
> > > <connections>
> > >
> > > <!--
> > > ./connection Connection node, include definition of the
required parameters.
> > > Depending on the connection type, properties vary.
> > > Existing class types are: ldapConnection,
databaseConnection
> > > Plugins also provides : nisConnection,
jndiExecDstConnection
> > > -->
> > >
> > >
> > > <ldapConnection>
> > > <name>activedirectory</name>
> > > <!-- ./url mandatory, the JNDI URL -->
> > > <url>ldap://127.0.0.1</url>
> > > <!-- ./username mandatory, the DN to bind with -->
> > > <username>admin@domain.local</username>
> > > <!-- ./password mandatory, credentials to bind with -->
> > > <password>notarealpassword</password>
> > > <!-- ./authentication mandatory, must contain either
ANONYMOUS, SIMPLE, SASL, GSSAPI or DIGEST_MD5 -->
> > > <authentication>SIMPLE</authentication>
> > > <!-- ./referral mandatory, must contain either IGNORE,
THROUGH, THROW or FOLLOW -->
> > > <referral>IGNORE</referral>
> > > <!-- ./derefAliases mandatory, must contain either NEVER,
SEARCH, FIND, ALWAYS -->
> > > <derefAliases>NEVER</derefAliases>
> > > <!-- ./version mandatory, must contain either VERSION_2,
VERSION_3 -->
> > > <version>VERSION_3</version>
> > > <!-- ./pageSize optional, specify the paged size when
searching -->
> > > <pageSize>-1</pageSize>
> > > <!-- ./factory mandatory, points to LDAP Context Factory,
com.sun.jndi.ldap.LdapCtxFactory for a SUN JDK -->
> > > <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
> > > <!-- ./tlsActivated optional, specify if SSL/TLS is
activated to connect to the LDAP server -->
> > > <tlsActivated>false</tlsActivated>
> > > </ldapConnection>
> > >
> > > <ldapConnection>
> > > <name>ripplingldap</name>
> > > <!-- ./url mandatory, the JNDI URL -->
> > > <url>ldaps://ldap.domain.com/dc=company,dc=rippling,dc=com</url>
> > > <!-- ./username mandatory, the DN to bind with -->
> > >
<username>cn=admin,ou=users,dc=company,dc=rippling,dc=com</username>
> > > <!-- ./password mandatory, credentials to bind with -->
> > > <password>notarealpassword</password>
> > > <!-- ./authentication mandatory, must contain either
ANONYMOUS, SIMPLE, SASL, GSSAPI or DIGEST_MD5 -->
> > > <authentication>SIMPLE</authentication>
> > > <!-- ./referral mandatory, must contain either IGNORE,
THROUGH, THROW or FOLLOW -->
> > > <referral>IGNORE</referral>
> > > <!-- ./derefAliases mandatory, must contain either NEVER,
SEARCH, FIND, ALWAYS -->
> > > <derefAliases>NEVER</derefAliases>
> > > <!-- ./version mandatory, must contain either VERSION_2,
VERSION_3 -->
> > > <version>VERSION_3</version>
> > > <!-- ./pageSize optional, specify the paged size when
searching -->
> > > <pageSize>-1</pageSize>
> > > <!-- ./factory mandatory, points to LDAP Context Factory,
com.sun.jndi.ldap.LdapCtxFactory for a SUN JDK -->
> > > <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
> > > <!-- ./tlsActivated optional, specify if SSL/TLS is
activated to connect to the LDAP server -->
> > > <tlsActivated>false</tlsActivated>
> > > </ldapConnection>
> > > </connections>
> > >
> > >
> > >
> > > <!-- ./tasks Task list node, must contain at least one task
-->
> > > <tasks>
> > >
> > > <!-- ./task Task node, this is the main node, in which
synchronization is defined -->
> > > <task>
> > > <!-- ./name mandatory task node this is the main node, in
which synchronization is defined -->
> > > <name>activedirectoryusers</name>
> > > <!-- ./bean optional bean node, default to
org.lsc.beans.SimpleBean, define the pivot object used to store datasets and values -->
> > > <bean>org.lsc.beans.SimpleBean</bean>
> > > <!-- ./sourceService mandatory node containing definition
of the source service settings
> > > possible builtin types are :
> > > databaseSourceService, ldapSourceService
> > > Plugins also provides: syncreplSourceService,
nisSourceService
> > > -->
> > >
> > > <ldapSourceService>
> > > <!-- A ldap source service will have to contain at least
a name, a connection reference, a base DN, a filter to list
> > > entries, a filter to get a particular entry, a list of
pivot attributes and a list of fetched attributes -->
> > > <name>rippling-source-service</name>
> > > <connection reference="ripplingldap" />
> > > <!-- ./baseDn This mandatory node provide the directory base
branch that will be used to look for entries (list and get) -->
> > >
<baseDn>ou=users,dc=company,dc=rippling,dc=com</baseDn>
> > > <!-- ./pivotAttributes This mandatory node must include
string nodes with attributes name that will be used with their values
> > > as pivot datasets (used to get the corresponding
entry and to identify the counter-part object, here in the source database
> > > used during the clean phase to delete the
corresponding entry if no corresponding object is found)-->
> > > <pivotAttributes>
> > > <string>cn</string>
> > > </pivotAttributes>
> > > <!-- ./fetchedAttributes This mandatory node must include
string nodes with attributes name that will fill the full object.
> > > In a LDAP source service, fetched attributes will
be written to the target directory, whereas source provided datasets
> > > that are not listed there will silently be canceled,
i.e. not synchronized with the directory. -->
> > > <fetchedAttributes>
> > > <string>name</string>
> > > <string>cn</string>
> > > <string>sn</string>
> > > <string>uid</string>
> > > <string>mail</string>
> > > </fetchedAttributes>
> > > <!-- ./getAllFilter This mandatory node must include the
filter that will be used to list all target objects. In a LDAP destination service
> > > this value is used during the clean phase to look for
every object that it has a corresponding object in the source database -->
> > > <!--
<getAllFilter>(objectClass=inetOrgPerson)</getAllFilter> -->
> > >
> > > <!-- ./getOneFilter This mandatory node must include the
filter that will be used to get a particular entry. In a LDAP destination service
> > > this value is used during the synchronization phase to
get the object - in conjunction with fetchedAttributes to synchronize them -->
> > > <!--
<getOneFilter>(&(objectClass=inetOrgPerson)(cn={cn}))</getOneFilter> -->
> > >
<getAllFilter><![CDATA[(&(objectClass=inetOrgPerson))]]></getAllFilter>
> > >
<getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(cn={cn}))]]></getOneFilter>
> > > </ldapSourceService>
> > >
> > > <ldapDestinationService>
> > > <!-- A ldap destination service will have to contain at
least a name, a connection reference, a base DN, a filter to list
> > > entries, a filter to get a particular entry, a list of pivot
attributes and a list of fetched attributes -->
> > > <name>activedirectory-destination-service</name>
> > > <connection reference="activedirectory" />
> > > <!-- ./baseDn This mandatory node provide the directory base
branch that will be used to look for entries (list and get) -->
> > >
<baseDn>ou=companyusers,dc=company,dc=local</baseDn>
> > > <!-- ./pivotAttributes This mandatory node must include
string nodes with attributes name that will be used with their values
> > > as pivot datasets (used to get the corresponding entry and
to identify the counter-part object, here in the source database
> > > used during the clean phase to delete the corresponding entry
if no corresponding object is found)-->
> > > <pivotAttributes>
> > > <string>userPrincipalName</string>
> > > </pivotAttributes>
> > > <!-- ./fetchedAttributes This mandatory node must include
string nodes with attributes name that will fill the full object.
> > > In a LDAP destination service, fetched attributes will be
written to the target directory, whereas source provided datasets
> > > that are not listed there will silently be canceled, i.e. not
synchronized with the directory. -->
> > > <fetchedAttributes>
> > > <string>cn</string>
> > > <string>sn</string>
> > > <string>givenName</string>
> > > <string>displayName</string>
> > > <string>name</string>
> > > <string>mail</string>
> > > <string>userPrincipalName</string>
> > > <string>objectClass</string>
> > > <string>userAccountControl</string>
> > > <string>samAccountName</string>
> > > </fetchedAttributes>
> > > <!-- ./getAllFilter This mandatory node must include the
filter that will be used to list all target objects. In a LDAP destination service
> > > this value is used during the clean phase to look for every
object that it has a corresponding object in the source database -->
> > > <!-- <getAllFilter>(objectClass=user)</getAllFilter>
-->
> > > <!-- ./getOneFilter This mandatory node must include the
filter that will be used to get a particular entry. In a LDAP destination service
> > > this value is used during the synchronization phase to get
the object - in conjunction with fetchedAttributes to synchronize them -->
> > > <!--
<getOneFilter>(&(objectClass=user)(userPrincipalName={userPrincipalName}))</getOneFilter>
-->
> > >
<getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
> > >
<getOneFilter><![CDATA[(&(objectClass=user)(userPrincipalName={userPrincipalName}))]]></getOneFilter>
> > > </ldapDestinationService>
> > > <!-- ./syncOptions This mandatory node describes how to
handle the various situations encountered while synchronizing datasets.
> > > It must contains a main identifier construction rule and a
default policy.
> > > It may contains synchronization conditions, a default
delimiter and datasets synchronization rules (attribute nodes) -->
> > > <propertiesBasedSyncOptions>
> > > <!-- ./mainIdentifier This mandatory node must contain a
string Javascript expression that will enforce the object main identifier.-->
> > > <mainIdentifier>"cn=" +
javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) +
",ou=companyusers,dc=company,dc=local"</mainIdentifier>
> > > <!-- ./defaultDelimiter This mandatory node must contain the
default delimiter used when several values are provided in a single joined value.-->
> > > <defaultDelimiter>;</defaultDelimiter>
> > > <!-- ./defaultPolicy This mandatory node must contain the
default policy applied to datasets that define no policy of their own: KEEP, FORCE or MERGE.-->
> > > <defaultPolicy>KEEP</defaultPolicy>
> > > <!-- ./conditions This optional node may contain one or
more of the four node : create, update, delete and changeId -->
> > > <conditions>
> > > <!-- ./create This optional node may contain a boolean
Javascript expression that will indicate whenever a new entry must be created or not -->
> > > <create>true</create>
> > > <!-- ./update This optional node may contain a boolean
Javascript expression that will indicate whenever a existing entry must be updated or not
-->
> > > <update>true</update>
> > > <!-- ./delete This optional node may contain a boolean
Javascript expression that will indicate whenever a existing entry must be deleted or not
-->
> > > <delete>false</delete>
> > > <!-- ./changeId This optional node may contain a boolean
Javascript expression that will indicate whenever an existing object main identifier must be
changed or not -->
> > > <changeId>true</changeId>
> > > </conditions>
> > > <!-- ./dataset This multi-valued node may contain a
structure that will describe how to synchronize the corresponding dataset -->
> > > <dataset>
> > > <!-- ./name Mandatory node containing the dataset name
-->
> > > <name>objectClass</name>
> > > <!-- ./policy Mandatory node containing the policy to
apply to this dataset. Contains KEEP, FORCE or MERGE value -->
> > > <policy>KEEP</policy>
> > > <!-- ./defaultValues Optional node containing a list of
string values that will be used if none is provided by the datasource -->
> > > <!-- <defaultValues></defaultValues> -->
> > > <!-- ./forceValues Optional node containing a list of
string values that will be used to force destination service dataset values -->
> > > <!-- <forceValues></forceValues> -->
> > > <!-- ./createValues Optional node containing a list of
string values that will be used to force destination service dataset values when creating
object -->
> > > <createValues>
> > > <string>"user"</string>
> > > <string>"organizationalPerson"</string>
> > > <string>"person"</string>
> > > <string>"top"</string>
> > > </createValues>
> > > <!-- ./delimiter Used when multiples values are provided
in a single joined value -->
> > > <!-- <delimiter>,</delimiter> -->
> > > </dataset>
> > >
> > > <dataset>
> > > <name>displayName</name>
> > > <policy>FORCE</policy>
> > > <createValues>
> > >
<string>srcBean.getDatasetFirstValueById("name")</string>
> > > </createValues>
> > > </dataset>
> > > <dataset>
> > > <name>samAccountName</name>
> > > <policy>KEEP</policy>
> > > <createValues>
> > >
<string>srcBean.getDatasetFirstValueById("userPrincipalName")</string>
> > > </createValues>
> > > </dataset>
> > > <dataset>
> > > <name>userPrincipalName</name>
> > > <policy>KEEP</policy>
> > > <createValues>
> > >
<string>srcBean.getDatasetFirstValueById("cn")</string>
> > > </createValues>
> > > </dataset>
> > > <dataset>
> > > <name>userAccountControl</name>
> > > <policy>FORCE</policy>
> > > <forceValues>
> > > <string>
> > > <![CDATA[rjs:
> > > try{
> > > uac = AD.userAccountControlSet(
> > >
dstBean.getDatasetFirstValueById('userAccountControl'),
> > > [AD.UAC_UNSET_ACCOUNTDISABLE]);
> > > }catch(error){
> > > uac = AD.userAccountControlSet( "0", [
AD.UAC_SET_NORMAL_ACCOUNT , AD.UAC_SET_PASSWD_NOTREQD]);
> > > }
> > > uac;
> > > ]]>
> > > </string>
> > > </forceValues>
> > > </dataset>
> > >
> > > <!-- This is to set a password, which requires SSL
on your Domain Controller
> > > <dataset>
> > > <name>userPassword</name>
> > > <policy>KEEP</policy>
> > > <defaultValues>
> > > <string>"changethis"</string>
> > > </defaultValues>
> > > <forceValues></forceValues>
> > > <createValues></createValues>
> > > </dataset>
> > > <dataset>
> > > <name>unicodePwd</name>
> > > <policy>KEEP</policy>
> > > <createValues>
> > >
<string>AD.getUnicodePwd("&newUserPwd;")</string>
> > > </createValues>
> > > </dataset>
> > > -->
> > > </propertiesBasedSyncOptions>
> > > </task>
> > > </tasks>
> > > </lsc>
> > >
> > > --
> > >
> > > Simon Thorpe
> > >
> > > Director of Product | Rippling.com <https://www.rippling.com/>
> >
>
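An added example, not code from this thread, from LSC or from Worteks, that puts the two recurring points of the thread into runnable form. The first is the escaping that `javax.naming.ldap.Rdn.escapeValue` applies inside the `<mainIdentifier>` expression: a source `name` such as "Thorpe, Simon", or one deliberately set to "Simon Thorpe,ou=Domain Admins" by someone who can edit their own entry in the source directory, would otherwise change the structure of the DN being created; the JavaScript re-implementation below mirrors what the Java method does and is an assumption about that method, not its code. The second is a lint over the LDIF that LSC logs before the add reaches AD: in the most recent LDIF the DN is `cn=Simon Thorpe,...` while the entry's `cn` is still the e-mail address, and Active Directory refuses an add whose RDN value differs from the entry's naming attribute. The lint also decodes `userAccountControl` (544 in that LDIF is NORMAL_ACCOUNT plus PASSWD_NOTREQD, the fallback branch of the `rjs` script in the config), because PASSWD_NOTREQD allows the account to exist with an empty password. The entries are constructed for the example and the e-mail address is a placeholder.

```javascript
// Added example (not LSC, Worteks or thread code): RFC 4514 RDN escaping as
// javax.naming.ldap.Rdn.escapeValue performs it (JavaScript mirror, an assumption
// about the Java method) plus a pre-flight lint over the add request LSC logs as LDIF.

// Characters Rdn.escapeValue prefixes with a backslash; leading/trailing spaces too.
const RDN_ESCAPEES = ',=+<>#;"\\';

function escapeRdnValue(value) {
  const chars = Array.from(value);
  let lead = 0;
  while (lead < chars.length && chars[lead] === ' ') lead++;
  let trail = chars.length - 1;
  while (trail >= 0 && chars[trail] === ' ') trail--;
  let out = '';
  chars.forEach((c, i) => {
    if (i < lead || i > trail || RDN_ESCAPEES.includes(c)) out += '\\';
    out += c;
  });
  return out;
}

// Same construction as the <mainIdentifier> expression in the thread.
function buildDn(rdnAttr, rdnValue, parentDn) {
  return `${rdnAttr}=${escapeRdnValue(rdnValue)},${parentDn}`;
}

// Parse the first RDN of a DN back into { attr, value }, undoing "\x" and "\HH" escapes.
function firstRdn(dn) {
  const eq = dn.indexOf('=');
  const attr = dn.slice(0, eq).trim();
  let value = '';
  for (let i = eq + 1; i < dn.length; ) {
    const c = dn[i];
    if (c === '\\') {
      const hex = dn.slice(i + 1, i + 3);
      if (/^[0-9a-fA-F]{2}$/.test(hex)) { value += String.fromCharCode(parseInt(hex, 16)); i += 3; }
      else { value += dn[i + 1]; i += 2; }
    } else if (c === ',') {
      break;
    } else {
      value += c; i += 1;
    }
  }
  return { attr, value };
}

// userAccountControl bits relevant to provisioning (Microsoft-documented values).
const UAC = { ACCOUNTDISABLE: 0x2, PASSWD_NOTREQD: 0x20, NORMAL_ACCOUNT: 0x200,
              DONT_EXPIRE_PASSWORD: 0x10000 };

function decodeUac(value) {
  const n = Number(value);
  return Object.keys(UAC).filter((flag) => (n & UAC[flag]) !== 0);
}

// Lint the add request: the RDN value must equal the entry's naming attribute (AD rejects
// a mismatch; cn is matched case-insensitively), and PASSWD_NOTREQD is flagged because it
// lets the account exist with an empty password.
function lintAddRequest(dn, entry) {
  const findings = [];
  const { attr, value } = firstRdn(dn);
  const key = Object.keys(entry).find((k) => k.toLowerCase() === attr.toLowerCase());
  if (key !== undefined) {   // absent naming attribute is fine: AD fills it from the RDN
    const values = [].concat(entry[key]);
    if (!values.some((v) => v.toLowerCase() === value.toLowerCase())) {
      findings.push(`RDN ${attr}=${value} does not match entry ${key}=${values.join('|')}`);
    }
  }
  if ('userAccountControl' in entry && decodeUac(entry.userAccountControl).includes('PASSWD_NOTREQD')) {
    findings.push('userAccountControl has PASSWD_NOTREQD set: account may be created without a password');
  }
  return findings;
}

// Constructed sample modelled on the LDIF in the thread; the e-mail address is a placeholder.
const PARENT_DN = 'ou=companyusers,dc=company,dc=local';
const TARGET_DN = buildDn('cn', 'Simon Thorpe', PARENT_DN);
const BROKEN_ENTRY = {   // cn still carries the source value, so the RDN and cn disagree
  objectClass: ['user', 'organizationalPerson', 'person', 'top'],
  cn: 'user@example.com',
  sn: 'Thorpe',
  givenName: 'Simon',
  sAMAccountName: 'sthorpe',
  userPrincipalName: 'user@example.com',
  userAccountControl: '544',
};
const FIXED_ENTRY = { ...BROKEN_ENTRY, cn: 'Simon Thorpe', userAccountControl: '512' };

console.log(TARGET_DN);
console.log(buildDn('cn', 'Thorpe, Simon', PARENT_DN));                 // comma escaped
console.log(buildDn('cn', 'Simon Thorpe,ou=Domain Admins', PARENT_DN)); // injection attempt neutralised
console.log(lintAddRequest(TARGET_DN, BROKEN_ENTRY));
console.log(lintAddRequest(TARGET_DN, FIXED_ENTRY));
```

Run it with node against a copy of the LDIF LSC logs: the first two findings for `BROKEN_ENTRY` are exactly the two things to change in the config, a `cn` dataset forced from the source `name` so it matches the RDN, and a `userAccountControl` expression that does not fall back to PASSWD_NOTREQD unless the account really is meant to be created without a password.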