Re: [lsc-users] OpenLDAP 2 LDAP synchronization
Hi Gunter,

Sorry for the late reply (had a day off ;) ).

My current script looks like this:

    <dataset>
      <name>member</name>
      <policy>FORCE</policy>
      <forceValues>
        <string>
          <![CDATA[js:
            var membersOpenLDAP = srcBean.getAttributeValuesById("memberUid").toArray();
            var membersAD = [];
            for (var i=0; i<membersOpenLDAP.length; i++) {
              var ADDN = ldap.search("OU=users,OU=imported,OU=XXX", "(sAMAccountName=" + membersOpenLDAP[i] + ")");
              if (ADDN.size() != 1) {
                continue;
              }
              membersAD.push(ADDN.get(0) + ",DC=XXX,DC=XXX");
            }
            membersAD
          ]]>
        </string>
      </forceValues>
    </dataset>

Of course you need to tune it up a bit...

Cheers!

Marcin Baluta
Systems Administrator
tyntec GmbH
Semerteichstr. 54 - 56 | 44141 Dortmund, Germany
T +49 231 477 90 405 | F +49 231 108 799 2
www.tyntec.com

-----Original Message-----
From: lsc-users-boun...@lists.lsc-project.org [mailto:lsc-users-boun...@lists.lsc-project.org] On Behalf Of Gunter Holzer
Sent: Friday, 5 December 2014 20:27
To: lsc-users@lists.lsc-project.org
Subject: Re: [lsc-users] OpenLDAP 2 LDAP synchronization

> Hello Marcin,
>
> could you please share the modified script you used to sync the OpenLDAP group members with AD? As we are using posixgroups I am facing the same problem with the missing uniqueMember attribute - there is only memberUid.
>
> Thank you!
>
> Regards,
> Gunter Holzer
> Rechenzentrum, IuK
> Raum H208
> Hochschule Ravensburg-Weingarten
> Doggenriedstr.
> 88250 Weingarten
> Tel. +49 751 / 501 4607
> E-Mail: hol...@hs-weingarten.de

___
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
lsc-users@lists.lsc-project.org
http://lists.lsc-project.org/listinfo/lsc-users
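An added example (not from the thread or the LSC project): the memberUid-to-DN lookup from the script above, with each uid escaped per RFC 4515 before it is concatenated into the search filter, and with missing or ambiguous matches recorded instead of silently dropped. `resolveMembers`, `makeMockSearch` and the in-memory directory are stand-ins constructed here for LSC's `ldap.search`, so the block runs outside LSC.

```javascript
// Added example: stand-alone sketch of the memberUid -> AD DN lookup; not LSC code.

// RFC 4515: escape \ * ( ) and NUL as \XX inside a filter assertion value.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, function (ch) {
    return "\\" + ("0" + ch.charCodeAt(0).toString(16)).slice(-2);
  });
}

// `search(base, filter)` is a hypothetical stand-in for the thread's ldap.search:
// it returns an array of DNs relative to `suffix`.
function resolveMembers(memberUids, search, usersBase, suffix) {
  var members = [], skipped = [];
  for (var i = 0; i < memberUids.length; i++) {
    var uid = memberUids[i];
    var hits = search(usersBase, "(sAMAccountName=" + escapeFilterValue(uid) + ")");
    if (hits.length !== 1) {
      // Zero or several matches: record it instead of guessing a member.
      skipped.push({ uid: uid, matches: hits.length });
      continue;
    }
    members.push(hits[0] + "," + suffix);
  }
  return { members: members, skipped: skipped };
}

// Constructed in-memory directory so the example runs offline. It understands only
// (sAMAccountName=value), with unescaped '*' as a wildcard and \XX as a literal.
function makeMockSearch(entries) {
  return function (base, filter) {
    var m = /^\(sAMAccountName=(.*)\)$/.exec(filter);
    if (!m) return [];
    var pattern = m[1].split("*").map(function (part) {
      return part
        .replace(/\\([0-9a-fA-F]{2})/g, function (_, hex) {
          return String.fromCharCode(parseInt(hex, 16));
        })
        .replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    }).join(".*");
    var re = new RegExp("^" + pattern + "$", "i");
    return entries
      .filter(function (e) { return re.test(e.sam); })
      .map(function (e) { return "CN=" + e.cn + "," + base; });
  };
}

function demo() {
  var search = makeMockSearch([           // constructed sample accounts
    { sam: "jdoe", cn: "John Doe" },
    { sam: "svc(backup)", cn: "Backup Service" }
  ]);
  // Constructed memberUid values: a normal uid, an unknown one, and two that
  // contain filter metacharacters.
  return resolveMembers(["jdoe", "ghost", "*", "svc(backup)"], search,
                        "OU=users,OU=imported,OU=XXX", "DC=XXX,DC=XXX");
}

console.log(JSON.stringify(demo(), null, 2));
```

Inside LSC the same escaping function can be pasted into the CDATA script and applied to each memberUid before the filter string is built.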
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
Hello, Clément,

I’ve tried this: http://lsc-project.org/wiki/documentation/tutorial/synchronizegroups

But when I do, the JavaScript expression will not run. The error message is:

    Reason: javax.script.ScriptException: sun.org.mozilla.javascript.EcmaError: TypeError: Cannot find function size in object ………..

And if I replace the size() function by the length() function (= the function that was used in earlier samples) I get:

    Reason: javax.script.ScriptException: sun.org.mozilla.javascript.EcmaError: TypeError: Cannot find function get in object ……

Do you have an idea what could be the reason for this? Must I install an additional module?

My LSC version is 2.1.1.

Thank you!

Regards,
Jutta Biernath

Jutta Biernath
Freie Universität Berlin
Zentraleinrichtung für Datenverarbeitung (ZEDAT)
Identity Customer Management, FUDIS
Fabeckstr. 32
14195 Berlin
Tel. +49 30 838-75090
Fax +49 30 838-475090

From: lsc-users-boun...@lists.lsc-project.org [mailto:lsc-users-boun...@lists.lsc-project.org] On Behalf Of Clément OUDOT
Sent: Monday, 24 November 2014 15:16
To: Marcin Baluta
Cc: lsc-users
Subject: Re: [lsc-users] OpenLDAP 2 LDAP synchronization

> Hi,
>
> I just wrote a new tutorial that works with LSC 2: http://lsc-project.org/wiki/documentation/tutorial/synchronizegroups
>
> It should help you to achieve your task.
>
> Clément.
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
Hello Clement,

I still cannot manage to synchronize group membership. Actually – I’m not sure what script I should use to achieve this.

Currently I have this, taken from your LSC 1.1 tutorial (http://lsc-project.org/wiki/documentation/1.1/tutorials/synchronizegroups):

    <dataset>
      <name>member</name>
      <policy>FORCE</policy>
      <forceValues>
        <string><![CDATA[var umembers = srcBean.getAttributeValuesById("uniqueMember").toArray();
          for (var i=0; i<umembers.length; i++) {
            try {
              umembers[i] = ldap.attribute(ldap.list("OU=Users,OU=imported,OU=test,DC=xxx,DC=xxx", "(sAMAccountName=" + (srcLdap.attribute(umembers[i], 'uid').get(0) + ")" )).get(0), 'distinguishedName').get(0)
            } catch (e) {
              umembers[i]=null
            }
          }
          var members = new Array();
          var j=0;
          for (var i=0; i<umembers.length; i++) {
            if (umembers[i]!=null) members[j++]=umembers[i]
          }
          members;]]>
        </string>
      </forceValues>
    </dataset>

Any help kindly appreciated ;)
.. and of course I remember about beer for you ☺

Marcin Baluta
Systems Administrator
tyntec GmbH
Semerteichstr. 54 - 56 | 44141 Dortmund, Germany
T +49 231 477 90 405 | F +49 231 108 799 2
www.tyntec.com

From: Clément OUDOT [mailto:clem.ou...@gmail.com]
Sent: Monday, 17 November 2014 16:09
To: Marcin Baluta
Cc: lsc-users
Subject: Re: OpenLDAP 2 LDAP synchronization

> No, you need to find the DN of the user as it will be in the destination directory. You can search the destination directory with the sAMAccountName to get the corresponding dn.
>
> Clément.
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
2014-11-24 13:48 GMT+01:00 Marcin Baluta bal...@tyntec.com:

> Hello Clement,
>
> I still cannot manage to synchronize group membership. Actually – I’m not sure what script I should use to achieve this.
>
> Currently I have this, taken from your LSC 1.1 tutorial (http://lsc-project.org/wiki/documentation/1.1/tutorials/synchronizegroups):
>
>     <dataset>
>       <name>member</name>
>       <policy>FORCE</policy>
>       <forceValues>
>         <string><![CDATA[var umembers = srcBean.getAttributeValuesById("uniqueMember").toArray();
>           for (var i=0; i<umembers.length; i++) {
>             try {
>               umembers[i] = ldap.attribute(ldap.list("OU=Users,OU=imported,OU=test,DC=xxx,DC=xxx", "(sAMAccountName=" + (srcLdap.attribute(umembers[i], 'uid').get(0) + ")" )).get(0), 'distinguishedName').get(0)
>             } catch (e) {
>               umembers[i]=null
>             }
>           }
>           var members = new Array();
>           var j=0;
>           for (var i=0; i<umembers.length; i++) {
>             if (umembers[i]!=null) members[j++]=umembers[i]
>           }
>           members;]]>
>         </string>
>       </forceValues>
>     </dataset>
>
> Any help kindly appreciated ;)
> .. and of course I remember about beer for you ☺

Hi,

I just wrote a new tutorial that works with LSC 2: http://lsc-project.org/wiki/documentation/tutorial/synchronizegroups

It should help you to achieve your task.

Clément.
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
Yep, definitely that’s a better approach than having everyone asking for the same ;)

I’m starting to read it and will give you feedback.

Thank you very much Clement ☺

Marcin Baluta
Systems Administrator
tyntec GmbH
Semerteichstr. 54 - 56 | 44141 Dortmund, Germany
T +49 231 477 90 405 | F +49 231 108 799 2
www.tyntec.com

From: Clément OUDOT [mailto:clem.ou...@gmail.com]
Sent: Monday, 24 November 2014 15:16
To: Marcin Baluta
Cc: lsc-users
Subject: Re: OpenLDAP 2 LDAP synchronization

> Hi,
>
> I just wrote a new tutorial that works with LSC 2: http://lsc-project.org/wiki/documentation/tutorial/synchronizegroups
>
> It should help you to achieve your task.
>
> Clément.
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
Clément OUDOT clem.ou...@gmail.com wrote:

> Hi,
>
> I just wrote a new tutorial that works with LSC 2: http://lsc-project.org/wiki/documentation/tutorial/synchronizegroups
>
> It should help you to achieve your task.
>
> Clément.

Hi Clément,

I thought that with AD, the list of members in a group had to be kept in sync with the memberOf attribute of the user entry. When I tested it a while ago, I had an exception when I tried to add a group to a user by adding it to its memberOf attribute.

Is it different when you add a user to the member attribute of a group instead? Does AD update the memberOf attribute of the user automatically?

Thanks

Max
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
2014-11-24 16:44 GMT+01:00 Maxime Pelletier maxime.pellet...@educsa.org:

> Hi Clément,
>
> I thought that with AD, the list of members in a group had to be kept in sync with the memberOf attribute of the user entry. When I tested it a while ago, I had an exception when I tried to add a group to a user by adding it to its memberOf attribute.
>
> Is it different when you add a user to the member attribute of a group instead? Does AD update the memberOf attribute of the user automatically?

Yes, memberOf is an operational attribute, it is managed by the server. You can't update it directly.

Clément.
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
Hi guys,

I think it’s the „member“ not the „memberOf“ attribute.

But I have another problem. So – in my OpenLDAP structure there’s no uniqueMember attribute, so the script in the documentation page is not working for me 😐 Users are listed in the group with their memberUid.

… what I meanwhile realized is that during the tests I was performing, UIDs from the source were saved in the “memberUid” attribute in AD, but as the “member” attribute is still empty it’s not solving my problem ☺

Cheers,

Marcin Baluta
Systems Administrator
tyntec GmbH
Semerteichstr. 54 - 56 | 44141 Dortmund, Germany
T +49 231 477 90 405 | F +49 231 108 799 2
www.tyntec.com

From: lsc-users-boun...@lists.lsc-project.org [mailto:lsc-users-boun...@lists.lsc-project.org] On Behalf Of Maxime Pelletier
Sent: Monday, 24 November 2014 16:45
To: lsc-users@lists.lsc-project.org
Subject: Re: [lsc-users] OpenLDAP 2 LDAP synchronization

> Hi Clément,
>
> I thought that with AD, the list of members in a group had to be kept in sync with the memberOf attribute of the user entry. When I tested it a while ago, I had an exception when I tried to add a group to a user by adding it to its memberOf attribute.
>
> Is it different when you add a user to the member attribute of a group instead? Does AD update the memberOf attribute of the user automatically?
>
> Thanks
>
> Max
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
2014-11-17 12:50 GMT+01:00 Marcin Baluta bal...@tyntec.com:

> Hi Clement,
>
> In short – our goal is to have OpenLDAP and AD (Windows 2k12) fully synchronized. So far I managed to catch users from OpenLDAP and place them in the desired OU. Now I’m facing a “group syncing” problem and cannot jump through it.
>
> I’m receiving this error:
>
>     [LDAP: error code 65 - 207B: UpdErr: DSID-03051266, problem 6002 (OBJ_CLASS_VIOLATION), data 0]
>
> when LSC tries to create a group in AD. As I can guess - I’m missing some attribute required by AD… or maybe something different.
>
> Task for group syncing:
>
>     <task>
>       <name>Groups</name>
>       <bean>org.lsc.beans.SimpleBean</bean>
>       <ldapSourceService>
>         <name>LDAPsource-service-groups</name>
>         <connection reference="LDAPsource" />
>         <baseDn>ou=groups,dc=xxx,dc=xxx,dc=xxx</baseDn>
>         <pivotAttributes>
>           <string>cn</string>
>         </pivotAttributes>
>         <fetchedAttributes>
>           <string>cn</string>
>           <string>description</string>
>           <string>memberUID</string>
>           <string>member</string>
>         </fetchedAttributes>
>         <getAllFilter><![CDATA[(objectClass=posixGroup)]]></getAllFilter>
>         <getOneFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></getOneFilter>
>         <cleanFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></cleanFilter>
>       </ldapSourceService>
>       <ldapDestinationService>
>         <name>LDAPdestination-service-groups</name>
>         <connection reference="LDAPdestination" />
>         <baseDn>OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx</baseDn>
>         <pivotAttributes>
>           <string>cn</string>
>         </pivotAttributes>
>         <fetchedAttributes>
>           <string>cn</string>
>           <string>sAMAccountName</string>
>           <string>distinguishedName</string>
>           <string>description</string>
>           <string>objectClass</string>
>           <string>memberUID</string>
>           <string>member</string>
>         </fetchedAttributes>
>         <getAllFilter><![CDATA[(objectClass=group)]]></getAllFilter>
>         <getOneFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></getOneFilter>
>       </ldapDestinationService>
>       <propertiesBasedSyncOptions>
>         <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("cn") + ", OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx"</mainIdentifier>
>         <defaultDelimiter>;</defaultDelimiter>
>         <defaultPolicy>FORCE</defaultPolicy>
>         <conditions>
>           <create>true</create>
>           <update>true</update>
>           <delete>false</delete>
>           <changeId>true</changeId>
>         </conditions>
>         <dataset>
>           <name>cn</name>
>           <policy>FORCE</policy>
>           <createValues>
>             <string>srcBean.getDatasetFirstValueById("cn")</string>
>           </createValues>
>         </dataset>
>         <dataset>
>           <name>description</name>
>           <policy>KEEP</policy>
>           <createValues>
>             <string>srcBean.getAttributeValuesById("description")</string>
>           </createValues>
>         </dataset>
>         <dataset>
>           <name>sAMAccountName</name>
>           <policy>KEEP</policy>
>           <createValues>
>             <string>srcBean.getDatasetFirstValueById("cn")</string>
>           </createValues>
>         </dataset>
>         <dataset>
>           <name>distinguishedName</name>
>           <policy>KEEP</policy>
>           <createValues>
>             <string>"CN=" + srcBean.getDatasetFirstValueById("cn") + ", OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx"</string>
>           </createValues>
>         </dataset>
>         <dataset>
>           <name>objectcClass</name>
>           <policy>FORCE</policy>
>           <createValues>
>             <string>"top"</string>
>             <string>"group"</string>
>           </createValues>
>         </dataset>
>         <dataset>
>           <name>member</name>
>           <policy>FORCE</policy>
>           <forceValues>
>             <string>
>               <![CDATA[js:
>                 var dstMembers = new Array();
>                 var membersSrcDn = srcBean.getDatasetValuesById("member");
>                 for (var i=0; i<membersSrcDn.size(); i++) {
>                   var memberSrcDn = membersSrcDn.get(i);
>                   sam = srcLdap.attribute( memberSrcDn, "sAMAccountName").get(0);
>                   dstMembers.push(sam)
>                 }
>                 dstMembers;
>               ]]>
>             </string>
>           </forceValues>
>         </dataset>
>       </propertiesBasedSyncOptions>
>     </task>
>
> Also very important info – our sAMAccountName is different than UID in OpenLDAP. I put these datasets in “users sync task”:
>
>     <dataset>
>       <name>samAccountName</name>
>       <policy>KEEP</policy>
>       <createValues>
>         <string>srcBean.getDatasetFirstValueById('givenName') + "." + srcBean.getDatasetFirstValueById('sn')</string>
>       </createValues>
>     </dataset>
>     <dataset>
>       <name>uid</name>
>       <policy>KEEP</policy>
>       <forceValues>
>         <string>srcBean.getDatasetFirstValueById("uid")</string>
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
2014-11-17 13:39 GMT+01:00 Marcin Baluta bal...@tyntec.com:

> Hi Clement,

Hi Marcin, please answer to the list.

> Thanks for your reply. So, I commented out dataset with sAMAccountName and still have the same error. Basically it looks like this:
>
>     Nov 17 13:33:19 - ERROR - Error while adding entry CN=stuff,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx in directory :javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - 207B: UpdErr: DSID-03051266, problem 6002 (OBJ_CLASS_VIOLATION), data 0 ]; remaining name 'CN=stuff,OU=Groups,OU=xxx,OU=xxx
>     Nov 17 13:33:19 - ERROR - Error while synchronizing ID CN=stuff,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx: java.lang.Exception: Technical problem while applying modifications to the destination
>     # Mon Nov 17 13:33:19 CET 2014
>     dn: CN=stuff,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx
>     changetype: add
>     memberUID: lot of memberUids here
>     cn: stuff
>     description: Stuff
>     objectCategory: CN=stuff,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx
>
> and of course this goes for all groups listed in OpenLDAP.

I think AD groups work with 'member' attribute containing DN of users.

Clément.
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
Hi Clement,

I guess that the error I’m receiving has nothing to do with group membership. It just cannot create the group and I have no idea why.

So the log without members being picked:

    Nov 17 14:45:31 - ERROR - Error while adding entry CN=admins,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx in directory :javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - 207B: UpdErr: DSID-03051266, problem 6002 (OBJ_CLASS_VIOLATION), data 0 ]; remaining name 'CN=admins,OU=Groups,OU=imported,OU=test’
    Nov 17 14:45:31 - ERROR - Error while synchronizing ID CN=admins,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx: java.lang.Exception: Technical problem while applying modifications to the destination
    # Mon Nov 17 14:45:31 CET 2014
    dn: CN=admins,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx
    changetype: add
    cn: admins
    description: System-Administration
    objectCategory: CN=admins,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx

Cheers,

Marcin Baluta
Systems Administrator
tyntec GmbH
Semerteichstr. 54 - 56 | 44141 Dortmund, Germany
T +49 231 477 90 405 | F +49 231 108 799 2
www.tyntec.com

From: Clément OUDOT [mailto:clem.ou...@gmail.com]
Sent: Monday, 17 November 2014 14:39
To: Marcin Baluta; lsc-users
Subject: Re: OpenLDAP 2 LDAP synchronization

> Hi Marcin, please answer to the list.
>
> I think AD groups work with 'member' attribute containing DN of users.
>
> Clément.
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
2014-11-17 14:50 GMT+01:00 Marcin Baluta bal...@tyntec.com:

> Hi Clement,
>
> I guess that the error I’m receiving has nothing to do with group membership. It just cannot create the group and I have no idea why.
>
> So the log without members being picked:
>
>     Nov 17 14:45:31 - ERROR - Error while adding entry CN=admins,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx in directory :javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - 207B: UpdErr: DSID-03051266, problem 6002 (OBJ_CLASS_VIOLATION), data 0 ]; remaining name 'CN=admins,OU=Groups,OU=imported,OU=test’
>     Nov 17 14:45:31 - ERROR - Error while synchronizing ID CN=admins,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx: java.lang.Exception: Technical problem while applying modifications to the destination
>     # Mon Nov 17 14:45:31 CET 2014
>     dn: CN=admins,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx
>     changetype: add
>     cn: admins
>     description: System-Administration
>     objectCategory: CN=admins,OU=Groups,OU=imported,OU=test,DC=xxx,DC=xxx

It is because you have no objectClass in your entry. Seems you have a typo in your lsc.xml:

    <name>objectcClass</name>

objectcClass -> objectClass

Clément.
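An added example (not from the thread or the LSC project): a small lint that flags the kind of typo found above by comparing each dataset name with the destination service's `fetchedAttributes` (case-insensitively, as LDAP attribute names are) and checking that an `objectClass` dataset exists. Treating a dataset name that is missing from `fetchedAttributes` as suspicious is a heuristic assumed here, and the sample task is a constructed, shortened version of the one posted in the thread.

```javascript
// Added example: heuristic lint for one <task> of lsc.xml; not part of LSC.

// Return the inner text of every <tag>...</tag> element found in xml.
function blocks(xml, tag) {
  var re = new RegExp("<" + tag + "(?:\\s[^>]*)?>([\\s\\S]*?)</" + tag + ">", "g");
  var out = [], m;
  while ((m = re.exec(xml)) !== null) out.push(m[1]);
  return out;
}

// Levenshtein distance, used to suggest the attribute a typo probably meant.
function editDistance(a, b) {
  var prev = [], i, j;
  for (j = 0; j <= b.length; j++) prev[j] = j;
  for (i = 1; i <= a.length; i++) {
    var cur = [i];
    for (j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
                        prev[j - 1] + (a.charAt(i - 1) === b.charAt(j - 1) ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

function lintTask(taskXml) {
  var dest = blocks(taskXml, "ldapDestinationService")[0] || "";
  var fetched = blocks(blocks(dest, "fetchedAttributes")[0] || "", "string")
    .map(function (s) { return s.trim(); });
  var fetchedLower = fetched.map(function (s) { return s.toLowerCase(); });
  var unknown = [], hasObjectClass = false;

  blocks(taskXml, "dataset").forEach(function (ds) {
    var name = (blocks(ds, "name")[0] || "").trim();
    var lower = name.toLowerCase();
    if (lower === "objectclass") hasObjectClass = true;
    if (fetchedLower.indexOf(lower) !== -1) return;
    var best = null, bestDist = 3;          // suggest only within edit distance 2
    fetchedLower.forEach(function (f, idx) {
      var d = editDistance(lower, f);
      if (d < bestDist) { bestDist = d; best = fetched[idx]; }
    });
    unknown.push({ name: name, suggestion: best });
  });
  // Without an objectClass dataset the new entry is sent with no objectClass at all.
  return { unknown: unknown, hasObjectClass: hasObjectClass };
}

// Constructed, shortened task modelled on the configuration posted in the thread.
var SAMPLE_TASK = [
  "<task>",
  "  <ldapDestinationService>",
  "    <name>LDAPdestination-service-groups</name>",
  "    <fetchedAttributes>",
  "      <string>cn</string>",
  "      <string>sAMAccountName</string>",
  "      <string>description</string>",
  "      <string>objectClass</string>",
  "      <string>member</string>",
  "    </fetchedAttributes>",
  "  </ldapDestinationService>",
  "  <propertiesBasedSyncOptions>",
  "    <dataset><name>cn</name><policy>FORCE</policy></dataset>",
  "    <dataset><name>samAccountName</name><policy>KEEP</policy></dataset>",
  "    <dataset><name>objectcClass</name><policy>FORCE</policy></dataset>",
  "    <dataset><name>member</name><policy>FORCE</policy></dataset>",
  "  </propertiesBasedSyncOptions>",
  "</task>"
].join("\n");

function lintSample() {
  return lintTask(SAMPLE_TASK);
}

console.log(JSON.stringify(lintSample(), null, 2));
```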
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
Holy crap, I owe you a beer Clement ☺

So, after “fixing” the typo groups have been created…

… but no members in there. The java code I use is taken from the depths of the Internet. I have no idea whether it’s working or not.

Cheers,

Marcin Baluta
Systems Administrator
tyntec GmbH
Semerteichstr. 54 - 56 | 44141 Dortmund, Germany
T +49 231 477 90 405 | F +49 231 108 799 2
www.tyntec.com

From: Clément OUDOT [mailto:clem.ou...@gmail.com]
Sent: Monday, 17 November 2014 15:00
To: Marcin Baluta
Cc: lsc-users
Subject: Re: OpenLDAP 2 LDAP synchronization

> It is because you have no objectClass in your entry. Seems you have a typo in your lsc.xml:
>
>     <name>objectcClass</name>
>
> objectcClass -> objectClass
>
> Clément.
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
2014-11-17 15:20 GMT+01:00 Marcin Baluta bal...@tyntec.com:

> Holy crap, I owe you a beer Clement ☺

Great ;)

> So, after “fixing” the typo groups have been created…
>
> … but no members in there. The java code I use is taken from the depths of the Internet. I have no idea whether it’s working or not.

I think you need to push the DN of the users in the member attribute, not their sAMAccountName.

Clément.
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
You mean in js? So it will be like this:

    <![CDATA[js:
      var dstMembers = new Array();
      var membersSrcDn = srcBean.getDatasetValuesById("member");
      for (var i=0; i<membersSrcDn.size(); i++) {
        var memberSrcDn = membersSrcDn.get(i);
        sam = srcLdap.attribute( memberSrcDn, "distinguishedName").get(0);
        dstMembers.push(sam)
      }
      dstMembers;
    ]]>

Marcin Baluta
Systems Administrator
tyntec GmbH
Semerteichstr. 54 - 56 | 44141 Dortmund, Germany
T +49 231 477 90 405 | F +49 231 108 799 2
www.tyntec.com

From: Clément OUDOT [mailto:clem.ou...@gmail.com]
Sent: Monday, 17 November 2014 15:31
To: Marcin Baluta
Cc: lsc-users
Subject: Re: OpenLDAP 2 LDAP synchronization

> Great ;)
>
> I think you need to push the DN of the users in the member attribute, not their sAMAccountName.
>
> Clément.
Re: [lsc-users] OpenLDAP 2 LDAP synchronization
2014-11-17 15:45 GMT+01:00 Marcin Baluta bal...@tyntec.com:

> You mean in js? So it will be like this:
>
>     <![CDATA[js:
>       var dstMembers = new Array();
>       var membersSrcDn = srcBean.getDatasetValuesById("member");
>       for (var i=0; i<membersSrcDn.size(); i++) {
>         var memberSrcDn = membersSrcDn.get(i);
>         sam = srcLdap.attribute( memberSrcDn, "distinguishedName").get(0);
>         dstMembers.push(sam)
>       }
>       dstMembers;
>     ]]>

No, you need to find the DN of the user as it will be in the destination directory. You can search the destination directory with the sAMAccountName to get the corresponding dn.

Clément.