Ashtar Communications
2013-06-09 03:56:14 UTC
Hi,
First of all, thanks for writing this tool - it's really bailing me out of
a tough spot.
I am having difficulty getting passwords to sync from OpenLDAP to Active
Directory Lightweight Directory Services. I have followed the tutorial and
the advice in the documentation, and I've tried to read every previous
thread I could find on this list about it, but I'm still struggling to get
it to work. I apologize for asking what I'm sure is a common question, but
this is very much not my area of expertise.
Specifically, my issue is that users are created during sync, but the
password attribute doesn't appear to be set. After I run lsc, I can see
newly created users in AD LDS - but when I use my application on the AD LDS
machine to log in with one of those new users, it fails to authenticate
with the password I provided in the lsc.xml file. Instead, it allows me to
log in using the new username and a blank password.
I'm not getting any error messages in the console when lsc runs. Even
turning up all the logback settings to DEBUG, I can see each attribute
being set, but zero references in the console to unicodePwd at all - it's
as if it's just being ignored entirely.
My connection password to AD LDS is correct and has administrative rights.
I can connect over SSL and reset the user password successfully using
another online LDAP tool, using the same admin credentials.
The password I'm trying to set complies with the AD LDS password policy - I
can manually set the same password on the AD side.
I'm using lsc 2.0.2 on Ubuntu.
Edited excerpt from my lsc.xml file (can provide the whole thing if it
would help):
<propertiesBasedSyncOptions>
  <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("cn") + ",cn=Test,dc=test,dc=local"</mainIdentifier>
  <defaultDelimiter>;</defaultDelimiter>
  <defaultPolicy>FORCE</defaultPolicy>
  <dataset>
    <name>userAccountControl</name>
    <policy>KEEP</policy>
    <createValues>
      <string>AD.userAccountControlSet("0", [AD.UAC_SET_NORMAL_ACCOUNT])</string>
    </createValues>
  </dataset>
  <dataset>
    <name>unicodePwd</name>
    <policy>FORCE</policy>
    <createValues>
      <string>AD.getUnicodePwd("change1t!")</string>
    </createValues>
  </dataset>
</propertiesBasedSyncOptions>
Ultimately, I will need to use the userPassword attribute from OpenLDAP to
sync to AD for each user - but I can't even get this to work just
specifying a FORCE for the same password for all users.
Any idea what I'm doing wrong?
One other question - I am also noticing that the msDS-UserAccountDisabled
attribute for all the synced accounts is set to TRUE - my first few
attempts at configuring the xml file to change that all failed. Does anyone
know a quick way to enable all the new accounts? I assume it has something
to do with the userAccountControl section, but the example in the tutorial
didn't seem to do it.
Thank you in advance for any assistance,
aaron
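Added example for this thread (not LSC's code and not part of the original post): the on-the-wire values that AD and AD LDS expect for unicodePwd and userAccountControl, plus the LDIF an ldapmodify over LDAPS would send, so the password write can be checked independently of the sync run. AD.getUnicodePwd() and AD.userAccountControlSet() in the lsc.xml excerpt are LSC helpers; the functions below only reproduce the format, and uac_set is an assumed mirror of what such a helper does. The DN and password are constructed from the excerpt.

```python
# Added example for this thread: build the values AD / AD LDS expect for
# unicodePwd and userAccountControl and emit matching LDIF. Not LSC's code;
# the LSC helpers in lsc.xml do their own encoding.
import base64

# userAccountControl bits as documented by Microsoft for the attribute.
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd is the password wrapped in double quotes, encoded UTF-16LE
    with no byte-order mark. AD by default only accepts the write over a
    protected connection (LDAPS or StartTLS); over plain LDAP it is refused."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, used to verify the encoding."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not a quoted unicodePwd")
    return text[1:-1]


def unicode_pwd_b64(password: str) -> str:
    """Base64 form required in LDIF, where a binary value uses 'attr:: '."""
    return base64.b64encode(encode_unicode_pwd(password)).decode("ascii")


def password_ldif(dn: str, password: str) -> str:
    """LDIF modify that replaces unicodePwd on an existing entry."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {unicode_pwd_b64(password)}",
        "-",
    ])


def uac_set(current: int, set_flags=(), unset_flags=()) -> int:
    """Set and clear userAccountControl bits on a current value. Assumed
    mirror of a helper like LSC's AD.userAccountControlSet: OR in the 'set'
    flags, AND out the 'unset' flags."""
    value = current
    for flag in set_flags:
        value |= flag
    for flag in unset_flags:
        value &= ~flag
    return value


def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit (0x2) is set, e.g. 0x202."""
    return bool(uac & UAC_ACCOUNTDISABLE)


def enable_adlds_ldif(dn: str) -> str:
    """AD LDS user objects expose the boolean msDS-UserAccountDisabled (the
    attribute the post reports as TRUE); enabling the account there is a
    plain boolean replace, not a userAccountControl bit change."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: msDS-UserAccountDisabled",
        "msDS-UserAccountDisabled: FALSE",
        "-",
    ])


if __name__ == "__main__":
    # Constructed sample DN following the mainIdentifier pattern in the excerpt.
    dn = "CN=aaron,cn=Test,dc=test,dc=local"
    raw = encode_unicode_pwd("change1t!")
    assert decode_unicode_pwd(raw) == "change1t!"
    print(raw)
    print(password_ldif(dn, "change1t!"))
    print(hex(uac_set(0, set_flags=[UAC_NORMAL_ACCOUNT])))
    print(hex(uac_set(0x202, unset_flags=[UAC_ACCOUNTDISABLE])))
    print(enable_adlds_ldif(dn))
```

Feeding the two LDIF fragments to ldapmodify against the AD LDS instance over LDAPS with the same admin credentials separates the question "does the server accept this password write at all" from "is the sync tool sending it"; if the direct write succeeds and the bind with the new password works, the remaining problem is on the sync side.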