Discussion:
[lsc-users] NIS plugin and filtering
Martin Röh
2018-10-29 12:48:59 UTC
Hello,

is it possible to set a filter in the nis configuration, so that only
special uid's or uidNumbers are synced from nis ?

Best regards

Martin
Soisik Froger
2018-10-29 13:37:50 UTC
On 29/10/2018 13:48, Martin Röh wrote:
> Hello,
>
> is it possible to set a filter in the nis configuration, so that only
> special uid's or uidNumbers are synced from nis ?
>
> Best regards
>
> Martin

Hi Martin,

Yes, you can add such a filter in the getAllFilter tag.

--
Soisik
Worteks | https://www.worteks.com
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
lsc-***@lists.lsc-project.org
https://lis
Martin Röh
2018-10-29 13:42:40 UTC
Hi Soisik,

I tried it this way:

<name>NIS2LDAP-User-SyncTask</name>
<bean>org.lsc.beans.SimpleBean</bean>
<pluginSourceService implementationClass="org.lsc.plugins.connectors.nis.NisSrcService">
        <name>nis-source-service</name>
        <connection reference="nis-src-conn" />
        <nis:nisSourceServiceSettings>
                <name>nis-src-service</name>
                <connection reference="nis-src-conn" />
                <nis:map>passwd.byname</nis:map>
        </nis:nisSourceServiceSettings>
        <getAllFilter>>(&amp;(objectClass=inetorgperson)(uid=mar))</getAllFilter>
</pluginSourceService>

But I get an error:

Oct 29 14:40:15 - ERROR - org.lsc.exception.LscConfigurationException:
Configuration exception: Unable to identify the nis service configuration
inside the plugin source node of the task: NIS2LDAP-User-SyncTask

Can you tell me how to do it in the right way ?

Regards

Martin



Soisik Froger
2018-10-29 14:25:24 UTC
On 29/10/2018 14:42, Martin Röh wrote:
>
> I tried it this way:
>
>  <name>NIS2LDAP-User-SyncTask</name>
>                         <bean>org.lsc.beans.SimpleBean</bean>
>                         <pluginSourceService implementationClass="org.lsc.plugins.connectors.nis.NisSrcService">
>                                 <name>nis-source-service</name>
>                                 <connection reference="nis-src-conn" />
>                                 <nis:nisSourceServiceSettings>
>                                         <name>nis-src-service</name>
>                                         <connection reference="nis-src-conn" />
>                                         <nis:map>passwd.byname</nis:map>
>                                 </nis:nisSourceServiceSettings>
>                                 <getAllFilter>>(&amp;(objectClass=inetorgperson)(uid=mar))</getAllFilter>
>                         </pluginSourceService>
>
> But I get an error:
>
> Oct 29 14:40:15 - ERROR - org.lsc.exception.LscConfigurationException: Configuration exception: Unable to identify the nis service configuration inside the plugin source node of the task: NIS2LDAP-User-SyncTask
>
> Can you tell me how to do it in the right way ?


Maybe using some conditions ?

https://lsc-project.org/documentation/latest/configuration/syncoptions#conditions_lsc_tasks_task_propertiesbasedsyncoptions_conditions

--
Soisik Froger

Worteks | https://www.worteks.com
Martin Röh
2018-10-29 14:31:54 UTC
Hi Soisik,

that makes no difference.

It seems to me that the filter option is not known by the nis plugin. Is
it possible ?

Regards

Martin



Soisik Froger
2018-10-29 14:56:25 UTC
On 29/10/2018 15:31, Martin Röh wrote:
> Hi Soisik,
>
> that makes no difference.
>
> It seems to me that the filter option is not known by the nis plugin. Is it possible ?
>
> Regards
>
> Martin

Looking at the schema, I don't think this is possible but I do not know this plugin very well.

Conditions will allow you to trigger synchronization on some entry while ignoring some others, isn't that what you are trying to achieve?

--
Soisik Froger
Worteks | https://www.worteks.com
Martin Röh
2018-10-29 15:07:33 UTC
Yes, that is what I will try, but I don't know how I can do it with
conditions. I think the conditions are global for the complete sync
process ? Perhaps you have an example for me how I can do it ?

Regards

Martin



Clément OUDOT
2018-10-29 18:12:04 UTC
On 29/10/2018 at 16:07, Martin Röh wrote:
> Yes, that is what I will try, but I don't know how I can do it with
> conditions. I think the conditions are global for the complete sync
> process ? Perhaps you have an example for me how I can do it ?
>

Hello Martin,

conditions are evaluated for each entry. It is a JavaScript expression
that is evaluated (like in a dataset). If the expression returns true,
the condition is validated and the entry can be written
(create/update/delete). If the condition is false, the entry is not updated.

Example:

        <conditions>
          <create>false</create>
          <update><![CDATA[rjs:
            var update = true;
            if ( srcBean.getDatasetFirstValueById("userPassword").startsWith("{") ) {
              update = false;
            }
            update;
          ]]></update>
          <delete>false</delete>
          <changeId>false</changeId>
        </conditions>

Here the task will only update the entry if the value in userPassword
field is in cleartext.

--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
Martin Röh
2018-11-02 11:19:44 UTC
Hi Clement,

thank you for the hint.

I tried it this way but unfortunately it didn't work for me.

To sync only the uid mar I coded it this way:

<propertiesBasedSyncOptions>
        <mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("uid") + ",ou=people,dc=ppi,dc=org"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <conditions>
                <create>false</create>
                <update><![CDATA[rjs:
                        var update = false;
                        if ( srcBean.getDatasetFirstValueById("uid") == "mar" ) {
                                update = true;
                        }
                        update;
                ]]></update>
                <delete>false</delete>
                <changeId>false</changeId>
        </conditions>
        <dataset>
                <name>gecos</name>
                <policy>FORCE</policy>
                <forceValues>
                        <string>srcBean.getDatasetFirstValueById("gecos")</string>
                </forceValues>
        </dataset>
</propertiesBasedSyncOptions>

Then I did a dry run and at the end I get this:

.......
Nov 02 12:02:19 - INFO - Starting sync for NIS2LDAP-User-SyncTask
Nov 02 12:02:23 - INFO - All entries: 948, to modify entries: 0,
successfully modified entries: 0, errors: 0
[***@tasha nis2ad]#

The user mar exists in NIS:
[***@janeway ~]# getent passwd | grep ^mar
mar:sijMc1cgNHgCo:7241:202:Martin Roeh:/home/mar:/bin/bash
[***@janeway ~]#

Can you show me my mistake ?

Regards

Martin



Soisik Froger
2018-11-05 06:32:21 UTC
On 02/11/2018 12:19, Martin Röh wrote:
> <update><![CDATA[rjs:
>         var update = false;
>         if ( srcBean.getDatasetFirstValueById("uid") == "mar" ) {
>                 update = true;
>         }
>         update;
> ]]></update>
Hi Martin,

In Java, using "==" on a string will compare the memory address of the object.

To compare chars, you have to use the equals method, e.g. srcBean.getDatasetFirstValueById("uid").equals("mar")

Regards

--
Soisik Froger
Worteks | https://www.worteks.com
Clément OUDOT
2018-11-05 08:37:45 UTC
On 05/11/2018 at 07:32, Soisik Froger wrote:
> On 02/11/2018 12:19, Martin Röh wrote:
>> <update><![CDATA[rjs:
>>         var update = false;
>>         if ( srcBean.getDatasetFirstValueById("uid") == "mar" ) {
>>                 update = true;
>>         }
>>         update;
>> ]]></update>
> Hi Martin,
>
> In Java, using "==" on a string will compare the memory address of the object.
>
> To compare chars, you have to use the equals method, e.g. srcBean.getDatasetFirstValueById("uid").equals("mar")

Check also that you really want an update condition and not a create
condition. The update condition will only be tested if LSC matches an
entry in source and destination.


--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
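
The point in the reply above, that the update condition is only consulted for source entries that match a destination entry, shown as a simplified model. This is an added example, not code from the thread or from LSC. The helpers `dryRun` and `diff`, the sample entries, and the rule that an entry with no differing attribute is not counted are assumptions of the model.

```javascript
// Simplified model of per-entry condition handling in a sync task.
// Not LSC source code; every entry below is constructed sample data.

// Build the destination DN the way the <mainIdentifier> in the thread does.
function mainIdentifier(src) {
  return "uid=" + src.uid + ",ou=people,dc=ppi,dc=org";
}

// Attributes the task would write. Only gecos is mapped, as in the posted dataset.
function diff(src, dst) {
  const changes = {};
  if (!dst || dst.gecos !== src.gecos) changes.gecos = src.gecos;
  return changes;
}

// One dry-run pass over the source entries.
// conditions.create and conditions.update are functions (src) -> boolean.
function dryRun(source, destination, conditions) {
  const report = { all: 0, toModify: 0, decisions: [] };
  for (const src of source) {
    report.all += 1;
    const dn = mainIdentifier(src);
    const dst = destination.get(dn);
    // No destination match selects the create condition, a match selects update.
    const operation = dst === undefined ? "create" : "update";
    let outcome;
    if (!conditions[operation](src)) {
      outcome = "skipped: " + operation + " condition is false";
    } else if (Object.keys(diff(src, dst)).length === 0) {
      // Assumption of this model: nothing to write means nothing is counted.
      outcome = "skipped: no attribute differs";
    } else {
      outcome = operation;
      report.toModify += 1;
    }
    report.decisions.push({ dn, operation, outcome });
  }
  return report;
}

// Constructed source entries, as if read from the NIS passwd map.
const source = [
  { uid: "mar", gecos: "Martin Roeh" },
  { uid: "bob", gecos: "Bob Example" },
];

// Conditions equivalent to the posted configuration: never create,
// update only when the uid is "mar" (compared by value).
const conditions = {
  create: () => false,
  update: (src) => String(src.uid) === "mar",
};

// Case 1: uid=mar does not exist in the destination. Only the create
// condition is consulted, it is false, so nothing is counted.
const case1 = dryRun(source, new Map(), conditions);

// Case 2: uid=mar exists with a different gecos. The update condition
// is consulted and one entry is counted.
const case2 = dryRun(source, new Map([
  ["uid=mar,ou=people,dc=ppi,dc=org", { gecos: "M. Roeh" }],
  ["uid=bob,ou=people,dc=ppi,dc=org", { gecos: "Bob Example" }],
]), conditions);

// Case 3: uid=mar exists and gecos is already identical. The condition
// passes but there is nothing to write.
const case3 = dryRun(source, new Map([
  ["uid=mar,ou=people,dc=ppi,dc=org", { gecos: "Martin Roeh" }],
]), conditions);

for (const [name, r] of [["case1", case1], ["case2", case2], ["case3", case3]]) {
  console.log(name + ": all entries: " + r.all + ", to modify entries: " + r.toModify);
  for (const d of r.decisions) console.log("  " + d.dn + " -> " + d.outcome);
}
```
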

Martin Röh
2018-11-05 09:04:31 UTC
Hi Clement,

thank you for your hint, but indeed I only want an update.

For test purposes I also set the condition for a create, but nothing
changes with a dry run.

Regards

Martin



Clément OUDOT
2018-11-05 09:34:55 UTC
On 05/11/2018 at 10:04, Martin Röh wrote:
> Hi Clement,
>
> thank you for your hint, but indeed I only want an update.
>
> For test purposes I also set the condition for a create, but nothing
> changes with a dry run.


With the dry-run, the counter "to modify entries" should be increased.
You can change the loglevel in logback.xml and set it to DEBUG to get
more logs.

--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
Martin Röh
2018-11-05 13:13:41 UTC
Hi Clement,

I already tried it with debug, but the output is not much more
informative:

[***@tasha nis2ad]# lsc -n -s all -f /etc/lsc/nis2ad/
14:10:04,616 |-INFO in ch.qos.logback.classic.LoggerContext[default] -
Could NOT find resource [logback-test.xml]
14:10:04,617 |-INFO in ch.qos.logback.classic.LoggerContext[default] -
Found resource [logback.xml] at [file:/etc/lsc/nis2ad/logback.xml]
14:10:04,618 |-WARN in ch.qos.logback.classic.LoggerContext[default] -
Resource [logback.xml] occurs multiple times on the classpath.
14:10:04,618 |-WARN in ch.qos.logback.classic.LoggerContext[default] -
Resource [logback.xml] occurs at [file:/etc/lsc/nis2ad/logback.xml]
14:10:04,618 |-WARN in ch.qos.logback.classic.LoggerContext[default] -
Resource [logback.xml] occurs at
[jar:file:/usr/lib/lsc/lsc-core-2.1.4.jar!/logback.xml]
14:10:04,760 |-INFO in
ch.qos.logback.classic.joran.action.ConfigurationAction - debug attribute
not set
14:10:04,772 |-INFO in ch.qos.logback.core.joran.action.AppenderAction -
About to instantiate appender of type
[ch.qos.logback.core.ConsoleAppender]
14:10:04,778 |-INFO in ch.qos.logback.core.joran.action.AppenderAction -
Naming appender as [CONSOLE]
14:10:04,835 |-INFO in
ch.qos.logback.core.joran.action.NestedComplexPropertyIA - Pushing
component [layout] on top of the object stack.
14:10:04,932 |-WARN in ch.qos.logback.core.ConsoleAppender[CONSOLE] - This
appender no longer admits a layout as a sub-component, set an encoder
instead.
14:10:04,932 |-WARN in ch.qos.logback.core.ConsoleAppender[CONSOLE] - To
ensure compatibility, wrapping your layout in LayoutWrappingEncoder.
14:10:04,932 |-WARN in ch.qos.logback.core.ConsoleAppender[CONSOLE] - See
also http://logback.qos.ch/codes.html#layoutInsteadOfEncoder for details
14:10:04,932 |-INFO in
ch.qos.logback.classic.joran.action.RootLoggerAction - Setting level of
ROOT logger to DEBUG
14:10:04,933 |-INFO in ch.qos.logback.core.joran.action.AppenderRefAction
- Attaching appender named [CONSOLE] to Logger[ROOT]

Nov 05 14:10:05 - DEBUG - Loading XML configuration from:
/etc/lsc/nis2ad/lsc.xml
Nov 05 14:10:05 - DEBUG - going to scan these urls:
jar:file:/usr/lib/lsc/lsc-nis-plugin-1.0.jar!/
jar:file:/usr/lib/lsc/lsc-core-2.1.4.jar!/
Nov 05 14:10:05 - INFO - Reflections took 367 ms to scan 2 urls,
producing 57 keys and 125 values
Nov 05 14:10:05 - DEBUG - Importing XML schema file:
schemas/lsc-core-2.1.xsd
Nov 05 14:10:05 - DEBUG - Importing XML schema file:
schemas/lsc-nis-plugin-1.0.xsd
Nov 05 14:10:06 - INFO - Logging configuration successfully loaded from
/etc/lsc/nis2ad/logback.xml
Nov 05 14:10:06 - INFO - LSC configuration successfully loaded from
/etc/lsc/nis2ad/
Nov 05 14:10:06 - INFO - Connecting to LDAP server
ldap://tasha.ppi.int:389/dc=ppi,dc=org as cn=ldapadmin,dc=ppi,dc=org
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.18060.0.0.1
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
2.16.840.1.113730.3.4.7
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
2.16.840.1.113730.3.4.2
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.2.840.113556.1.4.319
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
2.16.840.1.113730.3.4.3
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.4203.1.10.1
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.18060.0.0.1
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
2.16.840.1.113730.3.4.7
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
2.16.840.1.113730.3.4.2
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.2.840.113556.1.4.319
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
2.16.840.1.113730.3.4.3
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.4203.1.10.1
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.42.2.27.8.5.1
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.4203.1.9.1.3
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.4203.1.9.1.4
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.4203.1.9.1.1
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.4203.1.9.1.2
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.2.840.113556.1.4.473
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.2.840.113556.1.4.474
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.2.840.113556.1.4.841
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.1.8
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.18060.0.1.8
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.18060.0.1.3
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.18060.0.1.6
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.18060.0.1.5
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.4203.1.11.1
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.4203.1.11.3
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.1466.20037
Nov 05 14:10:06 - INFO - Starting sync for NIS2LDAP-User-SyncTask
Nov 05 14:10:06 - DEBUG - Connecting to the NIS domain ...
Nov 05 14:10:06 - DEBUG - Retrieving the information ...
Nov 05 14:10:06 - DEBUG - Closing context ...
Nov 05 14:10:11 - INFO - All entries: 950, to modify entries: 0,
successfully modified entries: 0, errors: 0

Is it possible to put some output statements in the lsc.xml for debugging
?

Regards

Martin



Clément OUDOT
2018-11-05 13:43:47 UTC
On 05/11/2018 at 14:13, Martin Röh wrote:
> Hi Clement,
>
> I already tried it with debug, but the output is not much more
> informative:
>
> Is it possible to put some output statements in the lsc.xml for
> debugging ?

You can use : java.lang.System.out.println("my debug message");


--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
Martin Röh
2018-11-05 14:06:47 UTC
Hi Clement,

I think I surrender with the nis plugin :-(

Configuration and syncing of AD to Openldap works smoothly and easy, but
the NIS plugin is obviously too much java for me.

I cannot find my fault and debugging with println raises an error "ERROR -
Unable to load configuration ....."

Reading the examples and documentations does not help me.

Again thank you for helping so far.

Best regards

Martin



Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.4203.1.9.1.3
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.4203.1.9.1.4
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.4203.1.9.1.1
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.3.6.1.4.1.4203.1.9.1.2
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.2.840.113556.1.4.473
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.2.840.113556.1.4.474
Nov 05 14:10:06 - INFO - Registered pre-bundled control factory:
1.2.840.113556.1.4.841
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.1.8
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.18060.0.1.8
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.18060.0.1.3
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.18060.0.1.6
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.18060.0.1.5
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.4203.1.11.1
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.4203.1.11.3
Nov 05 14:10:06 - INFO - Registered pre-bundled extended operation
factory: 1.3.6.1.4.1.1466.20037
Nov 05 14:10:06 - INFO - Starting sync for NIS2LDAP-User-SyncTask
Nov 05 14:10:06 - DEBUG - Connecting to the NIS domain ...
Nov 05 14:10:06 - DEBUG - Retrieving the information ...
Nov 05 14:10:06 - DEBUG - Closing context ...
Nov 05 14:10:11 - INFO - All entries: 950, to modify entries: 0,
successfully modified entries: 0, errors: 0

Is it possible to put some output statements in the lsc.xml for debugging
?

You can use : java.lang.System.out.println("my debug message");


--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
Martin Röh
2018-11-05 09:01:37 UTC
Permalink
Hi Soisik,

as you can see I don't know much about java .... ;-(

I changed it to
<propertiesBasedSyncOptions>
    <mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("uid") + ",ou=people,dc=ppi,dc=org"</mainIdentifier>
    <defaultDelimiter>;</defaultDelimiter>
    <defaultPolicy>FORCE</defaultPolicy>
    <conditions>
        <create>false</create>
        <update><![CDATA[rjs:
            var update = false;
            if (srcBean.getDatasetFirstValueById("uid").equals("mar")) {
                update = true;
            }
            update;
        ]]></update>
        <delete>false</delete>
        <changeId>false</changeId>
    </conditions>
    <dataset>
        <name>gecos</name>
        <policy>FORCE</policy>
        <forceValues>
            <string>srcBean.getDatasetFirstValueById("gecos")</string>
        </forceValues>
    </dataset>
</propertiesBasedSyncOptions>

But again a dry run said

Nov 05 09:27:31 - INFO - All entries: 949, to modify entries: 0,
successfully modified entries: 0, errors: 0

Will a dry run perhaps always show only this message ?

Regards

Martin



From: "Soisik Froger" <***@worteks.com>
To: lsc-***@lists.lsc-project.org
Date: 05.11.2018 07:32
Subject: Re: [lsc-users] Reply: Re: Reply: Re: Reply: Re:
Reply: Re: NIS plugin and filtering
Sent by: "lsc-users" <lsc-users-***@lists.lsc-project.org>



On 02/11/2018 12:19, Martin Röh wrote:
> <update><![CDATA[rjs:
> var update = false;
> if ( srcBean.getDatasetFirstValueById("uid") == "mar" ) {
> update = true;
> }
> update;
> ]]></update>
Hi Martin,

In Java, using "==" on a string will compare the memory address of the
object.

To compare chars, you have to use the equals method, e.g.
srcBean.getDatasetFirstValueById("uid").equals("mar")

Regards

--
Soisik Froger
Worteks | https://www.worteks.com
Soisik Froger
2018-11-05 14:12:52 UTC
Permalink
On 05/11/2018 10:01, Martin Röh wrote:
> Nov 05 09:27:31 - INFO  - All entries: 949, to modify entries: 0, successfully modified entries: 0, errors: 0
>
> Will a dry run perhaps always show only this message ?

Hi Martin,

I've checked the code and I can confirm that the counter "modify entries" is incremented in dry run mode even if a change would be applied without dry mode - e.g. AbstractSynchronize.run(IBean entry), lines 762 to 769.

The only reasons I can think of for that change not being detected are that
1. there is no entry with uid "mar" in your source or in your destination directory, or the filter excludes such an entry from being synchronized, or
2. the value of the attribute in your source is already the same as the value of the attribute in the destination.

Adding some debug logging as Clément suggested in your condition script may help to understand what's going on.

Regards.
--
Soisik Froger

Worteks | https://www.worteks.com
Martin Röh
2018-11-05 14:33:27 UTC
Permalink
Hi Soisik,

thank you for your effort.

There is an entry uid in NIS and LDAP:

ldapsearch -x uid=mar uid uidNumber gecos
# extended LDIF
#
# LDAPv3
# base <dc=ppi,dc=org> (default) with scope subtree
# filter: uid=mar
# requesting: uid uidNumber
#

# Martin R\C3\B6h, people, ppi.org
dn:: Y249TWFydGluIFLDtmgsb3U9cGVvcGxlLGRjPXBwaSxkYz1vcmc=
uid: mar
uidNumber: 7241
gecos: Martin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

getent passwd mar (-> on NIS Master)
mar:sijMc1cgNHgCo:7241:202:Martin Roeh:/home/mar:/bin/bash

As far as I can see I have no filter in my lsc.xml and the attribute
"gecos" I try to sync is different (I think).

In fact some debug logging (eg. showing the status of the nis connection,
show the uid attribute from nis, etc) would be very helpful, but the
debugging functions from lsc do not show such information and I don't have
the java experience to implement it on my own in the xml file.

So I'm at a loss ....

Regards

Martin



Soisik Froger
2018-11-05 15:08:29 UTC
Permalink
On 05/11/2018 15:33, Martin Röh wrote:
>
> As far as I can see I have no filter in my lsc.xml and the attribute "gecos" I try to sync is different (I think).
>
First of all make sure these values are different ; LSC won't detect any need for change if values are identical.

> In fact some debug logging (eg. showing the status of the nis connection, show the uid attribute from nis, etc) would be very helpful, but the debugging functions from lsc do not show such information and I don't have the java experience to implement it on my own in the xml file.

To make sure that entry uid "mar" is detected and that values of attribute "gecos" on both sides do not match, you can use this code as Clement suggested earlier :


<update><![CDATA[rjs:
    var update = false;
    java.lang.System.out.println("checking UID -> " + srcBean.getDatasetFirstValueById("uid"));
    if (srcBean.getDatasetFirstValueById("uid").equals("mar")) {
        java.lang.System.out.println("Found UID mar, compare gecos values -> " + srcBean.getDatasetFirstValueById("gecos") + " vs " + dstBean.getDatasetFirstValueById("gecos"));
        update = true;
    }
    update;
]]></update>



--
Soisik Froger

Worteks | https://www.worteks.com
Martin Röh
2018-11-05 15:49:58 UTC
Permalink
Hi Soisik,

now I can see something !! Perfect !

There seems to be an error or mismatch in the mainIdentifier, but now I'm
able to analyze it.

Thank you so much :-) !

Regards

Martin



Martin Röh
2018-11-05 17:15:21 UTC
Permalink
Hi Soisik,

one last question (hopefully).

The sync from nis to openldap works perfectly now.

In the next step I switched the destination from openldap to an AD
including changing the necessary attributes. Again I get now modify
messages. As I learned before the problem is the main identifier or a
filter. But both worked with openldap, I only change the different
attributes according to the AD:

<task>
    <name>NIS2LDAP-User-SyncTask</name>
    <bean>org.lsc.beans.SimpleBean</bean>
    <pluginSourceService implementationClass="org.lsc.plugins.connectors.nis.NisSrcService">
        <name>nis-source-service</name>
        <connection reference="nis-src-conn" />
        <nis:nisSourceServiceSettings>
            <name>nis-src-service</name>
            <connection reference="nis-src-conn" />
            <nis:map>passwd.byname</nis:map>
        </nis:nisSourceServiceSettings>
    </pluginSourceService>
    <ldapDestinationService>
        <name>ad-dst-service</name>
        <connection reference="ad-dst" />
        <baseDn>DC=PPI,DC=INT</baseDn>
        <pivotAttributes>
            <string>sAMAccountName</string>
        </pivotAttributes>
        <fetchedAttributes>
            <string>sAMAccountName</string>
            <string>uid</string>
            <string>uidNumber</string>
            <string>gidNumber</string>
            <string>unixHomeDirectory</string>
            <string>loginShell</string>
        </fetchedAttributes>
        <getAllFilter>(&amp;(objectClass=user)(!(objectClass=computer)))</getAllFilter>
        <getOneFilter>(&amp;(objectClass=user)(!(objectClass=computer))(sAMAccountName={uid}))</getOneFilter>
    </ldapDestinationService>
    <propertiesBasedSyncOptions>
        <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("uid")) + ",OU=HH,OU=Benutzer,DC=PPI,DC=INT"></mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>KEEP</defaultPolicy>
        <conditions>
            <create>false</create>
            <update><![CDATA[rjs:
                var update = false;
                java.lang.System.out.println("checking user -> " + srcBean.getDatasetFirstValueById("uid"));
                if (srcBean.getDatasetFirstValueById("uid").equals("mar")) {
                    java.lang.System.out.println("Found UID mar, compare gecos values -> " + srcBean.getDatasetFirstValueById("gecos") + " vs " + dstBean.getDatasetFirstValueById("gecos"));
                    update = true;
                }
                update;
            ]]></update>
            <delete>false</delete>
            <changeId>false</changeId>
        </conditions>
        <dataset>
            <name>uidNumber</name>
            <forceValues>
                <string>srcBean.getDatasetFirstValueById("uidNumber")</string>
            </forceValues>
        </dataset>
        <dataset>
            <name>uid</name>
            <policy>FORCE</policy>
            <forceValues>
                <string>srcBean.getDatasetFirstValueById("uid")</string>
            </forceValues>
        </dataset>
        <dataset>
            <name>gidNumber</name>
            <forceValues>
                <string>srcBean.getDatasetFirstValueById("gidNumber")</string>
            </forceValues>
        </dataset>
        <dataset>
            <name>unixHomeDirectory</name>
            <forceValues>
                <string>srcBean.getDatasetFirstValueById("homeDirectory")</string>
            </forceValues>
        </dataset>
        <dataset>
            <name>loginShell</name>
            <forceValues>
                <string>srcBean.getDatasetFirstValueById("loginShell")</string>
            </forceValues>
        </dataset>
    </propertiesBasedSyncOptions>
</task>

Is there something special in relation to the AD ?

Regards

Martin



Soisik Froger
2018-11-05 18:19:57 UTC
Permalink
On 05/11/2018 18:15, Martin Röh wrote:
>
> Is there something special in relation to the AD ?
>
> Regards
>
> Martin

Hi Martin,

Please elaborate on your question; I don't understand what the exact problem is with your AD sync, and you said that you get modify messages. Are you getting any error, and what is not working according to your expectations?

--
Soisik Froger | Software Architect

Worteks | https://www.worteks.com
Martin Röh
2018-11-06 10:52:18 UTC
Permalink
Hi Soisik,

as described I changed the sync destination from an openldap to an AD
(also changing the attributes fitting the AD needs). If I start a sync now
no entries for syncing are found, I only get this message:

Nov 06 11:45:21 - INFO - Starting sync for NIS2LDAP-User-SyncTask
Nov 06 11:45:21 - DEBUG - Connecting to the NIS domain ...
Nov 06 11:45:21 - DEBUG - Retrieving the information ...
Nov 06 11:45:22 - DEBUG - Closing context ...
Nov 06 11:45:25 - INFO - All entries: 950, to modify entries: 0,
successfully modified entries: 0, errors: 0

It seems to me that there are no matches between the NIS and the AD and I
think I set the mainidentifier in a wrong way:

<mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("uid")) +
",OU=HH,OU=Benutzer,DC=PPI,DC=INT"></mainIdentifier>
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>KEEP</defaultPolicy>
<conditions>
<create>false</create>
<update><![CDATA[rjs:
var update = false;
java.lang.System.out.println("checking user -> " +
srcBean.getDatasetFirstValueById("uid"));

The println in the update condition is never reached.

Is it possible to set a general println outside of the condition block so
I can see every entry from the source the sync is working on ? An output
of every mainIdentifier would also be helpful.

Regards

Martin



Clément OUDOT
2018-11-06 23:21:03 UTC
Permalink
On 06/11/2018 at 11:52, Martin Röh wrote:
> Hi Soisik,
>
> as described I changed the sync destination from an openldap to an AD
> (also changing the attributes fitting the AD needs). If I start a sync
> now no entries for syncing are found, I only get this message:
>
> Nov 06 11:45:21 - INFO  - Starting sync for NIS2LDAP-User-SyncTask
> Nov 06 11:45:21 - DEBUG - Connecting to the NIS domain ...
> Nov 06 11:45:21 - DEBUG - Retrieving the information ...
> Nov 06 11:45:22 - DEBUG - Closing context ...
> Nov 06 11:45:25 - INFO  - All entries: 950, to modify entries: 0,
> successfully modified entries: 0, errors: 0
>
> It seems to me that there are no matches between the NIS and the AD
> and I think I set the mainidentifier in a wrong way:
>
> <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("uid")) +
> ",OU=HH,OU=Benutzer,DC=PPI,DC=INT"></mainIdentifier>
>                                 <defaultDelimiter>;</defaultDelimiter>
>                                 <defaultPolicy>KEEP</defaultPolicy>
>                                 <conditions>
>                                         <create>false</create>
>                                         <update><![CDATA[rjs:
>                                                 var update = false;
>                                                
> java.lang.System.out.println("checking user -> " +
> srcBean.getDatasetFirstValueById("uid"));
>
> The println in the update condition is never reached.
>
> Is it possible to set a general println outside of the condition block
> so I can see every entry from the source the sync is working on ? An
> output of every mainIdentifier would also be helpful.
>


Hello,

the create condition is set to "false" so if the entry does not exist
in AD, it will not be created.


--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
Martin Röh
2018-11-08 15:59:12 UTC
Permalink
Hi,

I test the sync with create condition "true" and then I get a (false)
result.

In the AD there is an entry like this:

***Searching...
ldap_search_s(ld, "DC=foo,DC=bar", 2, "(samAccountName=lg)", attrList, 0,
&msg)
Getting 1 entries:
Dn: CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar


Then I start a sync I get this:

Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": List of attributes considered
for writing in destination: [uid, unixHomeDirectory, gidNumber, uidNumber,
loginShell]
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Attribute "uid" is in FORCE
status
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute "uid" with
values [lg]
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Attribute "unixHomeDirectory" is
in FORCE status
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute
"unixHomeDirectory" with values [/home/lg]
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Attribute "gidNumber" is in
FORCE status
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute "gidNumber"
with values [202]
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Attribute "uidNumber" is in
FORCE status
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute "uidNumber"
with values [5675]
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Attribute "loginShell" is in
FORCE status
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute "loginShell"
with values [/usr/bin/bash]
Nov 08 16:50:12 - DEBUG - Create condition false. Should have added object
CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar
# Thu Nov 08 16:50:12 CET 2018
dn: CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar
changetype: add
uid: lg
unixHomeDirectory: /home/lg
gidNumber: 202
uidNumber: 5675
loginShell: /usr/bin/bash

Nov 08 16:50:13 - INFO - All entries: 950, to modify entries: 1,
successfully modified entries: 0, errors: 0

This is not what I expected. The sync should MODIFY the listed attribute
in the destination entry and not create a new (duplicate) one with the
list attribute.

Has someone an advice what I do wrong ?

Regards

Martin


Clément OUDOT
2018-11-08 16:19:44 UTC
Permalink
On 08/11/2018 at 16:59, Martin Röh wrote:
> Hi,
>
> I test the sync with create condition "true" and then I get a (false)
> result.
>
> In the AD there is an entry like this:
>
> ***Searching...
> ldap_search_s(ld, "DC=foo,DC=bar", 2, "(samAccountName=lg)", attrList,
>  0, &msg)
> Getting 1 entries:
> *Dn: CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar*
>
>
> Then I start a sync I get this:
>
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  List of attributes
> considered for writing in destination: [uid, unixHomeDirectory,
> gidNumber, uidNumber, loginShell]
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  Attribute "uid" is in FORCE
> status
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  Adding attribute "uid" with
> values [lg]
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  Attribute
> "unixHomeDirectory" is in FORCE status
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  Adding attribute
> "unixHomeDirectory" with values [/home/lg]
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  Attribute "gidNumber" is in
> FORCE status
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  Adding attribute "gidNumber"
> with values [202]
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  Attribute "uidNumber" is in
> FORCE status
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  Adding attribute "uidNumber"
> with values [5675]
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  Attribute "loginShell" is in
> FORCE status
> Nov 08 16:50:12 - DEBUG - In object
> "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar":  Adding attribute
> "loginShell" with values [/usr/bin/bash]
> Nov 08 16:50:12 - DEBUG - Create condition false. Should have added
> object CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar
> # Thu Nov 08 16:50:12 CET 2018
> dn: CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar
> changetype: add
> uid: lg
> unixHomeDirectory: /home/lg
> gidNumber: 202
> uidNumber: 5675
> loginShell: /usr/bin/bash
>
> Nov 08 16:50:13 - INFO  - All entries: 950, to modify entries: 1,
> successfully modified entries: 0, errors: 0
>
> This is not what I expected. The sync should MODIFY  the listed
> attribute in the destination entry and not create a new (duplicate)
> one with the list attribute.
>
> Has someone an advice what I do wrong ?

Maybe the account configured in LSC to browse AD has not enough rights
to read the entry? The issue is indeed that LSC does not find your entry
and tries to create a new one.


--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
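
The dry-run output quoted above can be checked mechanically before a real run, so that a failed destination lookup does not end in duplicate accounts. The Python script below is an added example, not part of the thread and not LSC code: it extracts the LDIF change records from an LSC log and lists the DNs LSC plans to add although they already exist in the destination. The sample log is constructed from lines quoted in the thread; the function names and the list of existing DNs (for instance exported with ldapsearch) are assumptions.

```python
import base64
import re

# Constructed sample: dry-run output modelled on the log quoted in the thread.
# Log lines are unwrapped; the second record (modify) is illustrative only.
SAMPLE = """\
Nov 08 16:50:12 - DEBUG - In object "CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute "uid" with values [lg]
Nov 08 16:50:12 - DEBUG - Create condition false. Should have added object CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar
# Thu Nov 08 16:50:12 CET 2018
dn: CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar
changetype: add
uid: lg
unixHomeDirectory: /home/lg
gidNumber: 202
uidNumber: 5675
loginShell: /usr/bin/bash

# Thu Nov 08 16:50:12 CET 2018
dn:: Y249TWFydGluIFLDtmgsb3U9cGVvcGxlLGRjPXBwaSxkYz1vcmc=
changetype: modify
replace: gecos
gecos: Martin Roeh
-

Nov 08 16:50:13 - INFO  - All entries: 950, to modify entries: 2, successfully modified entries: 0, errors: 0
"""

LOG_LINE = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} - [A-Z]+\s+- ")
SUMMARY = re.compile(
    r"All entries:\s*(\d+),\s*to modify entries:\s*(\d+),"
    r"\s*successfully modified entries:\s*(\d+),\s*errors:\s*(\d+)"
)


def unfold(lines):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_change_records(text):
    """Return the LDIF change records embedded in an LSC log as dicts."""
    records, current = [], None
    for line in unfold(text.splitlines()):
        if line.startswith("#"):
            continue  # LDIF comment (a timestamp in the quoted output)
        if not line.strip() or LOG_LINE.match(line):
            if current:  # a blank line or a log line closes the open record
                records.append(current)
            current = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # e.g. the "-" separator inside a modify record
        if value.startswith(":"):  # "attr:: <base64>" carries a non-ASCII value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if key.lower() == "dn":
            if current:
                records.append(current)
            current = {"dn": value, "changetype": None, "attrs": {}}
        elif current is not None:
            if key.lower() == "changetype":
                current["changetype"] = value
            else:  # for modify records this also collects add/replace/delete lines
                current["attrs"].setdefault(key, []).append(value)
    if current:
        records.append(current)
    return records


def parse_summary(text):
    """Extract the counters from the final 'All entries: ...' line, or None."""
    m = SUMMARY.search(text)
    if not m:
        return None
    return dict(zip(("all", "to_modify", "modified", "errors"), map(int, m.groups())))


def normalise_dn(dn):
    # Simplification: case-fold and trim each RDN. Real DN matching is
    # schema-aware and must handle escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def planned_adds_for_existing(records, existing_dns):
    """DNs with changetype 'add' that are already present in the destination."""
    known = {normalise_dn(d) for d in existing_dns}
    return [r["dn"] for r in records
            if r["changetype"] == "add" and normalise_dn(r["dn"]) in known]


if __name__ == "__main__":
    recs = parse_change_records(SAMPLE)
    # Assumption: DNs already present in the destination directory.
    existing = ["CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar"]
    print(parse_summary(SAMPLE))
    for r in recs:
        print(r["changetype"], r["dn"])
    for dn in planned_adds_for_existing(recs, existing):
        print("add planned for an entry that already exists:", dn)
```

An "add" reported for a DN that already exists means the destination lookup returned nothing for that source entry, which is the case described in the reply above.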
Martin Röh
2018-11-09 09:08:28 UTC
Permalink
Hi Clement,

the connection is done with the AD admin user having full access rights.

Maybe the getOneFilter is wrong ?

<getOneFilter>(&amp;(objectClass=user)(!(objectClass=computer))(sAMAccountName={uid}))</getOneFilter>

Is uid correctly filled from the nis plugin at this point ?

Regards

Martin



From: "Clément OUDOT" <***@worteks.com>
To: lsc-***@lists.lsc-project.org
Date: 08.11.2018 17:19
Subject: Re: [lsc-users] Reply: Re: Reply: Re: Reply:
Reply: Re: Reply: Re: Reply: Re: Reply: Re: Reply: Re: Reply:
Re: Reply: Re: NIS plugin and filtering
Sent by: "lsc-users" <lsc-users-***@lists.lsc-project.org>





On 08/11/2018 at 16:59, Martin Röh wrote:
Hi,

I test the sync with create condition "true" and then I get a (false)
result.

In the AD there is an entry like this:

***Searching...
ldap_search_s(ld, "DC=foo,DC=bar", 2, "(samAccountName=lg)", attrList, 0,
&msg)
Getting 1 entries:
Dn: CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar


Then I start a sync I get this:

Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": List of attributes considered
for writing in destination: [uid, unixHomeDirectory, gidNumber, uidNumber,
loginShell]
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Attribute "uid" is in FORCE
status
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute "uid" with
values [lg]
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Attribute "unixHomeDirectory" is
in FORCE status
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute
"unixHomeDirectory" with values [/home/lg]
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Attribute "gidNumber" is in
FORCE status
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute "gidNumber"
with values [202]
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Attribute "uidNumber" is in
FORCE status
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute "uidNumber"
with values [5675]
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Attribute "loginShell" is in
FORCE status
Nov 08 16:50:12 - DEBUG - In object
"CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar": Adding attribute "loginShell"
with values [/usr/bin/bash]
Nov 08 16:50:12 - DEBUG - Create condition false. Should have added object
CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar
# Thu Nov 08 16:50:12 CET 2018
dn: CN=lg,OU=HH,OU=Benutzer,DC=foo,DC=bar
changetype: add
uid: lg
unixHomeDirectory: /home/lg
gidNumber: 202
uidNumber: 5675
loginShell: /usr/bin/bash

Nov 08 16:50:13 - INFO - All entries: 950, to modify entries: 1,
successfully modified entries: 0, errors: 0

This is not what I expected. The sync should MODIFY the listed attribute
in the destination entry and not create a new (duplicate) one with the
list attribute.

Has someone an advice what I do wrong ?

Maybe the account configured in LSC to browse AD has not enough rights to
read the entry? The issue is indeed that LSC does not find your entry and
tries to create a new one.


--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
Clément OUDOT
2018-11-09 09:22:05 UTC
Permalink
On 09/11/2018 at 10:08, Martin Röh wrote:
> Hi Clement,
>
> the connection is done with the AD admin user having full access rights.
>
> Maybe the getOneFilter is wrong ?
>
> <getOneFilter>(&amp;(objectClass=user)(!(objectClass=computer))(sAMAccountName={uid}))</getOneFilter>
>
>
> Is uid correctly filled from the nis plugin at this point ?

Yes it should. I think it was working when you used it with OpenLDAP.

You can indeed try to change the getOneFilter to:

<getOneFilter>(sAMAccountName={uid})</getOneFilter>


--
Clément Oudot | Identity Solutions Manager

***@worteks.com


Worteks | https://www.worteks.com
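
Added example, not part of the thread and not LSC's own code: it expands the two getOneFilter values discussed above for a given uid and evaluates them against constructed entries, to show what each filter would select. The RFC 4515 escaping of the substituted value, the helper names and the sample entries are assumptions of this example; how LSC itself fills `{uid}` is not shown in the thread.

```python
import html
import re

def escape_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, attrs):
    """Undo XML escaping (&amp;) and fill {name} placeholders from attrs."""
    return re.sub(r"\{(\w+)\}", lambda m: escape_value(attrs[m.group(1)]),
                  html.unescape(template))

def parse(f, i=0):
    """Parse (&..), (|..), (!..) and (attr=value); return (node, next index)."""
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]}, ignoring case."""
    if node[0] == "=":
        return any(v.lower() == node[2] for k, vs in entry.items()
                   if k.lower() == node[1] for v in vs)
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def check(template, uid, entry):
    """True if the expanded getOneFilter would select this entry."""
    return matches(parse(expand(template, {"uid": uid}))[0], entry)

# The two getOneFilter values from the thread.
STRICT = "(&amp;(objectClass=user)(!(objectClass=computer))(sAMAccountName={uid}))"
SIMPLE = "(sAMAccountName={uid})"
# Constructed entries: AD computer objects also carry objectClass=user.
USER = {"objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["lg"]}
COMPUTER = {"objectClass": USER["objectClass"] + ["computer"],
            "sAMAccountName": ["ws01$"]}
```

Both filters select the constructed user entry for uid `lg`, so running the expanded string by hand against AD with the LSC bind account is a quick way to separate a filter problem from a permissions problem. The simplified filter matches on sAMAccountName alone, so it also selects objects of any other class that carry that name.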
Soisik Froger
2018-11-09 09:13:25 UTC
Permalink
On 07/11/2018 00:21, Clément OUDOT wrote:
> <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("uid")) + ",OU=HH,OU=Benutzer,DC=PPI,DC=INT"></mainIdentifier>

Hi Martin,

Just noticed, you have a ">" at the end of your main identifier that should not be there.

--
Soisik Froger | Software Architect
Worteks | https://www.worteks.com
Martin Röh
2018-11-09 09:21:15 UTC
Permalink
Hi Soisik,

could be a copy & paste error or some formatting from the mail client, in
the original lsc.xml there is no ">" at the end

I try the copy again:

<mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("uid") +
",OU=HH,OU=Benutzer,DC=PPI,DC=INT"</mainIdentifier>

Regards

Martin



From: "Soisik Froger" <***@worteks.com>
To: lsc-***@lists.lsc-project.org
Date: 09.11.2018 10:13
Subject: Re: [lsc-users] Reply: Re: Reply: Reply: Re:
Reply: Re: Reply: Re: Reply: Re: Reply: Re: Reply: Re: Reply:
Re: NIS plugin and filtering
Sent by: "lsc-users" <lsc-users-***@lists.lsc-project.org>



On 07/11/2018 00:21, Clément OUDOT wrote:
> <mainIdentifier>"CN=" + srcBean.getDatasetFirstValueById("uid")) +
",OU=HH,OU=Benutzer,DC=PPI,DC=INT"></mainIdentifier>

Hi Martin,

Just noticed, you have a ">" at the end of your main identifier that
should not be there.

--
Soisik Froger | Software Architect
Worteks | https://www.worteks.com