Discussion:
[lsc-changes] [Ldap Synchronization...] page changed: documentation:tutorial:openldaptoactivedirectory
webmaster
2014-03-04 16:20:00 UTC
A page in your DokuWiki was added or changed. Here are the details:

Date : 2014/03/04 17:20
Browser : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
IP-Address : 88.173.78.196
Hostname : mne69-10-88-173-78-196.fbx.proxad.net
Old Revision: http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory?rev=1393949035
New Revision: http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
Edit Summary:
User : coudot

@@ -35,30 +35,30 @@
And provide information on the identity used to bind to the target directory:
* **Principal DN**: for example **cn=LSC,dc=lsc-project,dc=org**.
* **Password**: for example **PassW0RD**.

- <code xml>
+ <file:xml>
<lsc>
<connections>
<ldapConnection>
- <id>AD</id>
- <authentication>simple</authentication>
+ <name>AD</name>
<url>ldap://adlds.lsc-project.org:389/dc=lsc-project,dc=org</url>
<username>cn=LSC,dc=lsc-project,dc=org</username>
<password>PassW0RD</password>
- </code>
+ <authentication>SIMPLE</authentication>
+ </file>


To manage Active Directory Paged Results Control (which enables to return more than 1000 entries), add:
- <code xml>
+ <file:xml>
<pageSize>1000</pageSize>
- </code>
+ </file>

And close the XML node :

- <code xml>
+ <file:xml>
</ldapConnection>
- </code>
+ </file>


As we want to act on the password (the attribute //unicodePwd//), we must use an SSL connection to Active Directory (password modification is not allowed on a clear connection).

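Review bot: the new `<url>ldap://adlds.lsc-project.org:389/dc=lsc-project,dc=org</url>` line contradicts the sentence at the end of this hunk, which says the `unicodePwd` attribute can only be modified over an SSL connection to Active Directory; a plain `ldap://` bind would also carry the `cn=LSC` bind password in clear. Suggest `ldaps://adlds.lsc-project.org:636/dc=lsc-project,dc=org` here, or a sentence pointing to where the TLS variant is configured, so readers do not copy the clear-text URL. The `<ldapConnection>` element is also now opened in one `<file:xml>` block and closed two blocks later, so a short note that the three fragments form a single element would help anyone who copies only the first block.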
@@ -75,66 +75,90 @@
* **Naming context root DN**: the data suffix. We choose **dc=lsc-project,dc=org**.
* **Principal DN**: for example **cn=Directory Manager,dc=lsc-project,dc=org**.
* **Password**: for example **secret**.

- <code xml>
+ <file:xml>
<ldapConnection>
- <id>openldap</id>
- <authentication>SIMPLE</authentication>
+ <name>openldap</name>
<url>ldap://localhost:389/dc=lsc-project,dc=org</url>
<username>cn=Directory Manager,dc=lsc-project,dc=org</username>
<password>secret</password>
+ <authentication>SIMPLE</authentication>
</ldapConnection>
- </code>
+ </file>

==== Task ====

You can have multiple tasks in your connector (identified by the //lsc>tasks>task// value). In this tutorial, we have only one task, named //ADuser//.

- You have to update the configuration to define basic searches on source and destination, list all source and destination attributes you want to synchronize, set the destination DN creation rule and select the pivot attributes that will link a source entry to a destination entry.
-
- If we want to read from the source all Active Directory users with a //sAMAccountName//, and from the destination all //inetOrgPerson// entries from //ou=People// with a uid, and we want to link the source entry to the destination entry saying that source //uid// value is equal to the //sAMAccountName// in the destination:
-
- <code xml>
+ In this task, we define the source service (OpenLDAP) and the destination service (AD) :
+ <file:xml>
<tasks>
<task>
<name>adUser</name>
<ldapSourceService>
- <name>openldap-dst-service</name>
- <baseDn>ou=People</baseDn>
- <getAllFilter>(&amp;(uid=*)(objectClass=inetOrgPerson))</getAllFilter>
- <getOneFilter>(&amp;(objectClass=user)(sAMAccountName={uid}))</getOneFilter>
- <pivotAttributes><string>uid</string></pivotAttributes>
+ <name>openldap-source-service</name>
+ <connection reference="openldap" />
+ <baseDn>ou=People,dc=lsc-project,dc=org</baseDn>
+ <pivotAttributes>
+ <string>uid</string>
+ </pivotAttributes>
+ <fetchedAttributes>
+ <string>cn</string>
+ <string>description</string>
+ <string>givenName</string>
+ <string>mail</string>
+ <string>sn</string>
+ <string>uid</string>
+ <string>userpassword</string>
+ </fetchedAttributes>
+ <getAllFilter><![CDATA[(objectClass=inetOrgPerson)]]></getAllFilter>
+ <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={uid}))]]></getOneFilter>
+ <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))]]></cleanFilter>
</ldapSourceService>
<ldapDestinationService>
- <name>ad-src-service</name>
- <baseDn>cn=Users</baseDn>
- <getAllFilter>(&amp;(sAMAccountName=*)(objectClass=user))</getAllFilter>
- <getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid}))</getOneFilter>
- <pivotAttributes><string>sAMAccountName</string></pivotAttributes>
+ <name>ad-dst-service</name>
+ <connection reference="AD" />
+ <baseDn>cn=Users,dc=lsc-project,dc=org</baseDn>
+ <pivotAttributes>
+ <string>sAMAccountName</string>
+ </pivotAttributes>
+ <fetchedAttributes>
+ <string>cn</string>
+ <string>description</string>
+ <string>givenName</string>
+ <string>mail</string>
+ <string>objectclass</string>
+ <string>pwdLastSet</string>
+ <string>sAMAccountName</string>
+ <string>sn</string>
+ <string>unicodePwd</string>
+ <string>userAccountControl</string>
+ <string>userPrincipalName</string>
+ </fetchedAttributes>
+ <getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
+ <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>
</ldapDestinationService>
- </code>
+ </file>

<note important>You have to put objectClass in //lsc.tasks.task.adUser.ldapDestinationService.attrs// but be sure to remove it from //lsc.tasks.task.adUser.ldapSourceService.attrs//.</note>

- We will also define how the target DN is built. Let's choose that the target DN is composed from the source's attribute //cn// and the destination branch //ou=users//.
+ We will also define how the target DN is built. Let's choose that the target DN is composed from the source's attribute //cn// and the destination branch //cn=Users//.

- The suffix //dc=lsc-project,dc=org// is already configured in //dst.java.naming.provider.url//, so we only have to set up this configuration to build the relative DN:
- <code xml>
+ <file:xml>
<lsc>
<.../>
<tasks>
<task>
<.../>
<propertiesBasedSyncOptions>
- <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=users"</mainIdentifier>
+ <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",cn=Users,dc=lsc-project,dc=org"</mainIdentifier>
<.../>
</propertiesBasedSyncOptions>
</task>
</tasks>
- </code>
+ </file>

- If not successful, check the [[..:requirements]], read the [[..:configuration:start|configuration documentation]] or ask for help on the [[:community#mailing_lists|mailing lists]].
==== Synchronization options ====

This is the last configuration part, but not the least, because we will now describe all our synchronization rules.

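Review bot: the `<note important>` kept as context after `</ldapDestinationService>` still refers to the old property paths `lsc.tasks.task.adUser.ldapDestinationService.attrs` and `ldapSourceService.attrs`, while the rewritten task expresses the same rule through `<fetchedAttributes>` (`objectclass` is listed only on the destination side); update or drop the note. The task `<name>adUser</name>` also does not match `ADuser` in the paragraph above the hunk. Finally, the removed paragraphs explaining the search filters and pivot attributes are not replaced: the new `<getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>` on the destination and the source `<cleanFilter>` with `{sAMAccountName}` rely on the reader knowing that `{uid}` is substituted with the source pivot value and `{sAMAccountName}` with the destination pivot value, so one sentence restating that is worth keeping.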
@@ -142,8 +166,11 @@
^ Source attribute ^ Destination attribute ^ Rule ^
| cn | cn | = |
| sn | sn | = |
| uid | uid | = |
+ | mail | mail | = |
+ | givenName | givenName | = |
+ | description | description | = |
| - | objectClass | user/person/organizationalPerson/top |
| uid | sAMAccountName | = |
| uid | userPrincipalName | uid + "@lsc-project.org" |
| - | userAccountControl | Set as "Normal account" |
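Review bot: the row `| uid | uid | = |` maps `uid` to an Active Directory `uid` attribute, but `uid` is not in the destination `<fetchedAttributes>` list added in the previous hunk (`cn`, `description`, `givenName`, `mail`, `objectclass`, `pwdLastSet`, `sAMAccountName`, `sn`, `unicodePwd`, `userAccountControl`, `userPrincipalName`), so either add `uid` there or drop the row; the three new rows (`mail`, `givenName`, `description`) do match that list.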
@@ -151,13 +178,14 @@
| - | unicodePwd | "changeit" |

These rules are applied through syncoptions:

- <code xml>
+ <file:xml>
<lsc>
<tasks>
<task>
<propertiesBasedSyncOptions>
+ <mainIdentifier>...</mainIdentifier>
<defaultPolicy>FORCE</defaultPolicy>
<defaultDelimiter>;</defaultDelimiter>
<dataset>
<name>objectClass</name>
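Review bot: the row `| - | unicodePwd | "changeit" |` at the top of this hunk, together with `userAccountControl` set to "Normal account" in the previous hunk, means every account the connector creates is enabled with the same published initial password. Since `pwdLastSet` is already among the destination's fetched attributes, a dataset forcing it to `0` (must change password at next logon) or a per-entry generated value would limit the window in which that shared password is usable; at minimum the text should tell readers to replace `changeit` before running without `-n`.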
@@ -207,26 +235,17 @@
</>
</task>
</task>
</lsc>
- </code>
+ </file>

You can test your synchronization in "dry-run" mode (-n), which means no modification is done on the target directory:
<code>
- $ bin/lsc -f etc -c all -s all -n
+ # /usr/bin/lsc -f /etc/lsc/openldap2ad -s all -c all -n
</code>

- ===== Setup and run =====
-
- Install the lsc-openldap2ad directory in /usr/local on the target server.
-
- Install cronjob and logrotate scripts:
+ If the test is successful, you can run it with modifications applied:
<code>
- $ sudo cp /usr/local/lsc-openldap2ad/etc/cron.d/lsc-openldap2ad /etc/cron.d
- $ sudo cp /usr/local/lsc-openldap2ad/etc/logrotate.d/lsc-openldap2ad /etc/logrotate.d
+ # /usr/bin/lsc -f /etc/lsc/openldap2ad -s all -c all
</code>

- Now your connector will run every hour, but you can also launch it manually:
- <code>
- $ sudo /usr/local/lsc-openldap2ad/bin/lsc -s all -c all
- </code>
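Review bot: the context lines `</>`, `</task>`, `</task>` at the start of this hunk are not well-formed XML (an empty closing tag, and the outer `</task>` should be `</tasks>` to match the `<tasks>` opened earlier), so the `<file:xml>` block cannot be pasted as-is. Removing the `Setup and run` section also drops the cron.d and logrotate.d installation steps without a replacement, so the page no longer says how `/usr/bin/lsc -f /etc/lsc/openldap2ad -s all -c all` gets scheduled; if the packaged install provides those files, a sentence saying so would close the gap.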
--
This mail was generated by DokuWiki at
http://lsc-project.org/wiki/
webmaster
2014-03-04 16:23:01 UTC
A page in your DokuWiki was added or changed. Here are the details:

Date : 2014/03/04 17:23
Browser : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
IP-Address : 88.173.78.196
Hostname : mne69-10-88-173-78-196.fbx.proxad.net
Old Revision: http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory?rev=1393950000
New Revision: http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
Edit Summary:
User : coudot

@@ -22,9 +22,8 @@

All configuration is done through the configuration file //etc/lsc/openldap2ad/lsc.xml//. A sample file is provided, so copy it and edit it:

All configuration parameters are described in [[..:latest:configuration:start]].
-

==== Destination LDAP directory connection settings (Active Directory) ====

Target directory properties:
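Review bot: the context line `A sample file is provided, so copy it and edit it:` ends with a colon, but no copy command follows it either before or after this hunk; either add the command or end the sentence with a full stop.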
@@ -184,17 +183,26 @@
<tasks>
<task>
<propertiesBasedSyncOptions>
<mainIdentifier>...</mainIdentifier>
+ <defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>FORCE</defaultPolicy>
- <defaultDelimiter>;</defaultDelimiter>
+ <conditions>
+ <create>true</create>
+ <update>true</update>
+ <delete>true</delete>
+ <changeId>true</changeId>
+ </conditions>
<dataset>
- <name>objectClass</name>
- <policy>FORCE</policy>
- <forceValues>
- <string>"top";"user";"person";"organizationalPerson"</string>
- </forceValues>
- </dataset>
+ <name>objectclass</name>
+ <policy>KEEP</policy>
+ <createValues>
+ <string>"user"</string>
+ <string>"organizationalPerson"</string>
+ <string>"person"</string>
+ <string>"top"</string>
+ </createValues>
+ </dataset
<dataset>
<name>sAMAccountName</name>
<policy>KEEP</policy>
<createValues>
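Review bot: `</dataset` in the added lines is missing its closing `>`, so the `objectclass` dataset is never closed and the whole `<file:xml>` block is not well-formed; it should read `</dataset>`. The new `<conditions>` block also turns on `create`, `update`, `delete` and `changeId` at once; `<delete>true</delete>` lets the clean phase (`-c all` in the commands at the end of the page) remove destination accounts that no longer match a source entry, so the prose around this block should say so and recommend the dry-run (`-n`) command before the first real run.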
@@ -231,11 +239,11 @@
<createValues>
<string>AD.getUnicodePwd("changeit")</string>
</createValues>
</dataset>
- </>
+ </propertiesBasedSyncOptions>
</task>
- </task>
+ </tasks>
</lsc>
</file>

You can test your synchronization in "dry-run" mode (-n), which means no modification is done on the target directory:
webmaster
2014-03-04 16:28:56 UTC
A page in your DokuWiki was added or changed. Here are the details:

Date : 2014/03/04 17:28
Browser : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
IP-Address : 88.173.78.196
Hostname : mne69-10-88-173-78-196.fbx.proxad.net
Old Revision: http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory?rev=1393950181
New Revision: http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
Edit Summary: [Task]
User : coudot

@@ -137,10 +137,8 @@
<getAllFilter><![CDATA[(objectClass=user)]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>
</ldapDestinationService>
</file>
-
- <note important>You have to put objectClass in //lsc.tasks.task.adUser.ldapDestinationService.attrs// but be sure to remove it from //lsc.tasks.task.adUser.ldapSourceService.attrs//.</note>

We will also define how the target DN is built. Let's choose that the target DN is composed from the source's attribute //cn// and the destination branch //cn=Users//.

<file:xml>
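Review bot: removing the `<note important>` is consistent with the `<fetchedAttributes>` lists (`objectclass` appears only in the destination list), but the page now has no sentence explaining why `objectclass` is deliberately absent from the source side; a short line after `</file>` would keep that guidance.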