[lsc-users] configure sync AD to OpenDJ

Sébastien Bahloul sebastien.bahloul at gmail.com
Mon Sep 26 00:03:28 CEST 2011


Can you take a look to see if any "Unable to get object for id=" is
following an error like the following line?

Too many entries returned (base: "ou=DIT,dc=msk,dc=rian", filter:
"(&(objectClass=organizationalPerson)(mail=e.mamajanyan at rian.ru))")

If this is the case, fix the last issue and you would not see any "Unable to
get object..." error message.

And you need to fix this error because the corresponding entry will not be
synchronized otherwise.

Regards,
-- 
Sebastien BAHLOUL
IAM / Security specialist
Ldap Synchronization Connector : http://lsc-project.org
Blog : http://sbahloul.wordpress.com/



2011/9/24 Avatar <avatar.pm at gmail.com>

> There are a lot of records like this:
>
> Sep 24 08:42:41 - ERROR - Unable to get object for id=CN=ААААА_СТАНДАРТНЫЙ
> ПОЛЬЗОВАТЕЛЬ для ДИТ_ААААА,OU=DIT,DC=msk,DC=rian
>
>
> On Sat, Sep 24, 2011 at 8:41 AM, Avatar <avatar.pm at gmail.com> wrote:
>
>> Yeah, but maybe I can ignore it?
>>
>>
>> On Sat, Sep 24, 2011 at 12:36 AM, Sébastien Bahloul <
>> sebastien.bahloul at gmail.com> wrote:
>>
>>> Hi Pavel,
>>>
>>> The issue for this run is that the LDAP search
>>> "(&(objectClass=organizationalPerson)(mail=e.mamajanyan at rian.ru))" in "ou=DIT,dc=msk,dc=rian"
>>> is returning 2 or more entries. The LSC is not able to handle a
>>> synchronization from one to many. It requires that the filter you provide to
>>> find the destination object returns a unique entry. So check the filter or
>>> use other attribute values to make a more precise filter to obtain a
>>> one-to-one mapping.
>>>
>>> In your first try, the LSC was not able to find any entries from the
>>> source service, that's why I suggest you check your search filter through an
>>> LDAP browser and you modify either the base or the filter
>>> > base: ou=DIT,dc=msk,dc=rian
>>> > filter: (objectClass=organizationalPerson)
>>> > requested attributes: mail
>>> > and fix the corresponding parameter !
>>>
>>> Regards.
>>>
>>> On Friday, September 23, 2011, Avatar wrote:
>>>
>>>> Strange, but it is not synchronizing anything.
>>>> Sorry, but I don't comprehend from your last mail what I have to change
>>>> in my config.
>>>>
>>>>
>>>> I run:
>>>> /usr/src/lsc-trunk-SNAPSHOT/bin/lsc -f /usr/src/lsc-trunk-SNAPSHOT/etc
>>>> -n -s all
>>>>
>>>> 10:16:46.270 [main] INFO  o.l.c.XmlConfigurationHelper - Loading plugins
>>>> ...
>>>> 10:16:57.030 [main] INFO  o.l.c.XmlConfigurationHelper - Plugins loaded
>>>> ...
>>>> 10:16:57.210 [main] INFO  org.lsc.jndi.JndiServices - Connecting to LDAP
>>>> server ldap://ad0.rian.off:389/dc=msk,dc=rian as
>>>> cn=SA_LDAP-Reader,ou=Test&ServiceUsers,dc=msk,dc=rian
>>>> 10:16:57.330 [main] INFO  org.lsc.jndi.JndiServices - Connecting to LDAP
>>>> server ldap://127.0.0.1/dc=dmz,dc=rian as cn=Directory Manager
>>>> 10:16:57.334 [main] WARN  o.l.c.o.s.PropertiesBasedSyncOptions - Your
>>>> main identifier will be used as a DN ("mail=" +
>>>> srcBean.getAttributeFirstValueById("mail") + ",ou=DIT,dc=msk,dc=rian") in
>>>> LDAP destination service and does not end with the context dn
>>>> (dc=dmz,dc=rian). This is probably an error ! For LSC 1.X users, this is
>>>> part of the changelog to 2.X.
>>>> сен 23 10:16:57 - WARN  - Starting sync for People
>>>> сен 23 10:16:57 - ERROR - Unable to get object for
>>>> id=CN=ААААА_СТАНДАРТНЫЙ ПОЛЬЗОВАТЕЛЬ для ДИТ_ААААА,OU=DIT,DC=msk,DC=rian
>>>> сен 23 10:16:57 - ERROR - Too many entries returned (base:
>>>> "ou=DIT,dc=msk,dc=rian", filter: "(&(objectClass=organizationalPerson)(mail=
>>>> e.mamajanyan at rian.ru))")
>>>> сен 23 10:16:57 - ERROR - Error while synchronizing ID {mail=
>>>> e.mamajanyan at rian.ru}: org.lsc.exception.LscServiceException:
>>>> javax.naming.SizeLimitExceededException: Too many entries returned (base:
>>>> "ou=DIT,dc=msk,dc=rian", filter: "(&(objectClass=organizationalPerson)(mail=
>>>> e.mamajanyan at rian.ru))")
>>>> сен 23 10:16:57 - ERROR - Too many entries returned (base:
>>>> "ou=DIT,dc=msk,dc=rian", filter: "(&(objectClass=organizationalPerson)(mail=
>>>> e.mamajanyan at rian.ru))")
>>>> сен 23 10:16:57 - ERROR - Error while synchronizing ID {mail=
>>>> e.mamajanyan at rian.ru}: org.lsc.exception.LscServiceException:
>>>> javax.naming.SizeLimitExceededException: Too many entries returned (base:
>>>> "ou=DIT,dc=msk,dc=rian", filter: "(&(objectClass=organizationalPerson)(mail=
>>>> e.mamajanyan at rian.ru))")
>>>> сен 23 10:16:57 - ERROR - Unable to get object for
>>>> id=CN=КРОСС,OU=OSS,OU=DIT,DC=msk,DC=rian
>>>> сен 23 10:16:57 - ERROR - Unable to get object for
>>>> id=CN=sa_presscenter,OU=OTOPC,OU=DIT,DC=msk,DC=rian
>>>> сен 23 10:16:57 - ERROR - All entries: 46, to modify entries: 0,
>>>> modified entries: 0, errors: 5
>>>>
>>>>
>>>> I understand:
>>>> Too many entries returned - it's duplicate in mail field
>>>> Unable to get object for id - there is no mail
>>>>
>>>>
>>>> Here is my full configuration:
>>>> <?xml version="1.0" ?>
>>>> <lsc xmlns="http://lsc-project.org/XSD/lsc-core-1.0.xsd" id="1"
>>>> revision="0">
>>>>  <connections id="2">
>>>>    <connection class="ldapConnection" id="3">
>>>>      <id>ldap-src-conn</id>
>>>>      <url>ldap://ad0.rian.off:389/dc=msk,dc=rian</url>
>>>>      <username>cn=SA_LDAP-Reade,ou=Test&amp;ServiceUsers,dc=msk,dc=rian</username>
>>>>      <password></password>
>>>>      <authentication>SIMPLE</authentication>
>>>>      <referral>IGNORE</referral>
>>>>      <derefAliases>NEVER</derefAliases>
>>>>      <version>VERSION_3</version>
>>>>      <pageSize>-1</pageSize>
>>>>      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>>>      <tlsActivated>false</tlsActivated>
>>>>    </connection>
>>>>    <connection class="ldapConnection" id="4">
>>>>      <id>ldap-dst-conn</id>
>>>>      <url>ldap://127.0.0.1/dc=dmz,dc=rian</url>
>>>>      <username>cn=Directory Manager</username>
>>>>      <password></password>
>>>>      <authentication>SIMPLE</authentication>
>>>>      <referral>IGNORE</referral>
>>>>      <derefAliases>NEVER</derefAliases>
>>>>      <version>VERSION_3</version>
>>>>      <pageSize>-1</pageSize>
>>>>      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
>>>>      <tlsActivated>false</tlsActivated>
>>>>    </connection>
>>>>  </connections>
>>>>  <audits id="5">
>>>>    <audit class="csvAudit">
>>>>      <name>csv</name>
>>>>      <operations>create, delete</operations>
>>>>      <datasets>cn, dn</datasets>
>>>>      <separator>;</separator>
>>>>      <append>true</append>
>>>>    </audit>
>>>>    <audit class="ldifAudit">
>>>>      <name>ldif</name>
>>>>      <append>false</append>
>>>>    </audit>
>>>>  </audits>
>>>>  <tasks id="6">
>>>>    <task id="7">
>>>>      <name>People</name>
>>>>      <bean>org.lsc.beans.SimpleBean</bean>
>>>>      <sourceService class="ldapSourceService" id="11">
>>>>        <name>openldap-source-service</name>
>>>>        <connection reference="3" />
>>>>        <baseDn>ou=DIT,dc=msk,dc=rian</baseDn>
>>>>        <pivotAttributes>
>>>>          <string>mail</string>
>>>>        </pivotAttributes>
>>>>        <fetchedAttributes>
>>>>          <string>description</string>
>>>>          <string>cn</string>
>>>>          <string>sn</string>
>>>>          <string>userPassword</string>
>>>>          <string>objectClass</string>
>>>>          <string>uid</string>
>>>>          <string>mail</string>
>>>>        </fetchedAttributes>
>>>>        <getAllFilter>(objectClass=organizationalPerson)</getAllFilter>
>>>>        <getOneFilter>(&amp;(objectClass=organizationalPerson)(mail={mail}))</getOneFilter>
>>>>      </sourceService>
>>>>      <destinationService class="ldapDestinationService" id="8">
>>>>        <name>opends-dst-service</name>
>>>>        <connection reference="4" />
>>>>        <baseDn>ou=DIT,dc=dmz,dc=rian</baseDn>
>>>>        <pivotAttributes id="9">
>>>>          <string>mail</string>
>>>>        </pivotAttributes>
>>>>        <fetchedAttributes id="10">
>>>>          <string>description</string>
>>>>          <string>cn</string>
>>>>          <string>sn</string>
>>>>          <string>userPassword</string>
>>>>          <string>objectClass</string>
>>>>          <string>uid</string>
>>>>          <string>mail</string>
>>>>        </fetchedAttributes>
>>>>        <getAllFilter>(objectClass=inetorgperson)</getAllFilter>
>>>>        <getOneFilter>(&amp;(objectClass=inetorgperson)(mail={mail}))</getOneFilter>
>>>>      </destinationService>
>>>>      <syncOptions class="propertiesBasedSyncOptions" id="12">
>>>>        <conditions id="13"></conditions>
>>>>        <mainIdentifier>"mail=" + srcBean.getAttributeFirstValueById("mail") + ",ou=DIT,dc=msk,dc=rian"</mainIdentifier>
>>>>        <defaultDelimiter>;</defaultDelimiter>
>>>>        <defaultPolicy>FORCE</defaultPolicy>
>>>>      </syncOptions>
>>>>    </task>
>>>>  </tasks>
>>>> </lsc>
>>>>
>>>>
>>>>
>>>> On Thu, Sep 22, 2011 at 6:21 PM, Sébastien Bahloul <
>>>> sebastien.bahloul at gmail.com> wrote:
>>>> > Oh ! I read the first error message too fast : the error is simply that the
>>>> > first list request on the source directory has not returned any data.
>>>> > Try an external search with the following parameter on your source directory :
>>>> > base: ou=DIT,dc=msk,dc=rian
>>>> > filter: (objectClass=organizationalPerson)
>>>> > requested attributes: mail
>>>> > and fix the corresponding parameter !
>>>> > Regards
>>>> >
>>>> > --
>>>> > Sebastien BAHLOUL
>>>> > IAM / Security specialist
>>>> > Ldap Synchronization Connector : http://lsc-project.org
>>>> > Blog : http://sbahloul.wordpress.com/
>>>> >
>>>>
>>>>
>>>> --
>>>> Rgrds, Pavel Morozov
>>>>
>>>>
>>>
>>> --
>>> Sebastien BAHLOUL
>>> IAM / Security specialist
>>> Ldap Synchronization Connector : http://lsc-project.org
>>> Blog : http://sbahloul.wordpress.com/
>>>
>>>
>>
>>
>> --
>> Rgrds, Pavel Morozov
>>
>
>
>
> --
> Rgrds, Pavel Morozov
>
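
Added example (not part of the original thread, and not LSC code): a pre-flight check of the pivot attribute over an LDIF export of the source search suggested above, reporting mail values held by more than one entry, which is the condition behind "Too many entries returned", and entries with no mail value at all. The sample LDIF and the names `parse_ldif` and `check_pivot` are constructed for illustration; the parser also handles base64-encoded DNs and folded lines, which exports with non-ASCII CNs contain.

```python
import base64
from collections import defaultdict

# Constructed export (not data from the thread): what a search on the source base
# with (objectClass=organizationalPerson), requesting only mail, might return.
SAMPLE_LDIF = """\
dn: CN=User One,OU=DIT,DC=msk,DC=rian
mail: shared@example.org

dn: CN=User Two,OU=OSS,OU=DIT,DC=msk,DC=rian
mail: Shared@Example.org

dn: CN=svc_account,OU=DIT,DC=msk,DC=rian

dn:: Q0490K8sT1U9RElU
mail: unique@example.org
"""

def parse_ldif(text):
    """Yield (dn, attrs) per entry; handles folded lines and base64 ('::') values."""
    text = text.replace("\n ", "")  # unfold continuation lines
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # base64 value, e.g. a non-ASCII DN
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn:
            yield dn, attrs

def check_pivot(ldif_text, pivot="mail"):
    """Return (duplicates, missing) for the pivot attribute."""
    by_value, missing = defaultdict(list), []
    for dn, attrs in parse_ldif(ldif_text):
        values = attrs.get(pivot.lower(), [])
        if not values:
            missing.append(dn)
        for v in values:
            by_value[v.lower()].append(dn)  # mail matches case-insensitively
    dups = {v: dns for v, dns in by_value.items() if len(dns) > 1}
    return dups, missing

if __name__ == "__main__":
    print("duplicates, missing:", check_pivot(SAMPLE_LDIF))
```

Every key in the first result is a mail value for which the `getOneFilter` would match more than one entry, so those entries need a distinct value or a more precise filter before the sync is run.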