No subject


Fri Sep 9 13:46:57 CEST 2011


Hi Maxime,

The important piece of information is the pivot attributes and the way they
are used to look for an entry in the various services.

On one hand, you have an SQL database with:
- a request that lists objects by returning a map of pivot attributes
- a request that gets an object by using the pivot attributes and returning
the entry

On the other hand, you have an OpenLDAP directory with:
- a base DN to use for each search
- a filter to look for all entries, returning a table of pivot attributes for
each entry
- a filter that will use the pivot attributes to get a unique entry

When you are using "-c all", you are asking LSC to go through the various
tasks and to launch the clean phase. On the task that is syncing your SQL
database to your OpenLDAP directory, the following process will occur:
- use the filterAll filter to get all the pivot attribute tables
corresponding to the entries that should be synced to the directory
- for each of them, use the pivot attribute table to look for an object
inside the database through the request that gets an object from the pivot
attributes.

So what you need to do is to modify your SQL request to allow either the
field courriel to be equal to the pivot attribute "courriel" or to the pivot
attribute that comes from LDAP (I can't catch if it is the uid or mail
attribute - but it doesn't matter, choose the good one). And you should get an
up-to-date directory with no more shadow accounts.

Hope this helps,

Sebastien.
-- 
Sebastien BAHLOUL
IAM / Security specialist
Ldap Synchronization Connector : http://lsc-project.org
Blog : http://sbahloul.wordpress.com/



2011/10/27 Maxime Pelletier <maxime.pelletier at educsa.org>

> Hi all,
>
> I want to share something that I think is not well documented.
>
> When you build your SQL statement to sync data with OpenLDAP, the column
> you will use as your UID must be named UID if you want to use the "-c all"
> option.
>
> I created entries in LDAP with an email address as the UID. I first built
> the SQL statement with "select * from mytable", and then built the DN with
> column "courriel". However, LSC was deleting all entries with the "-c all"
> option.
>
> From what I understand, LSC matches the #uid# of the SQL statement with the
> field "uid" in LDAP. So when LSC tries to match #courriel# in LDAP, it fails
> and then replaces #courriel# by a NULL value in the SQL query. Result: it
> deletes everything.
>
> I don't know if this is a well known pitfall/behavior, but I wanted to
> share this in case it could help someone.
>
> Regards,
>
> Maxime
>
> _______________________________________________________________
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>
> lsc-users mailing list
> lsc-users at lists.lsc-project.org
> http://lists.lsc-project.org/listinfo/lsc-users
>
>
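To make the clean-phase behaviour described in this thread concrete, here is a small simulation added for illustration; it is not LSC's own code. LSC itself binds `#name#` placeholders from the pivot attribute table returned by the directory; this example mimics that with SQLite named parameters, where a pivot attribute the directory did not return binds as NULL, exactly the failure Maxime hit. The table `mytable`, the column `courriel`, the sample rows and the LDAP pivot tables are all constructed for the example, and the two `GET_OBJECT_*` queries are hypothetical versions of the "get object" request before and after Sebastien's suggested change.

```python
"""Simulate LSC's "-c all" clean phase for an SQL -> OpenLDAP task.

Constructed example, not LSC code: an in-memory SQLite table stands in for
the SQL source, and a list of dicts stands in for the pivot attribute
tables that the filterAll search returns from the directory.
"""
import sqlite3

# Constructed sample rows of the SQL source, keyed by the "courriel" column.
SQL_ROWS = [("alice@example.org", "Alice"), ("bob@example.org", "Bob")]

# Pivot tables as the directory returns them: the LDAP entries were created
# with the email address as their uid, so the pivot attribute is named "uid".
# carol exists only in LDAP and is the one entry the clean phase should remove.
LDAP_PIVOTS = [
    {"uid": "alice@example.org"},
    {"uid": "bob@example.org"},
    {"uid": "carol@example.org"},
]

# The "get object" request as originally written: it only matches on the
# #courriel# placeholder, which the LDAP pivot table never provides.
GET_OBJECT_ORIGINAL = "SELECT courriel FROM mytable WHERE courriel = :courriel"

# The "get object" request after the suggested change: the courriel column
# may match either the "courriel" pivot (from SQL) or the "uid" pivot (from LDAP).
GET_OBJECT_FIXED = (
    "SELECT courriel FROM mytable "
    "WHERE courriel = :courriel OR courriel = :uid"
)


def build_db():
    """Create the constructed source table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (courriel TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", SQL_ROWS)
    return conn


def bind(pivot, names):
    """Mimic placeholder binding from a pivot table: an attribute that the
    directory did not return binds as NULL, as described in the thread."""
    return {n: pivot.get(n) for n in names}


def clean_phase(conn, query, param_names):
    """Return the pivot tables the clean phase would delete: every directory
    entry whose pivot attributes find no object in the source database."""
    to_delete = []
    for pivot in LDAP_PIVOTS:
        row = conn.execute(query, bind(pivot, param_names)).fetchone()
        if row is None:
            to_delete.append(pivot)
    return to_delete


def deletions(query, param_names):
    """Dry run: list the uids that would be removed for a given query."""
    conn = build_db()
    try:
        return [p["uid"] for p in clean_phase(conn, query, param_names)]
    finally:
        conn.close()


if __name__ == "__main__":
    # With the original query every lookup binds courriel = NULL, so no row
    # ever matches and all three entries would be deleted.
    print("original query deletes:", deletions(GET_OBJECT_ORIGINAL, ["courriel"]))
    # With the fixed query only the entry missing from SQL is deleted.
    print("fixed query deletes:   ", deletions(GET_OBJECT_FIXED, ["courriel", "uid"]))
```

The `deletions` dry run is the check worth doing before enabling the clean phase against a production directory: if it reports every entry, the pivot attribute names of the two services do not line up and the query, not the data, is the problem.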
