[lsc-users] LSC - Users deletion during sync
Julien TEHERY
julien.tehery at openevents.fr
Thu May 31 14:06:36 CEST 2018
On 31/05/2018 at 09:56, Clément OUDOT wrote:
>
> On 31/05/2018 at 09:32, Julien TEHERY wrote:
>> Hi there,
> Hello Julien,
>
>> One question about AD provisioning from LDAP.
>> I successfully imported users from an LDAP into a fresh new samba4-AD
>> server (thanks to LSC!), in order to migrate users from an old samba
>> 3.5 domain to the new one.
>> Now the two domains live together and I intend to keep users
>> synchronized from the old one to the new one during the migration.
>>
>> New users created in the samba4 domain won't have to be deleted, as
>> they will be created only in the new one.
>> On the contrary, actions made on users from the old LDAP will have to
>> be replicated to Samba4-AD (mainly field updates and user deletions).
>>
>> At the moment, if I relaunch my sync task with the "delete" option,
>> new users created in the new domain (that don't exist in the old one)
>> will be deleted (except the domain administrator and specific samba4
>> system accounts).
>>
>> Is there a way to keep both directories synchronized without deleting
>> new users in the new domain?
>>
> Yes, you need to have an attribute in the user entry that lets you know
> which entries are linked to the old directory. You can for example force a
> field like "description" or "employeeType" with a value, and configure
> getAllFilter in the destination to only match these entries.
>
>
Thanks Clément, you're perfectly right and it's very simple.
I found out what attribute to use to do this.
One more question, this time about group sync: I succeeded in importing
groups from the former LDAP to Samba4-AD, but those remain empty.
I don't have memberOf or uniqueMember attributes in the source LDAP (since
the memberof overlay isn't activated on it...).
Is there a way to sync users, gathering information from the memberUid
attribute to populate AD groups?
I tried filtering on posixGroup instead of groupOfUniqueNames to get
memberUid instead of uniqueMember.
Here are the details of my task:
<task>
  <name>LDAPGROUPS2AD</name>
  <bean>org.lsc.beans.SimpleBean</bean>
  <!-- Source: posixGroup entries in the old OpenLDAP, keyed on cn -->
  <asyncLdapSourceService>
    <name>group-source-service</name>
    <connection reference="ldap-source-conn-group" />
    <baseDn>ou=groupes,dc=sourcedomain,dc=lan</baseDn>
    <pivotAttributes>
      <string>cn</string>
    </pivotAttributes>
    <fetchedAttributes>
      <string>cn</string>
      <string>description</string>
      <string>memberUid</string>
      <string>gidNumber</string>
    </fetchedAttributes>
    <getAllFilter><![CDATA[(objectClass=posixgroup)]]></getAllFilter>
    <getOneFilter><![CDATA[(&(objectClass=posixgroup)(cn={cn}))]]></getOneFilter>
    <cleanFilter><![CDATA[(&(objectClass=posixgroup)(cn={cn}))]]></cleanFilter>
    <serverType>OpenLDAP</serverType>
  </asyncLdapSourceService>
  <!-- Destination: group entries in Samba4-AD, keyed on cn -->
  <ldapDestinationService>
    <name>group-dst-service</name>
    <connection reference="ldap-dst-conn-group" />
    <baseDn>OU=Groups,DC=destdomain,DC=lan</baseDn>
    <pivotAttributes>
      <string>cn</string>
    </pivotAttributes>
    <fetchedAttributes>
      <string>cn</string>
      <string>description</string>
      <string>member</string>
      <string>objectClass</string>
      <string>gidNumber</string>
    </fetchedAttributes>
    <getAllFilter><![CDATA[(objectClass=group)]]></getAllFilter>
    <getOneFilter><![CDATA[(&(objectClass=group)(cn={cn}))]]></getOneFilter>
  </ldapDestinationService>
  <propertiesBasedSyncOptions>
    <!-- DN of the destination group is built from the source cn -->
    <mainIdentifier>js:"cn=" +
      javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn"))
      + ",OU=Groups,DC=dstdomain,DC=lan"</mainIdentifier>
    <defaultDelimiter>;</defaultDelimiter>
    <defaultPolicy>FORCE</defaultPolicy>
    <conditions>
      <create>true</create>
      <update>true</update>
      <delete>false</delete>
      <changeId>true</changeId>
    </conditions>
    <dataset>
      <name>objectclass</name>
      <policy>KEEP</policy>
      <createValues>
        <string>"group"</string>
        <string>"top"</string>
      </createValues>
    </dataset>
    <!-- AD "member" is rebuilt from the source memberUid values -->
    <dataset>
      <name>member</name>
      <policy>FORCE</policy>
      <forceValues>
        <string>
          <![CDATA[rjs:
            // memberUid holds plain uid values; each one is passed to
            // srcLdap.attribute() as if it were a DN
            var membersSrcDn = srcBean.getDatasetValuesById("memberUid");
            var membersDstDn = [];
            for (var i = 0; i < membersSrcDn.size(); i++) {
              var memberSrcDn = membersSrcDn.get(i);
              var uid = "";
              try {
                uid = srcLdap.attribute(memberSrcDn, "uid").get(0);
              } catch (e) {
                continue;
              }
              // look the uid up in the destination by sAMAccountName
              var destDn = ldap.search("CN=Users",
                                       "(sAMAccountName=" + uid + ")");
              // skip members that are missing or ambiguous in AD
              if (destDn.size() == 0 || destDn.size() > 1) {
                continue;
              }
              var destMemberDn = destDn.get(0) + "," + ldap.getContextDn();
              membersDstDn.push(destMemberDn);
            }
            membersDstDn
          ]]>
        </string>
      </forceValues>
    </dataset>
  </propertiesBasedSyncOptions>
</task>
When launching LSC I actually get this error, as I don't seem to get the
memberUid attribute:
Caused by: java.lang.RuntimeException:
org.apache.directory.api.ldap.model.exception.LdapInvalidDnException:
ERR_04202 A value is missing on some RDN
My guess is that I have something wrong with the destDn scope...
Any idea?
Thanks
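As an added illustration (not code from the original post or from the LSC project), the member-resolution step the task's rjs block intends, written as plain JavaScript: each memberUid is treated as a uid value (not a DN), and the uid is escaped per RFC 4515 before being placed in the search filter, so a uid containing filter metacharacters cannot alter the query. `searchStub`, `DEST_USERS` and `CONTEXT_DN` are constructed stand-ins for LSC's `ldap.search()`, the destination directory and `ldap.getContextDn()`.

```javascript
// RFC 4515 escaping for a value embedded in an LDAP search filter:
// backslash, '*', '(', ')' and NUL become "\xx" hex escapes.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, function (ch) {
    return "\\" + ch.charCodeAt(0).toString(16).padStart(2, "0");
  });
}

// Constructed destination directory: sAMAccountName -> RDN below the context DN.
// "dup" deliberately maps to two entries to exercise the ambiguous case.
const DEST_USERS = {
  jdoe: "CN=John Doe,CN=Users",
  asmith: "CN=Alice Smith,CN=Users",
  dup: ["CN=Dup One,CN=Users", "CN=Dup Two,CN=Users"],
};
const CONTEXT_DN = "DC=destdomain,DC=lan"; // stand-in for ldap.getContextDn()

// Stand-in for ldap.search(base, filter): exact match on sAMAccountName only,
// so an unescaped "*" would not act as a wildcard here as it would on a real server.
function searchStub(base, filter) {
  const m = /^\(sAMAccountName=(.*)\)$/.exec(filter);
  if (!m) return [];
  const hit = DEST_USERS[m[1]];
  if (!hit) return [];
  return Array.isArray(hit) ? hit.slice() : [hit];
}

// Map source memberUid values to destination member DNs.
// Members that are missing or ambiguous in the destination are skipped,
// mirroring the size()==0 / size()>1 check in the task.
function resolveMembers(memberUids, search) {
  const members = [];
  for (const uid of memberUids) {
    const filter = "(sAMAccountName=" + escapeFilterValue(uid) + ")";
    const hits = search("CN=Users", filter);
    if (hits.length !== 1) continue;
    members.push(hits[0] + "," + CONTEXT_DN);
  }
  return members;
}

console.log(resolveMembers(["jdoe", "ghost", "dup", "asmith"], searchStub));
```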