[lsc-users] LSC - Users deletion during sync

Julien TEHERY julien.tehery at openevents.fr
Thu May 31 14:06:36 CEST 2018

On 31/05/2018 at 09:56, Clément OUDOT wrote:
> On 31/05/2018 at 09:32, Julien TEHERY wrote:
>> Hi there,

> Hello Julien,
>> One question about AD provisioning from LDAP.
>> I successfully imported users from an LDAP into a fresh new samba4-AD
>> server (thanks to LSC!), in order to migrate users from an old samba
>> 3.5 domain to the new one.
>> Now the two domains live together and I intend to keep users
>> synchronized from the old one to the new one during the migration.
>> New users created in the samba4 domain won't have to be deleted, as
>> they will be created only in the new one.
>> On the contrary, actions made on users from the old LDAP will have to
>> be replicated to Samba4-AD (mainly field updates and user deletion).
>> At the moment, if I relaunch my sync task with the "delete" option,
>> new users created in the new domain (that don't exist in the old one)
>> will be deleted (except the domain administrator and specific samba4
>> system accounts).
>> Is there a way to keep both directories synchronized without deleting new
>> users in the new domain?
> Yes, you need to have an attribute in the user entry that allows you to know
> which entry is linked to the old directory. You can for example force a
> field like "description" or "employeeType" with a value, and configure
> getAllFilter in the destination to only match these entries.
Thanks Clément, you're perfectly right and it's very simple.
I found out what attribute to use to do this.

One more question, this time about group sync: I succeeded in importing 
groups from the former LDAP to Samba4-AD, but those remain empty.
I don't have memberOf or uniqueMember attributes in the source LDAP (since 
the memberof overlay isn't activated on it...)

Is there a way to sync users, gathering information from the memberUid 
attribute to populate AD groups?

I tried filtering on posixGroup instead of groupOfUniqueNames to get 
memberUid instead of uniqueMember.
Here are the details of my task:


         <connection reference="ldap-source-conn-group" />

         <connection reference="ldap-dst-conn-group" />
         <mainIdentifier>js:"cn=" + 
+ ",OU=Groups,DC=dstdomain,DC=lan"</mainIdentifier>
                  var membersSrcDn = 
                  var membersDstDn = [];
                  for  (var i=0; i<membersSrcDn.size(); i++) {
                          var memberSrcDn = membersSrcDn.get(i);
                          var uid = "";
                          try {
                                  uid = srcLdap.attribute(memberSrcDn, 
                          } catch(e) {
                          var destDn = ldap.search("CN=Users", 
"(sAMAccountName=" + uid + ")");
                          if (destDn.size() == 0 || destDn.size() > 1) {
                          var destMemberDn = destDn.get(0) + "," + 

When launching LSC I actually get this error, as I don't seem to get the 
memberUid attribute:

Caused by: java.lang.RuntimeException: 
ERR_04202 A value is missing on some RDN

My guess is that I have something wrong with the destDn scope...

Any idea?
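For the group question, the logic the task above is trying to implement (map each memberUid of a source posixGroup to the DN of the matching AD account, build the member list, and skip what cannot be resolved cleanly) is shown below as an added, stand-alone example. It is not code from the thread or from LSC: the `search` callback and the FAKE_AD table stand in for LSC's `ldap.search(base, filter)` and the destination directory, and the sample group, uids and DNs are constructed. Two details the posted snippet lacks are included: uid values are escaped per RFC 4515 before being embedded in the filter, and empty or ambiguous lookups are reported instead of producing a malformed DN.

```javascript
// Added example (not from the mailing-list post or from LSC itself).
// Resolves the memberUid values of a source posixGroup to AD member DNs.
// In a real LSC task the `search` callback would wrap ldap.search(base, filter)
// and memberUids would come from srcBean.getDatasetValuesById("memberUid").

// RFC 4515 escaping so a uid can be embedded in an LDAP filter safely.
function escapeLdapFilter(value) {
  return String(value).replace(/[\\*()\u0000]/g, (c) => {
    switch (c) {
      case "\\": return "\\5c";
      case "*": return "\\2a";
      case "(": return "\\28";
      case ")": return "\\29";
      default: return "\\00";
    }
  });
}

// Filter used to find the destination account for one uid (sAMAccountName assumed).
function buildMemberFilter(uid) {
  return "(&(objectClass=user)(sAMAccountName=" + escapeLdapFilter(uid) + "))";
}

// Returns { members: [dn...], skipped: [{uid, reason}...] }.
// Exactly one hit is required: zero means the user is not provisioned yet,
// more than one means the uid is ambiguous and must not be guessed.
function resolveGroupMembers(memberUids, search) {
  const members = [];
  const skipped = [];
  for (const raw of memberUids) {
    const uid = (raw == null ? "" : String(raw)).trim();
    if (uid === "") {
      skipped.push({ uid: raw, reason: "empty memberUid value" });
      continue;
    }
    const hits = search(buildMemberFilter(uid));
    if (hits.length === 1) {
      members.push(hits[0]);
    } else if (hits.length === 0) {
      skipped.push({ uid, reason: "no matching AD account" });
    } else {
      skipped.push({ uid, reason: "ambiguous: " + hits.length + " AD accounts" });
    }
  }
  return { members, skipped };
}

// Constructed stand-in for the destination AD: filter string -> list of DNs.
const FAKE_AD = {
  [buildMemberFilter("alice")]: ["CN=Alice Smith,CN=Users,DC=dstdomain,DC=lan"],
  [buildMemberFilter("bob")]: ["CN=Bob Jones,CN=Users,DC=dstdomain,DC=lan"],
  [buildMemberFilter("carol")]: [
    "CN=Carol A,CN=Users,DC=dstdomain,DC=lan",
    "CN=Carol B,OU=Contractors,DC=dstdomain,DC=lan",
  ],
};
function fakeSearch(filter) {
  return FAKE_AD[filter] || [];
}

// Constructed source posixGroup: one unknown uid ("dave") and one empty value.
const SAMPLE_GROUP = { cn: "devteam", memberUid: ["alice", "bob", "carol", "dave", ""] };

function demo() {
  return resolveGroupMembers(SAMPLE_GROUP.memberUid, fakeSearch);
}

const result = demo();
console.log("members:", result.members);
console.log("skipped:", result.skipped);
```

Inside LSC the returned members array would be the value of the group's member dataset; logging the skipped list on each run gives a clear view of which source accounts have not yet been provisioned (or are duplicated) in the new domain.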

