Thank you Sébastien, I missed that. After testing it works great!

I have one further issue, it seems like I am trying to sync entries that
are not matched by my getAllFilter. We have a large AD environment, but not
all of those users need to be in LDAP. I only want to sync users that have
a uidNumber assigned.

I use this filter:         <getAllFilter>(&amp; (objectClass=user)
(sAMAccountName=*) (uidNumber=*))</getAllFilter>

If I use it manually via ldapsearch it returns the users I expect.  However
my task is trying to grab users that have been modified recently, but do
not have a uidNumber.

This seems to be related to the timestamp, when I take the
<dateFormat>yyyyMMddHHmmss'.0Z'</dateFormat> out of my config, I don't see
this any longer.  Is it still using the getallfilter when checking the
modifytimestamp?

I appreciate all the help.

-Joel


On Mon, Aug 6, 2012 at 11:51 PM, Sébastien Bahloul <
[email protected]> wrote:

> Hi Dunkan,
>
> Yes you are completely right, that's why you can customize it. Look at the
> following page :
>
>
> http://lsc-project.org/wiki/documentation/2.0/configuration/service/sourceldap
>
> and set the "dateFormat" value to the following setting (not tested):
>
> yyyyMMddHHmmss.S'Z
>
> The pattern to use is documented in standard Java documentation for
> SimpleDateFormat class:
> http://docs.oracle.com/javase/1.4.2/docs/api/java/text/SimpleDateFormat.html
>
>
> Regards,
>
> --
> Sebastien BAHLOUL
> IAM / Security specialist
> Ldap Synchronization Connector : http://lsc-project.org
> Blog : http://sbahloul.wordpress.com/
>
>
>
> 2012/8/7 dunkan <[email protected]>
>
>> Sorry to be spammy. From looking at tcpdumps I see it is checking the
>> modifytimestamp.  It looks like the problem is the value is stored with a
>> decimal in the directory, but not in the filter.
>>
>> For example, it is looking for  "(modifytimestamp>=20110807030345Z)", and
>> never gets any results. If I change that
>> to  "(modifytimestamp>=20110807030345.0Z)" it returns the entries that are
>> modified.
>>
>> Thanks,
>> Joel
>>
>>
>> On Mon, Aug 6, 2012 at 9:00 PM, dunkan <[email protected]> wrote:
>>
>>> It looks like FORCE, with forcevalues will always put what I need, so
>>> that part is working out now.
>>>
>>> I'm not sure about the async job though. How does it determine that it
>>> needs to update?  The logs give the indication that it is searching every 5
>>> seconds, but changes don't show up. If I stop and re-run it again they are
>>> always picked up.
>>>
>>> -Joel
>>>
>>>
>>> On Mon, Aug 6, 2012 at 7:02 PM, dunkan <[email protected]> wrote:
>>>
>>>> Hey there,
>>>>
>>>> I am working on one way syncing AD to OpenLDAP. I am seeing a
>>>> difference in operation between using lsc in async vs sync mode.
>>>>
>>>> If I start lsc like so:
>>>>
>>>> # bin/lsc -f etc -a all
>>>>
>>>> users are read from active directory using my filter correctly, and
>>>> attributes are updated as I would expect.
>>>>
>>>> If I start lsc in async like so:
>>>>
>>>> # bin/lsc -f etc -s all
>>>>
>>>> lsc attempts to create users every time, and I will get a failure to
>>>> add as the entry already exists.
>>>>
>>>> From what I have read this sort of behavior shouldn't change using sync
>>>> vs async, is that correct?
>>>> It seems like an easy work around for now is to just use async and
>>>> trigger an event.
>>>>
>>>>
>>>> My second issue I believe is configuration. I have been using
>>>> http://lsc-project.org/wiki/documentation/2.0/configuration/syncoptions as
>>>> my guide for this.
>>>>
>>>> AD has a different objectclass than OpenLDAP.
>>>>
>>>> So in AD the objectClass will be OrganizationalPerson, person
>>>> In OpenLDAP it is Account, PosixAccount.
>>>>
>>>>  I want the values in OpenLDAP to always be the OpenLDAP values, leave
>>>> existing entries alone, and create new users with those values.
>>>>
>>>> I thought the way to do this would be to set policy to FORCE and
>>>> defaultvalues to my requested values.
>>>> This creates a new user ok, but existing users get trampled.
>>>>
>>>> If I set it to KEEP and defaultvalues to the requested values, existing
>>>> users don't get messed with, but new users use the AD objectclass.
>>>>
>>>> I tried using forcevalues and createvalues with KEEP/FORCE as well, but
>>>> am not having any luck getting the behavior I am looking for.
>>>>
>>>> Any tips?
>>>>
>>>> Thanks,
>>>> Joel
>>>>
>>>>
>>>>
>>>
>>
>> _______________________________________________________________
>> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>>
>> lsc-users mailing list
>> [email protected]
>> http://lists.lsc-project.org/listinfo/lsc-users
>>
>>
>
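
A diagnostic helper for the question at the top of this message, added here as an example (it is not from the thread or from LSC): it builds the filter one would expect if the getAllFilter were ANDed with the modifytimestamp check, using the `.0Z` form that returned results in the tcpdump test, so the string can be run through ldapsearch and compared with what the task actually sends. The function names are hypothetical, the sample instant is constructed, and nothing here asserts how LSC composes its own filter.

```python
import html
import re
from datetime import datetime, timedelta, timezone

# Filter exactly as it appears in the config quoted in the thread (XML-escaped).
GET_ALL_FILTER_XML = "(&amp; (objectClass=user) (sAMAccountName=*) (uidNumber=*))"


def ad_generalized_time(moment: datetime) -> str:
    """Format like yyyyMMddHHmmss'.0Z': UTC, with the '.0' fraction kept."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime: the trailing 'Z' would be a guess")
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def normalize_filter(xml_text: str) -> str:
    """Undo XML escaping and drop whitespace between filter components."""
    flt = html.unescape(xml_text).strip()
    flt = re.sub(r"\)\s+\(", ")(", flt)
    flt = re.sub(r"\(([&|!])\s+\(", r"(\1(", flt)
    # Reject filters whose parentheses do not balance before wrapping them.
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0 or not flt.startswith("("):
        raise ValueError("unbalanced filter: " + flt)
    return flt


def changed_since_filter(xml_text: str, since: datetime) -> str:
    """AND the getAllFilter with a modifytimestamp lower bound."""
    return "(&%s(modifytimestamp>=%s))" % (
        normalize_filter(xml_text), ad_generalized_time(since))


if __name__ == "__main__":
    # Constructed sample: the instant from the thread, expressed in UTC-7.
    local = datetime(2011, 8, 6, 20, 3, 45, tzinfo=timezone(timedelta(hours=-7)))
    print(changed_since_filter(GET_ALL_FILTER_XML, local))
```

If the entries returned for this combined filter differ from what the task picks up, the capture of the task's own search request shows which clause is missing.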