Hi Sebastian,
I used the user's RID (which is unique to each user in a domain) to
generate a persistent uidNumber for all of the AD users in OpenLDAP.
The RID can be extracted from the objectSid
(http://blogs.msdn.com/b/oldnewthing/archive/2004/03/15/89753.aspx). See
relevant sections below:
AD source configuration:
*** NOTE: http://tools.lsc-project.org/issues/519
<ldapConnection>
<name>ad-src-conn</name>
....
<binaryAttributes>
<string>objectSid</string>
</binaryAttributes>
</ldapConnection>
<ldapSourceService>
....
<pivotAttributes>
<string>sAMAccountName</string>
</pivotAttributes>
....
<getAllFilter>(&(sAMAccountName=*)(objectClass=user)(!(objectClass=computer)))</getAllFilter>
<getOneFilter>(&(objectClass=user)(sAMAccountName={sAMAccountName}))</getOneFilter>
<cleanFilter>(&(objectClass=user)(sAMAccountName={uid}))</cleanFilter>
</ldapSourceService>
OpenLDAP destination configuration:
<ldapDestinationService>
....
<pivotAttributes>
<string>uid</string>
</pivotAttributes>
....
<getAllFilter>(&(uid=*)(objectClass=inetOrgPerson))</getAllFilter>
<getOneFilter>(&(objectClass=inetOrgPerson)(uid={sAMAccountName}))</getOneFilter>
</ldapDestinationService>
In my example below, replicated AD users get a uidNumber starting at
1000000. I did this to keep replicated users from conflicting with UNIX
local accounts or other LDAP local accounts.
For example, an objectSid of
S-1-5-12-7723811915-3361004348-033306820-515 would translate to
uidNumber 1000515.
<propertiesBasedSyncOptions>
...
<dataset>
<name>uidNumber</name>
<policy>FORCE</policy>
<forceValues>
<string>
<![CDATA[js:
// AD uidNumbers start at this value:
var adBase=1000000;
// objectSid is declared in binaryAttributes above, so this is a byte array
var sid=srcBean.getDatasetById("objectSid").iterator().next();
var rid="", h="";
// Binary SID layout: byte 0 revision, byte 1 subauthority count,
// bytes 2-7 identifier authority, then one 4-byte little-endian word per
// subauthority. The RID is the last subauthority; for a domain user SID
// (5 subauthorities) that is bytes 24-27.
var subCount=sid[1]&0xFF;
var ridOffset=8+(subCount-1)*4;
// convert the 4 RID bytes from little-endian to a big-endian hex string
for (var i=ridOffset+3;i>=ridOffset;i--) {
h=(sid[i]&0xFF).toString(16);
rid+=(h.length<2)?"0"+h:h;
}
// convert from hex to integer
rid=parseInt(rid,16);
// add base value to rid, and convert to string
var uidNumber=(adBase+rid).toString();
uidNumber
]]>
]]>
</string>
</forceValues>
</dataset>
<dataset>
...
</propertiesBasedSyncOptions>
You may also be interested in:
<dataset>
<name>userPassword</name>
<policy>FORCE</policy>
<forceValues>
<string>
<![CDATA[js:
// For LDAP SASL pass-through: OpenLDAP delegates the bind for this
// userPrincipalName to the configured SASL mechanism
var userPrincipalName=srcBean.getDatasetFirstValueById("userPrincipalName");
var userPassword="{sasl}"+userPrincipalName;
// Check for disabled account.
if (AD.userAccountControlCheck(srcBean.getDatasetFirstValueById('userAccountControl'), AD.UAC_ACCOUNTDISABLE)) {
userPassword="{crypt}!*"; // Account disabled: no password can hash to this value
}
userPassword
]]>
</string>
</forceValues>
</dataset>
<dataset>
<name>loginShell</name>
<policy>FORCE</policy>
<forceValues>
<string>
<![CDATA[js:
var loginShell="/bin/bash"; // default to bash shell
var dn=srcBean.getDatasetFirstValueById("distinguishedName").toLowerCase();
// Check if account is disabled. Otherwise, check if it's a service account.
// indexOf() returns -1 when the substring is absent, which is truthy, so the
// result must be compared explicitly.
if (AD.userAccountControlCheck(srcBean.getDatasetFirstValueById('userAccountControl'), AD.UAC_ACCOUNTDISABLE) ||
dn.indexOf("ou=service accounts")>=0) {
loginShell="/bin/false"; // no interactive login
}
loginShell
]]>
</string>
</forceValues>
</dataset>
Hope this helps.
Alex
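Added here as a worked example in plain JavaScript (Node) rather than LSC's embedded Rhino script; it is not code from the thread or from the LSC project. It decodes a binary objectSid generically (reading the subauthority count instead of assuming bytes 24-27), refuses SIDs that are not domain account SIDs, pins the expected domain so that RIDs from a second domain in the same forest cannot collide on uidNumber, and applies the same disabled-account and service-account rules to loginShell and userPassword as the datasets above. The sidToBytes helper, the sample entry and the domain SID are constructed for the example.

```javascript
// Added example (not from the original post or from LSC): objectSid -> RID -> uidNumber.
//
// Binary SID layout:
//   byte 0     revision (1)
//   byte 1     subauthority count N (1..15)
//   bytes 2-7  48-bit identifier authority, big-endian (5 = NT authority)
//   bytes 8..  N x 32-bit subauthorities, little-endian; the last one is the RID

// Assumed helper so the example runs offline: builds the binary form from "S-1-5-21-...-RID".
function sidToBytes(sidString) {
  const parts = sidString.split("-");
  if (parts[0] !== "S" || parts.length < 4) throw new Error("malformed SID " + sidString);
  const revision = Number(parts[1]);
  const authority = Number(parts[2]);
  const subs = parts.slice(3).map(Number);
  if (subs.length > 15) throw new Error("too many subauthorities");
  for (const v of subs) {
    if (!Number.isInteger(v) || v < 0 || v > 0xffffffff) throw new Error("subauthority out of 32-bit range: " + v);
  }
  const out = new Uint8Array(8 + 4 * subs.length);
  out[0] = revision;
  out[1] = subs.length;
  for (let i = 0; i < 6; i++) out[2 + i] = Math.floor(authority / 2 ** (8 * (5 - i))) % 256;
  subs.forEach((v, n) => {
    for (let b = 0; b < 4; b++) out[8 + 4 * n + b] = (v >>> (8 * b)) & 0xff;
  });
  return out;
}

function parseSid(bytes) {
  if (bytes.length < 8) throw new Error("SID too short");
  const revision = bytes[0];
  const count = bytes[1];
  if (revision !== 1) throw new Error("unsupported SID revision " + revision);
  if (count < 1 || count > 15 || bytes.length !== 8 + 4 * count) throw new Error("SID length does not match subauthority count");
  let authority = 0;
  for (let i = 2; i < 8; i++) authority = authority * 256 + bytes[i];
  const subAuthorities = [];
  for (let n = 0; n < count; n++) {
    const off = 8 + 4 * n;
    // little-endian uint32; ">>> 0" keeps a set top bit from making the value negative
    subAuthorities.push((bytes[off] | (bytes[off + 1] << 8) | (bytes[off + 2] << 16) | (bytes[off + 3] << 24)) >>> 0);
  }
  const prefix = "S-" + revision + "-" + authority + "-";
  return {
    revision, authority, subAuthorities,
    rid: subAuthorities[count - 1],
    domain: prefix + subAuthorities.slice(0, -1).join("-"), // SID without the RID
    string: prefix + subAuthorities.join("-"),
  };
}

function uidNumberFromSid(bytes, base, expectedDomainSid) {
  const sid = parseSid(bytes);
  // Only domain account SIDs (S-1-5-21-<domain>-<rid>) carry RIDs that are unique
  // within the domain; built-in and local SIDs do not.
  if (sid.authority !== 5 || sid.subAuthorities.length !== 5 || sid.subAuthorities[0] !== 21) {
    throw new Error("not a domain account SID: " + sid.string);
  }
  // RIDs are unique per domain only: two domains in one forest can both have RID 1013,
  // so pin the sync to the domain it was configured for.
  if (expectedDomainSid !== undefined && sid.domain !== expectedDomainSid) {
    throw new Error("SID from unexpected domain: " + sid.domain);
  }
  return base + sid.rid;
}

const UAC_ACCOUNTDISABLE = 0x0002; // userAccountControl bit for a disabled account

// entry: { objectSid: Uint8Array, userAccountControl: string, distinguishedName: string, userPrincipalName: string }
function posixFromAdEntry(entry, base, expectedDomainSid) {
  const disabled = (parseInt(entry.userAccountControl, 10) & UAC_ACCOUNTDISABLE) !== 0;
  // Naive RDN split (escaped commas are not handled); compares whole RDNs, not substrings.
  const rdns = entry.distinguishedName.toLowerCase().split(",").map((s) => s.trim());
  const serviceAccount = rdns.includes("ou=service accounts");
  return {
    uidNumber: String(uidNumberFromSid(entry.objectSid, base, expectedDomainSid)),
    loginShell: disabled || serviceAccount ? "/bin/false" : "/bin/bash",
    userPassword: disabled ? "{crypt}!*" : "{sasl}" + entry.userPrincipalName,
  };
}

// Constructed sample entry; the domain SID is the well-known documentation example.
const DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820";
const sampleUser = {
  objectSid: sidToBytes(DOMAIN_SID + "-1013"),
  userAccountControl: "512", // NORMAL_ACCOUNT, enabled
  distinguishedName: "CN=Alice,OU=Users,DC=example,DC=com",
  userPrincipalName: "alice@example.com",
};

console.log(posixFromAdEntry(sampleUser, 1000000, DOMAIN_SID)); // uidNumber "1001013"
```

Run with `node sid.js`. The domain pin is the check worth keeping in a real job: without it, a user from a second domain in the forest with the same RID would silently receive the same uidNumber.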
On 5/7/2013 12:35 PM, Sebastian Krieger wrote:
Hey Community,
I want to choose LSC for an internal project to grep all our AD users
and keep them in sync with the project's OpenLDAP server.
Now we have run into a problem where I have been stuck for a few days.
I can successfully sync our AD users into OpenLDAP. But when the
sync job is restarted, LSC tries to create them again in the LDAP
server. Normally this would not be a problem, since the DN already exists
in LDAP and the creation fails.
But in our scenario, we have to create POSIX users from the
sAMAccountName with a unique uidNumber.
For this I used the tutorial on the LSC project page
(http://lsc-project.org/wiki/documentation/2.0/configuration/syncoptions/sequences)
to have a counter available.
My problem is that on every run when the users should be synced, the
counter for the uidNumber is increased by 1 for every user, whether he
must be created or not.
Has anyone solved that problem in the past?
I run LSC 2.0.2 in synchronous mode.
Here is the relevant XML task snippet.
>>
<tasks>
<!-- BEGIN: TASK: Sync AD User -->
<task>
<name>CreateAdUser</name>
<bean>org.lsc.beans.SimpleBean</bean>
<ldapSourceService>
<name>ad-src-service</name>
<connection reference="AD" />
<baseDn>dc=company,dc=group</baseDn>
<pivotAttributes>
<string>sAMAccountName</string>
</pivotAttributes>
<fetchedAttributes>
<string>sAMAccountName</string>
<string>cn</string>
<string>givenName</string>
<string>sn</string>
</fetchedAttributes>
<getAllFilter>(&(objectClass=User)(objectCategory=Person)(|(sAMAccountName=b*)(sAMAccountName=e*))(!(sAMAccountName=company*)))</getAllFilter>
<getOneFilter>(&(objectClass=User)(objectCategory=Person)(sAMAccountName={sAMAccountName}))</getOneFilter>
</ldapSourceService>
<ldapDestinationService>
<name>openldap-dst-service</name>
<connection reference="OpenLDAP" />
<baseDn>dc=lnxcim,dc=company,dc=group</baseDn>
<pivotAttributes>
<string>uid</string>
</pivotAttributes>
<fetchedAttributes>
<string>dn</string>
<string>sn</string>
<string>cn</string>
<string>uid</string>
<string>givenName</string>
<string>ObjectClass</string>
<string>uidNumber</string>
<string>gidNumber</string>
<string>homeDirectory</string>
<string>userPassword</string>
</fetchedAttributes>
<getAllFilter>(&(uid=*)(objectClass=inetOrgPerson))</getAllFilter>
<getOneFilter>(&(objectClass=inetOrgPerson)(uid={uid}))</getOneFilter>
</ldapDestinationService>
<propertiesBasedSyncOptions>
<!-- choose UID as DN in OpenLDAP -->
<mainIdentifier>"uid=" +
srcBean.getDatasetFirstValueById("sAMAccountName") +
",ou=users,dc=lnxcim,dc=company,dc=group"</mainIdentifier>
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>FORCE</defaultPolicy>
<!-- ObjectClass -->
<dataset>
<name>objectClass</name>
<policy>FORCE</policy>
<forceValues>
<string>"top"</string>
<string>"person"</string>
<string>"organizationalPerson"</string>
<string>"inetOrgPerson"</string>
<string>"posixAccount"</string>
</forceValues>
</dataset>
<!-- sAMAccountName == UID -->
<dataset>
<name>uid</name>
<policy>FORCE</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
</createValues>
</dataset>
<!-- count up the uidNumber for every user
created, for this we have a cn with serialNumber attribute for count
up in the LDAP -->
<dataset>
<name>uidNumber</name>
<policy>KEEP</policy>
<createValues>
<string>SequencesFactory.getInstance(ldap.getJndiServices()).getNextValue("cn=uidNumberSequenceUnix,ou=LSC,ou=services,dc=lnxcim,dc=company,dc=group","serialNumber")</string>
</createValues>
</dataset>
<!-- set users home -->
<dataset>
<name>homeDirectory</name>
<policy>FORCE</policy>
<createValues>
<string>"/home/" +
srcBean.getDatasetFirstValueById("sAMAccountName")</string>
</createValues>
</dataset>
<dataset>
<name>givenName</name>
<policy>FORCE</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("givenName")</string>
</createValues>
</dataset>
<dataset>
<name>sn</name>
<policy>FORCE</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("sn")</string>
</createValues>
</dataset>
<dataset>
<name>cn</name>
<policy>FORCE</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("cn")</string>
</createValues>
</dataset>
<!-- create userPassword as SASL auth -->
<dataset>
<name>userPassword</name>
<policy>FORCE</policy>
<createValues>
<string>"{SASL}" +
srcBean.getDatasetFirstValueById("sAMAccountName") +
"@company.group"</string>
</createValues>
</dataset>
</propertiesBasedSyncOptions>
</task>
<!-- END: Task: Sync AD User -->
</tasks>
<<
Thanks for your hints and replies!
Sebastian
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users