OpenLdap - LSC - Active Directory sync and login pass-through

Active Directory server in backend, store all user data, password…
OpenLDAP install on Ubuntu server, frontend, is a read-only LDAP service to provide users data to other server (web, app…) by using LSC to sync data, this server also use to authentication user by pass-through request to Active Directory server by using saslauthd service. OpenLDAP act as Single Sign On service.

Example user name Jenkins login process:

Install and config OpenLDAP

# apt-get install slapd ldap-utils libsasl2-modules-gssapi-mit

1	# apt-get install slapd ldap-utils libsasl2-modules-gssapi-mit

Note: libsasl2-modules-gssapi-mit may not need

Admin username and password: admin / demopassword

(note that admin is default username of Admin in OpenLDAP)

Edit file /etc/ldap/ldap.conf, add:

BASE dc=your_ad_domain,dc=local
URI ldap://ldap-server.your_ad_domain.local ldap://ldap-server.your_ad_domain.local:666

1 2	BASE dc=your_ad_domain,dc=local URI ldap://ldap-server.your_ad_domain.local ldap://ldap-server.your_ad_domain.local:666

Note: ldap-server is the hostname of server openldap installed, to change hostname in Ubuntu:

nano /etc/hostname
edit content: <em>ldap-server.your_ad_domain.local</em>

1 2	nano /etc/hostname edit content: <em>ldap-server.your_ad_domain.local</em>

Update host file

nano /etc/hosts
edit content: 127.0.0.1 ldap-server.we-solarbk.com

1 2	nano /etc/hosts edit content: 127.0.0.1 ldap-server.we-solarbk.com

update value:

dpkg-reconfigure slapd

1	dpkg-reconfigure slapd

select No

enter DNS domain name: your_ad_domain.local

enter Organization name: CompanyName

enter admin password:demopassword

Database backend to use: MDB

slapt is purged: Yes

move old database: Yes

Allow LDAPv2 protocol? No

Test Ldap is running:

# ldapsearch -x

1	# ldapsearch -x

View Ldap server status:

 # /etc/init.d/slapd status

1	# /etc/init.d/slapd status

Install LSC (tool support sync data between ldap server)

Files & Example: http://tools.lsc-project.org/projects/lsc/repository

# apt-get install default-jre
# nano /etc/apt/sources.list

1 2	# apt-get install default-jre # nano /etc/apt/sources.list

add content:

deb     http://lsc-project.org/debian lsc main
deb-src http://lsc-project.org/debian lsc main

1 2	deb http://lsc-project.org/debian lsc main deb-src http://lsc-project.org/debian lsc main

# apt-get update

1	# apt-get update

Import reponsitory public key:

wget -O - http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project | sudo apt-key add -

1	wget -O - http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project \| sudo apt-key add -

Install:

apt-get install lsc

1	apt-get install lsc

Configuration:

# mkdir /etc/lsc/ad2openldap
# nano /etc/lsc/ad2openldap/lsc.xml

1 2	# mkdir /etc/lsc/ad2openldap # nano /etc/lsc/ad2openldap/lsc.xml

LSC will sync data source from Active Directory to OpenLDAP, content of lsc.xml:

Note:

ad-server.publicdomain.xyz is a public domain point to IP address of AD server to get data.

Source code

<span class="sc3"><span class="re1">&lt;?xml</span> <span class="re0">version</span>=<span class="st0">&quot;1.0&quot;</span> <span class="re2">?&gt;</span></span>
<span class="sc3"><span class="re1">&lt;lsc</span> <span class="re0">xmlns</span>=<span class="st0">&quot;http://lsc-project.org/XSD/lsc-core-2.1.xsd&quot;</span> <span class="re0">revision</span>=<span class="st0">&quot;0&quot;</span><span class="re2">&gt;</span></span>
    <span class="sc3"><span class="re1">&lt;connections<span class="re2">&gt;</span></span></span>
        <span class="sc3"><span class="re1">&lt;ldapConnection<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>ldap-src-conn<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;url<span class="re2">&gt;</span></span></span>ldap://ad-server.publicdomain.xyz:389/DC=your_ad_domain,DC=local<span class="sc3"><span class="re1">&lt;/url<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;username<span class="re2">&gt;</span></span></span>user_to_login_ad@your_ad_domain.local<span class="sc3"><span class="re1">&lt;/username<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;password<span class="re2">&gt;</span></span></span>password_to_login_ad<span class="sc3"><span class="re1">&lt;/password<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;authentication<span class="re2">&gt;</span></span></span>SIMPLE<span class="sc3"><span class="re1">&lt;/authentication<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;referral<span class="re2">&gt;</span></span></span>IGNORE<span class="sc3"><span class="re1">&lt;/referral<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;derefAliases<span class="re2">&gt;</span></span></span>NEVER<span class="sc3"><span class="re1">&lt;/derefAliases<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;version<span class="re2">&gt;</span></span></span>VERSION_3<span class="sc3"><span class="re1">&lt;/version<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;pageSize<span class="re2">&gt;</span></span></span>-1<span class="sc3"><span class="re1">&lt;/pageSize<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;factory<span class="re2">&gt;</span></span></span>com.sun.jndi.ldap.LdapCtxFactory<span class="sc3"><span class="re1">&lt;/factory<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;tlsActivated<span class="re2">&gt;</span></span></span>false<span class="sc3"><span class="re1">&lt;/tlsActivated<span class="re2">&gt;</span></span></span>
        <span class="sc3"><span class="re1">&lt;/ldapConnection<span class="re2">&gt;</span></span></span>
        <span class="sc3"><span class="re1">&lt;ldapConnection<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>ldap-dst-conn<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;url<span class="re2">&gt;</span></span></span>ldap://localhost:389/dc=your_ad_domain,dc=local<span class="sc3"><span class="re1">&lt;/url<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;username<span class="re2">&gt;</span></span></span>cn=admin,dc=your_ad_domain,dc=local<span class="sc3"><span class="re1">&lt;/username<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;password<span class="re2">&gt;</span></span></span>demopassword<span class="sc3"><span class="re1">&lt;/password<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;authentication<span class="re2">&gt;</span></span></span>SIMPLE<span class="sc3"><span class="re1">&lt;/authentication<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;referral<span class="re2">&gt;</span></span></span>IGNORE<span class="sc3"><span class="re1">&lt;/referral<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;derefAliases<span class="re2">&gt;</span></span></span>NEVER<span class="sc3"><span class="re1">&lt;/derefAliases<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;version<span class="re2">&gt;</span></span></span>VERSION_3<span class="sc3"><span class="re1">&lt;/version<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;pageSize<span class="re2">&gt;</span></span></span>-1<span class="sc3"><span class="re1">&lt;/pageSize<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;factory<span class="re2">&gt;</span></span></span>com.sun.jndi.ldap.LdapCtxFactory<span class="sc3"><span class="re1">&lt;/factory<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;tlsActivated<span class="re2">&gt;</span></span></span>false<span class="sc3"><span class="re1">&lt;/tlsActivated<span class="re2">&gt;</span></span></span>
        <span class="sc3"><span class="re1">&lt;/ldapConnection<span class="re2">&gt;</span></span></span>
    <span class="sc3"><span class="re1">&lt;/connections<span class="re2">&gt;</span></span></span>
    <span class="sc3"><span class="re1">&lt;tasks<span class="re2">&gt;</span></span></span>
        <span class="sc3"><span class="re1">&lt;task<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Sync_1_Users<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;bean<span class="re2">&gt;</span></span></span>org.lsc.beans.SimpleBean<span class="sc3"><span class="re1">&lt;/bean<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;ldapSourceService<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>ad-source-service<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;connection</span> <span class="re0">reference</span>=<span class="st0">&quot;ldap-src-conn&quot;</span> <span class="re2">/&gt;</span></span>
                <span class="sc3"><span class="re1">&lt;baseDn<span class="re2">&gt;</span></span></span>DC=your_ad_domain,DC=local<span class="sc3"><span class="re1">&lt;/baseDn<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;pivotAttributes<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>samAccountName<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/pivotAttributes<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;fetchedAttributes<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>description<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>cn<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>sn<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>givenName<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>samAccountName<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>userPrincipalName<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>title<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>physicalDeliveryOfficeName<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>telephoneNumber<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>facsimileTelephoneNumber<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>department<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>company<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>mail<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>mobile<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>jpegPhoto<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/fetchedAttributes<span class="re2">&gt;</span></span></span>
                <span class="sc-1">&lt;!-- get active users only --&gt;</span>
                <span class="sc3"><span class="re1">&lt;getAllFilter<span class="re2">&gt;</span></span></span>(<span class="sc1">&amp;amp;</span>(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))<span class="sc3"><span class="re1">&lt;/getAllFilter<span class="re2">&gt;</span></span></span>
                <span class="sc-1">&lt;!-- &lt;getOneFilter&gt;(&amp;amp;(objectClass=user)(samAccountName={samAccountName})(mail=*))&lt;/getOneFilter&gt; --&gt;</span>
                <span class="sc3"><span class="re1">&lt;getOneFilter<span class="re2">&gt;</span></span></span>(<span class="sc1">&amp;amp;</span>(objectCategory=person)(objectClass=user)(!(UserAccountControl:1 4cidexn.2.840.113556.1.4.803:=2))(samAccountName={samAccountName}))<span class="sc3"><span class="re1">&lt;/getOneFilter<span class="re2">&gt;</span></span></span>
                <span class="sc-1">&lt;!-- &lt;cleanFilter&gt;(&amp;amp;(objectClass=user)(samAccountName={uid})(mail=*))&lt;/cleanFilter&gt; --&gt;</span>
                <span class="sc3"><span class="re1">&lt;cleanFilter<span class="re2">&gt;</span></span></span>(<span class="sc1">&amp;amp;</span>(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(samAccountName={uid}))<span class="sc3"><span class="re1">&lt;/cleanFilter<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;/ldapSourceService<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;ldapDestinationService<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>opends-dst-service<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;connection</span> <span class="re0">reference</span>=<span class="st0">&quot;ldap-dst-conn&quot;</span> <span class="re2">/&gt;</span></span>
                <span class="sc-1">&lt;!-- You need create an OU in OpenLDAP name = Users --&gt;</span>
                <span class="sc3"><span class="re1">&lt;baseDn<span class="re2">&gt;</span></span></span>ou=Users,dc=your_ad_domain,dc=local<span class="sc3"><span class="re1">&lt;/baseDn<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;pivotAttributes<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>uid<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/pivotAttributes<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;fetchedAttributes<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>description<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>cn<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>sn<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>userPassword<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>objectClass<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>uid<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>title<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>physicalDeliveryOfficeName<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>telephoneNumber<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>telexNumber<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>ou<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>o<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>mail<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>mobile<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>jpegPhoto<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/fetchedAttributes<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;getAllFilter<span class="re2">&gt;</span></span></span>(objectClass=inetorgperson)<span class="sc3"><span class="re1">&lt;/getAllFilter<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;getOneFilter<span class="re2">&gt;</span></span></span>(<span class="sc1">&amp;amp;</span>(objectClass=inetorgperson)(uid={samAccountName}))<span class="sc3"><span class="re1">&lt;/getOneFilter<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;/ldapDestinationService<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;propertiesBasedSyncOptions<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;mainIdentifier<span class="re2">&gt;</span></span></span>&quot;uid=&quot; +
                    srcBean.getDatasetFirstValueById(&quot;samAccountName&quot;) +
                    &quot;,ou=Users,dc=your_ad_domain,dc=local&quot;<span class="sc3"><span class="re1">&lt;/mainIdentifier<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;defaultDelimiter<span class="re2">&gt;</span></span></span>;<span class="sc3"><span class="re1">&lt;/defaultDelimiter<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;defaultPolicy<span class="re2">&gt;</span></span></span>FORCE<span class="sc3"><span class="re1">&lt;/defaultPolicy<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>description<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>FORCE<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;forceValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>js:(srcBean.getDatasetFirstValueById(&quot;sn&quot;) != null  ? srcBean.getDatasetFirstValueById(&quot;sn&quot;).toUpperCase() : null )<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/forceValues<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>userPassword<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>KEEP<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;createValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>js:&quot;{SASL}&quot; +
                            srcBean.getDatasetFirstValueById(&quot;samAccountName&quot;) + &quot;@your_ad_domain.local&quot;<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/createValues<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>sn<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc-1">&lt;!-- &lt;policy&gt;FORCE&lt;/policy&gt; --&gt;</span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>KEEP<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;createValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>js:srcBean.getDatasetFirstValueById(&quot;samAccountName&quot;)<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/createValues<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>description<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>FORCE<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;forceValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>js:(srcBean.getDatasetFirstValueById(&quot;sn&quot;) != null  ? srcBean.getDatasetFirstValueById(&quot;sn&quot;).toUpperCase() : null )<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/forceValues<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>uid<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>KEEP<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;createValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>js:srcBean.getDatasetFirstValueById(&quot;samAcccountName&quot;)<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/createValues<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>objectClass<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>KEEP<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;createValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>&quot;inetOrgPerson&quot;<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/createValues<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>telexNumber<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>FORCE<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;forceValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>js:srcBean.getDatasetFirstValueById(&quot;facsimileTelephoneNumber&quot;)<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/forceValues<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>o<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>FORCE<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;forceValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>js:srcBean.getDatasetFirstValueById(&quot;company&quot;)<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/forceValues<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>ou<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>FORCE<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;forceValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>js:srcBean.getDatasetFirstValueById(&quot;department&quot;)<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/forceValues<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;/propertiesBasedSyncOptions<span class="re2">&gt;</span></span></span>
        <span class="sc3"><span class="re1">&lt;/task<span class="re2">&gt;</span></span></span>
        <span class="sc3"><span class="re1">&lt;task<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Sync_2_Groups<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;bean<span class="re2">&gt;</span></span></span>org.lsc.beans.SimpleBean<span class="sc3"><span class="re1">&lt;/bean<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;ldapSourceService<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>group-source-service<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;connection</span> <span class="re0">reference</span>=<span class="st0">&quot;ldap-src-conn&quot;</span> <span class="re2">/&gt;</span></span>
                <span class="sc3"><span class="re1">&lt;baseDn<span class="re2">&gt;</span></span></span>DC=your_ad_domain,DC=local<span class="sc3"><span class="re1">&lt;/baseDn<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;pivotAttributes<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>cn<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/pivotAttributes<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;fetchedAttributes<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>cn<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>description<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>member<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc-1">&lt;!-- &lt;string&gt;objectClass&lt;/string&gt; --&gt;</span>
                <span class="sc3"><span class="re1">&lt;/fetchedAttributes<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;getAllFilter<span class="re2">&gt;</span></span></span><span class="sc2">&lt;![CDATA[(objectClass=group)]]&gt;</span><span class="sc3"><span class="re1">&lt;/getAllFilter<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;getOneFilter<span class="re2">&gt;</span></span></span><span class="sc2">&lt;![CDATA[(&amp;(objectClass=group)(cn={cn}))]]&gt;</span><span class="sc3"><span class="re1">&lt;/getOneFilter<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;cleanFilter<span class="re2">&gt;</span></span></span><span class="sc2">&lt;![CDATA[(&amp;(objectClass=group)(cn={cn}))]]&gt;</span><span class="sc3"><span class="re1">&lt;/cleanFilter<span class="re2">&gt;</span></span></span>
                <span class="sc-1">&lt;!-- &lt;serverType&gt;ActiveDirectory&lt;/serverType&gt; --&gt;</span>
            <span class="sc3"><span class="re1">&lt;/ldapSourceService<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;ldapDestinationService<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>group-dst-service<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;connection</span> <span class="re0">reference</span>=<span class="st0">&quot;ldap-dst-conn&quot;</span> <span class="re2">/&gt;</span></span>
                <span class="sc-1">&lt;!-- You need create an OU in OpenLDAP name = Groups --&gt;</span>
                <span class="sc3"><span class="re1">&lt;baseDn<span class="re2">&gt;</span></span></span>ou=Groups,dc=your_ad_domain,dc=local<span class="sc3"><span class="re1">&lt;/baseDn<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;pivotAttributes<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>cn<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/pivotAttributes<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;fetchedAttributes<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>cn<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>description<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>uniqueMember<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>objectClass<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc-1">&lt;!-- &lt;string&gt;gidNumber&lt;/string&gt; --&gt;</span>
                <span class="sc3"><span class="re1">&lt;/fetchedAttributes<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;getAllFilter<span class="re2">&gt;</span></span></span><span class="sc2">&lt;![CDATA[(objectClass=groupOfUniqueNames)]]&gt;</span><span class="sc3"><span class="re1">&lt;/getAllFilter<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;getOneFilter<span class="re2">&gt;</span></span></span><span class="sc2">&lt;![CDATA[(&amp;(objectClass=groupOfUniqueNames)(cn={cn}))]]&gt;</span><span class="sc3"><span class="re1">&lt;/getOneFilter<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;/ldapDestinationService<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;propertiesBasedSyncOptions<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;mainIdentifier<span class="re2">&gt;</span></span></span>js:&quot;cn=&quot; + srcBean.getDatasetFirstValueById(&quot;cn&quot;) + &quot;,OU=Groups,dc=your_ad_domain,dc=local&quot;<span class="sc3"><span class="re1">&lt;/mainIdentifier<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;defaultDelimiter<span class="re2">&gt;</span></span></span>;<span class="sc3"><span class="re1">&lt;/defaultDelimiter<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;defaultPolicy<span class="re2">&gt;</span></span></span>FORCE<span class="sc3"><span class="re1">&lt;/defaultPolicy<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;conditions<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;create<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/create<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;update<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/update<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;delete<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/delete<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;changeId<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/changeId<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/conditions<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>uniqueMember<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>FORCE<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;forceValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>
                            <span class="sc2">&lt;![CDATA[rjs:</span>
<span class="sc2">                                    var membersSrcDn = srcBean.getDatasetValuesById(&quot;member&quot;);</span>
<span class="sc2">                                    var membersDstDn = new java.util.ArrayList();;</span>
<span class="sc2">                                    for  (var i=0; i &lt; membersSrcDn.size(); i++) {</span>
<span class="sc2">                                            var memberSrcDn = membersSrcDn.get(i);</span>
<span class="sc2">                                            var sAMAccountName = &quot;&quot;;</span>
<span class="sc2">                                            try {</span>
<span class="sc2">                                                    sAMAccountName = srcLdap.attribute(memberSrcDn, &quot;samAccountName&quot;).get(0);</span>
<span class="sc2">                                            } catch(e) {</span>
<span class="sc2">                                                    continue;</span>
<span class="sc2">                                            }</span>
<span class="sc2">                                            var destDn = ldap.search(&quot;ou=Users&quot;, &quot;(uid=&quot; + sAMAccountName + &quot;)&quot;);</span>
<span class="sc2">                                            if (destDn.size() == 0 || destDn.size() &gt; 1) {</span>
<span class="sc2">                                                    continue;</span>
<span class="sc2">                                            }</span>
<span class="sc2">                                            var destMemberDn = destDn.get(0) + &quot;,&quot; +  ldap.getContextDn();</span>
<span class="sc2">                                            membersDstDn.add(destMemberDn);</span>
<span class="sc2">                                    }</span>
<span class="sc2">                                    if (membersDstDn.size() == 0) {</span>
<span class="sc2">                                        membersDstDn.add(&quot;uid=empty_member,dc=your_ad_domain,dc=local&quot;);</span>
<span class="sc2">                                    }</span>
<span class="sc2">                                    membersDstDn</span>
<span class="sc2">                            ]]&gt;</span>
                        <span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/forceValues<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;dataset<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>objectClass<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;policy<span class="re2">&gt;</span></span></span>FORCE<span class="sc3"><span class="re1">&lt;/policy<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;forceValues<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>&quot;groupOfUniqueNames&quot;<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;string<span class="re2">&gt;</span></span></span>&quot;top&quot;<span class="sc3"><span class="re1">&lt;/string<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/forceValues<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;delimiter<span class="re2">&gt;</span></span></span>$<span class="sc3"><span class="re1">&lt;/delimiter<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/dataset<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;/propertiesBasedSyncOptions<span class="re2">&gt;</span></span></span>
        <span class="sc3"><span class="re1">&lt;/task<span class="re2">&gt;</span></span></span>
    <span class="sc3"><span class="re1">&lt;/tasks<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/lsc<span class="re2">&gt;</span></span></span>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

<?xml version="1.0" ?>

<url>ldap://ad-server.publicdomain.xyz:389/DC=your_ad_domain,DC=local</url>

<username>user_to_login_ad@your_ad_domain.local</username>

<password>password_to_login_ad</password>

<authentication>SIMPLE</authentication>

<referral>IGNORE</referral>

<derefAliases>NEVER</derefAliases>

<version>VERSION_3</version>

<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>

<tlsActivated>false</tlsActivated>

</ldapConnection>

<url>ldap://localhost:389/dc=your_ad_domain,dc=local</url>

<username>cn=admin,dc=your_ad_domain,dc=local</username>

<password>demopassword</password>

<authentication>SIMPLE</authentication>

<referral>IGNORE</referral>

<derefAliases>NEVER</derefAliases>

<version>VERSION_3</version>

<tlsActivated>false</tlsActivated>

</ldapConnection>

</connections>

<tasks>

<task>

<name>Sync_1_Users</name>

<bean>org.lsc.beans.SimpleBean</bean>

<name>ad-source-service</name>

<baseDn>DC=your_ad_domain,DC=local</baseDn>

<string>samAccountName</string>

</pivotAttributes>

<string>description</string>

<string>givenName</string>

<string>samAccountName</string>

<string>userPrincipalName</string>

<string>title</string>

<string>physicalDeliveryOfficeName</string>

<string>telephoneNumber</string>

<string>facsimileTelephoneNumber</string>

<string>department</string>

<string>company</string>

<string>mobile</string>

<string>jpegPhoto</string>

</fetchedAttributes>

<getAllFilter>(&amp;(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))</getAllFilter>

<getOneFilter>(&amp;(objectCategory=person)(objectClass=user)(!(UserAccountControl:1 4cidexn.2.840.113556.1.4.803:=2))(samAccountName={samAccountName}))</getOneFilter>

<cleanFilter>(&amp;(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(samAccountName={uid}))</cleanFilter>

</ldapSourceService>

<name>opends-dst-service</name>

<baseDn>ou=Users,dc=your_ad_domain,dc=local</baseDn>

</pivotAttributes>

<string>description</string>

<string>userPassword</string>

<string>objectClass</string>

<string>title</string>

<string>physicalDeliveryOfficeName</string>

<string>telephoneNumber</string>

<string>telexNumber</string>

<string>mobile</string>

<string>jpegPhoto</string>

</fetchedAttributes>

<getAllFilter>(objectClass=inetorgperson)</getAllFilter>

<getOneFilter>(&amp;(objectClass=inetorgperson)(uid={samAccountName}))</getOneFilter>

</ldapDestinationService>

<mainIdentifier>"uid=" +

srcBean.getDatasetFirstValueById("samAccountName") +

",ou=Users,dc=your_ad_domain,dc=local"</mainIdentifier>

<defaultPolicy>FORCE</defaultPolicy>

<name>description</name>

<policy>FORCE</policy>

<string>js:(srcBean.getDatasetFirstValueById("sn") != null ? srcBean.getDatasetFirstValueById("sn").toUpperCase() : null )</string>

</forceValues>

</dataset>

<name>userPassword</name>

<string>js:"{SASL}" +

srcBean.getDatasetFirstValueById("samAccountName") + "@your_ad_domain.local"</string>

</createValues>

</dataset>

<string>js:srcBean.getDatasetFirstValueById("samAccountName")</string>

</createValues>

</dataset>

<name>description</name>

<policy>FORCE</policy>

</forceValues>

</dataset>

<string>js:srcBean.getDatasetFirstValueById("samAcccountName")</string>

</createValues>

</dataset>

<name>objectClass</name>

<string>"inetOrgPerson"</string>

</createValues>

</dataset>

<name>telexNumber</name>

<policy>FORCE</policy>

<string>js:srcBean.getDatasetFirstValueById("facsimileTelephoneNumber")</string>

</forceValues>

</dataset>

<policy>FORCE</policy>

<string>js:srcBean.getDatasetFirstValueById("company")</string>

</forceValues>

</dataset>

<policy>FORCE</policy>

<string>js:srcBean.getDatasetFirstValueById("department")</string>

</forceValues>

</dataset>

</propertiesBasedSyncOptions>

</task>

<task>

<name>Sync_2_Groups</name>

<bean>org.lsc.beans.SimpleBean</bean>

<name>group-source-service</name>

<baseDn>DC=your_ad_domain,DC=local</baseDn>

</pivotAttributes>

<string>description</string>

<string>member</string>

</fetchedAttributes>

</ldapSourceService>

<name>group-dst-service</name>

<baseDn>ou=Groups,dc=your_ad_domain,dc=local</baseDn>

</pivotAttributes>

<string>description</string>

<string>uniqueMember</string>

<string>objectClass</string>

</fetchedAttributes>

</ldapDestinationService>

<mainIdentifier>js:"cn=" + srcBean.getDatasetFirstValueById("cn") + ",OU=Groups,dc=your_ad_domain,dc=local"</mainIdentifier>

<defaultPolicy>FORCE</defaultPolicy>

</conditions>

<name>uniqueMember</name>

<policy>FORCE</policy>

<![CDATA[rjs:

var membersSrcDn = srcBean.getDatasetValuesById("member");

var membersDstDn = new java.util.ArrayList();;

for (var i=0; i < membersSrcDn.size(); i++) {

var memberSrcDn = membersSrcDn.get(i);

var sAMAccountName = "";

try {

sAMAccountName = srcLdap.attribute(memberSrcDn, "samAccountName").get(0);

} catch(e) {

continue;

}

var destDn = ldap.search("ou=Users", "(uid=" + sAMAccountName + ")");

if (destDn.size() == 0 || destDn.size() > 1) {

continue;

}

var destMemberDn = destDn.get(0) + "," + ldap.getContextDn();

membersDstDn.add(destMemberDn);

}

if (membersDstDn.size() == 0) {

membersDstDn.add("uid=empty_member,dc=your_ad_domain,dc=local");

}

membersDstDn

]]>

</string>

</forceValues>

</dataset>

<name>objectClass</name>

<policy>FORCE</policy>

<string>"groupOfUniqueNames"</string>

</forceValues>

</dataset>

</propertiesBasedSyncOptions>

</task>

</tasks>

</lsc>

You need a logback configuration in this directory:

# cp /etc/lsc/logback.xml /etc/lsc/ad2openldap/

1	# cp /etc/lsc/logback.xml /etc/lsc/ad2openldap/

To test is working:

/usr/bin/lsc -f /etc/lsc/ad2openldap -s all -c all -n

1	/usr/bin/lsc -f /etc/lsc/ad2openldap -s all -c all -n

To real sync, remove -n

Create a crontab run sync every 6 hours:

# crontab -e

1	# crontab -e

Use Active Directory to authentication user for LDAP (OpenLDAP pass-through):

Concept: User login, OpenLdap check user password field (userPassword), if it has format: {SASL}username@domain.xyz OpenLdap with authentication user via saslauthd service, saslauthd server with connect to AD and return the result.

# apt install sasl2-bin
# nano /etc/default/saslauthd
<em>content of saslauthd</em>
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Example: MECHANISMS="pam"
MECHANISMS="ldap"

# apt install sasl2-bin

# nano /etc/default/saslauthd

content of saslauthd

# Should saslauthd run automatically on startup? (default: no)

START=yes

# Example: MECHANISMS="pam"

MECHANISMS="ldap"

OpenLDAP service account name: ‘openldap‘ – view in file /etc/default/slapd

Add OpenLDAP service account to the sasl group:

# adduser openldap sasl

1	# adduser openldap sasl

Create file /etc/saslauthd.conf, content

ldap_servers: ldap://ad-server.publicdomain.xyz/
ldap_search_base: DC=your_ad_domain,DC=local
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=user_to_login_ad,ou=SomeOU,dc=your_ad_domain,dc=local
ldap_password: password_to_login_ad

ldap_servers: ldap://ad-server.publicdomain.xyz/

ldap_search_base: DC=your_ad_domain,DC=local

ldap_filter: (sAMAccountName=%u)

ldap_bind_dn: cn=user_to_login_ad,ou=SomeOU,dc=your_ad_domain,dc=local

ldap_password: password_to_login_ad

Restart service to update setting:

root@ldap-server:/# service saslauthd restart

1	root@ldap-server:/# service saslauthd restart

To test authentication:

# testsaslauthd -u <em>some_ad_user_ex</em> -p <em>user_password</em>
0: OK "Success."

1 2	# testsaslauthd -u <em>some_ad_user_ex</em> -p <em>user_password</em> 0: OK "Success."

Create file /usr/lib/sasl2/slapd.conf

# nano /usr/lib/sasl2/slapd.conf
<em>file content:</em>
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux

# nano /usr/lib/sasl2/slapd.conf

file content:

pwcheck_method: saslauthd

saslauthd_path: /run/saslauthd/mux

OpenLdap with check password field, if format {SASL}xxx… it with go to Active Directory to authentication user.

Fix Error:

Jan 21 02:25:58 ldap-server.your_ad_domain.local slapd[20263]: SASL [conn=1001] Failure: cannot connect to saslauthd server: Permission denied

1	Jan 21 02:25:58 ldap-server.your_ad_domain.local slapd[20263]: SASL [conn=1001] Failure: cannot connect to saslauthd server: Permission denied

To resolve:

# apt install apparmor-utils
# aa-complain usr.sbin.slapd

1 2	# apt install apparmor-utils # aa-complain usr.sbin.slapd

Setting /etc/apparmor.d/usr.sbin.slapd to complain mode.

# /etc/init.d/slapd restart
# service saslauthd restart

1 2	# /etc/init.d/slapd restart # service saslauthd restart

Done!!!!

Do or Do not. There is no Try. (Yoda master)

OpenLdap – LSC – Active Directory sync and login pass-through

Install and config OpenLDAP

Install LSC (tool support sync data between ldap server)

Use Active Directory to authentication user for LDAP (OpenLDAP pass-through):

Do or Do not. There is no Try. (Yoda master)

OpenLdap – LSC – Active Directory sync and login pass-through

Install and config OpenLDAP

Install LSC (tool support sync data between ldap server)

Use Active Directory to authentication user for LDAP (OpenLDAP pass-through):

Related articles

Workaround for bug “Extra frozen / stuck mouse cursor after auto screen lock / sleep” on Linux

How to stop using TLS-SNI-01 with Certbot / Ubuntu / Nginx

Full-Stack Web Developer Roadmap (2018)