Archive for July, 2010

LSC Use Case: synchronize telephoneNumber from Sun LDAP to Active Directory

July 21st, 2010

At work, we are using two directories. The first one is a damn old Sun Directory 5.2, used by the mail system and VOIP. The second one is an Active Directory used by … everything that runs on Windows. At the moment we don’t have any identity provisioning product, so users are created by hand in both directories. I want to make this synchronization automatic; however, since it’s a complex and dangerous thing, I want to start by synchronizing a few attributes. The first one is telephoneNumber, available in the Sun Directory in the format “21xxx” (the internal phone number), while the one stored in Active Directory is the public one (014070xxx), so I need to transform the attribute before sending it to AD.

Some friends of mine started the LSC project (LDAP Synchronization Connector) a few years ago, a tool to synchronize directories! Here is the configuration file I used for my use case:

Define the source


src.java.naming.provider.url = ldap://sun_hostname:389/dc=rtl,dc=fr
src.java.naming.security.authentication = none
src.java.naming.security.principal =
src.java.naming.security.credentials =
src.java.naming.referral = ignore
src.java.naming.ldap.derefAliases = never
src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
src.java.naming.ldap.version = 3

Define the target


dst.java.naming.provider.url = ldap://ad_hostname:389/dc=activedirectory,dc=domain
dst.java.naming.security.authentication = simple
dst.java.naming.security.principal = userwithenoughperms@activedirectory.domain
dst.java.naming.security.credentials = secret
dst.java.naming.referral = ignore
dst.java.naming.ldap.derefAliases = never
dst.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
dst.java.naming.ldap.version = 3

Define the task to manage telephoneNumber attribute


lsc.tasks = FirstTask
lsc.tasks.FirstTask.srcService = org.lsc.jndi.SimpleJndiSrcService
lsc.tasks.FirstTask.srcService.baseDn = ou=People
lsc.tasks.FirstTask.srcService.filterAll = (inetUserStatus=ACTIVE)
lsc.tasks.FirstTask.srcService.pivotAttrs = mail
lsc.tasks.FirstTask.srcService.filterId = (mail={mail})
lsc.tasks.FirstTask.srcService.attrs = mail telephoneNumber
lsc.tasks.FirstTask.srcService.requestNameForList = getAllPeoplePivots
lsc.tasks.FirstTask.srcService.requestNameForObject = getOnePerson
lsc.tasks.FirstTask.dstService = org.lsc.jndi.SimpleJndiDstService
lsc.tasks.FirstTask.dstService.baseDn = ou=Pole radio,dc=activedirectory,dc=domain
lsc.tasks.FirstTask.dstService.filterAll = (&(sn=*)(objectClass=inetOrgPerson))
lsc.tasks.FirstTask.dstService.pivotAttrs = mail
lsc.tasks.FirstTask.dstService.filterId = (mail={mail})
lsc.tasks.FirstTask.dstService.attrs = telephoneNumber
lsc.tasks.FirstTask.bean = org.lsc.beans.SimpleBean
lsc.tasks.FirstTask.dn = ""
lsc.syncoptions.FirstTask = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
lsc.syncoptions.FirstTask.default.action = K
lsc.syncoptions.FirstTask.default.delimiter = $
lsc.syncoptions.FirstTask.telephoneNumber.action = F
lsc.syncoptions.FirstTask.telephoneNumber.force_value = StringUtils.replaceFromMap(srcBean.getAttributeValueById("telephoneNumber"), "telephone.csv")

I think most of the properties are self-explanatory, but here are some explanations of a few of them:

  • default.action = K, meaning the attribute is not overwritten if the value is OK
  • telephoneNumber.action = F forces the attribute to be updated
  • lsc.syncoptions.FirstTask.telephoneNumber.force_value = StringUtils.replaceFromMap(srcBean.getAttributeValueById("telephoneNumber"), "telephone.csv") is the code that computes the new value of the telephoneNumber attribute. In that case I use a CSV file with two fields: the pattern, and the value to substitute when the pattern is found (e.g. "^21,014070").

Output in dryrun mode


% ./bin/lsc -n -f etc -s FirstTask
juil. 21 16:24:43 - WARN - Starting sync for FirstTask
juil. 21 16:24:43 - INFO - Connecting to LDAP server ldap://sun_hostname:389/dc=rtl,dc=fr anonymously
juil. 21 16:24:44 - INFO - Connecting to LDAP server ldap://ad_hostname:389/dc=activedirectory,dc=domain as admin@activedirectory.domain
juil. 21 16:24:44 - WARN - The method getAttributeValueById() is deprecated and will be removed in a future version of LSC. Please use getAttributeFirstValueById() instead.
juil. 21 16:24:44 - DEBUG - Update condition false. Should have modified object CN=BONFILS Bruno,OU=Users,DC=activedirectory,DC=DOMAIN
dn:: CN=BONFILS Bruno,OU=Users,DC=activedirectory,DC=DOMAIN
changetype: modify
replace: telephoneNumber
telephoneNumber: 0140704049

juil. 21 16:24:44 - INFO - All entries: 1, to modify entries: 0, modified entries: 0, errors: 0


ZSH: Create dynamically associatives array in a function

July 14th, 2010

I’m currently working on some scripts to create CSV files (to import into iTop; I’ll post about it in a few weeks) from data received via SNMP. To make things proper, I want to reuse my code as far as possible, so I was looking for a way to create associative arrays in a function, where the array name is given as an argument.

Thanks to the ZSH IRC channel (special thanks to ft), here is a way to achieve that:


mytest() {
  # make $1 a global associative array (if it is not one yet)
  typeset -A -g "$1"
  # build the string "array[key]" from the arguments...
  local buffer="${1}[${2}]"
  # ...and let the (P) flag resolve that string as the parameter to assign to
  : ${(P)buffer::=$3}
}

So the following sample code:


mytest() {
  # make $1 a global associative array (if it is not one yet)
  typeset -A -g "$1"
  # build the string "array[key]" from the arguments...
  local buffer="${1}[${2}]"
  # ...and let the (P) flag resolve that string as the parameter to assign to
  : ${(P)buffer::=$3}
}

mytest toto 3 42
mytest tutu 4 43

print -l $toto[3]
print -l $tutu[4]

will display 42, and then 43!

One final word: zsh is magic.
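Building on the same ${(P)name::=value} trick, here is an added example (not code from the original post) that turns it into set/get helpers and uses them to emit CSV rows from constructed SNMP-like data, along the lines of the iTop import mentioned above; the host names, fields and values are made up.

```zsh
#!/usr/bin/env zsh
# Added example, not code from the original post.
# aset NAME KEY VALUE : declare NAME as a global associative array (if needed)
# and set NAME[KEY]=VALUE. The (P) flag makes zsh treat the content of $ref,
# i.e. the string "NAME[KEY]", as the parameter to assign to.
aset() {
  local ref="${1}[${2}]"
  typeset -A -g "$1"
  : ${(P)ref::=$3}
}

# aget NAME KEY : print NAME[KEY]; the same (P) flag works for reading.
aget() {
  local ref="${1}[${2}]"
  print -r -- "${(P)ref}"
}

# csv_row NAME FIELD... : one CSV line, NAME followed by NAME[FIELD] for each FIELD
csv_row() {
  local name=$1 out=$1 f
  shift
  for f in "$@"; do
    out+=",$(aget "$name" "$f")"
  done
  print -r -- "$out"
}

# Constructed sample data, as if parsed from snmpwalk output (hypothetical values).
aset sw1 sysName     core-sw-01
aset sw1 sysDescr    "Cisco IOS 12.2"
aset sw1 sysLocation "DC1 rack 4"
aset sw2 sysName     edge-sw-02
aset sw2 sysDescr    "Cisco IOS 15.0"
aset sw2 sysLocation "Office floor 2"

# Header, then one row per host array filled above.
print -r -- "name,sysName,sysDescr,sysLocation"
for host in sw1 sw2; do
  csv_row "$host" sysName sysDescr sysLocation
done
```

Because every host lives in its own named array, the collecting code and the CSV writer never need to know the host list in advance; the array name is the only thing passed around.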


Splunk: useful URL

July 11th, 2010

As you probably already know, IRC is a good place to learn things; here are some URLs I learned from the Splunk channel:

  • http://host:webport/en-US/debug/refresh reloads some parts of Splunk, including applications’ views. Very useful when developing a new application: no need to restart each time!
  • https://host:8089/services/admin/inputstatus/TailingProcessor:FileStatus displays the status of file monitoring. Note the port is the management one, not the web one, so I guess this interface is available on agents even if splunkweb is not started. You can hit /services/admin/ to find a lot of other information.
