0 Replies | Latest reply: Oct 15, 2012 11:11 AM by bilias

    ISW Group sync

    bilias
      Hi,

      I'm trying to enable Group sync in ISW 6.1 without luck.

      While checking audit.log I see the following, with and without GROUP sync enabled:

      WITHOUT GROUP SYNC:
      --------------------------

      [15/Oct/2012:18:58:02.885 +0300] FINE "Not Matched: Filter :[(&(|(objectclass=user))(objectClass=group))]; Action :[Action: UNKNOWN dn='CN=noc-test,OU=All Groups,OU=People,DC=example,DC=com']"
      [15/Oct/2012:18:58:02.887 +0300] FINE "Action dropped because it is not in any sync scope

      WITH GROUP SYNC:
      ----------------------
      [15/Oct/2012:18:50:17.360 +0300] FINE 42 "Not Matched: Filter :[(&(|(objectclass=user)(objectclass=msExchBaseClass)(objectclass=posixGroup)(objectclass=domainRelatedObject)(objectclass=posixAccount)(objectclass=msExchCustomAttributes)(objectclass=msExchIMRecipient)(objectclass=samDomain)(objectclass=msExchCertificateInformation)(objectclass=msExchOmaUser)(objectclass=msExchMultiMediaUser)(objectclass=ieee802Device)(objectclass=samDomainBase)(objectclass=dynamicObject)(objectclass=ipHost)(objectclass=securityPrincipal)(objectclass=msExchMailStorage)(objectclass=bootableDevice)(objectclass=shadowAccount)(objectclass=eduPerson)(objectclass=simpleSecurityObject)(objectclass=mailRecipient)(objectclass=msExchMailboxManagerPolicy))(objectClass=group))]; Action :[Action: UNKNOWN dn='CN=noc-test,OU=All Groups,OU=People,DC=example,DC=com']"

      So when I enable GROUP SYNC it adds all those objectClasses in search.
      However none of these evaluate since the GROUP in AD has
      objectClass: top
      objectClass: group

      I've tried to 'hack' in cn=168,ou=ActiveDirectory,ou=Globals,cn=active[58],ou=GlobalConfig,ou=1.1,
      ou=IdentitySynchronization,ou=Services,ou=isw_data
      and add
      pswOtherObjectClass: group
      in order for the 2nd search to evaluate

      Then I had another problem. ISW was adding dspswuserlink without dspswuser objectClass:

      "Matched: Filter :[(&(|(objectclass=user)(objectclass=msExchBaseClass)(objectclass=posixGroup)(objectclass=domainRelatedObject)(objectclass=posixAccount)(objectclass=msExchCustomAttributes)(objectclass=msExchIMRecipient)(objectclass=samDomain)(objectclass=msExchCertificateInformation)(objectclass=msExchOmaUser)(objectclass=msExchMultiMediaUser)(objectclass=ieee802Device)(objectclass=samDomainBase)(objectclass=dynamicObject)(objectclass=ipHost)(objectclass=securityPrincipal)(objectclass=msExchMailStorage)(objectclass=bootableDevice)(objectclass=shadowAccount)(objectclass=eduPerson)(objectclass=group)(objectclass=simpleSecurityObject)(objectclass=mailRecipient)(objectclass=msExchMailboxManagerPolicy))(objectClass=group))]; Action :[Action: UNKNOWN dn='CN=noc-test,OU=All Groups,OU=People,DC=example,DC=com']"

      "LDAP Add Request: [cn: noc-test] [dspswuserlink: KrdbZt6EYkWyfm4GVA0h9g==] [objectclass: groupofuniquenames, top] "

      "LDAP operation on entry cn=noc-test,ou=groups,dc=example,dc=com failed at ldaps://ldap.example.com:636, error(65): Object class violation." (Action ID=CNN102-13A645F1665-3, SN=7)

      on LDAP server:
      Schema - conn=-1 op=-1 msgId=-1 - User error: Entry "cn=noc-test,ou=groups,dc=example,dc=com", attribute "dspswuserlink" is not allowed

      I can't seem to understand how group synchronization works. Documentation is not helpful at all since it has no details at all on group sync.

      regards,

      Giannis
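The two failures in the post above can be reproduced with a few lines of code: the audit-log filters are of the form `(&(|<list of object classes>)(objectClass=group))`, so an AD group carrying only `top` and `group` fails the left-hand disjunction until `group` is added to that list, and the add request that follows fails because `dspswuserlink` is not an attribute of `groupOfUniqueNames` or `top`. The following evaluator is an added example, not ISW code or anything from the original post; it supports only `&`, `|`, `!` and `attribute=value` filters, the long object-class list from the log is shortened, and the schema fragment is constructed (the `dspswuser` entry in it is an assumption about the ISW auxiliary class, not taken from its schema file).

```python
# Added example: minimal evaluator for audit.log-style LDAP search filters plus a
# simple object-class/attribute check. Not ISW code. Supports &, |, ! and
# attr=value only (no substring, presence or extensible matching). The filters,
# entries and schema fragment below are constructed for illustration.

def parse_filter(text):
    """Parse an RFC 4515-style filter into a nested tuple tree.

    Whitespace (including forum line wrapping) is ignored. Nodes are
    ('&'|'|'|'!', [children]) or ('=', attribute, value).
    """
    s = "".join(text.split())
    pos = 0

    def parse():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if s[pos] in "&|!":
            op = s[pos]
            pos += 1
            children = []
            while s[pos] == "(":
                children.append(parse())
            if s[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = s.index(")", pos)          # values containing ')' are not supported
        attr, _, value = s[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    tree = parse()
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return tree


def _normalize(entry):
    # Attribute names are case-insensitive in LDAP, and so are objectClass values.
    return {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}


def matches(tree, entry):
    """Evaluate a parsed filter against an entry given as {attribute: [values]}."""
    norm = _normalize(entry)

    def ev(node):
        op = node[0]
        if op == "&":
            return all(ev(c) for c in node[1])
        if op == "|":
            return any(ev(c) for c in node[1])
        if op == "!":
            return not ev(node[1][0])
        _, attr, value = node
        return value.lower() in norm.get(attr.lower(), [])

    return ev(tree)


def matches_entry(filter_text, entry):
    return matches(parse_filter(filter_text), entry)


def disjunction_classes(filter_text):
    """objectClass values accepted by the first (|...) branch of an (&...) filter."""
    tree = parse_filter(filter_text)
    if tree[0] != "&" or not tree[1] or tree[1][0][0] != "|":
        return set()
    return {node[2].lower() for node in tree[1][0][1]
            if node[0] == "=" and node[1].lower() == "objectclass"}


# Constructed schema fragment: attributes each object class allows. groupOfUniqueNames
# follows RFC 4519; dspswuser allowing dspswuserlink is an ASSUMPTION for this example.
SCHEMA = {
    "top": {"objectclass"},
    "groupofuniquenames": {"cn", "uniquemember", "businesscategory", "seealso",
                           "owner", "ou", "o", "description"},
    "dspswuser": {"dspswuserlink"},
}


def object_class_violations(entry, schema=SCHEMA):
    """Attributes that none of the entry's object classes allow (LDAP error 65)."""
    norm = _normalize(entry)
    allowed = set()
    for oc in norm.get("objectclass", []):
        allowed |= schema.get(oc, set())
    return {a for a in norm if a not in allowed}


# Constructed AD group entry as described in the post: only top and group.
AD_GROUP = {"cn": ["noc-test"], "objectClass": ["top", "group"]}

# Filter logged with group sync off, and a shortened form of the one logged with it on.
FILTER_NO_GROUPSYNC = "(&(|(objectclass=user))(objectClass=group))"
FILTER_GROUPSYNC = ("(&(|(objectclass=user)(objectclass=posixGroup)"
                    "(objectclass=posixAccount)(objectclass=securityPrincipal)"
                    "(objectclass=mailRecipient))(objectClass=group))")
# Same list after 'pswOtherObjectClass: group' is added, as in the post.
FILTER_HACKED = FILTER_GROUPSYNC.replace("(objectclass=user)",
                                         "(objectclass=user)(objectclass=group)")

# The entry from the logged LDAP Add Request (base64 value copied from the post).
ADD_REQUEST = {"cn": ["noc-test"], "dspswuserlink": ["KrdbZt6EYkWyfm4GVA0h9g=="],
               "objectClass": ["groupofuniquenames", "top"]}

if __name__ == "__main__":
    for name, f in [("no group sync", FILTER_NO_GROUPSYNC),
                    ("group sync", FILTER_GROUPSYNC), ("hacked", FILTER_HACKED)]:
        print(name, matches_entry(f, AD_GROUP), sorted(disjunction_classes(f)))
    print("schema violations:", object_class_violations(ADD_REQUEST))
```

Running it shows the first two filters rejecting the group while the hacked one accepts it, and the add request flagged for `dspswuserlink`; adding `dspswuser` to the entry's object classes (under the assumed schema) clears the violation, which is consistent with the "adding dspswuserlink without dspswuser objectClass" observation in the post.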