Ldap User Sync


1. Ldap User sync


SDP usernames must be in email format, so make sure the attribute you map to User Name holds an email-style value (for example userPrincipalName).
Below are the steps of how the SDP sync works:

Step 1 - all users matching the given criteria are fetched from AD (LDAP) and stored in the temporary sync table sdp_temp_sync_data.
Step 2 - the records in this table are read one by one, and for each one a second call is made to AD to get the full details of the user.
Step 3 - the user is inserted into the SDP DB.

Let's start with the LDAP configuration. Below is the configuration used in the NB environment.
For the user urai, userPrincipalName is urai@nb.com.

Click Test connection to confirm the LDAP connection is working. If you are connecting to a secure LDAP URL (ldaps://), import the server certificate into the Java cacerts truststore before executing the sync; otherwise the TLS handshake fails and the sync cannot bind.
Below is the SDP attribute mapping section. The username attribute configured above should match the User Name field here.

All fields are mandatory here.


The next step is adding the Account type LDAP mapping:

In the next section, add the search filter.

This creates a filter condition in the sdp_user_sync_search_filters table.


ldap_search_filter='(&(&(company=NB*)(objectClass=organizationalPerson))(objectClass=top)(objectClass=user)(objectClass=person))'

You can remove this entry from this table.

The search filter condition section is not shown in the LDAP configuration on the SDP UI.
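The three sync steps above and the search filter section, as an added example that is not SDP code: it builds the same condition as the page's company=NB* filter with RFC 4515 escaping (so a value taken from user input cannot splice extra conditions into the filter), then dry-runs step 1 (filter), step 2 (full read of each staged entry) and the email-format username rule against a constructed directory. The directory entries, the small filter evaluator and the preflight function are assumptions for illustration; only the filter text and the email rule come from the page.

```python
"""Added example (not SDP code): build the page's company=NB* search filter with
RFC 4515 escaping, then dry-run the three sync steps against a constructed
directory to see which staged users would fail the email-format username rule."""
import re

# RFC 4515 escaping for values placed inside a filter.  '*' is escaped too, so
# only the wildcard the builder itself appends acts as one.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def company_user_filter(company_prefix: str) -> str:
    """Same condition as the page's filter, with its redundant inner '&'
    flattened and the company prefix escaped."""
    prefix = escape_filter_value(company_prefix)
    return (f"(&(company={prefix}*)(objectClass=organizationalPerson)"
            "(objectClass=top)(objectClass=user)(objectClass=person))")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def compile_filter(filt: str):
    """Compile the subset of RFC 4515 used here ('&' and equality, with an
    optional trailing '*') into a predicate over {attr_lower: [values]} entries.
    Matching is case-insensitive, as AD's string attributes are."""
    pos = 0

    def parse():
        nonlocal pos
        if filt[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if filt[pos] == "&":
            pos += 1
            subs = []
            while filt[pos] == "(":
                subs.append(parse())
            pos += 1                      # the ')' closing the '&' group
            return lambda e: all(s(e) for s in subs)
        end = filt.index(")", pos)        # values never hold a raw ')' once escaped
        attr, _, raw = filt[pos:end].partition("=")
        pos = end + 1
        if raw.endswith("*"):
            want = _unescape(raw[:-1]).lower()
            test = lambda v: v.lower().startswith(want)
        else:
            want = _unescape(raw).lower()
            test = lambda v: v.lower() == want
        return lambda e: any(test(v) for v in e.get(attr.lower(), []))

    pred = parse()
    if pos != len(filt):
        raise ValueError("trailing data after filter")
    return pred


# Constructed directory entries (not real data); attribute names are lower-cased.
DIRECTORY = [
    {"dn": "CN=urai,OU=Users,DC=nb,DC=com", "company": ["NB"],
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["urai"], "userprincipalname": ["urai@nb.com"]},
    {"dn": "CN=svc-backup,OU=Service,DC=nb,DC=com", "company": ["NB Ops"],
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["svc-backup"], "userprincipalname": ["svc-backup"]},     # no '@'
    {"dn": "CN=partner1,OU=Users,DC=nb,DC=com", "company": ["Contoso"],
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["partner1"], "userprincipalname": ["partner1@contoso.com"]},
    {"dn": "CN=NB-Printers,OU=Groups,DC=nb,DC=com", "company": ["NB"],
     "objectclass": ["top", "group"], "cn": ["NB-Printers"]},
]


def preflight(directory, filt, username_attr):
    """Dry run of the sync. Step 1: select entries with the filter (what lands
    in sdp_temp_sync_data). Step 2: read each one back in full. Step 3 would
    insert; here we only report which usernames SDP would accept."""
    match = compile_filter(filt)
    staged = [e["dn"] for e in directory if match(e)]
    ok, bad = [], []
    for dn in staged:
        full = next(e for e in directory if e["dn"] == dn)
        values = full.get(username_attr.lower(), [])
        if len(values) == 1 and EMAIL.match(values[0]):
            ok.append(values[0])
        else:
            bad.append((dn, values))
    return {"staged": len(staged), "ok": ok, "bad": bad}


if __name__ == "__main__":
    report = preflight(DIRECTORY, company_user_filter("NB"), "userPrincipalName")
    for dn, values in report["bad"]:
        print(f"would be rejected: {dn} -> {values}")
```

Run it with the real attribute you mapped to User Name: any entry that ends up in the bad list would be staged by step 1 but cannot become a valid SDP account, which is the kind of mistake the last section of this page exists to undo. Mapping User Name to cn, as the sample configuration below does, rejects every entry here.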
Now you are done with the LDAP configuration and it is time to execute the LDAP user sync.
You can set the time interval to midnight: the LDAP sync will then run every day at 00:00:00.

To execute the LDAP sync at the current time:

Check the current JBoss (Java) log time, add 2-3 minutes, and save the LDAP configuration with that time.
You will see the log start showing LDAP sync activity once the cron job starts executing.

2. Ldap User sync using REST call


You can retrieve the already configured LDAP configuration with a REST GET call.
Set the authentication header to superadmin@sdp.com/superadmin
and the Content-Type to application/xml.

Clicking the SEND button returns the LDAP configuration in XML format.
Below is a sample of the XML (the server masks bindPassword in the response):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ldapAccountSyncConfig xmlns:ns2="http://sdp.cisco.com/core/ldap/config">
  <createdBy>superadmin@sdp.com</createdBy>
  <createdOn>2015-02-06T14:56:38.179+05:30</createdOn>
  <id>10000</id>
  <updatedBy>exchange@sdp.com</updatedBy>
  <updatedOn>2015-02-11T15:39:43.099+05:30</updatedOn>
  <cronExpression>
    <cronExpression>* 0/5 * * * ?</cronExpression>
    <days>0</days>
    <hours>0</hours>
    <minutes>0</minutes>
    <seconds>0</seconds>
  </cronExpression>
  <ldapConfig>
    <createdBy>superadmin@sdp.com</createdBy>
    <createdOn>2015-02-06T14:56:38.116+05:30</createdOn>
    <id>3500000</id>
    <updatedBy>exchange@sdp.com</updatedBy>
    <updatedOn>2015-02-11T15:39:43.099+05:30</updatedOn>
    <accountTypeId>101</accountTypeId>
    <attributeMappings>
      <attributeMapEntries>
        <createdBy>superadmin@sdp.com</createdBy>
        <createdOn>2015-02-06T14:56:38.152+05:30</createdOn>
        <id>500000</id>
        <updatedBy>exchange@sdp.com</updatedBy>
        <updatedOn>2015-02-11T15:13:21.185+05:30</updatedOn>
        <accountAttributeDefinitionId>0</accountAttributeDefinitionId>
        <custom>false</custom>
        <logicalAttributeName>ATTRIBUTE_USER_NAME</logicalAttributeName>
        <mandatory>false</mandatory>
        <objectClass>person</objectClass>
        <physicalAttributeName>cn</physicalAttributeName>
      </attributeMapEntries>
      <attributeMapEntries>
        <createdBy>superadmin@sdp.com</createdBy>
        <createdOn>2015-02-06T14:56:38.159+05:30</createdOn>
        <id>500001</id>
        <updatedBy>exchange@sdp.com</updatedBy>
        <updatedOn>2015-02-11T15:13:21.185+05:30</updatedOn>
        <accountAttributeDefinitionId>0</accountAttributeDefinitionId>
        <custom>false</custom>
        <logicalAttributeName>ATTRIBUTE_FIRST_NAME</logicalAttributeName>
        <mandatory>false</mandatory>
        <objectClass>person</objectClass>
        <physicalAttributeName>sn</physicalAttributeName>
      </attributeMapEntries>
      <attributeMapEntries>
        <createdBy>superadmin@sdp.com</createdBy>
        <createdOn>2015-02-06T14:56:38.166+05:30</createdOn>
        <id>500002</id>
        <updatedBy>exchange@sdp.com</updatedBy>
        <updatedOn>2015-02-11T15:13:21.185+05:30</updatedOn>
        <accountAttributeDefinitionId>0</accountAttributeDefinitionId>
        <custom>false</custom>
        <logicalAttributeName>ATTRIBUTE_PHONENUMBER</logicalAttributeName>
        <mandatory>false</mandatory>
        <objectClass>person</objectClass>
        <physicalAttributeName>telephoneNumber</physicalAttributeName>
      </attributeMapEntries>
    </attributeMappings>
    <authnSearchFilter>cn={username}</authnSearchFilter>
    <baseDN>dc=scc,dc=com</baseDN>
    <bindAdminDN>cn=Directory manager</bindAdminDN>
    <bindPassword>********</bindPassword>
    <ignoreReferral>true</ignoreReferral>
    <ldapURL>ldap://10.127.152.148:389</ldapURL>
    <objectClassString></objectClassString>
    <objectClasses></objectClasses>
    <userDNTemplate>cn={cn}</userDNTemplate>
    <writable>false</writable>
  </ldapConfig>
  <maxRecordsToFetch>0</maxRecordsToFetch>
  <ownerId>1011</ownerId>
  <syncEnabled>true</syncEnabled>
</ldapAccountSyncConfig>

Note: don't reuse the payload above; always get the current configuration from the REST GET call.
You can modify the LDAP configuration by sending a POST request with the payload in the POST body.

For example, to assign a group, specify the group id in the XML payload (this option is not available in the UI).
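An added example for the REST section, not SDP code: it parses the ldapAccountSyncConfig XML the GET call returns (an abridged copy of the sample above is embedded), lints the two settings a practitioner should check before the cron job fires (a plain ldap:// URL sends the bind DN and password in cleartext, and a User Name mapping that is not an email-style attribute violates the email-format rule from the first section), and builds the POST payload for the "run it in 2-3 minutes" test by replacing only the cron expression. The Basic-auth encoding of the superadmin header, the Quartz-style cron layout with a trailing year field, and the attribute names treated as email-like are assumptions; the endpoint path is not on the page, so the send helper takes the full URL.

```python
"""Added example (not SDP code): read the ldapAccountSyncConfig XML that the
GET call returns, lint the settings that matter before enabling the sync, and
build the POST payload that changes the schedule."""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Abridged copy of the page's sample GET response (audit fields dropped,
# password already masked by the server).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ldapAccountSyncConfig xmlns:ns2="http://sdp.cisco.com/core/ldap/config">
  <id>10000</id>
  <cronExpression><cronExpression>* 0/5 * * * ?</cronExpression></cronExpression>
  <ldapConfig>
    <accountTypeId>101</accountTypeId>
    <attributeMappings>
      <attributeMapEntries><logicalAttributeName>ATTRIBUTE_USER_NAME</logicalAttributeName><objectClass>person</objectClass><physicalAttributeName>cn</physicalAttributeName></attributeMapEntries>
      <attributeMapEntries><logicalAttributeName>ATTRIBUTE_FIRST_NAME</logicalAttributeName><objectClass>person</objectClass><physicalAttributeName>sn</physicalAttributeName></attributeMapEntries>
      <attributeMapEntries><logicalAttributeName>ATTRIBUTE_PHONENUMBER</logicalAttributeName><objectClass>person</objectClass><physicalAttributeName>telephoneNumber</physicalAttributeName></attributeMapEntries>
    </attributeMappings>
    <baseDN>dc=scc,dc=com</baseDN>
    <bindAdminDN>cn=Directory manager</bindAdminDN>
    <bindPassword>********</bindPassword>
    <ldapURL>ldap://10.127.152.148:389</ldapURL>
    <writable>false</writable>
  </ldapConfig>
  <syncEnabled>true</syncEnabled>
</ldapAccountSyncConfig>
"""
SERVER_NOW = datetime(2015, 2, 11, 15, 39, 43)   # stand-in for the JBoss log clock
EMAIL_ATTRS = {"userprincipalname", "mail"}     # attributes that normally hold an address (assumption)


def parse_config(xml_text):
    root = ET.fromstring(xml_text)
    ldap = root.find("ldapConfig")
    return {
        "cron": root.findtext("cronExpression/cronExpression"),
        "ldap_url": ldap.findtext("ldapURL"),
        "bind_dn": ldap.findtext("bindAdminDN"),
        "sync_enabled": root.findtext("syncEnabled") == "true",
        "mappings": {m.findtext("logicalAttributeName"): m.findtext("physicalAttributeName") or ""
                     for m in ldap.iter("attributeMapEntries")},
    }


def lint_config(cfg):
    """The checks a practitioner wants before the cron job fires."""
    problems = []
    if not cfg["ldap_url"].lower().startswith("ldaps://"):
        problems.append("ldapURL is plain ldap://, not ldaps://: bind DN and password cross the network in cleartext")
    user_attr = cfg["mappings"].get("ATTRIBUTE_USER_NAME", "")
    if user_attr.lower() not in EMAIL_ATTRS:
        problems.append(f"ATTRIBUTE_USER_NAME maps to '{user_attr}', which rarely holds an email address; SDP only accepts email-format usernames")
    for logical, physical in cfg["mappings"].items():
        if not physical:
            problems.append(f"{logical} has no physical attribute (all mapping fields are mandatory)")
    return problems


def one_shot_cron(now=None, minutes_ahead=3):
    """Quartz-style 'sec min hour day month ? year' expression that fires once,
    a few minutes after the server clock, for a sync-now test (assumes the
    scheduler accepts the optional year field)."""
    t = (now or datetime.now()) + timedelta(minutes=minutes_ahead)
    return f"{t.second} {t.minute} {t.hour} {t.day} {t.month} ? {t.year}"


def with_cron(xml_text, cron_expr):
    """POST payload = the GET response with only the schedule changed. ElementTree
    drops the unused ns2 prefix declaration; nothing in the payload refers to it."""
    root = ET.fromstring(xml_text)
    root.find("cronExpression/cronExpression").text = cron_expr
    return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' + ET.tostring(root, encoding="unicode")


def send(url, method, payload=None, user="superadmin@sdp.com", password="superadmin"):
    """GET or POST with the headers the page names (assumes HTTP Basic auth; the
    endpoint path is not on the page, so pass the full URL)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=payload.encode() if payload else None, method=method,
                                 headers={"Authorization": f"Basic {token}", "Content-Type": "application/xml"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_XML)
    for p in lint_config(cfg):
        print("WARN:", p)
    print(with_cron(SAMPLE_XML, one_shot_cron(SERVER_NOW)))
```

Against the sample above, the lint reports both the cleartext ldap:// URL and the User Name mapping to cn. Feed with_cron the live GET response rather than the sample, as the note above says, so fields the UI manages (ids, ownerId, the group id you may have added) go back unchanged.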

3. You messed up

After the LDAP sync you realize that you messed up, and the accounts are already created.
Deleting all the accounts is one option.
Here is the back-end procedure to do that.
Delete the entries from the SDP account related tables (children first):
smartspace_29389=# delete from sdp_account_attr where sdp_account_attr_set_id in
(select sdp_account_attr_set_id from sdp_account_attr_set where sdp_account_id in
(select sdp_account_id from sdp_account where created_by ='CUSDP_INTERNAL_USER'));
DELETE <N>
smartspace_29389=# delete from sdp_account_attr_set where sdp_account_id in (select
sdp_account_id from sdp_account where created_by ='CUSDP_INTERNAL_USER');
DELETE <N>
smartspace_29389=# delete from sdp_account where sdp_account_id in (select
sdp_account_id from sdp_account where created_by ='CUSDP_INTERNAL_USER');
DELETE <N>
Delete the entries from the SSP_USER table:
smartspace_29389=# delete from ssp_user where
updated_by='CUSDP_INTERNAL_USER' and user_id >= 500000;
DELETE <N>
Note: make sure you are not deleting CUSDP_INTERNAL_USER itself :-)
Reset the sync change identifier:
smartspace_29389=# update sdp_ldap_sync_params set
highest_changed_identifier='1';
UPDATE 1
Delete the temporary sync data:
smartspace_29389=# delete from sdp_temp_sync_data;
DELETE 15737
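The undo procedure above, as an added example that is not SDP code: the same six statements run inside one transaction against an in-memory SQLite stand-in for the PostgreSQL tables, with foreign keys switched on so the child-first order is enforced rather than just recommended, and with the page's "don't delete CUSDP_INTERNAL_USER" warning turned into a check that rolls everything back if the internal user's own row is gone at the end. The table shapes, the user_name column used to identify the internal user, and the seeded rows are assumptions; the statement text and the 500000 id boundary are the page's.

```python
"""Added example (not SDP code): the page's undo procedure run as one
transaction against an in-memory SQLite stand-in for the PostgreSQL tables,
with a guard that rolls everything back if the internal user's own row would
go with the synced ones."""
import sqlite3

INTERNAL = "CUSDP_INTERNAL_USER"

# Assumed minimal shapes, not the real SDP DDL: only the columns the cleanup
# touches, plus the FK chain attr -> attr_set -> account that fixes the order.
SCHEMA = """
CREATE TABLE ssp_user (user_id INTEGER PRIMARY KEY, user_name TEXT, updated_by TEXT);
CREATE TABLE sdp_account (sdp_account_id INTEGER PRIMARY KEY, created_by TEXT);
CREATE TABLE sdp_account_attr_set (sdp_account_attr_set_id INTEGER PRIMARY KEY,
    sdp_account_id INTEGER NOT NULL REFERENCES sdp_account);
CREATE TABLE sdp_account_attr (sdp_account_attr_id INTEGER PRIMARY KEY,
    sdp_account_attr_set_id INTEGER NOT NULL REFERENCES sdp_account_attr_set);
CREATE TABLE sdp_ldap_sync_params (highest_changed_identifier TEXT);
CREATE TABLE sdp_temp_sync_data (dn TEXT);
"""

# The page's statements, children first so the FK chain never blocks a delete.
CLEANUP = [
    ("sdp_account_attr", f"""DELETE FROM sdp_account_attr WHERE sdp_account_attr_set_id IN
        (SELECT sdp_account_attr_set_id FROM sdp_account_attr_set WHERE sdp_account_id IN
            (SELECT sdp_account_id FROM sdp_account WHERE created_by = '{INTERNAL}'))"""),
    ("sdp_account_attr_set", f"""DELETE FROM sdp_account_attr_set WHERE sdp_account_id IN
        (SELECT sdp_account_id FROM sdp_account WHERE created_by = '{INTERNAL}')"""),
    ("sdp_account", f"DELETE FROM sdp_account WHERE created_by = '{INTERNAL}'"),
    ("ssp_user", f"DELETE FROM ssp_user WHERE updated_by = '{INTERNAL}' AND user_id >= 500000"),
    ("sdp_ldap_sync_params", "UPDATE sdp_ldap_sync_params SET highest_changed_identifier = '1'"),
    ("sdp_temp_sync_data", "DELETE FROM sdp_temp_sync_data"),
]
TABLES = [name for name, _ in CLEANUP]


def fresh_db(n_synced=3, internal_user_id=1, internal_updated_by="superadmin@sdp.com"):
    """Constructed data: the internal user plus n accounts a sync created."""
    conn = sqlite3.connect(":memory:", isolation_level=None)   # explicit BEGIN/COMMIT below
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO ssp_user VALUES (?, ?, ?)", (internal_user_id, INTERNAL, internal_updated_by))
    conn.execute("INSERT INTO sdp_ldap_sync_params VALUES ('734512')")
    for i in range(n_synced):
        uid = 500000 + i
        conn.execute("INSERT INTO ssp_user VALUES (?, ?, ?)", (uid, f"user{i}@nb.com", INTERNAL))
        conn.execute("INSERT INTO sdp_account VALUES (?, ?)", (uid, INTERNAL))
        conn.execute("INSERT INTO sdp_account_attr_set VALUES (?, ?)", (uid, uid))
        conn.execute("INSERT INTO sdp_account_attr VALUES (?, ?)", (uid, uid))
        conn.execute("INSERT INTO sdp_temp_sync_data VALUES (?)", (f"cn=user{i},dc=nb,dc=com",))
    return conn


def row_counts(conn):
    return {t: conn.execute(f"SELECT count(*) FROM {t}").fetchone()[0] for t in TABLES}


def undo_sync(conn):
    """Run the cleanup in one transaction and return the affected-row counts
    (psql's 'DELETE <N>') plus whether it was committed. The page's warning
    about the internal user is enforced rather than eyeballed: if its row is
    gone at the end, nothing is kept."""
    conn.execute("BEGIN")
    counts = {}
    for table, sql in CLEANUP:
        counts[table] = conn.execute(sql).rowcount
    survivors = conn.execute("SELECT count(*) FROM ssp_user WHERE user_name = ?", (INTERNAL,)).fetchone()[0]
    if survivors == 1:
        conn.execute("COMMIT")
        counts["committed"] = True
    else:
        conn.execute("ROLLBACK")
        counts["committed"] = False
    return counts


if __name__ == "__main__":
    db = fresh_db()
    print(undo_sync(db))
    print(row_counts(db))
```

On the real database the same idea applies directly: wrap the six statements in BEGIN/COMMIT, compare the DELETE counts with what you expect from the sync log, and ROLLBACK if the internal user is missing or the numbers look wrong, rather than discovering it after autocommit has already made each delete final.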
