omldapsync import trouble

Posted: Tue Jan 23, 2007 6:43 am
by andreezer
Greetings.

I am doing a synchronization between Scalix and an AD 2000 domain controller containing about 1700 users and 200 groups. After creating the sync agreement and testing to see if it would import correctly, I added another user to AD to be imported.
However, the import failed with:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
        <scalix-caa:CAARequestMessage xmlns:scalix-caa="http://www.scalix.com/caa">
            <ServiceType>scalix.res</ServiceType>
            <Credentials id="12345">
                <Identity name="sxadmin" passwd="xxxxxxxx"/>
            </Credentials>
            <FunctionName>AddUser</FunctionName>
            <ScalixServers>
                <Host>sca1.nc.com</Host>
            </ScalixServers>
            <AddUserParameters>
                <user type="INTERNET"/>
                <mailNode name="internet,tnef"/>
                <userAttributes>
                    <entity name="UL-AUTHID" value="website"/>
                    <entity name="CN" value="website"/>
                    <entity name="INTERNET-ADDR" value="website@networkcontacto.com"/>
                    <entity name="FOREIGN-ADDR" value="CN=website,CN=Users,DC=nc,DC=com"/>
                    <entity name="GLOBAL-UNIQUE-ID" value="OgQoOiRZgEKW+twleuaKEw=="/>
                    <entity name="userPrincipalName" value="website@nc.com"/>
                    <entity name="ADMINISTERED-BY" value="ldapsync-AD"/>
                </userAttributes>
            </AddUserParameters>
        </scalix-caa:CAARequestMessage>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
>>>>>>>>SOAP Response
SOAP part:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
        <SOAP-ENV:Fault>
            <faultcode>SOAP-ENV:Server</faultcode>
            <faultstring>CAA Service Error</faultstring>
            <detail>
                <scalix-caa:fault-details xmlns:scalix-caa="http://www.scalix.com/caa">
                    <message>Malformed userAttributes element. It must have at least 'G' or 'S' or 'I' elements</message>
                    <errorcode>UM-1012</errorcode>
                </scalix-caa:fault-details>
            </detail>
        </SOAP-ENV:Fault>


I added a surname to the user details and retried the omldapsync -u.
Then I started getting the error:



Code:

2007-01-22 18:13:28 STATUS: apply modify data against Scalix ...
Enter CAA Password: --------> Sending SOAP Request to Ubermanager@http://sca1.nc.com/caa/ for method:ModifyUser
--------> Received SOAP Response from Ubermanager@http://sca1.nc.com/caa/
error: Response contains failure report
>>>>>>>>SOAP Request
SOAP part:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
        <scalix-caa:CAARequestMessage xmlns:scalix-caa="http://www.scalix.com/caa">
            <ServiceType>scalix.res</ServiceType>
            <Credentials id="12345">
                <Identity name="sxadmin" passwd="xxxxxxxx"/>
            </Credentials>
            <FunctionName>ModifyUser</FunctionName>
            <ModifyUserParameters id="OgQoOiRZgEKW+twleuaKEw==">
                <user type="INTERNET"/>
                <mailNode name="internet,tnef"/>
                <userAttributes>
                    <entity name="ADMINISTERED-BY" value="ldapsync-AD"/>
                    <entity name="CN" value="website"/>
                    <entity name="FOREIGN-ADDR" value="CN=website,CN=Users,DC=nc,DC=com"/>
                    <entity name="G" value="website"/>
                    <entity name="GLOBAL-UNIQUE-ID" value="OgQoOiRZgEKW+twleuaKEw=="/>
                    <entity name="INTERNET-ADDR" value="website@networkcontacto.com"/>
                    <entity name="S" value="networkcontacto"/>
                    <entity name="UL-AUTHID" value="website"/>
                    <entity name="userPrincipalName" value="website@nc.com"/>
                </userAttributes>
            </ModifyUserParameters>
        </scalix-caa:CAARequestMessage>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
>>>>>>>>SOAP Response
SOAP part:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
        <SOAP-ENV:Fault>
            <faultcode>SOAP-ENV:Server</faultcode>
            <faultstring>CAA Service Error</faultstring>
            <detail>
                <scalix-caa:fault-details xmlns:scalix-caa="http://www.scalix.com/caa">
                    <message>Failed to locate or retrieve information in LDAP for id OgQoOiRZgEKW+twleuaKEw==</message>
                    <errorcode>UM-1015</errorcode>
                </scalix-caa:fault-details>
            </detail>
        </SOAP-ENV:Fault>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>


The trouble here seems to be that the user with ID OgQoOiRZgEKW+twleuaKEw== is not found in the Scalix directory because it was never added in the first place.

Then I did an omldapsync -i AD and chose the "4. accept previous error and update" option. But now, whenever I run omldapsync -u AD, it never detects that account for import.

I am running Scalix 11 Enterprise on RHEL4 ES.
I read somewhere that I would need to do an omldapsync -L AD to force a (re)load of the entire directory.

I was wondering if there is no better option, since that operation can easily take hours.
How could I make omldapsync recognize this user entry?

My sync.cfg is:

Code:

##################################################################
#
# Scalix LDAP Directory Synchronization configuration
# NOTE: this file must be edited with care before use
# Interactively editable fields are controlled by the following:
EDIT_PROMPT=JAVA_HOME EX_HOST EX_LOGON EX_PASS IM_HOST IM_CAA_URL IM_CAA_KEYSTORE IM_CAA_NAME IM_CAA_PASS EX_BASE1 EX_BASE2 EX_BASE3 IM_OMADDRESS
# Sync agreement type - see omldapsync man page
TYPE_ID=11
# Sync agreement id - set by argument
SYNC_ID=AD
# NEXT_SYNCID: next sync agreement id to be executed after current
# agreement has completed, e.g. user sync followed by group sync
NEXT_SYNCID=
# JAVA_HOME: home directory of java installation
# e.g. "/usr/java/j2sdk1.4.2_02"
JAVA_HOME=/usr/java/jdk
# The class path required by omldapagent java application (under
# /opt/scalix/svr/java/bin) is setup automatically by omldapsync to
# access dependent java libraries (under /opt/scalix/svr/java/lib)
##################################################################
#
# PART 1 General Configuration
##################################################################
# This section covers the settings required for tools to access
# both the remote and local systems for import or export.
# The general format is one or more line of <tag>=<value>
# Line starts with '#' is treated as comment
# When edited using omldaputil, do one of the followings:
#   -presss <enter> to accept the default offered inside []
#   -type in alternative <value> and press <enter>
#   -do not quote the value with "" or ''
#
# PART 1.1 for IMPORT - remote host
##########################################
# EX_HOST: remote LDAP directory server name or IP address
# e.g. "remote_server.your_domain.com" or "192.168.1.216"
EX_HOST=rclispt01.nc.com
# EX_PORT: LDAP server port number
# e.g. "389" is normally used
EX_PORT=389
# EX_LOGON: user that can search/delete/add/modify directory
# your adminstrator or migration account is often used
# e.g. "cn=Export Admin,cn=users,dc=your_org,dc=com"
EX_LOGON=cn=******
# EX_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
EX_PASS=******
#
# PART 1.2 for IMPORT - local host
#########################################
# IM_HOST: local Scalix directory server name
# must specify FQDN where internet and user group will be imported
# e.g. "local_server.your_domain.com"
IM_HOST=sca1.nc.com
# IM_CAA_URL: Scalix CAA service url - must end with "/"
# e.g. "http://local_server.your_domain.com:8080/caa/"
IM_CAA_URL=http://sca1.nc.com/caa/
# IM_CAA_KEYSTORE: Scalix CAA service keystore for HTTPS only
# e.g "/var/opt/scalix/ldapsync/keystore"
IM_CAA_KEYSTORE=
# IM_CAA_ID: service login session-id
# e.g. "12345"
IM_CAA_ID=12345
# IM_CAA_NAME: service login auth-id, must have Scalix admin capability
# e.g. "user_name@your_domain.com"
IM_CAA_NAME=sxadmin
# IM_CAA_PASS: service login password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
IM_CAA_PASS=*****
# IM_DELETE_MAILBOX: whether sync of mailbox delete will be applied to Scalix
# NOTE: set to "FALSE" to keep the mailbox and handle the deletion manually
IM_DELETE_MAILBOX=TRUE
# IM_FAIL2WARN_OPCODES: space separated list of opcodes that will be changed
# from failure to warning, a way to auto ignore certain type of error
# opcodes for add/modify/delete users=1/4/7 and groups=2/5/8
# opcodes for add/modify/delete members=3/3/9 and limits=12/12/-
# NOTE: should use a whole set, e.g. "3 9" to auto ignore all members error
IM_FAIL2WARN_OPCODES=
#
# PART 1.3 for IMPORT - ldap parameters
#######################################
# EX_SCALIX_ATTRS: list of resersed Scalix attributes in external directory
# to administer Scalix user/group from this remote master source
# e.g. "EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG ..."
EX_SCALIX_ATTRS=SCALIXHIDEUSERENTRY SCALIXMAILBOXCLASS SCALIXLIMITMAILBOXSIZE SCALIXLIMITOUTBOUNDMAIL SCALIXLIMITINBOUNDMAIL SCALIXLIMITNOTIFYUSER EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG EX_SCALIX_ADMIN EX_SCALIX_MBOXADMIN
# SCALIXHIDEUSERENTRY: name of attribute to specify whether the user entry
# should be hidden from Outlook address book
# e.g. "scalixHideUserEntry"
SCALIXHIDEUSERENTRY=scalixHideUserEntry
# SCALIXMAILBOXCLASS: name of attribute to specify whether the mailbox class
# should have full or limited features
# e.g. "scalixMailboxClass"
SCALIXMAILBOXCLASS=scalixMailboxClass
# SCALIXLIMITMAILBOXSIZE: name of attribute to specify whether Scalix limit
# on mailbox size is required, must use a numerical value >= zero
# e.g. "scalixLimitMailboxSize"
SCALIXLIMITMAILBOXSIZE=scalixLimitMailboxSize
# SCALIXLIMITOUTBOUNDMAIL: name of attribute to specify whether Scalix limit
# on outbound mail is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitOutboundMail"
SCALIXLIMITOUTBOUNDMAIL=scalixLimitOutboundMail
# SCALIXLIMITINBOUNDMAIL: name of attribute to specify whether Scalix limit
# on inbound mail is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitInboundMail"
SCALIXLIMITINBOUNDMAIL=scalixLimitInboundMail
# SCALIXLIMITNOTIFYUSER: name of attribute to specify whether Scalix limit
# on notify user is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitNotifyUser"
SCALIXLIMITNOTIFYUSER=scalixLimitNotifyUser
# EX_SCALIX_MAILBOX: name of attribute to specify whether Scalix mailbox
# is required, yes if value is set to "true" or "scalix"
# e.g. "scalixScalixObject"
EX_SCALIX_MAILBOX=scalixScalixObject
# EX_SCALIX_MAILNODE: name of attribute to specify which Scalix mailnode
# to add the mailbox, must use "<ou1>,<ou2>,<ou3>,<ou4>" format
# e.g. "scalixMailnode"
EX_SCALIX_MAILNODE=scalixMailnode
# EX_SCALIX_MSGLANG: name of attribute to specify which Scalix message
# catalog language to use for client, default to "C" if not set
# e.g. "scalixServerLanguage"
EX_SCALIX_MSGLANG=scalixServerLanguage
# EX_SCALIX_ADMIN: name of attribute to specify whether to give the user
# Scalix admin capability, yes if value is set to "true"
# e.g. "scalixAdministrator"
EX_SCALIX_ADMIN=scalixAdministrator
# EX_SCALIX_MBOXADMIN: name of attribute to specify whether to give the user
# Scalix mailbox-admin capability, yes if value is set to "true"
# e.g. "scalixMailboxAdministrator"
EX_SCALIX_MBOXADMIN=scalixMailboxAdministrator
# EX_ATTR: attributes to extract from remote system for import
# e.g. "objectclass displayName sn givenname initials mail proxyAddresses mailNickname <etc>"
EX_ATTR=scalixHideUserEntry scalixMailboxClass scalixLimitMailboxSize scalixLimitOutboundMail scalixLimitInboundMail scalixLimitNotifyUser scalixScalixObject scalixMailnode scalixServerLanguage scalixAdministrator scalixMailboxAdministrator userAccountControl member distinguishedName userPrincipalName objectclass name displayName sn givenname initials mail scalixEmailAddress mailNickname objectGUID textEncodedORaddress facsimileTelephoneNumber homephone streetAddress st telephoneNumber title c company department description l mobile pager physicalDeliveryOfficeName postalCode secretary cn
# EX_BASEn: search base(s) to extract entries from remote system
# specify a container name and its full LDAP suffix
# e.g. "cn=users,dc=your_org,dc=com"
EX_BASE1=cn=users,dc=nc,dc=com
EX_BASE2=
EX_BASE3=
EX_BASE4=
EX_BASE5=
EX_BASE6=
EX_BASE7=
EX_BASE8=
EX_BASE9=
# NOTE: extra EX_BASE10 upto EX_BASE200 can be defined here
# EX_FILTER: search filter to include/exclude entries to import
# e.g. "(&(cn=*)(mail=*))" for any cn AND mail
#EX_FILTER=(&(cn=*)(scalixScalixObject=TRUE))
EX_FILTER=(&(cn=*)(mail=*)(!(objectClass=group)))
#EX_FILTER=(|(memberOf=CN=Test Group,CN=Users,DC=nc,DC=com)(cn=Test Group))
#EX_FILTER=(|(cn=op020801031)(cn=op04000*)(op=020801031)(cn=op070001573)(cn=op070001572)(cn=op090001569)(cn=op090001570)(cn=Test*))
#EX_FILTER=(|(cn=op020700881))
# IM_OMADDRESS: Scalix address where where entries are imported
# NOTE: this is a route which you configure for coexistence
# e.g. "/internet,tnef" or "internet,tnef"
IM_OMADDRESS=/internet,tnef
# EX_GUID: the remote tag name for extracting Foreign GUID
# e.g. "objectGUID"
EX_GUID=objectGUID
# LDAPCT_BIN_ATT: must set value to EX_GUID if it is a binary attribute
# e.g. "objectGUID"
LDAPCT_BIN_ATT=objectGUID
# EX_PAGESIZE: use pagesize control extension to overcome search limit
# e.g. "100"
EX_PAGESIZE=1000
# EX_SCOPE: use one of sub, one, base to control search scope
# e.g. "sub"
#EX_SCOPE=sub
#
# PART 1.4 for EXPORT - ldap parameters
#######################################
# NOTE: export is not supported for this agreement type
#
# PART 2 Mapping Configuration
#################################################################
# WARNING: refer to documentation before editing the tables.
# This section defines the mappings required in order to map data
# between the remote and local LDAP systems for import or export.
# The general format is <lines of value> enclosed by markers.
# When edited using omldaputil, do one of the followings:
#   -presss <enter> to accept the default offered inside []
#   -type in alternative value and press <enter>
#   -type in '-' to remove the line offered
#   -type in '+<value> to insert it before current line
# For more details on all mapping rules see omldaputil man page.
#
# PART 2.1 for IMPORT - mapping table
#####################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in IM_MV_ATTR, only keep first instances
#####################################
# primary mapping table
IM_MAPPING_TABLE=
# tag the entry using sync agreement name
|ADMINISTERED-BY|*|ldapsync-AD
# scalix reserved attributes
scalixHideUserEntry|EX-CDA-DIRECTORY|TRUE|1
scalixHideUserEntry|EX-CDA-DIRECTORY|FALSE|
# real classes full and limited are mapped as-is
# pseudo-class internet indicates "internet user"/contact type entry
scalixMailboxClass|UL-CLASS|FULL|*
scalixMailboxClass|UL-CLASS|LIMITED|*
scalixMailboxClass|UL-CLASS|INTERNET|
# for mailbox classes full and limited, set omMailbox to TRUE, false otherwise
scalixMailboxClass|omMailbox|FULL|TRUE
scalixMailboxClass|omMailbox|LIMITED|TRUE
scalixMailboxClass|omMailbox|INTERNET|FALSE
# ignore other values
scalixMailboxClass||*|
# Advanced Attributes
scalixLimitMailboxSize|scalixLimitMailboxSize|*|*
scalixLimitOutboundMail|scalixLimitOutboundMail|*|*
scalixLimitInboundMail|scalixLimitInboundMail|*|*
scalixLimitNotifyUser|scalixLimitNotifyUser|*|*
scalixMailnode|omMailnode|*|*
scalixServerLanguage|UL-IL|*|*
scalixAdministrator|ADMIN|*|*
scalixMailboxAdministrator|MBOXADMIN|*|*
# mailbox locking
userAccountControl|ACCOUNT_STATUS|*,1,10!FLAGUNSET=2|unlock
userAccountControl|ACCOUNT_STATUS|*,1,10!FLAGISSET=2|lock
# scalix object classes
objectClass|*|group|distributionList
objectClass|*|organizationalPerson|*
objectClass||*|#ignore others
# distinguished name
dn|*|*|*
# global unique id
objectGUID|GLOBAL-UNIQUE-ID|*|*
# common name
name|CN|*,1,64!ISMISSING=displayname|*
name||*|#suppress it otherwise
displayName|CN|*,1,64|*
# initial
initials|I|*,1,5|*
# surname
sn|S|*,1,40|*
# extract surname substitute if real is missing
textEncodedORaddress|S|*|!CUSTOM=EX_TEXT_EOA_TO_SN
# givenname if surname is present
givenName|G|*,1,16!ISPRESENT=surname|*
givenName||*|#suppress it otherwise
# primary internet address for non-scalix user
mail|INTERNET-ADDR|*,1,512!ISMISSING=scalixemailaddress|!CUSTOM=TX_IA_TO_QP_IA
mail||*|#suppress it otherwise
# all internet addresses for scalix user
scalixEmailAddress|INTERNET-ADDR|*,1,512|!CUSTOM=TX_IA_TO_QP_IA
# map to alias
mailNickname|ALIAS|*,1,16|*
# the DN of the entry
distinguishedName|FOREIGN-ADDR|*,1,512|*
# the DN of the group member
member|omMemberForeignAddr|*|*
# authentication id - note down/up shift the name/realm for SSO
#userPrincipalName|UL-AUTHID|*,1,256|!CUSTOM=TO_CANONICAL_PRINCIPAL
cn|UL-AUTHID|*,1,256|!CUSTOM=TO_CANONICAL_PRINCIPAL
# informational attributes
facsimileTelephoneNumber|FAX|*,1,32|!CUSTOM=TO_PS_STR
homephone|HOME-PHONE|*,1,32|!CUSTOM=TO_PS_STR
streetAddress|STREET-ADDRESS|*,1,128|!REPLACE=\015\012|\012
st|STATE-OR-PROVINCE|*,1,128|*
telephoneNumber|PHONE-1|*,1,32|!CUSTOM=TO_PS_STR
title|TITLE|*,1,128|*
c|CNTRY|*,1,2|*
company|EMPL-ORG|*,1,64|*
department|EMPL-DEPT|*,1,32|*
description|ENTRY-DESC|*,1,1024|!REPLACE=\015\012|\012
l|L|*,1,128|*
mobile|MOBILE-PHONE|*,1,32|!CUSTOM=TO_PS_STR
pager|PAGER-PHONE|*,1,32|!CUSTOM=TO_PS_STR
physicalDeliveryOfficeName|PD-OFFICE-NAME|*,1,128|*
postalCode|POSTAL-CODE|*,1,40|*
secretary|ASSISTANT-PHONE|*,1,32|!CUSTOM=TO_PS_STR
#Telephone-Office2|PHONE-2|*,1,32|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#IM_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# PART 2.2 for EXPORT - mapping tables
######################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in EX_MV_ATTR, only keep first instances
#####################################
# primary mapping table
EX_MAPPING_TABLE=
*|*|*|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#EX_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# END
#################################################################
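
Added example, not part of the original post and not Scalix code: a check that reads an omldapsync debug log like the captures above and lists AddUser requests carrying none of the G, S or I entities that the UM-1012 fault text asks for. The sample log is constructed from the post's two requests, trimmed; the function names and the assumption that the rule applies to AddUser only (the one case the post shows) are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

CAA_NS = "http://www.scalix.com/caa"
NAME_PARTS = {"G", "S", "I"}  # the UM-1012 fault text requires at least one

# Constructed sample: the post's two requests, trimmed, plus a truncated fault.
SAMPLE_LOG = """\
>>>>>>>>SOAP Request
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<scalix-caa:CAARequestMessage xmlns:scalix-caa="http://www.scalix.com/caa">
  <FunctionName>AddUser</FunctionName>
  <AddUserParameters><userAttributes>
    <entity name="CN" value="website"/>
    <entity name="UL-AUTHID" value="website"/>
  </userAttributes></AddUserParameters>
</scalix-caa:CAARequestMessage>
</SOAP-ENV:Body></SOAP-ENV:Envelope>
>>>>>>>>SOAP Response
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<SOAP-ENV:Fault><faultstring>CAA Service Error</faultstring>
>>>>>>>>SOAP Request
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<scalix-caa:CAARequestMessage xmlns:scalix-caa="http://www.scalix.com/caa">
  <FunctionName>ModifyUser</FunctionName>
  <ModifyUserParameters id="OgQoOiRZgEKW+twleuaKEw=="><userAttributes>
    <entity name="CN" value="website"/>
    <entity name="G" value="website"/>
    <entity name="S" value="networkcontacto"/>
  </userAttributes></ModifyUserParameters>
</scalix-caa:CAARequestMessage>
</SOAP-ENV:Body></SOAP-ENV:Envelope>
"""

# One complete envelope; the lookahead stops a match from running through a
# truncated envelope (like the first fault in the post) into the next one.
ENVELOPE = re.compile(
    r"<SOAP-ENV:Envelope\b(?:(?!<SOAP-ENV:Envelope\b).)*?</SOAP-ENV:Envelope>", re.S)

def requests_in(log_text):
    """Return (function, CN, name parts present) for each CAA request in the log."""
    found = []
    for xml_text in ENVELOPE.findall(log_text):
        msg = ET.fromstring(xml_text).find(f".//{{{CAA_NS}}}CAARequestMessage")
        if msg is None:  # a response or fault envelope, not a request
            continue
        attrs = {e.get("name"): e.get("value") for e in msg.iter("entity")}
        found.append((msg.findtext("FunctionName"), attrs.get("CN"),
                      sorted(NAME_PARTS & attrs.keys())))
    return found

def adds_without_name_part(log_text):
    """CNs of AddUser requests that carry none of G, S, I."""
    return [cn for fn, cn, parts in requests_in(log_text)
            if fn == "AddUser" and not parts]

if __name__ == "__main__":
    for fn, cn, parts in requests_in(SAMPLE_LOG):
        print(f"{fn:<11} CN={cn} name parts: {parts or 'none'}")
    print("AddUser without G/S/I:", adds_without_name_part(SAMPLE_LOG))
```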