Re: Synchronize only attributes you want ADAMSync
- From: Enrico <nricko@xxxxxxxxx>
- Date: Wed, 01 Aug 2007 15:09:40 -0000
On Jul 31, 6:35 pm, "Lee Flight" <l...@xxxxxxxxxxxxxxx> wrote:
Hi
"Enrico" <nri...@xxxxxxxxx> wrote in message
news:1185912413.751367.104430@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Lee,
[1] Regarding your [1] answer, how could I shrink the ADAM default
schema to be only the user and Organizational-Unit classes (plus
dependencies) if the adam default schema already has classes/
attributes created before I do any sort of schema updates?
Apologies that was a very bad typo on my part it should have said "cannot
have
a smaller schema than the default"
[3]I included the NT-Security-Descriptor, Object-Category,
Organizational-Unit-Name and Common-Name attributes as they were
listed as mandory attributes of the Organization-Unit and user classes
on the Microsoft class definition site. Removing these as well as the
Instance-Type, Object-Class,Object-Sid, SAM-Account-Name from the
configuration seems not to cause any major issues, as some of their
attributes still sync their values into my ADAM schema, even though
they are not specified in the Sync file. I also noticed that some
attributes such as canonicalName and structuralObjectClass attribute
values are also syncronizing.
I would:
[1]install a clean ADAM instance
[2]full import of your AD schema into ADAM via ADSchemaAnalyzer
[3]import ms-adamsyncmetadata.ldf into ADAM
[4]use include elements to specify *just* the attributes you want
in your XML config, keep the rest of the config as before
[5]adamsync /install the XML config
[6]adamsync /sync with /log to see what (if any) attributes ADAMsync
complains about the absence of and go back to step [4] and add
those attributes and repeat
A. Is this because for the line <object-filter>(objectClass=*)</
object-filter>, I am grabbing all of the object classes contained
under the TestOU tree, instead of simply setting a 2 option object-
filter for:
<object-filter>(objectClass=Organizational-Unit)</object-filter>
<object-filter>(objectClass=User)</object-filter>
to further decrease the amount of data synched.
object-filter is a *single* XML element and has to be a valid LDAP filter,
try sticking with (objectClass=*) and follow the steps above to see what
you get
Addtionially, a couple of minor errors I am noticing in my ADAMSync
output log are as follows:
B. It seems like the data I need is being syncronized into my schema,
so should these errors be a concern?
let's see what errors (if any) you get when you try the steps above
C. Also, since I will potentially be performing an LDAP query to grab
my custom attributes from a user or OU object, I do not have to worry
about the size of my ADAM schema (the default install included classes/
attributes I cannot delete), since most of the attributes will contain
<NotSet> values? These attributes and classes are simply there to
ensure that my ADAM schema matches the required classes/attributes
needed by the OU and user object classes as well as the ADAMSync
program.
I agree do not worry about size of schema at this stage.
Lee Flight
Lee,
I received no syncronization errors, when I performed a full import of
the AD schema into my ADAM instance.
-----------From what I can gather of the error:
Updating the configuration file DirSync cookie with a new value.
Ldap error occured. ldap_add_sW: No Such Attribute.
Extended Info: .
Ldap error occured. ldap_add_sW: No Such Attribute.
Extended Info: .
Saving Configuration File on DC=TEST,DC=COM
Saved configuration file.
----------------
it seems this a dependency missing for a particular attribute that I
am trying to synchronize:
CN=target,CN=Watchers,CN=SharePointSites,CN=Services,CN=_Private,OU=testorg1,OU=CM,OU=TestOU,dc=TEST,dc=com.
Given that I only want to synchronize users and organizational units,
I don't believe the inability to synchronize these _Private objects
will be an issue. I was able to remove this error by modifying my
object filter to only include user attributes.
<object-filter>(objectClass=User)</object-filter>
This brings over the OrganizationUnits and their associated users only
(where as before with objectClass=*, I was also bring over security
groups and these variables that one can only see in advanced view
mode).
After doing some reasearch online, it seems that <object-
filter>(objectClass=User)</object-filter> is not the most efficient
way for me to grab user objects from AD via ADAMsync. In an attempt
to clean this up, I have been working with the filter:
<object-filter>(&(objectCategory=Person)(objectClass=User))</object-
filter>
Even though most references on the internet say this is the way to
specify a user search, I keep getting a syntax error when attempting
to install my MS-AdamSyncConf file.
----------
Error: Error parsing XML File. A name was started with an invalid
character. . Line 13, Position 21 in (null)
Any ideas as to why I cannot use the & character in my Sync file to
refine my search (all white spaces have been deleted from the sync
file as well). I would like to also add the option not to sync
disabled accounts with (!userAccountControl:1.2.840.113556.1.4.803:=2)
but will not be able to do this or other advanced search options until
I get my object-filter working with more than 1 filter using the &
character.
My Sync file is below:
Thanks again Lee
<?xml version="1.0"?>
<doc>
<configuration>
<description>sample Adamsync configuration file</description>
<security-mode>object</security-mode>
<source-ad-name>TEST.com</source-ad-name>
<source-ad-partition>dc=TEST,dc=com</source-ad-partition>
<source-ad-account>administrator</source-ad-account>
<account-domain>TEST.com</account-domain>
<target-dn>dc=TEST,dc=com</target-dn>
<query>
<base-dn>ou=TestOU,dc=TEST,dc=com</base-dn>
<object-filter>(&(objectCategory=Person)(objectClass=User))</object-
filter>
<attributes>
<include>lastAgedChange</include>
<include>sourceObjectGuid</include>
<include>customAttribute01</include>
<include>customAttribute02</include>
<include>customAttribute03</include>
<include>customAttribute04</include>
<include>customAttribute05</include>
<exclude></exclude>
</attributes>
</query>
<schedule>
<aging>
<frequency>0</frequency>
<num-objects>0</num-objects>
</aging>
<schtasks-cmd></schtasks-cmd>
</schedule>
</configuration>
<synchronizer-state>
<dirsync-cookie></dirsync-cookie>
<status></status>
<authoritative-adam-instance></authoritative-adam-instance>
<configuration-file-guid></configuration-file-guid>
<last-sync-attempt-time></last-sync-attempt-time>
<last-sync-success-time></last-sync-success-time>
<last-sync-error-time></last-sync-error-time>
<last-sync-error-string></last-sync-error-string>
<consecutive-sync-failures></consecutive-sync-failures>
<user-credentials></user-credentials>
<runs-since-last-object-update></runs-since-last-object-update>
<runs-since-last-full-sync></runs-since-last-full-sync>
</synchronizer-state>
</doc>
.
- Follow-Ups:
- Re: Synchronize only attributes you want ADAMSync
- From: tstrand
- Re: Synchronize only attributes you want ADAMSync
- From: Lee Flight
- Re: Synchronize only attributes you want ADAMSync
- References:
- Re: Synchronize only attributes you want ADAMSync
- From: Lee Flight
- Re: Synchronize only attributes you want ADAMSync
- Prev by Date: Re: profile issues.
- Next by Date: Re: Search for accounts based on advanced security permissions
- Previous by thread: Re: Synchronize only attributes you want ADAMSync
- Next by thread: Re: Synchronize only attributes you want ADAMSync
- Index(es):
Relevant Pages
|
