Name

lsc - LSC command

Synopsis

$LSC_HOME/bin/lsc or $LSC_HOME/bin/lsc.bat

Description

lsc is the command that launches the LSC synchronization engine. It may be a run-and-stop or a run-and-block command, depending on the synchronization mode. Connections and synchronization options are defined in the lsc.xml(5) file.

LDAP Synchronization Connector, or LSC, is a tool for synchronizing data repositories, with a particular focus on identity information.

It can read from a variety of different sources, perform limitless transformations of data on-the-fly and write the results to an LDAP directory. The tool is designed to be fast, and extensible in all areas.

It is an open source project, released under the BSD license.

Requirements: JRE 1.6. Most tests are run against the Sun / Oracle JRE, but a basic build also works with OpenJDK 6.

General description

The LSC XML file format maps directly to configuration objects. The full description of the settings is included in the Javadoc class comments. This page gives a shorter version, excluding plugins.

Each parameter can be either a static or a dynamic value. A dynamic value is interpreted as a scripting string, in JavaScript by default or in any JSR 223 supported language.

In the XML file, you will find 3 main sections:

- tasks
- connections
- security settings

The tasks section describes how the source service is synchronized with the destination service. It mainly contains service-specific settings (LDAP filter, SQL request, ...) and synchronization options (mapping from one dataset to another). The connections section contains the basic service settings (url, login, password, ...). The security section includes several shared settings about encryption, hashing, ...

This documentation is organized in an "A.B.C = TEXT" format, which corresponds to the following XML notation:

    <lsc>
      <A>
        <B>
          <C>TEXT</C>
        </B>
      </A>
    </lsc>

The lsc XML node is not included in the following option descriptions, but it is implied and mandatory.

The id attribute that may appear inside a node is forced by the XML-to-object mapping engine (XStream) and does not have any particular meaning. If you edit the XML file yourself, just remove it; XStream will do the job. Take care not to copy it, to avoid giving the same id to two different nodes.

Task section

task.name

Each task must be uniquely named, to identify it inside the engine and inside log messages. MANDATORY - STATIC

task.bean

This option describes the Java object i OPTIONAL - STATIC - Default to "org.lsc.beans.SimpleBean"

dn.real_root

LSC also has to know the real root DN (used to build artificial DNs for services such as a database, for example). You should specify a complete LDAP DN, like dn.real_root = dc=lsc-project,dc=org for example.

dn.people

LSC also has to know the RDN of the people tree. You should specify an LDAP RDN, like dn.people = ou=people for example.

lsc.tasks

Names of the available LSC tasks, separated by commas. For example, you could have task1, task2, task3 as a value. Note that each listed task also has to be defined.

Service configuration options

These are global configuration options to define the source and destination services. You must replace the term X in the option label by src to configure the source service, or dst to configure the destination service.

X.java.naming.factory.initial

Initial context factory to use for data abstraction layer. You could specify the value com.sun.jndi.ldap.LdapCtxFactory. It should be the same value for both LDAP source and destination services.

X.java.naming.ldap.version

Version of the LDAP protocol to use to connect to the LDAP server. 3 is recommended.

X.java.naming.provider.url

LDAP URI to connect to. Note that specifying the search base in the URI is not necessary, but could improve performance.

X.java.naming.security.authentication

LDAP authentication mechanism to use. Generally, this value does not need to be changed. Set it to simple to use authentication based on a DN and password.

X.java.naming.security.principal

LSC uses a DN on the LDAP server to authenticate itself and get rights on LDAP data. The value is a complete DN of an existing entry in the specified LDAP server.

X.java.naming.security.credentials

The appropriate password for the DN used above, in case you use simple LDAP authentication.

X.java.naming.referral

Choose how to follow LDAP referrals. Values could be ignore, follow, or throw.

X.java.naming.ldap.derefAliases

Choose how to follow LDAP aliases. Values could be never, always, search or find.

Task configuration options

This section describes the options available to configure an LSC task. You should replace TASKNAME by a task name specified in the global configuration option lsc.tasks.

lsc.tasks.TASKNAME.object

The full name of the JAVA class to use for plain LDAP object. For example, for person, you could use org.lsc.objects.inetOrgPerson. Be careful that this class has to exist in this instance of LSC.

lsc.tasks.TASKNAME.bean

The full name of the JAVA BEAN class to use for specialisation of the synchronization. For example, for person, you could use org.lsc.beans.inetOrgPersonBean. Be careful that this class has to exist in this instance of LSC.

lsc.tasks.TASKNAME.type

The synchronisation type for this task between the two defined services.

lsc.tasks.TASKNAME.srcService

The full name of the JAVA JNDI class to use to retrieve information from the source service. There is a generic class for LDAP connection, which is org.lsc.jndi.SimpleJndiSrcService.

lsc.tasks.TASKNAME.srcService.baseDn

The RDN of the people tree on the source service. Generally, it should be ou=people.

lsc.tasks.TASKNAME.srcService.attrId

The attribute used to identify a user in the source service. This attribute must be used in the identity LDAP filter (see filterId below). For example, if users have a unique value of the LDAP attribute "uid", then you could use the value uid here.

lsc.tasks.TASKNAME.srcService.filterAll

This is the "global LDAP filter" used to retrieve all user DNs from the source service.

lsc.tasks.TASKNAME.srcService.filterId

This is the "identity LDAP filter" used to retrieve one entry from the source service. You have to use the string {0} in the filter. This string represents a user identifier found in a user entry returned by the global LDAP filter. So, for example, a filter could be (&(objectclass=inetOrgPerson)(mail=*)(uid={0}))

lsc.tasks.TASKNAME.srcService.attrs

Here, you specify all attributes returned from the source service for one LDAP entry. Generally, these attributes will be used to build the new SASL userPassword. Be careful that the value of this option has to be the same as in the source code of this instance of LSC. In fact, the algorithm used is in the JAVA BEAN, in the method named by the attributes specified here. So it is strictly not recommended to modify this value (loginName userPassword).

lsc.tasks.TASKNAME.dstService

The full name of the JAVA JNDI class to use to retrieve information from the destination service. There is a generic class for LDAP connection, which is org.lsc.jndi.SimpleJndiSrcService.

lsc.tasks.TASKNAME.dstService.baseDn

The RDN of the people tree on the destination service. Generally, it should be ou=people.

lsc.tasks.TASKNAME.dstService.attrId

The attribute used to identify a user in the destination service. This attribute must be used in the identity LDAP filter (see filterId below). For example, if users have a unique value of the LDAP attribute "uid", then you could use the value uid here.

lsc.tasks.TASKNAME.dstService.filterAll

This is the "global LDAP filter" used to retrieve all user DNs from the destination service.

lsc.tasks.TASKNAME.dstService.filterId

This is the "identity LDAP filter" used to retrieve one entry from the destination service. You have to use the string {0} in the filter. This string represents a user identifier found in a user entry returned by the global LDAP filter. So, for example, a filter could be (&(objectclass=inetOrgPerson)(mail=*)(uid={0}))

lsc.tasks.TASKNAME.dstService.attrs

Here, you specify all attributes returned from the destination service for one LDAP entry. Generally, these attributes will be used to build the new SASL userPassword. Be careful that the value of this option has to be the same as in the source code of this instance of LSC. In fact, the algorithm used is in the JAVA BEAN, in the method named by the attributes specified here. So it is strictly not recommended to modify this value (loginName userPassword).

Synchronization rule options

This section describes the synchronization rule options available for this instance of LSC. You should replace TASKNAME by a task name specified in the global configuration option lsc.tasks.

lsc.syncoptions.TASKNAME

This is the full name of the JAVA class used to provide the synchronization option mechanism. For this instance of LSC, you must use the org.lsc.beans.syncoptions.PropertiesBasedSyncOptions value.

lsc.syncoptions.TASKNAME.default.action

Default action on the destination directory. Two values are possible: K to keep data (meaning no modification at all), or F to allow modification of the data (update, create or delete). For this instance of LSC, you must use K because the source and destination services are in fact the same real server.

lsc.syncoptions.TASKNAME.userPassword.action

Choose the action to apply to the userPassword LDAP attribute. As default action, you could put K to keep password updates, or F to force modifications.
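
The following Python check is an added example, not part of LSC or of the original man page. It validates a configuration against constraints stated above: the listed values for referral, derefAliases and the action options, every task named in lsc.tasks having its services defined, and each filterId carrying the {0} placeholder. It assumes the options are held as "key = value" lines in a properties-style file, and it reads "attrId must be used in the identity filter" as requiring an (attrId={0}) clause; the sample configuration is constructed.

```python
import re

# Allowed values, as listed in the man page above.
ENUMS = {
    r"(src|dst)\.java\.naming\.referral": {"ignore", "follow", "throw"},
    r"(src|dst)\.java\.naming\.ldap\.derefAliases": {"never", "always", "search", "find"},
    r"lsc\.syncoptions\.[^.]+\.(default|userPassword)\.action": {"K", "F"},
}

def parse(text):
    """Parse 'key = value' lines; split on the first '=' only (DNs and filters contain '=')."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}

def check(opts):
    """Return a list of findings for the constraints the man page states."""
    findings = []
    for key, value in opts.items():
        for pattern, allowed in ENUMS.items():
            if re.fullmatch(pattern, key) and value not in allowed:
                findings.append(f"{key}: '{value}' not in {sorted(allowed)}")
    for task in filter(None, (t.strip() for t in opts.get("lsc.tasks", "").split(","))):
        for side in ("srcService", "dstService"):
            base = f"lsc.tasks.{task}.{side}"
            if base not in opts:  # named in lsc.tasks but never defined
                findings.append(f"{base}: not defined")
                continue
            flt, attr = opts.get(base + ".filterId", ""), opts.get(base + ".attrId", "")
            if "{0}" not in flt:  # the identity filter must carry the placeholder
                findings.append(f"{base}.filterId: missing {{0}} placeholder")
            elif attr and f"({attr}={{0}})".lower() not in flt.lower():
                findings.append(f"{base}.filterId: does not match on attrId '{attr}'")
    return findings

# Constructed sample configuration (not from a real deployment).
SAMPLE = """\
lsc.tasks = people, groups
dst.java.naming.referral = chase
lsc.tasks.people.srcService = org.lsc.jndi.SimpleJndiSrcService
lsc.tasks.people.srcService.attrId = uid
lsc.tasks.people.srcService.filterId = (&(objectclass=inetOrgPerson)(mail=*)(uid={0}))
lsc.tasks.people.dstService = org.lsc.jndi.SimpleJndiSrcService
lsc.tasks.people.dstService.filterId = (&(objectclass=inetOrgPerson)(mail=*))
lsc.syncoptions.people.userPassword.action = X
"""

if __name__ == "__main__":
    print("\n".join(check(parse(SAMPLE))))
```

A filterId without {0} is the finding to look at first: by the description above, that filter no longer selects a single entry by its identifier.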

Authors

lsc-passwords was written by Sebastien Bahloul <sbahloul@lsc-project.org>, Jonathan Clarke <jclarke@lsc-project.org>, Remy-Christophe Schermesser <rschermesser@lsc-project.org>, Thomas Chemineau <tchemineau@lsc-project.org>.

See also

lsc-agent(1) lsc.xml(5)

http://lsc-project.org/

Comments

This man page was written using xmltoman(1).