Active Directory connection and replication configuration
General
Active Directory
Active Directory is divided into three parts: schema, configuration and domain.
- The schema is the template for all Active Directory entries. It defines the object types, their classes and attributes, and the syntax of those attributes. Defining new types changes which object types are available in Active Directory.
- The configuration describes the structure of the Active Directory forest and its trees.
- The domain contains all information that describes the domain itself and the objects created in it.
The first two parts of Active Directory are replicated between all domain controllers in the forest, whereas the domain-specific information is in principle only held within the respective domain, i.e. on that domain's domain controllers. Each domain therefore also has a so-called global catalog. It holds all information of its own domain and, in addition, important partial information about the other domains of the forest, which makes cross-domain search operations possible.
In Active Directory, the records of the database are defined as objects and their properties as attributes. Each attribute is defined with a type. Objects are uniquely identified by their name.
Objects can be divided into two main categories:
- Accounts, such as user, group and computer accounts
- Resources, such as file and printer shares
The objects, potentially many millions of them, are stored in containers called organizational units (OUs). Some containers are predefined; further organizational units can be created with sub-units (sub-organizational units). As an object-based system, Active Directory passes the properties of a container on to its child objects, which can themselves be containers. This allows a network to be modelled logically and hierarchically.
An Active Directory contains various kinds of objects. Besides users there are permission objects such as user groups and roles, as well as organizations, organizational units, general containers and distribution groups (mail system). Directories from different vendors are also not necessarily identical; each system comes with its own characteristics.
Intrexx offers various replication profiles that are adapted to the different Active Directory systems. These must be selected accordingly when configuring a replication job.
Profile name | Description |
---|---|
Active Directory Large Groups.xml | Profile for Active Directories with groups containing more than 1000 members. This profile takes more time to replicate and should be used only if the group membership exceeds the said value. |
Active Directory NTLM compatible.xml | This Active Directory profile is used when NTLMv1 login and domain names are desired in Intrexx, e.g. for the integrated authentication via Tomcat. |
Active Directory | Standard Active Directory replication profile |
Attribute Based Role Sample.xml | Example profile: In this profile, users are placed in the default user container (placing="fixed") and assigned to a role based on one of their attributes (here: roleattr). |
Dynamic OU Path Sample.xml | Example profile: Here users are assigned to a container which is read from one of their attributes (here: ou). The attribute value is expected as a path with backslash separators (2nd Parameter of $path) |
Dynamic OU Sample.xml | Example profile: Similar to Profile Dynamic OU Path Sample, except that only the last part of the path is evaluated to determine the container. |
eDirectory.xml | Novell eDirectory |
OpenLDAP - POSIX.xml | OpenLDAP |
Sun ONE.xml | SUN One |
The following tables represent the most common attributes, i.e. only a part of the actual scope. In particular, the attributes are extended by other applications (e.g. Microsoft Exchange) but optional attributes can also be configured individually.
Table of Active Directory fields of the user object
Class | Field name | Description |
---|---|---|
General | distinguishedName | Distinguished name |
General | cn | Common name |
General | objectClass | Object class (USER) |
General | uSNCreated | Original USN |
General | uSNChanged | Current USN |
General | whenCreated | Created on |
General | whenChanged | Changed on |
General | objectGUID | Object GUID |
user | givenName | First name |
user | sn | Last name |
user | name | Display name |
user | samAccountName | Login name NT |
user | userPrincipalName | Login name |
user | description | Description |
user | title | Title |
user | initials | Initials |
user | employeeID | Employee number/ID |
user | physicalDeliveryOfficeName | Office name |
user | company | Company |
user | department | Department |
user | streetAddress | Street |
user | postalCode | Postal/Zip code |
user | postOfficeBox | PO box |
user | l | City |
user | st | State/province |
user | co | Country (name) |
user | countryCode | Country code (ISO-3166) |
user | c | Country code (ISO-3166) |
user | wwwHomePage | Website |
user | url | Other websites |
user | | Business email |
user | telephoneNumber | Phone |
user | otherTelephone | Other telephone numbers |
user | mobile | Mobile |
user | otherMobile | Other cellphone numbers |
user | facsimileTelephoneNumber | Facsimile |
user | otherFacsimileTelephoneNumber | Other fax numbers |
user | ipPhone | IP telephone |
user | otherIpPhone | Other IP telephone numbers |
user | pager | Pager |
user | otherPager | Other pagers |
user | homePhone | Private phone |
user | otherHomePhone | Other private phone numbers |
user | msExchHideFromAddressLists | Do not show in Exchange address lists (true = hide, null/empty = show) |
user | thumbnailPhoto | Photo (max. 100kB) |
user | accountExpires | Account lifetime. Value 0 = unlimited. The date value is stored as 100 ns intervals since 01/01/1601 (UTC). |
user | passwordlastset | Last password change as a long value (100 ns intervals since 01/01/1601 UTC) |
user | userAccountControl | Account options |
user | info | Comments on user |
user | homeDirectory | Base directory |
user | lastLoginTimestamp | Last time of login |
user | primaryGroupID | Primary group assignment |
user | Nsaccountlock | |
user | uid | Login name (RFC 1274) |
Table of Active Directory fields of the group object
Class | Field name | Description |
---|---|---|
General | distinguishedName | Distinguished name |
General | cn | Common name |
General | objectClass | Object class (GROUP) |
General | uSNCreated | Original USN |
General | uSNChanged | Current USN |
General | whenCreated | Created on |
General | whenChanged | Changed on |
General | objectGUID | Object GUID |
group | sAMAccountName | Group name (NT) |
group | description | Description |
group | groupType | Group area/type |
group | info | Comment |
group | | |
group | memberOf | Member of |
group | managedBy | Managed by |
group | primaryGroupToken | Primary group assignment |
Table of Active Directory fields of the organization object
Class | Field name | Description |
---|---|---|
General | distinguishedName | Distinguished name |
General | cn | Common name |
General | objectClass | Object class |
General | uSNCreated | Original USN |
General | uSNChanged | Current USN |
General | whenCreated | Created on |
General | whenChanged | Changed on |
General | objectGUID | Object GUID |
organizationalUnit | name | Name |
organizationalUnit | description | Description |
organizationalUnit | gPLink | |
Intrexx User Manager
The "Users" module consists of several database tables and a view to manage the components.
Database table | Function |
---|---|
DSOBJECT | Object management of all objects of the user management |
DSORGANIZATION | Organization attributes |
DSORGUNIT | Organizational unit attributes |
DSCONTAINER | Container attributes |
DSDISTLIST | Distribution list attributes |
DSGROUP | User group attributes |
DSUSER | User attributes |
DSROLE | Role assignment table |
DSSET | User group assignment table |
DSCLASS | Object classes and associated data groups |
DSCLASSTITLE | Multilingual object class titles |
DSATTRIBUTE | Management of all user management attributes and their properties |
DSATTRIBUTETITLE | Multilingual attribute titles |
VBLUSER | View from DSUSER and DSOBJECT referring to the users |
Field user attributes (DSUSER)
Name | Data field | Description | Type | Size |
---|---|---|---|---|
- | LID | User ID | Integer | |
- | STRGUID | User GUID | String | 255 |
LOGIN | STRLOGIN | Login name | String | 64 |
LOGINLWR | STRLOGINLWR | Login name (short description) | String | 64 |
DOMAIN | STRDOMAIN | Domain | String | 48 |
DOMAINLWR | STRDOMAINLWR | Domain (short description) | String | 48 |
TIMEZONE | STRTIMEZONE | Time zone | String | 32 |
FIRSTNAME | STRFIRSTNAME | First name | String | 64 |
LASTNAME | STRLASTNAME | Last name | String | 64 |
MIDDLENAME | STRMIDDLENAME | Middle name (second first name) | String | 64 |
FULLNAME | STRFULLNAME | Full name | String | 172 |
TITLE | STRTITLE | Title | String | 64 |
GENDER | LGENDER | Gender | Integer | |
STREET | STRSTREET | Street | String | 96 |
POSTALCODE | STRPOSTALCODE | Postal/Zip code | String | 10 |
POBOX | STRPOBOX | PO box | String | 10 |
CITY | STRCITY | City | String | 96 |
STATE | STRSTATE | State/province | String | 32 |
COUNTRY | STRCOUNTRY | Country | String | 32 |
MAILBIZ | STRMAILBIZ | Business email | String | 192 |
PHONEBIZ | STRPHONEBIZ | Phone | String | 40 |
PHONEMOBILEBIZ | PHONEMOBILEBIZ | Business cellphone number | String | 40 |
PHONEFAX | STRPHONEFAX | Facsimile | String | 40 |
PHONEPAGER | STRPHONEPAGER | Pager | String | 40 |
MAILHOME | STRMAILHOME | Private email | String | 192 |
PHONEHOME | STRPHONEHOME | Private phone | String | 40 |
PHONEMOBILEHOME | STRPHONEMOBILEHOME | Private cellphone number | String | 40 |
BIRTH | DTBIRTH | Date of birth | DateTime | |
ENTER | DTENTER | Date of entry | DateTime | |
LOGINATTEMPTS | LLOGINATTEMPTS | Login attempts (V7) | Integer | |
PWDCHANGED | DTPWDCHANGED | Date password was changed (V7) | DateTime | |
DEFAULTLANGUAGE | STRDEFAULTLANG | Default language | String | 2 |
MUSTCHANGEPASS | BMUSTCHANGEPASS | User must change password at next login (V7) | Boolean | |
MUSTNOTCHANGEPASS | BMUSTNOTCHANGEPASS | User cannot change password (V7) | Boolean | |
PWDEXPIRES | BPWDEXPIRES | Password expires (V7) | Boolean | |
DEFAULTLOCALE | STRDEFAULTLOCALE | Default locale (V7) | String | 50 |
Organizational attribute fields (DSORGANIZATION)
Name | Data field | Description | Data type | Size |
---|---|---|---|---|
ID | LID | Organization ID | Integer | |
STREET | STRSTREET | Street | String | 96 |
POSTALCODE | STRPOSTALCODE | Postal/Zip code | String | 10 |
POBOX | STRPOBOX | PO box | String | 10 |
CITY | STRCITY | City | String | 96 |
STATE | STRSTATE | Province/State/Canton | String | 32 |
COUNTRY | STRCOUNTRY | Country | String | 32 |
Organizational unit fields (DSORGUNIT)
Name | Data field | Description | Data type | Size |
---|---|---|---|---|
ID | LID | Organizational unit ID | Integer | |
STREET | STRSTREET | Street | String | 96 |
POSTALCODE | STRPOSTALCODE | Postal/Zip code | String | 10 |
POBOX | STRPOBOX | PO box | String | 10 |
CITY | STRCITY | City | String | 96 |
STATE | STRSTATE | Province/State/Canton | String | 32 |
COUNTRY | STRCOUNTRY | Country | String | 32 |
Object table fields (DSOBJECT)
Name | Data field | Description | Data type | Size |
---|---|---|---|---|
ID | LID | Object ID | Integer | |
CONTAINERID | LCONTAINERID | | Integer | |
NAME | STRNAME | Object name | String | 128 |
CLASSID | LCLASSID | Object class ID: 2 = User, 3 = Container, 5 = Role, 6 = User group, 7 = Distribution list, 8 = Organizational unit, 9 = Organization | Integer | |
GUID | STRGUID | Internal object GUID | String | 40 |
PRIORITY | LPRIORITY | Priority (0 ... 100): 100 = maximum, 0 = minimum | Integer | |
DELETABLE | BDELETABLE | Object is deletable | Boolean | |
DELETED | BDELETED | Object deleted | Boolean | |
DISABLED | BDISABLED | Object deactivated | Boolean | |
INTERNALUSN | LINTERNALUSN | | Integer | |
RPLGUID | STRREPLGUID | Replication job GUID | String | 40 |
DN | STRDN | Distinguished name | String | 512 |
DESCRIPTION | STRDESCRIPTION | Object description | String | 512 |
EXTERNALGUID | STREXTERNALGUID | External object GUID (Active Directory) | String | 40 |
EXTPRIMGRPTKN | | | | |
EXTPRIMGRPID | LEXTPRIMGRPID | External primary group assignment (primaryGroupID) | Integer | |
The Intrexx replication profile
LDAP replication profiles, stored in the installation directory cfg/ldapconfig, define the replication between LDAP sources and the Intrexx organizational structure.
The replication profiles are XML files containing a mapping definition for each object type to be transferred. Every object type recorded in the Intrexx organization schema can be replicated, and every attribute is writable.
The <ldap> element (document root node)
Global settings can be made in this element. It is the root element for the XML document.
<ldap xmlns="https://schemas.unitedplanet.de/intrexx/server/ldap/replication/" enablePaging="true">
…
</ldap>
Parameters | As of version | Description |
---|---|---|
enablePaging | 5.2 | This parameter can be used to enable page-by-page querying of LDAP directories. Some directory servers limit the number of entries per result page, e.g. Active Directory to 1000 hits. If you enable this option, the directory server will be instructed to deliver the other pages on demand, not just the first one. |
pageSize | 7 | The pageSize attribute of the ldap element can be used to set the page size for replication. |
pageSize | 5.2 | The system property de.uplanet.lucy.server.usermanager.replication.ldap.pagesize can be used to specify the page size. The default value is 500. |
The <item> element
The <item> element defines the mapping between an Intrexx object type and LDAP query results. It may contain a number of further definitions:
<item class="<Target class>" query="<LDAP query>" placing="<Placement mode>" [dnfilter="<Filter regexp>"]>
<attribute source="<Source attribute>"/>
...
<attribute destination="<Target attribute>" source="<Source expression>"/>
...
<call class="<Tool class>" method="<Method>" [execafterwrite="true|false"]>
<parameter type="<Builtin parameter>"/>
...
<parameter type="<Java class>" value="<Value>"/>
...
</call>
...
</item>
Parameters | Description |
---|---|
Target class | Class name in the Intrexx schema, e.g. USER for user. |
LDAP query | LDAP query that is used to query the objects in the external directory. Please refer to https://tools.ietf.org/html/rfc2254 for the definition. |
Placement mode | One of the following: parent (Intrexx determines the location in the Intrexx organizational structure from the object's placement in the source directory); fixed (Intrexx uses a standard container, e.g. users, as the target container; use this to replicate only the user objects without the organizational structure); fixed by domain (Intrexx uses the subcontainer of the standard container that corresponds to the object's domain name; for this to work, the domain attribute of the target object must be filled correctly); dynamic <source expression> (Intrexx determines the target container from the directory data using the source expression; source expressions are defined in the <attribute> element section). |
dnfilter | Optional. A regexp pattern that filters the objects to be replicated by their DN (distinguished name), e.g. dnfilter=".*ou=Intrexx User.*" |
The <attribute> element
This element exists in two forms: with a destination, it assigns a source expression to an Intrexx target field; without a destination, it instructs the replication module to also query the given source attribute, because it will be needed later (for example by a <call>). A source attribute that is not named in either form is not read at all.
Target attribute:
Attribute of the Intrexx target class
Source attribute:
Attribute of the LDAP object class
Source expression:
<source expression> = <source attribute> | <function call>
The expression consists of either a source attribute or a function call.
Function call:
<function call> = $functionname([<source expression>[, ...]])
A function can have 0-n parameters, each of which is itself a source expression. The available built-in functions are documented in the section Built-in functions below.
The <call> element
Not every task can be handled by a simple assignment in an <attribute> element. For such cases, specialized code can be integrated by defining calls to static methods of Java classes. To parameterize the call, the <call> element can contain 0-n <parameter> elements.
Tool class:
Name of the Java class that contains the static method to be called.
Method:
Name of the method to be called.
execafterwrite attribute:
Defines whether the method is called immediately or only after the Intrexx object has been written.
The <parameter> element
The parameter element always has a type attribute. This contains either the name of a built-in parameter, which is automatically filled correctly, or the name of a known Java class whose content is defined via the value attribute. At the moment, java.lang.String and the numeric classes built into the JRE are supported here.
Built-in parameters:
Parameters | Description |
---|---|
$destinationitem | Contains the target object (IDs* object) for the element |
$dircontext | Contains the LDAP directory context |
$domain | Contains the already created domain name for the target object (only available if execafterwrite=true and it is a user object) |
$inserted | Contains a flag that specifies whether the target object was new or updated (only available if execafterwrite=true) |
$itemconnector | Contains the reference to the instance of the internal class that performs the attribute mapping. |
$jdbcconnection | Contains the JDBC system database connection from Intrexx |
$login | Contains the already created login name for the target object (only available if execafterwrite=true and if it is a user object) |
$replicationconfig | Contains the replication configuration object |
$searchresult | Contains the current record in the LDAP search result |
$sourceconfig | Contains a source definition object |
$usn | Contains the unique number of the current replication run |
$dbmanager | Type-dependent DbManager object for editing the Intrexx organization schema |
Built-in functions
The following functions are available at various points:
Function | Intrexx version | Description |
---|---|---|
$add | 5.2 | $add(val0, val1) Add two values together |
$ansiTime | 7.0 | $ansiTime(value) Converts a long value (100 ns intervals since 01/01/1601 UTC), as used in the passwordlastset field, into a timestamp |
$bitand | 5.2 | $bitand(value, bitmask) Compound value with bitmask |
$call | 6.0 | $call(class, method [, param type, param value [...]]) Calls an individual method |
$case | 5.2 | $case(value, checkval0, result0[,checkval1, result1...][elseresult]) Case construct |
$concat | 7.0 OU7 | $concat(<string-expression1>, <string-expression2>) Merges two strings together |
$datetime | 6.0 | $datetime(format [, [locale,] timezone], value) Create a timestamp from a string, e.g.: <attribute destination="myDateField" source="$datetime("dd.MM.yyyy", "Europe/Berlin", whenChanged)"/> |
$format | 5.2 | $format(formatstring, value...) Formats a value. Java notation applies to the formatstring. |
$generalizedTime | 7.0 | $generalizedTime(value) Generate a timestamp from a string in generalized time format (YYYYMMDDHHmmSS.fffZ). |
$last | 5.2 | $last(array) Extracts the last element of an array; $last(value, number) extracts the last n characters of a string |
$length | 5.2 | $length(value) Returns the length of a string |
$lower | 5.2 | $lower(value) Converts a string to lowercase letters |
$null | 5.2 | $null() Null value |
$print | 6.0 | $print(value-array, separator) Writes an array of values into a single field, joined by <separator>. |
$sid | 11.0 | $sid(value) Transforms the Microsoft SID into an Intrexx GUID. Example: <attribute destination="EXTERNALSID" source="$sid(objectSID;binary)"/> |
$split | 5.2 | $split(value, delimiter) Splits a string into single strings. |
$substring | 5.2 | $substring(string, beginindex [,endindex]) Extract a part from a string |
$trim | 7.0 OU7 | $trim(<string expression>) |
$upper | 5.2 | $upper(value) Converts a string to uppercase letters |
LDAP queries
The syntax of LDAP search filters is defined in RFC 4515:
RFC 4515, Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters, https://www.ietf.org/rfc/rfc4515.txt
Syntax and operators
LDAP queries consist of one or more criteria linked with AND or OR operators. The operator is written first, followed by the search criteria. Each criterion is enclosed in round brackets, and the whole operation is again enclosed in round brackets.
AND link:
(& ( S1 ) ( S2 ) … ( Sn ) )
OR link:
(| ( S1 ) ( S2 ) … ( Sn ) )
Interleaved links:
Each AND/OR operation can be defined as a single criterion again:
(|(& ( S1 ) ( S2 ))(& ( S3 ) ( S4 ))) corresponds to: (S1 AND S2) OR (S3 AND S4)
Negation:
The negation / reversal of a query is implemented with an exclamation mark:
(! ( S1 ))
Comparison:
A criterion compares an attribute with a value:
Equality | (givenName=Max) |
Greater than or equal | (passwordlastset>=130575614253222449) |
Less than or equal | (passwordlastset<=130575614253222449) |
Approximate match | (givenName~=Meier) |
Attribute present | (givenName=*) |
Wildcards | (givenName=Max*) (givenName=*meier*) |
Only accounts whose login name starts with 8 or 9 (e.g. when the login name is a personnel number and only certain number ranges are to be replicated):
(|(sAMAccountName=8*)(sAMAccountName=9*))
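As an added example that is not part of the Intrexx documentation, the following Python script parses the filter syntax described above and evaluates filters against constructed in-memory entries, so a profile's query can be syntax-checked (a filter with a missing closing bracket is rejected) and dry-run before it is sent to the directory. Treating ~= as case-insensitive equality is an assumption; servers apply their own matching rules.

```python
"""LDAP search-filter (RFC 4515 syntax) parser and matcher.
Added example, not Intrexx code: checks the syntax of a profile's query and
evaluates it against in-memory entries (~= is treated as case-insensitive
equality here, an assumption; servers use their own matching rules).
"""
import re

class FilterError(ValueError):
    """Raised for syntactically invalid filters (e.g. unbalanced brackets)."""

# attribute name, comparison operator and value, up to the closing bracket
_ITEM = re.compile(r'\s*([A-Za-z][\w.;-]*)\s*(>=|<=|~=|=)\s*([^()]*?)\s*\)')

def parse_filter(text):
    """Parse into nested tuples: ('&'|'|', [nodes]), ('!', node), ('cmp', attr, op, value)."""
    def skip_ws(i):
        while i < len(text) and text[i].isspace():
            i += 1
        return i

    def close(i):  # consume the ')' that ends an &, | or ! group
        i = skip_ws(i)
        if i >= len(text) or text[i] != ')':
            raise FilterError(f"missing ')' at offset {i}")
        return i + 1

    def parse(i):
        i = skip_ws(i)
        if i >= len(text) or text[i] != '(':
            raise FilterError(f"expected '(' at offset {i}")
        i = skip_ws(i + 1)
        if i < len(text) and text[i] in '&|':
            op, parts, i = text[i], [], skip_ws(i + 1)
            while i < len(text) and text[i] == '(':
                node, i = parse(i)
                parts.append(node)
                i = skip_ws(i)
            return (op, parts), close(i)
        if i < len(text) and text[i] == '!':
            node, i = parse(i + 1)
            return ('!', node), close(i)
        m = _ITEM.match(text, i)
        if not m:
            raise FilterError(f"malformed comparison at offset {i}")
        attr, op, value = m.groups()
        return ('cmp', attr, op, value), m.end()

    ast, end = parse(0)
    if skip_ws(end) != len(text):
        raise FilterError(f"unexpected text at offset {end}")
    return ast

def check_filter(text):
    # None if the filter parses, otherwise the error message
    try:
        parse_filter(text)
        return None
    except FilterError as exc:
        return str(exc)

def _values(entry, attr):
    # LDAP attribute names are case-insensitive; entries map name -> list of str
    return [v for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]

def _ordered(op, left, right):
    try:                    # numeric order when both sides are integers,
        a, b = int(left), int(right)
    except ValueError:      # otherwise plain string order
        a, b = left, right
    return a >= b if op == '>=' else a <= b

def matches(node, entry):
    # evaluate a parsed filter against one entry
    if node[0] == '&':
        return all(matches(n, entry) for n in node[1])
    if node[0] == '|':
        return any(matches(n, entry) for n in node[1])
    if node[0] == '!':
        return not matches(node[1], entry)
    _, attr, op, value = node
    values = _values(entry, attr)
    if op == '=' and value == '*':
        return bool(values)                           # presence test
    if op == '=' and '*' in value:
        regex = '.*'.join(map(re.escape, value.split('*')))
        return any(re.fullmatch(regex, v) for v in values)
    if op == '=':
        return value in values
    if op == '~=':
        return any(v.lower() == value.lower() for v in values)
    return any(_ordered(op, v, value) for v in values)

ENTRIES = [  # constructed sample entries, not real directory data
    {"sAMAccountName": ["80123"], "givenName": ["Max"], "sn": ["Meier"],
     "userAccountControl": ["512"], "passwordlastset": ["130575614253222449"]},
    {"sAMAccountName": ["90456"], "givenName": ["Erika"], "userAccountControl": ["514"]},
    {"sAMAccountName": ["svc-backup"], "userAccountControl": ["512"]},
]

def search(filter_text, entries=ENTRIES):
    """Return the sAMAccountName of every entry the filter matches."""
    ast = parse_filter(filter_text)
    return [_values(e, "sAMAccountName")[0] for e in entries if matches(ast, e)]
```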
Tips and Tricks
Domains with many objects (> 5,000)
The number of objects returned per replication or query from Active Directory is limited for security reasons (Windows Server 2008 R2: max. 5,000). Administrators can lift this limit in Active Directory by configuring the dSHeuristics attribute accordingly. This customization is done at your own risk, and Microsoft also excludes any liability for it.
From Intrexx 6.0 onwards, data from Active Directory can be processed block by block. The parameter enablePaging is already set to true in the supplied profiles; 1,000 elements are read per block.
<ldap xmlns="https://schemas.unitedplanet.de/intrexx/server/ldap/replication/" enablePaging="true">
Truncate field contents from Active Directory
The Intrexx user data has field length limits. Under certain circumstances this leads to so-called truncation errors during replication, because fields in Active Directory are sometimes used for other purposes than intended and contents longer than usual are transmitted. To counter this, the field lengths in Intrexx can be extended via the Schema Manager, or the contents of the AD fields can be truncated during processing. To be on the safe side, you should provide such a limit for string fields even after adjusting the length.
<attribute destination="FIRSTNAME" source="$case(givenName, $null, $null, $format("%1.64s",givenName))"/>
In the example, the first name is limited to 64 characters; the 64 in the format string "%1.64s" is the length value to adjust for other fields. $format truncates the field content, and $case ensures that null is written into the Intrexx field if the value is missing.
Replication of the superior
Supervisor replication is already predefined in the Active Directory profile templates but commented out by default. If the supervisor is stored in the manager attribute, the section can be activated in the replication profile. The function looks up the Intrexx user that corresponds to the manager assignment in Active Directory and assigns it.
<call class="de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools" method="assignBoss" execafterwrite="true">
<parameter type="$dbmanager"/>
<parameter type="$destinationitem"/>
<parameter type="$itemconnector"/>
<parameter type="$searchresult"/>
<parameter type="$jdbcconnection"/>
<parameter type="$usn"/>
<parameter type="java.lang.String" value="manager"/>
</call>
Replication of user photos
Since Windows 2000, Active Directory has had attributes for managing user photos; however, the photo information can only be used and displayed by Outlook/Exchange 2010 or later. The size per photo is limited to 100 KB, and with many employees the volume to be replicated can become correspondingly high. Microsoft recommends thumbnail photos of 96 x 96 pixels with a maximum size of 10 KB. The photos must also be maintained in Active Directory, i.e. this work falls to the administrators. In addition, a procedure must be in place to document each employee's consent to the use of their photo.
<call class="de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools" method="assignImage" execafterwrite="true">
<parameter type="$dbmanager"/>
<parameter type="$destinationitem"/>
<parameter type="$itemconnector"/>
<parameter type="$searchresult"/>
<parameter type="$jdbcconnection"/>
<parameter type="$inserted"/>
<parameter type="java.lang.String" value="thumbnailPhoto"/>
</call>
Class de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools
Here is an overview of the methods of the class de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools:
assignMembers
public void assignMembers(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strMemberAttr, JobLog p_log) throws SQLException, NamingException
With this method, members specified in an LDAP attribute of a group object are assigned to the corresponding Intrexx group. The member attribute must contain the group members in an array of distinguished names.
Parameters:
p_item | Intrexx group object |
p_connector | Item connector |
p_sr | Search result of the LDAP group object |
p_conn | Database connection |
p_iInternalUsn | Current internal USN |
p_strMemberAttr | Member attribute of the LDAP group |
p_log | Job log, if available |
Throws:
SQLException - when an exception occurs
NamingException - when an exception occurs
assignMembersByLoginName
public void assignMembersByLoginName(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strDomainQuery, String p_strMemberAttr, JobLog p_log) throws SQLException, NamingException
With this method, members specified in an LDAP attribute of a group object are assigned to the corresponding Intrexx group. The member attribute must contain the group members in an array with login names.
Parameters:
p_item | Intrexx group object |
p_connector | Item connector |
p_sr | Search result of the LDAP group object |
p_conn | Database connection |
p_iInternalUsn | Current internal USN |
p_strMemberAttr | Member attribute of the LDAP group |
p_log | Job log reference |
p_strDomainQuery | User domain query |
Throws:
SQLException - when an exception occurs
NamingException - when an exception occurs
assignDomain
public void assignDomain(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, String p_strDomainAttribute, String p_strDomainQuery) throws NamingException
Assigns a domain specified by the content of an LDAP attribute to an Intrexx object.
Parameters:
p_item | Intrexx item |
p_connector | Intrexx item connector |
p_sr | LDAP search result |
p_conn | Database connection |
p_strDomainQuery | LDAP domain query |
p_strDomainAttribute | LDAP domain attribute |
Throws:
NamingException - when an exception occurs
assignCredentialsWithDomainQuery
public void assignCredentialsWithDomainQuery(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, String p_strLoginAttribute, String p_strDomainAttribute, String p_strDomainQuery) throws NamingException
Assigns credentials to an Intrexx object and the domain via domain attribute and query.
Parameters:
p_item | Intrexx item |
p_connector | Intrexx item connector |
p_sr | LDAP search result |
p_strDomainQuery | LDAP domain query |
p_strDomainAttribute | LDAP domain attribute |
p_strLoginAttribute | LDAP login attribute |
Throws:
NamingException - when an exception occurs
getDomain
public void getDomain(LDAPItemConnector p_connector, SearchResult p_sr, String p_strDomainAttribute, String p_strDomainQuery) throws NamingException
Throws:
NamingException
assignNameFromLogin
public void assignNameFromLogin(IDsObjectRecord p_record)
Assigns an Intrexx login name as the object name.
Parameters:
p_record | Intrexx user object record |
assignPathRoleFromOUAttribute
public void assignPathRoleFromOUAttribute(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strTopOUAttribute) throws Exception
Assigns an object to a group, role or set to be imported with an OUAttribute of the object.
Parameters:
p_item | Intrexx item |
p_connector | Intrexx item connector |
p_sr | Search result |
p_conn | Database connection |
p_iInternalUsn | Internal USN |
p_strTopOUAttribute | OU attribute |
Throws:
Exception - when an exception occurs
makeRelative
public String makeRelative(String p_strBaseDn, String p_strDn) throws InvalidNameException
Throws:
InvalidNameException
findUser
public int findUser(JdbcConnection p_conn, LDAPItemConnector p_itemConnector, String p_strMember, String p_strLogin, String p_strDomain) throws Exception
Parameters:
p_conn | Database connection |
p_itemConnector | Intrexx item connector |
p_strMember | Member attribute name |
p_strLogin | Login name |
p_strDomain | Domain name |
Returns:
User ID
Throws:
Exception - when an exception occurs
assignBoss
public void assignBoss(IDsDbManager<IDsObjectRecord> p_dbMan, IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strBossAttr) throws SQLException, NamingException
Assigns the supervisor to an object.
Parameters:
p_dbMan | Database manager |
p_item | Item |
p_connector | Item connector |
p_sr | Search result |
p_conn | JDBC connection |
p_iInternalUsn | Internal USN |
p_strBossAttr | Boss attribute name |
Throws:
SQLException - when an exception occurs
NamingException - when an exception occurs
normalizeName
public static String normalizeName(String p_strName) throws InvalidNameException
Throws:
InvalidNameException
dnForQuery
public static String dnForQuery(String p_strDN) throws InvalidNameException
Throws:
InvalidNameException
assignImage
public void assignImage(IDsDbManager<IDsObjectRecord> p_dbMan, IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, boolean p_bInsert, String p_strImageAttribute) throws Exception
Assigns a user photo.
Parameters:
p_dbMan | Database manager |
p_item | Intrexx item |
p_connector | Intrexx item connector |
p_sr | LDAP search result |
p_conn | Database connection |
p_bInsert | true for insert, false for update |
p_strImageAttribute | LDAP image attribute name |
Throws:
Exception - when an exception occurs
assignAsMember
public void assignAsMember(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strMemberOfAttr) throws SQLException, NamingException
Assigns a user to a group set, identified by a user attribute.
Parameters:
p_item | User item |
p_connector | LDAP item connector |
p_sr | LDAP search result |
p_conn | System database connection |
p_iInternalUsn | Internal replication USN |
p_strMemberOfAttr | "Member of" attribute |
Throws:
SQLException - when an exception occurs
NamingException - when an exception occurs
assignDefaultSet
public void assignDefaultSet(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strDefaultSetGuid) throws SQLException
Assigns a user to a default set.
Parameters:
p_item | User item |
p_connector | LDAP item connector |
p_sr | LDAP search result |
p_conn | System database connection |
p_iInternalUsn | Internal replication USN |
p_strDefaultSetGuid | Default set GUID |
Throws:
SQLException - when an exception occurs
assignToSet
public void assignToSet(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strSetGUID) throws SQLException
Assigns a user to a set, identified by the given name.
Parameters:
p_item | User item |
p_connector | LDAP item connector |
p_sr | LDAP search result |
p_conn | System database connection |
p_iInternalUsn | Internal replication USN |
p_strSetGUID | Set GUID |
Throws:
SQLException - when an exception occurs
getContainers
public Map<String,IValueHolder<?>> getContainers()
getRoles
public Map<String,IValueHolder<?>> getRoles()
Prevent deactivation of accounts from the domain
When replicating users, their activation state is transferred to the account options. This means, in the same way as whether the account is activated or deactivated in the domain, the user will also be activated or deactivated in Intrexx. The state of the option is determined with the method $bitand and assigned to the Intrexx attribute "DISABLED".
<attribute destination="DISABLED" source="$bitand(userAccountControl,2)"/>
If you would like to independently determine which account should be active after replication in Intrexx, the statement in the replication profile must be commented out or removed.
Replicate date fields
There are two dates in an Active Directory that are stored in the format yyyy-MM-ddTHH:mm:ss.000: the date for the creation (whenCreated) and the date of the last change (whenChanged) of the account. Further date information, such as the date of birth or entry date, is not provided and must be defined additionally. To transfer such date information into Intrexx, the following construct can be applied in the replication profile. As an example, it fills the date of birth in Intrexx with a date value from the Active Directory. BIRTHDAY stands for the attribute name from the Active Directory.
<attribute destination="BIRTH" source="$case(BIRTHDAY, $null, $null, $datetime(&quot;dd.MM.yyyy&quot;, &quot;Europe/Berlin&quot;, $case(BIRTHDAY, $null, &quot;01.01.1900&quot;, BIRTHDAY)))"/>
Fix domain when replicating
In larger corporate structures with continuous acquisitions or mergers, the Active Directory is also extended and restructured. It is not uncommon for this to happen during ongoing operations, or for a new domain to be integrated first and then gradually converted. Often this restructuring follows the organizational one. This has its pitfalls, because a domain should really be consolidated before it is included. The following example was the solution in a replication scenario in which user objects from two different domain replications carried the same value in the user attribute "Domain". During replication, the user name is still taken from the AD, but the domain value is fixed per replication (domain) instead of being read from the AD field.
<!-- Replication of the user with a fixed domain -->
<attribute destination="LOGIN" source="sAMAccountName"/>
<attribute destination="LOGINLWR" source="$lower(sAMAccountName)"/>
<attribute destination="DOMAIN" source="&quot;meinedomain.de&quot;"/>
<attribute destination="DOMAINLWR" source="&quot;meinedomain.de&quot;"/>
Write fixed value to a field
To write a fixed value into a field during replication, independent of any LDAP field, the string must be enclosed in double quotes inside the source attribute (written as &quot; so that the profile remains well-formed XML).
<attribute destination="TYPE" source="&quot;Text&quot;"/>
Evaluate UserAccountControl
The Active Directory attribute UserAccountControl contains various settings that in most cases are only relevant for control in the domain. Intrexx already uses the option "User account deactivated" from this by default. If some of the options are to be replicated due to workflow controls or for information purposes, corresponding "Boolean" attributes must be created beforehand in the Intrexx Users module (User attribute).
Label | Hex
---|---
The login script was executed | 0x00000001
User account deactivated | 0x00000002
Home directory required | 0x00000008
No password required | 0x00000020
Password never expires | 0x00010000
User must authenticate with smartcard | 0x00040000
Computer account that is a member of this domain | 0x00001000
Computer account for a system backup domain controller that is a member of this domain | 0x00002000
The hex value must be specified as the second parameter of the $bitand function. The first parameter is always the attribute from the Active Directory (userAccountControl):
<attribute destination="DISABLED" source="$bitand(userAccountControl,2)"/>
<!-- Example for retrieving "No password required" -->
<attribute destination="NOPWREQ" source="$bitand(userAccountControl,20)"/>
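The following Python snippet is an added example, not Intrexx code: it decodes a userAccountControl value with the masks from the table above, evaluates a profile parameter such as "20" both as hex (as documented above) and as decimal so you can confirm against a known account which reading the replication engine applies, and lists which sample accounts carry a given option before it is replicated as a Boolean attribute. The sample entries and names are constructed; ADS_UF_NORMAL_ACCOUNT (0x200) is added because every ordinary user account carries it.

```python
"""
Added example: decode userAccountControl and check the hex/decimal reading
of the second $bitand parameter. Not part of Intrexx.
"""
from typing import Dict, List

# Masks from the table above plus ADS_UF_NORMAL_ACCOUNT (0x200).
UAC_FLAGS: Dict[int, str] = {
    0x00000001: "The login script was executed",
    0x00000002: "User account deactivated",
    0x00000008: "Home directory required",
    0x00000020: "No password required",
    0x00000200: "Normal account",
    0x00001000: "Computer account that is a member of this domain",
    0x00002000: "Computer account for a system backup domain controller that is a member of this domain",
    0x00010000: "Password never expires",
    0x00040000: "User must authenticate with smartcard",
}


def bitand(uac: int, mask: int) -> bool:
    """Boolean reading of the profile's $bitand(userAccountControl, mask)."""
    return (uac & mask) != 0


def decode_uac(uac: int) -> List[str]:
    """All table options set in uac, in ascending mask order."""
    return [label for mask, label in sorted(UAC_FLAGS.items()) if bitand(uac, mask)]


def compare_interpretations(uac: int, profile_parameter: str) -> Dict[str, bool]:
    """Evaluate the same parameter text as hex (documented reading) and as
    decimal. "2" gives the same answer either way; "20" does not."""
    return {
        "hex": bitand(uac, int(profile_parameter, 16)),
        "decimal": bitand(uac, int(profile_parameter, 10)),
    }


def accounts_with_option(entries: List[Dict[str, object]], mask: int) -> List[str]:
    """sAMAccountNames of entries that have the given option set, e.g. to
    review 'No password required' before replicating it for information."""
    return [str(e["sAMAccountName"]) for e in entries
            if bitand(int(e["userAccountControl"]), mask)]


# Constructed sample directory entries (hypothetical accounts, not real data)
SAMPLE_ENTRIES: List[Dict[str, object]] = [
    {"sAMAccountName": "alice",  "userAccountControl": 0x200},                   # normal, enabled
    {"sAMAccountName": "bob",    "userAccountControl": 0x200 | 0x2},             # deactivated
    {"sAMAccountName": "svc1",   "userAccountControl": 0x200 | 0x20 | 0x10000},  # no pw required, never expires
    {"sAMAccountName": "srv01$", "userAccountControl": 0x1000},                  # computer account
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["sAMAccountName"], decode_uac(int(e["userAccountControl"])))
    print(compare_interpretations(0x200 | 0x20 | 0x10000, "20"))
```

Run the comparison against one account whose options you know from the domain; if the Intrexx attribute written by $bitand(userAccountControl,20) disagrees with the "hex" column, the parameter is being read differently than the documentation states and the profile needs to be adjusted before the values are trusted.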
Report replication error
A corresponding email address must be entered in the execution options in each LDAP job in order to detect, analyze and correct error-related interruptions at an early stage. Select the "Error" setting in "From status".
Replicate multiple domains into one portal
If multiple domains are synchronized into a portal, a job should be designated that is configured as the initial replication that is executed automatically. The replication jobs for the remaining domains are executed sequentially starting from this first job by defining a chain of subsequent jobs. This prevents overlapping of the individual replication jobs, which could cause performance problems or locking situations on the database.
The subsequent jobs can be configured in the corresponding replication job in the task scheduler. When you edit the schedule, a group can be defined for each job and the LDAP job can be added. Attention: There may be only one LDAP job per group. All entries of a group are executed in parallel!
If one of the replications in the chain causes an error, all subsequent replications are not executed. To prevent this, the setting "Start subsequent processes even in case of error" can be activated.
Any errors that occur should be reported by email and then corrected promptly so that even failed replications are completed again when they are executed again.
Replication without an organizational structure
Replication in Intrexx creates an image of the Active Directory.
However, replication only works 1:1 if the "Import organizational structure" setting is set for the import job. Users are assigned to their respective organizational unit (parent) during import. If the organizational units were not imported before, they cannot be assigned. Therefore, users are not imported. Only users and user groups that are not assigned to an organizational unit in the Active Directory are imported.
Importing all users without the organizational structure works only by adjusting the profile. The adjustment should be made only on the copy of an existing profile.
Replace the word "parent" with "fixed by domain" in each of the following two places:
<item class="USER" query="(&(objectClass=User)(objectCategory=Person)(!(cn=*$)))" placing="parent">
<item class="GROUP" query="(&(objectClass=Group)(groupType:1.2.840.113556.1.4.803:=2147483648))" placing="parent">
After this change has been made, users and user groups are also imported without organizational units and included in the default container for new users, which is defined in the "Users" module via the "Users / Configuration" main menu.
Replication of users of a user group
If you want to restrict the replication of users to a user group, you need to adjust the profile for replication.
Here you can add the condition (memberOf=CN=Support,OU=Support,DC=unitedplanet,DC=de) to the user query, e.g. for the group "Support". Note that it belongs alongside the (!(cn=*$)) exclusion, not inside it:
<main use-usns="false" path-separator-char="," escape-char="\" user-query="(&(objectClass=User)(objectCategory=Person)(!(cn=*$))(memberOf=CN=Support,OU=Support,DC=unitedplanet,DC=de))" group-query="(objectClass=Group)" unit-query="(objectClass=organizationalUnit)" domain-query="(objectClass=domain)" />
If transitive memberships (i.e. all objects that are members of the specified group, directly or via nested groups) are also to be taken into account during replication, a special matching rule can be added to the query when querying a Windows domain from Windows Server 2003 SP2 onwards:
<main use-usns="false" path-separator-char="," escape-char="\" user-query="(&(objectClass=User)(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=CN=SUPPORTER,OU=Team-Gruppen,DC=meinedomain,DC=org)(!(cn=*$)))" group-query="(objectClass=Group)" unit-query="(objectClass=organizationalUnit)" domain-query="(objectClass=domain)" />
If the replication of user groups should also be restricted, the condition (name=SUPPORTER) can be added to the group query.
<main use-usns="false" path-separator-char="," escape-char="\" user-query="(&(objectClass=User)(objectCategory=Person)(!(cn=*$)))" group-query="(&(objectClass=Group)(name=SUPPORTER))" unit-query="(objectClass=organizationalUnit)" domain-query="(objectClass=domain)" />
You can find more information about special LDAP filters here:
Replication without user groups and distribution lists
If the user groups or distribution lists from the Active Directory cannot be used meaningfully in Intrexx, it is also possible to import only the users and the organizational structure. The user groups can also be defined in Intrexx and the users assigned from the Active Directory. However, the maintenance of the assignment must always take place in Intrexx and this is a corresponding administrative effort. In an existing replication profile, the two responsible blocks can be commented out as follows:
<!-- Deactivate group replication
<item class="GROUP"
…
</item>
-->
<!-- Deactivate distribution list replication
<item class="DISTLIST"
…
</item>
-->
Actions after a replication
It may well be useful to perform subsequent maintenance on the replicated users after replication. An important action after replication is to perform indexing for the search engine.
That means, as a subsequent job after user replication, the application indexing "User/User search" should be executed so that both new users and changed users can be found via the search.
Another downstream action is the analysis of certain data in the user and the definition of additional data or assignments dependent on it. An example is the creation of an additional attribute "sort name" for users. This should contain the name in the form "Last name, First name" to use it in drop-down lists, for example. A process executed after replication can use Groovy to combine the first and last name appropriately and write back to the additional attribute in the user.
In a second example, an attribute is replicated from the Active Directory that contains an organizational characteristic such as the cost center or an organizational abbreviation. Based on this characteristic, the user is now to be assigned to a specific permissions object (group, role) or organizational object (organizational unit). In this way, administration can be partially automated if the AD structure does not provide usable structures and permissions objects for the portal.
Use a timer event source with a connection to the user data group to define a post-replication process. It is imperative that the event source is deactivated, as this is not to be executed periodically but via the follow-on event chain of the replication job. This is possible via the main menu "Edit/Disable Element" if the timer is marked on the workspace. Then save the process.
A Groovy action is executed via the event handler associated with the timer, which can be used to handle the respective user object.
// System database connection
def conn = g_dbConnections.systemConnection

def l_intUserId = g_record["E3911A1A0198AFAD87AE026B161B7F7F202D557A"].value /* datafield (PK) (S) User ID <integer> */
def l_strFirstname = g_record["71F6E73DF87EF94D5B2CB5F6946C7CC4093D876C"].value /* datafield Firstname <string> */
def l_strLastname = g_record["22BF94B5B5D9794429B741D8FD42128CC5E93A62"].value /* datafield Lastname <string> */

// Create sortname in the form "Last name, First name"
def l_strSortname = l_strLastname + ", " + l_strFirstname

// Update of the user record; parameter indices follow the two placeholders in order
g_dbQuery.executeUpdate(conn, "UPDATE DSUSER SET STR_SORTNAME = ? WHERE LID = ?") {
	setString(1, l_strSortname)
	setInt(2, l_intUserId)
}
If Intrexx Share is installed in the portal, a profile update can also be executed after the replication to take into account name changes, for example. To do this, you must first check whether a profile exists for the current user.
With the following Groovy script, the GUID of the user can be used to check whether a profile record exists in Intrexx Share. If this is the case, the output "profile_exist" is triggered, which subsequently executes a data group action to update the corresponding fields in the profile.
// System database connection
def conn = g_dbConnections.systemConnection
def l_strUserGuid = g_record["ACF15A10BE183A1EFBC7EF8C462069428F1E4663"].value /* datafield Guid <string> */

if (l_strUserGuid != null)
{
	// Count non-deleted Share profile records for this user GUID (default 0 if none found);
	// the closure must start on the same line as the call so that Groovy binds it to the method
	def l_intShareProfile = g_dbQuery.executeAndGetScalarIntValue(conn, "SELECT COUNT(*) FROM DATAGROUP('198F73334DF58D0996897A5D7EF8DB12E6727E8D') WHERE STRID = ? AND B_DELETED = ?", 0) {
		setString(1, l_strUserGuid)
		setBoolean(2, false)
	}

	if (l_intShareProfile > 0)
	{
		return profile_exist
	}
}
Limited replication of groups
To replicate only certain groups that follow a certain naming convention, the query for the group objects (also for any other object type) can be customized. In the example, all groups starting with "IX_" in the name are replicated.
If the groups in turn contain memberships in other groups or permissions objects that are relevant for the assignment of users, it must be carefully checked whether loopholes open up when the objects are replicated in a limited manner.
<item class="GROUP" query="(&(objectClass=Group)(cn=IX_*)(groupType:1.2.840.113556.1.4.803:=2147483648))" placing="parent">
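The following Python script is an added example for the group-restricted user query and the limited group query above; it is not part of Intrexx. It builds the same filters as the profile fragments from a configured group DN or name prefix, escapes those configured values according to RFC 4515 so that a group name containing parentheses or a backslash cannot change the filter's structure, and runs a parenthesis-balance check that flags an unclosed "(&amp;…" before the filter is pasted into a profile. The DNs and names used in the usage section are taken from the fragments above or constructed.

```python
"""
Added example: build and sanity-check replication profile LDAP filters.
Not Intrexx code; the function names are the author's own.
"""
from typing import Optional

# Microsoft extensible-match rule OIDs used in the profile fragments above
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"    # groupType bit test
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive memberOf
SECURITY_ENABLED_GROUP = "2147483648"                   # 0x80000000 in groupType

# RFC 4515 escapes for characters that would otherwise alter filter structure
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal value (e.g. a group DN from configuration) for a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_query(group_dn: Optional[str] = None, nested: bool = False) -> str:
    """Person objects, excluding computer accounts (cn ends with '$'),
    optionally restricted to members of group_dn (transitively if nested)."""
    parts = ["(objectClass=User)", "(objectCategory=Person)", "(!(cn=*$))"]
    if group_dn is not None:
        attr = "memberOf"
        if nested:
            attr = f"memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:"
        parts.append(f"({attr}={escape_filter_value(group_dn)})")
    return "(&" + "".join(parts) + ")"


def group_query(exact_name: Optional[str] = None, name_prefix: Optional[str] = None,
                security_only: bool = False) -> str:
    """Group objects, optionally by exact name, by cn prefix, or security groups only."""
    parts = ["(objectClass=Group)"]
    if exact_name is not None:
        parts.append(f"(name={escape_filter_value(exact_name)})")
    if name_prefix is not None:
        # the trailing '*' is an intended wildcard; only the prefix is escaped
        parts.append(f"(cn={escape_filter_value(name_prefix)}*)")
    if security_only:
        parts.append(f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={SECURITY_ENABLED_GROUP})")
    if len(parts) == 1:
        return parts[0]
    return "(&" + "".join(parts) + ")"


def is_balanced(filter_text: str) -> bool:
    """Structural check: parentheses must nest correctly. A filter whose
    final ')' is missing, or that closes before it opens, is rejected."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Values from the fragments above
    print(user_query("CN=Support,OU=Support,DC=unitedplanet,DC=de"))
    print(user_query("CN=SUPPORTER,OU=Team-Gruppen,DC=meinedomain,DC=org", nested=True))
    print(group_query(exact_name="SUPPORTER"))
    print(group_query(name_prefix="IX_", security_only=True))
    # Constructed group name with parentheses: escaped, so the filter stays balanced
    q = user_query("CN=Ops (EU),OU=Teams,DC=example,DC=org")
    print(q, is_balanced(q))
```

The balance check is deliberately cheap; it does not validate attribute names or matching-rule syntax, only that the filter can be parsed at all, which is the failure a typo in a hand-edited profile most often produces.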
Frequent error messages
Unprocessed continuation reference(s)
Since the LDAP import interface of Intrexx is also compatible with OpenLDAP, it calls a function that Microsoft Active Directory does not implement correctly: LDAP referrals are not implemented by Microsoft in a standard-compliant way. This warning therefore occurs when importing from Microsoft Active Directory. In many cases the message is inconsequential and does not cause an import error. In rare cases, however, it can indicate a genuine fault. In any case, check the replication result (compare the number of objects in the AD with the number of replicated objects).
WARN 2008-06-19 11:29:44,110 - de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator[UserReplicationWorker]
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=unitedplanet,DC=de'
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=unitedplanet,DC=de'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2784)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)
at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.UserReplicationJobController$1.run(Unknown Source)
WARN 2008-06-19 11:29:45,637 - de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator[UserReplicationWorker]
Data truncation
This is not an error on the part of Intrexx. User import does not work because there are entries in Active Directory that are too long in one or more records. The maximum field length of the corresponding target data field in the Intrexx Users module is too small or the Active Directory entry is too long.
Possible solutions to prevent an error and termination of replication can be found in the section "Truncate field contents from Active Directory".
Import job finished with errors:
de.uplanet.jdbc.StandardDbException: Error: 0, SQLState: 22001: Data truncation
at de.uplanet.jdbc.sqlserver.SQLServerDescriptor.convertException(Unknown Source)
at de.uplanet.jdbc.JdbcPreparedStatement.executeUpdate(Unknown Source)
at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager._doUpdateInsert(Unknown Source)
at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.insert(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.b(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.b(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.UserReplicationJobController$1.run(Unknown Source)
03.12.2008 15:17:54: *** ERROR OCCURED, JOB STOPPED ***
Class DISTLIST is not castable to the class GROUP
This error occurs when the class of an object in Active Directory is changed. When an object is created, its function is defined by the class (user group or a distribution list).
The conversion of an object such as a distribution list group into a user group or vice versa has effects on Intrexx and the objects replicated there. In the Active Directory, the objects are distinguished by a flag whereas in Intrexx, each object type is managed in its own data group. A conversion results in a replication error:
Error when processing search result:
mail=adresse@domain.de
objectGUID;binary=[B@64250a59
name=Objektbezeichnung
memberOf=CN=Benutzer,OU=Empfänger,DC=row,DC=domain,DC=de
primaryGroupToken=5338
de.uplanet.lucy.usermanager.DsRuntimeException: The dest ds class DISTLIST is not castable to the class GROUP
at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.select(Unknown Source)
at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.select(Unknown Source)
at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.select(Unknown Source)
at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.selectFullRecord(Unknown Source)
at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.selectFullRecord(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.b(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.UserReplicationJob.doWork(Unknown Source)
at de.uplanet.lucy.server.scheduler.AbstractJob.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
Connection timed out: connect
This error occurs when the specified domain controller is unreachable. This may be caused by lack of access permissions to the server or blocked ports. If the error occurs while a replication job is running and has already been successfully set up, the cause may be a server failure or a changed IP address or access permissions. It is important, especially in large organizations with multiple independently maintained domains, that changes are coordinated to avoid such problems.
20.07.2014 22:17:36: *** User Replication Job 912496D87C849A5D109ED500F0D696A01B60D680 STARTED ***
Configuration:06C3620E8A4A3AB57992EF33A0263409CE7727C9 / DOMAIN
javax.naming.CommunicationException: 192.168.10.100:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:209)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:116)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2678)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)
at de.uplanet.lucy.server.usermanager.replication.UserReplicationJob.doWork(Unknown Source)
at de.uplanet.lucy.server.scheduler.AbstractJob.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
Caused by: java.net.ConnectException: Connection timed out: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
at java.net.Socket.connect(Socket.java:529)
at java.net.Socket.connect(Socket.java:478)
at java.net.Socket.<init>(Socket.java:375)
at java.net.Socket.<init>(Socket.java:189)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:351)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:186)
... 18 more
20.07.2014 22:17:57: *** ERROR OCCURRED, JOB STOPPED ***
Tools
The search dialog of JXplorer is useful for testing a query.
Tool websites
Apache Directory Studio: https://directory.apache.org/studio/
LDAP Admin: http://www.ldapadmin.org/
More information
Objects, Classes and Attributes
The areas of the "User" module
Replication - user and group import
Portal login via identity provider
Use proxy server for authentication