Difference between revisions of "Cool Solution - Sync Users and Groups into a second Domain"
From Univention Wiki
Revision as of 10:33, 24 October 2018
This article describes how to import users and groups from one domain into a second one through a synchronization system. The implementation keeps the target system in sync with the source system (one-way synchronization).
For this setup to work, the external target system does not need to be able to reach the internal source system. However, the internal source system must be able to gain SSH access to the target. This solution is especially helpful for keeping a server in the DMZ up to date with changes to users and groups in an internal, otherwise inaccessible UCS environment. Both systems are allowed to have different LDAP bases.
First, you have to install two packages. There is one package each for the source and the target system.
Install the source package on the leading UCS system:
Then install the sink package on the target UCS system:
You can now configure the connection. All configurations can be done through UCR attributes on the UCS source system.
A few attributes on the source system have to be set first. The variable $IDENTIFIER contained in their names has to be replaced with a unique identifier name:
ldap/sync/source/$IDENTIFIER/sink/filter: LDAP filter for the sink $IDENTIFIER, which selects all wanted users and groups from the source system.
Note: If this variable is empty, a default is used. The default filter ensures that all users and groups, and nothing else, are synchronized:
ldap/sync/source/$IDENTIFIER/sink/address: Hostname or IP address of the target UCS system
ldap/sync/source/$IDENTIFIER/sink/user: User name for the data transfer, with which the software connects to the target UCS system through SSH
ldap/sync/source/$IDENTIFIER/sink/pwdfile: Path to the password file for the data transfer to the target UCS system, which contains the password of the transfer user
ldap/sync/source/$IDENTIFIER/sink/filter is needed to guarantee that only users and groups are synchronized. It is currently not possible to keep anything else synchronized with this solution. We use the default filter, which selects all users and groups as noted above, and do not restrict the selected objects further in this example. Our unique identifier will be DMZ.
ucr set ldap/sync/source/DMZ/sink/filter="" \
  ldap/sync/source/DMZ/sink/address="192.168.0.20" \
  ldap/sync/source/DMZ/sink/user="root" \
  ldap/sync/source/DMZ/sink/pwdfile="/etc/dmz-root.secret"
Finally, a cron job has to be created to trigger the synchronization between the two UCS systems. The following two UCR variables define it:
cron/ldap-sync-$IDENTIFIER/time: The cron job time, which specifies the execution time in cron syntax (default: every 5 minutes, */5 * * * *)
cron/ldap-sync-$IDENTIFIER/command: The cron job command, which synchronizes the UCS systems (default: see below)
The unique identifier DMZ at the top of the following code has to be replaced again. The following code creates a cron job, which is run every 5 minutes and then synchronizes and imports all LDAP changes to Users and Groups into the target system:
IDENT='DMZ'
ucr set cron/ldap-sync-$IDENT/time="*/5 * * * *" \
  cron/ldap-sync-$IDENT/command="univention-ssh-rsync \
  $(ucr get ldap/sync/source/$IDENT/sink/pwdfile) --remove-source-files --ignore-missing-args \
  /var/lib/univention-user-group-sync-source/$IDENT/* \
  $(ucr get ldap/sync/source/$IDENT/sink/user)@$(ucr get ldap/sync/source/$IDENT/sink/address):/var/lib/univention-user-group-sync-sink/ \
  && univention-ssh $(ucr get ldap/sync/source/$IDENT/sink/pwdfile) \
  $(ucr get ldap/sync/source/$IDENT/sink/user)@$(ucr get ldap/sync/source/$IDENT/sink/address) univention_user_group_sync_sink.py"
The configuration is now complete. The source package writes all LDAP changes into files below the /var/lib/univention-user-group-sync-source/$IDENTIFIER/ folder; the cron job transfers these files to the target, where the sink package imports them.
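Because the transfer password file grants root SSH access to the DMZ host, and because a stalled cron job silently leaves the DMZ system with outdated accounts (a user disabled internally stays active there), a small health check is useful. The following POSIX shell functions are an added example and not part of the Univention packages; they assume only the spool directory layout and the password-file convention described above, and the thresholds passed in are made-up values.

```shell
#!/bin/sh
# Added example (not from the Univention packages): health checks for the
# one-way user/group sync. Assumes the source spool directory
# /var/lib/univention-user-group-sync-source/$IDENT/ and a password file
# as configured in ldap/sync/source/$IDENT/sink/pwdfile.

# Verify the transfer password file is readable by its owner only.
# Usage: check_pwdfile /etc/dmz-root.secret ; returns 0 when mode is 0600/0400.
check_pwdfile() {
    f="$1"
    [ -f "$f" ] || { echo "pwdfile $f missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "pwdfile $f has mode $mode, expected 0600" >&2; return 1 ;;
    esac
}

# Count change files still waiting in the source spool. The cron job moves
# them to the sink with --remove-source-files, so a growing or ageing
# backlog means the sync is stalled and changes are not reaching the DMZ.
# Usage: check_backlog <spool_dir> <max_files> <max_age_minutes>
# Prints "pending=N stale=M"; returns 0 only when both limits are met.
check_backlog() {
    dir="$1"; max_files="$2"; max_age="$3"
    [ -d "$dir" ] || { echo "spool dir $dir missing" >&2; return 1; }
    count=$(find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' ')
    stale=$(find "$dir" -maxdepth 1 -type f -mmin +"$max_age" | wc -l | tr -d ' ')
    echo "pending=$count stale=$stale"
    [ "$count" -le "$max_files" ] && [ "$stale" -eq 0 ]
}

# Example invocation for the identifier DMZ used in this article:
# check_pwdfile "$(ucr get ldap/sync/source/DMZ/sink/pwdfile)" &&
# check_backlog /var/lib/univention-user-group-sync-source/DMZ 50 30
```

Run it from the same cron schedule, or from your monitoring agent, and alert on a non-zero exit status.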