Difference between revisions of "Cool Solution - Sync Users and Groups into a second Domain"

From Univention Wiki

Line 17: Line 17:
 
First, you have to install two packets. There is one package each for the source and target systems.
 
First, you have to install two packets. There is one package each for the source and target systems.
  
Install the source package on the leading UCS system:
+
Install the destination package on the target UCS system:
 
<pre>
 
<pre>
univention-install univention-user-group-sync-source
+
apt install univention-user-group-sync-dest
 
</pre>
 
</pre>
further, install the sink package on the target UCS system:
+
This package will create a local service user called 'ucs-sync', which the leading UCS system will transfer it's data to. A password has to be set for this user during the installation, as the leading system needs to create a SSH connection during it's package installation for once. Afterwards, the password isn't needed anymore. The leading UCS system will authorize itself through an identity key.
 +
 
 +
Now, install the source package on the leading UCS system. The hostname or IP address of the target UCS system has to be entered during installation. Further, the set password of user 'ucs-sync' on the target UCS system has to be entered once to transfer an SSH identity file for later authentications
 
<pre>
 
<pre>
univention-install univention-user-group-sync-dest
+
apt install univention-user-group-sync-source
 
</pre>
 
</pre>
  
== Configuration ==
+
After successful installation, the <code>univention-directory-listener</code> service will automatically create files for all user and group objects below the LDAP base. Afterwards, every object change will be tracked.<br>
 +
These files are automatically transferred by a cron job of the leading UCS system and imported again through a cron job of the target UCS system. Both cron jobs are executed every 5 minutes, which can be changed below.
  
You can now configure the connection. All configurations can be done through UCR attributes on the UCS source system.<br>
 
We have a few attributes, that have to be set:
 
{| class=wikitable
 
! UCR variable || Description
 
|-
 
|<code>ldap/sync/filter</code>  || LDAP Filter, that will filter all wanted users and groups out of the source system.<br>'''Note:''' If this variable is empty, a default will be used. The standard filter guarantees ensures that all users and groups are syncronized by nothing else:<br>
 
<code>(|(&(objectClass=posixGroup)(objectClass=univentionGroup))(objectClass=posixAccount))</code>
 
|-
 
|<code>ldap/sync/address</code> || Hostname or IP address of the target UCS system
 
|-
 
|<code>ldap/sync/user</code>    || User name for data transfer, with which the software can connect to the target UCS system through SSH
 
|-
 
|<code>ldap/sync/pwdfile</code> || Path to password file for data transfer to the target UCS system, which contains the password of the transfer user
 
|}
 
  
The variable <code>ldap/sync/filter</code> is needed to guarantee, that only Users and Groups are synchronized. It is at the moment not possible to keep anything else synchronized with this Solution. We will use the default filter, which selects all Users and Groups as noted above. We don't have to restrict the selected Objects further in our example.
+
== Advanced Configuration ==
 
 
The source system needs SSH access to transfer data and execute the script delivered by the sink package to the target system. We will use the ''root'' user of the target system in our example and store it's password in the ''/etc'' folder of the source system:
 
<pre>
 
ucr set ldap/sync/filter="" \
 
ldap/sync/address="192.168.0.20" \
 
ldap/sync/user="root" \
 
ldap/sync/pwdfile="/etc/dmz-root.secret"
 
</pre>
 
  
 +
=== Filter the LDAP objects to be synchronized ===
  
At last, a cron job has to be created to trigger the synchronization of the two UCS systems. The following two UCR variables can be used to define it:
+
By default, all user and group objects below the LDAP base will be synchronized. It is possible to limit the range to be synchronized in an LDAP filter set through the UCR attribute <code>ldap/sync/filter</code>. '''Note:''' It is important, that only user and group objects are listed by the set filter. Other objects aren't supported at this time.<br>
{| class=wikitable
+
The filter <code>(|(&(objectClass=posixGroup)(objectClass=univentionGroup))(objectClass=posixAccount))</code> will be used, if none is set.
! UCR variable || Description
 
|-
 
|<code>cron/ldap-synchronization/time</code>   || The cron job time, which specifies the execution time in Cron syntax (default every 5 minutes: ''*/5 * * * *'')
 
|-
 
|<code>cron/ldap-synchronization/command</code> || The cron job command, which synchronizes the UCS systems (default: see below)
 
|}
 
  
The following code creates a cron job, which is run every 5 minutes and then synchronizes and imports all LDAP changes to Users and Groups into the target system:
+
=== Adjust the synchronization times ===
<pre>
 
ucr set cron/ldap-synchronization/time="*/5 * * * *" \
 
cron/ldap-synchronization/command="univention-ssh-rsync \
 
$(ucr get ldap/sync/pwdfile) --remove-source-files --ignore-missing-args \
 
/var/lib/univention-user-group-sync-source/* \
 
$(ucr get ldap/sync/user)@$(ucr get ldap/sync/address):/var/lib/univention-user-group-sync-sink/ \
 
&& univention-ssh $(ucr get ldap/sync/pwdfile) \
 
$(ucr get ldap/sync/user)@$(ucr get ldap/sync/address) univention_user_group_sync_sink.py"
 
</pre>
 
  
Now, the configuration is done. The source package will write all LDAP changes into files below the ''/var/lib/univention-user-group-sync-source/'' folder, which will be synchronized by the cron job and again be imported by the sink package.
+
The synchronization processes for data transfer and data import are executed every five minutes on both systems. This means, that it can - in theory - take almost up to 10 minutes for an object to be existent on the destination system after it's initial creation.<br>
 +
The process timings can be adjusted through UCR attributes. Attribute <code>cron/ldap-sync-src/time</code> is available on the source UCS system to adjust the data transfer process.<br>
 +
The data import process timing can be adjusted through UCR attribute <code>cron/ldap-sync-dest/time</code>.
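Review bot: The added text names the new timing variables cron/ldap-sync-src/time and cron/ldap-sync-dest/time but drops the Configuration table and the ucr set example that documented ldap/sync/address, ldap/sync/user and ldap/sync/pwdfile, while still saying the target host and the 'ucs-sync' password are "entered during installation"; an administrator reading only the new revision cannot tell which UCR variables the installation sets or how to change the target address afterwards, so the variable table should be kept (with the renamed cron variables). The removed cron command was also the only place that showed what is executed on the target (rsync into /var/lib/univention-user-group-sync-sink/ followed by univention_user_group_sync_sink.py); since the new revision introduces a dedicated 'ucs-sync' account authenticating with an identity key instead of root with a password file under /etc, one sentence on what that account is permitted to run would make the improvement visible. Finally, the added install lines switch from univention-install to apt install; if that is intentional (the new text describes interactive prompts for host and password during installation), say so, otherwise keep the command the rest of the wiki uses.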

Revision as of 15:17, 26 October 2018

UCS Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also regard the legal notes in the Terms of Service.
Note: This article is not yet reviewed.


This article describes how to import users and groups from one domain into a second one through a synchronization mechanism. The implementation keeps the target system in sync with the source system (one-way synchronization).
The external target system does not need to be able to reach the internal source system; only the internal source system must be able to open an SSH connection to the target. This makes the solution especially useful for keeping a server in a DMZ up to date with changes to users and groups in an internal UCS environment that is not reachable from outside. The two systems may have different LDAP bases.

Installation

First, you have to install two packages, one on the source system and one on the target system.

Install the destination package on the target UCS system:

apt install univention-user-group-sync-dest

This package creates a local service user called 'ucs-sync', to which the leading UCS system transfers its data. A password has to be set for this user during installation, because the leading system needs to establish an SSH connection once while its own package is being installed. Afterwards the password is no longer needed: the leading UCS system authenticates with an SSH identity key.

Now install the source package on the leading UCS system. The hostname or IP address of the target UCS system has to be entered during installation. Furthermore, the password set for the 'ucs-sync' user on the target UCS system has to be entered once so that an SSH identity file can be transferred for later authentication.

apt install univention-user-group-sync-source

After successful installation, the univention-directory-listener service automatically creates files for all user and group objects below the LDAP base. From then on, every change to these objects is tracked.
These files are transferred automatically by a cron job on the leading UCS system and imported by a cron job on the target UCS system. Both cron jobs run every 5 minutes; the interval can be changed as described below.


Advanced Configuration

Filter the LDAP objects to be synchronized

By default, all user and group objects below the LDAP base are synchronized. The set of synchronized objects can be narrowed with an LDAP filter set through the UCR variable ldap/sync/filter. Note: the filter must match only user and group objects; other object types are not supported at this time.
If no filter is set, the filter (|(&(objectClass=posixGroup)(objectClass=univentionGroup))(objectClass=posixAccount)) is used.
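A safe way to narrow the filter without ever admitting a non-user, non-group object is to AND the restriction onto the default filter. The following is an added example, not code from the Univention packages; it parses a subset of RFC 4515 filters, builds the combined value for ldap/sync/filter, and evaluates it against constructed sample entries (the restriction uses the UCS attribute univentionObjectType, which the article itself does not mention).

```python
# Added example, not part of the Univention packages. Parses an RFC 4515 filter subset
# (&, |, !, attr=value, attr=*) and ANDs an admin restriction onto the default filter.
import re

DEFAULT_FILTER = ("(|(&(objectClass=posixGroup)(objectClass=univentionGroup))"
                  "(objectClass=posixAccount))")

def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, items, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            node, i = _parse(s, i)
            items.append(node)
        if s[i:i + 1] != ")" or (op == "!" and len(items) != 1):
            raise ValueError("malformed filter near offset %d" % i)
        return (op, items), i + 1
    m = re.match(r"([A-Za-z][\w;-]*)=([^()]*)\)", s[i:])
    if not m:
        raise ValueError("malformed filter item near offset %d" % i)
    return ("=", m.group(1), m.group(2)), i + m.end()

def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    # entry: attribute name -> list of values; names and values compared case-insensitively
    if node[0] == "=":
        _, attr, val = node
        vals = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
        return bool(vals) if val == "*" else any(v.lower() == val.lower() for v in vals)
    op, items = node
    results = [matches(n, entry) for n in items]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]

def sync_filter(restriction=""):
    # Value for 'ucr set ldap/sync/filter=...'; malformed input raises before it is stored.
    parse_filter(restriction or DEFAULT_FILTER)
    return DEFAULT_FILTER if not restriction else "(&%s%s)" % (DEFAULT_FILTER, restriction)

SAMPLES = {  # constructed sample entries, not real directory data
    "alice": {"objectClass": ["posixAccount", "person"], "univentionObjectType": ["users/user"]},
    "staff": {"objectClass": ["posixGroup", "univentionGroup"], "univentionObjectType": ["groups/group"]},
    "printer1": {"objectClass": ["univentionPrinter"], "univentionObjectType": ["shares/printer"]},
}
```

Because the restriction is wrapped as (&(default)(restriction)), a restriction that would match a printer or other unsupported object on its own still yields no such object.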

Adjust the synchronization times

The data transfer and the data import are each run by a cron job every five minutes, one on the source system and one on the target system. Because the two jobs are not coupled, it can in theory take almost 10 minutes after an object is created until it exists on the destination system.
Both intervals can be adjusted through UCR variables: cron/ldap-sync-src/time on the source UCS system controls the data transfer, and cron/ldap-sync-dest/time on the target UCS system controls the data import.
