Cool Solution - Sync Users and Groups into a second Domain

From Univention Wiki

UCS Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the shown steps.

Also regard the legal notes at Terms of Service.
Note: This article is not yet reviewed.

This article describes how to import users and groups from one domain into a second one through a synchronization system. The setup keeps the target system in sync with changes made on the source system (one-way synchronization).
We assume that the external target system cannot reach the internal source system, but that the internal source system has SSH access to the target. This solution is especially helpful for keeping a system in a DMZ up to date with user and group changes from an internal UCS environment that is not reachable from the DMZ. The two systems may have different LDAP bases.


We first have to install two packages: one on the internal source UCS system and one on the target system.

Install the source package on the internal source UCS system:

univention-install univention-user-group-sync-source

And install the sink package on your external target UCS system:

univention-install univention-user-group-sync-sink


We will now configure the connection. All configuration is done through UCR variables on the internal UCS source system.
The following variables have to be set first on the source system. The contained variable $IDENTIFIER has to be replaced with a unique identifier name:

UCR variable                               Description
ldap/sync/source/$IDENTIFIER/sink/filter   LDAP filter for the sink $IDENTIFIER, which selects the users and groups that are to be synchronized from the source system.
                                           Note: This variable can be empty, but it has to be set. Connections with an empty filter use the following filters to guarantee that only users and groups are synchronized:

ldap/sync/source/$IDENTIFIER/sink/address  Hostname or IP address of the target UCS system to which we synchronize
ldap/sync/source/$IDENTIFIER/sink/user     User name for the data transfer, with which we connect to the target UCS system through SSH
ldap/sync/source/$IDENTIFIER/sink/pwdfile  Path to the password file for the data transfer to the target UCS system, containing the password of the transfer user

Finally, we have to create a cron job that triggers the synchronization between the two UCS systems. The following two UCR variables define it:

UCR variable                           Description
cron/ldap-sync-$IDENTIFIER/time        Execution time of the cron job in cron syntax (default: every 5 minutes, */5 * * * *)
cron/ldap-sync-$IDENTIFIER/command     Command of the cron job, which synchronizes the UCS systems (default: see below)

Again, replace $IDENTIFIER with the chosen unique identifier name. Use the following code as the cron job command; the only thing that has to be modified is the variable IDENT at the beginning:

IDENT='$IDENTIFIER' && univention-ssh-rsync \
$(ucr get ldap/sync/source/$IDENT/sink/pwdfile) --remove-source-files --ignore-missing-args \
/var/lib/univention-user-group-sync-source/$IDENT/* \
$(ucr get ldap/sync/source/$IDENT/sink/user)@$(ucr get ldap/sync/source/$IDENT/sink/address):/var/lib/univention-user-group-sync-sink/ \
&& univention-ssh $(ucr get ldap/sync/source/$IDENT/sink/pwdfile) \
$(ucr get ldap/sync/source/$IDENT/sink/user)@$(ucr get ldap/sync/source/$IDENT/sink/address)

From now on, the source package writes all LDAP changes into files below the /var/lib/univention-user-group-sync-source/$IDENT/ directory; the cron job transfers these files to the target system, where the sink package imports them.
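Before enabling the cron job it is worth verifying the connection's settings once. The following POSIX shell function is an added example written for this article, not code from the Univention packages: it checks that the three mandatory sink variables are set, that the password file exists and is not readable by other users, that a non-empty filter has balanced parentheses, and that the cron time has five fields. The hypothetical variable UCR_FAKE_FILE lets the function read a key=value file instead of calling ucr get, and the 0600 requirement on the password file is an assumption of this example rather than something the packages enforce.

```shell
#!/bin/sh
# Added example, not part of the Univention packages: sanity-check the UCR
# configuration of one sync connection before enabling its cron job.
# Assumption: UCR_FAKE_FILE (hypothetical) names a key=value file that is read
# instead of "ucr get", so the check can be exercised offline.

ucr_get() {
    if [ -n "${UCR_FAKE_FILE:-}" ]; then
        sed -n "s|^$1=||p" "$UCR_FAKE_FILE"
    else
        ucr get "$1"
    fi
}

# check_sync_config IDENT: prints every problem found, returns 1 if there was one
check_sync_config() {
    ident=$1; base="ldap/sync/source/$ident/sink"; rc=0
    # address, user and pwdfile must all be set
    for key in address user pwdfile; do
        if [ -z "$(ucr_get "$base/$key")" ]; then
            echo "missing: $base/$key"; rc=1
        fi
    done
    # the password file grants SSH access to the sink: keep it root-only (0600)
    pwdfile=$(ucr_get "$base/pwdfile")
    if [ -n "$pwdfile" ] && [ ! -f "$pwdfile" ]; then
        echo "pwdfile not found: $pwdfile"; rc=1
    elif [ -n "$pwdfile" ]; then
        mode=$(stat -c '%a' "$pwdfile" 2>/dev/null || stat -f '%Lp' "$pwdfile")
        case "$mode" in
            600|400) ;;
            *) echo "pwdfile $pwdfile has mode $mode, expected 600"; rc=1 ;;
        esac
    fi
    # a non-empty LDAP filter must at least have balanced parentheses
    filter=$(ucr_get "$base/filter")
    opens=$(( $(printf '%s' "$filter" | tr -cd '(' | wc -c) ))
    closes=$(( $(printf '%s' "$filter" | tr -cd ')' | wc -c) ))
    if [ "$opens" -ne "$closes" ]; then
        echo "unbalanced LDAP filter: $filter"; rc=1
    fi
    # the cron schedule needs exactly five fields (e.g. */5 * * * *)
    fields=$(( $(ucr_get "cron/ldap-sync-$ident/time" | wc -w) ))
    if [ "$fields" -ne 5 ]; then
        echo "cron/ldap-sync-$ident/time must have 5 fields, got $fields"; rc=1
    fi
    return "$rc"
}
```

On a real source system, run it as check_sync_config $IDENTIFIER without UCR_FAKE_FILE set; an exit status of 0 means no problem was found.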
