Cool Solution - Sync Users and Groups into a second Domain
From Univention Wiki
This article describes how to import users and groups from one UCS domain into a second one through a synchronisation mechanism. The target system is kept in sync with changes made on the source system (one-way synchronisation); changes made on the target are not propagated back.
We assume that the external target system cannot reach the internal source system, while the internal source system does have SSH access to the target. Only an outbound SSH connection from the internal network into the DMZ is needed, so this solution is especially helpful for keeping a system in a DMZ up to date with user and group changes from an internal UCS environment that is not reachable from outside. The two systems may have different LDAP bases.
First, two packages have to be installed: one on the internal source UCS system and one on the external target UCS system.
Install the source package on the internal source UCS system:
And install the sink package on your external target UCS system:
Next, the connection is configured. All settings are made through UCR variables on the internal UCS source system.
The following UCR variables have to be set on the source system first. The placeholder $IDENTIFIER has to be replaced with a unique identifier for this connection; the same identifier is used in the spool directory and in the cron command below:
{| class="wikitable"
! UCR variable !! Description
|-
| || LDAP filter for sink <identifier>, selecting the users and groups of the source system that are to be synchronised
|-
| ldap/sync/source/$IDENTIFIER/sink/address || Hostname or IP address of the target UCS system to synchronise to
|-
| ldap/sync/source/$IDENTIFIER/sink/user || User name for the data transfer; the source system connects to the target via SSH as this user
|-
| ldap/sync/source/$IDENTIFIER/sink/pwdfile || Path (on the source system) to the password file for the data transfer, containing the password of the transfer user
|}
Note: the filter variable may be empty, but it has to exist. A connection with an empty filter falls back to the following filters, which restrict the synchronisation to user and group objects:
Finally, a cron job has to be created on the source system that triggers the synchronisation between the two UCS systems. It is defined through the following two UCR variables:
{| class="wikitable"
! UCR variable !! Description
|-
| || Cron job time: the execution schedule in cron syntax (default every 5 minutes: */5 * * * *)
|-
| || Cron job command that synchronises the UCS systems (default: see below)
|}
Again, replace $IDENTIFIER with the chosen identifier. Use the following code as the cron job command; the only part that has to be adapted is the assignment to IDENT at the beginning. Cron executes a command up to the end of the line, so enter it into the UCR variable as a single line: the backslashes below only break the command up for readability.
<pre>
IDENT='$IDENTIFIER' && univention-ssh-rsync \
    $(ucr get ldap/sync/source/$IDENT/sink/pwdfile) \
    --remove-source-files --ignore-missing-args \
    /var/lib/univention-user-group-sync-source/$IDENT/* \
    $(ucr get ldap/sync/source/$IDENT/sink/user)@$(ucr get ldap/sync/source/$IDENT/sink/address):/var/lib/univention-user-group-sync-sink/ \
    && univention-ssh $(ucr get ldap/sync/source/$IDENT/sink/pwdfile) \
    $(ucr get ldap/sync/source/$IDENT/sink/user)@$(ucr get ldap/sync/source/$IDENT/sink/address) \
    univention_user_group_sync_sink.py
</pre>
From now on the source package writes every relevant LDAP change as a file below /var/lib/univention-user-group-sync-source/$IDENT/. The cron job copies these files to the target with univention-ssh-rsync (removing them from the source once transferred, because of --remove-source-files) and then runs univention_user_group_sync_sink.py on the target, where the sink package imports them. Two points deserve attention: the password file contains the transfer user's SSH password and is read by root's cron job, so it should be readable by root only; and the transfer user has to be able to write into /var/lib/univention-user-group-sync-sink/ and to run the import script, which makes it a privileged account on the target system.
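As an added example that is not part of the article or of the univention-user-group-sync packages, the following hypothetical wrapper script does what the cron command above does, but refuses to run with a readable-by-others password file, fails early when one of the UCR variables is unset, and uses a lock so that a slow transfer is not overlapped by the next 5-minute run. It assumes the UCR keys ldap/sync/source/$IDENT/sink/address, .../user and .../pwdfile exactly as used in the cron command, that univention-ssh-rsync and univention-ssh take the password file as their first argument (again as in the cron command), and that flock(1) and GNU stat are available; the install path /usr/local/sbin/ugs-sync is an assumption as well.

```shell
#!/bin/sh
# Hypothetical wrapper around the article's cron command (added example, not
# part of univention-user-group-sync). Assumptions: UCR keys
# ldap/sync/source/<ident>/sink/{address,user,pwdfile} as on this page;
# univention-ssh-rsync / univention-ssh take the password file as first
# argument; flock(1) and GNU stat(1) are installed.
set -u

SRC_BASE=/var/lib/univention-user-group-sync-source
SINK_DIR=/var/lib/univention-user-group-sync-sink/
LOCK_DIR=${UGS_LOCK_DIR:-/run/lock}

# Print one sink setting for the given identifier; fail if it is unset.
ugs_cfg() {   # ugs_cfg IDENT address|user|pwdfile
    key="ldap/sync/source/$1/sink/$2"
    val=$(ucr get "$key") || return 1
    if [ -z "$val" ]; then
        echo "UCR variable $key is not set" >&2
        return 1
    fi
    printf '%s\n' "$val"
}

# The password file holds the transfer user's SSH password and is read by
# root's cron job: accept it only if no other user can read it.
ugs_check_pwdfile() {   # ugs_check_pwdfile /path/to/pwdfile
    if [ ! -f "$1" ]; then
        echo "password file $1 does not exist" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "password file $1 has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# One synchronisation run for IDENT: ship the queued change files, then import them.
ugs_sync() {   # ugs_sync IDENT
    ident=$1
    addr=$(ugs_cfg "$ident" address) || return 1
    user=$(ugs_cfg "$ident" user) || return 1
    pwdfile=$(ugs_cfg "$ident" pwdfile) || return 1
    ugs_check_pwdfile "$pwdfile" || return 1

    # A 5-minute schedule can overlap a slow transfer; skip instead of running twice.
    exec 9>"$LOCK_DIR/ugs-sync-$ident.lock"
    if ! flock -n 9; then
        echo "sync for $ident is still running, skipping this run" >&2
        return 0
    fi

    # Same two steps as the article's cron command: rsync the spool, run the sink import.
    univention-ssh-rsync "$pwdfile" --remove-source-files --ignore-missing-args \
        "$SRC_BASE/$ident"/* "$user@$addr:$SINK_DIR" || return 1
    univention-ssh "$pwdfile" "$user@$addr" univention_user_group_sync_sink.py
}

# Cron command to put into the UCR variable: /usr/local/sbin/ugs-sync run $IDENTIFIER
case "${1:-}" in
    run) ugs_sync "${2:?usage: $0 run IDENTIFIER}" ;;
esac
```

With the script installed as /usr/local/sbin/ugs-sync, the cron job command shrinks to `/usr/local/sbin/ugs-sync run $IDENTIFIER`, which avoids the single-line problem of the original command. The checks are deliberately separate functions so that they can be exercised without a target system.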