Cool Solution - Sync Users and Groups into a second Domain

From Univention Wiki

Revision as of 16:09, 22 October 2018 by Hpeter (talk | contribs)
UCS Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions repository are built by Univention but are not maintained. Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown here.

Also note the legal notes at Terms of Service.
Note: This article is not yet reviewed.

This article describes how to import users and groups from one UCS domain into a second one by means of a synchronization system that keeps the target system up to date with changes made on the source system (one-way synchronization).
We assume that the external target system cannot reach the internal source system, but that the internal source system has SSH access to the target. This setup is especially useful for keeping a system in a DMZ up to date with user and group changes from an internal UCS domain that is not reachable from the DMZ. The two systems may have different LDAP bases.


We first have to install two packages: one on the internal source UCS system and one on the target system.

Install the source package on the internal source UCS system:

univention-install univention-user-group-sync-source

And install the sink package on the external target UCS system:

univention-install univention-user-group-sync-sink


We will now configure the connection. All configuration is done through UCR variables on the internal UCS source system.
The following variables have to be set on the source system first. Replace $IDENTIFIER with a unique identifier name for this connection:

UCR variable                                 Description
ldap/sync/source/$IDENTIFIER/sink/filter     LDAP filter for sink $IDENTIFIER that selects the users and groups to be taken from the source system. The variable has to be set, but may be empty: a connection with an empty filter falls back to built-in default filters that restrict the synchronization to users and groups.
ldap/sync/source/$IDENTIFIER/sink/address    Hostname or IP address of the target UCS system to synchronize to
ldap/sync/source/$IDENTIFIER/sink/user       User name for the data transfer; the source system connects to the target system as this user via SSH
ldap/sync/source/$IDENTIFIER/sink/pwdfile    Path to a file on the source system containing the password of the transfer user. Since it holds a credential for the target system, the file must only be readable by root (for example mode 0600).

Finally, we have to create a cron job that triggers the synchronization between the two UCS systems. It is defined through the following two UCR variables:

UCR variable                           Description
cron/ldap-sync-$IDENTIFIER/time        Execution time of the cron job in cron syntax (default: every 5 minutes, */5 * * * *)
cron/ldap-sync-$IDENTIFIER/command     Command the cron job runs to synchronize the two UCS systems (default: see below)

Again, replace $IDENTIFIER with the chosen identifier. Use the following code as the cron job command; the only part that has to be adapted is the assignment of IDENT at the beginning:

IDENT='$IDENTIFIER' && univention-ssh-rsync \
$(ucr get ldap/sync/source/$IDENT/sink/pwdfile) --remove-source-files --ignore-missing-args \
/var/lib/univention-user-group-sync-source/$IDENT/* \
$(ucr get ldap/sync/source/$IDENT/sink/user)@$(ucr get ldap/sync/source/$IDENT/sink/address):/var/lib/univention-user-group-sync-sink/ \
&& univention-ssh $(ucr get ldap/sync/source/$IDENT/sink/pwdfile) \
$(ucr get ldap/sync/source/$IDENT/sink/user)@$(ucr get ldap/sync/source/$IDENT/sink/address)

From now on, the source package writes every matching LDAP change into files below /var/lib/univention-user-group-sync-source/$IDENT/. The cron job transfers these files to the sink (and, because of --remove-source-files, deletes them from the source system only after a successful transfer), and the sink package imports them into the target domain. Check that the transfer user can log in to the target system and write to /var/lib/univention-user-group-sync-sink/; if the transfer fails, the change files accumulate on the source system and no changes reach the target.
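The following script, added here as an example and not part of the Cool Solution packages, carries the whole procedure through for one connection on the internal source system: it creates the password file with restrictive permissions, refuses to continue if that file is readable by others, builds the cron command from the article for the chosen identifier, and sets all six UCR variables in one ucr call. The identifier "dmz", the sink host dmz-dc.example.com, the transfer user "ldapsync", the password file path and the LDAP filter are assumptions for illustration; the filter selects UDM user and group objects via univentionObjectType, which is only one possible choice.

```shell
#!/bin/bash
# Added example, not part of the Cool Solution: configure one sync connection
# on the internal UCS source system. The values below are assumptions.
set -u

IDENT='dmz'                                          # assumed identifier
SINK_HOST='dmz-dc.example.com'                       # assumed target UCS system
SINK_USER='ldapsync'                                 # assumed transfer user on the sink
PWDFILE="/etc/univention/ldap-sync-${IDENT}.secret"  # assumed password file path
# Assumed filter: only UDM user and group objects leave the source domain.
FILTER='(|(univentionObjectType=users/user)(univentionObjectType=groups/group))'

# Write the transfer password under a restrictive umask, so the file is never
# readable by others even for an instant, then pin the mode to 0600.
write_pwdfile() {
    local f="$1" secret="$2"
    ( umask 077 && printf '%s\n' "$secret" > "$f" ) || return 1
    chmod 0600 "$f"
}

# Return 0 only if the file exists and has no group/other permission bits.
pwdfile_is_private() {
    local f="$1" mode
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the cron command from the article with IDENT filled in. The
# $(ucr get ...) parts stay in single quotes here, so they are expanded by
# cron's shell at run time, not while this script runs.
sync_cron_command() {
    local ident="$1"
    local g='$(ucr get ldap/sync/source/$IDENT/sink'
    printf '%s\n' "IDENT='${ident}' && univention-ssh-rsync ${g}/pwdfile) --remove-source-files --ignore-missing-args /var/lib/univention-user-group-sync-source/\$IDENT/* ${g}/user)@${g}/address):/var/lib/univention-user-group-sync-sink/ && univention-ssh ${g}/pwdfile) ${g}/user)@${g}/address)"
}

# Set all UCR variables for the connection (needs root on a UCS system with
# univention-user-group-sync-source installed; only run via "apply").
apply_config() {
    pwdfile_is_private "$PWDFILE" || {
        echo "refusing: $PWDFILE is missing or readable by other users" >&2
        return 1
    }
    ucr set \
        "ldap/sync/source/${IDENT}/sink/filter=${FILTER}" \
        "ldap/sync/source/${IDENT}/sink/address=${SINK_HOST}" \
        "ldap/sync/source/${IDENT}/sink/user=${SINK_USER}" \
        "ldap/sync/source/${IDENT}/sink/pwdfile=${PWDFILE}" \
        "cron/ldap-sync-${IDENT}/time=*/5 * * * *" \
        "cron/ldap-sync-${IDENT}/command=$(sync_cron_command "$IDENT")"
}

case "${1:-}" in
    apply)
        # usage: ./setup-sync.sh apply   (prompts for the transfer user's password)
        read -r -s -p "password for ${SINK_USER}@${SINK_HOST}: " secret; echo
        write_pwdfile "$PWDFILE" "$secret" && apply_config
        ;;
esac
```

Run it with the argument apply as root on the source system; without an argument it only defines the functions, which makes it easy to inspect the generated cron command first (for example by sourcing the script and calling sync_cron_command dmz). The cron command is stored in UCR exactly as the article shows it, as a single line; cron does not understand backslash line continuations, so do not copy the line breaks from the article into the UCR value.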
