Cool Solution - Sync Users and Groups into a second Domain
From Univention Wiki
This article describes how to import users and groups from one domain into a second one through a synchronisation mechanism, and how to keep the target system synchronized with changes made on the source system (one-way synchronization).
We assume that the external target system cannot reach the internal source system, but that the internal source system has SSH access to the target. This solution is especially helpful for keeping a system in a DMZ up to date with user and group changes made in an internal UCS environment that the DMZ cannot reach. The two systems may have different LDAP bases.
Two packages have to be installed first: one on the internal source UCS system and one on the external target UCS system.
Install the source package on the internal source UCS system:
Install the sink package on the external target UCS system:
Next, the connection is configured. All configuration is done through UCR variables on the internal UCS source system.
The following variables have to be set on the source system first. The placeholder $IDENTIFIER has to be replaced with a unique identifier name for this connection:
||LDAP filter for sink <identifier>, which selects the users and groups to be synchronized from the source system.|
Note: this variable can be empty, but it has to be set. Connections with an empty filter fall back to the following filters, which restrict synchronization to users and groups:
|ldap/sync/source/$IDENTIFIER/sink/address|Hostname or IP address of the target UCS system to synchronize to|
|ldap/sync/source/$IDENTIFIER/sink/user|User name for the data transfer; the source system connects to the target UCS system through SSH as this user|
|ldap/sync/source/$IDENTIFIER/sink/pwdfile|Path to the password file for the data transfer, which contains the password of the transfer user. The file is read by univention-ssh-rsync and univention-ssh on the source system and should be readable by root only (e.g. mode 0600), since anyone who can read it can log in to the target as the transfer user.|
Finally, a cron job has to be created to trigger the synchronization between the two UCS systems. The following two UCR variables define it:
||The cron job time, which specifies the execution time in cron syntax (default: every 5 minutes, */5 * * * *)|
||The cron job command, which synchronizes the UCS systems (default: see below)|
Again, replace $IDENTIFIER with the chosen unique identifier name. Use the following code as the cron job command; the only part that has to be modified is the IDENT variable at the beginning. The command first transfers the exported change files to the sink with univention-ssh-rsync (the --remove-source-files option deletes each file from the source once it has been transferred) and then runs the import script on the sink through univention-ssh:
IDENT='$IDENTIFIER' && univention-ssh-rsync \
    $(ucr get ldap/sync/source/$IDENT/sink/pwdfile) --remove-source-files --ignore-missing-args \
    /var/lib/univention-user-group-sync-source/$IDENT/* \
    $(ucr get ldap/sync/source/$IDENT/sink/user)@$(ucr get ldap/sync/source/$IDENT/sink/address):/var/lib/univention-user-group-sync-sink/ \
    && univention-ssh $(ucr get ldap/sync/source/$IDENT/sink/pwdfile) \
    $(ucr get ldap/sync/source/$IDENT/sink/user)@$(ucr get ldap/sync/source/$IDENT/sink/address) univention_user_group_sync_sink.py
The source package writes all LDAP changes as files below /var/lib/univention-user-group-sync-source/$IDENT/. The cron job transfers these files to the sink system, where the sink package imports them.
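Before enabling the cron job it is worth checking the connection once by hand. The following script is an added example for that purpose; it is not part of the article or of the Univention sync packages. It assumes only what the cron command above already uses: the three UCR variables ldap/sync/source/$IDENTIFIER/sink/{address,user,pwdfile} and the two spool directories named in the article. The function and variable names (valid_ident, check_pwdfile, build_sync_command, preflight, SRC_SPOOL, SINK_SPOOL) are the example's own. It rejects identifiers with characters that would be unsafe in a UCR key or a path, refuses a password file that is readable by group or others, and prints the cron command with all ucr lookups resolved so the exact command can be reviewed:

```shell
#!/bin/sh
# Added example, not part of the Univention article or the sync packages:
# pre-flight checks for one sync connection before its cron job is enabled.
# Assumptions (not stated on the page): the only UCR variables needed are the
# three the article's cron command reads (sink/address, sink/user,
# sink/pwdfile); the spool paths are the ones the article names.

SRC_SPOOL=/var/lib/univention-user-group-sync-source
SINK_SPOOL=/var/lib/univention-user-group-sync-sink/

# The identifier is spliced into UCR keys and into a filesystem path, so
# restrict it to a safe character set before it is used anywhere.
valid_ident() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The password file is handed to univention-ssh-rsync / univention-ssh; anyone
# who can read it can log in to the sink as the transfer user. Accept only a
# regular file with mode 600 or 400.
check_pwdfile() {
    f=$1
    [ -f "$f" ] || { echo "pwdfile $f is missing or not a regular file" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "pwdfile $f has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Print the article's cron command with the ucr lookups already resolved, so
# the exact command can be reviewed (or run by hand) before it goes into cron.
# The '*' stays literal here; the shell running the cron job expands it.
build_sync_command() {
    ident=$1 address=$2 user=$3 pwdfile=$4
    printf '%s\n' "univention-ssh-rsync $pwdfile --remove-source-files --ignore-missing-args $SRC_SPOOL/$ident/* $user@$address:$SINK_SPOOL && univention-ssh $pwdfile $user@$address univention_user_group_sync_sink.py"
}

# Read the connection's UCR variables and run every check; prints the resolved
# command on success. Needs ucr, so this part only works on a UCS system.
preflight() {
    ident=$1
    valid_ident "$ident" || { echo "identifier '$ident' contains unsafe characters" >&2; return 1; }
    prefix="ldap/sync/source/$ident/sink"
    address=$(ucr get "$prefix/address")
    user=$(ucr get "$prefix/user")
    pwdfile=$(ucr get "$prefix/pwdfile")
    for k in address user pwdfile; do
        eval "v=\$$k"
        [ -n "$v" ] || { echo "$prefix/$k is not set" >&2; return 1; }
    done
    check_pwdfile "$pwdfile" || return 1
    [ -d "$SRC_SPOOL/$ident" ] || echo "note: $SRC_SPOOL/$ident does not exist yet (no change exported so far?)" >&2
    build_sync_command "$ident" "$address" "$user" "$pwdfile"
}

if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

Run it on the source system as `sh preflight.sh <identifier>` after setting the UCR variables; a non-zero exit means one of the checks failed and the reason was printed on stderr. The identifier check matters because the value is interpolated unquoted into both the UCR key names and the spool path in the cron command.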