Cool Solution - Sync Users and Groups into a second Domain

From Univention Wiki

UCS Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the steps shown in the article are covered by Univention Support. If you have questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Please also note the legal notes in the Terms of Service.

Note: This article is not yet reviewed.

This article describes how to import users, simple authentication accounts and groups from one domain into a second one through a synchronization system. The implementation keeps the target system in sync with the source system (one-way synchronization).
For this setup to work, the external target system does not need to be able to reach the internal source system. However, the internal source system must be able to gain SSH access to the target. This solution is especially helpful for keeping a server in the DMZ up to date with changes to users and groups in an internal, inaccessible UCS environment. The two systems are allowed to have different LDAP bases.

Warning: Existing users, simple authentication accounts and groups on the target system might be overwritten by this synchronization system. This solution offers a one-way synchronization service, which means that objects created locally in the target LDAP system are not protected.


Please note that the target system needs the same mail domains to be able to import users that have e-mail addresses set. These can easily be created through the UMC module Mail with the Mail domain object type.
In addition, all containers and organisational units that contain objects to be synced have to be created manually on the target system.

If needed, it is additionally possible to synchronize User Certificates from the Cool Solution - Creation and management of user and Windows certificates. For this to work, the target system at minimum needs the package 'univention-ldap-usercert' installed. Additionally, the feature has to be enabled through UCR attribute ldap/sync/certificates on the target system.

Note that currently the following attributes are synchronized:

Display name
First name
Last name
Primary e-mail address
User name
User Certificate (see above)


First, you have to install two packages, one for the source system and one for the target system. It is necessary to use apt or apt-get and not univention-install for the installation to succeed.

Install the destination package on the target UCS system:

apt install univention-user-group-sync-dest

This package will create a local service user called 'ucs-sync', through which the leading UCS system will transfer its data. A password has to be set for this user during the installation, because the leading system needs to open an SSH connection once during its own package installation. Afterwards, the password isn't needed anymore. The leading UCS system will authenticate itself with an identity key.

Now, install the source package on the leading UCS system. The hostname or IP address of the target UCS system has to be entered during installation. In addition, the password set for user 'ucs-sync' on the target UCS system has to be entered once to transfer an SSH identity file for later authentications:

apt install univention-user-group-sync-source

After successful installation, the univention-directory-listener service will automatically create files for all user and group objects below the LDAP base. Afterwards, every object change will be tracked.
These files are automatically transferred by a cron job on the leading UCS system and imported by another cron job on the target UCS system. Both cron jobs are executed every 5 minutes, which can be changed as described below.
The temporary files can be found in folder /var/lib/univention-user-group-sync/, if needed.

Advanced Configuration

Filter the LDAP objects to be synchronized

By default, all user and group objects below the LDAP base will be synchronized. It is possible to limit the range to be synchronized with an LDAP filter set through the UCR attribute ldap/sync/filter. Note: The LDAP filter set won't replace the default filter, but append to it as a second filter.
The default filter: (&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=univentionMail)(objectClass=sambaSamAccount)(objectClass=simpleSecurityObject)(objectClass=inetOrgPerson)(objectClass=univentionGroup))(!(objectClass=univentionHost))(!(univentionObjectFlag=hidden))(!(uidNumber=0))(!(uid=*$))).
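To see which objects the default filter would export to the target, the following added example (not part of the Cool Solution packages) evaluates it against constructed entries with a minimal filter evaluator covering only AND, OR, NOT and equality with '*' wildcards. The sample entries and the function names are hypothetical, and combining the custom filter with the default by AND is an assumption based on the note above.

```python
import re

# Default filter as quoted on this page.
DEFAULT_FILTER = (
    "(&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=univentionMail)"
    "(objectClass=sambaSamAccount)(objectClass=simpleSecurityObject)(objectClass=inetOrgPerson)"
    "(objectClass=univentionGroup))(!(objectClass=univentionHost))(!(univentionObjectFlag=hidden))"
    "(!(uidNumber=0))(!(uid=*$)))"
)

def parse(f, i=0):
    """Parse the filter starting at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # skip the closing ')'
    end = f.index(")", i)
    attr, pattern = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), pattern), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against {lowercase attribute: [values]}."""
    if node[0] in "&|":
        results = [matches(kid, entry) for kid in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    rx = ".*".join(re.escape(p) for p in node[2].split("*"))  # '*' wildcard
    return any(re.fullmatch(rx, v, re.I) for v in entry.get(node[1], []))

def is_synced(entry, extra_filter=None):
    # Assumption: the value of ldap/sync/filter is ANDed with the default filter.
    text = f"(&{DEFAULT_FILTER}{extra_filter})" if extra_filter else DEFAULT_FILTER
    return matches(parse(text)[0], {k.lower(): v for k, v in entry.items()})

# Constructed sample entries, not taken from a real directory.
SAMPLES = {
    "alice": {"objectClass": ["posixAccount", "shadowAccount"], "uid": ["alice"], "uidNumber": ["2001"]},
    "root": {"objectClass": ["posixAccount", "shadowAccount"], "uid": ["root"], "uidNumber": ["0"]},
    "dc01$": {"objectClass": ["posixAccount", "shadowAccount", "univentionHost"], "uid": ["dc01$"]},
    "hidden-svc": {"objectClass": ["simpleSecurityObject"], "uid": ["hidden-svc"], "univentionObjectFlag": ["hidden"]},
    "Domain Users": {"objectClass": ["univentionGroup"], "cn": ["Domain Users"]},
}

def synced_names(extra_filter=None):
    return sorted(n for n, e in SAMPLES.items() if is_synced(e, extra_filter))
```

Running synced_names() before enabling the sync shows that the root account, host accounts and hidden objects stay on the source, while every ordinary user, simple authentication account and group leaves the internal domain unless a custom filter narrows the set.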

Adjust the synchronization times

The synchronization processes for data transfer and data import are executed every five minutes on both systems. This means that, in theory, it can take up to almost 10 minutes for an object to exist on the destination system after its initial creation.
The process timings can be adjusted through UCR attributes. Attribute cron/ldap-sync-src/time is available on the source UCS system to adjust the data transfer process.
The data import process timing can be adjusted through UCR attribute cron/ldap-sync-dest/time.

Resynchronize all Users and Groups

The following command can be used on the source system to regenerate the files for all user and group objects:

univention-directory-listener-ctrl resync univention_user_group_sync_source_generate


"LDAP_Error: No such object"

This error occurs if an object couldn't be created because a container in its path is missing on the target system. The path of the object that the import last tried to create can be found either in the log file '/var/log/univention/user-group-sync.log' or in the first temporary file in folder '/var/lib/univention-user-group-sync/'.
Please manually create all missing container objects in the object's path.
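The containers that have to exist on the target can be worked out in advance from the DNs of the objects to be synced. The following added example (not part of the Cool Solution packages) does this for constructed DNs; the function names, the sample DNs and both LDAP bases are hypothetical, and it assumes that an object keeps its path relative to the LDAP base on the target.

```python
import re

def split_dn(dn):
    """Split a DN into RDNs; backslash-escaped commas stay inside their RDN."""
    return [part.strip() for part in re.findall(r"(?:\\.|[^,\\])+", dn)]

def required_containers(source_dns, source_base, target_base):
    """Return the container/OU DNs needed on the target, parents first."""
    base = [rdn.lower() for rdn in split_dn(source_base)]
    needed = set()
    for dn in source_dns:
        rdns = split_dn(dn)
        if [rdn.lower() for rdn in rdns[-len(base):]] != base:
            raise ValueError(f"{dn!r} is not below {source_base!r}")
        # Drop the object's own RDN and the source base; the rest are containers.
        parents = rdns[1:len(rdns) - len(base)]
        for depth in range(len(parents)):
            # Assumption: same relative path, with the target's LDAP base appended.
            needed.add(",".join(parents[depth:] + [target_base]))
    return sorted(needed, key=lambda d: (len(split_dn(d)), d.lower()))

# Constructed sample data: bases and object DNs are made up for illustration.
SOURCE_BASE = "dc=intern,dc=example,dc=com"
TARGET_BASE = "dc=dmz,dc=example,dc=org"
SAMPLE_DNS = [
    "uid=alice,cn=users,dc=intern,dc=example,dc=com",
    "uid=bob,ou=Sales,ou=Staff,dc=intern,dc=example,dc=com",
    "cn=Sales\\, EMEA,cn=groups,dc=intern,dc=example,dc=com",
]

if __name__ == "__main__":
    for container in required_containers(SAMPLE_DNS, SOURCE_BASE, TARGET_BASE):
        print(container)
```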
