AD-Sync doesn't ignore computer objects

ad-connection
ucs-4-2

#1

We want to use the AD-connector in sync mode to use UCS in parallel to an AD domain. While installing a new UCS system I chose the option to create a new UCS domain. After the installation was finished I used the Active-Directory-Connection module to set up the sync. After a few minutes the LDAP was completely synced. The manual says that by default only containers, users and groups are synced. Furthermore it explicitly says that computers are not synced. Nevertheless I see all computers from the AD domain in the UCS LDAP-browser.


#2

I can confirm and reproduce that in my testing environment. It seems our documentation regarding this is outdated (we will correct that). Is the sync of the computer accounts at the moment a problem for you?


#3

Thank you for the confirmation. I would prefer to not sync them because I don’t need them. It’s somehow annoying but doesn’t cause any problems. I suppose it would be a solution to add computers to the UCR variable connector/ad/mapping/container/ignorelist and delete all synced computers, wouldn’t it? (I have a bidirectional sync and don’t want to delete the computer from the AD).


#4

To stop new computers or modified ones from syncing, it should be sufficient to set:

ucr set connector/ad/mapping/computer/syncmode=none

and restart the service univention-ad-connector.


#5

I tried

ucr set connector/ad/mapping/container/ignorelist=mail,kerberos,computers

because

connector/ad/mapping/container/ignorelist: mail,kerberos,computers
 The names of LDAP containers specified here are not synchronised by the connector. Multiple values need to be separated by commas. The cn= part is not needed. E.g. to ignore 'cn=mail' simply specify 'mail'.
 Categories: service-adcon

But this variable seems not to be used in any template file. The change had no noticeable effect.

@Grandjean: Thank you for your suggestion. It looks like this should work. Unfortunately this variable does not exist on my system but a rather strange one named con.*/ad/mapping/computer/syncmode:

root@kepler:~# ucr search syncmode
con.*/ad/mapping/computer/syncmode: <empty>
Defines the synchronisation mode for computer objects between the UCS LDAP and Active Directory. The following values are supported: 'read' (Only changes in Active Directory are synchronised to UCS LDAP), 'write' (Only changes in UCS LDAP are synchronised to Active Directory) and 'sync' (bidirectional synchronisation, changes in both directory services are synchronised). If this variable is not set, the value of connector/ad/mapping/syncmode will be used.

A ucr get, ucr set or ucr info on con.*/ad/mapping/computer/syncmode does not work. Can someone help with this behaviour?


#6

Hi and welcome back :slight_smile:

if a variable does not exist, you can simply create it via “ucr set”:

ucr set connector/ad/mapping/computer/syncmode=none

The reason why the connector variables are named a bit strange is the following:
It is possible to run more than one instance of the Univention-AD-Connector on the same host (not via the UMC module, needs to be configured on the shell). This way UCS can sync with several independent MS Active Directories:

                   +-----------+
                   |           |
                   |    UCS    |
          +-------->           <---------+
          |        |           |         |
          |        +-----------+         |
connector |                              | connector2
          |                              |
          |                              |
          |                              |
          |                              |
   +------v-----+                  +-----v------+
   |            |                  |            |
   |            |                  |            |
   |   AD 1     |                  |   AD 2     |
   |            |                  |            |
   |            |                  |            |
   +------------+                  +------------+

The first (default) instance is always called connector but the second can be named as you like as long as it starts with “con”. The “con.*” you see in the UCR variables is just the corresponding regular expression to make this work. Think of it as a placeholder.
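The lookup order from the ucr help text (instance-specific computer/syncmode first, then the instance's general mapping/syncmode) and the con.* placeholder for a second connector instance, as an added shell example that is not from this thread or from Univention. It reads a constructed ucr dump-style listing instead of calling ucr, and the second instance name con2 is an assumption.

```shell
#!/bin/sh
# Constructed sample in `ucr dump` "key: value" form for two connector
# instances. "con2" is an assumed name for the second instance; the thread
# only says the name has to start with "con".
UCR_SAMPLE='connector/ad/mapping/syncmode: sync
connector/ad/mapping/computer/syncmode: none
connector/ad/mapping/container/ignorelist: mail,kerberos,computers
con2/ad/mapping/syncmode: read
con2/ad/mapping/container/ignorelist: mail,kerberos'

# ucr_lookup KEY: print the value stored for KEY, empty if the key is unset
ucr_lookup() {
    printf '%s\n' "$UCR_SAMPLE" | awk -v k="$1" -F': ' '$1 == k { print $2; exit }'
}

# effective_computer_syncmode INSTANCE: resolve the computer syncmode the way
# the help text describes it: <instance>/ad/mapping/computer/syncmode if set,
# otherwise <instance>/ad/mapping/syncmode. The instance name must match the
# con.* placeholder used in the UCR variable descriptions.
effective_computer_syncmode() {
    inst="$1"
    case "$inst" in
        con*) ;;
        *) echo "instance name must start with con: $inst" >&2; return 1 ;;
    esac
    v=$(ucr_lookup "$inst/ad/mapping/computer/syncmode")
    [ -n "$v" ] || v=$(ucr_lookup "$inst/ad/mapping/syncmode")
    printf '%s\n' "$v"
}

# container_ignored INSTANCE CONTAINER: succeed if CONTAINER (without the
# "cn=" part) appears in the instance's comma-separated container ignorelist
container_ignored() {
    list=$(ucr_lookup "$1/ad/mapping/container/ignorelist")
    case ",$list," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}
```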


#7

Thank you, now I understand.

Just for the record: can you tell me something about the connector/ad/mapping/container/ignorelist variable?


#8

Sorry, sure. I just checked and it’s still there and referenced in the attribute/object mapping of the AD-Connector :slight_smile:
With the AD-Connector (and the S4-Connector), those UCR variables are not directly written to a config template file, but are evaluated on every restart of the service (univention-ad-connector) in the so-called mapping-file (somewhere underneath /etc/univention/connector/ad/...).
So it’s still there and should work, even if you don’t see a configuration file that is committed after setting a UCR variable. Not sure why it doesn’t seem to have an effect in your case.
There’s also connector/ad/mapping/ignoresubtree to exclude certain LDAP subtrees (containers or OUs and all child objects).


#9

Okay, thanks. I’ll try the syncmode then :slight_smile: