ID Broker: Migration Guide for Workgroups

With version 1.2.26 of the ID Broker plugin and version 2.3.2 of the UCS@school ID Connector, it is now possible to sync workgroups. This guide walks through how to migrate your current connection so that workgroups are synced to the ID Broker.

Enable Workgroup Support

On the system where the UCS@school ID Connector is installed, we need to update

  • the UCS@school ID Connector to version 2.3.2 or higher,
  • and the package id-broker-plugin to version 1.2.26 or higher.

Note: After installing the new id-broker-plugin, the ID Connector has to be restarted to make use of the updated plugin.

After this, changes like creating, modifying or deleting workgroups and their members on the school authority side will trigger a sync of the respective object to the ID Broker.

Add already existing Workgroups to ID Broker

Please note that syncing one group takes approximately six seconds.

The following part covers the synchronization of already existing groups to the ID Broker.

Create a file containing the names of all workgroups with the following command:

univention-ldapsearch -LLL 'ucsschoolRole=workgroup:*' cn | grep '^cn:' | cut -c 5- > /var/lib/univention-appcenter/apps/ucsschool-id-connector/conf/workgroups_to_synchronize

We can now execute the following commands from the command line:

# open a shell inside the ID Connector app container
univention-app shell ucsschool-id-connector
# schedule all groups
while read -r WORKGROUP; do
    schedule_group "$WORKGROUP"
done < /var/lib/univention-appcenter/apps/ucsschool-id-connector/conf/workgroups_to_synchronize
# remove the file after successful execution
rm /var/lib/univention-appcenter/apps/ucsschool-id-connector/conf/workgroups_to_synchronize
# leave the container shell
exit

The expected output will look like this:

DEBUG: Searching LDAP for group with groupname 'ou1-wg1'...
INFO : Adding group to in-queue: 'cn=ou1-wg1,cn=schueler,cn=groups,ou=ou1,dc=traeger2,dc=test'.
DEBUG: Done.
DEBUG: Searching LDAP for group with groupname 'ou2-wg1'...
INFO : Adding group to in-queue: 'cn=ou2-wg1,cn=schueler,cn=groups,ou=ou2,dc=traeger2,dc=test'.
DEBUG: Done.

This will schedule a sync of the groups existing on the school authority system. The actual sync is performed by the UCS@school ID Connector in the background. We can check its state by looking at the log file of the queue:

less /var/log/univention/ucsschool-id-connector/queues.log

and by checking the length of the queue:

ls -l /var/lib/univention-appcenter/apps/ucsschool-id-connector/data/listener/*.json 2>/dev/null | wc -l

When the number reaches 0, all groups have been synced to the ID Broker.
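
Added example (not part of the original guide): `ldapsearch -LLL` prints LDIF, which base64-encodes values containing non-ASCII characters as `cn:: ...` and folds long lines, and the `grep`/`cut` pipeline used earlier to build the name list would pass such values on garbled. The hypothetical helper `ldif_cn_values` unfolds and decodes them, assuming a `base64` tool that supports `-d`; the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# ldif_cn_values (hypothetical helper): read `ldapsearch -LLL` output on
# stdin and print one decoded cn value per line.

ldif_cn_values() {
    # Step 1: unfold. LDIF continues a long line on the next line,
    # which then starts with exactly one space.
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' |
    # Step 2: "cn: value" is plain text, "cn:: value" is base64.
    while IFS= read -r line; do
        case $line in
            "cn:: "*) printf '%s' "${line#cn:: }" | base64 -d; echo ;;
            "cn: "*)  printf '%s\n' "${line#cn: }" ;;
        esac
    done
}

# Constructed sample input (not real directory data).
sample_ldif() {
    cat <<'EOF'
dn: cn=ou1-wg1,cn=schueler,cn=groups,ou=ou1,dc=traeger2,dc=test
cn: ou1-wg1

dn:: Y249b3UyLUbDtnJkZXIsb3U9b3UyLGRjPXRlc3Q=
cn:: b3UyLUbDtnJkZXI=

dn: cn=ou3-wg-with-a-very-long-name-that-gets-folded-onto-a-continuation-li
 ne,cn=schueler,cn=groups,ou=ou3,dc=traeger2,dc=test
cn: ou3-wg-with-a-very-long-name-that-gets-folded-onto-a-continuation-li
 ne
EOF
}

# Demo run; on a real system the input would come from
#   univention-ldapsearch -LLL 'ucsschoolRole=workgroup:*' cn
sample_ldif | ldif_cn_values
```

Redirecting the helper's output to the workgroups_to_synchronize file gives the same one-name-per-line format the scheduling loop reads.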
