Hey @all,
we started a user account and permissions project and realized that most of the apps use a certain account to read LDAP. We want to split this into a "one LDAP read service account per service" rule.
We came across the simple authentication account, which sounds like a better approach than a user (which is more a person).
However, we realized that we cannot use it for the Active Directory. The test service account is not synced to S4. Is this intended or a bug/error?
There is no ignorelist entry that can match:
superadmin@ucs01:~$ sudo ucr search --brief s4 | grep ignorelist
connector/s4/mapping/container/ignorelist: mail,kerberos,MicrosoftDNS
connector/s4/mapping/dc/ignorelist: <empty>
connector/s4/mapping/dns/ignorelist: _ldap._tcp.Default-First-Site-Name._site
connector/s4/mapping/gpo/ignorelist: <empty>
connector/s4/mapping/group/ignorelist: Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self,Console Logon,Pre-Windows 2000 Compatible Access,Windows Authorization Access Group,IIS_IUSRS
connector/s4/mapping/msprintconnectionpolicy/ignorelist: <empty>
connector/s4/mapping/ou/ignorelist: <empty>
connector/s4/mapping/user/attributes/ignorelist: userCertificate,initials,physicalDeliveryOfficeName,postOfficeBox
connector/s4/mapping/user/ignorelist: root,ucs-s4sync
connector/s4/mapping/windowscomputer/ignorelist: <empty>
connector/s4/mapping/wmifilter/ignorelist: <empty>
and I do not see relevant log entries in /var/log/univention/connector-s4.log
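The following script is an added example, not part of the original post or of Univention's own tooling. It parses `ucr search --brief` output (a constructed sample copied from the ignorelist values above) and reports which ignorelists contain a given object name, so the "no ignorelist entry can match" claim can be checked mechanically before digging into the connector log. It assumes that the S4 connector compares object ignorelist entries against the object's RDN value (uid/cn) and that attribute ignorelists (`.../attributes/ignorelist`) list attribute names rather than objects; both are assumptions. It only checks ignorelist matching, not whether an object type is mapped by the connector at all.

```python
import re
import subprocess

# Constructed sample of `ucr search --brief s4 | grep ignorelist`, taken from
# the values quoted in the post. Replace with live output via ucr_ignorelists().
SAMPLE_UCR_OUTPUT = """\
connector/s4/mapping/container/ignorelist: mail,kerberos,MicrosoftDNS
connector/s4/mapping/dc/ignorelist: <empty>
connector/s4/mapping/group/ignorelist: Windows Hosts,Authenticated Users,Everyone
connector/s4/mapping/user/attributes/ignorelist: userCertificate,initials
connector/s4/mapping/user/ignorelist: root,ucs-s4sync
connector/s4/mapping/windowscomputer/ignorelist: <empty>
"""

# One line per UCR variable: connector/s4/mapping/<mapping>/ignorelist: <csv|<empty>>
IGNORELIST_RE = re.compile(
    r"^connector/s4/mapping/(?P<mapping>[^:\s]+)/ignorelist:\s*(?P<value>.*)$"
)


def parse_ignorelists(text):
    """Map each mapping name (e.g. 'user', 'user/attributes') to its entries.

    '<empty>' is how ucr prints an unset/empty variable, so it yields [].
    """
    lists = {}
    for line in text.splitlines():
        m = IGNORELIST_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value").strip()
        if value == "<empty>" or not value:
            entries = []
        else:
            entries = [e.strip() for e in value.split(",") if e.strip()]
        lists[m.group("mapping")] = entries
    return lists


def matching_ignorelists(lists, name):
    """Return the object mappings whose ignorelist contains `name`.

    Comparison is case-insensitive because AD/Samba treats names that way
    (assumption). Attribute ignorelists are skipped: they hold attribute
    names, not object names (assumption).
    """
    needle = name.lower()
    hits = []
    for mapping, entries in lists.items():
        if mapping.endswith("/attributes"):
            continue
        if needle in (e.lower() for e in entries):
            hits.append(mapping)
    return sorted(hits)


def ucr_ignorelists():
    """Read the live ignorelists on a UCS host (requires the ucr binary)."""
    out = subprocess.run(
        ["ucr", "search", "--brief", "s4"], check=True,
        capture_output=True, text=True,
    ).stdout
    return parse_ignorelists(out)


if __name__ == "__main__":
    lists = parse_ignorelists(SAMPLE_UCR_OUTPUT)
    for name in ("ucs-s4sync", "svc-ldap-read"):   # svc-ldap-read is a made-up name
        hits = matching_ignorelists(lists, name)
        print(name, "->", hits or "no ignorelist entry matches")
```

Run it on the host with `python3 check_ignorelist.py` (the file name is arbitrary); to use live values, replace `SAMPLE_UCR_OUTPUT` with `ucr_ignorelists()`. An empty result for the service account's name confirms the post's observation that the ignorelists are not the reason it is missing in S4, which narrows the question to whether the object's type is handled by the connector's mappings.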