Synchronization of several Active Directory domains with one UCS 5.0 directory service

As described in the manual, it is possible to configure and run multiple AD-Connector instances to synchronize user and group objects from or to several different Active Directory domains.

With UCS 5.0, two things changed regarding the mapping configuration. First, the AD-Connector no longer uses the UCR template file mapping but instead a pure Python file. Second, this file needs to contain Python 3.7 compatible program code.

In UCS 4.4, the AD-Connector read the UCR template mapping during startup and converted it into a Python file in the same directory. That Python file was then imported for execution.

In UCS 5.0, the AD-Connector no longer considers the UCR template mapping but directly loads its default mapping (a Python module), which in turn checks for a file. If that exists (under /etc/univention/con*/ad/), then it attempts to load it and call a function mapping_hook.

Before updating a UCS 4.4 system running multiple AD-Connector instances to UCS 5.0, the individual /etc/univention/con*/ad/ files need to be copied to a new filename, and the mapping_hook function needs to be added to it, as described in the manual. Additionally, the Python code needs to be checked for Python 3 compatibility, see e.g. Univention Corporate Server

Assuming the additional connector instance is called connector2, this is an example of the required steps before the update:


CONFIGBASENAME="connector2"

# mapping
if ! [ -e /etc/univention/"$CONFIGBASENAME"/ad/ ]; then
    cat /etc/univention/"$CONFIGBASENAME"/ad/mapping \
        | univention-config-registry filter --encode-utf8 \
    mv /etc/univention/"$CONFIGBASENAME"/ad/ \
    sed -i 's/baseConfig as configRegistry,/configRegistry,/' \
    echo -e 'def mapping_hook(org_mapping):\n    return ad_mapping' \
        >> /etc/univention/"$CONFIGBASENAME"/ad/
fi

# start script
mv /usr/sbin/univention-ad-"$CONFIGBASENAME" \
cp /usr/sbin/univention-ad-connector \
sed  -i "s|\(python3 -W ignore -m\) \(.*\)|python3 -W ignore -m --configbase \"$CONFIGBASENAME\" \2|" /usr/sbin/univention-ad-"$CONFIGBASENAME"
sed  -i "s|\(python2.7 -W ignore -m\) \(.*\)|python3 -W ignore -m --configbase \"$CONFIGBASENAME\" \2|" /usr/sbin/univention-ad-"$CONFIGBASENAME"

After the update the functionality of the connector instances has to be checked.
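Before the update, each converted mapping file can also be checked for the two requirements described above: that it parses as Python 3.7 and that it defines mapping_hook. The following is an added example, not part of the original article or of the AD-Connector. The function name check_mapping_source, the module name example_module and the sample strings are constructed for illustration, and the path of each mapping file is passed on the command line.

```python
import ast
import sys

# Constructed samples (not real mapping files); example_module is hypothetical.
UNCONVERTED = ('from example_module import baseConfig as configRegistry, other\n'
               'ad_mapping = {}\n')
CONVERTED = ('from example_module import configRegistry, other\n'
             'ad_mapping = {}\n'
             'def mapping_hook(org_mapping):\n    return ad_mapping\n')
PYTHON2 = 'print "loading mapping"\n'


def check_mapping_source(source, filename="<mapping>"):
    """Return a list of problems found in a connector mapping file's source."""
    # feature_version exists from Python 3.8 on; a 3.7 interpreter already
    # parses with the 3.7 grammar.
    kwargs = {"feature_version": (3, 7)} if sys.version_info >= (3, 8) else {}
    try:
        tree = ast.parse(source, filename=filename, **kwargs)
    except SyntaxError as exc:
        return ["not valid Python 3.7 (line %s): %s" % (exc.lineno, exc.msg)]
    problems = []
    hooks = [n for n in tree.body
             if isinstance(n, ast.FunctionDef) and n.name == "mapping_hook"]
    if not hooks:
        problems.append("no top-level mapping_hook() function")
    else:
        hook = hooks[-1]  # a later definition overrides an earlier one
        # Assumption: same shape as the hook shown in the article.
        if len(hook.args.args) != 1:
            problems.append("mapping_hook() does not take one parameter")
        if not any(isinstance(n, ast.Return) and n.value is not None
                   for n in ast.walk(hook)):
            problems.append("mapping_hook() never returns a mapping")
    # The sed step in the article rewrites 'baseConfig as configRegistry,'.
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            if any(alias.name == "baseConfig" for alias in node.names):
                problems.append("line %d still imports baseConfig" % node.lineno)
    return problems


if __name__ == "__main__":
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            for problem in check_mapping_source(handle.read(), path):
                failed = True
                print("%s: %s" % (path, problem))
    sys.exit(1 if failed else 0)
```

The script exits non-zero if any file passed to it has a problem, so it can gate the update in a wrapper script.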