SyncPortal2AD
From Sense/Net 6.0 Wiki
General
Users can be synchronized from the portal to an AD by configuring an AD provider in the portal; the provider records every change made on the portal as an AD action node. The saved actions are later synced by running a stand-alone console application, which is located at
\Tools\ADSync\bin\Debug\SyncPortal2AD.exe
When executed, the program walks through all saved actions, connects to the AD servers according to the sync-trees specified in the configuration, and applies the saved changes to the AD in the order in which they were recorded.
For general details please refer to AD sync documentation.
Installation
To configure portal->AD sync, follow these steps:
1. Customize and save the configuration node.
2. Add the following line to the appSettings section of Web.config:
<add key="DirectoryProvider" value="SenseNet.DirectoryServices.ADProvider" />
3. Make sure that the user running the console application has sufficient rights to connect to the AD and to create and modify objects in it.*
4. Optionally, create a task in the task scheduler to run the application periodically.
* Note that the App.config of the application is configured with DesktopAccessProvider, so it is sufficient to create a user in the AD with the same username and password as the currently logged-on Windows user.
Saved actions
If an object under a configured sync-tree is changed on the portal, a saved action node is created under
/Root/System/SystemPlugins/Tools/DirectoryServices/Actions
A saved action node is a standard XML file with content similar to the following:
<?xml version="1.0" encoding="utf-8"?>
<ADAction xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <ActionType>CreateNewADUser</ActionType>
  <NodeId>2123</NodeId>
  <PassWd>1</PassWd>
  <NewPath>/Root/IMS/NATIV/MyOrg/myNewUser</NewPath>
  <LastException>Connecting to AD server failed
    at SenseNet.DirectoryServices.SyncPortal2AD.CreateNewADUser(User user, String newPath, String passwd) in C:\development\SenseNet\Dev\Application\Source\SenseNet\DirectoryServices\SyncPortal2AD.cs:line 313
    at SenseNet.DirectoryServices.ADAction.Execute() in C:\development\SenseNet\Dev\Application\Source\SenseNet\DirectoryServices\ADAction.cs:line 82
    at SenseNet.DirectoryServices.ADProvider.Worker.DoWork(Object threadContext) in C:\development\SenseNet\Dev\Application\Source\SenseNet\DirectoryServices\ADProvider.cs:line 123
Logon failure: unknown user name or bad password.
  </LastException>
</ADAction>
The action file contains the type of the action, the ID of the referenced portal node, and two optional parameters: the cleartext password of the user when it is set or changed, and the path of the object when it is created or moved. The cleartext password is stored here only when the SaveFailedPassword node in the configuration allows it. Note that error information is also recorded here, not only in the log.
If a saved action executes successfully and no error is raised, the corresponding saved action node is deleted. If executing an action fails, the saved action node is updated with the error description and the program moves on to the next action. Failed actions can be re-executed later by running the console application again.
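The action format and replay rules above, as an added Python example that is not part of the Sense/Net tool: it parses a saved action node, flags nodes that hold a cleartext password because SaveFailedPassword allowed it (those files deserve tight ACLs and prompt replay), and models one console run in which successful actions are deleted and failed ones keep their LastException. The sample XML, the node IDs and the password value are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional
# Constructed sample action nodes in the layout shown above (not real portal data).
SAMPLE_ACTIONS = [
    '<?xml version="1.0" encoding="utf-8"?>'
    '<ADAction><ActionType>CreateNewADUser</ActionType><NodeId>2123</NodeId>'
    '<PassWd>constructed-pw</PassWd><NewPath>/Root/IMS/NATIV/MyOrg/myNewUser</NewPath>'
    '<LastException>Logon failure: unknown user name or bad password.</LastException>'
    '</ADAction>',
    '<ADAction><ActionType>CreateNewADUser</ActionType><NodeId>2124</NodeId>'
    '<NewPath>/Root/IMS/NATIV/MyOrg/otherUser</NewPath></ADAction>',
]

@dataclass
class ADAction:
    action_type: str
    node_id: int
    passwd: Optional[str]  # cleartext password, present only when SaveFailedPassword allows it
    new_path: Optional[str]
    last_exception: Optional[str]

def parse_action(xml_text: str) -> ADAction:
    """Parse one saved action node; NodeId is mandatory, the other elements are optional."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "ADAction":
        raise ValueError("not an ADAction document")
    def text(tag: str) -> Optional[str]:
        el = root.find(tag)
        return el.text.strip() if el is not None and el.text else None
    node_id = text("NodeId")
    if node_id is None:
        raise ValueError("NodeId missing")
    return ADAction(text("ActionType") or "", int(node_id), text("PassWd"),
                    text("NewPath"), text("LastException"))

def stores_cleartext_password(action: ADAction) -> bool:
    """Flag nodes that keep a password on disk; such files need tight ACLs and prompt replay."""
    return bool(action.passwd)

def replay(actions: List[ADAction], execute: Callable[[ADAction], None]) -> List[ADAction]:
    """Model of one console run: success drops the node, failure records LastException and continues."""
    remaining = []
    for action in actions:  # saved order is preserved, as in the real tool
        try:
            execute(action)
        except Exception as exc:
            action.last_exception = str(exc)
            remaining.append(action)
    return remaining
```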
FAQ
Q: What happens if I move a synced orgunit to another path in the same sync-tree?
A: The orgunit and all of its contents will be moved on the AD to the corresponding place.
Q: What happens if I move a synced object to a path that is not under any defined sync-tree?
A: An error message pops up, as this move is not permitted.
Q: What happens if I move a synced object to a path that is under a different sync-tree?
A: If the target sync-tree resides on the same AD server as the source sync-tree, the object is moved. Otherwise an error message pops up, as moving objects between different AD servers is not permitted.
Q: What happens if I move an unsynced object under a sync-tree?
A: An error message pops up, as this move is not permitted. Create a new user under the sync-tree instead.
Q: What happens if I create a new user under a sync-tree but the AD server is unavailable?
A: The user is created on the portal and an error is logged. The user can later be synced by re-executing failed actions.
Q: What happens if I create a new user under a sync-tree but the properties defined cause an error in the AD?
A: The user is not created and an error is logged. Try changing user properties and re-executing failed actions.
Q: What happens if I update a user so that its name and some properties are changed but some property changes cause an error in the AD?
A: No changes are applied and an error is logged.
Q: What happens if I update a user so that its name and some properties are changed but the name change causes an error in the AD?
A: Property changes get updated but the name remains unchanged and an error is logged.
Q: What happens if I create a new orgunit but the AD server is unavailable and when it becomes available I create a new user under the created orgunit?
A: Both creating the orgunit and creating the user raise an error and create failed action files. Re-executing these fixes the problem and creates the orgunit and the user in the portal in corresponding order.
Q: What happens if I put an unsynced user in a synced group?
A: A warning is logged. This does not affect the other users in the group.
Q: What happens if I delete a user from the portal?
A: The corresponding user in the AD is disabled and moved to the configured trash folder. It is renamed and its unique property values are prefixed with the date of deletion.
Q: What happens if I delete an orgunit or AD Folder from the portal?
A: Every AD object contained in the corresponding container is deleted, including the container itself. Contained users are disabled and moved to the trash folder (see user deletion).
Q: What happens if I delete a group from the portal?
A: The corresponding AD group is deleted. Contained member users remain unchanged.
Q: What happens if I delete a synced user from the portal and then create a new user with the same properties?
A: The deleted user is moved to trash and a new user is created with a new Guid.
Q: What happens if I configure a sync-tree to refer to an existing portal path with users in it and I update a user?
A: Nothing happens, since the object does not have a Guid and is therefore considered an unsynced object.
Q: What happens if I clear the value of a synced user's property?
A: The corresponding AD property is erased from the user's datasheet.
