HCL Domino V11 – Directory Synchronization – Part 6

Synchronize users

In this part of the tutorial, we look at what happens when DirSync synchronizes objects from Active Directory.

Let’s first take a look into the Directory Assistance document for the AD domain to find the BaseDN.

Using LDAPAdmin, we can now navigate to CN=Sync under the root entry DC=ad,DC=fritz,DC=box. This is where DirSync will look for users and groups to sync to the target directory.

Our Directory Sync document for domain AD has an LDAPFilter applied to sync only a subset of all entries under the BaseDN.

In this sample, only Darth Vader has a mail address that matches the filter criteria.

Let’s see what happens when DirSync kicks in.

DirSync connects to the Active Directory using the information from the Directory Assistance document for domain AD. It then finds the configured baseDN and evaluates the LDAP filter expression.

[0290:0004-16DC] DirSync  CSyncFromAD::SyncSpan (NAMEldap_search_ext_s call) : (&(&(|(objectClass=Group)(objectClass=Person))(|(mail=@brightside.)(mail=@darkside.)(mail=@msdn.)))(uSNChanged>=234898)) took 1 msec

[0290:0004-16DC] DirSync  Processing ldap entry (SyncSpan) #1 from page #1, total entries #1: 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box'

DirSync has identified “Darth Vader” as a valid candidate for sync, creates a new document in the target directory and copies the values from the object attributes in Active Directory to the matching Notes items in the document.

[0290:0004-16DC] DirSync  Modified LastName from '' to 'Vader'
[0290:0004-16DC] DirSync  Modified OfficeCity from '' to 'Tatooine'
[0290:0004-16DC] DirSync  Modified OfficeState from '' to 'Alpha Quadrant'
[0290:0004-16DC] DirSync  Modified o from '' to 'Dark Side Inc.'
[0290:0004-16DC] DirSync  Modified JobTitle from '' to 'Bad Guy'
[0290:0004-16DC] DirSync  Modified Comment from '' to 'description'
[0290:0004-16DC] DirSync  Modified OfficeNumber from '' to 'Deathstar'
[0290:0004-16DC] DirSync  Modified OfficePhoneNumber from '' to '+99(555)DEATHSTAR'
[0290:0004-16DC] DirSync  Modified FirstName from '' to 'Darth'
[0290:0004-16DC] DirSync  Modified memberOf from '' to 'CN=starwars,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] DirSync  Modified uSNChanged from '' to '234898'
[0290:0004-16DC] DirSync  Modified WebSite from '' to 'www.deathstar.info'
[0290:0004-16DC] DirSync  Modified objectGUID from '' to '8e7032bd93bded4782479eaf66208b25'
[0290:0004-16DC] DirSync  Modified InternetAddress from '' to 'd.vader@brightside.org'
[0290:0004-16DC] DirSync  Modified MailAddress from '' to 'd.vader@brightside.org'
[0290:0004-16DC] DirSync  Modified MailSystem from '' to '5'
[0290:0004-16DC] DirSync  'person' Document updated, Common Name = 'CN=Darth Vader' 
[0290:0004-16DC] DirSync  CSyncFromAD::DoModify - Added New Note for 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box'

Finally, DirSync saves the document and prints the sync summary.

[0290:0004-16DC] DirSync  
[0290:0004-16DC] 21.01.2020 11:01:03   DIRSYNC From Active Directory (AD) - Summary (0.037 sec, Start=234898, Adds=1, Modifies=0, Deletes=0, Skips=0, Errors=0, End=234898)

Opening names.nsf in the Admin Client, you’ll find a new entry for “Darth Vader”. An icon indicates that this entry has been synced by DirSync.

Additional fields to sync

DirSync by default syncs standard attributes from an Active Directory object to Notes items in the target directory document.

The name in parentheses is not the name of the target Notes item; it is only descriptive. The actual mapping of an attribute to a Notes item is done via the schema.nsf database on the server.

You can extend this list with additional attributes (highlighted in yellow).

In our sample, the additional attribute “o” is mapped to the corresponding Notes item “o”.

Currently there is an issue with multi-value items. There is no such type in Active Directory; multiple values are stored in attributes of the same name.
DirSync only syncs the first attribute. This is a known limitation that will be addressed in a future version.

Another known issue concerns attributes of type “Image”. They are currently not synced to the person document. The issue is tracked under SPR MOBNBJGSL6 and targeted for V11.0.1.

Internal fields

DirSync adds a couple of internal items to the person document that are needed to identify an Active Directory object in the target directory.

These items should not be modified!

Modifications in Active Directory

During a scheduled sync, DirSync processes only objects that have been changed since the last sync (based on uSNChanged).

[0290:0004-16DC] DirSync  Processing ldap entry (SyncSpan) #1 from page #1, total entries #1: 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] DirSync  Entry with mail address 'd.vader@brightside.org' - NoteID 33050 was found in the target directory.
[0290:0004-16DC] DirSync  CSyncFromAD::DoModify(dn = 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
[0290:0004-16DC] DirSync  Modified o from 'Dark Side Inc L' to 'Dark Side Inc.'
[0290:0004-16DC] DirSync  Modified uSNChanged from '234927' to '234930'
[0290:0004-16DC] DirSync  'person' Document updated, UTF8 Name = 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box' 
[0290:0004-16DC] DirSync  CSyncFromAD::DoModify - Modified existing Note for 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] DirSync  
[0290:0004-16DC] 21.01.2020 13:48:06   DIRSYNC From Active Directory (AD) - Summary (0.022 sec, Start=234930, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=234930)

Be careful when you set an already synced attribute to an empty value: AD removes such attributes from the object entirely. As a result, the target document will not be modified.

I removed the value from the “o” attribute in the user object. The attribute was removed completely from the object.
DirSync recognised the change and processed the object. But it could no longer find the “o” attribute and left the item in the person document unchanged.

[0290:0004-16DC] DirSync  Processing ldap entry (SyncSpan) #1 from page #1, total entries #1: 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] DirSync  Entry with mail address 'd.vader@brightside.org' - NoteID 33050 was found in the target directory.
[0290:0004-16DC] DirSync  
DirSync  CSyncFromAD::DoModify(dn = 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box', newentry=0)
[0290:0004-16DC] DirSync  Modified uSNChanged from '234935' to '234936'
[0290:0004-16DC] DirSync  'person' Document updated, UTF8 Name = 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box' 
[0290:0004-16DC] DirSync  CSyncFromAD::DoModify - Modified existing Note for 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] DirSync  
[0290:0004-16DC] 21.01.2020 13:59:06   DIRSYNC From Active Directory (AD) - Summary (0.022 sec, Start=234936, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=234936)
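As an added example (not code from the original post or from HCL), the following Python script parses DirSync console lines like those quoted above, collects the changed Notes items per object together with the summary counters, and flags the case just described, where an object was processed but nothing except uSNChanged changed. The log text is a constructed sample modelled on the output above.

```python
import re

# Constructed sample, modelled on the DirSync console lines quoted in this post:
# a run in which the cleared "o" attribute left only uSNChanged to change.
SAMPLE_LOG = """\
[0290:0004-16DC] DirSync  Processing ldap entry (SyncSpan) #1 from page #1, total entries #1: 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] DirSync  Entry with mail address 'd.vader@brightside.org' - NoteID 33050 was found in the target directory.
[0290:0004-16DC] DirSync  Modified uSNChanged from '234935' to '234936'
[0290:0004-16DC] DirSync  CSyncFromAD::DoModify - Modified existing Note for 'CN=Darth Vader,CN=Sync,DC=ad,DC=fritz,DC=box'
[0290:0004-16DC] 21.01.2020 13:59:06   DIRSYNC From Active Directory (AD) - Summary (0.022 sec, Start=234936, Adds=0, Modifies=1, Deletes=0, Skips=0, Errors=0, End=234936)
"""

ENTRY_RE = re.compile(r"Processing ldap entry .*?: '(?P<dn>[^']+)'")
MODIFIED_RE = re.compile(r"Modified (?P<item>\S+) from '(?P<old>[^']*)' to '(?P<new>[^']*)'")
SUMMARY_RE = re.compile(r"DIRSYNC .*Summary \((?P<body>[^)]*)\)")


def parse_dirsync_log(text):
    """Return ({dn: {item: (old, new)}}, {counter: int}) from DirSync console output."""
    changes, summary, current = {}, {}, None
    for line in text.splitlines():
        if m := ENTRY_RE.search(line):
            current = m.group("dn")            # following 'Modified' lines belong to this DN
            changes.setdefault(current, {})
        elif (m := MODIFIED_RE.search(line)) and current:
            changes[current][m.group("item")] = (m.group("old"), m.group("new"))
        elif m := SUMMARY_RE.search(line):
            for part in m.group("body").split(","):
                key, _, val = part.strip().partition("=")
                if val.isdigit():              # skips the leading "0.022 sec" token
                    summary[key] = int(val)
    return changes, summary


def review(changes, summary):
    """Findings an administrator should look at after a sync run."""
    findings = []
    for dn, items in changes.items():
        if set(items) <= {"uSNChanged"}:
            # Processed, but no Notes item changed: the symptom of an attribute cleared in AD.
            findings.append(f"{dn}: only uSNChanged advanced, check for attributes cleared in AD")
    if summary.get("Errors", 0):
        findings.append(f"{summary['Errors']} error(s) reported in the sync summary")
    if summary.get("Deletes", 0):
        findings.append(f"{summary['Deletes']} document(s) deleted from the target directory")
    return findings


if __name__ == "__main__":
    for finding in review(*parse_dirsync_log(SAMPLE_LOG)):
        print(finding)
```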

Deleting objects

When users or groups are deleted in Active Directory, they are also deleted in the Domino® directory, with one exception: Active Directory users who are registered as Domino® users (have mail files, etc.) are not deleted from Domino. The deletion is not performed during a scheduled sync. You have to initiate a resync to delete persons that are no longer available in Active Directory.

SyncFromLDAPToNAB - Deleted existing Note for 'Darth Vader'. This is NOT a registered user and could be a deleted orphan
[0290:0005-16E0] DirSync  resyncall - SyncFromLDAPToNAB completed in: 0.225 seconds
[0290:0005-16E0] DirSync  Updating SyncAll Request's DirSyncRequestState to 2
[0290:0005-16E0] 21.01.2020 15:07:10   DIRSYNC Full Resync From Active Directory (AD) - Summary (0.225 sec, Start=0, Adds=0, Modifies=0, Deletes=1, Skips=2, Errors=0, End=234945)