Data collector for LDAP

name: Data collector for LDAP

description: Inventory Data Collector for LDAP

version: 1.2.2

release: 2020-07-07

diffusion: iTop Hub, Combodo site

code: itop-data-collector-ldap

github module 1: https://github.com/Combodo/itop-data-collector-base

github module 2: https://github.com/Combodo/itop-data-collector-ldap

standalone: yes

This stand-alone application collects information from a single LDAP directory in order to automatically synchronize the Persons and the Users in iTop.

Data collector for LDAP

Features

Main functions:

  • Automatic creation and update of Persons and Users in iTop based on LDAP data.

  • Automatic assignment of Profiles to Users based on LDAP groups (optional).

Technical aspects:

  • The collector can reside on any system with web access to iTop and LDAP access to the LDAP directory.

  • The collector is compatible with Windows Active Directory.

  • The definition of the mapping between LDAP fields and iTop fields is fully configurable.

  • The creation of the Synchronization Data Sources in iTop is fully automated.

This collector makes use of iTop's built-in Data Synchronization mechanism. For more information about how the data synchronization works, refer to the Data Synchronization Overview; the collector relies on the Data collector Base mechanism.

Revision History

Release date | Version | Comments
2020-07-07 | 1.2.2 | Support of the LDAP URI scheme for the connection; better debug information via ldap-test.php; configurable target class to create, for example, users of type UserLDAP or UserExternal; request only the needed attributes (and explicitly request memberof); additional command line parameters for ldap_test.php; multi configuration file; new CSV collector; configurable timestamp added in the logs; new option for usage: --help
2020-02-17 | 1.2.1 | Never publicly released, only updates to data collector base: fix "undefined constant TABLENAME_PATTERN"; reject invalid characters for database_table_name; performance enhancement: retrieve only the needed fields when performing a lookup; added the specific class MySQLCollector, which forces the DB connection to use UTF-8 characters
2018-08-28 | 1.2.0 | First public release on iTopHub, refactoring of the code and configuration parameters
2017-06-22 | 1.1.1 | Version to use the latest version of collector-base
2015-05-29 | 1.1.0 | Version to fix a UTF8 encoding issue
2015-05-07 | 1.0.0 | Initial version

Limitations

  • The current version synchronizes neither the Organizations nor the Locations.

  • The location of a person and the manager of a person are not synchronized.

  • One collector collects data from one single LDAP directory instance only.

Requirements

  • PHP (command line interface), version 5.3.0 up to 7.2, with the php-ldap, php-dom and php-simplexml extensions installed.

  • LDAP access to the Enterprise directory and a user with read access to the data.

  • HTTP/HTTPS access to the iTop web services (REST + synchro_import.php and synchro_exec.php).

  • Data collector Base requirements.

Installation

  • Expand the content of the zip archive "ldap-data-collector" in a folder on the machine that will run the collector application. This machine must have LDAP access to the Enterprise directory and web access to the iTop server.
  • Create the file conf/params.local.xml to suit your installation, supplying the appropriate credentials to connect to the LDAP server and to iTop.

By default this file should contain the values used to connect to the LDAP server and to the iTop server:

params.local.xml
 
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/params.local.xml - your specific configuration parameters -->
<parameters>
  <itop_url>http://localhost/</itop_url>
  <itop_login>admin</itop_login>
  <itop_password>admin</itop_password>
  <contact_to_notify>john.doe@demo.com</contact_to_notify>
  <synchro_user>admin</synchro_user>
  <ldapuri>ldap://localhost:389</ldapuri>
  <ldapdn>DC=company,DC=com</ldapdn>
  <ldaplogin>CN=ITOP-LDAP,DC=company,DC=com</ldaplogin>
  <ldappassword>password</ldappassword>
  <!--
    Set a non empty (and unique) prefix if you run several instances of the collector against the same iTop Server
    This is the recommended method to collect data from several LDAP servers. (assign a unique prefix to each "source" LDAP server)
    Note: this prefix can be set but do not touch the one inside json_placeholders
    -->
  <prefix></prefix>
  <json_placeholders>
    <full_load_interval>604800</full_load_interval><!-- 7 days (in seconds): 7*24*60*60 -->
    <users_target_class>UserLDAP</users_target_class>
    <synchro_status>production</synchro_status>
  </json_placeholders>
</parameters>
Parameter | Meaning | Sample value
itop_url | URL to the iTop application | https://localhost/
itop_login | Login (user account) for connecting to iTop. Must have the rights to execute the data synchro and to create Persons and Users (and to connect to the REST services on iTop 2.5.0 and above) | admin
itop_password | Password for the iTop account | 
contact_to_notify | The email address of an existing contact in iTop, to be notified in case of error during the synchronization | john.doe@demo.com
synchro_user | iTop user allowed to run the synchronization. It is highly recommended to use the same account as itop_login | admin
ldaphost | Obsolete, use ldapuri instead | localhost
ldapport | Obsolete, use ldapuri instead | 389
ldapdn | Company DN for LDAP | DC=company,DC=com
ldaplogin | Login to connect to the LDAP server | CN=ITOP-LDAP,DC=company,DC=com
ldappassword | Password to connect to the LDAP server | 
ldapuri | The URI to connect to the LDAP server, either ldap://<host>:<port> or ldaps://<host>:<port> | 
prefix | A unique string for each LDAP server. MUST be non-empty if you run several instances of the collector against the same iTop instance. Can contain only [a-z0-9_] characters | 
full_load_interval | Duration (in seconds) for which to retain records not found in LDAP | 
synchro_status | For information: the status of the Synchronization Data Sources (production, implementation or obsolete) | production
users_target_class | The class of User objects to create in iTop when synchronizing users. Either UserLDAP or UserExternal | UserLDAP

Starting with iTop version 2.5.0, the account used to connect to iTop must have the profile "REST Services User" in order to be allowed to use the web services.

Before iTop version 2.5.0, only Administrator users can create Users.

Configuration

The file params.distrib.xml contains the default values for the parameters. Both files (params.distrib.xml and params.local.xml) use exactly the same format, but params.distrib.xml is the reference and should remain unmodified. If you need to change a value, copy its definition into params.local.xml and modify it there: the values in params.local.xml take precedence over those in params.distrib.xml.

The default values for the configuration of the data collection are defined in the file collectors/params.distrib.xml. This configuration defines which LDAP queries are executed on the LDAP server to retrieve the data, how to map the LDAP fields to the iTop fields, and some default values for the iTop fields.

The configuration looks as follows:

<parameters>
        <!-- Parameters for Person synchronization -->
        <ldappersonfilter>(objectClass=person)</ldappersonfilter>
        <person_fields>
                <!--  Mapping between LDAP fields and iTop Person's object fields -->
                <primary_key>samaccountname</primary_key>
                <name>sn</name>
                <first_name>givenname</first_name>
                <email>mail</email>
                <phone>telephonenumber</phone>
                <mobile_phone>mobile</mobile_phone>
                <function>title</function>
                <employee_number>employeenumber</employee_number>
        </person_fields>
        <person_defaults>
                <!--  Default values for iTop Person's object fields -->
                <org_id>Demo</org_id>
                <status>active</status>
        </person_defaults>
        <!-- Parameters for User synchronization -->
        <collect_person_only>no</collect_person_only>
        <ldapuserfilter>(&amp;(objectClass=person)(mail=*))</ldapuserfilter>
        <synchronize_profiles>no</synchronize_profiles>
        <itop_group_pattern>/^CN=itop-(.*),OU=.*/</itop_group_pattern>
        <user_fields>
                <!--  Mapping between LDAP fields and iTop UserLDAP's object fields -->
                <primary_key>samaccountname</primary_key>
                <login>samaccountname</login>
                <contactid>mail</contactid>
        </user_fields>
        <user_defaults>
                <!--  Default values for iTop UserLDAP's object fields -->
                <profile>Portal user</profile>
                <language>EN US</language>
        </user_defaults>
</parameters>
Parameter | Meaning | Default value
ldappersonfilter | The LDAP query used to retrieve the persons in LDAP/AD | (objectClass=person)
person_fields | The list of iTop fields of the Person object to populate from the LDAP data, and for each iTop field its mapping to the corresponding LDAP field | see below
<person_fields>
  <primary_key>samaccountname</primary_key>
  <name>sn</name>
  <first_name>givenname</first_name>
  <email>mail</email>
  <phone>telephonenumber</phone>
  <mobile_phone>mobile</mobile_phone>
  <function>title</function>
  <employee_number>employeenumber</employee_number>
</person_fields>
person_defaults | The default values for some iTop fields of a Person. Used either when the LDAP query returns an empty value or when no mapping is defined for the field | see below
<person_defaults>
  <org_id>Demo</org_id>
  <status>active</status>
</person_defaults>
collect_person_only | Whether or not to synchronize users from LDAP (yes/no) | no
ldapuserfilter | The LDAP query used to retrieve user information in LDAP. Note: the ampersand character & is a special character in XML and must be written as &amp; | (&amp;(objectClass=person)(mail=*))
synchronize_profiles | Flag to activate or not the synchronization of the user profiles based on defined LDAP groups. If set to yes, the synchronization of the profiles uses itop_group_pattern to identify the corresponding groups. If set to no, make sure that you specify a default profile, since users cannot be created without at least one profile | no
itop_group_pattern | Regular expression pattern used to retrieve the list of LDAP groups to map to iTop profiles. The first capturing group (i.e. parentheses) must return the name of an existing iTop profile. The default regular expression looks for groups named itop-<iTop Profile Name> | /^CN=itop-(.*),OU=.*/
user_fields | The list of iTop fields of the LDAPUser object to populate from the LDAP data, and for each iTop field its mapping to the corresponding LDAP field | see below
<user_fields>
  <primary_key>samaccountname</primary_key>
  <login>samaccountname</login>
  <contactid>mail</contactid>
</user_fields>
user_defaults | The default values for some iTop fields of a UserLDAP. Used either when the LDAP query returns an empty value or when no mapping is defined for the field | see below
<user_defaults>
  <profile>Portal user</profile>
  <language>EN US</language>
</user_defaults>

Those parameters can be redefined in the file conf/params.local.xml in order to take into account your specific needs (for instance the mapping between iTop and LDAP attributes).

The expected value for person_defaults/org_id is an organization name, not an id.

The expected value for user_fields/login can be uid, samaccountname, mail, ... but the field must contain unique values.

The expected value for user_fields/contactid is a field containing an email address.

user_defaults/profile is a shortcut to fill the LDAP User field named profile_list with one unique profile.
If you want to assign several profiles to the LDAP Users, use the tag profile_list with this format:

<user_defaults>
  <profile_list>profileid->name:name_of_profile1|profileid->name:name_of_profile2</profile_list>
  ...
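To make the profile logic concrete, the following Python script (an added example, not part of the collector or of the original page) applies itop_group_pattern to a user's memberOf values exactly as the table above describes: the first capturing group becomes the profile name, and the user falls back to the default profile when no group matches, since a User cannot exist without at least one profile. It also renders the profile_list format shown just above. The memberOf DNs are constructed demo values, and STRICT_GROUP_PATTERN is my own tightened variant of the page's default pattern: the default `(.*)` is greedy, so a group sitting in a nested OU (CN=itop-X,OU=itop,OU=Groups,...) yields "X,OU=itop" instead of "X", which is not an existing iTop profile.

```python
import re

# Default itop_group_pattern from collectors/params.distrib.xml
DEFAULT_GROUP_PATTERN = "/^CN=itop-(.*),OU=.*/"
# Tightened variant (my suggestion, not from the page): stop the capture at the first comma
STRICT_GROUP_PATTERN = "/^CN=itop-([^,]*),OU=.*/"
DEFAULT_PROFILE = "Portal user"   # the page's user_defaults/profile

# Constructed memberOf values of one LDAP user (demo DNs, not a real directory)
SAMPLE_MEMBER_OF = [
    "CN=itop-Configuration Manager,OU=Groups,DC=demo,DC=com",
    "CN=Domain Users,CN=Users,DC=demo,DC=com",
    "CN=itop-Support Agent,OU=itop,OU=Groups,DC=demo,DC=com",
]


def compile_pcre(pattern):
    """Turn a PHP-style delimited pattern such as /.../i into a compiled Python regex.
    Assumption: the collector is PHP, so itop_group_pattern is a delimited PCRE string;
    only the i, m and s modifiers are translated here."""
    m = re.fullmatch(r"(.)(.*)\1([imsx]*)", pattern, re.DOTALL)
    if m is None:
        raise ValueError("not a delimited pattern: %r" % pattern)
    _delimiter, body, modifiers = m.groups()
    flags = 0
    if "i" in modifiers:
        flags |= re.IGNORECASE
    if "m" in modifiers:
        flags |= re.MULTILINE
    if "s" in modifiers:
        flags |= re.DOTALL
    return re.compile(body, flags)


def profiles_from_groups(member_of, pattern=DEFAULT_GROUP_PATTERN, default_profile=DEFAULT_PROFILE):
    """Map a user's memberOf DNs to iTop profile names via the first capturing group.
    Falls back to default_profile when no group matches, because a User cannot be
    created without at least one profile."""
    regex = compile_pcre(pattern)
    profiles = []
    for dn in member_of:
        match = regex.search(dn)
        if match and match.group(1) and match.group(1) not in profiles:
            profiles.append(match.group(1))
    return profiles or [default_profile]


def profile_list_value(profiles):
    """Render the profile_list format documented above: profileid->name:A|profileid->name:B"""
    return "|".join("profileid->name:%s" % p for p in profiles)


if __name__ == "__main__":
    for pattern in (DEFAULT_GROUP_PATTERN, STRICT_GROUP_PATTERN):
        print(pattern, "->", profile_list_value(profiles_from_groups(SAMPLE_MEMBER_OF, pattern)))
```

With the default pattern the nested group produces the profile name "Support Agent,OU=itop", which iTop will not find; with the tightened pattern it produces "Support Agent". Whichever pattern you use, the names it captures must exist as iTop profiles, so check the captured values against the profile list in iTop before enabling synchronize_profiles.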

Other optional parameters

The following parameters can be redefined to change the default behavior of the collector:

Parameter | Meaning | Default value
max_chunk_size | Maximum number of elements to process in one iteration (for the upload and the synchronization in iTop). If the number of elements exceeds this number, the process iterates automatically | 1000
itop_synchro_timeout | Timeout (in seconds) to wait for the execution of one data synchronization task; requires php_curl | 600
stop_on_synchro_error | Whether or not to stop when an error occurs during the synchronization (yes or no) | no
console_log_level | Output level for the console, from -1 (none) to 9 (debug) | 6 (info)
console_log_dateformat | Format of the logger timestamp | [Y-m-d H:i:s]
curl_options | When connecting to the iTop web services with cURL, cURL options can be specified in this section. The syntax is <CURLOPT_NAME_OF_THE_OPTION1>value1</CURLOPT_NAME_OF_THE_OPTION1>, where value_x is either the numeric value of the option, or the string representation of the corresponding PHP "define" (case sensitive). Several php_curl options can be defined, as in the example below | 
data_path | New in 1.1.4. Path where the temporary files generated by the collector are stored. You can use the special placeholder %APPROOT% to specify a path relative to the root folder of the collector | %APPROOT%/data

<curl_options>
    <CURLOPT_SSL_VERIFYHOST>0</CURLOPT_SSL_VERIFYHOST>
    <CURLOPT_SSL_VERIFYPEER>1</CURLOPT_SSL_VERIFYPEER>
</curl_options>
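The parameters file is plain XML, so a small pre-flight check catches the mistakes that otherwise only surface as a failed run. The following Python script is an added example (not part of the collector) that serves both the params.local.xml table above and the curl_options section here: it verifies that the file is well-formed (the sample file on this page closes <ldapuri> with </ldaphost>, which the parser rejects outright), that ldapuri has the ldap:// or ldaps:// form, that prefix uses only [a-z0-9_], that users_target_class is UserLDAP or UserExternal, and it reports CURLOPT_SSL_VERIFYPEER=0 or CURLOPT_SSL_VERIFYHOST=0, since either one switches off certificate verification toward the iTop server. All three XML documents are constructed samples with placeholder hosts and credentials.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a conf/params.local.xml with several questionable settings
# (hosts, login and password are placeholders, not real values).
SAMPLE_PARAMS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <itop_url>https://itop.example.invalid/</itop_url>
  <itop_login>collector</itop_login>
  <itop_password>PLACEHOLDER</itop_password>
  <ldapuri>ldap://ldap.example.invalid:389</ldapuri>
  <ldapdn>DC=example,DC=invalid</ldapdn>
  <prefix>Ldap-1</prefix>
  <json_placeholders>
    <users_target_class>UserLdap</users_target_class>
  </json_placeholders>
  <curl_options>
    <CURLOPT_SSL_VERIFYHOST>0</CURLOPT_SSL_VERIFYHOST>
    <CURLOPT_SSL_VERIFYPEER>0</CURLOPT_SSL_VERIFYPEER>
  </curl_options>
</parameters>
"""

# Constructed sample reproducing the mismatched tag in the sample file on this page
# (<ldapuri> closed by </ldaphost>): the XML parser rejects the whole file.
BROKEN_PARAMS_XML = """<parameters>
  <ldapuri>ldap://localhost:389</ldaphost>
</parameters>
"""

# Constructed sample with every check satisfied.
CLEAN_PARAMS_XML = """<parameters>
  <ldapuri>ldaps://ldap.example.invalid:636</ldapuri>
  <prefix>ldap1_</prefix>
  <json_placeholders><users_target_class>UserLDAP</users_target_class></json_placeholders>
  <curl_options>
    <CURLOPT_SSL_VERIFYHOST>2</CURLOPT_SSL_VERIFYHOST>
    <CURLOPT_SSL_VERIFYPEER>1</CURLOPT_SSL_VERIFYPEER>
  </curl_options>
</parameters>
"""

PREFIX_RE = re.compile(r"^[a-z0-9_]*$")                      # prefix charset from the parameter table
LDAPURI_RE = re.compile(r"^ldaps?://[^/\s:]+(:\d{1,5})?$")   # ldap://<host>:<port> or ldaps://<host>:<port>
TARGET_CLASSES = ("UserLDAP", "UserExternal")


def validate_params(xml_text):
    """Return a list of findings for one parameters file; an empty list means nothing was found."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "parameters":
        findings.append("root element is <%s>, expected <parameters>" % root.tag)

    def text(path):
        node = root.find(path)
        return None if node is None else (node.text or "").strip()

    uri = text("ldapuri")
    if uri is None:
        obsolete = " (ldaphost/ldapport are obsolete)" if text("ldaphost") is not None else ""
        findings.append("ldapuri is missing" + obsolete)
    elif not LDAPURI_RE.match(uri):
        findings.append("ldapuri '%s' is neither ldap://<host>:<port> nor ldaps://<host>:<port>" % uri)
    elif uri.startswith("ldap://"):
        # a simple bind over plain ldap:// sends ldaplogin/ldappassword in clear unless StartTLS is negotiated
        findings.append("ldapuri uses plain ldap://; prefer ldaps:// to protect the bind credentials")

    prefix = text("prefix")
    if prefix is not None and not PREFIX_RE.match(prefix):
        findings.append("prefix '%s' must contain only [a-z0-9_] characters" % prefix)

    target = text("json_placeholders/users_target_class")
    if target is not None and target not in TARGET_CLASSES:
        findings.append("users_target_class '%s' is neither UserLDAP nor UserExternal" % target)

    # A value of 0 for either option disables TLS certificate checks toward the iTop server
    for opt in ("CURLOPT_SSL_VERIFYPEER", "CURLOPT_SSL_VERIFYHOST"):
        if text("curl_options/" + opt) == "0":
            findings.append("%s=0 disables TLS certificate verification of the iTop server" % opt)
    return findings


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PARAMS_XML), ("broken", BROKEN_PARAMS_XML), ("clean", CLEAN_PARAMS_XML)):
        print(label, validate_params(doc) or ["ok"])
```

Run it against your real conf/params.local.xml before the first php exec.php: a well-formedness error is the one case where nothing else in the file is even read.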

Testing the iTop REST API connection

You may face network or authentication issues reaching the iTop server to synchronize with. To test the connection, use the following command:

php toolkit/testconnection.php
UNIX system
    curl_init exists: 1
Problem opening URL: https://localhost/iTop/webservices/rest.php?version=1.0
    error msg: Failed to connect to localhost port 443: Connection refused
    curl_init error code: 7 (cf https://www.php.net/manual/en/function.curl-errno.php)

Placeholders in the configuration of the data sources

The JSON files used to configure the data sources contain several placeholders initialized from the configuration above ($contact_to_notify$, ...), as well as other placeholders specific to the data sources. These placeholders can be configured inside the <json_placeholders> section of the parameters file:

<?xml version="1.0" encoding="UTF-8"?>
  <parameters>
    ...
    <contact_to_notify>itop-admin@demo.com</contact_to_notify>
    <synchro_user>cron-user</synchro_user>
    <json_placeholders type="hash">
      <prefix>vSphere</prefix>
      <full_load_interval>60</full_load_interval>
    </json_placeholders> 
    ...
  </parameters>
Parameter | Meaning | Default value
synchro_user | If the user account used to run this synchronization is not an administrator, its login must be specified here, since iTop allows only administrators and the designated user to run a synchronization | 
contact_to_notify | The email address of an existing contact in iTop, who will be notified of the synchronization results | 
full_load_interval | Delay (in seconds) between two full imports of the data. If an object is not detected by the collector within this interval, it is considered obsolete and marked as such in iTop. Adjust this value according to the scheduling period | 604800
prefix | Prefix for the names of all Synchronization Data Sources in iTop. If you run several instances of the collector (to collect information from several vSphere servers), change this value so that each data source has a unique name | vSphere

Troubleshooting

Connection problems

To test and troubleshoot connection problems, use the script ldap-test.php located in the collectors/bin folder. The script uses the same parameters as the normal collector, but produces more debug output.

So edit the configuration in the file conf/params.local.xml, then launch the test script by typing the following command at the command prompt:

php collectors/bin/ldap-test.php

If you see a message like:

Error - ldap_bind('cn=admin,dc=combodo,dc=com', '*******') FAILED (Can't contact LDAP server).

then something is wrong with the connection to the LDAP server.

  1. Check that the parameter <ldapuri> is correct (protocol, host and port).

  2. Check that the connection to the server is not blocked by a firewall (you can use the command telnet <host> <port> and see whether the connection is established).

  3. Check for TLS/SSL problems. If you see the following text in the output of the ldap-test.php script, the problem is likely related to the TLS certificate:

attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x402)
TLS: can't connect: (unknown error code).

The solution is to instruct LDAP to ignore this faulty certificate, by adding the following lines to the LDAP configuration file (see the note below).

# Ignore the server's certificate
TLS_REQCERT never

Note that TLS_REQCERT never switches off certificate verification for every OpenLDAP client that reads that file; when the server certificate is simply issued by an internal CA, adding TLS_CACERT <path to the CA certificate> to the same file keeps verification active.

On Linux systems, the OpenLDAP library used by PHP tries to load the following configuration files in turn:

  1. /etc/ldap/ldap.conf

  2. /home/<current_user>/ldaprc

  3. /home/<current_user>/.ldaprc

  4. <current_folder>/ldaprc

You can put the above parameter in any of these files, but be aware that the first file (/etc/ldap/ldap.conf) affects the whole system, whereas the other configuration files affect scripts running under the current user, or only scripts run from the current directory.

The syntax of all these files is the same. For more information, refer to the ldap.conf man page.

Data collection problems

If the output of the ldap-test.php script contains:

Error - ldap_search('dc=combodo,dc=net', '(objectClass=inetOrgPerson)') FAILED (No such object).

then check the LDAP query used for retrieving the "contacts". This query is defined by two parameters:

    <ldapdn>DC=company,DC=com</ldapdn>

    <!-- Parameters for Person synchronization -->
    <ldappersonfilter>(objectClass=person)</ldappersonfilter>

If the LDAP query is correct, you should see an output similar to:

List of the attributes to retrieve (taken from the mapping):
uid,sn,givenname,mail,telephonenumber,mobile,title,employeenumber,memberof
Use --attributes=x,y,z to retrieve x, y and z instead. Use --attributes=* to retrieve all fields.
Debug - ldap_connect('ldaps://customers.combodo.com')...
Debug - ldap_bind('cn=admin,dc=combodo,dc=com', 'c8mb0do')...
Debug - ldap_bind() Ok.
Debug - ldap_search('dc=combodo,dc=com', '(objectClass=inetOrgPerson)', ['uid', 'sn', 'givenname', 'mail', 'telephonenumber', 'mobile', 'title', 'employeenumber', 'memberof'])...
Debug - ldap_search() Ok.
The LDAP query '(objectClass=inetOrgPerson)' returned 13 elements.
Displaying only 10 elements (use --max-records=xx to change this limit).
------------------------------------------------
LDAP Structure:
Info: when a field is empty on a given record, it is not returned by LDAP.
------------------------------------------------
givenname : bruce
sn        : Lee
uid       : blee
mail      : bruce.lee2@combodo.com
mobile    : 0608080808
------------------------------------------------
givenname : chuck
mail      : chuck.norris@combodo.com
sn        : Norris
uid       : cnorris
------------------------------------------------

The first column of the output is the name of the field in LDAP (all the fields returned by the LDAP query are listed), and the second column shows the value for the first records found in LDAP. Based on the values displayed, you can complete the configuration of the mapping in the configuration file conf/params.local.xml.

By default, ldap_test.php requests only the attributes used in the person mapping. To request all available LDAP attributes, add the parameter --attributes=* to the ldap_test.php command line.

By default, ldap_test.php dumps only the first 10 records of the result. You can adjust this number to xx records by specifying --max-records=xx on the command line.
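The record dump above is the raw material for the mapping, and the parameter tables earlier state the rule the collector applies: a mapped attribute fills the iTop field, and a default from person_defaults fills the field when it is unmapped or came back empty (which, as the output notes, means the attribute is simply absent from the record). The following Python script is an added example (not the collector's own code) that parses the two records shown above, applies the distrib mapping and defaults, and checks that every resulting row has a unique primary_key, the property the user_fields/login note earlier insists on. It assumes primary_key is mapped to uid, because the attribute list in the output above starts with uid; the record values are the page's own sample output.

```python
# Excerpt of the record dump printed by ldap-test.php, copied from the output above
SAMPLE_DUMP = """------------------------------------------------
givenname : bruce
sn        : Lee
uid       : blee
mail      : bruce.lee2@combodo.com
mobile    : 0608080808
------------------------------------------------
givenname : chuck
mail      : chuck.norris@combodo.com
sn        : Norris
uid       : cnorris
------------------------------------------------
"""

# person_fields as in collectors/params.distrib.xml, except primary_key mapped to uid
# (assumption: the attribute list in the output above starts with uid, so that run used it as the key)
PERSON_FIELDS = {
    "primary_key": "uid", "name": "sn", "first_name": "givenname", "email": "mail",
    "phone": "telephonenumber", "mobile_phone": "mobile", "function": "title",
    "employee_number": "employeenumber",
}
PERSON_DEFAULTS = {"org_id": "Demo", "status": "active"}


def parse_ldap_test_dump(text):
    """Parse the 'attribute : value' records separated by dashed lines into dicts.
    An attribute that is empty on a record is simply absent (LDAP does not return it)."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("----"):
            if current:
                records.append(current)
            current = {}
        elif ":" in line:
            attr, value = line.split(":", 1)
            current[attr.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def to_itop_row(record, fields=PERSON_FIELDS, defaults=PERSON_DEFAULTS):
    """Build the row the collector would hand to iTop: mapped attributes first, then the
    defaults for fields that are unmapped or came back empty."""
    row = {itop_field: record.get(ldap_attr, "") for itop_field, ldap_attr in fields.items()}
    for itop_field, value in defaults.items():
        if not row.get(itop_field):
            row[itop_field] = value
    return row


def key_problems(rows):
    """Report rows whose primary_key is empty or duplicated: the key must be unique for the
    synchronization to identify each Person reliably."""
    problems, seen = [], {}
    for i, row in enumerate(rows):
        key = row["primary_key"]
        if not key:
            problems.append("record %d has an empty primary_key" % i)
        elif key in seen:
            problems.append("record %d duplicates primary_key '%s' of record %d" % (i, key, seen[key]))
        else:
            seen[key] = i
    return problems


if __name__ == "__main__":
    rows = [to_itop_row(r) for r in parse_ldap_test_dump(SAMPLE_DUMP)]
    for row in rows:
        print(row)
    print(key_problems(rows) or "primary keys look fine")
```

Pipe the full output of ldap-test.php (with --max-records raised) through parse_ldap_test_dump and key_problems to find empty or duplicated keys before the first real synchronization, rather than discovering them as synchro errors in iTop.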

Finally, you can test the configuration, without importing any data into iTop, by running the following command from the command line:

php exec.php --console_log_level=9 --collect_only

This produces an output similar to:

Debug - OK, the required PHP version to run this application is 5.3.0. The current PHP version is 7.2.7-0ubuntu0.18.04.2.
Debug - OK, the required extension 'simplexml' is installed (current version: 7.2.7-0ubuntu0.18.04.2 >= 0.1).
Debug - OK, the required extension 'dom' is installed (current version: 20031129 >= 1.0).
Debug - The following configuration files were loaded (in this order):

        1. /opt/dev/ldap-collector/conf/params.distrib.xml
        2. /opt/dev/ldap-collector/collectors/params.distrib.xml
        3. /opt/dev/ldap-collector/conf/params.local.xml

The resulting configuration is:

<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <itop_url>http://itop-demo/trunk</itop_url>
  <itop_login>admin</itop_login>
  <itop_password>admin</itop_password>
  <console_log_level>6</console_log_level>
  <syslog_log_level>-1</syslog_log_level>
  <max_chunk_size>1000</max_chunk_size>
  <itop_synchro_timeout>600</itop_synchro_timeout>
  <stop_on_synchro_error>no</stop_on_synchro_error>
  <curl_options>
    <CURLOPT_SSLVERSION>CURL_SSLVERSION_SSLv3</CURLOPT_SSLVERSION>
    <CURLOPT_SSL_VERIFYHOST>0</CURLOPT_SSL_VERIFYHOST>
    <CURLOPT_SSL_VERIFYPEER>1</CURLOPT_SSL_VERIFYPEER>
  </curl_options>
  <collect_person_only>no</collect_person_only>
  <ldaphost>192.168.10.13</ldaphost>
  <ldapport>389</ldapport>
  <ldapdn>OU=FGA,DC=combodo,DC=net</ldapdn>
  <ldaplogin>COMBODO\administrateur</ldaplogin>
  <ldappassword>xxxxxx</ldappassword>
  <ldappersonfilter>(objectClass=person)</ldappersonfilter>
  <itop_group_pattern>/^CN=itop-(.*),OU=.*/</itop_group_pattern>
  <person_fields>
    <primary_key>samaccountname</primary_key>
    <name>sn</name>
    <first_name>givenname</first_name>
    <email>mail</email>
    <phone>telephonenumber</phone>
    <mobile_phone>mobile</mobile_phone>
    <function>title</function>
    <employee_number>employeenumber</employee_number>
  </person_fields>
  <person_defaults>
    <org_id>Demo</org_id>
    <status>active</status>
  </person_defaults>
  <ldapuserfilter/>
  <user_id>samaccountname</user_id>
  <user_contactid>mail</user_contactid>
  <synchronize_profiles>no</synchronize_profiles>
  <user_fields>
    <primary_key>samaccountname</primary_key>
    <login>samaccountname</login>
    <contactid>mail</contactid>
  </user_fields>
  <user_defaults>
    <profile>Portal user</profile>
    <language>EN US</language>
  </user_defaults>
  <prefix/>
  <json_placeholders>
    <prefix>$prefix$</prefix>
    <persons_data_table>synchro_data_$prefix$ldap_persons</persons_data_table>
    <users_data_table>synchro_data_$prefix$ldap_users</users_data_table>
  </json_placeholders>
  <ldapfilter>(objectClass=person)</ldapfilter>
</parameters>

Debug - Persons: Mapping of the fields:
   iTop 'primary_key' is filled from LDAP 'samaccountname' 
   iTop 'name' is filled from LDAP 'sn' 
   iTop 'first_name' is filled from LDAP 'givenname' 
   iTop 'email' is filled from LDAP 'mail' 
   iTop 'phone' is filled from LDAP 'telephonenumber' 
   iTop 'mobile_phone' is filled from LDAP 'mobile' 
   iTop 'function' is filled from LDAP 'title' 
   iTop 'employee_number' is filled from LDAP 'employeenumber' 
   iTop 'org_id' is filled with the constant value 'Demo'
   iTop 'status' is filled with the constant value 'active'

Debug - LDAPUsers: Mapping of the fields:
   iTop 'primary_key' is filled from LDAP 'samaccountname' 
   iTop 'login' is filled from LDAP 'samaccountname' 
   iTop 'contactid' is filled from LDAP 'mail' 
   iTop 'language' is filled with the constant value 'EN US'
   iTop 'profile_list' is filled with the constant value 'profileid->name:Portal user'
  
...

You can check the order in which the configuration files are loaded and the resulting configuration.

Usage

To launch the data collection and the synchronization with iTop, run the following command (from the root directory where the application is installed):

php exec.php

The following (optional) command line options are available:

Option | Meaning | Default value
--config_file | Specifies the full path to the configuration file. If this parameter is omitted, the file conf/params.local.xml is used by default | empty
--console_log_level=<level> | Output level for the console, from -1 (none) to 9 (debug) | 6 (info)
--collect_only | Runs only the data collection, without synchronizing the data with iTop | 
--synchro_only | Synchronizes the previously collected data (stored in the data directory) with iTop, without running the collection | 
--configure_only | Checks (and updates if needed) the Synchronization Data Sources in iTop and exits, without running the collection or the synchronization | 
--max_chunk_size=<size> | Maximum number of items to pass to the process in one go, to preserve the memory of the system. If the process has more items, it iterates | 1000
--help | Displays the usage of exec.php | 

Running several instances of the collector

In many cases it can be useful to run the collector several times with different sets of parameters: for instance to collect person information from several LDAP servers (iTop LDAP data collector), or virtual machine information from several vSphere servers (iTop vSphere data collector).

Before version 1.1.4 of the framework, you had to fully duplicate the collector application and adjust the file conf/params.local.xml on each copy.

Since version 1.1.4, you can keep a single copy of the collector application and specify a different configuration file (with the command line option --config_file) for each collection to run (i.e. one configuration file per LDAP or vSphere configuration).

However, to avoid any trouble while collecting the data and synchronizing with iTop, the following parameters must be configured properly inside the configuration files:

  • Use a different <prefix> in each configuration file. This ensures that a specific set of Synchronization Data Sources is created for each configuration file.

  • Use a different <data_path> for each configuration file. This causes the collector to store all its collected data (including some temporary files) in a dedicated directory, which prevents one instance of the collector from overwriting the data of another. You can use <data_path>%APPROOT%/data/collector1</data_path> to create a subfolder collector1 in the data folder.
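The two rules above are easy to break when a configuration file is copied and only the LDAP host is edited. The following Python script is an added example (not part of the collector) that reads several configuration files, checks that no two share a <prefix> or a <data_path>, and shows which synchronization tables a prefix resolves to, using the naming shown in the resolved configuration earlier on this page (synchro_data_$prefix$ldap_persons and synchro_data_$prefix$ldap_users). The two configuration documents are constructed samples; the second one deliberately reuses the first one's prefix and data path.

```python
import xml.etree.ElementTree as ET

# Constructed configuration files for two collector instances run with --config_file
# (hostnames are demo values); the second file accidentally reuses the first one's settings.
CONFIGS = {
    "conf/ldap1.xml": """<parameters>
  <ldapuri>ldaps://ldap-server1.demo.com:636</ldapuri>
  <prefix>ldap1_</prefix>
  <data_path>%APPROOT%/data/collector1</data_path>
</parameters>""",
    "conf/ldap2.xml": """<parameters>
  <ldapuri>ldaps://ldap-server2.demo.com:636</ldapuri>
  <prefix>ldap1_</prefix>
  <data_path>%APPROOT%/data/collector1</data_path>
</parameters>""",
}


def instance_settings(xml_text):
    """Extract the two settings that must differ between instances."""
    root = ET.fromstring(xml_text)

    def text(tag):
        node = root.find(tag)
        return "" if node is None else (node.text or "").strip()

    return {"prefix": text("prefix"), "data_path": text("data_path")}


def synchro_table_names(prefix):
    """Table names derived from the resolved configuration shown on this page:
    synchro_data_$prefix$ldap_persons and synchro_data_$prefix$ldap_users."""
    return ("synchro_data_%sldap_persons" % prefix, "synchro_data_%sldap_users" % prefix)


def check_instances(configs):
    """Return findings about prefixes and data paths shared between configuration files."""
    findings, prefixes, paths = [], {}, {}
    for name, xml_text in configs.items():
        settings = instance_settings(xml_text)
        prefix, data_path = settings["prefix"], settings["data_path"]
        if not prefix:
            findings.append("%s: empty prefix; each instance against the same iTop needs its own" % name)
        elif prefix in prefixes:
            findings.append("%s: prefix '%s' already used by %s; both would write %s"
                            % (name, prefix, prefixes[prefix], synchro_table_names(prefix)[0]))
        else:
            prefixes[prefix] = name
        if not data_path:
            findings.append("%s: no data_path; instances would share the default %%APPROOT%%/data" % name)
        elif data_path in paths:
            findings.append("%s: data_path '%s' already used by %s" % (name, data_path, paths[data_path]))
        else:
            paths[data_path] = name
    return findings


if __name__ == "__main__":
    for finding in check_instances(CONFIGS) or ["all instances are isolated"]:
        print(finding)
```

Run the check over every file you pass to --config_file; a shared prefix means both instances write the same synchro_data tables and mark each other's records obsolete, and a shared data_path means one instance's collected files overwrite the other's.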

Running the command line:

  1. connects to iTop to create the Synchronization Data Sources (or checks that their definitions already exist and updates them if needed),

  2. connects to the LDAP server to collect information about persons and users,

  3. uploads the collected data to iTop,

  4. synchronizes the collected data with the existing iTop Persons and Users.

When running the collector, two Synchronization Data Sources are created and used to synchronize the Person and LDAPUser objects in iTop:

Scheduling

Once the data collector has been run interactively, the next step is to schedule its execution so that the collection and the import happen on a regular basis.

The data collector does not provide any specific scheduling mechanism, but the simple command line php exec.php can be scheduled either with cron (on Linux systems) or with the Task Scheduler on Windows.

For best results, don't forget to adjust the configuration parameter full_load_interval so that it stays consistent with the scheduling frequency.

Migrating from version 1.1.x to 1.2.x

Between versions 1.1.1 and 1.2.0, the structure of the configuration changed slightly:

  • The mapping of the fields between LDAP and iTop is now defined as an array <person_fields> for the Person objects and an array <user_fields> for the LDAPUser objects. The same applies to the default values of the fields, configured in the arrays <person_defaults> and <user_defaults> respectively. If you changed the default configuration of these items, you must adjust your configuration file accordingly.

  • The parameter synchro_profils has been renamed to synchronize_profiles.

  • The dynamic organization parameter is deprecated. If you do not want to use dynamic organizations, do not supply a mapping for the org_id field (in <person_fields>) and supply a default value for org_id in <person_defaults>.

  • Version 1.1 did not support running several instances of the collector against the same iTop instance (for several LDAP servers), so the names of the SQL tables holding the synchronization data used a different scheme. To keep the same names for the SQL data tables, edit the configuration file and put the following lines in the <json_placeholders> section:

<json_placeholders>
  <prefix></prefix>
  <persons_data_table>synchro_data_PersonAD</persons_data_table>
  <users_data_table></users_data_table>
</json_placeholders>

Synchronizing data with several LDAP servers

The current version of the LDAP data collector supports only one source LDAP server. However, you can run several instances of the collector, each with a different configuration, to connect to different LDAP servers while connecting to the same iTop instance.

In such a configuration, make sure that the <prefix> parameter is different for each LDAP server, since each collector needs to create its own set of Synchronization Data Sources in iTop.

Create two copies of the LDAP data collector: collector-ldap1 and collector-ldap2. In collector-ldap1/conf/params.local.xml put:

<parameters>
        ...
        <ldaphost>ldap-server1.demo.com</ldaphost>
        <ldapport>389</ldapport>
        <prefix>ldap1_</prefix> <!-- IMPORTANT to have a unique prefix, use only [a-z0-9_] characters -->
</parameters>

In collector-ldap2/conf/params.local.xml put:

<parameters>
        ...
        <ldaphost>ldap-server2.demo.com</ldaphost>
        <ldapport>389</ldapport>
        <prefix>ldap2_</prefix> <!-- IMPORTANT to have a unique prefix, use only [a-z0-9_] characters -->
</parameters>

This creates two independent sets of Synchronization Data Sources:

Synchro Data Sources

Original: https://www.itophub.io/wiki/page?id=extensions%3Aldap-data-collector


Data collector for LDAP

name:
Data collector for LDAP
description:
Inventory Data Collector for LDAP
version:
1.2.2
release:
2020-07-07
diffusion:
iTop Hub, Combodo site
code:
ldap-data-collector
standalone:
yes

This stand-alone application collects information from a single LDAP Directory in order to automatically synchronize the persons and the users in iTop.

Data collector for LDAP

Features

Main functions:

  • Automatic creation and update of Persons and Users in iTop based on LDAP data.

  • Automatic assignment of Profiles to Users based on LDAP groups (this is optional).

  •  

Technical aspects:

  • The collector can reside on any system with web access to iTop and LDAP access to the LDAP Directory

  • The collector is compatible with Windows Active Directory

  • The definition of the mapping between LDAP fields and iTop fields is fully configurable.

  • The creation of the Synchronization Data Sources in iTop is fully automated.

This collector makes use of iTop's built-in Data Synchronization mechanism. For more information about how the data synchronization works, refer to Data Synchronization Overviewand relies on Data collector Base mechanism

Revision History

VersionRelease DateComments
2020-07-071.2.2Support of LDAP URI scheme for the connection,
Better debug information via ldap-test.php,
Configurable target class to create either users of type UserLDAP or UserExternal for example.
Request only the needed attributes (and explicitely request memberof)
Additional command line parameters for ldap_test.php
Multi configuration file
New CSV collector
Configurable timestamp added in the logs
New option for usage: –help
2020-02-171.2.1Never publicly released, only updates to data collector base.
Fix “undefined constant TABLENAME_PATTERN”
Reject invalid characters for database_table_name
Performance enhancement: retrieve only the needed fields when performing a lookup
Added the specific class MySQLCollector which forces the DB connection to use UTF-8 characters
2018-08-281.2.0First public release on iTopHub, refactoring of the code and configuration parameters.
2017-06-221.1.1Version to use latest version of collector-base
2015-05-291.1.0Version to fix UTF8 encoding issue
2015-05-071.0.0Initial version

Limitations

  • The current version is synchronizing neither the Organizations nor the Locations.

  • The location of person and the manager of a person are not synchronized.

  • One collector is collecting data from one single LDAP directory instance only.

Requirements

  • PHP (command line interface), version 5.3.0 up to 7.2 with the php-ldap, php-dom and php-simplexml extensions installed.

  • An LDAP access to the Enterprise directory and a read user to access the data.

  • An HTTP/HTTPS access to the iTop web services (REST + synchro_import.php and synchro_exec.php)

  • Data collector Base requirements.

Installation

  • Expand the content of the zip archive “ldap-data-collector” in a folder on the machine that will run the collector application. This machine must have an LDAP access to the Enterprise directory and a web access to the iTop server.

  • create the file conf/params.local.xml to suit your installation, supplying the appropriate credentials to connect to LDAP server and iTop.

By default this file should contains the values used to connect to the LDAP server and to the iTop server:

params.local.xml
 
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/params.local.xml - your specific configuration parameters -->
<parameters>
  <itop_url>http://localhost/</itop_url>
  <itop_login>admin</itop_login>
  <itop_password>admin</itop_password>
  <contact_to_notify>john.doe@demo.com</contact_to_notify>
  <synchro_user>admin</synchro_user>
  <ldapuri>ldap://localhost:389</ldaphost>
  <ldapdn>DC=company,DC=com</ldapdn>
  <ldaplogin>CN=ITOP-LDAP,DC=company,DC=com</ldaplogin>
  <ldappassword>password</ldappassword>
  <!--
    Set a non empty (and unique) prefix if you run several instances of the collector against the same iTop Server
    This is the recommended method to collect data from several LDAP servers. (assign a unique prefix to each "source" LDAP server)
    Note: this prefix can be set but do not touch the one inside json_placeholders
    -->
  <prefix></prefix>
  <json_placeholders>
    <full_load_interval>604800</full_load_interval><!-- 7 days (in seconds): 7*24*60*60 -->
    <users_target_class>UserLDAP</users_target_class>
    <synchro_status>production</synchro_status>
  </json_placeholders>
</parameters>
ParameterMeaningSample value
itop_urlURL to the iTop Applicationhttps://localhost/
itop_loginLogin (user account) for connecting to iTop. Must have rights for executing the data synchro, to create Persons and Users (and connect to REST services on iTop above 2.5.0)admin
itop_passwordPassword for the iTop account. 
contact_to_notifyThe email address of an existing contact in iTop, to be notified in case of error during the synchronizationjohn.doe@demo.com
synchro_useriTop user set as allowed to run synchronization. It is highly recommended to use the same as itop_loginadmin
ldaphostobsolete, Use ldapuri instead.localhost
ldapportobsoelete, use ldapuri instead.389
ldapdnCompany DN for LDAPDC=company,DC=com
ldaploginLogin to connect to LDAP serverCN=ITOP-LDAP,DC=company,DC=com
ldappasswordPassword to connect to LDAP server 
ldapuriThe URI to connect to the LDAP server, either ldap://<host>:<port> or ldaps://<host>:<port> 
prefixA unique string for each LDAP server. MUST be non-empty if you run several instances of the collector against the same iTop instance. Can contain only [a-z0-9_] characters. 
full_load_intervalDuration (in seconds) for which to retain records not found in LDAP. 
synchro_statusFor information: the status of the Synchronization Data Sources (production, implementation or obsolete)production
users_target_classThe class of User objects to create in iTop when synchronizing users. Either UserLDAP or UserExternalUserLDAP

Starting with iTop version 2.5.0, the account used to connect to iTop must have the profile REST Services user in order to be allowed to use the web services.

Before iTop version 2.5.0, only Administrators users can create Users

Configuration

The default values for the configuration of the data collection is defined in the file collectors/params.distrib.xml. This configuration defines which LDAP queries are executed on the LDAP server to retrieve the data, how to map the LDAP fields with the iTop fields and some default values for the iTop fields.

The file params.distrib.xml contains the default values for the parameters, it's the reference and should remain unmodified.
The file params.local.xml contains the values you have defined. They have precedence over the default values defined in params.distrib.xml
Both files use exactly the same format.

The configuration looks as follows:

<parameters>
        <!-- Parameters for Person synchronization -->
        <ldappersonfilter>(objectClass=person)</ldappersonfilter>
        <person_fields>
                <!--  Mapping between LDAP fields and iTop Person's object fields -->
                <primary_key>samaccountname</primary_key>
                <name>sn</name>
                <first_name>givenname</first_name>
                <email>mail</email>
                <phone>telephonenumber</phone>
                <mobile_phone>mobile</mobile_phone>
                <function>title</function>
                <employee_number>employeenumber</employee_number>
        </person_fields>
        <person_defaults>
                <!--  Default values for iTop Person's object fields -->
                <org_id>Demo</org_id>
                <status>active</status>
        </person_defaults>
        <!-- Parameters for User synchronization -->
        <collect_person_only>no</collect_person_only>
        <ldapuserfilter>(&amp;(objectClass=person)(mail=*))</ldapuserfilter>
        <synchronize_profiles>no</synchronize_profiles>
        <itop_group_pattern>/^CN=itop-(.*),OU=.*/</itop_group_pattern>
        <user_fields>
                <!--  Mapping between LDAP fields and iTop UserLDAP's object fields -->
                <primary_key>samaccountname</primary_key>
                <login>samaccountname</login>
                <contactid>mail</contactid>
        </user_fields>
        <user_defaults>
                <!--  Default values for iTop UserLDAP's object fields -->
                <profile>Portal user</profile>
                <language>EN US</language>
        </user_defaults>
</parameters>
ParameterMeaningDefault value
ldappersonfilterThe LDAP query used to retrieve the persons in LDAP/AD(objectClass=person)
person_fieldsThe list of iTop fields of the Person object to populate from the LDAP data, and for each iTop field its mapping to the corresponding LDAP field 
<person_fields>
  <primary_key>samaccountname</primary_key>
  <name>sn</name>
  <first_name>givenname</first_name>
  <email>mail</email>
  <phone>telephonenumber</phone>
  <mobile_phone>mobile</mobile_phone>
  <function>title</function>
  <employee_number>employeenumber</employee_number>
</person_fields>
person_defaultsThe default values for some iTop fields for a Person. Used either when the LDAP query returns an empty value or if no mapping is defined for the field 
<person_defaults>
  <org_id>Demo</org_id>
  <status>active</status>
</person_defaults>
collect_person_onlyWhether or not to synchronize users from LDAP (yes/no)no
ldapuserfilterThe LDAP query to use to retrive user information in LDAP. Note: the ampersand character & is a special character in XML and must be written as &amp;(&amp;(objectClass=person)(mail=*))
synchronize_profilesFlag to activate or not synchronization of the user profiles based on defined LDAP groups. If set to yes, the synchronization of the profiles is using the itop_group_pattern to identify corresponding group. If set to no make sure that you specify a default profile, since users cannot be created without at least one profile.no
itop_group_patternRegular expression pattern to retrieve list of LDAP group to map with iTop profils. The first capturing group (i.e. parentheses) must return the name of an existing iTop profile. The default regular expression looks for groups named itop-<iTop Profile Name>/^CN=itop-(.*),OU=.*/
user_fieldsThe list of iTop fields for the LDAPUser object, to populate from the LDAP data, and for each iTop field its mapping to the corresponding LDAP field 
<user_fields>
  <primary_key>samaccountname</primary_key>
  <login>samaccountname</login>
  <contactid>mail</contactid>
</user_fields>
user_defaultsThe default values for some iTop fields for a UserLDAP. Used either when the LDAP query returns an empty value or if no mapping is defined for the field. 
<user_defaults>
  <profile>Portal user</profile>
  <language>EN US</language>
</user_defaults>

Those parameters can be redefined in the file conf/params.local.xml in order to take into account your specific needs. (For instance the mapping between iTop and LDAP attributes)

The expected value for person_defaults/org_id is an organization name, not an id

The expected value for user_fields/login can be UID, samaccountname, mail,… but the field must contain unique values

The expected value for user_fields/contactid is a field containing an email address

user_defaults/profile is a shortcut to fill the LDAP User field named profile_list with one unique profile.
If you want to assign several profiles to the LDAP Users, use the tag profile_list with this format:

<user_defaults>
  <profile_list>profileid->name:name_of_profile1|profileid->name:name_of_profile2</profile_list>
  ...

Troubleshooting

Connection problems

To test and troubleshoot connection problems, use the script ldap-test.php located in the collector/bin folder. The script uses the same parameters as the normal collector, but produces more debug output.

So edit the configuration in the file conf/params.local.xml then launch the test script by typing the following command from the command prompt.

php collectors/bin/ldap-test.php

If you see a message like:

Error - ldap_bind('cn=admin,dc=combodo,dc=com', '*******') FAILED (Can't contact LDAP server).

then something is wrong with the connection to the LDAP server.

  1. Check that parameter <ldapuri> is correct. (protocol, host and port)

  2. Check that the connection to the server is not blocked by a firewall (You can use the command telnet <host> <port> and see if the connection is established).

  3. Check for TSL/SSL problems. If you see the following text in the output of the ldap-test.php script, then the problem is likely related to a TLS certificate:

attempting to connect: 
connect success
TLS: peer cert untrusted or revoked (0x402)
TLS: can't connect: (unknown error code).

The solution is to instruct LDAP to ignore this faulty certificate, by adding the following lines to the LDAP configuration file (see the note below). Note that TLS_REQCERT never disables the verification of the server certificate altogether; if the certificate is merely issued by an internal CA, pointing TLS_CACERT at that CA certificate is the stricter alternative.

# Ignore the server's certificate
TLS_REQCERT never

On Linux systems, the OpenLDAP library used by PHP tries to load successively the following configuration files:

  1. /etc/ldap/ldap.conf

  2. /home/<current_user>/ldaprc

  3. /home/<current_user>/.ldaprc

  4. <current_folder>/ldaprc

You can put the above mentioned parameter in any of these files, but be aware that the first file (/etc/ldap/ldap.conf) affects the whole system, whereas the other configuration files affect only scripts running under the current user, or only scripts run from the current directory.

The syntax for all those files is the same. For more information, refer to: ldap.conf man page

Data collection problems

If the output of the ldap-test.php script contains:

Error - ldap_search('dc=combodo,dc=net', '(objectClass=inetOrgPerson)') FAILED (No such object).

Then check the LDAP query used for retrieving the “contacts”. This query is defined by the two parameters:

    <ldapdn>DC=company,DC=com</ldapdn>
 
    <!-- Parameters for Person synchronization -->
    <ldappersonfilter>(objectClass=person)</ldappersonfilter>

If the LDAP query is correct, you should see an output similar to:

List of the attributes to retrieve (taken from the mapping):
uid,sn,givenname,mail,telephonenumber,mobile,title,employeenumber,memberof
Use --attributes=x,y,z to retrieve x, y and z instead. Use --attributes=* to retrieve all fields.
Debug - ldap_connect('ldaps://customers.combodo.com')...
Debug - ldap_bind('cn=admin,dc=combodo,dc=com', 'c8mb0do')...
Debug - ldap_bind() Ok.
Debug - ldap_search('dc=combodo,dc=com', '(objectClass=inetOrgPerson)', ['uid', 'sn', 'givenname', 'mail', 'telephonenumber', 'mobile', 'title', 'employeenumber', 'memberof'])...
Debug - ldap_search() Ok.
The LDAP query '(objectClass=inetOrgPerson)' returned 13 elements.
Displaying only 10 elements (use --max-records=xx to change this limit).
------------------------------------------------
LDAP Structure:
Info: when a field is empty on a given record, it is not returned by LDAP.
------------------------------------------------
givenname : bruce
sn        : Lee
uid       : blee
mail      : bruce.lee2@combodo.com
mobile    : 0608080808
------------------------------------------------
givenname : chuck
mail      : chuck.norris@combodo.com
sn        : Norris
uid       : cnorris
------------------------------------------------

The first column of the output is the name of the field in LDAP (all fields returned by the LDAP query are listed) and the second column shows the values of the first record found in LDAP. Based on the values displayed you can complete the configuration of the mapping in the configuration file conf/params.local.xml.

By default ldap_test.php only requests the attributes used in the Person's mapping. To request all the available LDAP attributes, add the parameter --attributes=* to the ldap_test.php command line.

By default ldap_test.php dumps only the first 10 records of the results. You can adjust this number to xx records by specifying the parameter --max-records=xx on the command line.

Finally you can test your configuration without importing any data in iTop by running the following command from the command line:

php exec.php --console_log_level=9 --collect_only

This produces an output similar to the one shown below:

Debug - OK, the required PHP version to run this application is 5.3.0. The current PHP version is 7.2.7-0ubuntu0.18.04.2.
Debug - OK, the required extension 'simplexml' is installed (current version: 7.2.7-0ubuntu0.18.04.2 >= 0.1).
Debug - OK, the required extension 'dom' is installed (current version: 20031129 >= 1.0).
Debug - The following configuration files were loaded (in this order):

        1. /opt/dev/ldap-collector/conf/params.distrib.xml
        2. /opt/dev/ldap-collector/collectors/params.distrib.xml
        3. /opt/dev/ldap-collector/conf/params.local.xml

The resulting configuration is:

<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <itop_url>http://itop-demo/trunk</itop_url>
  <itop_login>admin</itop_login>
  <itop_password>admin</itop_password>
  <console_log_level>6</console_log_level>
  <syslog_log_level>-1</syslog_log_level>
  <max_chunk_size>1000</max_chunk_size>
  <itop_synchro_timeout>600</itop_synchro_timeout>
  <stop_on_synchro_error>no</stop_on_synchro_error>
  <curl_options>
    <CURLOPT_SSLVERSION>CURL_SSLVERSION_SSLv3</CURLOPT_SSLVERSION>
    <CURLOPT_SSL_VERIFYHOST>0</CURLOPT_SSL_VERIFYHOST>
    <CURLOPT_SSL_VERIFYPEER>1</CURLOPT_SSL_VERIFYPEER>
  </curl_options>
  <collect_person_only>no</collect_person_only>
  <ldaphost>192.168.10.13</ldaphost>
  <ldapport>389</ldapport>
  <ldapdn>OU=FGA,DC=combodo,DC=net</ldapdn>
  <ldaplogin>COMBODO\administrateur</ldaplogin>
  <ldappassword>xxxxxx</ldappassword>
  <ldappersonfilter>(objectClass=person)</ldappersonfilter>
  <itop_group_pattern>/^CN=itop-(.*),OU=.*/</itop_group_pattern>
  <person_fields>
    <primary_key>samaccountname</primary_key>
    <name>sn</name>
    <first_name>givenname</first_name>
    <email>mail</email>
    <phone>telephonenumber</phone>
    <mobile_phone>mobile</mobile_phone>
    <function>title</function>
    <employee_number>employeenumber</employee_number>
  </person_fields>
  <person_defaults>
    <org_id>Demo</org_id>
    <status>active</status>
  </person_defaults>
  <ldapuserfilter/>
  <user_id>samaccountname</user_id>
  <user_contactid>mail</user_contactid>
  <synchronize_profiles>no</synchronize_profiles>
  <user_fields>
    <primary_key>samaccountname</primary_key>
    <login>samaccountname</login>
    <contactid>mail</contactid>
  </user_fields>
  <user_defaults>
    <profile>Portal user</profile>
    <language>EN US</language>
  </user_defaults>
  <prefix/>
  <json_placeholders>
    <prefix>$prefix$</prefix>
    <persons_data_table>synchro_data_$prefix$ldap_persons</persons_data_table>
    <users_data_table>synchro_data_$prefix$ldap_users</users_data_table>
  </json_placeholders>
  <ldapfilter>(objectClass=person)</ldapfilter>
</parameters>

Debug - Persons: Mapping of the fields:
   iTop 'primary_key' is filled from LDAP 'samaccountname' 
   iTop 'name' is filled from LDAP 'sn' 
   iTop 'first_name' is filled from LDAP 'givenname' 
   iTop 'email' is filled from LDAP 'mail' 
   iTop 'phone' is filled from LDAP 'telephonenumber' 
   iTop 'mobile_phone' is filled from LDAP 'mobile' 
   iTop 'function' is filled from LDAP 'title' 
   iTop 'employee_number' is filled from LDAP 'employeenumber' 
   iTop 'org_id' is filled with the constant value 'Demo'
   iTop 'status' is filled with the constant value 'active'

Debug - LDAPUsers: Mapping of the fields:
   iTop 'primary_key' is filled from LDAP 'samaccountname' 
   iTop 'login' is filled from LDAP 'samaccountname' 
   iTop 'contactid' is filled from LDAP 'mail' 
   iTop 'language' is filled with the constant value 'EN US'
   iTop 'profile_list' is filled with the constant value 'profileid->name:Portal user'
  
...

You can see the order in which the configuration files were loaded and the resulting configuration.

Usage

To launch the data collection and synchronization with iTop, run the following command (from the root directory where the application is installed):

php exec.php

The following (optional) command line options are available:

Option | Meaning | Default value
--config_file | Specify the full path to the configuration file. The file conf/params.local.xml is used by default if this parameter is omitted. | empty
--console_log_level=<level> | Level of output to the console, from -1 (none) to 9 (debug). | 6 (info)
--collect_only | Run only the data collection, but do not synchronize the data with iTop. | false
--synchro_only | Synchronize the data previously collected (stored in the data directory) with iTop; do not run the collection. | false
--configure_only | Check (and update if necessary) the synchronization data sources in iTop and exit; do NOT run the collection or the synchronization. |
--max_chunk_size=<size> | Maximum number of items to process in one pass, for preserving the memory of the system. If there are more items to process, the application will iterate. | 1000
--help | Display the usage of exec.php. |

Running several instances of the collector

In many circumstances it may be useful to run the collector several times with a different set of parameters, for example to collect persons information from several LDAP servers (iTop Data Collector for LDAP) or Virtual Machines information from several vSphere servers (iTop Data Collector for vSphere).

Prior to version 1.1.4 of the framework, you had to completely duplicate the collector application and adjust the file conf/params.local.xml on each copy.

Since version 1.1.4 you can have just one single copy of the collector application and specify a different configuration file (with the command line option --config_file) for each collection to run (i.e. one configuration file per LDAP or vSphere server).

However, to avoid any troubles during the collection of the data and the synchronization with iTop, the following parameters must be properly configured inside the configuration file:

  • Use a different <prefix> inside each different configuration file. This ensures that a specific set of Synchronization Data Sources will be created for each configuration file.

  • Use a different <data_path> variable for each configuration file. This will cause the collector to store all its collected data (including some temporary files) in a dedicated directory, which prevents one instance of the collector from overwriting the data of another one. You can use the syntax <data_path>%APPROOT%/data/collector1</data_path> to have a subfolder collector1 created inside the data folder.

The execution of the command line will:

  1. Connect to iTop to create the Synchronization Data Sources (or check their definition if they already exist, updating them if needed)

  2. Connect to the LDAP server to collect the information about the Persons and the Users

  3. Upload the collected data into iTop

  4. Synchronize the collected data with the existing iTop Person and Users.

When the collector is run, two Synchro Data Sources are created and used for synchronizing Person and LDAPUser objects in iTop:
(Figure: Synchro Data Sources)

Scheduling

Once you've run the data collector interactively, the next step is to schedule its execution so that the collection and import occurs automatically at regular intervals.

The data collector does not provide any specific scheduling mechanism, but the simple command line php exec.php can be scheduled with either cron (on Linux systems) or using the Task Scheduler on Windows.

For optimal results, don't forget to adjust the configuration parameter full_load_interval to make it consistent with the frequency of the scheduling.

Migrating from version 1.1.x to 1.2.x

Between version 1.1.1 and 1.2.0 the structure of the configuration has slightly changed:

  • The mapping of the fields between LDAP and iTop is now defined as an array <person_fields> for the Person object and <user_fields> for the LDAPUser object. The same applies to the default values for the fields which are respectively configured in the arrays <person_defaults> and <user_defaults>. If you changed the default configuration for these items, you'll have to adjust your configuration file accordingly.

  • The parameter synchro_profils has been renamed to synchro_profiles

  • The parameter synchronize_organization has been deprecated. If you don't want to synchronize the organizations, don't provide a mapping for the org_idfield (in <person_fields>) and provide a default value for org_id in <person_defaults>.

  • Version 1.1 did not support running several instances of the collector against the same iTop instance (for multiple LDAP servers), and thus the name of the SQL tables holding the synchro data was using a different scheme. To retain the same name of the SQL data tables, edit the configuration file and put the following lines in the <json_placeholders> section:

  <json_placeholders>
    <prefix></prefix>
    <persons_data_table>synchro_data_PersonAD</persons_data_table>
    <users_data_table></users_data_table>
  </json_placeholders>

Synchronizing data with several LDAP servers

The current version of the Data collector for LDAP supports only one source LDAP server. However you can run several instances of the collector, each with a different configuration to connect to a different LDAP server, but all to the same iTop instance.

In such a configuration, make sure that the <prefix> parameter is different for each LDAP server, since each collector needs to create its own set of the Synchro Data Sources in iTop.

Example

Create two copies of the LDAP data collector: collector-ldap1 and collector-ldap2. In collector-ldap1/conf/params.local.xml put:

<parameters>
        ...
        <ldaphost>ldap-server1.demo.com</ldaphost>
        <ldapport>389</ldapport>
        <prefix>ldap1_</prefix> <!-- IMPORTANT to have a unique prefix, use only [a-z0-9_] characters -->
</parameters>

In collector-ldap2/conf/params.local.xml put:

<parameters>
        ...
        <ldaphost>ldap-server2.demo.com</ldaphost>
        <ldapport>389</ldapport>
        <prefix>ldap2_</prefix> <!-- IMPORTANT to have a unique prefix, use only [a-z0-9_] characters -->
</parameters>
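The two configuration snippets above, and the profile_list format described earlier in this page, are easy to get subtly wrong. The following Python helper is an added check and not part of the collector: it parses several params.local.xml files, verifies that each <prefix> uses only [a-z0-9_] characters and is unique, that each <data_path> is unique, and that <user_defaults>/<profile_list> follows the profileid->name:...|profileid->name:... syntax. The two configs embedded in it are constructed samples (the second one deliberately reuses the first's prefix and data path).

```python
import re
import xml.etree.ElementTree as ET

PREFIX_RE = re.compile(r"^[a-z0-9_]*$")              # characters allowed in <prefix>
PROFILE_RE = re.compile(r"^profileid->name:[^|]+$")  # one item of <profile_list>

# Constructed sample configs standing in for collector-ldapN/conf/params.local.xml
SAMPLE_CONFIGS = {
    "collector-ldap1": """<parameters>
      <ldaphost>ldap-server1.demo.com</ldaphost>
      <prefix>ldap1_</prefix>
      <data_path>%APPROOT%/data/collector1</data_path>
      <user_defaults>
        <profile_list>profileid->name:Portal user|profileid->name:Support Agent</profile_list>
      </user_defaults>
    </parameters>""",
    "collector-ldap2": """<parameters>
      <ldaphost>ldap-server2.demo.com</ldaphost>
      <prefix>ldap1_</prefix>
      <data_path>%APPROOT%/data/collector1</data_path>
      <user_defaults><profile_list>Portal user</profile_list></user_defaults>
    </parameters>""",
}


def check_configs(configs):
    """Return the list of problems found across {name: xml_text}; empty means consistent."""
    problems, seen_prefix, seen_path = [], {}, {}
    for name, xml_text in configs.items():
        root = ET.fromstring(xml_text)
        prefix = root.findtext("prefix", default="")
        data_path = root.findtext("data_path", default="")
        if not PREFIX_RE.match(prefix):
            problems.append(f"{name}: prefix '{prefix}' may only contain [a-z0-9_]")
        if prefix in seen_prefix:  # same prefix: both instances would share Synchro Data Sources
            problems.append(f"{name}: prefix '{prefix}' already used by {seen_prefix[prefix]}")
        seen_prefix.setdefault(prefix, name)
        if data_path in seen_path:  # same data_path: one instance overwrites the other's data
            problems.append(f"{name}: data_path '{data_path}' already used by {seen_path[data_path]}")
        seen_path.setdefault(data_path, name)
        profile_list = root.findtext("user_defaults/profile_list")
        if profile_list is not None:
            for item in profile_list.split("|"):
                if not PROFILE_RE.match(item):
                    problems.append(f"{name}: profile_list item '{item}' must be 'profileid->name:<profile>'")
    return problems


if __name__ == "__main__":
    for problem in check_configs(SAMPLE_CONFIGS):
        print(problem)
```

Run it against your real files by replacing SAMPLE_CONFIGS with the contents of each collector's conf/params.local.xml before scheduling the instances.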

This will create two independent sets of Synchronization Data Sources:
(Figure: Synchro Data Sources)

Created by superadmin on 2020/08/27, 16:06