[8.1 r2015-10-22][SQL Error] Security Module: LDAP Integration - sync users

Hi all,

could you give the LDAP-Integrated User-Synchronization a lookover?
It currently fails, since …
a) … it retrieves all accounts without an Email Address too. Since the Email field, however, only allows unique values, this fails on the second account without an email address.
b) … it cannot handle the initially created administrator account, if the login was set to anything but the samaccountname.

This all happens in the auto-created application “app_sync_users”.
a) can be fixed by replacing

"(|(samaccountname=*)(uid=*)(userprincipalname=*))"

with

"(&(|(samaccountname=*)(uid=*)(userprincipalname=*))(mail=*))"

though I find the absolute requirement of Email Address fields troublesome. Correlation of SCapp-Account and LDAP-Account should use a more stable property, such as objectGuid. And if it is not used for unique identification, why make the column unique?

b) is a bit harder to fix; you need to retrieve the LDAP Account object during initial administrator creation and select the original SamAccountName for the login column.
Due to how the foreach loop is defined, it will always use the samaccountname for identification (which is cool, it’s unique), as only objects with samaccountname will be retrieved.
Now if you added the full domain login (samaccountname@domainname) for the Administrator login, it will not find a match and will try to do an insert, which will fail due to duplicate values for a unique column (email).

Cheers,
Bosparan
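To make both failure modes from the post reproducible, here is an added example (not code from the product or from the poster) that replays the sync loop against an in-memory users table with a unique email column. The LDAP entries, the SQLite table and the `ldap_search`/`run_sync` helpers are constructed for illustration; only samaccountname is modelled for the filter, and a missing mail attribute is assumed to land in the email column as an empty string, which is what makes two mail-less accounts collide.

```python
import sqlite3

# Constructed sample directory (not real data). Two service accounts lack a mail attribute.
LDAP_ENTRIES = [
    {"samaccountname": "admin", "mail": "admin@example.test", "objectguid": "guid-0001"},
    {"samaccountname": "jdoe", "mail": "jdoe@example.test", "objectguid": "guid-0002"},
    {"samaccountname": "svc-backup", "mail": None, "objectguid": "guid-0003"},
    {"samaccountname": "svc-monitor", "mail": None, "objectguid": "guid-0004"},
]


def ldap_search(entries, require_mail):
    """Stand-in for the two filters from the post (hypothetical helper):
    require_mail=False -> (|(samaccountname=*)(uid=*)(userprincipalname=*))
    require_mail=True  -> (&(|(samaccountname=*)(uid=*)(userprincipalname=*))(mail=*))
    Only samaccountname is modelled; uid/userprincipalname are left out."""
    return [e for e in entries
            if e.get("samaccountname") and (e.get("mail") or not require_mail)]


def users_table(admin_login):
    """In-memory model of the users table: email is UNIQUE, and a missing
    address is assumed to be stored as '' (so two mail-less accounts collide)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, email TEXT UNIQUE NOT NULL)")
    # The initially created administrator, whose login may differ from samaccountname.
    db.execute("INSERT INTO users VALUES (?, ?)", (admin_login, "admin@example.test"))
    return db


def run_sync(admin_login, require_mail):
    """Replays the app_sync_users loop: match on login == samaccountname, insert otherwise.
    Returns (ok, inserted_logins, error_message)."""
    db = users_table(admin_login)
    inserted = []
    for e in ldap_search(LDAP_ENTRIES, require_mail):
        login = e["samaccountname"]
        if db.execute("SELECT 1 FROM users WHERE login = ?", (login,)).fetchone():
            continue  # existing account matched by samaccountname, nothing to insert
        try:
            db.execute("INSERT INTO users VALUES (?, ?)", (login, e["mail"] or ""))
        except sqlite3.IntegrityError as exc:
            return False, inserted, f"{login}: {exc}"
        inserted.append(login)
    return True, inserted, ""


if __name__ == "__main__":
    print(run_sync("admin", require_mail=False))              # (a): fails on the 2nd mail-less account
    print(run_sync("admin", require_mail=True))               # (a): fixed by adding (mail=*)
    print(run_sync("admin@example.test", require_mail=True))  # (b): admin login != samaccountname
```

The third call shows why the (mail=*) filter alone does not cover case (b): the administrator row is never matched, so the insert collides on the unique email instead.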