Posted to user@syncope.apache.org by Adam Levine <ad...@gmail.com> on 2021/07/19 08:36:19 UTC

Map/Create ldap group hierarchy to realms

I'm able to create realms based on a group tree from LDAP, thanks to the
guidance on other emails and following the demo deploy. I do get exceptions
when trying to refresh on a pull (have to delete the realms manually first).

Problem:  The created realms are flat in hierarchy (all the same depth),
instead of matching the LDAP groups that have several depths.

Using Apache DS

I saw a post that said to reference the demo ldap-orgunit configuration, as
it provided the even/odd realm trees.  But when I look at the demo, the
ldap org only has ou=[People|Groups], and it doesn't have any
pull/provision tasks attached to it.

Am I missing something?  Guidance is greatly appreciated!

 Thank you!

Re: Map/Create ldap group hierarchy to realms

Posted by Marco Di Sabatino Di Diodoro <ma...@tirasa.net>.
On 23/07/21 16:58, Adam Levine wrote:
> Follow up:  I configured my connector, resource, mapping, and pull 
> from the Demo system.

The demo handles the depth of ou only in propagation.

In order to create realms from a pull that respects the hierarchy, it's 
necessary that your pull action sets the parent realm. 
As you can see, this information is not provided to Syncope, which means 
that all realms are at the same level. How can you do this? You could 
parse the dn of the ou.

Regards
M


>
> On Fri, Jul 23, 2021 at 9:40 AM Adam Levine <adam.l.levine@gmail.com 
> <ma...@gmail.com>> wrote:
>
>     Marco:
>       You said:   To build the tree from an Ldap -> Syncope pull, you
>     need to implement a pull action.
>
>        I do have a pull action, which is how the realms are being
>     populated from LDAP.  But as you can see they're coming in flat. 
>      Maybe I'm not understanding what you're trying to guide me to
>     do.  If the JEXL you describe is only for propagation, do I not
>     need one for pull?
>
>     Thank you!
>
>
>     On Fri, Jul 23, 2021 at 2:26 AM Marco Di Sabatino Di Diodoro
>     <marco.disabatino@tirasa.net <ma...@tirasa.net>>
>     wrote:
>
>         Hi
>
>         Il 22/07/21 20:28, Adam Levine ha scritto:
>>         Marco:
>>
>>           Thank you for responding.
>>
>>           I can create the realms from LDAP -> Syncope.  That's not a
>>         problem.   It's the multiple hierarchy that doesn't want to
>>         work, and it could be a limitation.
>>          Let me show pictures
>>
>>         Here you can see the tree under people:
>>
>>         image.png
>>
>>         And here's how it appears in Syncope:
>>
>>         image.png
>>
>>          I am guessing that the issue is the 'fullpath' attribute
>>         having a direct mapping to 'l' instead of a jexl that would
>>         concat the ou path into a an 'ou/ou/ou' string.
>
>         We used the fullpath attribute to be able to implement a jexl
>         function that converts the syncope format to a dn for ldap:
>         syncope:fullPath2Dn(fullPath, 'ou') + ',o=isp'
>         This function is used only in propagation.
>
>         To build the tree from an Ldap -> Syncope pull, you need to
>         implement a pull action.
>
>         M
>
>>
>>         Or is there another issue at hand?
>>
>>          Thank you!
>>
>>
>>         On Thu, Jul 22, 2021 at 1:53 AM Marco Di Sabatino Di Diodoro
>>         <marco.disabatino@tirasa.net
>>         <ma...@tirasa.net>> wrote:
>>
>>             Hi
>>
>>             On 19/07/21 10:36, Adam Levine wrote:
>>             > I'm able to create realms based on a group tree from
>>             LDAP, thanks to
>>             > the guidance on other emails and following the demo
>>             deploy. I do get
>>             > exceptions when trying to refresh on a pull (have to
>>             delete the realms
>>             > manually first).
>>
>>             What kind of exception?
>>
>>             >
>>             > Problem:  The created realms are flat in hierarchy (all
>>             the same
>>             > depth), instead of matching the LDAP groups that have
>>             several depths.
>>             In order to set a depth for each realm to be created, you
>>             need to use a
>>             pull action.
>>             >
>>             > Using Apache DS
>>             >
>>             > I saw a post that said to reference the demo ldap-orgunit
>>             > configuration, as it provided the even/odd realm
>>             trees.  But when I
>>             > look at the demo, the ldap org only has
>>             ou=[People|Groups], and it
>>             > doesn't have any pull/provision tasks attached to it.
>>             >
>>             > Am I missing something?  Guidance is greatly appreciated!
>>
>>             The data in the demo is used for testing. If you want to
>>             try to create
>>             an ou on Apache DS from Syncope, please perform the
>>             following steps:
>>
>>             1) From Syncope console, go to root realm (/)
>>             2) Create a new realm where the parent is / and assign
>>             resource-ldap-orgunit resource
>>             3) Click Finish
>>
>>             Now you are able to see a new OU on Apache DS
>>
>>             M
>>
>>             >
>>             >  Thank you!
>>
>>             -- 
>>             Dott. Marco Di Sabatino Di Diodoro
>>             Tel. +39 3939065570
>>
>>             Tirasa S.r.l.
>>             Viale Vittoria Colonna, 97 - 65127 Pescara
>>             Tel +39 0859116307 / FAX +39 0859111173
>>             http://www.tirasa.net <http://www.tirasa.net>
>>
>>             Apache Syncope PMC Member
>>             http://people.apache.org/~mdisabatino/
>>             <http://people.apache.org/~mdisabatino/>
>>
>         -- 
>         Dott. Marco Di Sabatino Di Diodoro
>         Tel. +39 3939065570
>
>         Tirasa S.r.l.
>         Viale Vittoria Colonna, 97 - 65127 Pescara
>         Tel +39 0859116307 / FAX +39 0859111173
>         http://www.tirasa.net  <http://www.tirasa.net>
>
>         Apache Syncope PMC Member
>         http://people.apache.org/~mdisabatino/  <http://people.apache.org/~mdisabatino/>
>
-- 
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/


Re: Map/Create ldap group hierarchy to realms

Posted by Adam Levine <ad...@gmail.com>.
Follow up:  I configured my connector, resource, mapping, and pull from the
Demo system.

On Fri, Jul 23, 2021 at 9:40 AM Adam Levine <ad...@gmail.com> wrote:

> Marco:
>
>   You said:   To build the tree from an Ldap -> Syncope pull, you need to
> implement a pull action.
>
>    I do have a pull action, which is how the realms are being populated
> from LDAP.  But as you can see they're coming in flat.   Maybe I'm not
> understanding what you're trying to guide me to do.  If the JEXL you
> describe is only for propagation, do I not need one for pull?
>
> Thank you!
>
>
> On Fri, Jul 23, 2021 at 2:26 AM Marco Di Sabatino Di Diodoro <
> marco.disabatino@tirasa.net> wrote:
>
>> Hi
>> On 22/07/21 20:28, Adam Levine wrote:
>>
>> Marco:
>>
>>   Thank you for responding.
>>
>>   I can create the realms from LDAP -> Syncope.  That's not a problem.
>>  It's the multiple hierarchy that doesn't want to work, and it could be a
>> limitation.
>>  Let me show pictures
>>
>> Here you can see the tree under people:
>>
>> [image: image.png]
>>
>> And here's how it appears in Syncope:
>>
>> [image: image.png]
>>
>>  I am guessing that the issue is the 'fullpath' attribute having a direct
>> mapping to 'l' instead of a jexl that would concat the ou path into a an
>> 'ou/ou/ou' string.
>>
>> We used the fullpath attribute to be able to implement a jexl function
>> that converts the syncope format to a dn for ldap:
>> syncope:fullPath2Dn(fullPath, 'ou') + ',o=isp'
>> This function is used only in propagation.
>>
>> To build the tree from an Ldap -> Syncope pull, you need to implement a
>> pull action.
>>
>> M
>>
>>
>> Or is there another issue at hand?
>>
>>  Thank you!
>>
>>
>> On Thu, Jul 22, 2021 at 1:53 AM Marco Di Sabatino Di Diodoro <
>> marco.disabatino@tirasa.net> wrote:
>>
>>> Hi
>>>
>>> On 19/07/21 10:36, Adam Levine wrote:
>>> > I'm able to create realms based on a group tree from LDAP, thanks to
>>> > the guidance on other emails and following the demo deploy. I do get
>>> > exceptions when trying to refresh on a pull (have to delete the realms
>>> > manually first).
>>>
>>> What kind of exception?
>>>
>>> >
>>> > Problem:  The created realms are flat in hierarchy (all the same
>>> > depth), instead of matching the LDAP groups that have several depths.
>>> In order to set a depth for each realm to be created, you need to use a
>>> pull action.
>>> >
>>> > Using Apache DS
>>> >
>>> > I saw a post that said to reference the demo ldap-orgunit
>>> > configuration, as it provided the even/odd realm trees.  But when I
>>> > look at the demo, the ldap org only has ou=[People|Groups], and it
>>> > doesn't have any pull/provision tasks attached to it.
>>> >
>>> > Am I missing something?  Guidance is greatly appreciated!
>>>
>>> The data in the demo is used for testing. If you want to try to create
>>> an ou on Apache DS from Syncope, please perform the following steps:
>>>
>>> 1) From Syncope console, go to root realm (/)
>>> 2) Create a new realm where the parent is / and assign
>>> resource-ldap-orgunit resource
>>> 3) Click Finish
>>>
>>> Now you are able to see a new OU on Apache DS
>>>
>>> M
>>>
>>> >
>>> >  Thank you!
>>>
>>> --
>>> Dott. Marco Di Sabatino Di Diodoro
>>> Tel. +39 3939065570
>>>
>>> Tirasa S.r.l.
>>> Viale Vittoria Colonna, 97 - 65127 Pescara
>>> Tel +39 0859116307 / FAX +39 0859111173
>>> http://www.tirasa.net
>>>
>>> Apache Syncope PMC Member
>>> http://people.apache.org/~mdisabatino/
>>>
>>> --
>> Dott. Marco Di Sabatino Di Diodoro
>> Tel. +39 3939065570
>>
>> Tirasa S.r.l.
>> Viale Vittoria Colonna, 97 - 65127 Pescara
>> Tel +39 0859116307 / FAX +39 0859111173
>> http://www.tirasa.net
>>
>> Apache Syncope PMC Member
>> http://people.apache.org/~mdisabatino/
>>
>>

Re: Map/Create ldap group hierarchy to realms

Posted by Adam Levine <ad...@gmail.com>.
Marco:

  You said:   To build the tree from an Ldap -> Syncope pull, you need to
implement a pull action.

   I do have a pull action, which is how the realms are being populated
from LDAP.  But as you can see they're coming in flat.   Maybe I'm not
understanding what you're trying to guide me to do.  If the JEXL you
describe is only for propagation, do I not need one for pull?

Thank you!


On Fri, Jul 23, 2021 at 2:26 AM Marco Di Sabatino Di Diodoro <
marco.disabatino@tirasa.net> wrote:

> Hi
> On 22/07/21 20:28, Adam Levine wrote:
>
> Marco:
>
>   Thank you for responding.
>
>   I can create the realms from LDAP -> Syncope.  That's not a problem.
>  It's the multiple hierarchy that doesn't want to work, and it could be a
> limitation.
>  Let me show pictures
>
> Here you can see the tree under people:
>
> [image: image.png]
>
> And here's how it appears in Syncope:
>
> [image: image.png]
>
>  I am guessing that the issue is the 'fullpath' attribute having a direct
> mapping to 'l' instead of a jexl that would concat the ou path into a an
> 'ou/ou/ou' string.
>
> We used the fullpath attribute to be able to implement a jexl function
> that converts the syncope format to a dn for ldap:
> syncope:fullPath2Dn(fullPath, 'ou') + ',o=isp'
> This function is used only in propagation.
>
> To build the tree from an Ldap -> Syncope pull, you need to implement a
> pull action.
>
> M
>
>
> Or is there another issue at hand?
>
>  Thank you!
>
>
> On Thu, Jul 22, 2021 at 1:53 AM Marco Di Sabatino Di Diodoro <
> marco.disabatino@tirasa.net> wrote:
>
>> Hi
>>
>> On 19/07/21 10:36, Adam Levine wrote:
>> > I'm able to create realms based on a group tree from LDAP, thanks to
>> > the guidance on other emails and following the demo deploy. I do get
>> > exceptions when trying to refresh on a pull (have to delete the realms
>> > manually first).
>>
>> What kind of exception?
>>
>> >
>> > Problem:  The created realms are flat in hierarchy (all the same
>> > depth), instead of matching the LDAP groups that have several depths.
>> In order to set a depth for each realm to be created, you need to use a
>> pull action.
>> >
>> > Using Apache DS
>> >
>> > I saw a post that said to reference the demo ldap-orgunit
>> > configuration, as it provided the even/odd realm trees.  But when I
>> > look at the demo, the ldap org only has ou=[People|Groups], and it
>> > doesn't have any pull/provision tasks attached to it.
>> >
>> > Am I missing something?  Guidance is greatly appreciated!
>>
>> The data in the demo is used for testing. If you want to try to create
>> an ou on Apache DS from Syncope, please perform the following steps:
>>
>> 1) From Syncope console, go to root realm (/)
>> 2) Create a new realm where the parent is / and assign
>> resource-ldap-orgunit resource
>> 3) Click Finish
>>
>> Now you are able to see a new OU on Apache DS
>>
>> M
>>
>> >
>> >  Thank you!
>>
>> --
>> Dott. Marco Di Sabatino Di Diodoro
>> Tel. +39 3939065570
>>
>> Tirasa S.r.l.
>> Viale Vittoria Colonna, 97 - 65127 Pescara
>> Tel +39 0859116307 / FAX +39 0859111173
>> http://www.tirasa.net
>>
>> Apache Syncope PMC Member
>> http://people.apache.org/~mdisabatino/
>>
>> --
> Dott. Marco Di Sabatino Di Diodoro
> Tel. +39 3939065570
>
> Tirasa S.r.l.
> Viale Vittoria Colonna, 97 - 65127 Pescara
> Tel +39 0859116307 / FAX +39 0859111173
> http://www.tirasa.net
>
> Apache Syncope PMC Member
> http://people.apache.org/~mdisabatino/
>
>

Re: Map/Create ldap group hierarchy to realms

Posted by Marco Di Sabatino Di Diodoro <ma...@tirasa.net>.
Hi

On 22/07/21 20:28, Adam Levine wrote:
> Marco:
>
>   Thank you for responding.
>
>   I can create the realms from LDAP -> Syncope.  That's not a 
> problem.   It's the multiple hierarchy that doesn't want to work, and 
> it could be a limitation.
>  Let me show pictures
>
> Here you can see the tree under people:
>
> image.png
>
> And here's how it appears in Syncope:
>
> image.png
>
>  I am guessing that the issue is the 'fullpath' attribute having a 
> direct mapping to 'l' instead of a jexl that would concat the ou path 
> into a an 'ou/ou/ou' string.

We used the fullpath attribute to be able to implement a jexl function 
that converts the syncope format to a dn for ldap: 
syncope:fullPath2Dn(fullPath, 'ou') + ',o=isp'
This function is used only in propagation.

To build the tree from an Ldap -> Syncope pull, you need to implement a 
pull action.

M

>
> Or is there another issue at hand?
>
>  Thank you!
>
>
> On Thu, Jul 22, 2021 at 1:53 AM Marco Di Sabatino Di Diodoro 
> <marco.disabatino@tirasa.net <ma...@tirasa.net>> wrote:
>
>     Hi
>
>     On 19/07/21 10:36, Adam Levine wrote:
>     > I'm able to create realms based on a group tree from LDAP,
>     thanks to
>     > the guidance on other emails and following the demo deploy. I do
>     get
>     > exceptions when trying to refresh on a pull (have to delete the
>     realms
>     > manually first).
>
>     What kind of exception?
>
>     >
>     > Problem:  The created realms are flat in hierarchy (all the same
>     > depth), instead of matching the LDAP groups that have several
>     depths.
>     In order to set a depth for each realm to be created, you need to
>     use a
>     pull action.
>     >
>     > Using Apache DS
>     >
>     > I saw a post that said to reference the demo ldap-orgunit
>     > configuration, as it provided the even/odd realm trees. But when I
>     > look at the demo, the ldap org only has ou=[People|Groups], and it
>     > doesn't have any pull/provision tasks attached to it.
>     >
>     > Am I missing something?  Guidance is greatly appreciated!
>
>     The data in the demo is used for testing. If you want to try to
>     create
>     an ou on Apache DS from Syncope, please perform the following steps:
>
>     1) From Syncope console, go to root realm (/)
>     2) Create a new realm where the parent is / and assign
>     resource-ldap-orgunit resource
>     3) Click Finish
>
>     Now you are able to see a new OU on Apache DS
>
>     M
>
>     >
>     >  Thank you!
>
>     -- 
>     Dott. Marco Di Sabatino Di Diodoro
>     Tel. +39 3939065570
>
>     Tirasa S.r.l.
>     Viale Vittoria Colonna, 97 - 65127 Pescara
>     Tel +39 0859116307 / FAX +39 0859111173
>     http://www.tirasa.net <http://www.tirasa.net>
>
>     Apache Syncope PMC Member
>     http://people.apache.org/~mdisabatino/
>     <http://people.apache.org/~mdisabatino/>
>
-- 
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
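
Added example, not code from the thread or from Apache Syncope: the two conversions the answers above describe, in one place. Marco's later reply says a pull action must set each realm's parent and suggests parsing the dn of the ou; his earlier reply shows the opposite direction, the demo's propagation JEXL `syncope:fullPath2Dn(fullPath, 'ou') + ',o=isp'`. The block below turns an LDAP DN into a Syncope full path and its parent path, orders the realms so parents are created before children (the step that produces a flat tree when skipped), and reimplements the fullPath-to-DN mapping as a local function. `o=isp` is taken from the JEXL expression in the thread; the ou values are constructed sample data; `full_path_to_dn` is an assumption about what the demo's JEXL function produces, not Syncope's own implementation, and the call that hands the parent to Syncope's pull action API is not shown on the thread and is left out. Getting this right matters beyond tidiness: realms are the scope on which Syncope grants delegated administration, so a flattened tree changes which administrators can see which entries.

```python
"""DN <-> Syncope realm path conversions for a hierarchy-preserving pull.
Added example; not taken from the thread or from Apache Syncope."""
import re
from typing import List, Tuple

# Suffix from the demo JEXL expression quoted in the thread (',o=isp').
BASE_DN = "o=isp"


def _parse_rdn(rdn: str) -> Tuple[str, str]:
    """'ou=Sales' -> ('ou', 'Sales'); attribute names are case-insensitive."""
    attr, sep, value = rdn.strip().partition("=")
    if not attr or not sep:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, honouring backslash-escaped
    commas (RFC 4514). Multi-valued RDNs ('ou=a+cn=b') are not handled."""
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_parse_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(_parse_rdn("".join(buf)))
    return rdns


def dn_to_full_path(dn: str, attr: str = "ou", base_dn: str = BASE_DN) -> str:
    """'ou=c,ou=b,ou=a,o=isp' -> '/a/b/c'. The base DN is stripped and only
    RDNs of the given attribute may appear below it."""
    rdns = split_dn(dn)
    base = split_dn(base_dn)
    if rdns[-len(base):] != base:
        raise ValueError(f"{dn!r} is not under {base_dn!r}")
    below = rdns[: len(rdns) - len(base)]
    segments = [v for a, v in below if a == attr.lower()]
    if len(segments) != len(below):
        raise ValueError(f"{dn!r} has RDNs other than {attr}= below the base")
    # LDAP lists the leaf first; Syncope paths read root -> leaf.
    return "/" + "/".join(reversed(segments))


def parent_path(full_path: str) -> str:
    """'/a/b/c' -> '/a/b'; top-level realms hang off the root '/'."""
    if full_path == "/":
        return "/"
    head, _, _ = full_path.rpartition("/")
    return head or "/"


def _escape(value: str) -> str:
    """Minimal RFC 4514 escaping of characters that would corrupt a DN."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)


def full_path_to_dn(full_path: str, attr: str = "ou", base_dn: str = BASE_DN) -> str:
    """Assumed equivalent of syncope:fullPath2Dn(fullPath, 'ou') + ',o=isp':
    '/a/b/c' -> 'ou=c,ou=b,ou=a,o=isp'. Local reimplementation, not Syncope's."""
    segments = [s for s in full_path.split("/") if s]
    rdns = [f"{attr}={_escape(s)}" for s in reversed(segments)]
    return ",".join(rdns + [base_dn])


def creation_order(dns: List[str], attr: str = "ou") -> List[Tuple[str, str]]:
    """(full_path, parent_path) pairs, shallowest first, so a pull creates every
    parent realm before its children. Leaving the parent unset is what yields
    the flat tree described in the thread."""
    paths = sorted({dn_to_full_path(d, attr) for d in dns},
                   key=lambda p: (p.count("/"), p))
    return [(p, parent_path(p)) for p in paths]


if __name__ == "__main__":
    # Constructed sample ou tree under o=isp.
    sample = ["ou=Sales,ou=EMEA,o=isp", "ou=EMEA,o=isp",
              "ou=Support,ou=EMEA,o=isp", "ou=US,o=isp"]
    for path, parent in creation_order(sample):
        print(f"{path:<16} parent={parent:<8} propagates as {full_path_to_dn(path)}")
```

`creation_order` is the piece that answers the thread's question: the DN already carries the depth, so the pull action only has to derive the parent path from it and create realms shallowest first. `split_dn` keeps escaped commas intact, otherwise an ou value like `R\,D` would be cut into two bogus path segments.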


Re: Map/Create ldap group hierarchy to realms

Posted by Adam Levine <ad...@gmail.com>.
Marco:

  Thank you for responding.

  I can create the realms from LDAP -> Syncope.  That's not a problem.
 It's the multiple hierarchy that doesn't want to work, and it could be a
limitation.
 Let me show pictures

Here you can see the tree under people:

[image: image.png]

And here's how it appears in Syncope:

[image: image.png]

 I am guessing that the issue is the 'fullpath' attribute having a direct
mapping to 'l' instead of a jexl that would concat the ou path into a an
'ou/ou/ou' string.

Or is there another issue at hand?

 Thank you!


On Thu, Jul 22, 2021 at 1:53 AM Marco Di Sabatino Di Diodoro <
marco.disabatino@tirasa.net> wrote:

> Hi
>
> On 19/07/21 10:36, Adam Levine wrote:
> > I'm able to create realms based on a group tree from LDAP, thanks to
> > the guidance on other emails and following the demo deploy. I do get
> > exceptions when trying to refresh on a pull (have to delete the realms
> > manually first).
>
> What kind of exception?
>
> >
> > Problem:  The created realms are flat in hierarchy (all the same
> > depth), instead of matching the LDAP groups that have several depths.
> In order to set a depth for each realm to be created, you need to use a
> pull action.
> >
> > Using Apache DS
> >
> > I saw a post that said to reference the demo ldap-orgunit
> > configuration, as it provided the even/odd realm trees.  But when I
> > look at the demo, the ldap org only has ou=[People|Groups], and it
> > doesn't have any pull/provision tasks attached to it.
> >
> > Am I missing something?  Guidance is greatly appreciated!
>
> The data in the demo is used for testing. If you want to try to create
> an ou on Apache DS from Syncope, please perform the following steps:
>
> 1) From Syncope console, go to root realm (/)
> 2) Create a new realm where the parent is / and assign
> resource-ldap-orgunit resource
> 3) Click Finish
>
> Now you are able to see a new OU on Apache DS
>
> M
>
> >
> >  Thank you!
>
> --
> Dott. Marco Di Sabatino Di Diodoro
> Tel. +39 3939065570
>
> Tirasa S.r.l.
> Viale Vittoria Colonna, 97 - 65127 Pescara
> Tel +39 0859116307 / FAX +39 0859111173
> http://www.tirasa.net
>
> Apache Syncope PMC Member
> http://people.apache.org/~mdisabatino/
>
>

Re: Map/Create ldap group hierarchy to realms

Posted by Marco Di Sabatino Di Diodoro <ma...@tirasa.net>.
Hi

On 19/07/21 10:36, Adam Levine wrote:
> I'm able to create realms based on a group tree from LDAP, thanks to 
> the guidance on other emails and following the demo deploy. I do get 
> exceptions when trying to refresh on a pull (have to delete the realms 
> manually first).

What kind of exception?

>
> Problem:  The created realms are flat in hierarchy (all the same 
> depth), instead of matching the LDAP groups that have several depths.
In order to set a depth for each realm to be created, you need to use a 
pull action.
>
> Using Apache DS
>
> I saw a post that said to reference the demo ldap-orgunit 
> configuration, as it provided the even/odd realm trees.  But when I 
> look at the demo, the ldap org only has ou=[People|Groups], and it 
> doesn't have any pull/provision tasks attached to it.
>
> Am I missing something?  Guidance is greatly appreciated!

The data in the demo is used for testing. If you want to try to create 
an ou on Apache DS from Syncope, please perform the following steps:

1) From Syncope console, go to root realm (/)
2) Create a new realm where the parent is / and assign 
resource-ldap-orgunit resource
3) Click Finish

Now you are able to see a new OU on Apache DS

M

>
>  Thank you!

-- 
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/


Re: Map/Create ldap group hierarchy to realms

Posted by Adam Levine <ad...@gmail.com>.
Is there anyone out there who has dealt with and solved this problem?  Am I
approaching this from the wrong direction?

Thank you !

On Mon, Jul 19, 2021 at 3:36 AM Adam Levine <ad...@gmail.com> wrote:

> I'm able to create realms based on a group tree from LDAP, thanks to the
> guidance on other emails and following the demo deploy. I do get exceptions
> when trying to refresh on a pull (have to delete the realms manually first).
>
> Problem:  The created realms are flat in hierarchy (all the same depth),
> instead of matching the LDAP groups that have several depths.
>
> Using Apache DS
>
> I saw a post that said to reference the demo ldap-orgunit configuration,
> as it provided the even/odd realm trees.  But when I look at the demo, the
> ldap org only has ou=[People|Groups], and it doesn't have any
> pull/provision tasks attached to it.
>
> Am I missing something?  Guidance is greatly appreciated!
>
>  Thank you!
>