Posted to user@syncope.apache.org by Nik <ni...@usharesoft.com> on 2013/04/16 18:10:04 UTC
Can I create a role in syncope which will be propagated to opendj?
Hi,
I'm new to syncope, but I like what I'm seeing already, this is a nifty
open source offering, thanks.
I have a requirement which no doubt others may have had.
Can I create a role in syncope which will be propagated to opendj ldap
(group x, y or z)?
Details:
in such a fashion that syncope (role create process) does an ldap add
(propagate) of that role to an ldap base group e.g.
ou=groups,o=usharesoft, and just for fun be able to add that role (+
other roles) to a new user which will be propagated to the ldap at the
same time "atomically"?
Thinking about it, it could be a 3 step work flow a) create role(s) and
b) assign role(s) to user(s)
c) send to ldap.
I tried to follow the doc but got lost with inputting the "virtual
value" for an rvirtualdata. Any tips, clarifications, syncope roles
specific blogs or RTFM
rgds,
Nik
Re: Can I create a role in syncope which will be propagated to opendj?
Posted by Nik <ni...@usharesoft.com>.
Thanks for the reply Francesco.
I tried my best but fail to create a group in the ldap server.
I have seen some chatter on this alias of propagating syncope roles
(user assigned) to ldap and using the ApacheDS resource in the syncope
1.1.0 standalone.
- I can easily create a user in syncope and propagate it (uid=titi) to
opendj ldap
below we can see the traffic coming into ldap from syncope
[nik@nik-laptop OpenDJ]$ grep conn=194 logs/access
[19/Apr/2013:12:12:08 +0200] CONNECT conn=194 from=10.0.0.123:56715
to=10.0.0.121:1389 protocol=LDAP
[19/Apr/2013:12:12:08 +0200] BIND REQ conn=194 op=0 msgID=1 version=3
type=SIMPLE dn="cn=directory manager"
[19/Apr/2013:12:12:08 +0200] BIND RES conn=194 op=0 msgID=1 result=0
authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=1 msgID=2 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=1 msgID=2 result=0
nentries=1 etime=0
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=2 msgID=3 base=""
scope=baseObject filter="(objectClass=*)" attrs="vendorVersion"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=2 msgID=3 result=0
nentries=1 etime=0
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=3 msgID=4
base="ou=people,o=usharesoft" scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=titi)(uid=*))"
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=3 msgID=4 result=0
nentries=0 etime=0
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=4 msgID=5
base="ou=groups,o=usharesoft" scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=titi)(uid=*))"
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=4 msgID=5 result=0
nentries=0 etime=1
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=5 msgID=6 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=5 msgID=6 result=0
nentries=1 etime=0
[19/Apr/2013:12:12:08 +0200] ADD REQ conn=194 op=6 msgID=7
dn="uid=titi,ou=people,o=usharesoft"
[19/Apr/2013:12:12:08 +0200] ADD RES conn=194 op=6 msgID=7 result=0 etime=8
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=7 msgID=8
base="uid=titi,ou=people,o=usharesoft" scope=baseObject
filter="(objectClass=*)" attrs="uid"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=7 msgID=8 result=0
nentries=1 etime=0
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=8 msgID=9 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=8 msgID=9 result=0
nentries=1 etime=0
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=9 msgID=10
base="ou=people,o=usharesoft" scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=titi)(uid=*))"
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=9 msgID=10 result=0
nentries=1 etime=1
[19/Apr/2013:12:13:14 +0200] SEARCH REQ conn=194 op=10 msgID=11 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:12:13:14 +0200] SEARCH RES conn=194 op=10 msgID=11 result=0
nentries=1 etime=1
[19/Apr/2013:12:13:14 +0200] SEARCH REQ conn=194 op=11 msgID=12
base="ou=people,o=usharesoft" scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=titi)(uid=*))"
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:12:13:14 +0200] SEARCH RES conn=194 op=11 msgID=12 result=0
nentries=1 etime=1
[19/Apr/2013:12:13:29 +0200] SEARCH REQ conn=194 op=12 msgID=13 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:12:13:29 +0200] SEARCH RES conn=194 op=12 msgID=13 result=0
nentries=1 etime=1
[19/Apr/2013:12:13:29 +0200] SEARCH REQ conn=194 op=13 msgID=14
base="ou=people,o=usharesoft" scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=titi)(uid=*))"
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:12:13:29 +0200] SEARCH RES conn=194 op=13 msgID=14 result=0
nentries=1 etime=1
[nik@nik-laptop OpenDJ]$
I confirm it is really in the ldap backend.
[nik@nik-laptop OpenDJ]$ bin/ldapsearch -p 1389 -D"cn=directory manager"
-w secret -bou=people,o=usharesoft uid=titi
dn: uid=titi,ou=people,o=usharesoft
userPassword: {SSHA}eWXKXa71VZK5n/MYUMfYBH8k/uQTzVyI5DbGQw==
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
uid: titi
cn: titi
cn: titi@uuss.com
sn: titi
I have some groups already defined in my ldap.
[nik@nik-laptop OpenDJ]$ bin/ldapsearch -p 1389 -D"cn=directory manager"
-w secret -bou=groups,o=usharesoft objectclass=*
dn: ou=Groups,o=usharesoft
ou: Groups
objectClass: organizationalUnit
objectClass: top
dn: cn=generators,ou=Groups,o=usharesoft
uniqueMember: uid=jeff,ou=people,o=usharesoft
cn: generators
objectClass: groupOfUniqueNames
objectClass: top
dn: cn=publisher,ou=Groups,o=usharesoft
uniqueMember: uid=jeff,ou=people,o=usharesoft
cn: publisher
objectClass: groupOfUniqueNames
objectClass: top
[nik@nik-laptop OpenDJ]$
But I would like to create a new group (e.g. using the "secretary" role
from syncope) which should make
an ldap group like:
dn: cn=secretary,ou=Groups,o=usharesoft
uniqueMember: uid=toto,ou=people,o=usharesoft
cn: generators
objectClass: groupOfUniqueNames
objectClass: top
So from what I have been able to work out so far, I should create
the syncope user titi using Users->"create new user"
Fill in all the mandatory parts under Details/Attributes tab
Then
select the Resources tab and add my ldap resource from "Available"
to "Selected"
Then
select Roles tab and add the secretary role
and save
looking at the ldap access log I see
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=14 msgID=15 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=14 msgID=15 result=0
nentries=1 etime=1
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=15 msgID=16
base="ou=people,o=usharesoft" scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=toto)(uid=*))"
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=15 msgID=16 result=0
nentries=0 etime=1
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=16 msgID=17
base="ou=groups,o=usharesoft" scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=toto)(uid=*))"
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=16 msgID=17 result=0
nentries=0 etime=1
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=17 msgID=18 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=17 msgID=18 result=0
nentries=1 etime=0
[19/Apr/2013:13:12:42 +0200] ADD REQ conn=194 op=18 msgID=19
dn="uid=toto,ou=people,o=usharesoft"
[19/Apr/2013:13:12:42 +0200] ADD RES conn=194 op=18 msgID=19 result=0
etime=7
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=19 msgID=20
base="uid=toto,ou=people,o=usharesoft" scope=baseObject
filter="(objectClass=*)" attrs="uid"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=19 msgID=20 result=0
nentries=1 etime=0
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=20 msgID=21 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=20 msgID=21 result=0
nentries=1 etime=1
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=21 msgID=22
base="ou=people,o=usharesoft" scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=toto)(uid=*))"
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=21 msgID=22 result=0
nentries=1 etime=0
[19/Apr/2013:13:12:42 +0200] MODIFY REQ conn=-1 op=1525 msgID=1526
dn="o=usharesoft" type=synchronization
[19/Apr/2013:13:12:42 +0200] MODIFY RES conn=-1 op=1525 msgID=1526
result=0 etime=1
I would expect to see an ADD of the cn=secretary,ou=Groups,o=usharesoft
and something that shows the assignment of toto to this group.
We see success in syncope see image 1.png
Obviously, I have not configured something properly on my resource mapping
(2.png through 5.png) or my connector (6.png through 8.png)
Is there something obviously wrong dear experts?
- I have no idea how/where to add uniqueMember in syncope
Best Regards,
Nik
> On 16/04/2013 18:10, Nik wrote:
>> Hi,
>>
>> I'm new to syncope, but I like what I'm seeing already, this is a
>> nifty open source offering, thanks.
>
> Hi Nik, and welcome to Syncope!
>
>> I have a requirement which no doubt others may have had.
>>
>> Can I create a role in syncope which will be propagated to opendj
>> ldap (group x, y or z)?
>
> Absolutely yes: starting with 1.1.0, role provisioning to external
> resources is fully supported.
>
>> Details:
>> in such a fashion that syncope (role create process) does an ldap add
>> (propagate) of that role to an ldap base group e.g.
>> ou=groups,o=usharesoft, and just for fun be able to add that role (+
>> other roles) to a new user which will be propagated to the ldap at
>> the same time "atomically"?
>>
>> Thinking about it, it could be a 3 step work flow a) create role(s) and
>> b) assign role(s) to user(s)
>> c) send to ldap.
>>
>> I tried to follow the doc but got lost with inputting the "virtual
>> value" for an rvirtualdata. Any tips, clarifications, syncope roles
>> specific blogs or RTFM
>
> Since you are new to Syncope, I'd rather suggest to download [1] the
> 1.1.0 standalone distribution: if you take a look at what is included
> [2], you will notice that there is an LDAP resource provided by
> ApacheDS, fully configured to achieve the goals you report above.
>
> You can take the LDAP configuration of the standalone distribution as
> reference for your own use case with OpenDJ.
>
> I will try in the coming weeks to post something about this with some
> detailed instructions - or barely extend [3] for 1.1.0 - but until
> then I think you'd better take inspiration from the standalone
> distribution's LDAP configuration.
>
> Regards.
>
> [1] http://syncope.apache.org/downloads.html
> [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Run+Syncope+standalone+distribution
> [3] https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+LDAP+resource
>
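The check Nik does by eye above (scanning the OpenDJ access log for a group ADD and a membership change after the user ADD) can be automated, so that a propagation run is verified against the log rather than against the green status in the Syncope console. The script below is an added example and is not code from the thread, from Syncope or from OpenDJ: it parses access-log records in the format shown in the post, pairs each write request with its response by (conn, op), and reports whether the user entry was added and whether any successful write touched the group subtree. OBSERVED_LOG is constructed from the records quoted in the post (one record per line, since the e-mail wraps them); EXPECTED_LOG is an assumption of what a successful role propagation would log (an ADD of the group entry followed by a MODIFY on it), not something the thread confirms.

```python
import re

# Constructed sample, modelled on the OpenDJ access log excerpts in the post
# (one record per line; the e-mail wraps each record across lines).
OBSERVED_LOG = """\
[19/Apr/2013:13:12:42 +0200] CONNECT conn=194 from=10.0.0.123:56715 to=10.0.0.121:1389 protocol=LDAP
[19/Apr/2013:13:12:42 +0200] BIND REQ conn=194 op=0 msgID=1 version=3 type=SIMPLE dn="cn=directory manager"
[19/Apr/2013:13:12:42 +0200] BIND RES conn=194 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=16 msgID=17 base="ou=groups,o=usharesoft" scope=wholeSubtree filter="(uid=toto)" attrs="cn,uid"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=16 msgID=17 result=0 nentries=0 etime=1
[19/Apr/2013:13:12:42 +0200] ADD REQ conn=194 op=18 msgID=19 dn="uid=toto,ou=people,o=usharesoft"
[19/Apr/2013:13:12:42 +0200] ADD RES conn=194 op=18 msgID=19 result=0 etime=7
[19/Apr/2013:13:12:42 +0200] MODIFY REQ conn=-1 op=1525 msgID=1526 dn="o=usharesoft" type=synchronization
[19/Apr/2013:13:12:42 +0200] MODIFY RES conn=-1 op=1525 msgID=1526 result=0 etime=1
"""

# Constructed (an assumption, not taken from the thread): the same run with the
# role propagated as an LDAP group and the user added as a member of it.
EXPECTED_LOG = OBSERVED_LOG + """\
[19/Apr/2013:13:12:43 +0200] ADD REQ conn=194 op=22 msgID=23 dn="cn=secretary,ou=Groups,o=usharesoft"
[19/Apr/2013:13:12:43 +0200] ADD RES conn=194 op=22 msgID=23 result=0 etime=3
[19/Apr/2013:13:12:43 +0200] MODIFY REQ conn=194 op=23 msgID=24 dn="cn=secretary,ou=Groups,o=usharesoft"
[19/Apr/2013:13:12:43 +0200] MODIFY RES conn=194 op=23 msgID=24 result=0 etime=2
"""

RECORD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+)(?: (?P<phase>REQ|RES))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')
WRITE_KINDS = {"ADD", "MODIFY", "DELETE", "MODDN"}


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators, so that
    ou=Groups and ou=groups compare equal (DN matching is case-insensitive)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_records(log_text):
    """Yield one dict per access-log record: ts, kind, phase plus the key=value fields."""
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # wrapped continuation or unrelated line: skip it
        rec = {"ts": m.group("ts"), "kind": m.group("kind"), "phase": m.group("phase")}
        for key, value in KV_RE.findall(m.group("rest")):
            rec[key] = value.strip('"')
        yield rec


def write_operations(log_text):
    """Pair ADD/MODIFY/DELETE/MODDN requests with their responses by (conn, op).
    Returns a list of (kind, dn, result); result is None if no response was logged."""
    pending = {}
    ops = []
    for rec in parse_records(log_text):
        if rec["kind"] not in WRITE_KINDS:
            continue
        key = (rec.get("conn"), rec.get("op"))
        if rec["phase"] == "REQ":
            pending[key] = len(ops)
            ops.append([rec["kind"], rec.get("dn", ""), None])
        elif rec["phase"] == "RES" and key in pending:
            ops[pending[key]][2] = int(rec.get("result", "-1"))
    return [tuple(o) for o in ops]


def check_propagation(log_text, user_dn, group_base):
    """Report whether the user entry was added (result=0) and whether any
    successful write landed in the group subtree (a group ADD, or a MODIFY
    that would carry the uniqueMember change)."""
    user_dn = normalize_dn(user_dn)
    group_base = normalize_dn(group_base)
    user_added = False
    group_writes = []
    for kind, dn, result in write_operations(log_text):
        if result != 0:
            continue  # failed or unanswered writes do not count as propagated
        ndn = normalize_dn(dn)
        if kind == "ADD" and ndn == user_dn:
            user_added = True
        if ndn == group_base or ndn.endswith("," + group_base):
            group_writes.append((kind, dn))
    return {"user_added": user_added,
            "group_writes": group_writes,
            "group_propagated": bool(group_writes)}


if __name__ == "__main__":
    for label, text in (("observed", OBSERVED_LOG), ("expected", EXPECTED_LOG)):
        print(label, check_propagation(text, "uid=toto,ou=people,o=usharesoft",
                                       "ou=groups,o=usharesoft"))
```

Run against the observed records the report says user_added is True and group_propagated is False, which is exactly the gap Nik describes: the only MODIFY is the conn=-1 synchronization write on the suffix, not a write under ou=groups. The pairing by (conn, op) matters because a request whose response never arrives, or arrives with a non-zero result, must not be counted as a successful propagation.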
Re: Can I create a role in syncope which will be propagated to opendj?
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 16/04/2013 18:10, Nik wrote:
> Hi,
>
> I'm new to syncope, but I like what I'm seeing already, this is a
> nifty open source offering, thanks.
Hi Nik, and welcome to Syncope!
> I have a requirement which no doubt others may have had.
>
> Can I create a role in syncope which will be propagated to opendj ldap
> (group x, y or z)?
Absolutely yes: starting with 1.1.0, role provisioning to external
resources is fully supported.
> Details:
> in such a fashion that syncope (role create process) does an ldap add
> (propagate) of that role to an ldap base group e.g.
> ou=groups,o=usharesoft, and just for fun be able to add that role (+
> other roles) to a new user which will be propagated to the ldap at the
> same time "atomically"?
>
> Thinking about it, it could be a 3 step work flow a) create role(s) and
> b) assign role(s) to user(s)
> c) send to ldap.
>
> I tried to follow the doc but got lost with inputting the "virtual
> value" for an rvirtualdata. Any tips, clarifications, syncope roles
> specific blogs or RTFM
Since you are new to Syncope, I'd rather suggest to download [1] the
1.1.0 standalone distribution: if you take a look at what is included
[2], you will notice that there is an LDAP resource provided by
ApacheDS, fully configured to achieve the goals you report above.
You can take the LDAP configuration of the standalone distribution as
reference for your own use case with OpenDJ.
I will try in the coming weeks to post something about this with some
detailed instructions - or barely extend [3] for 1.1.0 - but until then
I think you'd better take inspiration from the standalone distribution's
LDAP configuration.
Regards.
[1] http://syncope.apache.org/downloads.html
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/Run+Syncope+standalone+distribution
[3] https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+LDAP+resource
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/