You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@syncope.apache.org by "Kettunen, Juhani" <ju...@cgi.com> on 2016/03/10 17:23:55 UTC
Synchronize task does not remove users from syncope?
Hello,
I have two external resources working fine (AD and PostgreSQL database) as well as a synchronize task from the AD.
The sync task does create and update all users in syncope and in the database, but it does not remove any users (deprovision). For example if I delete a user in AD it doesn't get deleted from Syncope's internal users and therefore not from the external resource either.
This same applies when I edit a previously synchronized user in Active Directory so that it doesn't meet connectors membership or accountSearchFilter rules anymore - it does not get removed from Syncope and other resources.
What am I missing?
The Synchronization Task has only Matching (update) and Unmatching (provision). Should it have at least a third matching rule: Source Missing Rule - which would most likely always be used for deprovisioning?
Best regards,
Juhani Kettunen
Re: Synchronize task does not remove users from syncope?
Posted by Fabio Martelli <fa...@gmail.com>.
Il 16/03/2016 10:22, Marco Di Sabatino Di Diodoro ha scritto:
> Hi Juhani
>
> Il 15/03/2016 14:07, Kettunen, Juhani ha scritto:
>>
>> Hello Francesco,
>>
>> Thank you for the reply.
>>
>> I created my active directory connector, resource and the
>> synchronization task from scratch and I did not check the full
>> reconciliation so now it should be doing the SYNC.
>>
>> But now I’m getting below error, what could be wrong?
>>
>> org.identityconnectors.framework.common.exceptions.ConnectorException: Could
>> not set DirSync request controls
>>
>> at
>> net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:168)
>> ~[?:?]
>>
>> at
>> net.tirasa.connid.bundles.ad.ADConnector.sync(ADConnector.java:143)
>> ~[?:?]
>>
>> at
>> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:139)
>> ~[connector-framework-internal-1.4.1.0.jar:?]
>>
> I think there is a problem with the Active Directory connector.
> Please, write to ConnId Mailing List [1][2]
Issue AD-53 has been opened.
Kind regards,
F.
[1] https://connid.atlassian.net/browse/AD-53
>
> Regards
> M
>
> [1] connid-users@googlegroups.com
> [2] https://groups.google.com/forum/?fromgroups#!forum/connid-users
>
>> Best Regards,
>>
>> Juhani
>>
>> Full stack trace:
>>
>> 12:28:44.521 DEBUG Enter: getLatestSyncToken(ObjectClass:
>> __ACCOUNT__) Method: getLatestSyncToken
>>
>> 12:29:02.602 DEBUG Latest sync token set to SyncToken: [B@2baedc04
>> Method: getLatestSyncToken
>>
>> 12:29:02.602 DEBUG Return: SyncToken: [B@2baedc04 Method:
>> getLatestSyncToken
>>
>> 12:29:02.603 DEBUG Enter: sync(ObjectClass: __ACCOUNT__, SyncToken:
>> [B@64eea103,
>> org.apache.syncope.core.sync.impl.UserSyncResultHandler@6e8cffb9,
>> OperationOptions:
>> {ATTRS_TO_GET:[mail,sn,title,department,sAMAccountName,__UID__,__NAME__,l,givenName,__ENABLE__...]})
>> Method: sync
>>
>> 12:29:02.663 DEBUG Enter: sync(ObjectClass: __ACCOUNT__, SyncToken:
>> [B@64eea103,
>> org.identityconnectors.framework.impl.api.local.operations.SyncImpl$1@299fe21d,
>> OperationOptions:
>> {ATTRS_TO_GET:[mail,sn,title,department,sAMAccountName,__UID__,__NAME__,l,givenName,__ENABLE__...]})
>> Method: sync
>>
>> 12:29:02.663 DEBUG Synchronization with token. Method: sync
>>
>> 12:29:02.663 DEBUG Exception: Method: sync
>>
>> org.identityconnectors.framework.common.exceptions.ConnectorException: Could
>> not set DirSync request controls
>>
>> at
>> net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:168)
>> ~[?:?]
>>
>> at
>> net.tirasa.connid.bundles.ad.ADConnector.sync(ADConnector.java:143)
>> ~[?:?]
>>
>> at
>> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:139)
>> ~[connector-framework-internal-1.4.1.0.jar:?]
>>
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> ~[?:1.7.0_95]
>>
>> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>>
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
>> ~[connector-framework-internal-1.4.1.0.jar:?]
>>
>> at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
>>
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> ~[?:1.7.0_95]
>>
>> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>>
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:98)
>> ~[connector-framework-internal-1.4.1.0.jar:?]
>>
>> at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
>>
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> ~[?:1.7.0_95]
>>
>> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>>
>> at
>> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:159)
>> ~[connector-framework-internal-1.4.1.0.jar:?]
>>
>> Caused by: java.nio.BufferOverflowException
>>
>> at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183) ~[?:1.7.0_95]
>>
>> at java.nio.ByteBuffer.put(ByteBuffer.java:832) ~[?:1.7.0_95]
>>
>> at
>> net.tirasa.adsddl.ntsd.controls.DirSyncControl.berEncodedValue(DirSyncControl.java:100)
>> ~[?:?]
>>
>> at
>> net.tirasa.adsddl.ntsd.controls.DirSyncControl.<init>(DirSyncControl.java:75)
>> ~[?:?]
>>
>> at
>> net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:165)
>> ~[?:?]
>>
>> ... 19 more
>>
>> 12:29:02.671 DEBUG Exception: Method: sync
>>
>> org.identityconnectors.framework.common.exceptions.ConnectorException: Could
>> not set DirSync request controls
>>
>> at
>> net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:168)
>> ~[?:?]
>>
>> at
>> net.tirasa.connid.bundles.ad.ADConnector.sync(ADConnector.java:143)
>> ~[?:?]
>>
>> at
>> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:139)
>> ~[connector-framework-internal-1.4.1.0.jar:?]
>>
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> ~[?:1.7.0_95]
>>
>> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>>
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
>> ~[connector-framework-internal-1.4.1.0.jar:?]
>>
>> at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
>>
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> ~[?:1.7.0_95]
>>
>> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>>
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:98)
>> ~[connector-framework-internal-1.4.1.0.jar:?]
>>
>> at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
>>
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> ~[?:1.7.0_95]
>>
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> ~[?:1.7.0_95]
>>
>> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>>
>> at
>> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:159)
>> ~[connector-framework-internal-1.4.1.0.jar:?]
>>
>> Caused by: java.nio.BufferOverflowException
>>
>> at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183) ~[?:1.7.0_95]
>>
>> at java.nio.ByteBuffer.put(ByteBuffer.java:832) ~[?:1.7.0_95]
>>
>> at
>> net.tirasa.adsddl.ntsd.controls.DirSyncControl.berEncodedValue(DirSyncControl.java:100)
>> ~[?:?]
>>
>> at
>> net.tirasa.adsddl.ntsd.controls.DirSyncControl.<init>(DirSyncControl.java:75)
>> ~[?:?]
>>
>> at
>> net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:165)
>> ~[?:?]
>>
>> ... 19 more
>>
>> *From:*Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
>> *Sent:* 10. maaliskuuta 2016 18:56
>> *To:* user@syncope.apache.org
>> *Subject:* Re: Synchronize task does not remove users from syncope?
>>
>> On 10/03/2016 17:23, Kettunen, Juhani wrote:
>>
>> Hello,
>>
>> I have two external resources working fine (AD and PostgreSQL
>> database) as well as a synchronize task from the AD.
>>
>> The sync task does create and update all users in syncope and in
>> the database, but it does not remove any users (deprovision). For
>> example if I delete a user in AD it doesn’t get deleted from
>> Syncope’s internal users and therefore not from the external
>> resource either.
>>
>> This same applies when I edit a previously synchronized user in
>> Active Directory so that it doesn’t meet connectors membership or
>> accountSearchFilter rules anymore – it does not get removed from
>> Syncope and other resources.
>>
>> What am I missing?
>>
>> The Synchronization Task has only Matching (update) and
>> Unmatching (provision). Should it have at least a third matching
>> rule: Source Missing Rule – which would most likely always be
>> used for deprovisioning?
>>
>>
>> Hi,
>> synchronization from Syncope either relies on ConnId's SEARCH [1] or
>> SYNC [2], depending on whether you've set the the "Full
>> reconciliation" flag on the related SyncTask.
>>
>> With that option flagged, Syncope will barely ask the external
>> resource for all users available at the moment; without such flag,
>> Syncope will ask for all the changes occurred since previous
>> synchronization.
>> Only the latter is the capable of instructing Syncope about to delete
>> users (or roles).
>> More information on this topic is available at [3].
>>
>> Please consider that not all ConnId connectors implement SYNC - but
>> either Active Directory [4], Database table [5] and Scripted SQL [6] do.
>> In any case, SYNC might required additional configuration options on
>> the related connector instance.
>>
>> Hope this helps.
>> Regards.
>>
>> [1]
>> http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/api/operations/SearchApiOp.html
>> [2]
>> http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/api/operations/SyncApiOp.html
>> [3] https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronization
>> [4] https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482
>> [5] https://connid.atlassian.net/wiki/display/BASE/Database+Table
>> [6] https://connid.atlassian.net/wiki/display/BASE/Scripted+SQL
>>
>> --
>> Francesco Chicchiriccò
>> Tirasa - Open Source Excellence
>> http://www.tirasa.net/
>> Involved at The Apache Software Foundation:
>> member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
>> http://home.apache.org/~ilgrosso/ <http://home.apache.org/%7Eilgrosso/>
>
> --
> Dott. Marco Di Sabatino Di Diodoro
> Tel. +39 3939065570
>
> Tirasa S.r.l.
> Viale D'Annunzio 267 - 65127 Pescara
> Tel +39 0859116307 / FAX +39 0859111173
> http://www.tirasa.net
>
> Apache Syncope PMC Member
> http://people.apache.org/~mdisabatino/
--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html
Tirasa - Open Source Excellence
http://www.tirasa.net/
Apache Syncope PMC
http://people.apache.org/~fmartelli/
Re: Synchronize task does not remove users from syncope?
Posted by Marco Di Sabatino Di Diodoro <ma...@tirasa.net>.
Hi Juhani
Il 15/03/2016 14:07, Kettunen, Juhani ha scritto:
>
> Hello Francesco,
>
> Thank you for the reply.
>
> I created my active directory connector, resource and the
> synchronization task from scratch and I did not check the full
> reconciliation so now it should be doing the SYNC.
>
> But now I’m getting below error, what could be wrong?
>
> org.identityconnectors.framework.common.exceptions.ConnectorException:
> Could not set DirSync request controls
>
> at
> net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:168)
> ~[?:?]
>
> at net.tirasa.connid.bundles.ad.ADConnector.sync(ADConnector.java:143)
> ~[?:?]
>
> at
> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:139)
> ~[connector-framework-internal-1.4.1.0.jar:?]
>
I think there is a problem with the Active Directory connector. Please,
write to ConnId Mailing List [1][2]
Regards
M
[1] connid-users@googlegroups.com
[2] https://groups.google.com/forum/?fromgroups#!forum/connid-users
> Best Regards,
>
> Juhani
>
> Full stack trace:
>
> 12:28:44.521 DEBUG Enter: getLatestSyncToken(ObjectClass: __ACCOUNT__)
> Method: getLatestSyncToken
>
> 12:29:02.602 DEBUG Latest sync token set to SyncToken: [B@2baedc04
> Method: getLatestSyncToken
>
> 12:29:02.602 DEBUG Return: SyncToken: [B@2baedc04 Method:
> getLatestSyncToken
>
> 12:29:02.603 DEBUG Enter: sync(ObjectClass: __ACCOUNT__, SyncToken:
> [B@64eea103,
> org.apache.syncope.core.sync.impl.UserSyncResultHandler@6e8cffb9,
> OperationOptions:
> {ATTRS_TO_GET:[mail,sn,title,department,sAMAccountName,__UID__,__NAME__,l,givenName,__ENABLE__...]})
> Method: sync
>
> 12:29:02.663 DEBUG Enter: sync(ObjectClass: __ACCOUNT__, SyncToken:
> [B@64eea103,
> org.identityconnectors.framework.impl.api.local.operations.SyncImpl$1@299fe21d,
> OperationOptions:
> {ATTRS_TO_GET:[mail,sn,title,department,sAMAccountName,__UID__,__NAME__,l,givenName,__ENABLE__...]})
> Method: sync
>
> 12:29:02.663 DEBUG Synchronization with token. Method: sync
>
> 12:29:02.663 DEBUG Exception: Method: sync
>
> org.identityconnectors.framework.common.exceptions.ConnectorException:
> Could not set DirSync request controls
>
> at
> net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:168)
> ~[?:?]
>
> at net.tirasa.connid.bundles.ad.ADConnector.sync(ADConnector.java:143)
> ~[?:?]
>
> at
> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:139)
> ~[connector-framework-internal-1.4.1.0.jar:?]
>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:1.7.0_95]
>
> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>
> at
> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
> ~[connector-framework-internal-1.4.1.0.jar:?]
>
> at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:1.7.0_95]
>
> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>
> at
> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:98)
> ~[connector-framework-internal-1.4.1.0.jar:?]
>
> at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:1.7.0_95]
>
> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>
> at
> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:159)
> ~[connector-framework-internal-1.4.1.0.jar:?]
>
> Caused by: java.nio.BufferOverflowException
>
> at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183) ~[?:1.7.0_95]
>
> at java.nio.ByteBuffer.put(ByteBuffer.java:832) ~[?:1.7.0_95]
>
> at
> net.tirasa.adsddl.ntsd.controls.DirSyncControl.berEncodedValue(DirSyncControl.java:100)
> ~[?:?]
>
> at
> net.tirasa.adsddl.ntsd.controls.DirSyncControl.<init>(DirSyncControl.java:75)
> ~[?:?]
>
> at
> net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:165)
> ~[?:?]
>
> ... 19 more
>
> 12:29:02.671 DEBUG Exception: Method: sync
>
> org.identityconnectors.framework.common.exceptions.ConnectorException:
> Could not set DirSync request controls
>
> at
> net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:168)
> ~[?:?]
>
> at net.tirasa.connid.bundles.ad.ADConnector.sync(ADConnector.java:143)
> ~[?:?]
>
> at
> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:139)
> ~[connector-framework-internal-1.4.1.0.jar:?]
>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:1.7.0_95]
>
> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>
> at
> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
> ~[connector-framework-internal-1.4.1.0.jar:?]
>
> at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:1.7.0_95]
>
> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>
> at
> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:98)
> ~[connector-framework-internal-1.4.1.0.jar:?]
>
> at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> ~[?:1.7.0_95]
>
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:1.7.0_95]
>
> at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
>
> at
> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:159)
> ~[connector-framework-internal-1.4.1.0.jar:?]
>
> Caused by: java.nio.BufferOverflowException
>
> at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183) ~[?:1.7.0_95]
>
> at java.nio.ByteBuffer.put(ByteBuffer.java:832) ~[?:1.7.0_95]
>
> at
> net.tirasa.adsddl.ntsd.controls.DirSyncControl.berEncodedValue(DirSyncControl.java:100)
> ~[?:?]
>
> at
> net.tirasa.adsddl.ntsd.controls.DirSyncControl.<init>(DirSyncControl.java:75)
> ~[?:?]
>
> at
> net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:165)
> ~[?:?]
>
> ... 19 more
>
> *From:*Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
> *Sent:* 10. maaliskuuta 2016 18:56
> *To:* user@syncope.apache.org
> *Subject:* Re: Synchronize task does not remove users from syncope?
>
> On 10/03/2016 17:23, Kettunen, Juhani wrote:
>
> Hello,
>
> I have two external resources working fine (AD and PostgreSQL
> database) as well as a synchronize task from the AD.
>
> The sync task does create and update all users in syncope and in
> the database, but it does not remove any users (deprovision). For
> example if I delete a user in AD it doesn’t get deleted from
> Syncope’s internal users and therefore not from the external
> resource either.
>
> This same applies when I edit a previously synchronized user in
> Active Directory so that it doesn’t meet connectors membership or
> accountSearchFilter rules anymore – it does not get removed from
> Syncope and other resources.
>
> What am I missing?
>
> The Synchronization Task has only Matching (update) and Unmatching
> (provision). Should it have at least a third matching rule: Source
> Missing Rule – which would most likely always be used for
> deprovisioning?
>
>
> Hi,
> synchronization from Syncope either relies on ConnId's SEARCH [1] or
> SYNC [2], depending on whether you've set the the "Full
> reconciliation" flag on the related SyncTask.
>
> With that option flagged, Syncope will barely ask the external
> resource for all users available at the moment; without such flag,
> Syncope will ask for all the changes occurred since previous
> synchronization.
> Only the latter is the capable of instructing Syncope about to delete
> users (or roles).
> More information on this topic is available at [3].
>
> Please consider that not all ConnId connectors implement SYNC - but
> either Active Directory [4], Database table [5] and Scripted SQL [6] do.
> In any case, SYNC might required additional configuration options on
> the related connector instance.
>
> Hope this helps.
> Regards.
>
> [1]
> http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/api/operations/SearchApiOp.html
> [2]
> http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/api/operations/SyncApiOp.html
> [3] https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronization
> [4] https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482
> [5] https://connid.atlassian.net/wiki/display/BASE/Database+Table
> [6] https://connid.atlassian.net/wiki/display/BASE/Scripted+SQL
>
> --
> Francesco Chicchiriccò
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
> http://home.apache.org/~ilgrosso/ <http://home.apache.org/%7Eilgrosso/>
--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570
Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
RE: Synchronize task does not remove users from syncope?
Posted by "Kettunen, Juhani" <ju...@cgi.com>.
Hello Francesco,
Thank you for the reply.
I created my active directory connector, resource and the synchronization task from scratch and I did not check the full reconciliation so now it should be doing the SYNC.
But now I'm getting below error, what could be wrong?
org.identityconnectors.framework.common.exceptions.ConnectorException: Could not set DirSync request controls
at net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:168) ~[?:?]
at net.tirasa.connid.bundles.ad.ADConnector.sync(ADConnector.java:143) ~[?:?]
at org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:139) ~[connector-framework-internal-1.4.1.0.jar:?]
Best Regards,
Juhani
Full stack trace:
12:28:44.521 DEBUG Enter: getLatestSyncToken(ObjectClass: __ACCOUNT__) Method: getLatestSyncToken
12:29:02.602 DEBUG Latest sync token set to SyncToken: [B@2baedc04 Method: getLatestSyncToken
12:29:02.602 DEBUG Return: SyncToken: [B@2baedc04 Method: getLatestSyncToken
12:29:02.603 DEBUG Enter: sync(ObjectClass: __ACCOUNT__, SyncToken: [B@64eea103, org.apache.syncope.core.sync.impl.UserSyncResultHandler@6e8cffb9, OperationOptions: {ATTRS_TO_GET:[mail,sn,title,department,sAMAccountName,__UID__,__NAME__,l,givenName,__ENABLE__...]}) Method: sync
12:29:02.663 DEBUG Enter: sync(ObjectClass: __ACCOUNT__, SyncToken: [B@64eea103, org.identityconnectors.framework.impl.api.local.operations.SyncImpl$1@299fe21d, OperationOptions: {ATTRS_TO_GET:[mail,sn,title,department,sAMAccountName,__UID__,__NAME__,l,givenName,__ENABLE__...]}) Method: sync
12:29:02.663 DEBUG Synchronization with token. Method: sync
12:29:02.663 DEBUG Exception: Method: sync
org.identityconnectors.framework.common.exceptions.ConnectorException: Could not set DirSync request controls
at net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:168) ~[?:?]
at net.tirasa.connid.bundles.ad.ADConnector.sync(ADConnector.java:143) ~[?:?]
at org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:139) ~[connector-framework-internal-1.4.1.0.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_95]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[?:1.7.0_95]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.7.0_95]
at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98) ~[connector-framework-internal-1.4.1.0.jar:?]
at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_95]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[?:1.7.0_95]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.7.0_95]
at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:98) ~[connector-framework-internal-1.4.1.0.jar:?]
at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_95]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[?:1.7.0_95]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.7.0_95]
at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
at org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:159) ~[connector-framework-internal-1.4.1.0.jar:?]
Caused by: java.nio.BufferOverflowException
at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183) ~[?:1.7.0_95]
at java.nio.ByteBuffer.put(ByteBuffer.java:832) ~[?:1.7.0_95]
at net.tirasa.adsddl.ntsd.controls.DirSyncControl.berEncodedValue(DirSyncControl.java:100) ~[?:?]
at net.tirasa.adsddl.ntsd.controls.DirSyncControl.<init>(DirSyncControl.java:75) ~[?:?]
at net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:165) ~[?:?]
... 19 more
12:29:02.671 DEBUG Exception: Method: sync
org.identityconnectors.framework.common.exceptions.ConnectorException: Could not set DirSync request controls
at net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:168) ~[?:?]
at net.tirasa.connid.bundles.ad.ADConnector.sync(ADConnector.java:143) ~[?:?]
at org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:139) ~[connector-framework-internal-1.4.1.0.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_95]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[?:1.7.0_95]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.7.0_95]
at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98) ~[connector-framework-internal-1.4.1.0.jar:?]
at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_95]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[?:1.7.0_95]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.7.0_95]
at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:98) ~[connector-framework-internal-1.4.1.0.jar:?]
at com.sun.proxy.$Proxy215.sync(Unknown Source) ~[?:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_95]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[?:1.7.0_95]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.7.0_95]
at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_95]
at org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:159) ~[connector-framework-internal-1.4.1.0.jar:?]
Caused by: java.nio.BufferOverflowException
at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183) ~[?:1.7.0_95]
at java.nio.ByteBuffer.put(ByteBuffer.java:832) ~[?:1.7.0_95]
at net.tirasa.adsddl.ntsd.controls.DirSyncControl.berEncodedValue(DirSyncControl.java:100) ~[?:?]
at net.tirasa.adsddl.ntsd.controls.DirSyncControl.<init>(DirSyncControl.java:75) ~[?:?]
at net.tirasa.connid.bundles.ad.sync.ADSyncStrategy.sync(ADSyncStrategy.java:165) ~[?:?]
... 19 more
From: Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
Sent: 10. maaliskuuta 2016 18:56
To: user@syncope.apache.org
Subject: Re: Synchronize task does not remove users from syncope?
On 10/03/2016 17:23, Kettunen, Juhani wrote:
Hello,
I have two external resources working fine (AD and PostgreSQL database) as well as a synchronize task from the AD.
The sync task does create and update all users in syncope and in the database, but it does not remove any users (deprovision). For example if I delete a user in AD it doesn't get deleted from Syncope's internal users and therefore not from the external resource either.
This same applies when I edit a previously synchronized user in Active Directory so that it doesn't meet connectors membership or accountSearchFilter rules anymore - it does not get removed from Syncope and other resources.
What am I missing?
The Synchronization Task has only Matching (update) and Unmatching (provision). Should it have at least a third matching rule: Source Missing Rule - which would most likely always be used for deprovisioning?
Hi,
synchronization from Syncope either relies on ConnId's SEARCH [1] or SYNC [2], depending on whether you've set the the "Full reconciliation" flag on the related SyncTask.
With that option flagged, Syncope will barely ask the external resource for all users available at the moment; without such flag, Syncope will ask for all the changes occurred since previous synchronization.
Only the latter is the capable of instructing Syncope about to delete users (or roles).
More information on this topic is available at [3].
Please consider that not all ConnId connectors implement SYNC - but either Active Directory [4], Database table [5] and Scripted SQL [6] do.
In any case, SYNC might required additional configuration options on the related connector instance.
Hope this helps.
Regards.
[1] http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/api/operations/SearchApiOp.html
[2] http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/api/operations/SyncApiOp.html
[3] https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronization
[4] https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482
[5] https://connid.atlassian.net/wiki/display/BASE/Database+Table
[6] https://connid.atlassian.net/wiki/display/BASE/Scripted+SQL
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
http://home.apache.org/~ilgrosso/
Re: Synchronize task does not remove users from syncope?
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 10/03/2016 17:23, Kettunen, Juhani wrote:
>
> Hello,
>
> I have two external resources working fine (AD and PostgreSQL
> database) as well as a synchronize task from the AD.
>
> The sync task does create and update all users in syncope and in the
> database, but it does not remove any users (deprovision). For example
> if I delete a user in AD it doesn’t get deleted from Syncope’s
> internal users and therefore not from the external resource either.
>
> This same applies when I edit a previously synchronized user in Active
> Directory so that it doesn’t meet connectors membership or
> accountSearchFilter rules anymore – it does not get removed from
> Syncope and other resources.
>
> What am I missing?
>
> The Synchronization Task has only Matching (update) and Unmatching
> (provision). Should it have at least a third matching rule: Source
> Missing Rule – which would most likely always be used for deprovisioning?
>
Hi,
synchronization from Syncope either relies on ConnId's SEARCH [1] or
SYNC [2], depending on whether you've set the the "Full reconciliation"
flag on the related SyncTask.
With that option flagged, Syncope will barely ask the external resource
for all users available at the moment; without such flag, Syncope will
ask for all the changes occurred since previous synchronization.
Only the latter is the capable of instructing Syncope about to delete
users (or roles).
More information on this topic is available at [3].
Please consider that not all ConnId connectors implement SYNC - but
either Active Directory [4], Database table [5] and Scripted SQL [6] do.
In any case, SYNC might required additional configuration options on the
related connector instance.
Hope this helps.
Regards.
[1]
http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/api/operations/SearchApiOp.html
[2]
http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/api/operations/SyncApiOp.html
[3] https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronization
[4] https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482
[5] https://connid.atlassian.net/wiki/display/BASE/Database+Table
[6] https://connid.atlassian.net/wiki/display/BASE/Scripted+SQL
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
http://home.apache.org/~ilgrosso/