Posted to user@syncope.apache.org by Ashley Day <ac...@hotmail.com> on 2022/10/05 09:50:53 UTC

AD Group Sync error

Good Morning


I am trying to use Apache Syncope as a front end management tool for active directory so that people can self-provision themselves into groups they require, with authorisation from a team leader. Currently during my testing I am having difficulty with the group syncing from Syncope -> Active Directory. I’ll put some bullet points below on what is working and the issue I am receiving;

  *   AD user sync into Syncope. Works.
  *   AD group sync into Syncope. Works
  *   AD Group membership into Syncope. Works
  *   Syncope created User sync into AD. Works (Although user is disabled)
  *   Syncope created group sync into AD. Works
  *   Add Group membership in Syncope sync into AD. Failure.


I imagine it has something to do with the attribute mapping, or I am not putting the correct task in, but I was wondering if you had any advice on how I might be able to get this sorted, as the Syncope Group syncing into AD is the main reason I would like to use Syncope.


Hope to hear from you soon.

Ashley.


Re: AD Group Sync error

Posted by Ashley Day <ac...@hotmail.com>.
Hi Francesco

Do you know if Syncope has any sync issues with Server 2019? I'm still
scratching my head at what could be causing the Group membership not to
sync correctly.

I am running Syncope 2.1.11 if that helps?

Kind regards,
Ashley.

On Wed, Oct 5, 2022 at 10:58 AM Francesco Chicchiriccò <il...@apache.org>
wrote:

> On 05/10/22 11:50, Ashley Day wrote:
>
> Good Morning
>
>
>
> I am trying to use Apache Syncope as a front end management tool for
> active directory so that people can self-provision themselves into groups
> they require, with authorisation from a team leader. Currently during my
> testing I am having difficulty with the group syncing from Syncope ->
> Active Directory. I’ll put some bullet points below on what is working and
> the issue I am receiving;
>
>    - AD user sync into Syncope. Works.
>    - AD group sync into Syncope. Works
>    - AD Group membership into Syncope. Works
>    - Syncope created User sync into AD. Works (Although user is disabled)
>    - Syncope created group sync into AD. Works
>    - Add Group membership in Syncope sync into AD. Failure.
>
>
>
> I imagine it has something to do with the attribute mapping, or I am not
> putting the correct task in, but I was wondering if you had any advice on
> how I might be able to get this sorted, as the Syncope Group syncing into
> AD is the main reason I would like to use Syncope.
>
>
> Hi Ashley,
>
> glad of your interest in Apache Syncope.
>
>
> Have you already had a look at
>
> https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory
>
> ?
>
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>

Re: AD Group Sync error

Posted by Ashley Day <ac...@hotmail.com>.
Hi Francesco

Thank you for getting back to me so quickly.

I have been through that guide and have everything set up like it suggests but the sync between group membership still doesn't sync over into AD. It all works fine in Syncope and the user is showing as a member of the group on Syncope, but it doesn't change anything within AD.

Kind regards,
Ashley.
________________________________
From: Francesco Chicchiriccò <il...@apache.org>
Sent: 05 October 2022 10:58
To: user@syncope.apache.org <us...@syncope.apache.org>
Subject: Re: AD Group Sync error

On 05/10/22 11:50, Ashley Day wrote:

Good Morning



I am trying to use Apache Syncope as a front end management tool for active directory so that people can self-provision themselves into groups they require, with authorisation from a team leader. Currently during my testing I am having difficulty with the group syncing from Syncope -> Active Directory. I’ll put some bullet points below on what is working and the issue I am receiving;

  *   AD user sync into Syncope. Works.
  *   AD group sync into Syncope. Works
  *   AD Group membership into Syncope. Works
  *   Syncope created User sync into AD. Works (Although user is disabled)
  *   Syncope created group sync into AD. Works
  *   Add Group membership in Syncope sync into AD. Failure.



I imagine it has something to do with the attribute mapping, or I am not putting the correct task in, but I was wondering if you had any advice on how I might be able to get this sorted, as the Syncope Group syncing into AD is the main reason I would like to use Syncope.

Hi Ashley,

glad of your interest in Apache Syncope.


Have you already had a look at

https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory

?


Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: AD Group Sync error

Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi Ashley,
so you are failing to propagate Syncope group memberships to AD?

e.g. if User U is member of group G in Syncope, let the U counterpart of AD be part of the G counterpart on AD?

If so, please ensure that:

1. your AD resource is configured for both users and groups

2. you have configured the LDAPMembershipPropagationActions for the AD resource

(both things are considered in the blog post I've shared below)

Additionally, ensure to connect to AD via LDAPS (port 636), otherwise some features might not be working (for example, you will be creating disabled users).

HTH
Regards.

On 11/10/22 11:17, Ashley Day wrote:
> Hi
>
> I've attached a bunch of pictures of the configuration for the AD connector and the mappings for users and groups. Wonder if you can see anything wrong here?
>
> Kind regards,
> Ashley.
>
> On Thu, Oct 6, 2022 at 4:49 PM Ashley Day <ac...@hotmail.com> wrote:
>
>     Hi Francesco
>
>     Do you know if Syncope has any sync issues with Server 2019? I'm still scratching my head at what could be causing the Group membership not to sync correctly.
>
>     I am running Syncope 2.1.11 if that helps?
>
>     Kind regards,
>     Ashley.
>
>     On Wed, Oct 5, 2022 at 10:58 AM Francesco Chicchiriccò <il...@apache.org> wrote:
>
>         On 05/10/22 11:50, Ashley Day wrote:
>>
>>         Good Morning
>>
>>         I am trying to use Apache Syncope as a front end management tool for active directory so that people can self-provision themselves into groups they require, with authorisation from a team leader. Currently during my testing I am having difficulty with the group syncing from Syncope -> Active Directory. I’ll put some bullet points below on what is working and the issue I am receiving;
>>
>>           * AD user sync into Syncope. Works.
>>           * AD group sync into Syncope. Works
>>           * AD Group membership into Syncope. Works
>>           * Syncope created User sync into AD. Works (Although user is disabled)
>>           * Syncope created group sync into AD. Works
>>           * Add Group membership in Syncope sync into AD. Failure.
>>
>>         I imagine it has something to do with the attribute mapping, or I am not putting the correct task in, but I was wondering if you had any advice on how I might be able to get this sorted, as the Syncope Group syncing into AD is the main reason I would like to use Syncope.
>>
>
>         Hi Ashley,
>
>         glad of your interest in Apache Syncope.
>
>
>         Have you already had a look at
>
>         https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory
>
>         ?
>
>
>         Regards.
>
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
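
A directory-side check for the two symptoms discussed in this thread (users created disabled, memberships not reaching AD), as an added example that is not part of the original messages or of Syncope. It parses an LDIF export of the kind `ldapsearch` produces; it assumes unwrapped lines and no base64 values, and every DN and name in the sample is constructed.

```python
# Added example: audit an LDIF export for disabled users and missing group members.
ACCOUNTDISABLE = 0x0002  # userAccountControl flag defined by Active Directory

# Constructed sample export; all names and DNs are made up.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: jdoe
userAccountControl: 514

dn: CN=John Roe,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: jroe
userAccountControl: 512

dn: CN=Finance,OU=Groups,DC=example,DC=test
objectClass: group
member: cn=john roe,ou=staff,dc=example,dc=test
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF (no base64 values, no folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:  # skips comment-only header blocks
            entries.append(entry)
    return entries

def norm(dn):
    # DNs compare case-insensitively; naive split, ignores escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def disabled_users(entries):
    return [e["dn"][0] for e in entries
            if "user" in e.get("objectclass", [])
            and int(e.get("useraccountcontrol", ["0"])[0]) & ACCOUNTDISABLE]

def missing_members(entries, group_dn, expected_user_dns):
    group = next(e for e in entries if norm(e["dn"][0]) == norm(group_dn))
    present = {norm(m) for m in group.get("member", [])}
    return [u for u in expected_user_dns if norm(u) not in present]
```

Run it against an export taken after a propagation task: any DN returned by `missing_members` is a membership that exists in Syncope but did not reach the AD group's `member` attribute.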

Re: AD Group Sync error

Posted by Ashley Day <ac...@hotmail.com>.
Hi

I've attached a bunch of pictures of the configuration for the AD connector
and the mappings for users and groups. Wonder if you can see anything wrong
here?

Kind regards,
Ashley.

On Thu, Oct 6, 2022 at 4:49 PM Ashley Day <ac...@hotmail.com> wrote:

> Hi Francesco
>
> Do you know if Syncope has any sync issues with Server 2019? I'm still
> scratching my head at what could be causing the Group membership not to
> sync correctly.
>
> I am running Syncope 2.1.11 if that helps?
>
> Kind regards,
> Ashley.
>
> On Wed, Oct 5, 2022 at 10:58 AM Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>> On 05/10/22 11:50, Ashley Day wrote:
>>
>> Good Morning
>>
>>
>>
>> I am trying to use Apache Syncope as a front end management tool for
>> active directory so that people can self-provision themselves into groups
>> they require, with authorisation from a team leader. Currently during my
>> testing I am having difficulty with the group syncing from Syncope ->
>> Active Directory. I’ll put some bullet points below on what is working and
>> the issue I am receiving;
>>
>>    - AD user sync into Syncope. Works.
>>    - AD group sync into Syncope. Works
>>    - AD Group membership into Syncope. Works
>>    - Syncope created User sync into AD. Works (Although user is disabled)
>>
>>    - Syncope created group sync into AD. Works
>>    - Add Group membership in Syncope sync into AD. Failure.
>>
>>
>>
>> I imagine it has something to do with the attribute mapping, or I am not
>> putting the correct task in, but I was wondering if you had any advice on
>> how I might be able to get this sorted, as the Syncope Group syncing into
>> AD is the main reason I would like to use Syncope.
>>
>>
>> Hi Ashley,
>>
>> glad of your interest in Apache Syncope.
>>
>>
>> Have you already had a look at
>>
>> https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory
>>
>> ?
>>
>>
>> Regards.
>>
>> --
>> Francesco Chicchiriccò
>>
>> Tirasa - Open Source Excellence
>> http://www.tirasa.net/
>>
>> Member at The Apache Software Foundation
>> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
>> http://home.apache.org/~ilgrosso/
>>
>>

Re: AD Group Sync error

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 05/10/22 11:50, Ashley Day wrote:
>
> Good Morning
>
> I am trying to use Apache Syncope as a front end management tool for active directory so that people can self-provision themselves into groups they require, with authorisation from a team leader. Currently during my testing I am having difficulty with the group syncing from Syncope -> Active Directory. I’ll put some bullet points below on what is working and the issue I am receiving;
>
>   * AD user sync into Syncope. Works.
>   * AD group sync into Syncope. Works
>   * AD Group membership into Syncope. Works
>   * Syncope created User sync into AD. Works (Although user is disabled)
>   * Syncope created group sync into AD. Works
>   * Add Group membership in Syncope sync into AD. Failure.
>
> I imagine it has something to do with the attribute mapping, or I am not putting the correct task in, but I was wondering if you had any advice on how I might be able to get this sorted, as the Syncope Group syncing into AD is the main reason I would like to use Syncope.
>

Hi Ashley,

glad of your interest in Apache Syncope.


Have you already had a look at

https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory

?


Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/