Posted to user@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2014/11/04 07:29:45 UTC

Re: Pattern regular expressions for policies

On 03/11/2014 23:03, Manfredo Hopp wrote:
> Hello, I want to create account ids composed only of digits, and get
> InvalidUserName as result of
> EntityValidationListener.validate.
>
> My guess is that validation is controlled by AccountPolicies where I
> can see an entry for regular expressions, which is not documented.
>
> Entering a regular expression doesn't change anything, so what is that
> item for?
> And where can I control name ids?

Hi,
you are right, the pattern option for account policies - introduced with 
1.2.0 - is not yet reported at [1].

When you define a policy (account, password, sync) you also need to 
configure for which users such policy is going to be applied: if created 
as GLOBAL policy it will be applied to all users, otherwise you will 
need to associate it to a role or a resource in order to make it 
effective (for users owning that role or assigned to that resource, 
clearly).

Additional information: when not specified, the pattern for user names 
is "[a-zA-Z0-9-_@. ]+".

Could you please provide more details of what you are doing?

Regards.

[1] 
https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-AccountPolicies

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/



Re: Pattern regular expressions for policies

Posted by Manfredo Hopp <mh...@gmail.com>.
now it is not null!

12:59:36.892 DEBUG
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Process
CREATE_OR_UPDATE for 12218 as ObjectClass: __ACCOUNT__
12:59:36.940 DEBUG
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
Transformed: org.apache.syncope.common.to.UserTO@21276131[
  memberships=[]
  status=<null>
  token=<null>
  tokenExpireTime=<null>
  username=12218
  lastLoginDate=<null>
  changePwdDate=<null>
  failedLogins=<null>
  securityQuestion=<null>
  securityAnswer=<null>
  resources=[sarauth2]
  propagationStatusTOs=[]
  id=0
  derAttrs=[]
  virAttrs=[]
  attrs=[org.apache.syncope.common.to.AttributeTO@205de8f8[
  schema=nombre
  values=[MARIA EUGENIA]
  readonly=false
], org.apache.syncope.common.to.AttributeTO@756a0261[
  schema=usrnum
  values=[12218]
  readonly=false
], org.apache.syncope.common.to.AttributeTO@2c26a80[
  schema=apellido
  values=[]
  readonly=false
], org.apache.syncope.common.to.AttributeTO@29ddfaea[
  schema=usrnum
  values=[12218]
  readonly=false
]]
  creator=<null>
  creationDate=<null>
  lastModifier=<null>
  lastChangeDate=<null>
]


2014-11-04 12:53 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:

>  On 04/11/2014 16:23, Manfredo Hopp wrote:
>
> Thanks Francesco for prompt reply!
>
>  Ok for your testing, in my case the mentioned account policy is directly
> attached to resource used in a synchronization task where mapping of
> accountId is with __NAME__  (primary key of resource is Long)
> through a resource,  so maybe there is a difference in how accounts are
> created.
>
>
> Manfredo,
> when looking at the log below that says "username=<null>" I'd say that the
> problem is the resource user mapping (or the user template); the account
> policy says that username is not valid because it is null.
>
> HTH
> Regards.
>
>
>   12:19:31.067 DEBUG
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Process
> CREATE_OR_UPDATE for 33 as ObjectClass: __ACCOUNT__
> 12:19:31.133 DEBUG
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
> Transformed: org.apache.syncope.common.to.UserTO@364b2379[
>   memberships=[]
>   status=<null>
>   token=<null>
>   tokenExpireTime=<null>
>   username=<null>
>   lastLoginDate=<null>
>   changePwdDate=<null>
>   failedLogins=<null>
>   securityQuestion=<null>
>   securityAnswer=<null>
>   resources=[sarauth2]
>   propagationStatusTOs=[]
>   id=0
>   derAttrs=[]
>   virAttrs=[]
>   attrs=[org.apache.syncope.common.to.AttributeTO@7f05f8c7[
>   schema=nombre
>   values=[Daniel]
>   readonly=false
> ], org.apache.syncope.common.to.AttributeTO@611011f7[
>   schema=usrnum
>   values=[33]
>   readonly=false
> ], org.apache.syncope.common.to.AttributeTO@660ba0e9[
>   schema=apellido
>   values=[]
>   readonly=false
> ], org.apache.syncope.common.to.AttributeTO@5715556[
>   schema=usrnum
>   values=[33]
>   readonly=false
> ]]
>   creator=<null>
>   creationDate=<null>
>   lastModifier=<null>
>   lastChangeDate=<null>
> ]
> 12:19:31.303 ERROR
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
> create USER 33
> org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
> SyncopeUser [Standard, InvalidUsername]
>
>
>  Regards
>
> 2014-11-04 11:23 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:
>
>>  On 04/11/2014 14:16, Manfredo Hopp wrote:
>>
>> Hi Francesco, our user database has account ids expressed in digits and
>> the idea is having the same id in syncope, but it seems that digits are not
>> accepted since an expression like [0-9]+ throws
>>
>>  19:45:50.464 ERROR
>> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
>> create USER 69
>> org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
>> SyncopeUser [Standard, InvalidUsername]
>>         at
>> org.apache.syncope.core.persistence.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:49)
>> ~[EntityValidationListener.class:?]
>>         at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
>> ~[?:?]
>>
>>
>>  Hi Manfredo,
>> I cannot replicate this problem.
>>
>> In embedded mode from a fresh generated 1.2.1-SNAPSHOT project I have:
>>
>>  1. created an account policy "onlyDigits" with only option for pattern
>> ([0-9]+)
>>  2. created a role "roleForOnlyDigits" and set it with the account policy
>> above
>>  3. created a new user, assigned the roleForOnlyDigits role, set username
>> to "test" - got validation error, as expected
>>  4. changed username to "12345678" - create completed successfully
>>
>> This specific issue is also checked by
>> org.apache.syncope.core.policy.AccountPolicyEnforcerTest#testExplicitPattern
>> - see [2].
>>
>> Regards.
>>
>>   [2]
>> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/test/java/org/apache/syncope/core/policy/AccountPolicyEnforcerTest.java;h=97b9d99a0ce1754d19ce49704ba8c6613326d1c0;hb=1_2_X#l87
>>

Re: Pattern regular expressions for policies

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 04/11/2014 20:41, Manfredo Hopp wrote:
> Francesco, neither P or C:  G  (gov)

I was meaning Proof-of-Concept :-)
Anyway, just keep us updated as far as you are allowed to.

> Last questions regarding this configuration: what is the need of
> username being mandatory if there is an accountid check (which
> itself is mandatory)? Isn't accountId a kind of username replacement?
> Maybe a more accurate explanation should arise from documents.

Username is mandatory because it is required for log-in. Account id on a 
given resource might or might not be mapped to username.
Account id is just the system-generated identifier for the user object.

When propagating or pushing (Syncope -> external resource) users, 
username is not necessarily needed.
When synchronizing (external resource -> Syncope, as in your case) 
username is required to be provided either via mapping, user template or 
synchronization action.

Take a look at wiki's concepts section for some more explanation: 
documentation needs to be improved for sure, but this is an Open Source 
community so your contribution is very welcome :-)

Regards.

> 2014-11-04 14:36 GMT-03:00 Francesco Chicchiriccò <ilgrosso@apache.org>:
>
>     Eh eh eh, thank you :-)
>
>     Please keep us updated with the outcomes of your Syncope
>     experiments (PoC?).
>
>     Regards.
>
>
>     On 04/11/2014 17:23, Manfredo Hopp wrote:
>>     OK Francesco THANKS TO YOU!
>>
>>     you're IL GROSSO
>>
>>     :)
>>
>>     2014-11-04 13:20 GMT-03:00 Francesco Chicchiriccò <ilgrosso@apache.org>:
>>
>>         On 04/11/2014 17:16, Manfredo Hopp wrote:
>>>         I made it work creating a mapping for username which seems
>>>         to be mandatory in order to create users,
>>
>>         Oh, nice idea! Where did you get it from? ;-)
>>
>>>         so why not include it as mandatory in the mapping screen, or
>>>         with default mapping value when I know that task is creating
>>>         users!
>>
>>         To me it looks like a configuration error, instead.
>>         Anyway, if you think this is an improvement, feel free to
>>         open an issue on JIRA and provide a patch.
>>
>>         Regards.
>>
>>
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
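
The diagnosis reached in this thread, as an added Java sketch that is not Syncope's code and not from either poster: a null username fails validation whatever pattern the account policy carries, so the fix belongs in the mapping, not in the regex. The class, the simplified mapping model and the whole-string matching are assumptions; the default pattern and the `[0-9]+` pattern are the ones quoted above.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration, not Apache Syncope code: a stand-alone model of the
// username check discussed in this thread. Class, enum and method names are
// hypothetical.
public class UsernamePolicyDemo {

    // Default pattern quoted in the thread, used when the policy sets none.
    static final String DEFAULT_PATTERN = "[a-zA-Z0-9-_@. ]+";

    enum Result { OK, NULL_USERNAME, PATTERN_MISMATCH }

    // Assumption: the pattern must match the whole username, not a substring.
    static Result check(String username, String policyPattern) {
        if (username == null) {
            // No regex can accept a missing value. The thread's log reports
            // this case as InvalidUsername, which is easy to misread as a
            // pattern rejection.
            return Result.NULL_USERNAME;
        }
        String pattern = (policyPattern == null || policyPattern.isEmpty())
                ? DEFAULT_PATTERN : policyPattern;
        return Pattern.matches(pattern, username)
                ? Result.OK : Result.PATTERN_MISMATCH;
    }

    // Hypothetical, simplified mapping: internal field -> external attribute.
    // Returns null when no external attribute is mapped to "username".
    static String resolveUsername(Map<String, String> mapping,
                                  Map<String, String> externalRecord) {
        String externalAttr = mapping.get("username");
        return externalAttr == null ? null : externalRecord.get(externalAttr);
    }

    static void report(String label, String username, String pattern) {
        System.out.printf("%-28s username=%-10s pattern=%-20s -> %s%n",
                label, username, pattern == null ? "(default)" : pattern,
                check(username, pattern));
    }

    public static void main(String[] args) {
        // Constructed record, modelled on the attributes visible in the log.
        Map<String, String> record = new HashMap<>();
        record.put("usrnum", "33");
        record.put("nombre", "Daniel");

        // Mapping as first configured in the thread: attributes only.
        Map<String, String> withoutUsername = new HashMap<>();
        withoutUsername.put("nombre", "nombre");
        withoutUsername.put("usrnum", "usrnum");

        // Mapping after the fix: username is fed from the numeric id.
        Map<String, String> withUsername = new HashMap<>(withoutUsername);
        withUsername.put("username", "usrnum");

        String digitsOnly = "[0-9]+";
        report("sync, no username mapping",
                resolveUsername(withoutUsername, record), digitsOnly);
        report("sync, username <- usrnum",
                resolveUsername(withUsername, record), digitsOnly);

        // The two values from the manual reproduction steps in the thread.
        report("manual create", "test", digitsOnly);
        report("manual create", "12345678", digitsOnly);

        // Constructed value that separates whole-string matching from a
        // substring search.
        report("digits then letters", "33abc", digitsOnly);

        // Policy without a pattern falls back to the default.
        report("no pattern in policy", "12218", null);
    }
}
```

Keeping the null case distinct from a pattern mismatch points straight at the resource mapping or user template when a synchronization task fails.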


Re: Pattern regular expressions for policies

Posted by Manfredo Hopp <mh...@gmail.com>.
Francesco, neither P or C:  G  (gov)

Last questions regarding this configuration: what is the need of username
being mandatory if there is an accountid check (which itself is
mandatory)? Isn't accountId a kind of username replacement? Maybe a more
accurate explanation should arise from documents.

Thank you again for your patience!

Regards







Re: Pattern regular expressions for policies

Posted by Francesco Chicchiriccò <il...@apache.org>.
Eh eh eh, thank you :-)

Please keep us updated with the outcomes of your Syncope experiments (PoC?).

Regards.

On 04/11/2014 17:23, Manfredo Hopp wrote:
> OK Francesco THANKS TO YOU!
>
> youre IL GROSSO
>
> :)
>
> 2014-11-04 13:20 GMT-03:00 Francesco Chicchiriccò <ilgrosso@apache.org 
> <ma...@apache.org>>:
>
>     On 04/11/2014 17:16, Manfredo Hopp wrote:
>>     I made it work creating a mapping for username which seems to be
>>     mandatory in order to create users,
>
>     Oh, nice idea! Where did you get it from? ;-)
>
>>     so why not include it as mandatory in the mapping screen, or with
>>     default mapping value when I know that task is creating users!
>
>     To me it looks like a configuration error, instead.
>     Anyway, if you think this is an improvement, feel free to open an
>     issue on JIRA and provide a patch.
>
>     Regards.
>
>
>>     2014-11-04 12:53 GMT-03:00 Francesco Chicchiriccò
>>     <ilgrosso@apache.org <ma...@apache.org>>:
>>
>>         On 04/11/2014 16:23, Manfredo Hopp wrote:
>>>         Thanks Francesco for prompt reply!
>>>
>>>         Ok for your testing, in my case the mentioned account policy
>>>         is directly attached to resource used in a syncronization
>>>         task where mapping of accountId is with __NAME__  (primary
>>>         key of resource is Long)
>>>         through a resource,  so maybe there is a difference in how
>>>         accounts are created.
>>
>>         Manfredo,
>>         when looking at the log below that says "username=<null>" I'd
>>         say that the problem is the resource user mapping (or the
>>         user template); the account policy says that username is not
>>         valid because it is null.
>>
>>         HTH
>>         Regards.
>>
>>
>>>         12:19:31.067 DEBUG
>>>         org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler
>>>         - Process CREATE_OR_UPDATE for 33 as ObjectClass: __ACCOUNT__
>>>         12:19:31.133 DEBUG
>>>         org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler
>>>         - Transformed: org.apache.syncope.common.to.UserTO@364b2379[
>>>           memberships=[]
>>>           status=<null>
>>>           token=<null>
>>>         tokenExpireTime=<null>
>>>           username=<null>
>>>           lastLoginDate=<null>
>>>           changePwdDate=<null>
>>>           failedLogins=<null>
>>>         securityQuestion=<null>
>>>           securityAnswer=<null>
>>>           resources=[sarauth2]
>>>           propagationStatusTOs=[]
>>>           id=0
>>>           derAttrs=[]
>>>           virAttrs=[]
>>>         attrs=[org.apache.syncope.common.to.AttributeTO@7f05f8c7[
>>>           schema=nombre
>>>           values=[Daniel]
>>>           readonly=false
>>>         ], org.apache.syncope.common.to.AttributeTO@611011f7[
>>>           schema=usrnum
>>>           values=[33]
>>>           readonly=false
>>>         ], org.apache.syncope.common.to.AttributeTO@660ba0e9[
>>>           schema=apellido
>>>           values=[]
>>>           readonly=false
>>>         ], org.apache.syncope.common.to.AttributeTO@5715556[
>>>           schema=usrnum
>>>           values=[33]
>>>           readonly=false
>>>         ]]
>>>           creator=<null>
>>>           creationDate=<null>
>>>           lastModifier=<null>
>>>           lastChangeDate=<null>
>>>         ]
>>>         12:19:31.303 ERROR
>>>         org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler
>>>         - Could not create USER 33
>>>         org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
>>>         SyncopeUser [Standard, InvalidUsername]
>>>
>>>
>>>         Regards
>>>
>>>         2014-11-04 11:23 GMT-03:00 Francesco Chicchiriccò
>>>         <ilgrosso@apache.org <ma...@apache.org>>:
>>>
>>>             On 04/11/2014 14:16, Manfredo Hopp wrote:
>>>>             HI Francesco, our user database has account ids
>>>>             expressed in digits and the idea is having the same id
>>>>             in syncope, but it seems that digits are not accepted
>>>>             since an expression like [0-9]+ throws
>>>>
>>>>             19:45:50.464 ERROR
>>>>             org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler
>>>>             - Could not create USER 69
>>>>             org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
>>>>             SyncopeUser [Standard, InvalidUsername]
>>>>                     at
>>>>             org.apache.syncope.core.persistence.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:49)~[EntityValidationListener.class:?]
>>>>                     at
>>>>             sun.reflect.GeneratedMethodAccessor156.invoke(Unknown
>>>>             Source) ~[?:?]
>>>
>>>             Hi Manfredo,
>>>             I cannot replicate this problem.
>>>
>>>             In embedded mode from a fresh generated 1.2.1-SNAPSHOT
>>>             project I have:
>>>
>>>              1. created an account policy "onlyDigits" with only
>>>             option for pattern ([0-9]+)
>>>              2. created a role "roleForOnlyDigits" and set it with
>>>             the account policy above
>>>              3. created a new user, assigned the roleForOnlyDigits
>>>             role, set username to "test" - got validation error, as
>>>             expected
>>>              4. changed username to "12345678" - create completed
>>>             successfully
>>>
>>>             This specific issue is also checked by
>>>             org.apache.syncope.core.policy.AccountPolicyEnforcerTest#testExplicitPattern
>>>             - see [2].
>>>
>>>             Regards.
>>>
>>>>             2014-11-04 3:29 GMT-03:00 Francesco Chicchiriccò
>>>>             <ilgrosso@apache.org <ma...@apache.org>>:
>>>>
>>>>                 On 03/11/2014 23:03, Manfredo Hopp wrote:
>>>>
>>>>                     Hello, I want to create accounts ids composed
>>>>                     only by digits, and get InvaledUserName as
>>>>                     result of
>>>>                     EntityValidationListener.validate.
>>>>
>>>>                     My guess is that validation is controlled by
>>>>                     AccountPolicies where I can see an entry for
>>>>                     regular expressions, which is not documented,
>>>>
>>>>                     Entering a regular expression doesn't change
>>>>                     anything, so what is that item for?
>>>>                     And where can I control name ids?
>>>>
>>>>
>>>>                 Hi,
>>>>                 you are right, the pattern option for account
>>>>                 policies - introduced with 1.2.0 - is not yet
>>>>                 reported at [1].
>>>>
>>>>                 When you define a policy (account, password, sync)
>>>>                 you also need to configure for which users such
>>>>                 policy is going to be applied: if created as GLOBAL
>>>>                 policy it will be applied to all users, otherwise
>>>>                 you will need to associate it to a role or a
>>>>                 resource in order to make it effective (for users
>>>>                 owning that role or assigned to that resource,
>>>>                 clearly).
>>>>
>>>>                 Additional information: when not specified, the
>>>>                 pattern for user names is "[a-zA-Z0-9-_@. ]+".
>>>>
>>>>                 Could you please provide more details of what you
>>>>                 are doing?
>>>>
>>>>                 Regards.
>>>>
>>>>                 [1]
>>>>                 https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-AccountPolicies
>>>>
>>>             [2]
>>>             https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/test/java/org/apache/syncope/core/policy/AccountPolicyEnforcerTest.java;h=97b9d99a0ce1754d19ce49704ba8c6613326d1c0;hb=1_2_X#l87
>>>
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/


Re: Pattern regular expressions for poliices

Posted by Manfredo Hopp <mh...@gmail.com>.
OK Francesco THANKS TO YOU!

you're IL GROSSO

:)

2014-11-04 13:20 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:

>  On 04/11/2014 17:16, Manfredo Hopp wrote:
>
> I made it work creating a mapping for username which seems to be mandatory
> in order to create users,
>
>
> Oh, nice idea! Where did you get it from? ;-)
>
>  so why not include it as mandatory in the mapping screen, or with
> default mapping value when I know that task is creating users!
>
>
> To me it looks like a configuration error, instead.
> Anyway, if you think this is an improvement, feel free to open an issue on
> JIRA and provide a patch.
>
> Regards.
>
>
>  2014-11-04 12:53 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:
>
>>  On 04/11/2014 16:23, Manfredo Hopp wrote:
>>
>> Thanks Francesco for prompt reply!
>>
>>  Ok for your testing, in my case the mentioned account policy is
>> directly attached to resource used in a synchronization task where mapping
>> of accountId is with __NAME__  (primary key of resource is Long)
>> through a resource,  so maybe there is a difference in how accounts are
>> created.
>>
>>
>>  Manfredo,
>> when looking at the log below that says "username=<null>" I'd say that
>> the problem is the resource user mapping (or the user template); the
>> account policy says that username is not valid because it is null.
>>
>> HTH
>> Regards.
>>
>>
>>   12:19:31.067 DEBUG
>> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Process
>> CREATE_OR_UPDATE for 33 as ObjectClass: __ACCOUNT__
>> 12:19:31.133 DEBUG
>> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
>> Transformed: org.apache.syncope.common.to.UserTO@364b2379[
>>   memberships=[]
>>   status=<null>
>>   token=<null>
>>   tokenExpireTime=<null>
>>   username=<null>
>>   lastLoginDate=<null>
>>   changePwdDate=<null>
>>   failedLogins=<null>
>>   securityQuestion=<null>
>>   securityAnswer=<null>
>>   resources=[sarauth2]
>>   propagationStatusTOs=[]
>>   id=0
>>   derAttrs=[]
>>   virAttrs=[]
>>   attrs=[org.apache.syncope.common.to.AttributeTO@7f05f8c7[
>>   schema=nombre
>>   values=[Daniel]
>>   readonly=false
>> ], org.apache.syncope.common.to.AttributeTO@611011f7[
>>   schema=usrnum
>>   values=[33]
>>   readonly=false
>> ], org.apache.syncope.common.to.AttributeTO@660ba0e9[
>>   schema=apellido
>>   values=[]
>>   readonly=false
>> ], org.apache.syncope.common.to.AttributeTO@5715556[
>>   schema=usrnum
>>   values=[33]
>>   readonly=false
>> ]]
>>   creator=<null>
>>   creationDate=<null>
>>   lastModifier=<null>
>>   lastChangeDate=<null>
>> ]
>> 12:19:31.303 ERROR
>> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
>> create USER 33
>> org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
>> SyncopeUser [Standard, InvalidUsername]
>>
>>
>>  Regards
>>
>> 2014-11-04 11:23 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:
>>
>>>  On 04/11/2014 14:16, Manfredo Hopp wrote:
>>>
>>> HI Francesco, our user database has account ids expressed in digits and
>>> the idea is having the same id in syncope, but it seems that digits are not
>>> accepted since an expression like [0-9]+ throws
>>>
>>>  19:45:50.464 ERROR
>>> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
>>> create USER 69
>>> org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
>>> SyncopeUser [Standard, InvalidUsername]
>>>         at
>>> org.apache.syncope.core.persistence.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:49)
>>> ~[EntityValidationListener.class:?]
>>>         at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
>>> ~[?:?]
>>>
>>>
>>>  Hi Manfredo,
>>> I cannot replicate this problem.
>>>
>>> In embedded mode from a fresh generated 1.2.1-SNAPSHOT project I have:
>>>
>>>  1. created an account policy "onlyDigits" with only option for pattern
>>> ([0-9]+)
>>>  2. created a role "roleForOnlyDigits" and set it with the account
>>> policy above
>>>  3. created a new user, assigned the roleForOnlyDigits role, set
>>> username to "test" - got validation error, as expected
>>>  4. changed username to "12345678" - create completed successfully
>>>
>>> This specific issue is also checked by
>>> org.apache.syncope.core.policy.AccountPolicyEnforcerTest#testExplicitPattern
>>> - see [2].
>>>
>>> Regards.
>>>
>>>  2014-11-04 3:29 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:
>>>
>>>> On 03/11/2014 23:03, Manfredo Hopp wrote:
>>>>
>>>>> Hello, I want to create accounts ids composed only by digits, and get
>>>>> InvaledUserName as result of
>>>>> EntityValidationListener.validate.
>>>>>
>>>>> My guess is that validation is controlled by AccountPolicies where I
>>>>> can see an entry for regular expressions, which is not documented,
>>>>>
>>>>> Entering a regular expression doesn't change anything, so what is that
>>>>> item for?
>>>>> And where can I control name ids?
>>>>>
>>>>
>>>> Hi,
>>>> you are right, the pattern option for account policies - introduced
>>>> with 1.2.0 - is not yet reported at [1].
>>>>
>>>> When you define a policy (account, password, sync) you also need to
>>>> configure for which users such policy is going to be applied: if created as
>>>> GLOBAL policy it will be applied to all users, otherwise you will need to
>>>> associate it to a role or a resource in order to make it effective (for
>>>> users owning that role or assigned to that resource, clearly).
>>>>
>>>> Additional information: when not specified, the pattern for user names
>>>> is "[a-zA-Z0-9-_@. ]+".
>>>>
>>>> Could you please provide more details of what you are doing?
>>>>
>>>> Regards.
>>>>
>>>> [1]
>>>> https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-AccountPolicies
>>>>
>>>   [2]
>>> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/test/java/org/apache/syncope/core/policy/AccountPolicyEnforcerTest.java;h=97b9d99a0ce1754d19ce49704ba8c6613326d1c0;hb=1_2_X#l87
>>>
>>      --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC
> http://people.apache.org/~ilgrosso/
>
>

Re: Pattern regular expressions for poliices

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 04/11/2014 17:16, Manfredo Hopp wrote:
> I made it work creating a mapping for username which seems to be 
> mandatory in order to create users,

Oh, nice idea! Where did you get it from? ;-)

> so why not include it as mandatory in the mapping screen, or with 
> default mapping value when I know that task is creating users!

To me it looks like a configuration error, instead.
Anyway, if you think this is an improvement, feel free to open an issue 
on JIRA and provide a patch.

Regards.

> 2014-11-04 12:53 GMT-03:00 Francesco Chicchiriccò <ilgrosso@apache.org>:
>
>     On 04/11/2014 16:23, Manfredo Hopp wrote:
>>     Thanks Francesco for prompt reply!
>>
>>     Ok for your testing, in my case the mentioned account policy is
>>     directly attached to resource used in a synchronization task where
>>     mapping of accountId is with __NAME__  (primary key of resource
>>     is Long)
>>     through a resource,  so maybe there is a difference in how
>>     accounts are created.
>
>     Manfredo,
>     when looking at the log below that says "username=<null>" I'd say
>     that the problem is the resource user mapping (or the user
>     template); the account policy says that username is not valid
>     because it is null.
>
>     HTH
>     Regards.
>
>
>>     12:19:31.067 DEBUG
>>     org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
>>     Process CREATE_OR_UPDATE for 33 as ObjectClass: __ACCOUNT__
>>     12:19:31.133 DEBUG
>>     org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
>>     Transformed: org.apache.syncope.common.to.UserTO@364b2379[
>>       memberships=[]
>>       status=<null>
>>       token=<null>
>>       tokenExpireTime=<null>
>>       username=<null>
>>       lastLoginDate=<null>
>>       changePwdDate=<null>
>>       failedLogins=<null>
>>       securityQuestion=<null>
>>       securityAnswer=<null>
>>       resources=[sarauth2]
>>       propagationStatusTOs=[]
>>       id=0
>>       derAttrs=[]
>>       virAttrs=[]
>>     attrs=[org.apache.syncope.common.to.AttributeTO@7f05f8c7[
>>       schema=nombre
>>       values=[Daniel]
>>       readonly=false
>>     ], org.apache.syncope.common.to.AttributeTO@611011f7[
>>       schema=usrnum
>>       values=[33]
>>       readonly=false
>>     ], org.apache.syncope.common.to.AttributeTO@660ba0e9[
>>       schema=apellido
>>       values=[]
>>       readonly=false
>>     ], org.apache.syncope.common.to.AttributeTO@5715556[
>>       schema=usrnum
>>       values=[33]
>>       readonly=false
>>     ]]
>>       creator=<null>
>>       creationDate=<null>
>>       lastModifier=<null>
>>       lastChangeDate=<null>
>>     ]
>>     12:19:31.303 ERROR
>>     org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
>>     Could not create USER 33
>>     org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
>>     SyncopeUser [Standard, InvalidUsername]
>>
>>
>>     Regards
>>
>>     2014-11-04 11:23 GMT-03:00 Francesco Chicchiriccò
>>     <ilgrosso@apache.org>:
>>
>>         On 04/11/2014 14:16, Manfredo Hopp wrote:
>>>         HI Francesco, our user database has account ids expressed in
>>>         digits and the idea is having the same id in syncope, but it
>>>         seems that digits are not accepted since an expression like
>>>         [0-9]+ throws
>>>
>>>         19:45:50.464 ERROR
>>>         org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler
>>>         - Could not create USER 69
>>>         org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
>>>         SyncopeUser [Standard, InvalidUsername]
>>>                 at
>>>         org.apache.syncope.core.persistence.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:49)
>>>         ~[EntityValidationListener.class:?]
>>>                 at
>>>         sun.reflect.GeneratedMethodAccessor156.invoke(Unknown
>>>         Source) ~[?:?]
>>
>>         Hi Manfredo,
>>         I cannot replicate this problem.
>>
>>         In embedded mode from a fresh generated 1.2.1-SNAPSHOT
>>         project I have:
>>
>>          1. created an account policy "onlyDigits" with only option
>>         for pattern ([0-9]+)
>>          2. created a role "roleForOnlyDigits" and set it with the
>>         account policy above
>>          3. created a new user, assigned the roleForOnlyDigits role,
>>         set username to "test" - got validation error, as expected
>>          4. changed username to "12345678" - create completed
>>         successfully
>>
>>         This specific issue is also checked by
>>         org.apache.syncope.core.policy.AccountPolicyEnforcerTest#testExplicitPattern
>>         - see [2].
>>
>>         Regards.
>>
>>>         2014-11-04 3:29 GMT-03:00 Francesco Chicchiriccò
>>>         <ilgrosso@apache.org>:
>>>
>>>             On 03/11/2014 23:03, Manfredo Hopp wrote:
>>>
>>>                 Hello, I want to create accounts ids composed only
>>>                 by digits, and get InvaledUserName as result of
>>>                 EntityValidationListener.validate.
>>>
>>>                 My guess is that validation is controlled by
>>>                 AccountPolicies where I can see an entry for regular
>>>                 expressions, which is not documented,
>>>
>>>                 Entering a regular expression doesn't change
>>>                 anything, so what is that item for?
>>>                 And where can I control name ids?
>>>
>>>
>>>             Hi,
>>>             you are right, the pattern option for account policies -
>>>             introduced with 1.2.0 - is not yet reported at [1].
>>>
>>>             When you define a policy (account, password, sync) you
>>>             also need to configure for which users such policy is
>>>             going to be applied: if created as GLOBAL policy it will
>>>             be applied to all users, otherwise you will need to
>>>             associate it to a role or a resource in order to make it
>>>             effective (for users owning that role or assigned to
>>>             that resource, clearly).
>>>
>>>             Additional information: when not specified, the pattern
>>>             for user names is "[a-zA-Z0-9-_@. ]+".
>>>
>>>             Could you please provide more details of what you are doing?
>>>
>>>             Regards.
>>>
>>>             [1]
>>>             https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-AccountPolicies
>>>
>>         [2]
>>         https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/test/java/org/apache/syncope/core/policy/AccountPolicyEnforcerTest.java;h=97b9d99a0ce1754d19ce49704ba8c6613326d1c0;hb=1_2_X#l87
>>
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/


Re: Pattern regular expressions for poliices

Posted by Manfredo Hopp <mh...@gmail.com>.
I made it work creating a mapping for username which seems to be mandatory
in order to create users, so why not include it as mandatory in the mapping
screen, or with default mapping value when I know that task is creating
users!

Regards

2014-11-04 12:53 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:

>  On 04/11/2014 16:23, Manfredo Hopp wrote:
>
> Thanks Francesco for prompt reply!
>
>  Ok for your testing, in my case the mentioned account policy is directly
> attached to resource used in a synchronization task where mapping of
> accountId is with __NAME__  (primary key of resource is Long)
> through a resource,  so maybe there is a difference in how accounts are
> created.
>
>
> Manfredo,
> when looking at the log below that says "username=<null>" I'd say that the
> problem is the resource user mapping (or the user template); the account
> policy says that username is not valid because it is null.
>
> HTH
> Regards.
>
>
>   12:19:31.067 DEBUG
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Process
> CREATE_OR_UPDATE for 33 as ObjectClass: __ACCOUNT__
> 12:19:31.133 DEBUG
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
> Transformed: org.apache.syncope.common.to.UserTO@364b2379[
>   memberships=[]
>   status=<null>
>   token=<null>
>   tokenExpireTime=<null>
>   username=<null>
>   lastLoginDate=<null>
>   changePwdDate=<null>
>   failedLogins=<null>
>   securityQuestion=<null>
>   securityAnswer=<null>
>   resources=[sarauth2]
>   propagationStatusTOs=[]
>   id=0
>   derAttrs=[]
>   virAttrs=[]
>   attrs=[org.apache.syncope.common.to.AttributeTO@7f05f8c7[
>   schema=nombre
>   values=[Daniel]
>   readonly=false
> ], org.apache.syncope.common.to.AttributeTO@611011f7[
>   schema=usrnum
>   values=[33]
>   readonly=false
> ], org.apache.syncope.common.to.AttributeTO@660ba0e9[
>   schema=apellido
>   values=[]
>   readonly=false
> ], org.apache.syncope.common.to.AttributeTO@5715556[
>   schema=usrnum
>   values=[33]
>   readonly=false
> ]]
>   creator=<null>
>   creationDate=<null>
>   lastModifier=<null>
>   lastChangeDate=<null>
> ]
> 12:19:31.303 ERROR
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
> create USER 33
> org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
> SyncopeUser [Standard, InvalidUsername]
>
>
>  Regards
>
> 2014-11-04 11:23 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:
>
>>  On 04/11/2014 14:16, Manfredo Hopp wrote:
>>
>> HI Francesco, our user database has account ids expressed in digits and
>> the idea is having the same id in syncope, but it seems that digits are not
>> accepted since an expression like [0-9]+ throws
>>
>>  19:45:50.464 ERROR
>> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
>> create USER 69
>> org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
>> SyncopeUser [Standard, InvalidUsername]
>>         at
>> org.apache.syncope.core.persistence.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:49)
>> ~[EntityValidationListener.class:?]
>>         at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
>> ~[?:?]
>>
>>
>>  Hi Manfredo,
>> I cannot replicate this problem.
>>
>> In embedded mode from a fresh generated 1.2.1-SNAPSHOT project I have:
>>
>>  1. created an account policy "onlyDigits" with only option for pattern
>> ([0-9]+)
>>  2. created a role "roleForOnlyDigits" and set it with the account policy
>> above
>>  3. created a new user, assigned the roleForOnlyDigits role, set username
>> to "test" - got validation error, as expected
>>  4. changed username to "12345678" - create completed successfully
>>
>> This specific issue is also checked by
>> org.apache.syncope.core.policy.AccountPolicyEnforcerTest#testExplicitPattern
>> - see [2].
>>
>> Regards.
>>
>>  2014-11-04 3:29 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:
>>
>>> On 03/11/2014 23:03, Manfredo Hopp wrote:
>>>
>>>> Hello, I want to create accounts ids composed only by digits, and get
>>>> InvaledUserName as result of
>>>> EntityValidationListener.validate.
>>>>
>>>> My guess is that validation is controlled by AccountPolicies where I
>>>> can see an entry for regular expressions, which is not documented,
>>>>
>>>> Entering a regular expression doesn't change anything, so what is that
>>>> item for?
>>>> And where can I control name ids?
>>>>
>>>
>>> Hi,
>>> you are right, the pattern option for account policies - introduced with
>>> 1.2.0 - is not yet reported at [1].
>>>
>>> When you define a policy (account, password, sync) you also need to
>>> configure for which users such policy is going to be applied: if created as
>>> GLOBAL policy it will be applied to all users, otherwise you will need to
>>> associate it to a role or a resource in order to make it effective (for
>>> users owning that role or assigned to that resource, clearly).
>>>
>>> Additional information: when not specified, the pattern for user names
>>> is "[a-zA-Z0-9-_@. ]+".
>>>
>>> Could you please provide more details of what you are doing?
>>>
>>> Regards.
>>>
>>> [1]
>>> https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-AccountPolicies
>>>
>>   [2]
>> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/test/java/org/apache/syncope/core/policy/AccountPolicyEnforcerTest.java;h=97b9d99a0ce1754d19ce49704ba8c6613326d1c0;hb=1_2_X#l87
>>
>   --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC
> http://people.apache.org/~ilgrosso/
>
>

Re: Pattern regular expressions for poliices

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 04/11/2014 16:23, Manfredo Hopp wrote:
> Thanks Francesco for prompt reply!
>
> Ok for your testing, in my case the mentioned account policy is 
> directly attached to resource used in a synchronization task where
> mapping of accountId is with __NAME__  (primary key of resource is Long)
> through a resource,  so maybe there is a difference in how accounts 
> are created.

Manfredo,
when looking at the log below that says "username=<null>" I'd say that 
the problem is the resource user mapping (or the user template); the 
account policy says that username is not valid because it is null.

HTH
Regards.

> 12:19:31.067 DEBUG 
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - 
> Process CREATE_OR_UPDATE for 33 as ObjectClass: __ACCOUNT__
> 12:19:31.133 DEBUG 
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - 
> Transformed: org.apache.syncope.common.to.UserTO@364b2379[
>   memberships=[]
>   status=<null>
>   token=<null>
>   tokenExpireTime=<null>
>   username=<null>
>   lastLoginDate=<null>
>   changePwdDate=<null>
>   failedLogins=<null>
>   securityQuestion=<null>
>   securityAnswer=<null>
>   resources=[sarauth2]
>   propagationStatusTOs=[]
>   id=0
>   derAttrs=[]
>   virAttrs=[]
> attrs=[org.apache.syncope.common.to.AttributeTO@7f05f8c7[
>   schema=nombre
>   values=[Daniel]
>   readonly=false
> ], org.apache.syncope.common.to.AttributeTO@611011f7[
>   schema=usrnum
>   values=[33]
>   readonly=false
> ], org.apache.syncope.common.to.AttributeTO@660ba0e9[
>   schema=apellido
>   values=[]
>   readonly=false
> ], org.apache.syncope.common.to.AttributeTO@5715556[
>   schema=usrnum
>   values=[33]
>   readonly=false
> ]]
>   creator=<null>
>   creationDate=<null>
>   lastModifier=<null>
>   lastChangeDate=<null>
> ]
> 12:19:31.303 ERROR 
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could 
> not create USER 33
> org.apache.syncope.core.persistence.validation.entity.InvalidEntityException: 
> SyncopeUser [Standard, InvalidUsername]
>
>
> Regards
>
> 2014-11-04 11:23 GMT-03:00 Francesco Chicchiriccò <ilgrosso@apache.org>:
>
>     On 04/11/2014 14:16, Manfredo Hopp wrote:
>>     HI Francesco, our user database has account ids expressed in
>>     digits and the idea is having the same id in syncope, but it
>>     seems that digits are not accepted since an expression like
>>     [0-9]+ throws
>>
>>     19:45:50.464 ERROR
>>     org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
>>     Could not create USER 69
>>     org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
>>     SyncopeUser [Standard, InvalidUsername]
>>             at
>>     org.apache.syncope.core.persistence.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:49)
>>     ~[EntityValidationListener.class:?]
>>             at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown
>>     Source) ~[?:?]
>
>     Hi Manfredo,
>     I cannot replicate this problem.
>
>     In embedded mode from a fresh generated 1.2.1-SNAPSHOT project I have:
>
>      1. created an account policy "onlyDigits" with only option for
>     pattern ([0-9]+)
>      2. created a role "roleForOnlyDigits" and set it with the account
>     policy above
>      3. created a new user, assigned the roleForOnlyDigits role, set
>     username to "test" - got validation error, as expected
>      4. changed username to "12345678" - create completed successfully
>
>     This specific issue is also checked by
>     org.apache.syncope.core.policy.AccountPolicyEnforcerTest#testExplicitPattern
>     - see [2].
>
>     Regards.
>
>>     2014-11-04 3:29 GMT-03:00 Francesco Chicchiriccò
>>     <ilgrosso@apache.org>:
>>
>>         On 03/11/2014 23:03, Manfredo Hopp wrote:
>>
>>             Hello, I want to create accounts ids composed only by
>>             digits, and get InvaledUserName as result of
>>             EntityValidationListener.validate.
>>
>>             My guess is that validation is controlled by
>>             AccountPolicies where I can see an entry for regular
>>             expressions, which is not documented,
>>
>>             Entering a regular expression doesn't change anything, so
>>             what is that item for?
>>             And where can I control name ids?
>>
>>
>>         Hi,
>>         you are right, the pattern option for account policies -
>>         introduced with 1.2.0 - is not yet reported at [1].
>>
>>         When you define a policy (account, password, sync) you also
>>         need to configure for which users such policy is going to be
>>         applied: if created as GLOBAL policy it will be applied to
>>         all users, otherwise you will need to associate it to a role
>>         or a resource in order to make it effective (for users owning
>>         that role or assigned to that resource, clearly).
>>
>>         Additional information: when not specified, the pattern for
>>         user names is "[a-zA-Z0-9-_@. ]+".
>>
>>         Could you please provide more details of what you are doing?
>>
>>         Regards.
>>
>>         [1]
>>         https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-AccountPolicies
>>
>     [2]
>     https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/test/java/org/apache/syncope/core/policy/AccountPolicyEnforcerTest.java;h=97b9d99a0ce1754d19ce49704ba8c6613326d1c0;hb=1_2_X#l87
>
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
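
The diagnosis in the reply above (InvalidUsername raised because username is null, not because the pattern refuses digits) can be checked mechanically against a sync log. The Python script below is an added example, not part of the original thread or of Syncope: the sample log is constructed on the model of the excerpt above (records 70 and 71 are invented), and whole-string matching of the policy pattern is an assumption.

```python
import re

# Default user-name pattern quoted in the thread; used when a policy sets none.
DEFAULT_USERNAME_PATTERN = r"[a-zA-Z0-9-_@. ]+"

# \s+ between tokens tolerates the hard line wraps seen in the mailed log.
TRANSFORMED = re.compile(
    r"Transformed:\s+\S*UserTO@[0-9a-f]+\[(?P<body>.*?)\n[ \t]*\][ \t]*(?=\n|$)",
    re.S)
FAILED = re.compile(
    r"Could\s+not\s+create\s+USER\s+(?P<key>\S+)\s+\S*InvalidEntityException:"
    r"\s+SyncopeUser\s+\[(?P<violations>[^\]]*)\]")
USERNAME = re.compile(r"^[ \t]*username=(?P<value>.*?)[ \t]*$", re.M)
ATTR = re.compile(r"schema=(?P<schema>\S+)\s+values=\[(?P<values>[^\]]*)\]")

# Constructed sample: record 33 is trimmed from the excerpt in the thread,
# records 70 and 71 are invented for the example.
SAMPLE_LOG = """\
12:19:31.133 DEBUG
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
Transformed: org.apache.syncope.common.to.UserTO@364b2379[
  username=<null>
  attrs=[org.apache.syncope.common.to.AttributeTO@7f05f8c7[
  schema=nombre
  values=[Daniel]
  readonly=false
], org.apache.syncope.common.to.AttributeTO@611011f7[
  schema=usrnum
  values=[33]
  readonly=false
]]
]
12:19:31.303 ERROR
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
create USER 33
org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
SyncopeUser [Standard, InvalidUsername]
12:19:32.010 DEBUG
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
Transformed: org.apache.syncope.common.to.UserTO@1a2b3c4d[
  username=test
  attrs=[org.apache.syncope.common.to.AttributeTO@5e6f7a8b[
  schema=usrnum
  values=[70]
  readonly=false
]]
]
12:19:32.120 ERROR
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
create USER 70
org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
SyncopeUser [Standard, InvalidUsername]
12:19:33.000 DEBUG
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
Transformed: org.apache.syncope.common.to.UserTO@0badc0de[
  username=12345678
  attrs=[]
]
"""


def triage(log_text, policy_pattern=None):
    """Explain each InvalidUsername failure using the UserTO dumped before it."""
    # Assumption: the policy pattern must match the whole user name.
    pattern = re.compile(policy_pattern or DEFAULT_USERNAME_PATTERN)
    events = [(m.start(), "user", m) for m in TRANSFORMED.finditer(log_text)]
    events += [(m.start(), "fail", m) for m in FAILED.finditer(log_text)]
    findings, body = [], None
    for _, kind, m in sorted(events, key=lambda e: e[0]):
        if kind == "user":
            body = m.group("body")
            continue
        if body is None or "InvalidUsername" not in m.group("violations"):
            body = None
            continue
        field = USERNAME.search(body)
        raw = field.group("value") if field else "<null>"
        username = None if raw == "<null>" else raw  # the dump prints null as <null>
        if username is None:
            cause = "username-not-mapped"   # mapping or template left it empty
        elif not pattern.fullmatch(username):
            cause = "pattern-rejected"      # the policy really refused the value
        else:
            cause = "other-rule"            # value fits the pattern; look elsewhere
        # Synchronized attributes whose value would satisfy the policy pattern.
        candidates = sorted({a.group("schema") for a in ATTR.finditer(body)
                             if pattern.fullmatch(a.group("values"))})
        findings.append({"key": m.group("key"), "username": username,
                         "cause": cause, "candidates": candidates})
        body = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, policy_pattern="[0-9]+"):
        print(finding)
```

With the "onlyDigits" pattern, record 33 is reported as username-not-mapped with usrnum as the only attribute that would satisfy the policy, while record 70 is a genuine pattern rejection.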


Re: Pattern regular expressions for poliices

Posted by Manfredo Hopp <mh...@gmail.com>.
Thanks Francesco for prompt reply!

Ok for your testing, in my case the mentioned account policy is directly
attached to resource used in a synchronization task where mapping of
accountId is with __NAME__  (primary key of resource is Long)
through a resource,  so maybe there is a difference in how accounts are
created.

12:19:31.067 DEBUG
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Process
CREATE_OR_UPDATE for 33 as ObjectClass: __ACCOUNT__
12:19:31.133 DEBUG
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler -
Transformed: org.apache.syncope.common.to.UserTO@364b2379[
  memberships=[]
  status=<null>
  token=<null>
  tokenExpireTime=<null>
  username=<null>
  lastLoginDate=<null>
  changePwdDate=<null>
  failedLogins=<null>
  securityQuestion=<null>
  securityAnswer=<null>
  resources=[sarauth2]
  propagationStatusTOs=[]
  id=0
  derAttrs=[]
  virAttrs=[]
  attrs=[org.apache.syncope.common.to.AttributeTO@7f05f8c7[
  schema=nombre
  values=[Daniel]
  readonly=false
], org.apache.syncope.common.to.AttributeTO@611011f7[
  schema=usrnum
  values=[33]
  readonly=false
], org.apache.syncope.common.to.AttributeTO@660ba0e9[
  schema=apellido
  values=[]
  readonly=false
], org.apache.syncope.common.to.AttributeTO@5715556[
  schema=usrnum
  values=[33]
  readonly=false
]]
  creator=<null>
  creationDate=<null>
  lastModifier=<null>
  lastChangeDate=<null>
]
12:19:31.303 ERROR
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
create USER 33
org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
SyncopeUser [Standard, InvalidUsername]


Regards

2014-11-04 11:23 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:

>  On 04/11/2014 14:16, Manfredo Hopp wrote:
>
> HI Francesco, our user database has account ids expressed in digits and
> the idea is having the same id in syncope, but it seems that digits are not
> accepted since an expression like [0-9]+ throws
>
>  19:45:50.464 ERROR
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
> create USER 69
> org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
> SyncopeUser [Standard, InvalidUsername]
>         at
> org.apache.syncope.core.persistence.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:49)
> ~[EntityValidationListener.class:?]
>         at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
> ~[?:?]
>
>
> Hi Manfredo,
> I cannot replicate this problem.
>
> In embedded mode from a fresh generated 1.2.1-SNAPSHOT project I have:
>
>  1. created an account policy "onlyDigits" with only option for pattern
> ([0-9]+)
>  2. created a role "roleForOnlyDigits" and set it with the account policy
> above
>  3. created a new user, assigned the roleForOnlyDigits role, set username
> to "test" - got validation error, as expected
>  4. changed username to "12345678" - create completed successfully
>
> This specific issue is also checked by
> org.apache.syncope.core.policy.AccountPolicyEnforcerTest#testExplicitPattern
> - see [2].
>
> Regards.
>
>  2014-11-04 3:29 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:
>
>> On 03/11/2014 23:03, Manfredo Hopp wrote:
>>
>>> Hello, I want to create accounts ids composed only by digits, and get
>>> InvaledUserName as result of
>>> EntityValidationListener.validate.
>>>
>>> My guess is that validation is controlled by AccountPolicies where I can
>>> see an entry for regular expressions, which is not documented,
>>>
>>> Entering a regular expression doesn't change anything, so what is that
>>> item for?
>>> And where can I control name ids?
>>>
>>
>> Hi,
>> you are right, the pattern option for account policies - introduced with
>> 1.2.0 - is not yet reported at [1].
>>
>> When you define a policy (account, password, sync) you also need to
>> configure for which users such policy is going to be applied: if created as
>> GLOBAL policy it will be applied to all users, otherwise you will need to
>> associate it to a role or a resource in order to make it effective (for
>> users owning that role or assigned to that resource, clearly).
>>
>> Additional information: when not specified, the pattern for user names
>> is "[a-zA-Z0-9-_@. ]+".
>>
>> Could you please provide more details of what you are doing?
>>
>> Regards.
>>
>> [1]
>> https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-AccountPolicies
>>
>  [2]
> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/test/java/org/apache/syncope/core/policy/AccountPolicyEnforcerTest.java;h=97b9d99a0ce1754d19ce49704ba8c6613326d1c0;hb=1_2_X#l87
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC
> http://people.apache.org/~ilgrosso/
>
>

Re: Pattern regular expressions for poliices

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 04/11/2014 14:16, Manfredo Hopp wrote:
> Hi Francesco, our user database has account ids expressed in digits 
> and the idea is having the same id in Syncope, but it seems that 
> digits are not accepted since an expression like [0-9]+ throws
>
> 19:45:50.464 ERROR 
> org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could 
> not create USER 69
> org.apache.syncope.core.persistence.validation.entity.InvalidEntityException: 
> SyncopeUser [Standard, InvalidUsername]
>         at 
> org.apache.syncope.core.persistence.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:49) 
> ~[EntityValidationListener.class:?]
>         at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown 
> Source) ~[?:?]

Hi Manfredo,
I cannot replicate this problem.

In embedded mode from a fresh generated 1.2.1-SNAPSHOT project I have:

  1. created an account policy "onlyDigits" with only option for pattern 
([0-9]+)
  2. created a role "roleForOnlyDigits" and set it with the account 
policy above
  3. created a new user, assigned the roleForOnlyDigits role, set 
username to "test" - got validation error, as expected
  4. changed username to "12345678" - create completed successfully

This specific issue is also checked by 
org.apache.syncope.core.policy.AccountPolicyEnforcerTest#testExplicitPattern 
- see [2].

Regards.

> 2014-11-04 3:29 GMT-03:00 Francesco Chicchiriccò <ilgrosso@apache.org>:
>
>     On 03/11/2014 23:03, Manfredo Hopp wrote:
>
>         Hello, I want to create accounts ids composed only by digits,
>         and get InvaledUserName as result of
>         EntityValidationListener.validate.
>
>         My guess is that validation is controlled by AccountPolicies
>         where I can see an entry for regular expressions, which is not
>         documented,
>
>         Entering a regular expression doesn't change anything, so what
>         is that item for?
>         And where can I control name ids?
>
>
>     Hi,
>     you are right, the pattern option for account policies -
>     introduced with 1.2.0 - is not yet reported at [1].
>
>     When you define a policy (account, password, sync) you also need
>     to configure for which users such policy is going to be applied:
>     if created as GLOBAL policy it will be applied to all users,
>     otherwise you will need to associate it to a role or a resource in
>     order to make it effective (for users owning that role or assigned
>     to that resource, clearly).
>
>     Additional information: when not specified, the pattern for user
>     names is "[a-zA-Z0-9-_@. ]+".
>
>     Could you please provide more details of what you are doing?
>
>     Regards.
>
>     [1]
>     https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-AccountPolicies
>
[2] 
https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/test/java/org/apache/syncope/core/policy/AccountPolicyEnforcerTest.java;h=97b9d99a0ce1754d19ce49704ba8c6613326d1c0;hb=1_2_X#l87

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
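
Added example, not part of the message above and not Syncope's own code: a small Java model of the four steps in that reply, showing a pattern that takes effect only for users owning the role the policy is bound to, and the default pattern applying otherwise. All class and method names are hypothetical, and the rule that a user name must match every pattern in effect is an assumption of this model (Java 16+ for records).

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Simplified model; class and method names are hypothetical, not Syncope's API.
public class AccountPolicyPatternDemo {
    // Default user name pattern quoted in the thread.
    static final String DEFAULT_PATTERN = "[a-zA-Z0-9-_@. ]+";

    // Optional pattern, plus either GLOBAL scope or a binding to one role
    // (resource bindings are left out of this model).
    record AccountPolicy(String name, String pattern, boolean global, String role) {}

    // Policies in effect: GLOBAL ones plus those bound to a role the user owns.
    static List<AccountPolicy> effective(List<AccountPolicy> all, Set<String> roles) {
        return all.stream()
                .filter(p -> p.global() || (p.role() != null && roles.contains(p.role())))
                .toList();
    }

    // Assumption: the whole user name must match every pattern in effect; with
    // no policy in effect, or a policy without a pattern, the default applies.
    static boolean validUsername(String name, List<AccountPolicy> all, Set<String> roles) {
        List<AccountPolicy> policies = effective(all, roles);
        if (policies.isEmpty()) {
            return Pattern.matches(DEFAULT_PATTERN, name);
        }
        return policies.stream().allMatch(p -> Pattern.matches(
                p.pattern() == null ? DEFAULT_PATTERN : p.pattern(), name));
    }

    static void check(boolean condition, String what) {
        if (!condition) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        List<AccountPolicy> all = List.of(
                new AccountPolicy("onlyDigits", "[0-9]+", false, "roleForOnlyDigits"));
        Set<String> withRole = Set.of("roleForOnlyDigits");
        check(!validUsername("test", all, withRole), "step 3: rejected");
        check(validUsername("12345678", all, withRole), "step 4: accepted");
        check(!validUsername("1234 5678", all, withRole), "partial match is not enough");
        check(validUsername("test", all, Set.of()), "without the role, default applies");
        System.out.println("all checks passed");
    }
}
```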


Re: Pattern regular expressions for poliices

Posted by Manfredo Hopp <mh...@gmail.com>.
Hi Francesco, our user database has account ids expressed in digits and the
idea is having the same id in Syncope, but it seems that digits are not
accepted since an expression like [0-9]+ throws

19:45:50.464 ERROR
org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler - Could not
create USER 69
org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
SyncopeUser [Standard, InvalidUsername]
        at
org.apache.syncope.core.persistence.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:49)
~[EntityValidationListener.class:?]
        at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
~[?:?]


Thanks Manfredo

2014-11-04 3:29 GMT-03:00 Francesco Chicchiriccò <il...@apache.org>:

> On 03/11/2014 23:03, Manfredo Hopp wrote:
>
>> Hello, I want to create accounts ids composed only by digits, and get
>> InvaledUserName as result of
>> EntityValidationListener.validate.
>>
>> My guess is that validation is controlled by AccountPolicies where I can
>> see an entry for regular expressions, which is not documented,
>>
>> Entering a regular expression doesn't change anything, so what is that
>> item for?
>> And where can I control name ids?
>>
>
> Hi,
> you are right, the pattern option for account policies - introduced with
> 1.2.0 - is not yet reported at [1].
>
> When you define a policy (account, password, sync) you also need to
> configure for which users such policy is going to be applied: if created as
> GLOBAL policy it will be applied to all users, otherwise you will need to
> associate it to a role or a resource in order to make it effective (for
> users owning that role or assigned to that resource, clearly).
>
> Additional information: when not specified, the pattern for user names is
> "[a-zA-Z0-9-_@. ]+".
>
> Could you please provide more details of what you are doing?
>
> Regards.
>
> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-AccountPolicies
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC
> http://people.apache.org/~ilgrosso/
>
>
>