Posted to user@syncope.apache.org by "Li,Xiaodong" <oy...@gmail.com> on 2016/02/10 00:46:30 UTC

Can not propagate DELETE operation to LDAP

I set up ApacheDS LDAP with Syncope according to this article:
http://blog.tirasa.net/unlock-full-ldap-features-in.html

The ApacheDS version is 2.0.0-16M, and I built Syncope as my own project with
version 1.2.7.
I changed the core project's persistence.properties to use MySQL as internal
storage.

I can create new users and roles in Syncope and they are propagated into
LDAP correctly. I think the connector and resource configurations are
right.

But when I change the user info and delete the user, it is not propagated into
LDAP.

I can see the delete user operation in the task tab -> propagation task, but
it was not executed; even when I click the Execute button, nothing happens.

I checked the user profile.

The internal resource accountLink is right, but why does the LDAP accountLink
have a red exclamation mark?

Has anyone had this problem?


Resource    AccountLink    Status
syncope     testuser       [image: active icon]
LDAP                       [image: notfound icon]

Re: Can not propagate DELETE operation to LDAP

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 11/02/2016 01:58, Li,Xiaodong wrote:
> I changed the Uid Attribute to 'cn', but it still does not work for sync
> with Roles.
>
> My role groups' base DN is cn={0},ou=groups,dc=test,dc=com
> My users' base DN is uid={0},ou=users,dc=test,dc=com
>
> Should I create two connectors to sync both of them?

This is not necessary, see below.

> I found the same issue in the discussion here:
> http://syncope-user.1051894.n5.nabble.com/ConnId-LDAP-searches-for-uid-in-groupOfUniqueNames-td5707398.html

This very old thread refers to Syncope 1.1.X; things have changed quite a lot now.

> Any solution?

Since, as said below, you're using Apache DS, and since Syncope is using
exactly that for integration tests where users and roles synchronization
is working fine, I would suggest separately downloading and starting the
standalone distribution for 1.2.7 as reported in

https://cwiki.apache.org/confluence/display/SYNCOPE/Run+Syncope+standalone+distribution

then start comparing your current LDAP connector and resource 
configurations with the ones available in that, which you can take as 
reference.

HTH
Regards.

> On Tue, Feb 9, 2016 at 10:43 PM, Francesco Chicchiriccò
> <ilgrosso@apache.org> wrote:
>
>     Hi,
>
>     please be sure to have
>
>     "Uid Attribute" set to "cn"
>
>     in your LDAP configuration, as suggested by the blog post reported
>     below.
>
>
>     HTH
>
>     Regards.
>
>     On 2016-02-10 02:10 Li,Xiaodong wrote:
>
>>     Append:
>>     I found the problem, I search the log file on DEBUG information.
>>     I use 'uid' as users attribute, so I have to configure Uid
>>     Attribute = uid in Connector.
>>
>>
>>     Now, I have new problem which can not  DELETE Role. I got the
>>     DEBUG log below, I think I know which the problem, the syncope
>>     search the group by 'uid', but My groups name identified by 'cn',
>>     that's why syncope can not find the group. Any one can tell me
>>     where to change the group search by 'cn' instead of 'uid'.
>>
>>     Searching in [ou=users,dc=test,dc=com, ou=groups,dc=test,dc=com]
>>     with filter
>>     (&(&(objectClass=top)(objectClass=groupOfUniqueNames))(uid=ADMIN))
>>
>>     01:01:02.080 DEBUG Enter: getObject(ObjectClass: __GROUP__,
>>     Attribute: {Name=__UID__, Value=[ADMIN]}, OperationOptions:
>>     {ATTRS_TO_GET:[cn,__UID__,__NAME__,__ENABLE__]}) Method: getObject
>>
>>     01:01:02.083 DEBUG Enter: executeQuery(ObjectClass: __GROUP__,
>>     LdapFilter[nativeFilter: (uid=ADMIN); entryDN: null],
>>     org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@76616ae4,
>>     OperationOptions:
>>     {ATTRS_TO_GET:[cn,__UID__,__NAME__,__ENABLE__]}) Method: executeQuery
>>
>>     01:01:02.083 WARN  Attribute __ENABLE__ of object class __GROUP__
>>     is not mapped to an LDAP attribute Method: getLdapAttribute
>>
>>     01:01:02.084 DEBUG Searching in [ou=users,dc=test,dc=com,
>>     ou=groups,dc=test,dc=com] with filter
>>     (&(&(objectClass=top)(objectClass=groupOfUniqueNames))(uid=ADMIN)) and
>>     SearchControls: {returningAttributes=[cn, uid],
>>     scope=SUBTREE} Method: doSearch
>>
>>     01:01:02.088 DEBUG Return Method: executeQuery
>>
>>     01:01:02.088 DEBUG Return: null Method: getObject
>>
>>
>>     On Tue, Feb 9, 2016 at 3:46 PM, Li,Xiaodong <oyeahot@gmail.com> wrote:
>>
>>         I set up ApacheDS LDAP with Syncope according to this Article.
>>         http://blog.tirasa.net/unlock-full-ldap-features-in.html
>>         The Apache DS version is 2.0.0-16M and built Syncope as my
>>         own project with version 1.2.7.
>>         I changed the core project persistence.properties to use
>>         MYSQL as internal storage.
>>         I can create new users and roles in syncope and they were
>>         propagated into LDAP correctly. I think the connector and
>>         resources configurations are right.
>>         But when I change the user info and delete user, it won't
>>         propagate into LDAP.
>>         I can see the delete user operation in task  tab ->
>>         propagation task, but it was not executed even if I click the
>>         Execute button, nothing happened.
>>         I checked the user profile,
>>         The internal resource accountlink is right, but why LDAP
>>         accountLink has red exclamation.
>>         Anyone has this problem?
>>         Resource
>>         AccountLink
>>         Status
>>         syncope testuser active icon
>>         LDAP
>>         notfound icon
>>
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
http://home.apache.org/~ilgrosso/


Re: Can not propagate DELETE operation to LDAP

Posted by "Li,Xiaodong" <oy...@gmail.com>.
I changed the Uid Attribute to 'cn', but it still does not work for sync with Roles.

My role groups' base DN is cn={0},ou=groups,dc=test,dc=com
My users' base DN is uid={0},ou=users,dc=test,dc=com

Should I create two connectors to sync both of them?

I found the same issue in the discussion here:
http://syncope-user.1051894.n5.nabble.com/ConnId-LDAP-searches-for-uid-in-groupOfUniqueNames-td5707398.html

Any solution?

On Tue, Feb 9, 2016 at 10:43 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

> Hi,
>
> please be sure to have
>
> "Uid Attribute" set to "cn"
>
> in your LDAP configuration, as suggested by the blog post reported below.
>
>
> HTH
>
> Regards.
>
> On 2016-02-10 02:10 Li,Xiaodong wrote:
>
> Append:
>
> I found the problem, I search the log file on DEBUG information.
> I use 'uid' as users attribute, so I have to configure Uid Attribute = uid
> in Connector.
>
>
> Now, I have new problem which can not  DELETE Role. I got the DEBUG log
> below, I think I know which the problem, the syncope search the group by
> 'uid', but My groups name identified by 'cn', that's why syncope can not
> find the group. Any one can tell me where to change the group search by
> 'cn' instead of 'uid'.
>
> Searching in [ou=users,dc=test,dc=com, ou=groups,dc=test,dc=com] with
> filter (&(&(objectClass=top)(objectClass=groupOfUniqueNames))(uid=ADMIN))
>
>
>
> 01:01:02.080 DEBUG Enter: getObject(ObjectClass: __GROUP__, Attribute:
> {Name=__UID__, Value=[ADMIN]}, OperationOptions:
> {ATTRS_TO_GET:[cn,__UID__,__NAME__,__ENABLE__]}) Method: getObject
>
> 01:01:02.083 DEBUG Enter: executeQuery(ObjectClass: __GROUP__,
> LdapFilter[nativeFilter: (uid=ADMIN); entryDN: null],
> org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@76616ae4,
> OperationOptions: {ATTRS_TO_GET:[cn,__UID__,__NAME__,__ENABLE__]}) Method:
> executeQuery
>
> 01:01:02.083 WARN  Attribute __ENABLE__ of object class __GROUP__ is not
> mapped to an LDAP attribute Method: getLdapAttribute
>
> 01:01:02.084 DEBUG Searching in [ou=users,dc=test,dc=com,
> ou=groups,dc=test,dc=com] with filter
> (&(&(objectClass=top)(objectClass=groupOfUniqueNames))(uid=ADMIN)) and
> SearchControls: {returningAttributes=[cn, uid], scope=SUBTREE} Method:
> doSearch
>
> 01:01:02.088 DEBUG Return Method: executeQuery
>
> 01:01:02.088 DEBUG Return: null Method: getObject
>
> On Tue, Feb 9, 2016 at 3:46 PM, Li,Xiaodong <oy...@gmail.com> wrote:
>
>> I set up ApacheDS LDAP with Syncope according to this Article.
>> http://blog.tirasa.net/unlock-full-ldap-features-in.html
>>
>> The Apache DS version is 2.0.0-16M and built Syncope as my own project
>> with version 1.2.7.
>> I changed the core project persistence.properties to use MYSQL as
>> internal storage.
>>
>> I can create new users and roles in syncope and they were propagated into
>> LDAP correctly. I think the connector and resources configurations are
>> right.
>>
>> But when I change the user info and delete user, it won't propagate into
>> LDAP.
>>
>> I can see the delete user operation in task  tab -> propagation task, but
>> it was not executed even if I click the Execute button, nothing happened.
>>
>> I checked the user profile,
>>
>> The internal resource accountlink is right, but why LDAP accountLink has
>> red exclamation.
>>
>> Anyone has this problem?
>>
>>
>> Resource
>> AccountLink
>> Status
>>
>> syncope                                   testuser    [image: active
>> icon]
>> LDAP
>>
>> [image: notfound icon]
>>
>>
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF Committer
> http://home.apache.org/~ilgrosso/
>

Re: Can not propagate DELETE operation to LDAP

Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi, 

please be sure to have 

"Uid Attribute" set to "cn" 

in your LDAP configuration, as suggested by the blog post reported
below. 

HTH 

Regards. 

On 2016-02-10 02:10 Li,Xiaodong wrote:

> Append: 
> 
> I found the problem, I search the log file on DEBUG information.  
> I use 'uid' as users attribute, so I have to configure Uid Attribute = uid in Connector. 
> 
> Now, I have new problem which can not  DELETE Role. I got the DEBUG log below, I think I know which the problem, the syncope search the group by 'uid', but My groups name identified by 'cn', that's why syncope can not find the group. Any one can tell me where to change the group search by 'cn' instead of 'uid'.
> 
> Searching in [ou=users,dc=test,dc=com, ou=groups,dc=test,dc=com] with filter (&(&(objectClass=top)(objectClass=groupOfUniqueNames))(uid=ADMIN)) 
> 
> 01:01:02.080 DEBUG Enter: getObject(ObjectClass: __GROUP__, Attribute: {Name=__UID__, Value=[ADMIN]}, OperationOptions: {ATTRS_TO_GET:[cn,__UID__,__NAME__,__ENABLE__]}) Method: getObject 
> 
> 01:01:02.083 DEBUG Enter: executeQuery(ObjectClass: __GROUP__, LdapFilter[nativeFilter: (uid=ADMIN); entryDN: null], org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@76616ae4, OperationOptions: {ATTRS_TO_GET:[cn,__UID__,__NAME__,__ENABLE__]}) Method: executeQuery 
> 
> 01:01:02.083 WARN  Attribute __ENABLE__ of object class __GROUP__ is not mapped to an LDAP attribute Method: getLdapAttribute 
> 
> 01:01:02.084 DEBUG Searching in [ou=users,dc=test,dc=com, ou=groups,dc=test,dc=com] with filter (&(&(objectClass=top)(objectClass=groupOfUniqueNames))(uid=ADMIN)) and SearchControls: {returningAttributes=[cn, uid], scope=SUBTREE} Method: doSearch 
> 
> 01:01:02.088 DEBUG Return Method: executeQuery 
> 
> 01:01:02.088 DEBUG Return: null Method: getObject 
> 
> On Tue, Feb 9, 2016 at 3:46 PM, Li,Xiaodong <oy...@gmail.com> wrote:
> 
>> I set up ApacheDS LDAP with Syncope according to this Article. 
>> http://blog.tirasa.net/unlock-full-ldap-features-in.html 
>> 
>> The Apache DS version is 2.0.0-16M and built Syncope as my own project with version 1.2.7. 
>> I changed the core project persistence.properties to use MYSQL as internal storage. 
>> 
>> I can create new users and roles in syncope and they were propagated into LDAP correctly. I think the connector and resources configurations are right. 
>> 
>> But when I change the user info and delete user, it won't propagate into LDAP. 
>> 
>> I can see the delete user operation in task  tab -> propagation task, but it was not executed even if I click the Execute button, nothing happened. 
>> 
>> I checked the user profile,  
>> 
>> The internal resource accountlink is right, but why LDAP accountLink has red exclamation. 
>> 
>> Anyone has this problem? 
>> 
>> Resource 
>> AccountLink 
>> Status 
>> 
>> syncope                                   testuser     
>> 
>> LDAP

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF Committer
http://home.apache.org/~ilgrosso/

Re: Can not propagate DELETE operation to LDAP

Posted by "Li,Xiaodong" <oy...@gmail.com>.
Append:

I found the problem; I searched the log file for DEBUG information.
I use 'uid' as the users' attribute, so I have to configure Uid Attribute = uid
in the Connector.


Now I have a new problem: I cannot DELETE a Role. I got the DEBUG log
below. I think I know what the problem is: Syncope searches for the group by
'uid', but my groups are identified by 'cn'; that's why Syncope cannot
find the group. Can anyone tell me where to change the group search to use
'cn' instead of 'uid'?

Searching in [ou=users,dc=test,dc=com, ou=groups,dc=test,dc=com] with
filter (&(&(objectClass=top)(objectClass=groupOfUniqueNames))(uid=ADMIN))


01:01:02.080 DEBUG Enter: getObject(ObjectClass: __GROUP__, Attribute:
{Name=__UID__, Value=[ADMIN]}, OperationOptions:
{ATTRS_TO_GET:[cn,__UID__,__NAME__,__ENABLE__]}) Method: getObject

01:01:02.083 DEBUG Enter: executeQuery(ObjectClass: __GROUP__,
LdapFilter[nativeFilter: (uid=ADMIN); entryDN: null],
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@76616ae4,
OperationOptions: {ATTRS_TO_GET:[cn,__UID__,__NAME__,__ENABLE__]}) Method:
executeQuery

01:01:02.083 WARN  Attribute __ENABLE__ of object class __GROUP__ is not
mapped to an LDAP attribute Method: getLdapAttribute

01:01:02.084 DEBUG Searching in [ou=users,dc=test,dc=com,
ou=groups,dc=test,dc=com] with filter
(&(&(objectClass=top)(objectClass=groupOfUniqueNames))(uid=ADMIN)) and
SearchControls: {returningAttributes=[cn, uid], scope=SUBTREE} Method:
doSearch

01:01:02.088 DEBUG Return Method: executeQuery

01:01:02.088 DEBUG Return: null Method: getObject

On Tue, Feb 9, 2016 at 3:46 PM, Li,Xiaodong <oy...@gmail.com> wrote:

> I set up ApacheDS LDAP with Syncope according to this Article.
> http://blog.tirasa.net/unlock-full-ldap-features-in.html
>
> The Apache DS version is 2.0.0-16M and built Syncope as my own project
> with version 1.2.7.
> I changed the core project persistence.properties to use MYSQL as internal
> storage.
>
> I can create new users and roles in syncope and they were propagated into
> LDAP correctly. I think the connector and resources configurations are
> right.
>
> But when I change the user info and delete user, it won't propagate into
> LDAP.
>
> I can see the delete user operation in task  tab -> propagation task, but
> it was not executed even if I click the Execute button, nothing happened.
>
> I checked the user profile,
>
> The internal resource accountlink is right, but why LDAP accountLink has
> red exclamation.
>
> Anyone has this problem?
>
>
> Resource
> AccountLink
> Status
> syncope                                   testuser    [image: active icon]
> LDAP
> [image: notfound icon]
>
>
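The mismatch visible in the DEBUG log of the "Append" message can be checked mechanically: when the lookup returns null, the group entry stays in the directory. This is an added example, not part of the thread and not Syncope or ConnId code; the log line is the thread's doSearch entry joined onto one line, and the function names and the objectClass-to-template mapping are assumptions.

```python
import re

# The doSearch DEBUG entry quoted in the thread, joined onto one line (constructed).
LOG_LINE = (
    "01:01:02.084 DEBUG Searching in [ou=users,dc=test,dc=com, "
    "ou=groups,dc=test,dc=com] with filter "
    "(&(&(objectClass=top)(objectClass=groupOfUniqueNames))(uid=ADMIN)) and "
    "SearchControls: {returningAttributes=[cn, uid], scope=SUBTREE} Method: doSearch"
)

# Group DN template from the thread; keying it by objectClass is an assumption.
DN_TEMPLATES = {"groupOfUniqueNames": "cn={0},ou=groups,dc=test,dc=com"}

SEARCH_RE = re.compile(
    r"Searching in \[(?P<bases>[^\]]*)\] with filter (?P<filter>\(.*\)) and SearchControls"
)
LEAF_RE = re.compile(r"\(([A-Za-z][\w;.-]*)=([^()]*)\)")  # simple (attr=value) items


def parse_search(line):
    """Return (base DNs, [(attr, value), ...]) for a doSearch log line, else None."""
    m = SEARCH_RE.search(line)
    if m is None:
        return None
    # Assumption: base DNs are separated by ", " and RDNs inside a DN by a bare ",".
    bases = [b.strip() for b in m.group("bases").split(", ")]
    return bases, LEAF_RE.findall(m.group("filter"))


def audit_search(line, templates=DN_TEMPLATES):
    """List lookups whose attribute is not the naming attribute of the DN template."""
    parsed = parse_search(line)
    if parsed is None:
        return []
    bases, leaves = parsed
    classes = {v for a, v in leaves if a.lower() == "objectclass"}
    findings = []
    for oc in sorted(classes & templates.keys()):
        rdn_attr, _, rest = templates[oc].partition("=")
        container = rest.split(",", 1)[1]  # DN of the parent entry
        for attr, value in leaves:
            if attr.lower() not in ("objectclass", rdn_attr.lower()):
                findings.append({"objectClass": oc, "searched_by": attr,
                                 "named_by": rdn_attr, "value": value,
                                 "container_in_scope": container in bases})
    return findings


if __name__ == "__main__":
    for finding in audit_search(LOG_LINE):
        print(finding)
```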