Posted to user@syncope.apache.org by "Smith, Bruce (Mr)" <Br...@nmmu.ac.za> on 2015/10/08 10:04:14 UTC

RE: How to suck in roles from a database

Hi,

I've implemented the groovy scripts as suggested and I've gotten 98% of the way there. The system is pulling roles from the database, creating them in Syncope properly linked to the LDAP resource and they propagate to the AD correctly. However the resource isn't capturing the token value, so it attempts to recreate the existing groups every time the synchronization task executes from the scheduler. I'd like to eliminate this. It does it with and without the full reconciliation option active in the sync task.

This is with the net.tirasa.connid.bundles.db.scriptedsql.ScriptedSQLConnector connector. If I use the org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector with the same groovy scripts, the logs show that the task sees the roles from the database query, but it doesn't create them in Syncope at all. No errors are thrown in the logs when this happens. Both resources and sync tasks for the two connectors are identically configured.

I know this has to be something simple, but I cannot spot anything explicitly throwing errors.

Thank you in advance,
Bruce

From: Marco Di Sabatino Di Diodoro [mailto:marco.disabatino@tirasa.net]
Sent: Tuesday, September 22, 2015 5:55 PM
To: user@syncope.apache.org
Subject: Re: How to suck in roles from a database

Hi Bruce,

Great to hear you are working fine with Apache Syncope and thank you for the compliments.
On 22/09/2015 16:21, Smith, Bruce (Mr) wrote:

Firstly, let me pass on my team's appreciation for the excellent software package that is Syncope. We love working with the combination of easy GUI and powerful backend.



What we are trying to achieve with Syncope is the complete automation of creating Active Directory accounts, home drives and email boxes for our students at the moment they are registered for a course at our university.



We've gotten to the stage where Syncope is sucking in the user records from the database and propagating the user to Active Directory via the connid.ad connector. Manually created roles are also propagating properly. Home drives and email boxes will be handled by Powershell scripts called via the connid.cmd connector.



Our current issue seems simple, but I can't quite figure out how to import roles from the database and also link the roles to the users using the database as the source. We use AD groups based on our internal subject code and add students to each group based on what subjects they are registered for. We have three tables in the staging database storing student details, subject details and the link data between student and subject.



Today, I found out that the db.table connector only supports account creation and not role creation.
The simplest way to sync roles from your database is to use the Scripted Sql connector [1]. This connector provides great flexibility (groovy script) in the interaction with a db resource.





What would be the simplest way to suck the role definition from the database into Syncope?
You can implement the groovy script to retrieve the roles from your database[2].

Regards
Marco

[1] https://connid.atlassian.net/wiki/display/BASE/Scripted+SQL
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+a+Scripted+SQL+resource




We want to avoid manual creation of the role via the GUI or automation via calling the REST interface as we are trying to get rid of custom-written, unsupported data transformation programs and replace them with a managed solution like Syncope.



Thanks,

Bruce Smith

Nelson Mandela Metropolitan University



________________________________



NOTICE: Please note that this eMail, and the contents thereof, is subject to the standard NMMU eMail disclaimer which may be found at:

http://www.nmmu.ac.za/disclaimer/email.htm





--

Dott. Marco Di Sabatino Di Diodoro

Tel. +39 3939065570



Tirasa S.r.l.

Viale D'Annunzio 267 - 65127 Pescara

Tel +39 0859116307 / FAX +39 0859111173

http://www.tirasa.net



Apache Syncope PMC Member

http://people.apache.org/~mdisabatino/



Re: How to suck in roles from a database

Posted by Marco Di Sabatino Di Diodoro <ma...@tirasa.net>.
Hi

On 08/10/2015 10:04, Smith, Bruce (Mr) wrote:
>
> Hi,
>
> I’ve implemented the groovy scripts as suggested and I’ve gotten 98% 
> of the way there. The system is pulling roles from the database, 
> creating them in Syncope properly linked to the LDAP resource and they 
> propagate to the AD correctly. However the resource isn’t capturing 
> the token value, so it attempts to recreate the existing groups every 
> time the synchronization task executes from the scheduler. I’d like to 
> eliminate this. It does it with and without the full reconciliation 
> option active in the sync task.
>
If you want to work with incremental synchronization, the full 
reconciliation option must be disabled.
Are you sure that your sync groovy script is correct? Check whether the 
sync token is initialized; you can see it in the core-connid.log or at 
http://localhost:9080/syncope/rest/resources/{resourceName}

Afterwards, make a diff with your resource timestamp field and check if 
your query works properly.

> This is with the 
> net.tirasa.connid.bundles.db.scriptedsql.ScriptedSQLConnector 
> connector. If I use the 
> org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector with 
> the same groovy scripts, the logs show that the task sees the roles 
> from the database query, but it doesn’t create them in Syncope at all. 
> No errors are thrown in the logs when this happens. Both resources and 
> sync tasks for the two connectors are identically configured.
>
I've never worked with OpenIcf ScriptedSqlConnector.

Regards
Marco

-- 
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
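
The check described in the reply above, as an added illustration that is not part of the thread and is not Syncope or ConnId code: it models why a sync token that is never stored makes every scheduled run return all groups again, and how comparing the token with the source timestamp field exposes that. The table `subject`, the column `updated_at`, the sample rows and all function names are assumptions made for this example.

```python
import sqlite3

# Constructed staging data: table, column and subject codes are assumptions.
ROWS = [
    ("MATH101", "2015-10-01 08:00:00"),
    ("PHYS102", "2015-10-05 09:30:00"),
    ("CHEM103", "2015-10-08 07:45:00"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subject (code TEXT PRIMARY KEY, updated_at TEXT)")
    conn.executemany("INSERT INTO subject VALUES (?, ?)", ROWS)
    return conn

def latest_sync_token(conn):
    """Newest change timestamp in the source; None when the table is empty."""
    return conn.execute("SELECT MAX(updated_at) FROM subject").fetchone()[0]

def sync_since(conn, token):
    """Return (changed_codes, new_token) for rows newer than the stored token.

    A missing token selects every row, which is the repeated re-create
    symptom described in the thread.
    """
    if token is None:
        cur = conn.execute("SELECT code, updated_at FROM subject ORDER BY updated_at")
    else:
        # Bound parameter: the token is never concatenated into the SQL text.
        cur = conn.execute(
            "SELECT code, updated_at FROM subject WHERE updated_at > ? ORDER BY updated_at",
            (token,),
        )
    rows = cur.fetchall()
    new_token = rows[-1][1] if rows else token
    return [code for code, _ in rows], new_token

def run_twice(conn, persist_token):
    """Simulate two scheduled runs; persist_token=False models a lost token."""
    token, seen = None, []
    for _ in range(2):
        codes, new_token = sync_since(conn, token)
        seen.append(codes)
        if persist_token:
            token = new_token
    return seen
```

With the token persisted, the second run returns nothing; without it, both runs return every group.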