Posted to user@syncope.apache.org by Marius <ma...@par-tec.it> on 2020/09/16 08:38:12 UTC

Apache syncope integration with Active Directory

Hello,

we are trying to get apache syncope to integrate/communicate with an active
directory, we have a maven installation and have created the AD resource
connector using the connector from the bundle directory and everything seems
to be ok so far, the problem is that apache syncope does not seem to be
communicating with the active directory.

I found this guide online
https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory, and I
tried to create a new resource under the AD resource connector but I seem to
be missing the "LDAPMembershipPropagationActions" action class under the
resource when I try to create it, in fact I miss the other 2 too that he
seems to have under the "Propagation Actions" menu.

Now my question is how do I get on about having those classes available for
usage? do I need to modify something with the sample he provided in the
beginning of the post and then have to re-deploy everything? or is there an
easier way of doing this. Thank you in advance for this

I would like to ask you one more thing, in a working integration of apache
syncope and AD, if I create a user using the apache syncope console does it
get replicated automatically into the AD or do I have to do some additional
configurations? 

Thank you very much in advance.

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

Re: Apache syncope integration with Active Directory

Posted by Marius <ma...@par-tec.it>.
Hello Andrea,

thank you very much for your answer, we did manage to make it work now.

I would like to ask you one more thing, we have a delicate situation going
on with the AD that we are connecting to, basically the administration user
that we have is not able to alter in any way or shape the users but only a
certain group, and when I go and try to modify the user from the apache
syncope console and then assign it to a group I get an error saying that I
do not have enough access rights, this must be because the operation that
syncope is doing is trying to modify the user attribute and assign it to a
group but the administrative user we configured the connector with does not
have enough rights in order to do this.

We have tried to launch an ldif file with ldapmodify using that same
administrative user with restricted access rights in which we modified the
group attribute and that way it worked, an example of how it was is the
following

dn: cn=GroupName,ou=Groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: uid=UserName,ou=People,dc=example,dc=com

So by modifying the group we are able to assign members to it but not by
modifying the users directly, but I could not manage to find if it was
possible to assign a member to a group using the syncope console this way.

Is there an existing class that is capable of assigning members to a group
this way, or do we need to create one?

Thank you very much again.

Best regards

--
Sent from: http://syncope-user.1051894.n5.nabble.com/
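
The group-side modify shown in the message above, as an added example that is not part of the original thread and is not Syncope code: it builds the same LDIF record from a group name and user ids, escaping DN values (RFC 4514) and base64-encoding unsafe values (RFC 2849) so that a name containing a comma or a line break cannot change the record. The function names and the sample base DNs are hypothetical.

```python
import base64
import re

# RFC 2849 SAFE-STRING: 7-bit, no NUL/CR/LF, not starting with space, ':' or '<'.
_SAFE = re.compile(r'[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]'
                   r'[\x01-\x09\x0b\x0c\x0e-\x7f]*')


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in '"+,;<>\\':
            out.append('\\' + ch)
        elif (i == 0 and ch in ' #') or (i == len(value) - 1 and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when the value is not LDIF-safe."""
    if _SAFE.fullmatch(value) and not value.endswith(' '):
        return f'{attr}: {value}'
    return f'{attr}:: ' + base64.b64encode(value.encode('utf-8')).decode('ascii')


def group_member_ldif(group_cn, uids, groups_base, people_base, op='add'):
    """Build one modify record that changes only the group entry."""
    if op not in ('add', 'delete'):
        raise ValueError('op must be add or delete')
    if not uids:
        raise ValueError('at least one uid is required')
    lines = [
        ldif_line('dn', f'cn={escape_rdn_value(group_cn)},{groups_base}'),
        'changetype: modify',
        f'{op}: uniquemember',
    ]
    for uid in uids:
        lines.append(ldif_line('uniquemember', f'uid={escape_rdn_value(uid)},{people_base}'))
    lines.append('-')  # RFC 2849 terminator for the modification
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Constructed sample values matching the placeholders used in the message above.
    print(group_member_ldif('GroupName', ['UserName'],
                            'ou=Groups,dc=example,dc=com', 'ou=People,dc=example,dc=com'))
```

The output can be passed to ldapmodify bound as the restricted account, which only needs write access to the group entry.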

Re: Apache syncope integration with Active Directory

Posted by Andrea Patricelli <an...@apache.org>.
Hi Marius,

On 16/09/20 10:38, Marius wrote:
> Hello,
>
> we are trying to get apache syncope to integrate/communicate with an active
> directory, we have a maven installation and have created the AD resource
> connector using the connector from the bundle directory and everything seems
> to be ok so far, the problem is that apache syncope does not seem to be
> communicating with the active directory.
>
> I found this guide online
> https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory, and I
> tried to create a new resource under the AD resource connector but I seem to
> be missing the "LDAPMembershipPropagationActions" action class under the
> resource when I try to create it, in fact I miss the other 2 too that he
> seems to have under the "Propagation Actions" menu.
>
> Now my question is how do I get on about having those classes available for
> usage? do I need to modify something with the sample he provided in the
> beginning of the post and then have to re-deploy everything? or is there an
> easier way of doing this. Thank you in advance for this
Since Syncope 2.1.X implementations [1] have been introduced.
In order to define a custom propagation actions class you have to create 
your own implementation (from Configuration menu) and then you'll see it 
available under the "Propagation Actions" menu.
> I would like to ask you one more thing, in a working integration of apache
> syncope and AD, if I create a user using the apache syncope console does it
> get replicated automatically into the AD or do I have to do some additional
> configurations?
No, if the connector and the external resource are correctly configured 
you only need to assign AD to the user while creating/updating him in 
console.
>
> Thank you very much in advance.
Welcome and best regards,
Andrea
>
> --
> Sent from: http://syncope-user.1051894.n5.nabble.com/
[1] https://syncope.apache.org/docs/2.1/reference-guide.html#implementations

-- 
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member