Posted to user@syncope.apache.org by Mikael Ekblom <mi...@arcada.fi> on 2017/05/23 08:12:44 UTC

Dynamic assignment of users to groups-> propagation to AD

Hi,

I'll ask a small question here, before I start to implement my own action.

We have most of the basic functionality working now (automatic user name creation and password assignments etc.) and, through the template functionality for the external resources, are able to assign users to basic groups within Syncope and propagate these group memberships to AD too while pulling users from the external HR resource etc.

My question though regards dynamic assignments of users to groups based on an attribute for example. This works fine internally and the users are assigned to a group dynamically based on an existing cost center attribute value in the HR system, but those minor changes are not propagated towards AD as a change within the memberships for that group object. By this I mean that the group in AD is still empty, while the console shows that the membership is there within Syncope as a dynamic group membership.

As for a resource, you have the propagation actions for provisioning users like the ldapmembership, ldappassword etc. and these seem to work pretty much out of the box when you assign "regular" group memberships during a pull. A change in the user will trigger a propagation action towards the external AD resource.

But the dynamic assignment of groups does not seem to propagate as I thought that it maybe could. So, I guess that assigning dynamic memberships according to some cost center value during an initial pull will not trigger a group membership propagation action automatically towards AD for that group object? Is Syncope even designed for that?

I guess we need to assign groups through a pull action for the cost center part during update, because the group membership will change through time though during updates?  Not a big job either, but I decided to ask just in case. It would be cleaner to have it done as a standard configuration change from the console or maybe added as a feature.

Regards,

Mikael


Mikael Ekblom
Systemutvecklare/System developer
Arcada, IT

Jan-Magnus Janssons plats 1,
FIN-00560 Helsingfors,
Finland

TFn: +358 207 699 467
Mobil: +358 207 699 467


RE: Dynamic assignment of users to groups-> propagation to AD

Posted by Mikael Ekblom <mi...@arcada.fi>.
Hi,

Ok, nice if it could be worked out. I worked around it by implementing a pull action that assigns regular memberships according to cost center value and that works.

But, it would be nice or cleaner to have it out of the box!

Regards,

   Mikael




From: Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
Sent: Friday 26 May 2017 14.46
To: user@syncope.apache.org
Subject: Re: Dynamic assignment of users to groups-> propagation to AD

Hi Mikael,
the fact that dynamic group assignment does not trigger propagation sounds like a bug: I have created

https://issues.apache.org/jira/browse/SYNCOPE-1099

Thanks for reporting.
Regards.


Re: Dynamic assignment of users to groups-> propagation to AD

Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi Mikael,
the fact that dynamic group assignment does not trigger propagation 
sounds like a bug: I have created

https://issues.apache.org/jira/browse/SYNCOPE-1099

Thanks for reporting.
Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/