Posted to user@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2023/04/07 12:24:34 UTC

Re: Issue with synchronizing group membership from Syncope to LDAP

Hi,
resurrecting this old thread to communicate that the requested feature is planned for Syncope 3.0.3:

https://issues.apache.org/jira/browse/SYNCOPE-1748

Regards.

On 20/01/22 12:54, Francesco Chicchiriccò wrote:
> Ah, here is why:
>
> https://github.com/apache/syncope/blob/2_1_X/ext/scimv2/scim-rest-cxf/src/main/java/org/apache/syncope/ext/scimv2/cxf/service/GroupServiceImpl.java#L95
>
> It seems the PATCH method was left intentionally not implemented.
> As always, PRs welcome :-)
>
> Regards.
>
> On 20/01/22 12:49, fabien@fabln.ovh wrote:
>> I'm afraid no, can't see anything in other logs (regarding PATCH)
>>
>> On 2022-01-20 11:37, Francesco Chicchiriccò wrote:
>>> On 20/01/22 12:36, fabien@fabln.ovh wrote:
>>>> hi Francesco,
>>>> It looks like the PATCH is not generating any logs (/var/log/apache-syncope/core.log doesn't show anything when I am using PATCH (via curl or AAD)).
>>>>
>>>> Is this not supported somehow? Or is there any parameter to modify?
>>>
>>> Nothing in other Core log files, as core-rest.log, for example?
>>>
>>>> On 2022-01-20 06:56, Francesco Chicchiriccò wrote:
>>>>> On 19/01/22 16:07, fabien@fabln.ovh wrote:
>>>>>> Hi Francesco,
>>>>>> Yes, doing those 2 steps separately works. Which also works is to run a USER Reconciliation, after this, any change to the group memberships (in the Syncope Interface) is populated to LDAP.
>>>>>> I have a last question: I am now testing the SCIM from Azure AD (ultimately I need to populate users/groups to LDAP from AAD (via SCIM to Syncope)).
>>>>>> Users and groups are created fine, but no memberships. I saw in the Syncope logs that AAD seems to create users and groups, and then try to PATCH the group to add the members, and I see a 501 error:
>>>>>>
>>>>>> "PATCH /syncope/scim/v2/Groups/c4a04619-1b3e-41b9-a046-191b3e11b97f HTTP/1.1" 501 -
>>>>>>
>>>>>>
>>>>>> When I try to reproduce this and PATCH with curl, I also get a similar error.
>>>>>>
>>>>>> For example, trying to remove a member fails:
>>>>>> {
>>>>>>     "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
>>>>>>     "Operations": [{
>>>>>>         "op": "Remove",
>>>>>>         "path": "members",
>>>>>>         "value": [{
>>>>>>             "$ref": null,
>>>>>>             "value": "1519e2f5-eadb-4216-99e2-f5eadb52163d"
>>>>>>         }]
>>>>>>     }]
>>>>>> }
>>>>>>
>>>>>>
>>>>>> Is there any parameter to set up in Syncope? Sorry, I could not find any documentation going through this process.
>>>>>
>>>>> Honestly, I don't remember many real-case usages of the SCIM 2.0
>>>>> extension, hence it is likely that the operation above is actually
>>>>> hitting some part of the code which was not thoroughly tested.
>>>>>
>>>>> Could you please report as well the stacktrace you see in Syncope Core
>>>>> logs when performing the operation above?
>>>>>
>>>>> Regards.
>>>>>
>>>>>> On 2022-01-18 13:59, Francesco Chicchiriccò wrote:
>>>>>>> On 14/01/22 13:54, fabien@fabln.ovh wrote:
>>>>>>>> Thanks Francesco.
>>>>>>>> Please find more explanations:
>>>>>>>>
>>>>>>>>> Let me recap the flow:
>>>>>>>>> 1. users are created in Syncope (how? via SCIM?), with the LDAP resource assigned
>>>>>>>>
>>>>>>>>  I created the users here manually in Syncope (REALMs / Users)
>>>>>>>> For example:
>>>>>>>> local_user1
>>>>>>>> Auxiliary Classes: BaseGroup
>>>>>>>> Groups: none at this stage
>>>>>>>> surname: local_user5
>>>>>>>> external resources: my_resource_LDAP
>>>>>>>>
>>>>>>>> I also tested creating the users via SCIM, and then doing a "reconciliation" in the LDAP resource; that also works (users are added in LDAP).
>>>>>>>>
>>>>>>>> After this step, the user local_user1 is synchronized and created in LDAP.
>>>>>>>>
>>>>>>>>> 2. group is created in Syncope via SCIM, with 2 members
>>>>>>>>> first question: can you see the group membership in Syncope, for the 2 users created at step 1?
>>>>>>>>
>>>>>>>> Yes, going to Realms / Group / local_user20, clicking on "members" /User, I can see the 2 members.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> 3. the Push Task is run
>>>>>>>>>
>>>>>>>>> second question: is the Push Task configured for both users and groups?
>>>>>>>> yes
>>>>>>>>
>>>>>>>>
>>>>>>>>> 4. you can see both users and group on LDAP, but no members for the group
>>>>>>>> correct, at least initially (when users and groups are created)
>>>>>>>>
>>>>>>>>> 5. you edit the 2 users in Syncope by adding group membership
>>>>>>>> yes
>>>>>>>>
>>>>>>>>> 6. the Push Task is run again, with expected result
>>>>>>>> yes
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I just realized something actually:
>>>>>>>> - I create users
>>>>>>>> - synchronize those users in LDAP
>>>>>>>> - I create a group with members
>>>>>>>> - synchronize this group in LDAP, the group is created in LDAP but no members are in it
>>>>>>>> - in Syncope, I then run a USER "reconciliation" in the LDAP resource, then the members are synchronized in the GROUP in LDAP.
>>>>>>>>
>>>>>>>>
>>>>>>>> Is this actually the way to do it?
>>>>>>>
>>>>>>> The simplest way to accomplish what I think is your goal is:
>>>>>>>
>>>>>>> 1. create group and assign the LDAP resource to it
>>>>>>> 2. create user(s) with membership of such group
>>>>>>>
>>>>>>> If you perform such two steps from Syncope Console (or via REST
>>>>>>> through standard endpoints), and the LDAP resource is configured
>>>>>>> correctly, you get the expected result: users in LDAP, group in LDAP,
>>>>>>> with members set.
>>>>>>>
>>>>>>> This works because by default Syncope works with what we call
>>>>>>> "implicit provisioning": when you assign a Resource to a Group, the
>>>>>>> Group itself and all members will be propagated to the Resource.
>>>>>>>
>>>>>>> One important thing to remember about implicit provisioning is that it
>>>>>>> works by type: when you create / update / delete a User, you will get
>>>>>>> a User propagated to the Resource; e.g. you cannot create or update a
>>>>>>> Group and have Users propagated to LDAP, at least without adding some
>>>>>>> customizations around.
>>>>>>>
>>>>>>> I think that, since you are updating a Group via SCIM endpoint by
>>>>>>> assigning members, then propagation is not happening as expected in
>>>>>>> the default flow.
>>>>>>>
>>>>>>> HTH
>>>>>>> Regards.
>>>>>>>
>>>>>>>> On 2022-01-14 07:22, Francesco Chicchiriccò wrote:
>>>>>>>>> On 14/01/22 00:35, fabien@fabln.ovh wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I am running Syncope version 2.1.10. I am trying to synchronize group membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP (openldap).
>>>>>>>>>>
>>>>>>>>>> The problem I have is that when I create users and then groups with members in Syncope, the users and groups are created properly in LDAP but the group doesn't have the members.
>>>>>>>>>>
>>>>>>>>>> If I edit the users in Syncope and add them to the group, then the group in LDAP is synchronized properly and contains the correct members.
>>>>>>>>>>
>>>>>>>>>> Is it possible to synchronize group members from Syncope to LDAP from the group in Syncope, or do the users in Syncope need to contain the group list?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> My configuration:
>>>>>>>>>>
>>>>>>>>>> I created the users local_user1 and local_user2 in Syncope.
>>>>>>>>>>
>>>>>>>>>> I have the file local_group20.json to create the group "local_group20" with the 2 members "local_user1" and "local_user2" via SCIM:
>>>>>>>>>>
>>>>>>>>>> {
>>>>>>>>>>     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
>>>>>>>>>>     "displayName": "local_group20",
>>>>>>>>>>     "externalId": "local_group20",
>>>>>>>>>>     "members": [{
>>>>>>>>>>         "value": "d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa",
>>>>>>>>>>         "display": "local_user1"
>>>>>>>>>>     }, {
>>>>>>>>>>         "value": "2366d4ee-700e-4578-a6d4-ee700e05787c",
>>>>>>>>>>         "display": "local_user2"
>>>>>>>>>>     }]
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> I create the groups with the members in SYNCOPE via SCIM:
>>>>>>>>>>
>>>>>>>>>> $ curl -k -vX POST -H "Accept: application/scim+json" -H "Content-Type: application/scim+json" -H "Authorization: Bearer $TOKEN" -d @local_group20.json http://localhost:18080/syncope/scim/v2/Groups
>>>>>>>>>>
>>>>>>>>>> I can see the group "local_group20" is created fine in Syncope, with the 2 members in it.
>>>>>>>>>>
>>>>>>>>>> I have an LDAP connector in Syncope, with a propagation action "LDAPMembershipPropagationActions" and a PUSH task (note: there are no actions available in the PUSH task).
>>>>>>>>>>
>>>>>>>>>> When I run the PUSH task, the group is created in LDAP but without the members local_user1 and local_user2.
>>>>>>>>>>
>>>>>>>>>> If I edit the users local_user1 and local_user2 in Syncope, and add them to the group "local_group20" and run the PUSH task again, they appear in the LDAP group members.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Any idea?
>>>>>>>>> Hi Fabien,
>>>>>>>>> it seems you went pretty far with your use case above: e.g. to use
>>>>>>>>> Syncope to provision users, groups and memberships via SCIM2 to LDAP.
>>>>>>>>>
>>>>>>>>> Let me recap the flow:
>>>>>>>>>
>>>>>>>>> 1. users are created in Syncope (how? via SCIM?), with the LDAP
>>>>>>>>> resource assigned
>>>>>>>>> 2. group is created in Syncope via SCIM, with 2 members
>>>>>>>>>
>>>>>>>>> first question: can you see the group membership in Syncope, for the 2
>>>>>>>>> users created at step 1?
>>>>>>>>>
>>>>>>>>> 3. the Push Task is run
>>>>>>>>>
>>>>>>>>> second question: is the Push Task configured for both users and groups?
>>>>>>>>>
>>>>>>>>> 4. you can see both users and group on LDAP, but no members for the group
>>>>>>>>> 5. you edit the 2 users in Syncope by adding group membership
>>>>>>>>> 6. the Push Task is run again, with expected result
>>>>>>>>>
>>>>>>>>> Is all above correct? Can you provide answers?
>>>>>>>>> Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
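The thread above leaves two things for a practitioner to handle by hand: the shape of the SCIM 2.0 bodies used to create a group and to add or remove its members, and what to do when PATCH /Groups answers 501. The Python below is an added example written for this page (it is not Apache Syncope code and was not posted by anyone in the thread). It builds those bodies following RFC 7643 and RFC 7644, checks a PatchOp for the two non-canonical details visible in the PATCH body posted in the thread (a capitalised "Remove" and a null "$ref"), and maps the status of the PATCH response to a next step, treating 501 as "PATCH not implemented on this server" as the thread establishes. The function names and the quoted-payload constant are the example's own; the ids are the ones posted in the thread, and nothing is sent over the network.

```python
"""SCIM 2.0 group-membership payload builder and PATCH response triage.

Added example for the mailing-list thread; not Apache Syncope code.
Standard library only; everything is built and checked locally.
"""
import json
from typing import Dict, List

GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# RFC 7644 section 3.5.2 spells the operation names in lowercase.
VALID_OPS = {"add", "remove", "replace"}

# The PATCH body posted in the thread (the one that produced the 501).
THREAD_REMOVE_PAYLOAD = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [{
        "op": "Remove",
        "path": "members",
        "value": [{"$ref": None, "value": "1519e2f5-eadb-4216-99e2-f5eadb52163d"}],
    }],
}


def group_create_payload(display_name: str, external_id: str,
                         members: Dict[str, str]) -> dict:
    """Body for POST /Groups (RFC 7643 section 4.2).

    members maps a member's SCIM id to its display name, mirroring the
    local_group20.json file from the thread.
    """
    return {
        "schemas": [GROUP_SCHEMA],
        "displayName": display_name,
        "externalId": external_id,
        "members": [{"value": key, "display": name} for key, name in members.items()],
    }


def add_members_patch(member_ids: List[str]) -> dict:
    """PatchOp that appends members to a group (RFC 7644 section 3.5.2.1)."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{
            "op": "add",
            "path": "members",
            "value": [{"value": key} for key in member_ids],
        }],
    }


def remove_members_patch(member_ids: List[str]) -> dict:
    """PatchOp that removes members by value filter (RFC 7644 section 3.5.2.2).

    One operation per member; the filter form is what the RFC describes for
    removing one element of a multi-valued attribute.
    """
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "remove", "path": 'members[value eq "%s"]' % key}
                       for key in member_ids],
    }


def validate_patch(body: dict) -> List[str]:
    """Return the problems found in a PatchOp body (an empty list means OK)."""
    problems: List[str] = []
    if body.get("schemas") != [PATCH_SCHEMA]:
        problems.append("schemas must be exactly [%s]" % PATCH_SCHEMA)
    ops = body.get("Operations")
    if not isinstance(ops, list) or not ops:
        return problems + ["Operations must be a non-empty list"]
    for i, op in enumerate(ops):
        name = str(op.get("op", ""))
        if name.lower() not in VALID_OPS:
            problems.append("Operations[%d]: unknown op %r" % (i, name))
        elif name != name.lower():
            # "Remove" is tolerated by some servers but is not the RFC spelling.
            problems.append("Operations[%d]: op %r is not lowercase" % (i, name))
        if name.lower() in ("add", "replace") and "value" not in op:
            problems.append("Operations[%d]: %s needs a value" % (i, name))
        values = op.get("value")
        for member in values if isinstance(values, list) else []:
            if isinstance(member, dict) and "$ref" in member and member["$ref"] is None:
                problems.append("Operations[%d]: drop null $ref; if present it must be a URI" % i)
    return problems


def classify_patch_response(status: int) -> str:
    """Map the HTTP status of PATCH /Groups/{id} to the next step.

    501 is what the thread reports from Syncope 2.1.x, whose SCIM GroupService
    left PATCH unimplemented (SYNCOPE-1748 tracks the feature).
    """
    if status in (200, 204):
        return "membership updated"
    if status == 501:
        return ("server does not implement PATCH on Groups; set membership on the "
                "user side instead and let implicit provisioning push it")
    if status in (401, 403):
        return "check the bearer token / SCIM client authorization"
    if status == 404:
        return "group id not found"
    return "unexpected status %d; capture core.log and core-rest.log" % status


if __name__ == "__main__":
    body = group_create_payload("local_group20", "local_group20",
                                {"d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa": "local_user1",
                                 "2366d4ee-700e-4578-a6d4-ee700e05787c": "local_user2"})
    print(json.dumps(body, indent=2))
    print(validate_patch(THREAD_REMOVE_PAYLOAD))
    print(classify_patch_response(501))
```

Running the script prints the group-create body, the two findings for the thread's PATCH payload, and the 501 advice. The validator deliberately normalises the op name before deciding whether it is unknown, so a capitalised "Remove" is reported as a spelling issue rather than rejected outright, which matches how lenient servers behave while still flagging it for clients that need to interoperate with strict ones.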