Posted to user@syncope.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2012/08/10 14:09:40 UTC

Synchronization sanity check

Hi all,

A quick sanity check: Is there any reason why I can't synchronize from an
Apache DS backend in Syncope? I can create users in Syncope and propagate
them to the resource fine, but I can't do the reverse.

Thanks,

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Synchronization sanity check

Posted by Colm O hEigeartaigh <co...@apache.org>.
I'm not sure if it is the convention or not - I have no strong opinions
either way. I guess I will stay with the existing convention of merging to
a branch first.

Colm.

On Tue, Aug 14, 2012 at 2:37 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

>  On 14/08/2012 15.35, Colm O hEigeartaigh wrote:
>
>
> > Correct (I guess): hence the fix should be committed on the 1_0_X
> branch, then merged into the trunk, right?
> > I'll make the necessary corrections on JIRA.
>
> I normally merge to trunk first and then to older branches - at least this
> is the convention used by projects such as Apache CXF.
>
>
> We were actually used to do it in the opposite way, but if this is a
> convention for ASF projects, I wouldn't break it here...
>
>
> Regards.
>
>  On Tue, Aug 14, 2012 at 2:31 PM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>>  On 14/08/2012 15.28, Colm O hEigeartaigh wrote:
>>
>> Thanks Francesco! Two queries on the JIRAs:
>>
>>  a) Shouldn't the issues also have "1.1.0-incubating" as the fix-for
>> version?
>>
>>
>>  Correct (I guess): hence the fix should be committed on the 1_0_X
>> branch, then merged into the trunk, right?
>> I'll make the necessary corrections on JIRA.
>>
>>
>>  b) Is SYNCOPE-186 really suitable for a 1.0.1-incubating release given
>> that it is more of a refactor and not a bug as such?
>>
>>
>>  Hum, you're right: fixing this as well.
>>
>> Regards.
>>
>>
>>  On Tue, Aug 14, 2012 at 9:45 AM, Francesco Chicchiriccò <
>> ilgrosso@apache.org> wrote:
>>
>>>  On 13/08/2012 18.05, Francesco Chicchiriccò wrote:
>>>
>>> On 13/08/2012 17.57, Colm O hEigeartaigh wrote:
>>>
>>> Hi Francesco,
>>>
>>> Thanks for looking into this! The issues sound good to me - will you
>>> open the JIRAs or do you want me to do it?
>>>
>>>
>>> As you prefer.
>>>
>>>
>>>  Done: SYNCOPE-183 SYNCOPE-184 SYNCOPE-185 SYNCOPE-186 and SYNCOPE-187.
>>>
>>> Regards.
>>>
>>>
>>>  Should we also create a JIRA for the fact that the deletion error is
>>> not reported on the users console screen?
>>>
>>>
>>> Ah, forgot this: of course, this is also to be opened, taking also care
>>> that all the surrounding conditions are reported.
>>>
>>> Basic question = Is there an easy way of configuring Syncope (embedded
>>> or otherwise) to launch with no pre-existing
>>> User/Schema/Connectors/Resources/etc. configured, but with all of the
>>> Connectors available? So for example if you just want to launch Syncope in
>>> an embedded mode and add your own schemas etc., but without having to
>>> manually delete all of the existing schemas/users/etc?
>>>
>>>
>>> Consider that Syncope performs initialization of its own repository when
>>> the underlying db is found empty (i.e. always in embedded mode) by loading:
>>>  * core/src/test/resources/content.xml (embedded)
>>>  * core/src/main/resources/content.xml (real-world)
>>>
>>> This means that if you want no "User/Schema/Connectors/Resources/etc.",
>>> you can just play with the correspondent content.xml in your overlay's
>>> sources. This can be done in a couple of ways:
>>>  1. edit the XML source file
>>>  2. make all configurations via console and then export the customized
>>> content with Configuration -> Export DB content
>>>
>>> Regards.
>>>
>>>  On Mon, Aug 13, 2012 at 4:27 PM, Francesco Chicchiriccò <
>>> ilgrosso@apache.org> wrote:
>>>
>>>>  On 13/08/2012 16.45, Francesco Chicchiriccò wrote:
>>>>
>>>>> On 13/08/2012 16.20, Colm O hEigeartaigh wrote:
>>>>>
>>>>>>
>>>>>> Done, thanks. Two other related questions re potential bugs:
>>>>>>
>>>>>> 1) I created a new user and assigned a (LDAP) Resource. It propagated
>>>>>> successfully + I can see the new user in the backend resource. However,
>>>>>> when I edit the user in Syncope I see:
>>>>>>
>>>>>> Syncope Newuser active icon
>>>>>> Apache DS resource cn=Newuser,ou=users,ou=system undefined icon
>>>>>>
>>>>>> Why does an "undefined icon" appear when the propagation was
>>>>>> successful?
>>>>>>
>>>>>
>>>>> Could you take a look at the propagation task that was created for
>>>>> this operation (create user on LDAP resource)? There should be an
>>>>> execution, possibly reporting an error message.
>>>>>
>>>>> The "undefined icon" means that the LDAP resource did not return any
>>>>> status information about that user.
>>>>>
>>>>> Is your LDAP resource 'propagation primary'? Is enforcing mandatory
>>>>> constraints?
>>>>>
>>>>>  2)  I created a new user and assigned a (LDAP) Resource. It
>>>>>> propagated successfully. However if I try to delete in the Syncope users
>>>>>> console, nothing happens + no error message appears. Looking at logs I see:
>>>>>>
>>>>>> 14:27:10.868 WARN  org.springframework.web.client.RestTemplate - GET
>>>>>> request for "http://localhost:9080/syncope/rest/user/delete/105"
>>>>>> resulted in 400 (Bad Request); invoking error handler
>>>>>> 14:27:10.869 WARN  org.apache.wicket.protocol.http.WebSession -
>>>>>> Component-targetted feedback message was left unrendered. This could be
>>>>>> because you are missing a FeedbackPanel on the page. Message:
>>>>>> [FeedbackMessage message = "{[Propagation [Apache DS resource]], }",
>>>>>> reporter = listResult, level = ERROR]
>>>>>>
>>>>>> When I look at the Core log I see:
>>>>>>
>>>>>> SEVERE: Servlet.service() for servlet [syncope-core-rest] in context
>>>>>> with path [/syncope] threw exception [Request processing failed; nested
>>>>>> exception is org.apache.syncope.core.propagation.PropagationException:
>>>>>> Exception during provision on resource Apache DS resource
>>>>>> [LDAP: error code 68 - Attempt to move entry onto itself.]] with root
>>>>>> cause
>>>>>> org.apache.syncope.core.propagation.PropagationException: Exception
>>>>>> during provision on resource Apache DS resource
>>>>>> [LDAP: error code 68 - Attempt to move entry onto itself.]
>>>>>>         at
>>>>>> org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
>>>>>>
>>>>>> So there are potentially two bugs here:
>>>>>>
>>>>>>  a) The error is not reported on the Users Console screen.
>>>>>>
>>>>>
>>>>> This is an error for sure.
>>>>>
>>>>>   b) User deletion does not appear to be working.
>>>>>>
>>>>>> I could only delete the user when I removed the Resource from the
>>>>>> user first.
>>>>>>
>>>>>
>>>>> I suspect that there is some issue when creating this user on LDAP
>>>>> (possibly an incomplete mapping?): are you running an embedded environment
>>>>> with provided test configuration or have you defined everything from
>>>>> scratch?
>>>>>
>>>>
>>>>  Hi Colm,
>>>> I've just tried your procedure above in the embedded environment and
>>>> confirmed all you've found.
>>>>
>>>> Summarizing, I would open the following issues (affecting
>>>> 1.0.1-incubating and 1.1.0-incubating):
>>>>
>>>> 1. 'Enforce mandatory constraints' is not working
>>>> firstname is mapped to cn with mandatoryCondition == 'true' on LDAP
>>>> resource, but Syncope doesn't warn if firstname is not provided
>>>>
>>>> 2. LDAP test connector is not configured for providing status
>>>> information
>>>> No conf value is provided for LDAP connector's statusManagementClass
>>>> Note: this is not a problem itself, and is also the reason why you see
>>>> the 'undefined icon'; anyway, it would be nice to provide a complete
>>>> configuration
>>>>
>>>> 3. Could not delete an user with LDAP resource
>>>> An update operation is issued instead of delete, returning the
>>>> following exception:
>>>> 17:00:11.708 DEBUG
>>>> org.identityconnectors.framework.api.operations.UpdateApiOp.update
>>>> Exception:
>>>> org.identityconnectors.framework.common.exceptions.ConnectorException:
>>>> javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Attempt to
>>>> move entry onto itself.]; remaining name 'uid=pippo4@pippo.it
>>>> ,ou=people,o=isp'
>>>> [...]
>>>>
>>>> 4. Build reference flows for propagation and synchronization
>>>> The code behind propagation and synchronization layers is getting
>>>> bigger and plenty of flow exceptions: a reorganization - backed by some
>>>> reference flows to be summarized as wiki pages - is needed.
>>>>
>>>> WDYT?
>>>>
>>>         --
> Francesco Chicchiriccò
>
> ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Synchronization sanity check

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 14/08/2012 15.35, Colm O hEigeartaigh wrote:
>
> > Correct (I guess): hence the fix should be committed on the 1_0_X 
> branch, then merged into the trunk, right?
> > I'll make the necessary corrections on JIRA.
>
> I normally merge to trunk first and then to older branches - at least 
> this is the convention used by projects such as Apache CXF.

We were actually used to do it in the opposite way, but if this is a 
convention for ASF projects, I wouldn't break it here...

Regards.

> On Tue, Aug 14, 2012 at 2:31 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org> wrote:
>
>     On 14/08/2012 15.28, Colm O hEigeartaigh wrote:
>>     Thanks Francesco! Two queries on the JIRAs:
>>
>>      a) Shouldn't the issues also have "1.1.0-incubating" as the
>>     fix-for version?
>
>     Correct (I guess): hence the fix should be committed on the 1_0_X
>     branch, then merged into the trunk, right?
>     I'll make the necessary corrections on JIRA.
>
>
>>      b) Is SYNCOPE-186 really suitable for a 1.0.1-incubating release
>>     given that it is more of a refactor and not a bug as such?
>
>     Hum, you're right: fixing this as well.
>
>     Regards.
>
>
>>     On Tue, Aug 14, 2012 at 9:45 AM, Francesco Chicchiriccò
>>     <ilgrosso@apache.org> wrote:
>>
>>         On 13/08/2012 18.05, Francesco Chicchiriccò wrote:
>>>         On 13/08/2012 17.57, Colm O hEigeartaigh wrote:
>>>>         Hi Francesco,
>>>>
>>>>         Thanks for looking into this! The issues sound good to me -
>>>>         will you open the JIRAs or do you want me to do it?
>>>
>>>         As you prefer.
>>
>>         Done: SYNCOPE-183 SYNCOPE-184 SYNCOPE-185 SYNCOPE-186 and
>>         SYNCOPE-187.
>>
>>         Regards.
>>
>>
>>>>         Should we also create a JIRA for the fact that the deletion
>>>>         error is not reported on the users console screen?
>>>
>>>         Ah, forgot this: of course, this is also to be opened,
>>>         taking also care that all the surrounding conditions are
>>>         reported.
>>>
>>>>         Basic question = Is there an easy way of configuring
>>>>         Syncope (embedded or otherwise) to launch with no
>>>>         pre-existing User/Schema/Connectors/Resources/etc.
>>>>         configured, but with all of the Connectors available? So
>>>>         for example if you just want to launch Syncope in an
>>>>         embedded mode and add your own schemas etc., but without
>>>>         having to manually delete all of the existing
>>>>         schemas/users/etc?
>>>
>>>         Consider that Syncope performs initialization of its own
>>>         repository when the underlying db is found empty (i.e.
>>>         always in embedded mode) by loading:
>>>          * core/src/test/resources/content.xml (embedded)
>>>          * core/src/main/resources/content.xml (real-world)
>>>
>>>         This means that if you want no
>>>         "User/Schema/Connectors/Resources/etc.", you can just play
>>>         with the correspondent content.xml in your overlay's
>>>         sources. This can be done in a couple of ways:
>>>          1. edit the XML source file
>>>          2. make all configurations via console and then export the
>>>         customized content with Configuration -> Export DB content
>>>
>>>         Regards.
>>>
>>>>         On Mon, Aug 13, 2012 at 4:27 PM, Francesco Chicchiriccò
>>>>         <ilgrosso@apache.org> wrote:
>>>>
>>>>             On 13/08/2012 16.45, Francesco Chicchiriccò wrote:
>>>>
>>>>                 On 13/08/2012 16.20, Colm O hEigeartaigh wrote:
>>>>
>>>>
>>>>                     Done, thanks. Two other related questions re
>>>>                     potential bugs:
>>>>
>>>>                     1) I created a new user and assigned a (LDAP)
>>>>                     Resource. It propagated successfully + I can
>>>>                     see the new user in the backend resource.
>>>>                     However, when I edit the user in Syncope I see:
>>>>
>>>>                     Syncope Newuser active icon
>>>>                     Apache DS resource
>>>>                     cn=Newuser,ou=users,ou=system undefined icon
>>>>
>>>>                     Why does an "undefined icon" appear when the
>>>>                     propagation was successful?
>>>>
>>>>
>>>>                 Could you take a look at the propagation task that
>>>>                 was created for this operation (create user on LDAP
>>>>                 resource)? There should be an execution, possibly
>>>>                 reporting an error message.
>>>>
>>>>                 The "undefined icon" means that the LDAP resource
>>>>                 did not return any status information about that user.
>>>>
>>>>                 Is your LDAP resource 'propagation primary'? Is
>>>>                 enforcing mandatory constraints?
>>>>
>>>>                     2)  I created a new user and assigned a (LDAP)
>>>>                     Resource. It propagated successfully. However
>>>>                     if I try to delete in the Syncope users
>>>>                     console, nothing happens + no error message
>>>>                     appears. Looking at logs I see:
>>>>
>>>>                     14:27:10.868 WARN
>>>>                      org.springframework.web.client.RestTemplate -
>>>>                     GET request for
>>>>                     "http://localhost:9080/syncope/rest/user/delete/105"
>>>>                     resulted in 400 (Bad Request); invoking error
>>>>                     handler
>>>>                     14:27:10.869 WARN
>>>>                      org.apache.wicket.protocol.http.WebSession -
>>>>                     Component-targetted feedback message was left
>>>>                     unrendered. This could be because you are
>>>>                     missing a FeedbackPanel on the page. Message:
>>>>                     [FeedbackMessage message = "{[Propagation
>>>>                     [Apache DS resource]], }", reporter =
>>>>                     listResult, level = ERROR]
>>>>
>>>>                     When I look at the Core log I see:
>>>>
>>>>                     SEVERE: Servlet.service() for servlet
>>>>                     [syncope-core-rest] in context with path
>>>>                     [/syncope] threw exception [Request processing
>>>>                     failed; nested exception is
>>>>                     org.apache.syncope.core.propagation.PropagationException:
>>>>                     Exception during provision on resource Apache
>>>>                     DS resource
>>>>                     [LDAP: error code 68 - Attempt to move entry
>>>>                     onto itself.]] with root cause
>>>>                     org.apache.syncope.core.propagation.PropagationException:
>>>>                     Exception during provision on resource Apache
>>>>                     DS resource
>>>>                     [LDAP: error code 68 - Attempt to move entry
>>>>                     onto itself.]
>>>>                             at
>>>>                     org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
>>>>
>>>>                     So there are potentially two bugs here:
>>>>
>>>>                      a) The error is not reported on the Users
>>>>                     Console screen.
>>>>
>>>>
>>>>                 This is an error for sure.
>>>>
>>>>                      b) User deletion does not appear to be working.
>>>>
>>>>                     I could only delete the user when I removed the
>>>>                     Resource from the user first.
>>>>
>>>>
>>>>                 I suspect that there is some issue when creating
>>>>                 this user on LDAP (possibly an incomplete
>>>>                 mapping?): are you running an embedded environment
>>>>                 with provided test configuration or have you
>>>>                 defined everything from scratch?
>>>>
>>>>
>>>>             Hi Colm,
>>>>             I've just tried your procedure above in the embedded
>>>>             environment and confirmed all you've found.
>>>>
>>>>             Summarizing, I would open the following issues
>>>>             (affecting 1.0.1-incubating and 1.1.0-incubating):
>>>>
>>>>             1. 'Enforce mandatory constraints' is not working
>>>>             firstname is mapped to cn with mandatoryCondition ==
>>>>             'true' on LDAP resource, but Syncope doesn't warn if
>>>>             firstname is not provided
>>>>
>>>>             2. LDAP test connector is not configured for providing
>>>>             status information
>>>>             No conf value is provided for LDAP connector's
>>>>             statusManagementClass
>>>>             Note: this is not a problem itself, and is also the
>>>>             reason why you see the 'undefined icon'; anyway, it
>>>>             would be nice to provide a complete configuration
>>>>
>>>>             3. Could not delete an user with LDAP resource
>>>>             An update operation is issued instead of delete,
>>>>             returning the following exception:
>>>>             17:00:11.708 DEBUG
>>>>             org.identityconnectors.framework.api.operations.UpdateApiOp.update
>>>>             Exception:
>>>>             org.identityconnectors.framework.common.exceptions.ConnectorException:
>>>>             javax.naming.NameAlreadyBoundException: [LDAP: error
>>>>             code 68 - Attempt to move entry onto itself.];
>>>>             remaining name 'uid=pippo4@pippo.it,ou=people,o=isp'
>>>>             [...]
>>>>
>>>>             4. Build reference flows for propagation and
>>>>             synchronization
>>>>             The code behind propagation and synchronization layers
>>>>             is getting bigger and plenty of flow exceptions: a
>>>>             reorganization - backed by some reference flows to be
>>>>             summarized as wiki pages - is needed.
>>>>
>>>>             WDYT?
>>>>
-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Synchronization sanity check

Posted by Colm O hEigeartaigh <co...@apache.org>.
> Correct (I guess): hence the fix should be committed on the 1_0_X branch,
then merged into the trunk, right?
> I'll make the necessary corrections on JIRA.

I normally merge to trunk first and then to older branches - at least this
is the convention used by projects such as Apache CXF.

Colm.

On Tue, Aug 14, 2012 at 2:31 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

>  On 14/08/2012 15.28, Colm O hEigeartaigh wrote:
>
> Thanks Francesco! Two queries on the JIRAs:
>
>  a) Shouldn't the issues also have "1.1.0-incubating" as the fix-for
> version?
>
>
> Correct (I guess): hence the fix should be committed on the 1_0_X branch,
> then merged into the trunk, right?
> I'll make the necessary corrections on JIRA.
>
>
>  b) Is SYNCOPE-186 really suitable for a 1.0.1-incubating release given
> that it is more of a refactor and not a bug as such?
>
>
> Hum, you're right: fixing this as well.
>
> Regards.
>
>
>  On Tue, Aug 14, 2012 at 9:45 AM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>>  On 13/08/2012 18.05, Francesco Chicchiriccò wrote:
>>
>> On 13/08/2012 17.57, Colm O hEigeartaigh wrote:
>>
>> Hi Francesco,
>>
>> Thanks for looking into this! The issues sound good to me - will you open
>> the JIRAs or do you want me to do it?
>>
>>
>> As you prefer.
>>
>>
>>  Done: SYNCOPE-183 SYNCOPE-184 SYNCOPE-185 SYNCOPE-186 and SYNCOPE-187.
>>
>> Regards.
>>
>>
>>  Should we also create a JIRA for the fact that the deletion error is
>> not reported on the users console screen?
>>
>>
>> Ah, forgot this: of course, this is also to be opened, taking also care
>> that all the surrounding conditions are reported.
>>
>> Basic question = Is there an easy way of configuring Syncope (embedded or
>> otherwise) to launch with no pre-existing
>> User/Schema/Connectors/Resources/etc. configured, but with all of the
>> Connectors available? So for example if you just want to launch Syncope in
>> an embedded mode and add your own schemas etc., but without having to
>> manually delete all of the existing schemas/users/etc?
>>
>>
>> Consider that Syncope performs initialization of its own repository when
>> the underlying db is found empty (i.e. always in embedded mode) by loading:
>>  * core/src/test/resources/content.xml (embedded)
>>  * core/src/main/resources/content.xml (real-world)
>>
>> This means that if you want no "User/Schema/Connectors/Resources/etc.",
>> you can just play with the correspondent content.xml in your overlay's
>> sources. This can be done in a couple of ways:
>>  1. edit the XML source file
>>  2. make all configurations via console and then export the customized
>> content with Configuration -> Export DB content
>>
>> Regards.
>>
>>  On Mon, Aug 13, 2012 at 4:27 PM, Francesco Chicchiriccò <
>> ilgrosso@apache.org> wrote:
>>
>>>  On 13/08/2012 16.45, Francesco Chicchiriccò wrote:
>>>
>>>> On 13/08/2012 16.20, Colm O hEigeartaigh wrote:
>>>>
>>>>>
>>>>> Done, thanks. Two other related questions re potential bugs:
>>>>>
>>>>> 1) I created a new user and assigned a (LDAP) Resource. It propagated
>>>>> successfully + I can see the new user in the backend resource. However,
>>>>> when I edit the user in Syncope I see:
>>>>>
>>>>> Syncope Newuser active icon
>>>>> Apache DS resource cn=Newuser,ou=users,ou=system undefined icon
>>>>>
>>>>> Why does an "undefined icon" appear when the propagation was
>>>>> successful?
>>>>>
>>>>
>>>> Could you take a look at the propagation task that was created for this
>>>> operation (create user on LDAP resource)? There should be an execution,
>>>> possibly reporting an error message.
>>>>
>>>> The "undefined icon" means that the LDAP resource did not return any
>>>> status information about that user.
>>>>
>>>> Is your LDAP resource 'propagation primary'? Is enforcing mandatory
>>>> constraints?
>>>>
>>>>  2)  I created a new user and assigned a (LDAP) Resource. It propagated
>>>>> successfully. However if I try to delete in the Syncope users console,
>>>>> nothing happens + no error message appears. Looking at logs I see:
>>>>>
>>>>> 14:27:10.868 WARN  org.springframework.web.client.RestTemplate - GET
>>>>> request for "http://localhost:9080/syncope/rest/user/delete/105"
>>>>> resulted in 400 (Bad Request); invoking error handler
>>>>> 14:27:10.869 WARN  org.apache.wicket.protocol.http.WebSession -
>>>>> Component-targetted feedback message was left unrendered. This could be
>>>>> because you are missing a FeedbackPanel on the page. Message:
>>>>> [FeedbackMessage message = "{[Propagation [Apache DS resource]], }",
>>>>> reporter = listResult, level = ERROR]
>>>>>
>>>>> When I look at the Core log I see:
>>>>>
>>>>> SEVERE: Servlet.service() for servlet [syncope-core-rest] in context
>>>>> with path [/syncope] threw exception [Request processing failed; nested
>>>>> exception is org.apache.syncope.core.propagation.PropagationException:
>>>>> Exception during provision on resource Apache DS resource
>>>>> [LDAP: error code 68 - Attempt to move entry onto itself.]] with root
>>>>> cause
>>>>> org.apache.syncope.core.propagation.PropagationException: Exception
>>>>> during provision on resource Apache DS resource
>>>>> [LDAP: error code 68 - Attempt to move entry onto itself.]
>>>>>         at
>>>>> org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
>>>>>
>>>>> So there are potentially two bugs here:
>>>>>
>>>>>  a) The error is not reported on the Users Console screen.
>>>>>
>>>>
>>>> This is an error for sure.
>>>>
>>>>   b) User deletion does not appear to be working.
>>>>>
>>>>> I could only delete the user when I removed the Resource from the user
>>>>> first.
>>>>>
>>>>
>>>> I suspect that there is some issue when creating this user on LDAP
>>>> (possibly an incomplete mapping?): are you running an embedded environment
>>>> with provided test configuration or have you defined everything from
>>>> scratch?
>>>>
>>>
>>>  Hi Colm,
>>> I've just tried your procedure above in the embedded environment and
>>> confirmed all you've found.
>>>
>>> Summarizing, I would open the following issues (affecting
>>> 1.0.1-incubating and 1.1.0-incubating):
>>>
>>> 1. 'Enforce mandatory constraints' is not working
>>> firstname is mapped to cn with mandatoryCondition == 'true' on LDAP
>>> resource, but Syncope doesn't warn if firstname is not provided
>>>
>>> 2. LDAP test connector is not configured for providing status information
>>> No conf value is provided for LDAP connector's statusManagementClass
>>> Note: this is not a problem itself, and is also the reason why you see
>>> the 'undefined icon'; anyway, it would be nice to provide a complete
>>> configuration
>>>
>>> 3. Could not delete an user with LDAP resource
>>> An update operation is issued instead of delete, returning the following
>>> exception:
>>> 17:00:11.708 DEBUG
>>> org.identityconnectors.framework.api.operations.UpdateApiOp.update
>>> Exception:
>>> org.identityconnectors.framework.common.exceptions.ConnectorException:
>>> javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Attempt to
>>> move entry onto itself.]; remaining name 'uid=pippo4@pippo.it
>>> ,ou=people,o=isp'
>>> [...]
>>>
>>> 4. Build reference flows for propagation and synchronization
>>> The code behind propagation and synchronization layers is getting bigger
>>> and plenty of flow exceptions: a reorganization - backed by some reference
>>> flows to be summarized as wiki pages - is needed.
>>>
>>> WDYT?
>>>
>>      --
> Francesco Chicchiriccò
>
> ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Synchronization sanity check

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 14/08/2012 15.28, Colm O hEigeartaigh wrote:
> Thanks Francesco! Two queries on the JIRAs:
>
>  a) Shouldn't the issues also have "1.1.0-incubating" as the fix-for 
> version?

Correct (I guess): hence the fix should be committed on the 1_0_X 
branch, then merged into the trunk, right?
I'll make the necessary corrections on JIRA.

>  b) Is SYNCOPE-186 really suitable for a 1.0.1-incubating release 
> given that it is more of a refactor and not a bug as such?

Hum, you're right: fixing this as well.

Regards.

> On Tue, Aug 14, 2012 at 9:45 AM, Francesco Chicchiriccò 
> <ilgrosso@apache.org> wrote:
>
>     On 13/08/2012 18.05, Francesco Chicchiriccò wrote:
>>     On 13/08/2012 17.57, Colm O hEigeartaigh wrote:
>>>     Hi Francesco,
>>>
>>>     Thanks for looking into this! The issues sound good to me - will
>>>     you open the JIRAs or do you want me to do it?
>>
>>     As you prefer.
>
>     Done: SYNCOPE-183 SYNCOPE-184 SYNCOPE-185 SYNCOPE-186 and SYNCOPE-187.
>
>     Regards.
>
>
>>>     Should we also create a JIRA for the fact that the deletion
>>>     error is not reported on the users console screen?
>>
>>     Ah, forgot this: of course, this is also to be opened, taking
>>     also care that all the surrounding conditions are reported.
>>
>>>     Basic question = Is there an easy way of configuring Syncope
>>>     (embedded or otherwise) to launch with no pre-existing
>>>     User/Schema/Connectors/Resources/etc. configured, but with all
>>>     of the Connectors available? So for example if you just want to
>>>     launch Syncope in an embedded mode and add your own schemas
>>>     etc., but without having to manually delete all of the existing
>>>     schemas/users/etc?
>>
>>     Consider that Syncope performs initialization of its own
>>     repository when the underlying db is found empty (i.e. always in
>>     embedded mode) by loading:
>>      * core/src/test/resources/content.xml (embedded)
>>      * core/src/main/resources/content.xml (real-world)
>>
>>     This means that if you want no
>>     "User/Schema/Connectors/Resources/etc.", you can just play with
>>     the correspondent content.xml in your overlay's sources. This can
>>     be done in a couple of ways:
>>      1. edit the XML source file
>>      2. make all configurations via console and then export the
>>     customized content with Configuration -> Export DB content
>>
>>     Regards.
>>
>>>     On Mon, Aug 13, 2012 at 4:27 PM, Francesco Chicchiriccò
>>>     <ilgrosso@apache.org> wrote:
>>>
>>>         On 13/08/2012 16.45, Francesco Chicchiriccò wrote:
>>>
>>>             On 13/08/2012 16.20, Colm O hEigeartaigh wrote:
>>>
>>>
>>>                 Done, thanks. Two other related questions re
>>>                 potential bugs:
>>>
>>>                 1) I created a new user and assigned a (LDAP)
>>>                 Resource. It propagated successfully + I can see the
>>>                 new user in the backend resource. However, when I
>>>                 edit the user in Syncope I see:
>>>
>>>                 Syncope Newuser active icon
>>>                 Apache DS resource cn=Newuser,ou=users,ou=system
>>>                 undefined icon
>>>
>>>                 Why does an "undefined icon" appear when the
>>>                 propagation was successful?
>>>
>>>
>>>             Could you take a look at the propagation task that was
>>>             created for this operation (create user on LDAP
>>>             resource)? There should be an execution, possibly
>>>             reporting an error message.
>>>
>>>             The "undefined icon" means that the LDAP resource did
>>>             not return any status information about that user.
>>>
>>>             Is your LDAP resource 'propagation primary'? Is
>>>             enforcing mandatory constraints?
>>>
>>>                 2)  I created a new user and assigned a (LDAP)
>>>                 Resource. It propagated successfully. However if I
>>>                 try to delete in the Syncope users console, nothing
>>>                 happens + no error message appears. Looking at logs
>>>                 I see:
>>>
>>>                 14:27:10.868 WARN
>>>                  org.springframework.web.client.RestTemplate - GET
>>>                 request for
>>>                 "http://localhost:9080/syncope/rest/user/delete/105"
>>>                 resulted in 400 (Bad Request); invoking error handler
>>>                 14:27:10.869 WARN
>>>                  org.apache.wicket.protocol.http.WebSession -
>>>                 Component-targetted feedback message was left
>>>                 unrendered. This could be because you are missing a
>>>                 FeedbackPanel on the page. Message: [FeedbackMessage
>>>                 message = "{[Propagation [Apache DS resource]], }",
>>>                 reporter = listResult, level = ERROR]
>>>
>>>                 When I look at the Core log I see:
>>>
>>>                 SEVERE: Servlet.service() for servlet
>>>                 [syncope-core-rest] in context with path [/syncope]
>>>                 threw exception [Request processing failed; nested
>>>                 exception is
>>>                 org.apache.syncope.core.propagation.PropagationException:
>>>                 Exception during provision on resource Apache DS
>>>                 resource
>>>                 [LDAP: error code 68 - Attempt to move entry onto
>>>                 itself.]] with root cause
>>>                 org.apache.syncope.core.propagation.PropagationException:
>>>                 Exception during provision on resource Apache DS
>>>                 resource
>>>                 [LDAP: error code 68 - Attempt to move entry onto
>>>                 itself.]
>>>                         at
>>>                 org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
>>>
>>>                 So there are potentially two bugs here:
>>>
>>>                  a) The error is not reported on the Users Console
>>>                 screen.
>>>
>>>
>>>             This is an error for sure.
>>>
>>>                  b) User deletion does not appear to be working.
>>>
>>>                 I could only delete the user when I removed the
>>>                 Resource from the user first.
>>>
>>>
>>>             I suspect that there is some issue when creating this
>>>             user on LDAP (possibly an incomplete mapping?): are you
>>>             running an embedded environment with provided test
>>>             configuration or have you defined everything from scratch?
>>>
>>>
>>>         Hi Colm,
>>>         I've just tried your procedure above in the embedded
>>>         environment and confirmed all you've found.
>>>
>>>         Summarizing, I would open the following issues (affecting
>>>         1.0.1-incubating and 1.1.0-incubating):
>>>
>>>         1. 'Enforce mandatory constraints' is not working
>>>         firstname is mapped to cn with mandatoryCondition == 'true'
>>>         on LDAP resource, but Syncope doesn't warn if firstname is
>>>         not provided
>>>
>>>         2. LDAP test connector is not configured for providing
>>>         status information
>>>         No conf value is provided for LDAP connector's
>>>         statusManagementClass
>>>         Note: this is not a problem itself, and is also the reason
>>>         why you see the 'undefined icon'; anyway, it would be nice
>>>         to provide a complete configuration
>>>
>>>         3. Could not delete an user with LDAP resource
>>>         An update operation is issued instead of delete, returning
>>>         the following exception:
>>>         17:00:11.708 DEBUG
>>>         org.identityconnectors.framework.api.operations.UpdateApiOp.update
>>>         Exception:
>>>         org.identityconnectors.framework.common.exceptions.ConnectorException:
>>>         javax.naming.NameAlreadyBoundException: [LDAP: error code 68
>>>         - Attempt to move entry onto itself.]; remaining name
>>>         'uid=pippo4@pippo.it,ou=people,o=isp'
>>>         [...]
>>>
>>>         4. Build reference flows for propagation and synchronization
>>>         The code behind propagation and synchronization layers is
>>>         getting bigger and plenty of flow exceptions: a
>>>         reorganization - backed by some reference flows to be
>>>         summarized as wiki pages - is needed.
>>>
>>>         WDYT?
>>>
-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Synchronization sanity check

Posted by Colm O hEigeartaigh <co...@apache.org>.
Thanks Francesco! Two queries on the JIRAs:

 a) Shouldn't the issues also have "1.1.0-incubating" as the fix-for
version?
 b) Is SYNCOPE-186 really suitable for a 1.0.1-incubating release given
that it is more of a refactor and not a bug as such?

Colm.


On Tue, Aug 14, 2012 at 9:45 AM, Francesco Chicchiriccò <ilgrosso@apache.org
> wrote:

>  On 13/08/2012 18.05, Francesco Chicchiriccò wrote:
>
> On 13/08/2012 17.57, Colm O hEigeartaigh wrote:
>
> Hi Francesco,
>
> Thanks for looking into this! The issues sound good to me - will you open
> the JIRAs or do you want me to do it?
>
>
> As you prefer.
>
>
> Done: SYNCOPE-183 SYNCOPE-184 SYNCOPE-185 SYNCOPE-186 and SYNCOPE-187.
>
> Regards.
>
>
>  Should we also create a JIRA for the fact that the deletion error is not
> reported on the users console screen?
>
>
> Ah, forgot this: of course, this is also to be opened, taking also care
> that all the surrounding conditions are reported.
>
> Basic question = Is there an easy way of configuring Syncope (embedded or
> otherwise) to launch with no pre-existing
> User/Schema/Connectors/Resources/etc. configured, but with all of the
> Connectors available? So for example if you just want to launch Syncope in
> an embedded mode and add your own schemas etc., but without having to
> manually delete all of the existing schemas/users/etc?
>
>
> Consider that Syncope performs initialization of its own repository when
> the underlying db is found empty (i.e. always in embedded mode) by loading:
>  * core/src/test/resources/content.xml (embedded)
>  * core/src/main/resources/content.xml (real-world)
>
> This means that if you want no "User/Schema/Connectors/Resources/etc.",
> you can just play with the correspondent content.xml in your overlay's
> sources. This can be done in a couple of ways:
>  1. edit the XML source file
>  2. make all configurations via console and then export the customized
> content with Configuration -> Export DB content
>
> Regards.
>
>  On Mon, Aug 13, 2012 at 4:27 PM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>>  On 13/08/2012 16.45, Francesco Chicchiriccò wrote:
>>
>>> On 13/08/2012 16.20, Colm O hEigeartaigh wrote:
>>>
>>>>
>>>> Done, thanks. Two other related questions re potential bugs:
>>>>
>>>> 1) I created a new user and assigned a (LDAP) Resource. It propagated
>>>> successfully + I can see the new user in the backend resource. However,
>>>> when I edit the user in Syncope I see:
>>>>
>>>> Syncope Newuser active icon
>>>> Apache DS resource cn=Newuser,ou=users,ou=system undefined icon
>>>>
>>>> Why does an "undefined icon" appear when the propagation was successful?
>>>>
>>>
>>> Could you take a look at the propagation task that was created for this
>>> operation (create user on LDAP resource)? There should be an execution,
>>> possibly reporting an error message.
>>>
>>> The "undefined icon" means that the LDAP resource did not return any
>>> status information about that user.
>>>
>>> Is your LDAP resource 'propagation primary'? Is enforcing mandatory
>>> constraints?
>>>
>>>  2)  I created a new user and assigned a (LDAP) Resource. It propagated
>>>> successfully. However if I try to delete in the Syncope users console,
>>>> nothing happens + no error message appears. Looking at logs I see:
>>>>
>>>> 14:27:10.868 WARN  org.springframework.web.client.RestTemplate - GET
>>>> request for "http://localhost:9080/syncope/rest/user/delete/105"
>>>> resulted in 400 (Bad Request); invoking error handler
>>>> 14:27:10.869 WARN  org.apache.wicket.protocol.http.WebSession -
>>>> Component-targetted feedback message was left unrendered. This could be
>>>> because you are missing a FeedbackPanel on the page. Message:
>>>> [FeedbackMessage message = "{[Propagation [Apache DS resource]], }",
>>>> reporter = listResult, level = ERROR]
>>>>
>>>> When I look at the Core log I see:
>>>>
>>>> SEVERE: Servlet.service() for servlet [syncope-core-rest] in context
>>>> with path [/syncope] threw exception [Request processing failed; nested
>>>> exception is org.apache.syncope.core.propagation.PropagationException:
>>>> Exception during provision on resource Apache DS resource
>>>> [LDAP: error code 68 - Attempt to move entry onto itself.]] with root
>>>> cause
>>>> org.apache.syncope.core.propagation.PropagationException: Exception
>>>> during provision on resource Apache DS resource
>>>> [LDAP: error code 68 - Attempt to move entry onto itself.]
>>>>         at
>>>> org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
>>>>
>>>> So there are potentially two bugs here:
>>>>
>>>>  a) The error is not reported on the Users Console screen.
>>>>
>>>
>>> This is an error for sure.
>>>
>>>   b) User deletion does not appear to be working.
>>>>
>>>> I could only delete the user when I removed the Resource from the user
>>>> first.
>>>>
>>>
>>> I suspect that there is some issue when creating this user on LDAP
>>> (possibly an incomplete mapping?): are you running an embedded environment
>>> with provided test configuration or have you defined everything from
>>> scratch?
>>>
>>
>>  Hi Colm,
>> I've just tried your procedure above in the embedded environment and
>> confirmed all you've found.
>>
>> Summarizing, I would open the following issues (affecting
>> 1.0.1-incubating and 1.1.0-incubating):
>>
>> 1. 'Enforce mandatory constraints' is not working
>> firstname is mapped to cn with mandatoryCondition == 'true' on LDAP
>> resource, but Syncope doesn't warn if firstname is not provided
>>
>> 2. LDAP test connector is not configured for providing status information
>> No conf value is provided for LDAP connector's statusManagementClass
>> Note: this is not a problem itself, and is also the reason why you see
>> the 'undefined icon'; anyway, it would be nice to provide a complete
>> configuration
>>
>> 3. Could not delete an user with LDAP resource
>> An update operation is issued instead of delete, returning the following
>> exception:
>> 17:00:11.708 DEBUG
>> org.identityconnectors.framework.api.operations.UpdateApiOp.update
>> Exception:
>> org.identityconnectors.framework.common.exceptions.ConnectorException:
>> javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Attempt to
>> move entry onto itself.]; remaining name 'uid=pippo4@pippo.it
>> ,ou=people,o=isp'
>> [...]
>>
>> 4. Build reference flows for propagation and synchronization
>> The code behind propagation and synchronization layers is getting bigger
>> and plenty of flow exceptions: a reorganization - backed by some reference
>> flows to be summarized as wiki pages - is needed.
>>
>> WDYT?
>>
>   --
> Francesco Chicchiriccò
>
> ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Synchronization sanity check

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 13/08/2012 18.05, Francesco Chicchiriccò wrote:
> On 13/08/2012 17.57, Colm O hEigeartaigh wrote:
>> Hi Francesco,
>>
>> Thanks for looking into this! The issues sound good to me - will you 
>> open the JIRAs or do you want me to do it?
>
> As you prefer.

Done: SYNCOPE-183 SYNCOPE-184 SYNCOPE-185 SYNCOPE-186 and SYNCOPE-187.

Regards.

>> Should we also create a JIRA for the fact that the deletion error is 
>> not reported on the users console screen?
>
> Ah, forgot this: of course, this is also to be opened, taking also 
> care that all the surrounding conditions are reported.
>
>> Basic question = Is there an easy way of configuring Syncope 
>> (embedded or otherwise) to launch with no pre-existing 
>> User/Schema/Connectors/Resources/etc. configured, but with all of the 
>> Connectors available? So for example if you just want to launch 
>> Syncope in an embedded mode and add your own schemas etc., but 
>> without having to manually delete all of the existing schemas/users/etc?
>
> Consider that Syncope performs initialization of its own repository 
> when the underlying db is found empty (i.e. always in embedded mode) 
> by loading:
>  * core/src/test/resources/content.xml (embedded)
>  * core/src/main/resources/content.xml (real-world)
>
> This means that if you want no 
> "User/Schema/Connectors/Resources/etc.", you can just play with the 
> correspondent content.xml in your overlay's sources. This can be done 
> in a couple of ways:
>  1. edit the XML source file
>  2. make all configurations via console and then export the customized 
> content with Configuration -> Export DB content
>
> Regards.
>
>> On Mon, Aug 13, 2012 at 4:27 PM, Francesco Chicchiriccò 
>> <ilgrosso@apache.org> wrote:
>>
>>     On 13/08/2012 16.45, Francesco Chicchiriccò wrote:
>>
>>         On 13/08/2012 16.20, Colm O hEigeartaigh wrote:
>>
>>
>>             Done, thanks. Two other related questions re potential bugs:
>>
>>             1) I created a new user and assigned a (LDAP) Resource.
>>             It propagated successfully + I can see the new user in
>>             the backend resource. However, when I edit the user in
>>             Syncope I see:
>>
>>             Syncope Newuser active icon
>>             Apache DS resource cn=Newuser,ou=users,ou=system
>>             undefined icon
>>
>>             Why does an "undefined icon" appear when the propagation
>>             was successful?
>>
>>
>>         Could you take a look at the propagation task that was
>>         created for this operation (create user on LDAP resource)?
>>         There should be an execution, possibly reporting an error
>>         message.
>>
>>         The "undefined icon" means that the LDAP resource did not
>>         return any status information about that user.
>>
>>         Is your LDAP resource 'propagation primary'? Is enforcing
>>         mandatory constraints?
>>
>>             2)  I created a new user and assigned a (LDAP) Resource.
>>             It propagated successfully. However if I try to delete in
>>             the Syncope users console, nothing happens + no error
>>             message appears. Looking at logs I see:
>>
>>             14:27:10.868 WARN
>>              org.springframework.web.client.RestTemplate - GET
>>             request for
>>             "http://localhost:9080/syncope/rest/user/delete/105"
>>             resulted in 400 (Bad Request); invoking error handler
>>             14:27:10.869 WARN
>>              org.apache.wicket.protocol.http.WebSession -
>>             Component-targetted feedback message was left unrendered.
>>             This could be because you are missing a FeedbackPanel on
>>             the page. Message: [FeedbackMessage message =
>>             "{[Propagation [Apache DS resource]], }", reporter =
>>             listResult, level = ERROR]
>>
>>             When I look at the Core log I see:
>>
>>             SEVERE: Servlet.service() for servlet [syncope-core-rest]
>>             in context with path [/syncope] threw exception [Request
>>             processing failed; nested exception is
>>             org.apache.syncope.core.propagation.PropagationException:
>>             Exception during provision on resource Apache DS resource
>>             [LDAP: error code 68 - Attempt to move entry onto
>>             itself.]] with root cause
>>             org.apache.syncope.core.propagation.PropagationException:
>>             Exception during provision on resource Apache DS resource
>>             [LDAP: error code 68 - Attempt to move entry onto itself.]
>>                     at
>>             org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
>>
>>             So there are potentially two bugs here:
>>
>>              a) The error is not reported on the Users Console screen.
>>
>>
>>         This is an error for sure.
>>
>>              b) User deletion does not appear to be working.
>>
>>             I could only delete the user when I removed the Resource
>>             from the user first.
>>
>>
>>         I suspect that there is some issue when creating this user on
>>         LDAP (possibly an incomplete mapping?): are you running an
>>         embedded environment with provided test configuration or have
>>         you defined everything from scratch?
>>
>>
>>     Hi Colm,
>>     I've just tried your procedure above in the embedded environment
>>     and confirmed all you've found.
>>
>>     Summarizing, I would open the following issues (affecting
>>     1.0.1-incubating and 1.1.0-incubating):
>>
>>     1. 'Enforce mandatory constraints' is not working
>>     firstname is mapped to cn with mandatoryCondition == 'true' on
>>     LDAP resource, but Syncope doesn't warn if firstname is not provided
>>
>>     2. LDAP test connector is not configured for providing status
>>     information
>>     No conf value is provided for LDAP connector's statusManagementClass
>>     Note: this is not a problem itself, and is also the reason why
>>     you see the 'undefined icon'; anyway, it would be nice to provide
>>     a complete configuration
>>
>>     3. Could not delete an user with LDAP resource
>>     An update operation is issued instead of delete, returning the
>>     following exception:
>>     17:00:11.708 DEBUG
>>     org.identityconnectors.framework.api.operations.UpdateApiOp.update Exception:
>>     org.identityconnectors.framework.common.exceptions.ConnectorException:
>>     javax.naming.NameAlreadyBoundException: [LDAP: error code 68 -
>>     Attempt to move entry onto itself.]; remaining name
>>     'uid=pippo4@pippo.it,ou=people,o=isp'
>>     [...]
>>
>>     4. Build reference flows for propagation and synchronization
>>     The code behind propagation and synchronization layers is getting
>>     bigger and plenty of flow exceptions: a reorganization - backed
>>     by some reference flows to be summarized as wiki pages - is needed.
>>
>>     WDYT?
>>
-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Synchronization sanity check

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 13/08/2012 17.57, Colm O hEigeartaigh wrote:
> Hi Francesco,
>
> Thanks for looking into this! The issues sound good to me - will you 
> open the JIRAs or do you want me to do it?

As you prefer.

> Should we also create a JIRA for the fact that the deletion error is 
> not reported on the users console screen?

Ah, forgot this: of course, this is also to be opened, taking also care 
that all the surrounding conditions are reported.

> Basic question = Is there an easy way of configuring Syncope (embedded 
> or otherwise) to launch with no pre-existing 
> User/Schema/Connectors/Resources/etc. configured, but with all of the 
> Connectors available? So for example if you just want to launch 
> Syncope in an embedded mode and add your own schemas etc., but without 
> having to manually delete all of the existing schemas/users/etc?

Consider that Syncope performs initialization of its own repository when 
the underlying db is found empty (i.e. always in embedded mode) by loading:
  * core/src/test/resources/content.xml (embedded)
  * core/src/main/resources/content.xml (real-world)

This means that if you want no "User/Schema/Connectors/Resources/etc.", 
you can just play with the correspondent content.xml in your overlay's 
sources. This can be done in a couple of ways:
  1. edit the XML source file
  2. make all configurations via console and then export the customized 
content with Configuration -> Export DB content

Regards.

> On Mon, Aug 13, 2012 at 4:27 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org> wrote:
>
>     On 13/08/2012 16.45, Francesco Chicchiriccò wrote:
>
>         On 13/08/2012 16.20, Colm O hEigeartaigh wrote:
>
>
>             Done, thanks. Two other related questions re potential bugs:
>
>             1) I created a new user and assigned a (LDAP) Resource. It
>             propagated successfully + I can see the new user in the
>             backend resource. However, when I edit the user in Syncope
>             I see:
>
>             Syncope Newuser active icon
>             Apache DS resource cn=Newuser,ou=users,ou=system undefined
>             icon
>
>             Why does an "undefined icon" appear when the propagation
>             was successful?
>
>
>         Could you take a look at the propagation task that was created
>         for this operation (create user on LDAP resource)? There
>         should be an execution, possibly reporting an error message.
>
>         The "undefined icon" means that the LDAP resource did not
>         return any status information about that user.
>
>         Is your LDAP resource 'propagation primary'? Is enforcing
>         mandatory constraints?
>
>             2)  I created a new user and assigned a (LDAP) Resource.
>             It propagated successfully. However if I try to delete in
>             the Syncope users console, nothing happens + no error
>             message appears. Looking at logs I see:
>
>             14:27:10.868 WARN
>              org.springframework.web.client.RestTemplate - GET request
>             for "http://localhost:9080/syncope/rest/user/delete/105"
>             resulted in 400 (Bad Request); invoking error handler
>             14:27:10.869 WARN
>              org.apache.wicket.protocol.http.WebSession -
>             Component-targetted feedback message was left unrendered.
>             This could be because you are missing a FeedbackPanel on
>             the page. Message: [FeedbackMessage message =
>             "{[Propagation [Apache DS resource]], }", reporter =
>             listResult, level = ERROR]
>
>             When I look at the Core log I see:
>
>             SEVERE: Servlet.service() for servlet [syncope-core-rest]
>             in context with path [/syncope] threw exception [Request
>             processing failed; nested exception is
>             org.apache.syncope.core.propagation.PropagationException:
>             Exception during provision on resource Apache DS resource
>             [LDAP: error code 68 - Attempt to move entry onto
>             itself.]] with root cause
>             org.apache.syncope.core.propagation.PropagationException:
>             Exception during provision on resource Apache DS resource
>             [LDAP: error code 68 - Attempt to move entry onto itself.]
>                     at
>             org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
>
>             So there are potentially two bugs here:
>
>              a) The error is not reported on the Users Console screen.
>
>
>         This is an error for sure.
>
>              b) User deletion does not appear to be working.
>
>             I could only delete the user when I removed the Resource
>             from the user first.
>
>
>         I suspect that there is some issue when creating this user on
>         LDAP (possibly an incomplete mapping?): are you running an
>         embedded environment with provided test configuration or have
>         you defined everything from scratch?
>
>
>     Hi Colm,
>     I've just tried your procedure above in the embedded environment
>     and confirmed all you've found.
>
>     Summarizing, I would open the following issues (affecting
>     1.0.1-incubating and 1.1.0-incubating):
>
>     1. 'Enforce mandatory constraints' is not working
>     firstname is mapped to cn with mandatoryCondition == 'true' on
>     LDAP resource, but Syncope doesn't warn if firstname is not provided
>
>     2. LDAP test connector is not configured for providing status
>     information
>     No conf value is provided for LDAP connector's statusManagementClass
>     Note: this is not a problem itself, and is also the reason why you
>     see the 'undefined icon'; anyway, it would be nice to provide a
>     complete configuration
>
>     3. Could not delete an user with LDAP resource
>     An update operation is issued instead of delete, returning the
>     following exception:
>     17:00:11.708 DEBUG
>     org.identityconnectors.framework.api.operations.UpdateApiOp.update
>     Exception:
>     org.identityconnectors.framework.common.exceptions.ConnectorException:
>     javax.naming.NameAlreadyBoundException: [LDAP: error code 68 -
>     Attempt to move entry onto itself.]; remaining name
>     'uid=pippo4@pippo.it,ou=people,o=isp'
>     [...]
>
>     4. Build reference flows for propagation and synchronization
>     The code behind propagation and synchronization layers is getting
>     bigger and plenty of flow exceptions: a reorganization - backed by
>     some reference flows to be summarized as wiki pages - is needed.
>
>     WDYT?
>
-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Synchronization sanity check

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Francesco,

Thanks for looking into this! The issues sound good to me - will you open
the JIRAs or do you want me to do it? Should we also create a JIRA for the
fact that the deletion error is not reported on the users console screen?

Basic question = Is there an easy way of configuring Syncope (embedded or
otherwise) to launch with no pre-existing
User/Schema/Connectors/Resources/etc. configured, but with all of the
Connectors available? So for example if you just want to launch Syncope in
an embedded mode and add your own schemas etc., but without having to
manually delete all of the existing schemas/users/etc?

Colm.

On Mon, Aug 13, 2012 at 4:27 PM, Francesco Chicchiriccò <ilgrosso@apache.org
> wrote:

> On 13/08/2012 16.45, Francesco Chicchiriccò wrote:
>
>> On 13/08/2012 16.20, Colm O hEigeartaigh wrote:
>>
>>>
>>> Done, thanks. Two other related questions re potential bugs:
>>>
>>> 1) I created a new user and assigned a (LDAP) Resource. It propagated
>>> successfully + I can see the new user in the backend resource. However,
>>> when I edit the user in Syncope I see:
>>>
>>> Syncope Newuser active icon
>>> Apache DS resource cn=Newuser,ou=users,ou=system undefined icon
>>>
>>> Why does an "undefined icon" appear when the propagation was successful?
>>>
>>
>> Could you take a look at the propagation task that was created for this
>> operation (create user on LDAP resource)? There should be an execution,
>> possibly reporting an error message.
>>
>> The "undefined icon" means that the LDAP resource did not return any
>> status information about that user.
>>
>> Is your LDAP resource 'propagation primary'? Is enforcing mandatory
>> constraints?
>>
>>  2)  I created a new user and assigned a (LDAP) Resource. It propagated
>>> successfully. However if I try to delete in the Syncope users console,
>>> nothing happens + no error message appears. Looking at logs I see:
>>>
>>> 14:27:10.868 WARN  org.springframework.web.client.RestTemplate - GET
>>> request for "http://localhost:9080/syncope/rest/user/delete/105"
>>> resulted in 400 (Bad Request); invoking error handler
>>> 14:27:10.869 WARN  org.apache.wicket.protocol.http.WebSession -
>>> Component-targetted feedback message was left unrendered. This could be
>>> because you are missing a FeedbackPanel on the page. Message:
>>> [FeedbackMessage message = "{[Propagation [Apache DS resource]], }",
>>> reporter = listResult, level = ERROR]
>>>
>>> When I look at the Core log I see:
>>>
>>> SEVERE: Servlet.service() for servlet [syncope-core-rest] in context
>>> with path [/syncope] threw exception [Request processing failed; nested
>>> exception is org.apache.syncope.core.propagation.PropagationException:
>>> Exception during provision on resource Apache DS resource
>>> [LDAP: error code 68 - Attempt to move entry onto itself.]] with root
>>> cause
>>> org.apache.syncope.core.propagation.PropagationException: Exception
>>> during provision on resource Apache DS resource
>>> [LDAP: error code 68 - Attempt to move entry onto itself.]
>>>         at
>>> org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
>>>
>>> So there are potentially two bugs here:
>>>
>>>  a) The error is not reported on the Users Console screen.
>>>
>>
>> This is an error for sure.
>>
>>   b) User deletion does not appear to be working.
>>>
>>> I could only delete the user when I removed the Resource from the user
>>> first.
>>>
>>
>> I suspect that there is some issue when creating this user on LDAP
>> (possibly an incomplete mapping?): are you running an embedded environment
>> with provided test configuration or have you defined everything from
>> scratch?
>>
>
> Hi Colm,
> I've just tried your procedure above in the embedded environment and
> confirmed all you've found.
>
> Summarizing, I would open the following issues (affecting 1.0.1-incubating
> and 1.1.0-incubating):
>
> 1. 'Enforce mandatory constraints' is not working
> firstname is mapped to cn with mandatoryCondition == 'true' on LDAP
> resource, but Syncope doesn't warn if firstname is not provided
>
> 2. LDAP test connector is not configured for providing status information
> No conf value is provided for LDAP connector's statusManagementClass
> Note: this is not a problem itself, and is also the reason why you see the
> 'undefined icon'; anyway, it would be nice to provide a complete
> configuration
>
> 3. Could not delete an user with LDAP resource
> An update operation is issued instead of delete, returning the following
> exception:
> 17:00:11.708 DEBUG org.identityconnectors.framework.api.operations.UpdateApiOp.update
> Exception:
> org.identityconnectors.framework.common.exceptions.ConnectorException:
> javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Attempt
> to move entry onto itself.]; remaining name 'uid=pippo4@pippo.it,ou=people,o=isp'
> [...]
>
> 4. Build reference flows for propagation and synchronization
> The code behind propagation and synchronization layers is getting bigger
> and plenty of flow exceptions: a reorganization - backed by some reference
> flows to be summarized as wiki pages - is needed.
>
> WDYT?
>
> --
> Francesco Chicchiriccò
>
>
> ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
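
[Added example, not part of the thread and not Syncope code.] The deletion failure discussed above is invisible in the console UI, so an account can stay on the LDAP resource without the operator noticing; the sketch below finds such cases from the two logs quoted in the thread. The sample log text is constructed from those quoted lines (unwrapped to one event per line), and the function names and the 100 ms pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the console log lines quoted in the thread.
# The third line (a successful delete of user 106) is invented for contrast.
CONSOLE_LOG = """\
14:27:10.868 WARN  org.springframework.web.client.RestTemplate - GET request for "http://localhost:9080/syncope/rest/user/delete/105" resulted in 400 (Bad Request); invoking error handler
14:27:10.869 WARN  org.apache.wicket.protocol.http.WebSession - Component-targetted feedback message was left unrendered. This could be because you are missing a FeedbackPanel on the page. Message: [FeedbackMessage message = "{[Propagation [Apache DS resource]], }", reporter = listResult, level = ERROR]
14:31:02.120 DEBUG org.springframework.web.client.RestTemplate - GET request for "http://localhost:9080/syncope/rest/user/delete/106" resulted in 200 (OK)
"""

# Constructed sample, modelled on the core log excerpt quoted in the thread.
CORE_LOG = """\
SEVERE: Servlet.service() for servlet [syncope-core-rest] in context with path [/syncope] threw exception [Request processing failed; nested exception is org.apache.syncope.core.propagation.PropagationException: Exception during provision on resource Apache DS resource
[LDAP: error code 68 - Attempt to move entry onto itself.]] with root cause
org.apache.syncope.core.propagation.PropagationException: Exception during provision on resource Apache DS resource
[LDAP: error code 68 - Attempt to move entry onto itself.]
"""

TS = r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})"
# Console-side REST call that asks the core to delete a user.
DELETE_RE = re.compile(
    r"^" + TS + r"\s+\w+\s+\S*RestTemplate - GET request for "
    r'"[^"]*/rest/user/delete/(?P<uid>\d+)" resulted in (?P<status>\d{3}) '
)
# Wicket warning that an ERROR feedback message was never shown to the operator.
UNRENDERED_RE = re.compile(
    r"^" + TS + r"\s+\w+\s+\S*WebSession - .*left unrendered"
    r'.*message = "(?P<msg>[^"]*)".*level = ERROR'
)
RESOURCE_RE = re.compile(r"Propagation \[([^\]]+)\]")
LDAP_RE = re.compile(r"\[LDAP: error code (\d+) - ([^\]]+)\]")


def _ts(text):
    """Parse the HH:MM:SS.mmm prefix used in the console log."""
    return datetime.strptime(text, "%H:%M:%S.%f")


def failed_deletes(console_log, window=timedelta(milliseconds=100)):
    """Return one finding per user-delete request that got an HTTP error.

    A finding is marked feedback_unrendered when an unrendered ERROR
    feedback message follows within `window`, i.e. the operator saw
    nothing although the delete did not go through.
    """
    findings = []
    for line in console_log.splitlines():
        m = DELETE_RE.match(line)
        if m:
            if int(m["status"]) >= 400:
                findings.append({
                    "user_id": int(m["uid"]),
                    "status": int(m["status"]),
                    "time": m["ts"],
                    "resources": [],
                    "feedback_unrendered": False,
                })
            continue
        m = UNRENDERED_RE.match(line)
        if m and findings:
            last = findings[-1]
            delta = _ts(m["ts"]) - _ts(last["time"])
            if timedelta(0) <= delta <= window:
                # Resources named in the propagation error the UI swallowed.
                last["resources"] = RESOURCE_RE.findall(m["msg"])
                last["feedback_unrendered"] = True
    return findings


def ldap_result_codes(core_log):
    """Map each LDAP result code seen in the core log to its message text.

    Code 68 is entryAlreadyExists in RFC 4511.
    """
    return {int(code): text for code, text in LDAP_RE.findall(core_log)}


if __name__ == "__main__":
    for finding in failed_deletes(CONSOLE_LOG):
        print(finding)
    print(ldap_result_codes(CORE_LOG))
```

Each finding with feedback_unrendered set is a user that should be checked on the listed resources, since the account is still present there.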

Re: Synchronization sanity check

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 13/08/2012 16.45, Francesco Chicchiriccò wrote:
> On 13/08/2012 16.20, Colm O hEigeartaigh wrote:
>>
>> Done, thanks. Two other related questions re potential bugs:
>>
>> 1) I created a new user and assigned a (LDAP) Resource. It propagated 
>> successfully + I can see the new user in the backend resource. 
>> However, when I edit the user in Syncope I see:
>>
>> Syncope Newuser active icon
>> Apache DS resource cn=Newuser,ou=users,ou=system undefined icon
>>
>> Why does an "undefined icon" appear when the propagation was successful?
>
> Could you take a look at the propagation task that was created for 
> this operation (create user on LDAP resource)? There should be an 
> execution, possibly reporting an error message.
>
> The "undefined icon" means that the LDAP resource did not return any 
> status information about that user.
>
> Is your LDAP resource 'propagation primary'? Is enforcing mandatory 
> constraints?
>
>> 2)  I created a new user and assigned a (LDAP) Resource. It 
>> propagated successfully. However if I try to delete in the Syncope 
>> users console, nothing happens + no error message appears. Looking at 
>> logs I see:
>>
>> 14:27:10.868 WARN  org.springframework.web.client.RestTemplate - GET 
>> request for "http://localhost:9080/syncope/rest/user/delete/105" 
>> resulted in 400 (Bad Request); invoking error handler
>> 14:27:10.869 WARN  org.apache.wicket.protocol.http.WebSession - 
>> Component-targetted feedback message was left unrendered. This could 
>> be because you are missing a FeedbackPanel on the page. Message: 
>> [FeedbackMessage message = "{[Propagation [Apache DS resource]], }", 
>> reporter = listResult, level = ERROR]
>>
>> When I look at the Core log I see:
>>
>> SEVERE: Servlet.service() for servlet [syncope-core-rest] in context 
>> with path [/syncope] threw exception [Request processing failed; 
>> nested exception is 
>> org.apache.syncope.core.propagation.PropagationException: Exception 
>> during provision on resource Apache DS resource
>> [LDAP: error code 68 - Attempt to move entry onto itself.]] with root 
>> cause
>> org.apache.syncope.core.propagation.PropagationException: Exception 
>> during provision on resource Apache DS resource
>> [LDAP: error code 68 - Attempt to move entry onto itself.]
>>         at 
>> org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
>>
>> So there are potentially two bugs here:
>>
>>  a) The error is not reported on the Users Console screen.
>
> This is an error for sure.
>
>>  b) User deletion does not appear to be working.
>>
>> I could only delete the user when I removed the Resource from the 
>> user first.
>
> I suspect that there is some issue when creating this user on LDAP 
> (possibly an incomplete mapping?): are you running an embedded 
> environment with provided test configuration or have you defined 
> everything from scratch?

Hi Colm,
I've just tried your procedure above in the embedded environment and 
confirmed all you've found.

Summarizing, I would open the following issues (affecting 
1.0.1-incubating and 1.1.0-incubating):

1. 'Enforce mandatory constraints' is not working
firstname is mapped to cn with mandatoryCondition == 'true' on LDAP 
resource, but Syncope doesn't warn if firstname is not provided

2. LDAP test connector is not configured for providing status information
No conf value is provided for LDAP connector's statusManagementClass
Note: this is not a problem itself, and is also the reason why you see 
the 'undefined icon'; anyway, it would be nice to provide a complete 
configuration

3. Could not delete a user with LDAP resource
An update operation is issued instead of delete, returning the following 
exception:
17:00:11.708 DEBUG 
org.identityconnectors.framework.api.operations.UpdateApiOp.update 
Exception:
org.identityconnectors.framework.common.exceptions.ConnectorException: 
javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Attempt 
to move entry onto itself.]; remaining name 
'uid=pippo4@pippo.it,ou=people,o=isp'
[...]

4. Build reference flows for propagation and synchronization
The code behind propagation and synchronization layers is getting bigger 
and plenty of flow exceptions: a reorganization - backed by some 
reference flows to be summarized as wiki pages - is needed.

WDYT?

-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Synchronization sanity check

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 13/08/2012 16.20, Colm O hEigeartaigh wrote:
>
> Done, thanks. Two other related questions re potential bugs:
>
> 1) I created a new user and assigned a (LDAP) Resource. It propagated 
> successfully + I can see the new user in the backend resource. 
> However, when I edit the user in Syncope I see:
>
> Syncope Newuser active icon
> Apache DS resource cn=Newuser,ou=users,ou=system undefined icon
>
> Why does an "undefined icon" appear when the propagation was successful?

Could you take a look at the propagation task that was created for this 
operation (create user on LDAP resource)? There should be an execution, 
possibly reporting an error message.

The "undefined icon" means that the LDAP resource did not return any 
status information about that user.

Is your LDAP resource 'propagation primary'? Is enforcing mandatory 
constraints?

> 2)  I created a new user and assigned a (LDAP) Resource. It propagated 
> successfully. However if I try to delete in the Syncope users console, 
> nothing happens + no error message appears. Looking at logs I see:
>
> 14:27:10.868 WARN  org.springframework.web.client.RestTemplate - GET 
> request for "http://localhost:9080/syncope/rest/user/delete/105" 
> resulted in 400 (Bad Request); invoking error handler
> 14:27:10.869 WARN  org.apache.wicket.protocol.http.WebSession - 
> Component-targetted feedback message was left unrendered. This could 
> be because you are missing a FeedbackPanel on the page. Message: 
> [FeedbackMessage message = "{[Propagation [Apache DS resource]], }", 
> reporter = listResult, level = ERROR]
>
> When I look at the Core log I see:
>
> SEVERE: Servlet.service() for servlet [syncope-core-rest] in context 
> with path [/syncope] threw exception [Request processing failed; 
> nested exception is 
> org.apache.syncope.core.propagation.PropagationException: Exception 
> during provision on resource Apache DS resource
> [LDAP: error code 68 - Attempt to move entry onto itself.]] with root 
> cause
> org.apache.syncope.core.propagation.PropagationException: Exception 
> during provision on resource Apache DS resource
> [LDAP: error code 68 - Attempt to move entry onto itself.]
>         at 
> org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
>
> So there are potentially two bugs here:
>
>  a) The error is not reported on the Users Console screen.

This is an error for sure.

>  b) User deletion does not appear to be working.
>
> I could only delete the user when I removed the Resource from the user 
> first.

I suspect that there is some issue when creating this user on LDAP 
(possibly an incomplete mapping?): are you running an embedded 
environment with provided test configuration or have you defined 
everything from scratch?

Regards.

-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Synchronization sanity check

Posted by Colm O hEigeartaigh <co...@apache.org>.
Done, thanks. Two other related questions re potential bugs:

1) I created a new user and assigned a (LDAP) Resource. It propagated
successfully + I can see the new user in the backend resource. However,
when I edit the user in Syncope I see:

Syncope Newuser active icon
Apache DS resource cn=Newuser,ou=users,ou=system undefined icon

Why does an "undefined icon" appear when the propagation was successful?

2)  I created a new user and assigned a (LDAP) Resource. It propagated
successfully. However if I try to delete in the Syncope users console,
nothing happens + no error message appears. Looking at logs I see:

14:27:10.868 WARN  org.springframework.web.client.RestTemplate - GET
request for "http://localhost:9080/syncope/rest/user/delete/105" resulted
in 400 (Bad Request); invoking error handler
14:27:10.869 WARN  org.apache.wicket.protocol.http.WebSession -
Component-targetted feedback message was left unrendered. This could be
because you are missing a FeedbackPanel on the page.  Message:
[FeedbackMessage message = "{[Propagation [Apache DS resource]], }",
reporter = listResult, level = ERROR]

When I look at the Core log I see:

SEVERE: Servlet.service() for servlet [syncope-core-rest] in context with
path [/syncope] threw exception [Request processing failed; nested
exception is org.apache.syncope.core.propagation.PropagationException:
Exception during provision on resource Apache DS resource
[LDAP: error code 68 - Attempt to move entry onto itself.]] with root cause
org.apache.syncope.core.propagation.PropagationException: Exception during
provision on resource Apache DS resource
[LDAP: error code 68 - Attempt to move entry onto itself.]
        at
org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)

So there are potentially two bugs here:

 a) The error is not reported on the Users Console screen.
 b) User deletion does not appear to be working.

I could only delete the user when I removed the Resource from the user
first.

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
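
Added example (not part of the original message, and not Syncope code): a Python sketch that unwraps the two log excerpts above and ties the failed delete request to the propagation error that the console never displayed. The log text is constructed from the excerpts in the message; the function and field names are hypothetical.

```python
import re

# Constructed sample: the console and core log excerpts quoted in the message
# above, hard-wrapped the way the mail client wrapped them.
CONSOLE_LOG = """\
14:27:10.868 WARN  org.springframework.web.client.RestTemplate - GET
request for "http://localhost:9080/syncope/rest/user/delete/105" resulted
in 400 (Bad Request); invoking error handler
14:27:10.869 WARN  org.apache.wicket.protocol.http.WebSession -
Component-targetted feedback message was left unrendered. This could be
because you are missing a FeedbackPanel on the page.  Message:
[FeedbackMessage message = "{[Propagation [Apache DS resource]], }",
reporter = listResult, level = ERROR]
"""

CORE_LOG = """\
SEVERE: Servlet.service() for servlet [syncope-core-rest] in context with
path [/syncope] threw exception [Request processing failed; nested
exception is org.apache.syncope.core.propagation.PropagationException:
Exception during provision on resource Apache DS resource
[LDAP: error code 68 - Attempt to move entry onto itself.]] with root cause
org.apache.syncope.core.propagation.PropagationException: Exception during
provision on resource Apache DS resource
[LDAP: error code 68 - Attempt to move entry onto itself.]
        at
org.apache.syncope.core.propagation.PropagationManager.execute(PropagationManager.java:577)
"""

# A record starts with a console timestamp or a java.util.logging level prefix.
RECORD_START = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d{3} [A-Z]+ |(SEVERE|WARNING|INFO): )")
DELETE_FAILED = re.compile(
    r'^(\S+) .*request for "[^"]*/rest/user/delete/(\d+)" resulted in ([45]\d\d)\b')
UNRENDERED = re.compile(
    r"feedback message was left unrendered.*\[Propagation \[([^\]]+)\]\]")
PROPAGATION = re.compile(
    r"PropagationException: Exception during provision on resource (.+?) "
    r"\[LDAP: error code (\d+) - ([^\]]+)\]")

# LDAP result code names (RFC 4511); only the code seen in this thread.
LDAP_RESULT_NAMES = {68: "entryAlreadyExists"}


def unwrap(text):
    """Join hard-wrapped continuation lines back into one record per event."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def silent_delete_failures(console_text, core_text):
    """Correlate failed user deletes with the propagation error behind them."""
    # Core log: resource name -> (LDAP result code, server message).
    ldap_errors = {}
    for record in unwrap(core_text):
        for resource, code, message in PROPAGATION.findall(record):
            ldap_errors[resource] = (int(code), message)

    findings, pending = [], None
    for record in unwrap(console_text):
        failed = DELETE_FAILED.match(record)
        if failed:
            pending = {
                "time": failed.group(1),
                "user_id": int(failed.group(2)),
                "http_status": int(failed.group(3)),
                "resource": None,
                "ldap_code": None,
                "ldap_result": None,
                "ldap_message": None,
                "error_rendered": None,  # unknown until a feedback record follows
            }
            findings.append(pending)
            continue
        unrendered = UNRENDERED.search(record)
        if unrendered and pending is not None:
            resource = unrendered.group(1)
            code, message = ldap_errors.get(resource, (None, None))
            pending.update(
                resource=resource,
                ldap_code=code,
                ldap_result=LDAP_RESULT_NAMES.get(code),
                ldap_message=message,
                error_rendered=False,  # the console logged it, never showed it
            )
        pending = None
    return findings


if __name__ == "__main__":
    for finding in silent_delete_failures(CONSOLE_LOG, CORE_LOG):
        print(finding)
```

Each finding names an account whose removal from the external resource failed without any message reaching the operator, which is the case worth alerting on in a deprovisioning workflow.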

Re: Synchronization sanity check

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 13/08/2012 16.11, Colm O hEigeartaigh wrote:
>
> > Do you see any error in the task execution message? I would expect 
> > that there could be some problem when subscribing an existing
> > user to an external resource, with no password (see SYNCOPE-136).
>
> Thanks, that is the problem:
>
> org.apache.syncope.client.validation.SyncopeClientCompositeErrorException: 
> {[RequiredValuesMissing [password cannot be empty when subscribing to 
> new resources]], }
>         at 
> org.apache.syncope.core.rest.data.UserDataBinder.update(UserDataBinder.java:218)
>
> Is this error covered by SYNCOPE-136 or should I open a new JIRA?

If you would add a comment on it, we wouldn't like to miss this 
particular aspect when working on it, thanks.

Regards.

> On Mon, Aug 13, 2012 at 2:58 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org> wrote:
>
>     On 13/08/2012 15.15, Colm O hEigeartaigh wrote:
>>     Hi Francesco,
>>
>>     > Yes: you can define what attributes, roles and resources a
>>     synchronized user should have by editing the user template
>>     associated to
>>     > the synchronization task (look at [1] for an example).
>>
>>     Cool thanks. I think there may be a bug here in that this is
>>     working fine when you add a resource by editing the user template
>>     before the task executes for the first time, but if you later add
>>     it in after the user has already been synchronized to Syncope and
>>     run the task again, the resource does not show up on the
>>     previously synchronized user. Shall I open a JIRA for this?
>
>     Has this resource the 'Updated matched identities' flagged as well?
>
>     Do you see any error in the task execution message? I would expect
>     that there could be some problem when subscribing an existing user
>     to an external resource, with no password (see SYNCOPE-136).
>
>
>>     A minor suggestion - the configuration page for the LDAP
>>     Connector is a bit confusing, as the configuration options seem
>>     to appear in a random order. Should we move to either
>>     alphabetical or else a more coherent flow as appears here:
>>
>>     https://code.google.com/p/connid/wiki/LDAP
>>
>>     ?
>
>     AFAIK, the presentation order in the Syncope admin console is
>     derived from the order defined on each connector bundle.
>     For the LDAP bundle [2], there is no ordering defined at all
>     (check @ConfigurationProperty annotation), while for the DB bundle
>     [3], ordering is well defined.
>
>     Regards.
>
>     [2]
>     http://connid.googlecode.com/svn/bundles/ldap/tags/org.connid.bundles.ldap-1.3.1/src/main/java/org/identityconnectors/ldap/LdapConfiguration.java
>     [3]
>     http://connid.googlecode.com/svn/bundles/db/tags/db-2.1.2/table/src/main/java/org/identityconnectors/databasetable/DatabaseTableConfiguration.java
>
>
>
>>     On Fri, Aug 10, 2012 at 4:34 PM, Francesco Chicchiriccò
>>     <ilgrosso@apache.org> wrote:
>>
>>         On 10/08/2012 17.26, Colm O hEigeartaigh wrote:
>>>         Great thanks, selecting 'full reconciliation' did the trick.
>>>         Do you know is there a fix planned to only use the delta
>>>         with Apache DS?
>>
>>         Not that I know, but we can discuss this on
>>         connid-dev@googlegroups.com if you want.
>>
>>>         Another question: After importing user entries from an
>>>         Apache DS backend, they don't have the corresponding
>>>         "Resource" selected. So to update a user entry I need to
>>>         manually select the corresponding Connector before the
>>>         change gets propagated back. Is this expected?
>>
>>         Yes: you can define what attributes, roles and resources a
>>         synchronized user should have by editing the user template
>>         associated to the synchronization task (look at [1] for an
>>         example).
>>
>>         Regards.
>>
>>         [1]
>>         https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronize+Active+Directory+with+SQL+database#SynchronizeActiveDirectorywithSQLdatabase-Provideausertemplate
>>
>>>         On Fri, Aug 10, 2012 at 1:25 PM, Francesco Chicchiriccò
>>>         <ilgrosso@apache.org> wrote:
>>>
>>>             On 10/08/2012 14.09, Colm O hEigeartaigh wrote:
>>>
>>>                 Hi all,
>>>
>>>                 A quick sanity check: Is there any reason why I
>>>                 can't synchronize from an Apache DS backend in
>>>                 Syncope? I can create users in Syncope and propagate
>>>                 them to the resource fine, but I can't do the reverse.
>>>
>>>
>>>             Hi Colm,
>>>             synchronization from an external resource might fail for
>>>             many different reasons: I'd suggest to increase the
>>>             level for the 'org.apache.syncope.core.scheduling'
>>>             logger in order to have some insight about the failure.
>>>
>>>             Generally speaking, you can perform a proper
>>>             synchronization only when the underlying connector
>>>             supports the SYNC operation (and has the correspondent
>>>             capability enabled in Syncope). The LDAP connector,
>>>             specifically, only supports that for Sun Directory
>>>             Server and OpenDS / OpenDJ.
>>>
>>>             When SYNC operation is not supported / enabled, you can
>>>             only perform a 'full reconciliation' - the difference is
>>>             that with the latter all entries are sent at every
>>>             request from the external resource, while the former
>>>             only sends the delta compared to prior call.
>>>
>>>             You can choose full reconciliation from the admin
>>>             console, when editing the resource.
>>>
>>>             Regards.
>>>
-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Synchronization sanity check

Posted by Colm O hEigeartaigh <co...@apache.org>.
> Do you see any error in the task execution message? I would expect that
> there could be some problem when subscribing an existing
> user to an external resource, with no password (see SYNCOPE-136).

Thanks, that is the problem:

org.apache.syncope.client.validation.SyncopeClientCompositeErrorException:
{[RequiredValuesMissing [password cannot be empty when subscribing to new
resources]], }
        at
org.apache.syncope.core.rest.data.UserDataBinder.update(UserDataBinder.java:218)

Is this error covered by SYNCOPE-136 or should I open a new JIRA?

Colm.

On Mon, Aug 13, 2012 at 2:58 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

>  On 13/08/2012 15.15, Colm O hEigeartaigh wrote:
>
> Hi Francesco,
>
> > Yes: you can define what attributes, roles and resources a synchronized
> > user should have by editing the user template associated to
> > the synchronization task (look at [1] for an example).
>
> Cool thanks. I think there may be a bug here in that this is working fine
> when you add a resource by editing the user template before the task
> executes for the first time, but if you later add it in after the user has
> already been synchronized to Syncope and run the task again, the resource
> does not show up on the previously synchronized user. Shall I open a JIRA
> for this?
>
>
> Has this resource the 'Updated matched identities' flagged as well?
>
> Do you see any error in the task execution message? I would expect that
> there could be some problem when subscribing an existing user to an
> external resource, with no password (see SYNCOPE-136).
>
>
> A minor suggestion - the configuration page for the LDAP Connector is a
> bit confusing, as the configuration options seem to appear in a random
> order. Should we move to either alphabetical or else a more coherent flow
> as appears here:
>
> https://code.google.com/p/connid/wiki/LDAP
>
> ?
>
>
> AFAIK, the presentation order in the Syncope admin console is derived from
> the order defined on each connector bundle.
> For the LDAP bundle [2], there is no ordering defined at all (check
> @ConfigurationProperty annotation), while for the DB bundle [3], ordering
> is well defined.
>
> Regards.
>
> [2]
> http://connid.googlecode.com/svn/bundles/ldap/tags/org.connid.bundles.ldap-1.3.1/src/main/java/org/identityconnectors/ldap/LdapConfiguration.java
> [3]
> http://connid.googlecode.com/svn/bundles/db/tags/db-2.1.2/table/src/main/java/org/identityconnectors/databasetable/DatabaseTableConfiguration.java
>
>
> On Fri, Aug 10, 2012 at 4:34 PM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>>  On 10/08/2012 17.26, Colm O hEigeartaigh wrote:
>>
>> Great thanks, selecting 'full reconciliation' did the trick. Do you know
>> is there a fix planned to only use the delta with Apache DS?
>>
>>
>> Not that I know, but we can discuss this on connid-dev@googlegroups.com if you want.
>>
>> Another question: After importing user entries from an Apache DS backend,
>> they don't have the corresponding "Resource" selected. So to update a user
>> entry I need to manually select the corresponding Connector before the
>> change gets propagated back. Is this expected?
>>
>>
>> Yes: you can define what attributes, roles and resources a synchronized
>> user should have by editing the user template associated to the
>> synchronization task (look at [1] for an example).
>>
>> Regards.
>>
>> [1]
>> https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronize+Active+Directory+with+SQL+database#SynchronizeActiveDirectorywithSQLdatabase-Provideausertemplate
>>
>>  On Fri, Aug 10, 2012 at 1:25 PM, Francesco Chicchiriccò <
>> ilgrosso@apache.org> wrote:
>>
>>> On 10/08/2012 14.09, Colm O hEigeartaigh wrote:
>>>
>>>> Hi all,
>>>>
>>>> A quick sanity check: Is there any reason why I can't synchronize from
>>>> an Apache DS backend in Syncope? I can create users in Syncope and
>>>> propagate them to the resource fine, but I can't do the reverse.
>>>>
>>>
>>>  Hi Colm,
>>> synchronization from an external resource might fail for many different
>>> reasons: I'd suggest to increase the level for the
>>> 'org.apache.syncope.core.scheduling' logger in order to have some insight
>>> about the failure.
>>>
>>> Generally speaking, you can perform a proper synchronization only when
>>> the underlying connector supports the SYNC operation (and has the
>>> correspondent capability enabled in Syncope). The LDAP connector,
>>> specifically, only supports that for Sun Directory Server and OpenDS /
>>> OpenDJ.
>>>
>>> When SYNC operation is not supported / enabled, you can only perform a
>>> 'full reconciliation' - the difference is that with the latter all entries
>>> are sent at every request from the external resource, while the former only
>>> sends the delta compared to prior call.
>>>
>>> You can choose full reconciliation from the admin console, when editing
>>> the resource.
>>>
>>> Regards.
>>>
>>     --
> Francesco Chicchiriccò
>
> ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Synchronization sanity check

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 13/08/2012 15.15, Colm O hEigeartaigh wrote:
> Hi Francesco,
>
> > Yes: you can define what attributes, roles and resources a 
> > synchronized user should have by editing the user template associated to
> > the synchronization task (look at [1] for an example).
>
> Cool thanks. I think there may be a bug here in that this is working 
> fine when you add a resource by editing the user template before the 
> task executes for the first time, but if you later add it in after the 
> user has already been synchronized to Syncope and run the task again, 
> the resource does not show up on the previously synchronized user. 
> Shall I open a JIRA for this?

Has this resource the 'Updated matched identities' flagged as well?

Do you see any error in the task execution message? I would expect that 
there could be some problem when subscribing an existing user to an 
external resource, with no password (see SYNCOPE-136).

> A minor suggestion - the configuration page for the LDAP Connector is 
> a bit confusing, as the configuration options seem to appear in a 
> random order. Should we move to either alphabetical or else a more 
> coherent flow as appears here:
>
> https://code.google.com/p/connid/wiki/LDAP
>
> ?

AFAIK, the presentation order in the Syncope admin console is derived 
from the order defined on each connector bundle.
For the LDAP bundle [2], there is no ordering defined at all (check 
@ConfigurationProperty annotation), while for the DB bundle [3], 
ordering is well defined.

Regards.

[2] 
http://connid.googlecode.com/svn/bundles/ldap/tags/org.connid.bundles.ldap-1.3.1/src/main/java/org/identityconnectors/ldap/LdapConfiguration.java
[3] 
http://connid.googlecode.com/svn/bundles/db/tags/db-2.1.2/table/src/main/java/org/identityconnectors/databasetable/DatabaseTableConfiguration.java

> On Fri, Aug 10, 2012 at 4:34 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org> wrote:
>
>     On 10/08/2012 17.26, Colm O hEigeartaigh wrote:
>>     Great thanks, selecting 'full reconciliation' did the trick. Do
>>     you know is there a fix planned to only use the delta with Apache DS?
>
>     Not that I know, but we can discuss this on
>     connid-dev@googlegroups.com
>     if you want.
>
>>     Another question: After importing user entries from an Apache DS
>>     backend, they don't have the corresponding "Resource" selected.
>>     So to update a user entry I need to manually select the
>>     corresponding Connector before the change gets propagated back.
>>     Is this expected?
>
>     Yes: you can define what attributes, roles and resources a
>     synchronized user should have by editing the user template
>     associated to the synchronization task (look at [1] for an example).
>
>     Regards.
>
>     [1]
>     https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronize+Active+Directory+with+SQL+database#SynchronizeActiveDirectorywithSQLdatabase-Provideausertemplate
>
>>     On Fri, Aug 10, 2012 at 1:25 PM, Francesco Chicchiriccò
>>     <ilgrosso@apache.org> wrote:
>>
>>         On 10/08/2012 14.09, Colm O hEigeartaigh wrote:
>>
>>             Hi all,
>>
>>             A quick sanity check: Is there any reason why I can't
>>             synchronize from an Apache DS backend in Syncope? I can
>>             create users in Syncope and propagate them to the
>>             resource fine, but I can't do the reverse.
>>
>>
>>         Hi Colm,
>>         synchronization from an external resource might fail for many
>>         different reasons: I'd suggest to increase the level for the
>>         'org.apache.syncope.core.scheduling' logger in order to have
>>         some insight about the failure.
>>
>>         Generally speaking, you can perform a proper synchronization
>>         only when the underlying connector supports the SYNC
>>         operation (and has the correspondent capability enabled in
>>         Syncope). The LDAP connector, specifically, only supports
>>         that for Sun Directory Server and OpenDS / OpenDJ.
>>
>>         When SYNC operation is not supported / enabled, you can only
>>         perform a 'full reconciliation' - the difference is that with
>>         the latter all entries are sent at every request from the
>>         external resource, while the former only sends the delta
>>         compared to prior call.
>>
>>         You can choose full reconciliation from the admin console,
>>         when editing the resource.
>>
>>         Regards.
>>
-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Synchronization sanity check

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Francesco,

> Yes: you can define what attributes, roles and resources a synchronized
> user should have by editing the user template associated to
> the synchronization task (look at [1] for an example).

Cool thanks. I think there may be a bug here in that this is working fine
when you add a resource by editing the user template before the task
executes for the first time, but if you later add it in after the user has
already been synchronized to Syncope and run the task again, the resource
does not show up on the previously synchronized user. Shall I open a JIRA
for this?

A minor suggestion - the configuration page for the LDAP Connector is a bit
confusing, as the configuration options seem to appear in a random order.
Should we move to either alphabetical or else a more coherent flow as
appears here:

https://code.google.com/p/connid/wiki/LDAP

?

Thanks,

Colm.

On Fri, Aug 10, 2012 at 4:34 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

>  On 10/08/2012 17.26, Colm O hEigeartaigh wrote:
>
> Great thanks, selecting 'full reconciliation' did the trick. Do you know
> is there a fix planned to only use the delta with Apache DS?
>
>
> Not that I know, but we can discuss this on connid-dev@googlegroups.com if you want.
>
> Another question: After importing user entries from an Apache DS backend,
> they don't have the corresponding "Resource" selected. So to update a user
> entry I need to manually select the corresponding Connector before the
> change gets propagated back. Is this expected?
>
>
> Yes: you can define what attributes, roles and resources a synchronized
> user should have by editing the user template associated to the
> synchronization task (look at [1] for an example).
>
> Regards.
>
> [1]
> https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronize+Active+Directory+with+SQL+database#SynchronizeActiveDirectorywithSQLdatabase-Provideausertemplate
>
>  On Fri, Aug 10, 2012 at 1:25 PM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>> On 10/08/2012 14.09, Colm O hEigeartaigh wrote:
>>
>>> Hi all,
>>>
>>> A quick sanity check: Is there any reason why I can't synchronize from
>>> an Apache DS backend in Syncope? I can create users in Syncope and
>>> propagate them to the resource fine, but I can't do the reverse.
>>>
>>
>>  Hi Colm,
>> synchronization from an external resource might fail for many different
>> reasons: I'd suggest to increase the level for the
>> 'org.apache.syncope.core.scheduling' logger in order to have some insight
>> about the failure.
>>
>> Generally speaking, you can perform a proper synchronization only when
>> the underlying connector supports the SYNC operation (and has the
>> correspondent capability enabled in Syncope). The LDAP connector,
>> specifically, only supports that for Sun Directory Server and OpenDS /
>> OpenDJ.
>>
>> When SYNC operation is not supported / enabled, you can only perform a
>> 'full reconciliation' - the difference is that with the latter all entries
>> are sent at every request from the external resource, while the former only
>> sends the delta compared to prior call.
>>
>> You can choose full reconciliation from the admin console, when editing
>> the resource.
>>
>> Regards.
>>
>  --
> Francesco Chicchiriccò
>
> ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Synchronization sanity check

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 10/08/2012 17.26, Colm O hEigeartaigh wrote:
> Great thanks, selecting 'full reconciliation' did the trick. Do you 
> know is there a fix planned to only use the delta with Apache DS?

Not that I know, but we can discuss this on connid-dev@googlegroups.com 
if you want.

> Another question: After importing user entries from an Apache DS 
> backend, they don't have the corresponding "Resource" selected. So to 
> update a user entry I need to manually select the corresponding 
> Connector before the change gets propagated back. Is this expected?

Yes: you can define what attributes, roles and resources a synchronized 
user should have by editing the user template associated to the 
synchronization task (look at [1] for an example).

Regards.

[1] 
https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronize+Active+Directory+with+SQL+database#SynchronizeActiveDirectorywithSQLdatabase-Provideausertemplate

> On Fri, Aug 10, 2012 at 1:25 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org> wrote:
>
>     On 10/08/2012 14.09, Colm O hEigeartaigh wrote:
>
>         Hi all,
>
>         A quick sanity check: Is there any reason why I can't
>         synchronize from an Apache DS backend in Syncope? I can create
>         users in Syncope and propagate them to the resource fine, but
>         I can't do the reverse.
>
>
>     Hi Colm,
>     synchronization from an external resource might fail for many
>     different reasons: I'd suggest to increase the level for the
>     'org.apache.syncope.core.scheduling' logger in order to have some
>     insight about the failure.
>
>     Generally speaking, you can perform a proper synchronization only
>     when the underlying connector supports the SYNC operation (and has
>     the correspondent capability enabled in Syncope). The LDAP
>     connector, specifically, only supports that for Sun Directory
>     Server and OpenDS / OpenDJ.
>
>     When SYNC operation is not supported / enabled, you can only
>     perform a 'full reconciliation' - the difference is that with the
>     latter all entries are sent at every request from the external
>     resource, while the former only sends the delta compared to prior
>     call.
>
>     You can choose full reconciliation from the admin console, when
>     editing the resource.
>
>     Regards.
>
-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Synchronization sanity check

Posted by Colm O hEigeartaigh <co...@apache.org>.
Great thanks, selecting 'full reconciliation' did the trick. Do you know is
there a fix planned to only use the delta with Apache DS?

Another question: After importing user entries from an Apache DS backend,
they don't have the corresponding "Resource" selected. So to update a user
entry I need to manually select the corresponding Connector before the
change gets propagated back. Is this expected?

Colm.

On Fri, Aug 10, 2012 at 1:25 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

> On 10/08/2012 14.09, Colm O hEigeartaigh wrote:
>
>> Hi all,
>>
>> A quick sanity check: Is there any reason why I can't synchronize from an
>> Apache DS backend in Syncope? I can create users in Syncope and propagate
>> them to the resource fine, but I can't do the reverse.
>>
>
> Hi Colm,
> synchronization from an external resource might fail for many different
> reasons: I'd suggest to increase the level for the
> 'org.apache.syncope.core.scheduling' logger in order to have some insight
> about the failure.
>
> Generally speaking, you can perform a proper synchronization only when the
> underlying connector supports the SYNC operation (and has the correspondent
> capability enabled in Syncope). The LDAP connector, specifically, only
> supports that for Sun Directory Server and OpenDS / OpenDJ.
>
> When SYNC operation is not supported / enabled, you can only perform a
> 'full reconciliation' - the difference is that with the latter all entries
> are sent at every request from the external resource, while the former only
> sends the delta compared to prior call.
>
> You can choose full reconciliation from the admin console, when editing
> the resource.
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Synchronization sanity check

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 10/08/2012 14.09, Colm O hEigeartaigh wrote:
> Hi all,
>
> A quick sanity check: Is there any reason why I can't synchronize from 
> an Apache DS backend in Syncope? I can create users in Syncope and 
> propagate them to the resource fine, but I can't do the reverse.

Hi Colm,
synchronization from an external resource might fail for many different 
reasons: I'd suggest to increase the level for the 
'org.apache.syncope.core.scheduling' logger in order to have some 
insight about the failure.

Generally speaking, you can perform a proper synchronization only when 
the underlying connector supports the SYNC operation (and has the 
correspondent capability enabled in Syncope). The LDAP connector, 
specifically, only supports that for Sun Directory Server and OpenDS / 
OpenDJ.

When SYNC operation is not supported / enabled, you can only perform a 
'full reconciliation' - the difference is that with the latter all 
entries are sent at every request from the external resource, while the 
former only sends the delta compared to prior call.

You can choose full reconciliation from the admin console, when editing 
the resource.

Regards.

-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/
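
Added example (not part of the original message, and not ConnId or Syncope code): a toy Python model of the two pull modes described above, showing how many records the resource sends per run in each mode. Class and function names are hypothetical, and raising an error when a delta is requested from a server without SYNC support is the model's assumption; the thread does not say how the real connector behaves in that case.

```python
# Toy model of SYNC (delta) versus full reconciliation.

# Directory servers for which the message says the LDAP connector supports SYNC.
SYNC_CAPABLE = {"Sun Directory Server", "OpenDS", "OpenDJ"}


class SyncNotSupported(Exception):
    """Model assumption: a delta request to a non-SYNC server is an error."""


class Directory:
    """External resource: current entries plus an ordered change log."""

    def __init__(self, server_type):
        self.server_type = server_type
        self.entries = {}     # dn -> attribute dict
        self.changelog = []   # (change_number, operation, dn, attrs or None)

    def _record(self, operation, dn, attrs=None):
        self.changelog.append((len(self.changelog) + 1, operation, dn, attrs))

    def put(self, dn, **attrs):
        operation = "update" if dn in self.entries else "create"
        self.entries[dn] = dict(attrs)
        self._record(operation, dn, dict(attrs))

    def delete(self, dn):
        del self.entries[dn]
        self._record("delete", dn)

    def search_all(self):
        """Full reconciliation: every entry is sent on every request."""
        return {dn: dict(attrs) for dn, attrs in self.entries.items()}

    def sync(self, token):
        """SYNC: only the changes made after `token`, plus the new token."""
        if self.server_type not in SYNC_CAPABLE:
            raise SyncNotSupported(self.server_type)
        changes = [change for change in self.changelog if change[0] > token]
        latest = self.changelog[-1][0] if self.changelog else token
        return changes, latest


class Importer:
    """Identity manager side: keeps a local view and, for SYNC, a token."""

    def __init__(self, directory, full_reconciliation):
        self.directory = directory
        self.full_reconciliation = full_reconciliation
        self.users = {}
        self.token = 0

    def run(self):
        """Pull once and return how many records the resource had to send."""
        if self.full_reconciliation:
            snapshot = self.directory.search_all()
            self.users = snapshot  # model choice: local view mirrors the snapshot
            return len(snapshot)
        changes, self.token = self.directory.sync(self.token)
        for _, operation, dn, attrs in changes:
            if operation == "delete":
                self.users.pop(dn, None)
            else:
                self.users[dn] = attrs
        return len(changes)


def compare_modes(server_type="OpenDJ", population=50):
    """Run both modes twice; return (first run, second run, same end state)."""
    directory = Directory(server_type)
    for i in range(population):
        # Constructed DNs for the demonstration.
        directory.put(f"uid=user{i},ou=people,o=isp", cn=f"User {i}")
    delta = Importer(directory, full_reconciliation=False)
    full = Importer(directory, full_reconciliation=True)
    first = (delta.run(), full.run())
    directory.put("uid=user0,ou=people,o=isp", cn="Renamed")
    directory.delete("uid=user1,ou=people,o=isp")
    second = (delta.run(), full.run())
    return first, second, delta.users == full.users


if __name__ == "__main__":
    print(compare_modes())
```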