Posted to dev@syncope.apache.org by Fabio Martelli <fa...@gmail.com> on 2013/04/22 10:19:15 UTC
Re: Can I create a role in syncope which will be propagated to opendj?
On 22/apr/2013, at 09.46, Nik wrote:
> Hi Fabio,
>
> Thanks for the clarification of the roles creation.
>
> I'm still having difficulty understanding how to propagate
> new roles to create ldap groups. I have never used the ldap
> attribute ldapGroups in opendj before. Can you please give me an example if
> you have one?
Hi Nik, ldapGroups is a special attribute (it doesn't exist in the LDAP schema).
You can use it to propagate membership info, not for role group propagation.
To create a group on your OpenDJ you have to define a "role mapping" for your resource (OpenDJ) defined on syncope.
Just by creating a new role and assigning the OpenDJ resource to it, a new group on the physical resource will be created.
Now, let's suppose you have a group on your OpenDJ with DN "cn=groupA,o=isp" (created by syncope or not).
In order to create a membership with this group you have to propagate user info with ldapGroups valued with that DN.
To propagate ldapGroups you have to define a specific mapping for this special attribute: to the user mapping defined for your OpenDJ resource, add one for ldapGroups.
For example, if you have a user attribute storing membership information (maybe a specific user schema called "groups") you'll have:
USER | UserSchema | groups | ldapGroups | .... | BOTH
Please consider that you can map a group/membership attribute as well. Usually I create a specific group schema (let me call it "groupDN") and then I add a mapping for it into the user mapping. Ex:
GROUP | RoleSchema | groupDN | ldapGroups | ... | BOTH
In this way, I can specify a value for the multivalued ldapGroups just by adding one or more syncope roles to the user.
Best regards,
F.
>
> rgds,
> Nik
>>
>> On 19/apr/2013, at 14.03, Nik wrote:
>>
>>> But I would like to create a new group (e.g. using the "secretary" role from syncope) which should make
>>> an ldap group like:
>>>
>>>
>>> dn: cn=secretary,ou=Groups,o=usharesoft
>>> uniqueMember: uid=toto,ou=people,o=usharesoft
>>> cn: generators
>>> objectClass: groupOfUniqueNames
>>> objectClass: top
>>>
>>> So from what I have been able to work out, so far, is I should create the syncope user titi using Users->"create new user"
>>>
>>> Fill in all the mandatory parts under Details/Attributes tab
>>> Then
>>> select the Resources tab and add my ldap resource from "Available" to "Selected"
>>> Then
>>> select Roles tab and add the secretary role
>>> and save
>>
>> Hi Nik, you cannot propagate a role creation just by creating a membership on syncope.
>> If the role doesn't exist yet on the resource, the steps are:
>> 1. create role on syncope and propagate creation
>> 2. create user on syncope, add role (on syncope) and propagate user and membership
>>
>> If the role already exists on the resource you can jump to step 2 without performing 1.
>>
>> Remember that user memberships are propagated/read via the ldapGroups attribute.
>>
>> Best regards,
>> F.
>>
>
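As an added illustration of the mapping Fabio describes above (example code written for this page, not Syncope or ConnId code), the following Python models how Syncope role assignments become the multi-valued ldapGroups attribute of a user and, inverted, the uniqueMember lists of the groupOfUniqueNames entries, then compares that with an LDIF export of the directory to flag memberships that have drifted: a user who should be in a group but is not, or a stale member that no Syncope role accounts for. The role attribute name groupDN, the base DNs, the roles, the users and the LDIF snapshot are all constructed for the example.

```python
import base64
from collections import defaultdict
from dataclasses import dataclass

# Constructed base DNs, modelled on the LDIF quoted in the thread (example only).
GROUP_BASE = "ou=Groups,o=usharesoft"
PEOPLE_BASE = "ou=people,o=usharesoft"

@dataclass(frozen=True)
class Role:
    name: str
    group_dn: str  # the role's "groupDN" schema attribute that is mapped onto ldapGroups

@dataclass(frozen=True)
class User:
    uid: str
    roles: tuple  # names of the Syncope roles assigned to the user

def user_dn(uid):
    return f"uid={uid},{PEOPLE_BASE}"

def ldap_groups_value(user, roles_by_name):
    """The multi-valued ldapGroups attribute Syncope would propagate for this user:
    one group DN per assigned role, read from the role's groupDN attribute."""
    return sorted(roles_by_name[name].group_dn for name in user.roles)

def expected_members(users, roles_by_name):
    """Invert the per-user view: group DN -> set of uniqueMember DNs implied by Syncope."""
    members = defaultdict(set)
    for user in users:
        for group_dn in ldap_groups_value(user, roles_by_name):
            members[group_dn].add(user_dn(user.uid))
    return dict(members)

def parse_ldif_groups(text):
    """Minimal LDIF reader returning {dn: set(uniqueMember)} for groupOfUniqueNames
    entries. Handles folded continuation lines (leading space) and base64 ('::')
    values; entries of other object classes are ignored."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]  # LDIF line folding
        elif raw.strip() == "":
            if current:
                entries.append(current)
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    groups = {}
    for lines in entries:
        attrs = defaultdict(list)
        for line in lines:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            attrs[name.strip().lower()].append(value)
        if "groupofuniquenames" in (v.lower() for v in attrs["objectclass"]):
            groups[attrs["dn"][0]] = set(attrs["uniquemember"])
    return groups

def membership_drift(expected, actual):
    """Compare the memberships Syncope implies with what the directory holds.
    Returns {group_dn: (missing, extra)} for groups that differ: 'missing' are DNs
    that should be members but are not, 'extra' are members no Syncope role explains."""
    report = {}
    for group_dn in sorted(set(expected) | set(actual)):
        want = expected.get(group_dn, set())
        have = actual.get(group_dn, set())
        if want != have:
            report[group_dn] = (want - have, have - want)
    return report

# Constructed roles, users and directory snapshot (not real data).
ROLES = {
    "secretary": Role("secretary", f"cn=secretary,{GROUP_BASE}"),
    "generators": Role("generators", f"cn=generators,{GROUP_BASE}"),
}
USERS = [User("toto", ("secretary", "generators")), User("titi", ("secretary",))]

SAMPLE_LDIF = f"""\
dn: cn=secretary,{GROUP_BASE}
objectClass: groupOfUniqueNames
objectClass: top
cn: secretary
uniqueMember: {user_dn('toto')}
uniqueMember: {user_dn('leaver')}

dn: cn=generators,{GROUP_BASE}
objectClass: top
objectClass: groupOfUniqueNames
cn: generators
uniqueMember: uid=toto,
 {PEOPLE_BASE}

dn: {user_dn('toto')}
objectClass: inetOrgPerson
uid: toto
"""

if __name__ == "__main__":
    drift = membership_drift(expected_members(USERS, ROLES), parse_ldif_groups(SAMPLE_LDIF))
    for group_dn, (missing, extra) in drift.items():
        print(group_dn, "missing:", sorted(missing), "extra:", sorted(extra))
```

Run against the constructed snapshot, the report names only cn=secretary: titi holds the role in Syncope but is not yet a uniqueMember, and a leftover "leaver" entry is a member that no role explains. Pointing parse_ldif_groups at a real export of the groups subtree gives a cheap periodic check that the directory still reflects the role assignments Syncope propagated.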
Re: Can I create a role in syncope which will be propagated to opendj?
Posted by Nik <ni...@usharesoft.com>.
Thanks for the extra info Francesco,
I will try your approach after I succeed in doing it the way Fabio suggests, or rather if I cannot get it to work.
rgds,
Nik
Re: Can I create a role in syncope which will be propagated to opendj?
Posted by Francesco Chicchiriccò <il...@apache.org>.
In this approach suggested by Fabio you are directly dealing with the
internal mechanism provided by the ConnId LDAP connector.
Alternatively, you can empower
1. LDAPMembershipPropagationActions as propagation actions class
(choose this for "Actions class" when defining the LDAP resource from
the admin console)
2. LDAPMembershipSyncActions as synchronization actions class (choose
this for "Actions class" when defining the synchronization task from the
admin console)
This approach works under the assumption that:
1. you are using the same resource for both users and roles (e.g. you
have provided both user and role mapping for the resource)
2. you did not map the special attribute ldapGroups (as opposed to
the approach suggested by Fabio)
I know this should be better documented, it's already in my (long) TODO
list :-)
Regards.
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
Re: Can I create a role in syncope which will be propagated to opendj?
Posted by Nik <ni...@usharesoft.com>.
Here are the logs Fabio.
rgds,
Nik
Re: Can I create a role in syncope which will be propagated to opendj?
Posted by Fabio Martelli <fa...@gmail.com>.
On 22/apr/2013, at 15.14, Nik wrote:
> Thanks Fabio.
>
> Things are beginning to get a bit clearer, but I am hitting many issues all at once.
>
> I'll split the issues up into separate emails for brevity:
>
> - For some reason I cannot get the ldap resource (uforge_resource) to link with the
> role I create in syncope (see Selection_107.png - Selection_111.png)
>
> steps taken
> ->Roles
> -> select "Tree"
> -> Add child
> -> set name to defaultRole
> -> Resource
> -> choose uforge_resource for "selected box"
> "save" result is shown in Selection_111.png (resource is not assigned/selected anymore)
Hi Nik, strange behavior! I need more info.
Please, send core logs (core.log, core-rest.log, core-persistence.log, core-connid.log).
Re: Can I create a role in syncope which will be propagated to opendj?
Posted by Nik <ni...@usharesoft.com>.
Thanks Fabio.
Things are beginning to get a bit clearer, but I am hitting many issues all at once.
I'll split the issues up into separate emails for brevity:
- For some reason I cannot get the ldap resource (uforge_resource) to link with the role I create in syncope (see Selection_107.png - Selection_111.png)
steps taken
->Roles
-> select "Tree"
-> Add child
-> set name to defaultRole
-> Resource
-> choose uforge_resource for "selected box"
"save" result is shown in Selection_111.png (resource is not assigned/selected anymore)
some log trace:
0:0:0:0:0:0:0:1 - - [22/Apr/2013:14:56:33 +0200] "GET /syncope-console/wicket/page?20-1.IBehaviorListener.1-RoleForm-rolePanel-details-name-textField&q=defaultRole&_=1366635393066 HTTP/1.1" 200 19
0:0:0:0:0:0:0:1 - - [22/Apr/2013:14:56:37 +0200] "POST /syncope-console/wicket/page?20-1.IBehaviorListener.0-RoleForm-rolePanel-details-name-textField HTTP/1.1" 200 5950
127.0.0.1 - - [22/Apr/2013:14:57:22 +0200] "POST /syncope/rest/role/create HTTP/1.1" 201 477
rgds,
Nik
Re: Can I create a role in syncope which will be propagated to opendj?
Posted by Nik <ni...@usharesoft.com>.
>> Here is another issue Fabio,
>>
>> - create a new User->Normal syncope attribute called groups (see Selection_112.png)
>> - Resources
>> -> uforge_resource
>> -> User mapping
>> add USER | UserSchema | groups | ldapGroups | .... | BOTH as you suggested (see Selection_113.png)
>> "Save"
> As per the previous email .... really strange behavior.
> Btw, looking at your attachments I can see three mappings for the groups attribute (two perfectly equal).
oops I added these just to see what happens if I added duplicates ... I will delete 2 straight away ;-)
>
>> - Resources
>> -> uforge_resource
>> -> User mapping. The change is no longer there! (see Selection_114.png)
>>
>> WRT to suggestion GROUP | RoleSchema | groupDN | ldapGroups | ... | BOTH
> For roles, you don't need to propagate ldapGroups. It has to be used just for memberships and not for role provisioning.
> You have to remove the ldapGroups items from the Role Mapping.
Ok will do.
rgds,
Nik
Re: Can I create a role in syncope which will be propagated to opendj?
Posted by Fabio Martelli <fa...@gmail.com>.
On 22/apr/2013, at 15.33, Nik wrote:
> Here is another issue Fabio,
>
> - create a new User->Normal syncope attribute called groups (see Selection_112.png)
> - Resources
> -> uforge_resource
> -> User mapping
> add USER | UserSchema | groups | ldapGroups | .... | BOTH as you suggested (see Selection_113.png)
> "Save"
As per the previous email .... really strange behavior.
Btw, looking at your attachments I can see three mappings for the groups attribute (two perfectly equal).
> - Resources
> -> uforge_resource
> -> User mapping. The change is no longer there! (see Selection_114.png)
>
> WRT to suggestion GROUP | RoleSchema | groupDN | ldapGroups | ... | BOTH
For roles, you don't need to propagate ldapGroups. It has to be used just for memberships and not for role provisioning.
You have to remove the ldapGroups items from the Role Mapping.
> There is no "Entity" category GROUP in the standalone 1.1.0 "schema or user" sections that I have. (see Selection_115.png)
> So I try
> ROLE | RoleSchema | groupDN | ldapGroups | ... | BOTH (see Selection_116.png)
> but after the save it disappears like the USER data.
>
>
> rgds,
> Nik
>
Re: Can I create a role in syncope which will be propagated to opendj?
Posted by Nik <ni...@usharesoft.com>.
Here is another issue Fabio,
- create a new User->Normal syncope attribute called groups (see Selection_112.png)
- Resources
-> uforge_resource
-> User mapping
add USER | UserSchema | groups | ldapGroups | .... | BOTH as you suggested (see Selection_113.png)
"Save"
- Resources
-> uforge_resource
-> User mapping. The change is no longer there! (see Selection_114.png)
WRT to suggestion GROUP | RoleSchema | groupDN | ldapGroups | ... | BOTH
There is no "Entity" category GROUP in the standalone 1.1.0 "schema or user" sections that I have. (see Selection_115.png)
So I try
ROLE | RoleSchema | groupDN | ldapGroups | ... | BOTH (see Selection_116.png)
but after the save it disappears like the USER data.
rgds,
Nik