Posted to user@syncope.apache.org by Alex123 <my...@gmail.com> on 2018/08/15 08:47:04 UTC

Why does Syncope only add new memberships from LDAP but not remove old memberships (those removed from LDAP)?

Hi!
I have Syncope 2.1.0 and LDAP connector 1.5.2. All works fine, but

THERE IS A PROBLEM:
When I remove the attribute
'uniqueMember'='uid=myldapuser,ou=Users,o=client1,dc=xyz,dc=net' in one of
the LDAP groups, such as 'MyGroup', and then pull changes to Syncope, Syncope does
not remove the 'myldapuser' to 'MyGroup' membership.
Syncope only adds new memberships from LDAP but doesn't remove old memberships
(those that are removed in LDAP).

My LDAP connector has the following settings:
- Group Name Attributes = 'cn'
- Group Member Attribute = 'uniqueMember'
- Maintain LDAP Group Membership = true

LdapSync resource has:
- Actions Selected = LDAPMembershipPropagationActions
- Capabilities = All

LdapSync Pull Task has:
- Pull Mode = 'FULL_RECONCILIATION'
- Remediation = false
- Actions Selected = LDAPMembershipPullActions
- Matching rule = update
- Unmatching rule = ASSIGN
- Allow create = true
- Allow update = true
- Allow delete = true

In the debugger I see that Syncope has correct information about memberships
in org.apache.syncope.core.provisioning.java.pushpull.LDAPMembershipPullActions,
line 175, in the field this.memberships (I see existing memberships and don't
see removed memberships)

BUT
I don't see Syncope drop any memberships in
org.apache.syncope.core.provisioning.java.job.SetUMembershipsJob or in
org.apache.syncope.core.provisioning.java.propagation.LDAPMembershipPropagationActions

Thank you in advance for your help.

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

Re: Why does Syncope only add new memberships from LDAP but not remove old memberships (those removed from LDAP)?

Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi,
I had to reconsider:

https://issues.apache.org/jira/browse/SYNCOPE-1356

By looking at code in 1_2_X, the missing feature seemed to work.

Regards.

On 16/08/2018 11:06, Francesco Chicchiriccò wrote:
> Hi,
> I am afraid that the behavior you report below is expected.
>
> The way LDAPMembershipPullActions & SetUMembershipsJob work can be
> summarized as follows:
>
> 1. when pulling groups, for each pulled group, read the "uniquemember"
> value (thus getting the member users' DNs on LDAP) and save the association
> "user DN -> groups on Syncope" for later processing
>
> 2. once the pull is complete, attempt to convert user DNs into users on
> Syncope, obtain the new map "user on Syncope -> groups on
> Syncope", and pass such map to SetUMembershipsJob
>
> 3. SetUMembershipsJob will go through the received map and patch each
> user to add membership for the associated group(s)
>
> The problem is that there is no point where Syncope can see which LDAP
> memberships - coming from that specific resource from which it is
> pulling - were actually removed, and thus patch users to *remove*
> memberships.
> Hence, I believe there is no clean solution for the general case.
>
> Naturally, for your specific use case - where you might have a single
> LDAP resource, and be sure that all user memberships are coming from
> LDAP - you could arrange things differently by implementing your own
> version of LDAPMembershipPullActions or SetUMembershipsJob.
>
> Hope this clarifies.
> Regards.
>
> On 15/08/2018 10:47, Alex123 wrote:
>> Hi!
>> I have Syncope 2.1.0 and LDAP connector 1.5.2. All works fine, but
>>
>> THERE IS A PROBLEM:
>> When I remove the attribute
>> 'uniqueMember'='uid=myldapuser,ou=Users,o=client1,dc=xyz,dc=net' in
>> one of
>> the LDAP groups, such as 'MyGroup', and then pull changes to Syncope,
>> Syncope does
>> not remove the 'myldapuser' to 'MyGroup' membership.
>> Syncope only adds new memberships from LDAP but doesn't remove old
>> memberships
>> (those that are removed in LDAP).
>>
>> My LDAP connector has the following settings:
>> - Group Name Attributes = 'cn'
>> - Group Member Attribute = 'uniqueMember'
>> - Maintain LDAP Group Membership = true
>>
>> LdapSync resource has:
>> - Actions Selected = LDAPMembershipPropagationActions
>> - Capabilities = All
>>
>> LdapSync Pull Task has:
>> - Pull Mode = 'FULL_RECONCILIATION'
>> - Remediation = false
>> - Actions Selected = LDAPMembershipPullActions
>> - Matching rule = update
>> - Unmatching rule = ASSIGN
>> - Allow create = true
>> - Allow update = true
>> - Allow delete = true
>>
>> In the debugger I see that Syncope has correct information about memberships
>> in org.apache.syncope.core.provisioning.java.pushpull.LDAPMembershipPullActions,
>> line 175, in the field this.memberships (I see existing memberships and
>> don't
>> see removed memberships)
>>
>> BUT
>> I don't see Syncope drop any memberships in
>> org.apache.syncope.core.provisioning.java.job.SetUMembershipsJob or in
>> org.apache.syncope.core.provisioning.java.propagation.LDAPMembershipPropagationActions
>>
>> Thank you in advance for your help.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Why does Syncope only add new memberships from LDAP but not remove old memberships (those removed from LDAP)?

Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi,
I am afraid that the behavior you report below is expected.

The way LDAPMembershipPullActions & SetUMembershipsJob work can be
summarized as follows:

1. when pulling groups, for each pulled group, read the "uniquemember" value
(thus getting the member users' DNs on LDAP) and save the association "user
DN -> groups on Syncope" for later processing

2. once the pull is complete, attempt to convert user DNs into users on
Syncope, obtain the new map "user on Syncope -> groups on Syncope",
and pass such map to SetUMembershipsJob

3. SetUMembershipsJob will go through the received map and patch each
user to add membership for the associated group(s)

The problem is that there is no point where Syncope can see which LDAP
memberships - coming from that specific resource from which it is
pulling - were actually removed, and thus patch users to *remove*
memberships.
Hence, I believe there is no clean solution for the general case.

Naturally, for your specific use case - where you might have a single
LDAP resource, and be sure that all user memberships are coming from
LDAP - you could arrange things differently by implementing your own
version of LDAPMembershipPullActions or SetUMembershipsJob.

Hope this clarifies.
Regards.

On 15/08/2018 10:47, Alex123 wrote:
> Hi!
> I have Syncope 2.1.0 and LDAP connector 1.5.2. All works fine, but
>
> THERE IS A PROBLEM:
> When I remove the attribute
> 'uniqueMember'='uid=myldapuser,ou=Users,o=client1,dc=xyz,dc=net' in one of
> the LDAP groups, such as 'MyGroup', and then pull changes to Syncope, Syncope does
> not remove the 'myldapuser' to 'MyGroup' membership.
> Syncope only adds new memberships from LDAP but doesn't remove old memberships
> (those that are removed in LDAP).
>
> My LDAP connector has the following settings:
> - Group Name Attributes = 'cn'
> - Group Member Attribute = 'uniqueMember'
> - Maintain LDAP Group Membership = true
>
> LdapSync resource has:
> - Actions Selected = LDAPMembershipPropagationActions
> - Capabilities = All
>
> LdapSync Pull Task has:
> - Pull Mode = 'FULL_RECONCILIATION'
> - Remediation = false
> - Actions Selected = LDAPMembershipPullActions
> - Matching rule = update
> - Unmatching rule = ASSIGN
> - Allow create = true
> - Allow update = true
> - Allow delete = true
>
> In the debugger I see that Syncope has correct information about memberships
> in org.apache.syncope.core.provisioning.java.pushpull.LDAPMembershipPullActions,
> line 175, in the field this.memberships (I see existing memberships and don't
> see removed memberships)
>
> BUT
> I don't see Syncope drop any memberships in
> org.apache.syncope.core.provisioning.java.job.SetUMembershipsJob or in
> org.apache.syncope.core.provisioning.java.propagation.LDAPMembershipPropagationActions
>
> Thank you in advance for your help.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
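The three-step flow described in the reply above, plus the step the thread says is missing (computing memberships to remove), as an added example in Python. This is not Syncope's own code and does not use its API; the group entries, user list, current memberships and the uid-based DN-to-user resolution are all constructed assumptions. It follows the "single LDAP resource" reasoning from the reply, but narrows it slightly: removals are limited to groups that were actually pulled from this resource, so a membership assigned outside LDAP is never dropped.

```python
"""Reconcile LDAP group memberships into a Syncope-like user store.

Added example, not Syncope code. Steps 1-3 mirror the reply above
(collect "user DN -> groups" while pulling groups, resolve DNs to users,
patch each user); compute_patches() adds the missing removal step.
"""
import re
from collections import defaultdict

MEMBER_ATTR = "uniqueMember"   # "Group Member Attribute" from the thread
GROUP_NAME_ATTR = "cn"         # "Group Name Attributes" from the thread

# Constructed LDAP group entries as a pull would return them. myldapuser has
# already been removed from MyGroup on LDAP, the situation reported in the thread.
LDAP_GROUPS = [
    {"cn": "MyGroup",
     "uniqueMember": ["uid=alice,ou=Users,o=client1,dc=xyz,dc=net"]},
    {"cn": "OtherGroup",
     "uniqueMember": ["uid=alice,ou=Users,o=client1,dc=xyz,dc=net",
                      "uid=myldapuser,ou=Users,o=client1,dc=xyz,dc=net",
                      # constructed DN with no matching Syncope user
                      "uid=ghost,ou=Users,o=client1,dc=xyz,dc=net"]},
]

# Constructed Syncope-side state: known users and their current memberships.
# LocalAdmins is assigned outside LDAP and must survive the reconciliation.
SYNCOPE_USERS = {"alice", "myldapuser"}
CURRENT_MEMBERSHIPS = {
    "myldapuser": {"MyGroup", "OtherGroup", "LocalAdmins"},
    "alice": {"MyGroup"},
}

# Assumption: the first RDN of a user DN is uid=<username> (no escaped commas).
_UID_RDN = re.compile(r"^\s*uid=([^,]+)", re.IGNORECASE)


def uid_from_dn(dn):
    """Return the uid RDN value of a DN, or None if the DN does not start with uid=."""
    m = _UID_RDN.match(dn)
    return m.group(1).strip() if m else None


def collect_dn_to_groups(groups):
    """Step 1: while pulling groups, map each member DN to the pulled group names."""
    dn_to_groups = defaultdict(set)
    for g in groups:
        for dn in g.get(MEMBER_ATTR, []):
            dn_to_groups[dn].add(g[GROUP_NAME_ATTR])
    return dn_to_groups


def resolve_users(dn_to_groups, syncope_users):
    """Step 2: turn "DN -> groups" into "Syncope user -> groups"; unknown DNs are skipped."""
    user_to_groups = defaultdict(set)
    for dn, names in dn_to_groups.items():
        uid = uid_from_dn(dn)
        if uid in syncope_users:
            user_to_groups[uid] |= names
    return user_to_groups


def compute_patches(desired, current, resource_groups):
    """Step 3 plus the missing piece: per-user (add, remove) membership sets.

    Removals are restricted to groups pulled from this resource, so
    memberships that did not come from LDAP (e.g. LocalAdmins) are kept.
    Users absent from `desired` but present in `current` are still visited,
    so a user dropped from every LDAP group loses those memberships too.
    """
    patches = {}
    for user in set(desired) | set(current):
        wanted = desired.get(user, set())
        have = current.get(user, set())
        add = wanted - have
        remove = (have & resource_groups) - wanted
        if add or remove:
            patches[user] = (add, remove)
    return patches


def reconcile(groups=LDAP_GROUPS, users=SYNCOPE_USERS, current=CURRENT_MEMBERSHIPS):
    """Run the full pull-side reconciliation and return the patches to apply."""
    resource_groups = {g[GROUP_NAME_ATTR] for g in groups}
    desired = resolve_users(collect_dn_to_groups(groups), users)
    return compute_patches(desired, current, resource_groups)


if __name__ == "__main__":
    for user, (add, remove) in sorted(reconcile().items()):
        print(f"{user}: add={sorted(add)} remove={sorted(remove)}")
```

With the constructed data, myldapuser gets MyGroup removed and keeps LocalAdmins, while alice gains OtherGroup. One limitation worth noting: a group deleted from LDAP altogether no longer appears in the pulled set, so its old memberships are not removed by this logic; handling that case would require remembering which groups were previously linked to the resource.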