Posted to user@syncope.apache.org by jeverling <je...@surfnet.nl> on 2013/11/07 15:54:07 UTC

ConnId LDAP searches for uid in groupOfUniqueNames

Dear Mailinglist,

Since I haven't found a similar problem on this mailing list, I hope that
opening a topic of my own can solve my issue.

I am trying to create a full LDAP sync and the users seem to synchronise,
but the roles (groups in LDAP) seem to get stuck.

I have located this specific line in my logging. I know for a fact that
groupOfUniqueNames does not contain a uid and therefore it returns the
error: No attribute named uid found in the search result

[ou=Persons,dc=apds,dc=test,dc=nl, ou=Groups,dc=apds,dc=test,dc=nl] with
filter (objectClass=groupofUniqueNames) and SearchControls:
{returningAttributes=[description, uid], scope=SUBTREE}

Does anyone know where I can change the connector settings? I am probably
missing something very stupid.

I can post information as needed.

Kind regards,

Jeffrey Everling 




Re: ConnId LDAP searches for uid in groupOfUniqueNames

Posted by jeverling <je...@surfnet.nl>.
Hello francesco,

Thank you for the response. I divided groups and users into two
connectors. As far as I can see the uid problem is solved. Now I am
running into new errors. Hope I can figure these out on my own.

ilgrosso [via syncope-user] wrote on 07-11-13 16:01:
> On 07/11/2013 15:54, jeverling wrote:
> 
>> Dear Mailinglist,
>>
>> Since I haven't found a similar problem on this mailing list, I hope that
>> opening a topic of my own can solve my issue.
>>
>> I am trying to create a full LDAP sync and the users seem to synchronise,
>> but the roles (groups in LDAP) seem to get stuck.
>>
>> I have located this specific line in my logging. I know for a fact that
>> groupOfUniqueNames does not contain a uid and therefore it returns the
>> error: No attribute named uid found in the search result
>>
>> [ou=Persons,dc=apds,dc=test,dc=nl, ou=Groups,dc=apds,dc=test,dc=nl] with
>> filter (objectClass=groupofUniqueNames) and SearchControls:
>> {returningAttributes=[description, uid], scope=SUBTREE}
>>
>> Does anyone know where I can change the connector settings? I am probably
>> missing something very stupid.
>>
>> I can post information as needed.
> 
> Hi,
> if you want to use the same LDAP connector for both users and groups,
> you should set the 'Uid Attribute' configuration parameter value to 'cn'
> (it's 'uid' by default).
> 
> FYI, you can find a full working sample plus some more information in
> this post:
> 
> http://blog.tirasa.net/blogs/index.php/ilgrosso/unlock-full-ldap-features-in
> 
> HTH
> Regards.
> 
> -- 
> Francesco Chicchiriccò
> 
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/
> 
> 

-- 
Kind regards,


Jeffrey Everling
Interne Automatisering
SURFnet BV





Re: ConnId LDAP searches for uid in groupOfUniqueNames

Posted by jeverling <je...@surfnet.nl>.
Hello Ilgrosso,

> 
> Hi,
> if you are interested in ConnId LDAP connector internals, I'd suggest
> to subscribe connid-users@googlegroups.com and move this discussion there.

Ok I will consider that. Thanks

> 
> From the log below I see that the search is being performed with
> filter
> (besides object classes):
> 
> (&&(cn=guus)(uid=*))
> 
> which looks correct, i.e. searching for any user with any value for uid
> and 'guus' as cn.
> 
> AFAIK there is no need to have LDAP cn == Syncope username - I'd
> recommend it, though.

I was using cn as stated in RFC 2256, which is 'gn + sn'. Therefore I had
a manual user mapping for cn: a derived attribute in Syncope,
'givenName + " " + surName', mapped to cn (cn=Guus Geluk).

The Syncope configuration then still tries to search with cn == Syncope
username (cn=guus).

In that case it won't find any users when searching for cn == 'Syncope
username' (unless I use 'Guus Geluk' as username, of course).

After removing the user mapping for cn and using the cn attribute as
stated in your documentation, the configuration works as expected, of
course.


> 
> As recently remembered in this mailing list [1], the 'membership'
> concept is not handled by ConnId, so you need some additional setup
> in
> Syncope to keep memberships when propagating and / or synchronizing.
> 
> In case of LDAP you need to:
> 
> 1. choose
> org.apache.syncope.core.propagation.impl.LDAPMembershipPropagationActions
> as
> Actions Class in the External Resource configuration
> 
> 2. choose org.apache.syncope.core.sync.impl.LDAPMembershipSyncActions
> as Actions Class in the Synchronization Task configuration
> 
> These steps are illustrated in the suggested LDAP configuration of my
> post [2] where, however, I'm using a single resource for both users
> and roles.
> The configuration suggested in that post has been checked and proven
> working, so it should be a good starting base.

Thanks for explaining everything in detail. Point 1 and 2 were already
correctly configured, it was purely the "cn" problem. My LDAP connection
works like a charm now.


Kind regards,


Jeffrey Everling




-----
Kind Regards,

Jeffrey Everling
Your friendly neighborhood IT guy

Re: ConnId LDAP searches for uid in groupOfUniqueNames

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 11/11/2013 00:22, jeverling wrote:
> Hello Ilgrosso,
>
> After struggling for a while with the LDAP and AD connectors I kept wondering why the LDAP connector doesn't search for groups with "Group Name Attributes" instead of "Uid Attribute".
> I was hoping you could explain to me why it searches on "Uid Attribute"; it makes me curious.

Hi,
if you are interested in ConnId LDAP connector internals, I'd suggest to 
subscribe connid-users@googlegroups.com and move this discussion there.

> Also it seems to me now that the only way to set up a successful user and group (de)prov with one connector is by using a cn as your username in Syncope itself (and probably in LDAP as well for best practice). When using the uid value it creates a strange search query (see below). As cn=Guus Geluk it won't find any results since it is searching for the uid value (uid=guus).

From the log below I see that the search is being performed with filter 
(besides object classes):

(&&(cn=guus)(uid=*))

which looks correct, i.e. searching for any user with any value for uid 
and 'guus' as cn.

AFAIK there is no need to have LDAP cn == Syncope username - I'd 
recommend it, though.

> I haven't found a connector configuration which fixes this yet, so I thought you might have any idea. Since I also haven't seen any other questions about this scenario, I am starting to wonder if it is such a unique scenario
> to use uids in Syncope as well as in LDAP.
>
> When using two connectors the user and group (de)prov goes well, except that the memberships don't seem to get propagated or synchronized from the LDAP server. I will try a bit harder to get this (and the one-connector) setup
> working this week. If you like I can keep you posted.

As recently recalled in this mailing list [1], the 'membership' 
concept is not handled by ConnId, so you need some additional setup in 
Syncope to keep memberships when propagating and / or synchronizing.

In case of LDAP you need to:

  1. choose 
org.apache.syncope.core.propagation.impl.LDAPMembershipPropagationActions as 
Actions Class in the External Resource configuration

  2. choose org.apache.syncope.core.sync.impl.LDAPMembershipSyncActions 
as Actions Class in the Synchronization Task configuration

These steps are illustrated in the suggested LDAP configuration of my 
post [2] where, however, I'm using a single resource for both users 
and roles.
The configuration suggested in that post has been checked and proven 
working, so it should be a good starting base.

HTH
Regards.

> 23:55:25.647 DEBUG
> org.connid.bundles.ldap.search.DefaultSearchStrategy.doSearch Searching in
> [ou=Persons,dc=apds,dc=test,dc=nl, ou=Groups,dc=apds,dc=test,dc=nl] with
> filter
> (&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=extensibleObject))(cn=guus)(uid=*))
> and SearchControls: {returningAttributes=[cn, description, email, gidNumber,
> givenName, homeDirectory, sn, uidNumber, userPassword], scope=SUBTREE}

[1] 
http://syncope-user.1051894.n5.nabble.com/Synchronizing-role-membership-with-the-scripted-SQL-connector-tp5707397p5707403.html
[2] 
http://blog.tirasa.net/blogs/index.php/ilgrosso/unlock-full-ldap-features-in

-- 
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/


Re: ConnId LDAP searches for uid in groupOfUniqueNames

Posted by jeverling <je...@surfnet.nl>.
Hello Ilgrosso,

After struggling for a while with the LDAP and AD connectors I kept
wondering why the LDAP connector doesn't search for groups with "Group Name
Attributes" instead of "Uid Attribute".
I was hoping you could explain to me why it searches on "Uid Attribute"; it
makes me curious.

Also it seems to me now that the only way to set up a successful user and
group (de)prov with one connector is by using a cn as your username in
Syncope itself (and probably in LDAP as well for best practice). When using
the uid value it creates a strange search query (see below). As cn=Guus
Geluk it won't find any results since it is searching for the uid value
(uid=guus).

I haven't found a connector configuration which fixes this yet, so I thought
you might have any idea. Since I also haven't seen any other questions about
this scenario, I am starting to wonder if it is such a unique scenario
to use uids in Syncope as well as in LDAP.

When using two connectors the user and group (de)prov goes well, except that
the memberships don't seem to get propagated or synchronized from the LDAP
server. I will try a bit harder to get this (and the one-connector) setup
working this week. If you like I can keep you posted.

23:55:25.647 DEBUG
org.connid.bundles.ldap.search.DefaultSearchStrategy.doSearch Searching in
[ou=Persons,dc=apds,dc=test,dc=nl, ou=Groups,dc=apds,dc=test,dc=nl] with
filter
(&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=extensibleObject))(cn=guus)(uid=*))
and SearchControls: {returningAttributes=[cn, description, email, gidNumber,
givenName, homeDirectory, sn, uidNumber, userPassword], scope=SUBTREE}

Kind regards,

Jeffrey Everling




Re: ConnId LDAP searches for uid in groupOfUniqueNames

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 07/11/2013 15:54, jeverling wrote:
> Dear Mailinglist,
>
> Since I haven't found a similar problem on this mailing list, I hope that
> opening a topic of my own can solve my issue.
>
> I am trying to create a full LDAP sync and the users seem to synchronise,
> but the roles (groups in LDAP) seem to get stuck.
>
> I have located this specific line in my logging. I know for a fact that
> groupOfUniqueNames does not contain a uid and therefore it returns the
> error: No attribute named uid found in the search result
>
> [ou=Persons,dc=apds,dc=test,dc=nl, ou=Groups,dc=apds,dc=test,dc=nl] with
> filter (objectClass=groupofUniqueNames) and SearchControls:
> {returningAttributes=[description, uid], scope=SUBTREE}
>
> Does anyone know where I can change the connector settings? I am probably
> missing something very stupid.
>
> I can post information as needed.

Hi,
if you want to use the same LDAP connector for both users and groups, 
you should set the 'Uid Attribute' configuration parameter value to 'cn' 
(it's 'uid' by default).

FYI, you can find a full working sample plus some more information in 
this post:

http://blog.tirasa.net/blogs/index.php/ilgrosso/unlock-full-ldap-features-in

HTH
Regards.

-- 
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
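The two search behaviours discussed in this thread (the 'Uid Attribute' that must exist on every returned entry, and the user lookup filtered on cn) as an added example that is not part of the original posts nor of the ConnId or Apache Syncope code: a small Python simulation of the connector's search over a constructed LDIF directory. The entries (including a hypothetical group "admins"), the filter evaluator (equality, presence and AND only) and the two rules it applies are assumptions distilled from the log lines quoted above, not the connector's actual implementation. With the default Uid Attribute 'uid', the groupOfUniqueNames hit fails with "No attribute named uid found in the search result"; with 'cn', one connector serves both object types; and the lookup filter (cn=guus) matches nothing while the entry's cn is "Guus Geluk".

```python
"""Simulation of the ConnId LDAP connector search discussed in the thread.

Added example, not ConnId/Syncope code.  Two rules, taken from the quoted
DEBUG log lines, approximate the connector:
  1. every hit must carry the configured 'Uid Attribute', otherwise the
     search fails with "No attribute named <attr> found in the search result";
  2. a user lookup by Syncope username is filtered on cn, AND'ed with the
     object classes and the presence of the Uid Attribute.
"""
import re
from typing import Dict, List

# Constructed sample directory (hypothetical entries): a user whose cn is
# givenName + " " + sn, and a group that, as usual, has no uid attribute.
SAMPLE_LDIF = """\
dn: uid=guus,ou=Persons,dc=apds,dc=test,dc=nl
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
uid: guus
cn: Guus Geluk
givenName: Guus
sn: Geluk

dn: cn=admins,ou=Groups,dc=apds,dc=test,dc=nl
objectClass: groupOfUniqueNames
cn: admins
description: Administrators
uniqueMember: uid=guus,ou=Persons,dc=apds,dc=test,dc=nl
"""

Entry = Dict[str, List[str]]
USER_OBJECT_CLASSES = ("inetOrgPerson", "posixAccount", "extensibleObject")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader (no base64, no continuation lines); attribute
    names are lower-cased since LDAP attribute names are case-insensitive."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def split_components(inner: str) -> List[str]:
    """Split '(a)(b)(c)' at the top level, honouring nested parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(inner):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(inner[start:i + 1])
    return parts


def matches(entry: Entry, flt: str) -> bool:
    """Evaluate a subset of RFC 4515 filters: equality, presence (attr=*)
    and AND; values compared case-insensitively (caseIgnoreMatch)."""
    flt = flt.strip()
    if flt.startswith("(&"):
        return all(matches(entry, sub) for sub in split_components(flt[2:-1]))
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, wanted = m.group(1).lower(), m.group(2)
    values = entry.get(attr, [])
    return bool(values) if wanted == "*" else any(v.lower() == wanted.lower() for v in values)


def connector_search(directory: List[Entry], flt: str, uid_attribute: str,
                     returning: List[str]) -> List[Entry]:
    """Rule 1: run the filter, then insist that every hit exposes the Uid
    Attribute (it is always appended to returningAttributes)."""
    hits = []
    for entry in directory:
        if not matches(entry, flt):
            continue
        if uid_attribute.lower() not in entry:
            raise LookupError(f"No attribute named {uid_attribute} found in the search result")
        hits.append({a: entry.get(a.lower(), []) for a in list(returning) + [uid_attribute]})
    return hits


def user_lookup_filter(username: str, uid_attribute: str) -> str:
    """Rule 2: the filter shape seen in the thread's DEBUG log line."""
    classes = "".join(f"(objectClass={c})" for c in USER_OBJECT_CLASSES)
    return f"(&(&{classes})(cn={username})({uid_attribute}=*))"


def demo() -> Dict[str, object]:
    directory = parse_ldif(SAMPLE_LDIF)
    groups = "(objectClass=groupOfUniqueNames)"
    out: Dict[str, object] = {}
    try:  # default Uid Attribute 'uid' against groups: fails as in the first post
        connector_search(directory, groups, "uid", ["description"])
        out["groups_with_uid"] = "ok"
    except LookupError as exc:
        out["groups_with_uid"] = str(exc)
    # Uid Attribute 'cn': one connector serves both users and groups
    out["groups_with_cn"] = len(connector_search(directory, groups, "cn", ["description"]))
    out["users_with_cn"] = len(connector_search(directory, "(objectClass=inetOrgPerson)", "cn", ["sn"]))
    # username 'guus' vs cn 'Guus Geluk': the cn-based lookup finds nothing
    out["lookup_guus"] = len(connector_search(directory, user_lookup_filter("guus", "uid"), "uid", ["cn"]))
    out["lookup_full_cn"] = len(connector_search(directory, user_lookup_filter("Guus Geluk", "uid"), "uid", ["cn"]))
    return out
```

Running `demo()` shows the failure string for the group search under 'uid', one hit each for groups and users under 'cn', zero hits for the (cn=guus) lookup and one hit once the username equals the LDAP cn. Against a real directory the equivalent check is an `ldapsearch` over the same base DNs, filter and returning attributes as the DEBUG line, inspecting whether every returned entry actually carries the attribute configured as 'Uid Attribute'.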