Posted to user@syncope.apache.org by Martin van Es <mr...@gmail.com> on 2013/04/16 14:26:42 UTC

Conditional resource propagation

I was wondering if it's possible to automatically provision certain
resources for one account based on a condition (attribute) set in the source
resource.

A hypothetical situation:

A CSVdir synchronisation resource contains all my users, some of which
initially need to have an LDAP account propagated, others a DB account and a
lucky few both.

Is there a way to specify a role attribute in the CSVdir resource that gets
mapped to a role, that assigns the LDAP and/or the DB resource for the
user? I tried creating two roles (LDAP/DB) with mappings to my resources
LDAP and DB, but in the interface, the assigned resources are not preserved
in the role definition dialog. Apart from that, would this be a possibility
in Syncope?

Regards,
Martin

Re: Conditional resource propagation

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 19/04/2013 09:34, Martin van Es wrote:
> Hi Francesco,
>
> On Fri, Apr 19, 2013 at 8:27 AM, Francesco Chicchiriccò 
> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>
>     On 18/04/2013 20:12, Martin van Es wrote:
>>     On Tue, Apr 16, 2013 at 2:37 PM, Francesco Chicchiriccò
>>     <ilgrosso@apache.org <ma...@apache.org>> wrote:
>>
>>         On 16/04/2013 14:26, Martin van Es wrote:
>>
>>             I was wondering if it's possible to automatically
>>             provision certain resource for one account based on a
>>             condition (attribute) set in the source resource.
>>
>>         Hi Martin,
>>         I've understood that you want to assign upon synchronization
>>         role A, B or C to users from a CSVDir resource where A has
>>         assigned a LDAP resource, B a DB resource and C both. Is this
>>         correct?
>>
>>         If so, you need to define a SyncJobActionsClass [1] or
>>         SyncActionsClass [2]  (depending on the Syncope version you
>>         are running) and implement the logic "assign role A, B or C
>>         to synchronizing user" in the before() method.
>>
>>
>>     I was googling on syncope role membership and found this snippet
>>     on [1]
>>     > The possible implementations could be:
>>     > 1. I could ignore role/membership attribute mappings during synchronization (this is
>>     the current implementation ---> no issue to open)
>>     > 2. I can try to synchronize these information also:
>>     > 	a. Role attribute mappings could be used to assign syncope roles dynamically during
>>     synchronization
>>
>>     Example, again: let's suppose we are synchronizing an LDAP user user1
>>     with memberOf "cn=B,ou=groups,dc=tirasa,dc=net"; in this case Syncope
>>     will try to assign role B (i.e. Syncope role with same value of
>>     "membershipsOnLDAP") to Syncope user matching user1 on LDAP.
>>     This would match my question for conditional resources. Since you participated in this thread and it's more than a year old, can you tell me what the status of implementation 2 is? Is it completely off radar?
>
>     Basically, with LDAP and Active Directory connectors, you can
>     actually propagate / synchronize memberships from / to Syncope by
>     empowering two specific action classes
>     (LDAPMembershipPropagationActions and LDAPMembershipSyncActions),
>     and a good schema mapping that will include both user and role
>     mapping.
>
> This is not what I mean, the part of the thread I'm referring to is 
> the example: By being member of  "cn=B,ou=groups,dc=tirasa,dc=net", 
> Syncope would try to assign role B to syncope user, based on the match 
> in the role attribute membershipsOnLDAP. If this was implemented (and 
> extended to a role attribute value in the synchronisation source e.g.) 
> I would have a way of conditionally provision resources to users (by 
> mapping resources to the matched role). I see your objections further 
> in the discussion that it would be a very complicated logistic process 
> managing all requirements of mandatory attributes following the role 
> assignment, but in the simple case it would be a very handy way of 
> conditionally propagating users to resources (not memberships on 
> resources).

Nope: if this is what you are asking, I can only repeat my first answer 
above: implement this logic in a SyncActionsClass.

As said, LDAP is a very particular case, because of the extended 
capabilities of the associated connector.

Regards.

-- 
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
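
The SyncActionsClass approach recommended above, as an added example that is not code from this thread or from the Syncope project. It assumes the Syncope 1.1.x hook API (a class extending org.apache.syncope.core.sync.DefaultSyncActions, with the pre-create hook beforeCreate(handler, delta, subject)), a CSVDir column named "role" holding "ldap", "db" or "both", and two Syncope roles with ids 10 and 11 that carry the LDAP and DB resources respectively; the package, class and column names and the role ids are assumptions, and the hook signature must be checked against the version actually in use.

```java
// Added example for this thread; not code from the Syncope project.
// Assumptions (check against the version you run): Syncope 1.1.x, where sync
// hooks extend org.apache.syncope.core.sync.DefaultSyncActions and the pre-create
// hook is beforeCreate(handler, delta, subject); a CSVDir column named "role"
// holding "ldap", "db" or "both"; Syncope roles with ids 10 (LDAP resource
// assigned) and 11 (DB resource assigned). Package and class name are mine.
package org.example.syncope;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.apache.syncope.common.to.AbstractAttributableTO;
import org.apache.syncope.common.to.MembershipTO;
import org.apache.syncope.common.to.UserTO;
import org.apache.syncope.core.sync.DefaultSyncActions;
import org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler;
import org.identityconnectors.framework.common.objects.Attribute;
import org.identityconnectors.framework.common.objects.AttributeUtil;
import org.identityconnectors.framework.common.objects.SyncDelta;
import org.quartz.JobExecutionException;

public class CsvRoleSyncActions extends DefaultSyncActions {

    /** CSVDir column carrying the role code (assumed name). */
    private static final String ROLE_COLUMN = "role";

    /**
     * Role code in the CSV -> Syncope role ids to assign (assumed ids). The
     * resources (LDAP, DB) are configured on the roles themselves, so the user
     * gets them through the membership, not from this class.
     */
    private static final Map<String, Set<Long>> ROLES_BY_CODE;

    static {
        Map<String, Set<Long>> m = new HashMap<String, Set<Long>>();
        m.put("ldap", Collections.singleton(10L));
        m.put("db", Collections.singleton(11L));
        m.put("both", new LinkedHashSet<Long>(Arrays.asList(10L, 11L)));
        ROLES_BY_CODE = Collections.unmodifiableMap(m);
    }

    /** Decision logic kept free of Syncope types so it can be unit-tested on its own. */
    static Set<Long> rolesFor(final String roleCode) {
        if (roleCode == null) {
            return Collections.emptySet();
        }
        Set<Long> roles = ROLES_BY_CODE.get(roleCode.trim().toLowerCase(Locale.ENGLISH));
        // Fail closed: an unknown or misspelled code assigns no role, hence no resource.
        return roles == null ? Collections.<Long>emptySet() : roles;
    }

    @Override
    public <T extends AbstractAttributableTO> SyncDelta beforeCreate(
            final SyncopeSyncResultHandler handler, final SyncDelta delta, final T subject)
            throws JobExecutionException {

        if (subject instanceof UserTO) {
            UserTO user = (UserTO) subject;
            // Read the role code straight from the connector object coming out of CSVDir.
            Attribute roleAttr = delta.getObject().getAttributeByName(ROLE_COLUMN);
            String roleCode = roleAttr == null ? null : AttributeUtil.getStringValue(roleAttr);

            for (Long roleId : rolesFor(roleCode)) {
                if (!hasMembership(user, roleId)) {
                    MembershipTO membership = new MembershipTO();
                    membership.setRoleId(roleId);
                    user.addMembership(membership);
                }
            }
        }
        return delta;
    }

    private static boolean hasMembership(final UserTO user, final long roleId) {
        for (MembershipTO m : user.getMemberships()) {
            if (m.getRoleId() == roleId) {
                return true;
            }
        }
        return false;
    }
}
```

The class has to be on the core's classpath and selected as the actions class of the CSVDir synchronization task. Two caveats from the discussion above apply: a role whose schema declares mandatory attributes will make the user creation fail unless the CSV row (or a default) supplies them, and this hook only covers the first synchronization of a user; if the role code in the CSV can change later, the same decision has to be repeated in the update hook, including removing memberships that no longer apply.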


Re: Conditional resource propagation

Posted by Martin van Es <mr...@gmail.com>.
Hi Francesco,

On Fri, Apr 19, 2013 at 8:27 AM, Francesco Chicchiriccò <ilgrosso@apache.org
> wrote:

>  On 18/04/2013 20:12, Martin van Es wrote:
>
> On Tue, Apr 16, 2013 at 2:37 PM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>>  On 16/04/2013 14:26, Martin van Es wrote:
>>
>>> I was wondering if it's possible to automatically provision certain
>>> resource for one account based on a condition (attribute) set in the source
>>> resource.
>>>
>>>   Hi Martin,
>> I've understood that you want to assign upon synchronization role A, B or
>> C to users from a CSVDir resource where A has assigned a LDAP resource, B a
>> DB resource and C both. Is this correct?
>>
>> If so, you need to define a SyncJobActionsClass [1] or SyncActionsClass
>> [2]  (depending on the Syncope version you are running) and implement the
>> logic "assign role A, B or C to synchronizing user" in the before() method.
>>
>>
>  I was googling on syncope role membership and found this snippet on [1]
>
> > The possible implementations could be:
> > 1. I could ignore role/membership attribute mappings during synchronization (this is
> the current implementation ---> no issue to open)
> > 2. I can try to synchronize these information also:
> > 	a. Role attribute mappings could be used to assign syncope roles dynamically during
> synchronization
>
> Example, again: let's suppose we are synchronizing an LDAP user user1
> with memberOf "cn=B,ou=groups,dc=tirasa,dc=net"; in this case Syncope
> will try to assign role B (i.e. Syncope role with same value of
> "membershipsOnLDAP") to Syncope user matching user1 on LDAP.
>
> This would match my question for conditional resources. Since you participated in this thread and it's more than a year old, can you tell me what the status of implementation 2 is? Is it completely off radar?
>
>
> Basically, with LDAP and Active Directory connectors, you can actually
> propagate / synchronize memberships from / to Syncope by empowering two
> specific action classes (LDAPMembershipPropagationActions and
> LDAPMembershipSyncActions), and a good schema mapping that will include
> both user and role mapping.
>
> This is not what I mean, the part of the thread I'm referring to is the
example: By being member of  "cn=B,ou=groups,dc=tirasa,dc=net", Syncope
would try to assign role B to syncope user, based on the match in the role
attribute membershipsOnLDAP. If this was implemented (and extended to a
role attribute value in the synchronisation source e.g.) I would have a way
of conditionally provision resources to users (by mapping resources to the
matched role). I see your objections further in the discussion that it
would be a very complicated logistic process managing all requirements of
mandatory attributes following the role assignment, but in the simple case
it would be a very handy way of conditionally propagating users to
resources (not memberships on resources).

Best regards.
Martin

Re: Conditional resource propagation

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 18/04/2013 20:12, Martin van Es wrote:
> Hi Francesco,
>
>
> On Tue, Apr 16, 2013 at 2:37 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>
>     On 16/04/2013 14:26, Martin van Es wrote:
>
>         I was wondering if it's possible to automatically provision
>         certain resource for one account based on a condition
>         (attribute) set in the source resource.
>
>     Hi Martin,
>     I've understood that you want to assign upon synchronization role
>     A, B or C to users from a CSVDir resource where A has assigned a
>     LDAP resource, B a DB resource and C both. Is this correct?
>
>     If so, you need to define a SyncJobActionsClass [1] or
>     SyncActionsClass [2]  (depending on the Syncope version you are
>     running) and implement the logic "assign role A, B or C to
>     synchronizing user" in the before() method.
>
>
> I was googling on syncope role membership and found this snippet on [1]
> > The possible implementations could be:
> > 1. I could ignore role/membership attribute mappings during synchronization (this is
> the current implementation ---> no issue to open)
> > 2. I can try to synchronize these information also:
> > 	a. Role attribute mappings could be used to assign syncope roles dynamically during
> synchronization
>
> Example, again: let's suppose we are synchronizing an LDAP user user1
> with memberOf "cn=B,ou=groups,dc=tirasa,dc=net"; in this case Syncope
> will try to assign role B (i.e. Syncope role with same value of
> "membershipsOnLDAP") to Syncope user matching user1 on LDAP.
> This would match my question for conditional resources. Since you participated in this thread and it's more than a year old, can you tell me what the status of implementation 2 is? Is it completely off radar?

Hi Martin,
that's a very old thread!

That discussion was referring to pre-1.0.0; after that, in 1.1.0 many 
things have changed in that area, mainly due to SYNCOPE-26 [2].

Basically, with LDAP and Active Directory connectors, you can actually 
propagate / synchronize memberships from / to Syncope by empowering two 
specific action classes (LDAPMembershipPropagationActions and 
LDAPMembershipSyncActions), and a good schema mapping that will include 
both user and role mapping.

An example of this is contained in the standalone distribution, so take 
a look there if you want to get more details.
As a side note, consider that for LDAP the object classes 'groupOfNames' 
or 'groupOfUniqueNames' are used for groups.

Regards.

> [1] 
> http://mail-archives.apache.org/mod_mbox/incubator-syncope-dev/201202.mbox/%3C4F47746A.8000808@apache.org%3E
[2] https://issues.apache.org/jira/browse/SYNCOPE-26

-- 
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/


Re: Conditional resource propagation

Posted by Martin van Es <mr...@gmail.com>.
Hi Francesco,


On Tue, Apr 16, 2013 at 2:37 PM, Francesco Chicchiriccò <ilgrosso@apache.org
> wrote:

> On 16/04/2013 14:26, Martin van Es wrote:
>
>> I was wondering if it's possible to automatically provision certain
>> resource for one account based on a condition (attribute) set in the source
>> resource.
>>
>> Hi Martin,
> I've understood that you want to assign upon synchronization role A, B or
> C to users from a CSVDir resource where A has assigned a LDAP resource, B a
> DB resource and C both. Is this correct?
>
> If so, you need to define a SyncJobActionsClass [1] or SyncActionsClass
> [2]  (depending on the Syncope version you are running) and implement the
> logic "assign role A, B or C to synchronizing user" in the before() method.
>
>
I was googling on syncope role membership and found this snippet on [1]

> The possible implementations could be:
> 1. I could ignore role/membership attribute mappings during synchronization (this is
the current implementation ---> no issue to open)
> 2. I can try to synchronize these information also:
> 	a. Role attribute mappings could be used to assign syncope roles dynamically during
synchronization

Example, again: let's suppose we are synchronizing an LDAP user user1
with memberOf "cn=B,ou=groups,dc=tirasa,dc=net"; in this case Syncope
will try to assign role B (i.e. Syncope role with same value of
"membershipsOnLDAP") to Syncope user matching user1 on LDAP.

This would match my question for conditional resources. Since you
participated in this thread and it's more than a year old, can you
tell me what the status of implementation 2 is? Is it completely off
radar?

Regards,

Martin

[1] http://mail-archives.apache.org/mod_mbox/incubator-syncope-dev/201202.mbox/%3C4F47746A.8000808@apache.org%3E

Re: Conditional resource propagation

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 16/04/2013 19:05, Martin van Es wrote:
> Hi,
>
> I fixed it. The instructions on the wiki are wrong: The correct 
> location for ResourcesPanel.java is
> console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java

Nice catch :-)
I've fixed the path in the wiki page, thanks for reporting.

Regards.

> After I moved the .java file and rebuilt the wars, 
> the ResourcesPanel.class was of today and I can add resources to a role.
>
> Regards,
> Martin
>
>
> On Tue, Apr 16, 2013 at 5:38 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>
>     On 16/04/2013 17:19, Martin van Es wrote:
>>     I don't know how to check what version of the Class I'm running,
>>     the logs aren't telling me, but I do know I copied the correct
>>     files in the correct location.
>>     I do see however that the ResourcesPanel.class I find in the
>>     target tree of console are dated april 5, which is strange for a
>>     build that happened today?
>
>     This is clearly your issue.
>
>
>>     I do a "mvn clean package -Dlog.directory=/var/lib/tomcat7/logs
>>     -Dconnid.location=file:/opt/syncope/bundles", should I do
>>     something else instead?
>
>     Just this, from the root (e.g. the directory containing core/ and
>     console/).
>
>     Regards.
>
>
>>     On Tue, Apr 16, 2013 at 4:37 PM, Francesco Chicchiriccò
>>     <ilgrosso@apache.org <ma...@apache.org>> wrote:
>>
>>         On 16/04/2013 16:05, Martin van Es wrote:
>>>         Hi Francesco,
>>>
>>>         On Tue, Apr 16, 2013 at 2:59 PM, Francesco Chicchiriccò
>>>         <ilgrosso@apache.org <ma...@apache.org>> wrote:
>>>
>>>             A couple of bugs have been found in Apache Syncope
>>>             1.1.0, already fixed in 1.1.1-SNAPSHOT, including the
>>>             one you are reporting above.
>>>             Please take a look at [3] for a workaround until 1.1.1
>>>             is released.
>>>
>>>
>>>         I applied both hotfixes in [3] and recompiled
>>>         syncope/syncope-console but this doesn't fix the resource to
>>>         role assignment bug.
>>
>>         This is strange: please be sure that you are actually running
>>         the ResourcePanel class [4], that differs from the original
>>         1.1.0 because of [5], e.g.
>>
>>         new PropertyModel<List<String>>(roleTO, "resources")
>>
>>         instead of
>>
>>         new ListModel<String>(selectedResources)
>>
>>         I have just tested this again and had no problems.
>>
>>         Regards.
>>
>>         [4]
>>         http://svn.apache.org/viewvc/syncope/branches/1_1_X/console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java?view=co&pathrev=1467915
>>         [5]
>>         http://svn.apache.org/viewvc/syncope/branches/1_1_X/console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java?r1=1464359&r2=1467915&pathrev=1467915&diff_format=h
>>
-- 
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/


Re: Conditional resource propagation

Posted by Martin van Es <mr...@gmail.com>.
Hi,

I fixed it. The instructions on the wiki are wrong: The correct location
for ResourcesPanel.java is
console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java

After I moved the .java file and rebuilt the wars, the ResourcesPanel.class
was of today and I can add resources to a role.

Regards,
Martin


On Tue, Apr 16, 2013 at 5:38 PM, Francesco Chicchiriccò <ilgrosso@apache.org
> wrote:

>  On 16/04/2013 17:19, Martin van Es wrote:
>
> I don't know how to check what version of the Class I'm running, the logs
> aren't telling me, but I do know I copied the correct files in the correct
> location.
> I do see however that the ResourcesPanel.class I find in the target tree
> of console are dated april 5, which is strange for a build that happened
> today?
>
>
> This is clearly your issue.
>
>
>   I do a "mvn clean package -Dlog.directory=/var/lib/tomcat7/logs
> -Dconnid.location=file:/opt/syncope/bundles", should I do something else
> instead?
>
>
> Just this, from the root (e.g. the directory containing core/ and
> console/).
>
> Regards.
>
>
>   On Tue, Apr 16, 2013 at 4:37 PM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>>   On 16/04/2013 16:05, Martin van Es wrote:
>>
>> Hi Francesco,
>>
>>  On Tue, Apr 16, 2013 at 2:59 PM, Francesco Chicchiriccò <
>> ilgrosso@apache.org> wrote:
>>
>>>  A couple of bugs have been found in Apache Syncope 1.1.0, already
>>> fixed in 1.1.1-SNAPSHOT, including the one you are reporting above.
>>>  Please take a look at [3] for a workaround until 1.1.1 is released.
>>>
>>>
>>>  I applied both hotfixes in [3] and recompiled syncope/syncope-console
>> but this doesn't fix the resource to role assignment bug.
>>
>>
>>  This is strange: please be sure that you are actually running the
>> ResourcePanel class [4], that differs from the original 1.1.0 because of
>> [5], e.g.
>>
>> new PropertyModel<List<String>>(roleTO, "resources")
>>
>> instead of
>>
>> new ListModel<String>(selectedResources)
>>
>> I have just tested this again and had no problems.
>>
>> Regards.
>>
>> [4]
>> http://svn.apache.org/viewvc/syncope/branches/1_1_X/console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java?view=co&pathrev=1467915
>> [5]
>> http://svn.apache.org/viewvc/syncope/branches/1_1_X/console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java?r1=1464359&r2=1467915&pathrev=1467915&diff_format=h
>>
>   --
> Francesco Chicchiriccò
>
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
If 'but' was any useful, it would be a logic operator

Re: Conditional resource propagation

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 16/04/2013 17:19, Martin van Es wrote:
> I don't know how to check what version of the Class I'm running, the 
> logs aren't telling me, but I do know I copied the correct files in 
> the correct location.
> I do see however that the ResourcesPanel.class I find in the target 
> tree of console are dated april 5, which is strange for a build that 
> happened today?

This is clearly your issue.

> I do a "mvn clean package -Dlog.directory=/var/lib/tomcat7/logs 
> -Dconnid.location=file:/opt/syncope/bundles", should I do something 
> else instead?

Just this, from the root (e.g. the directory containing core/ and console/).

Regards.

> On Tue, Apr 16, 2013 at 4:37 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>
>     On 16/04/2013 16:05, Martin van Es wrote:
>>     Hi Francesco,
>>
>>     On Tue, Apr 16, 2013 at 2:59 PM, Francesco Chicchiriccò
>>     <ilgrosso@apache.org <ma...@apache.org>> wrote:
>>
>>         A couple of bugs have been found in Apache Syncope 1.1.0,
>>         already fixed in 1.1.1-SNAPSHOT, including the one you are
>>         reporting above.
>>         Please take a look at [3] for a workaround until 1.1.1 is
>>         released.
>>
>>
>>     I applied both hotfixes in [3] and recompiled
>>     syncope/syncope-console but this doesn't fix the resource to role
>>     assignment bug.
>
>     This is strange: please be sure that you are actually running the
>     ResourcePanel class [4], that differs from the original 1.1.0
>     because of [5], e.g.
>
>     new PropertyModel<List<String>>(roleTO, "resources")
>
>     instead of
>
>     new ListModel<String>(selectedResources)
>
>     I have just tested this again and had no problems.
>
>     Regards.
>
>     [4]
>     http://svn.apache.org/viewvc/syncope/branches/1_1_X/console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java?view=co&pathrev=1467915
>     [5]
>     http://svn.apache.org/viewvc/syncope/branches/1_1_X/console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java?r1=1464359&r2=1467915&pathrev=1467915&diff_format=h
>
-- 
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/


Re: Conditional resource propagation

Posted by Martin van Es <mr...@gmail.com>.
I don't know how to check what version of the Class I'm running, the logs
aren't telling me, but I do know I copied the correct files in the correct
location.
I do see however that the ResourcesPanel.class I find in the target tree of
console are dated april 5, which is strange for a build that happened today?
I do a "mvn clean package -Dlog.directory=/var/lib/tomcat7/logs
-Dconnid.location=file:/opt/syncope/bundles", should I do something else
instead?

Martin


On Tue, Apr 16, 2013 at 4:37 PM, Francesco Chicchiriccò <ilgrosso@apache.org
> wrote:

>  On 16/04/2013 16:05, Martin van Es wrote:
>
> Hi Francesco,
>
>  On Tue, Apr 16, 2013 at 2:59 PM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>>  A couple of bugs have been found in Apache Syncope 1.1.0, already fixed
>> in 1.1.1-SNAPSHOT, including the one you are reporting above.
>>  Please take a look at [3] for a workaround until 1.1.1 is released.
>>
>>
>>  I applied both hotfixes in [3] and recompiled syncope/syncope-console
> but this doesn't fix the resource to role assignment bug.
>
>
> This is strange: please be sure that you are actually running the
> ResourcePanel class [4], that differs from the original 1.1.0 because of
> [5], e.g.
>
> new PropertyModel<List<String>>(roleTO, "resources")
>
> instead of
>
> new ListModel<String>(selectedResources)
>
> I have just tested this again and had no problems.
>
> Regards.
>
> [4]
> http://svn.apache.org/viewvc/syncope/branches/1_1_X/console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java?view=co&pathrev=1467915
> [5]
> http://svn.apache.org/viewvc/syncope/branches/1_1_X/console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java?r1=1464359&r2=1467915&pathrev=1467915&diff_format=h
>
> --
> Francesco Chicchiriccò
>
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
If 'but' was any useful, it would be a logic operator

Re: Can I create a role in syncope which will be propagated to opendj?

Posted by Nik <ni...@usharesoft.com>.
Thanks for the reply Francesco.
I tried my best but fail to create a group in the ldap server.

I have seen some chatter on this alias of propagating syncope roles 
(user assigned) to ldap and using the ApacheDS resource in the syncope 
1.1.0 standalone.

- I can easily create a user in syncope and propagate it (uid=titi) to 
opendj ldap


below we can see the traffic coming into ldap from syncope

[nik@nik-laptop OpenDJ]$ grep conn=194 logs/access
[19/Apr/2013:12:12:08 +0200] CONNECT conn=194 from=10.0.0.123:56715 
to=10.0.0.121:1389 protocol=LDAP
[19/Apr/2013:12:12:08 +0200] BIND REQ conn=194 op=0 msgID=1 version=3 
type=SIMPLE dn="cn=directory manager"
[19/Apr/2013:12:12:08 +0200] BIND RES conn=194 op=0 msgID=1 result=0 
authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=1
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=1 msgID=2 base="" 
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=1 msgID=2 result=0 
nentries=1 etime=0
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=2 msgID=3 base="" 
scope=baseObject filter="(objectClass=*)" attrs="vendorVersion"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=2 msgID=3 result=0 
nentries=1 etime=0
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=3 msgID=4 
base="ou=people,o=usharesoft" scope=wholeSubtree 
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=titi)(uid=*))" 
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=3 msgID=4 result=0 
nentries=0 etime=0
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=4 msgID=5 
base="ou=groups,o=usharesoft" scope=wholeSubtree 
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=titi)(uid=*))" 
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=4 msgID=5 result=0 
nentries=0 etime=1
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=5 msgID=6 base="" 
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=5 msgID=6 result=0 
nentries=1 etime=0
[19/Apr/2013:12:12:08 +0200] ADD REQ conn=194 op=6 msgID=7 
dn="uid=titi,ou=people,o=usharesoft"
[19/Apr/2013:12:12:08 +0200] ADD RES conn=194 op=6 msgID=7 result=0 etime=8
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=7 msgID=8 
base="uid=titi,ou=people,o=usharesoft" scope=baseObject 
filter="(objectClass=*)" attrs="uid"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=7 msgID=8 result=0 
nentries=1 etime=0
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=8 msgID=9 base="" 
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=8 msgID=9 result=0 
nentries=1 etime=0
[19/Apr/2013:12:12:08 +0200] SEARCH REQ conn=194 op=9 msgID=10 
base="ou=people,o=usharesoft" scope=wholeSubtree 
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=titi)(uid=*))" 
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:12:12:08 +0200] SEARCH RES conn=194 op=9 msgID=10 result=0 
nentries=1 etime=1
[19/Apr/2013:12:13:14 +0200] SEARCH REQ conn=194 op=10 msgID=11 base="" 
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:12:13:14 +0200] SEARCH RES conn=194 op=10 msgID=11 result=0 
nentries=1 etime=1
[19/Apr/2013:12:13:14 +0200] SEARCH REQ conn=194 op=11 msgID=12 
base="ou=people,o=usharesoft" scope=wholeSubtree 
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=titi)(uid=*))" 
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:12:13:14 +0200] SEARCH RES conn=194 op=11 msgID=12 result=0 
nentries=1 etime=1
[19/Apr/2013:12:13:29 +0200] SEARCH REQ conn=194 op=12 msgID=13 base="" 
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:12:13:29 +0200] SEARCH RES conn=194 op=12 msgID=13 result=0 
nentries=1 etime=1
[19/Apr/2013:12:13:29 +0200] SEARCH REQ conn=194 op=13 msgID=14 
base="ou=people,o=usharesoft" scope=wholeSubtree 
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=titi)(uid=*))" 
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:12:13:29 +0200] SEARCH RES conn=194 op=13 msgID=14 result=0 
nentries=1 etime=1
[nik@nik-laptop OpenDJ]$

I confirm it is really in the ldap backend.

[nik@nik-laptop OpenDJ]$ bin/ldapsearch -p 1389 -D"cn=directory manager" 
-w secret -bou=people,o=usharesoft uid=titi
dn: uid=titi,ou=people,o=usharesoft
userPassword: {SSHA}eWXKXa71VZK5n/MYUMfYBH8k/uQTzVyI5DbGQw==
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
uid: titi
cn: titi
cn: titi@uuss.com
sn: titi

I have some groups already defined in my ldap.

[nik@nik-laptop OpenDJ]$ bin/ldapsearch -p 1389 -D"cn=directory manager" 
-w secret -bou=groups,o=usharesoft objectclass=*
dn: ou=Groups,o=usharesoft
ou: Groups
objectClass: organizationalUnit
objectClass: top

dn: cn=generators,ou=Groups,o=usharesoft
uniqueMember: uid=jeff,ou=people,o=usharesoft
cn: generators
objectClass: groupOfUniqueNames
objectClass: top

dn: cn=publisher,ou=Groups,o=usharesoft
uniqueMember: uid=jeff,ou=people,o=usharesoft
cn: publisher
objectClass: groupOfUniqueNames
objectClass: top

[nik@nik-laptop OpenDJ]$


But I would like to create a new group (e.g. using the "secretary" role 
from syncope) which should make
an ldap group like:


dn: cn=secretary,ou=Groups,o=usharesoft
uniqueMember: uid=toto,ou=people,o=usharesoft
cn: generators
objectClass: groupOfUniqueNames
objectClass: top

So from what I have been able to work out, so far, is I should create 
the syncope user titi using Users->"create new user"

Fill in all the mandatory parts under Details/Attributes tab
Then
     select the Resources tab and add my ldap resource from "Available" 
to "Selected"
           Then
           select Roles tab and add the secretary role
and save

looking at the ldap access log I see
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=14 msgID=15 base="" 
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=14 msgID=15 result=0 
nentries=1 etime=1
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=15 msgID=16 
base="ou=people,o=usharesoft" scope=wholeSubtree 
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=toto)(uid=*))" 
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=15 msgID=16 result=0 
nentries=0 etime=1
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=16 msgID=17 
base="ou=groups,o=usharesoft" scope=wholeSubtree 
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=toto)(uid=*))" 
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=16 msgID=17 result=0 
nentries=0 etime=1
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=17 msgID=18 base="" 
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=17 msgID=18 result=0 
nentries=1 etime=0
[19/Apr/2013:13:12:42 +0200] ADD REQ conn=194 op=18 msgID=19 
dn="uid=toto,ou=people,o=usharesoft"
[19/Apr/2013:13:12:42 +0200] ADD RES conn=194 op=18 msgID=19 result=0 
etime=7
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=19 msgID=20 
base="uid=toto,ou=people,o=usharesoft" scope=baseObject 
filter="(objectClass=*)" attrs="uid"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=19 msgID=20 result=0 
nentries=1 etime=0
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=20 msgID=21 base="" 
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=20 msgID=21 result=0 
nentries=1 etime=1
[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=21 msgID=22 
base="ou=people,o=usharesoft" scope=wholeSubtree 
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=toto)(uid=*))" 
attrs="cn,postalAddress,sn,title,uid,userPassword"
[19/Apr/2013:13:12:42 +0200] SEARCH RES conn=194 op=21 msgID=22 result=0 
nentries=1 etime=0
[19/Apr/2013:13:12:42 +0200] MODIFY REQ conn=-1 op=1525 msgID=1526 
dn="o=usharesoft" type=synchronization
[19/Apr/2013:13:12:42 +0200] MODIFY RES conn=-1 op=1525 msgID=1526 
result=0 etime=1

I would expect to see an ADD of the cn=secretary,ou=Groups,o=usharesoft
and something that shows the assignment of toto to this group.

We see success in syncope see image 1.png

Obviously, I have not configured something properly on my resource mapping 
(2.png through 5.png) or my connector (6.png through 8.png)

Is there something obviously wrong dear experts?
- I have no idea how/where to add uniqueMember in syncope

Best Regards,
Nik






> On 16/04/2013 18:10, Nik wrote:
>> Hi,
>>
>> I'm new to syncope, but I like what I'm seeing already, this is a 
>> nifty open source offering, thanks.
>
> Hi Nik, and welcome to Syncope!
>
>> I have a requirement which no doubt others may have had.
>>
>> Can I create a role in syncope which will be propagated to opendj 
>> ldap (group x, y or z)?
>
> Absolutely yes: starting with 1.1.0, role provisioning to external 
> resources is fully supported.
>
>> Details:
>> in such a fashion that syncope (role create process) does an ldap add 
>> (propagate) of that role to an ldap base group e.g. 
>> ou=groups,o=usharesoft, and just for fun be able to add that role (+ 
>> other roles) to a new user which will be propagated to the ldap at 
>> the same time "atomically"?
>>
>> Thinking about it, it could be a 3 step work flow a) create role(s) and
>> b) assign role(s) to user(s)
>> c) send to ldap.
>>
>> I tried to follow the doc but got lost with inputting the "virtual 
>> value" for an rvirtualdata. Any tips, clarifications, syncope roles 
>> specific blogs or RTFM
>
> Since you are new to Syncope, I'd rather suggest to download [1] the 
> 1.1.0 standalone distribution: if you take a look at what is included 
> [2], you will notice that there is an LDAP resource provided by 
> ApacheDS, fully configured to achieve the goals you report above.
>
> You can take the LDAP configuration of the standalone distribution as 
> reference for your own use case with OpenDJ.
>
> I will try in the coming weeks to post something about this with some 
> detailed instructions - or barely extend [3] for 1.1.0 - but until 
> then I think you'd better take inspiration from the standalone 
> distribution's LDAP configuration.
>
> Regards.
>
> [1] http://syncope.apache.org/downloads.html
> [2] 
> https://cwiki.apache.org/confluence/display/SYNCOPE/Run+Syncope+standalone+distribution
> [3] 
> https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+LDAP+resource
>
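Nik's post above expects to find, in the OpenDJ access log, an ADD of the group entry and some operation that puts toto into it. The class below is an added example written for this thread, not code from Syncope, OpenDJ or either poster: it scans access-log lines of the format shown above and reports which of the expected operations are absent. The sample lines embedded in main() are constructed from the ones Nik posted; the group DN cn=secretary,ou=Groups,o=usharesoft and the uniqueMember attribute are taken from his post. Two caveats the check relies on: the access log records only which DN a request targeted, not the attribute values, so membership can only be inferred from an ADD or MODIFY against the group entry (to see the actual uniqueMember values, read the entry back with ldapsearch), and entries with conn=-1 are internal operations rather than requests from the Syncope connector, so the check ignores them (the MODIFY of o=usharesoft in the log above is one of those, not the missing group change).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Syncope or OpenDJ code): checks an OpenDJ access log
 * for the LDAP operations a Syncope propagation should have produced.
 */
public class AccessLogPropagationCheck {

    /** One "... REQ ..." line reduced to what the check needs. */
    public static final class Request {
        public final String op;        // ADD, MODIFY, SEARCH, ...
        public final String dn;        // dn="..." or base="..." value, null if absent
        public final boolean internal; // conn=-1: internal operation, not a client request

        Request(final String op, final String dn, final boolean internal) {
            this.op = op;
            this.dn = dn;
            this.internal = internal;
        }
    }

    // [timestamp] <OP> REQ conn=<n> op=<n> msgID=<n> <rest of line>
    private static final Pattern REQ_LINE = Pattern.compile(
            "^\\[[^\\]]+\\] ([A-Z]+) REQ conn=(-?\\d+) op=\\d+ msgID=\\d+(.*)$");
    // dn="..." on write operations, base="..." on searches
    private static final Pattern DN_FIELD = Pattern.compile("\\b(?:dn|base)=\"([^\"]*)\"");

    public static List<Request> parseRequests(final List<String> lines) {
        List<Request> requests = new ArrayList<Request>();
        for (String line : lines) {
            Matcher m = REQ_LINE.matcher(line.trim());
            if (!m.matches()) {
                continue; // RES lines and anything else are not needed here
            }
            Matcher d = DN_FIELD.matcher(m.group(3));
            String dn = d.find() ? d.group(1) : null;
            requests.add(new Request(m.group(1), dn, "-1".equals(m.group(2))));
        }
        return requests;
    }

    /** DNs are case-insensitive; normalise spacing around commas before comparing. */
    public static boolean sameDn(final String a, final String b) {
        if (a == null || b == null) {
            return false;
        }
        return a.replaceAll("\\s*,\\s*", ",").equalsIgnoreCase(b.replaceAll("\\s*,\\s*", ","));
    }

    /** True if a non-internal request of the given type targeted the given DN. */
    public static boolean hasClientOp(final List<Request> requests, final String op, final String dn) {
        for (Request r : requests) {
            if (!r.internal && r.op.equals(op) && sameDn(r.dn, dn)) {
                return true;
            }
        }
        return false;
    }

    /** Lists the expected operations that did not show up in the log. */
    public static List<String> missingOperations(final List<String> lines,
            final String userDn, final String groupDn) {
        List<Request> requests = parseRequests(lines);
        List<String> missing = new ArrayList<String>();
        if (!hasClientOp(requests, "ADD", userDn)) {
            missing.add("no ADD of user entry " + userDn);
        }
        if (!hasClientOp(requests, "ADD", groupDn) && !hasClientOp(requests, "MODIFY", groupDn)) {
            missing.add("no ADD or MODIFY of group entry " + groupDn
                    + " (membership, i.e. uniqueMember, was not propagated)");
        }
        return missing;
    }

    public static void main(final String[] args) {
        // Constructed from the lines in the post above; not a real capture.
        List<String> sample = Arrays.asList(
                "[19/Apr/2013:13:12:42 +0200] ADD REQ conn=194 op=18 msgID=19 dn=\"uid=toto,ou=people,o=usharesoft\"",
                "[19/Apr/2013:13:12:42 +0200] ADD RES conn=194 op=18 msgID=19 result=0 etime=7",
                "[19/Apr/2013:13:12:42 +0200] SEARCH REQ conn=194 op=19 msgID=20 base=\"uid=toto,ou=people,o=usharesoft\" scope=baseObject filter=\"(objectClass=*)\" attrs=\"uid\"",
                "[19/Apr/2013:13:12:42 +0200] MODIFY REQ conn=-1 op=1525 msgID=1526 dn=\"o=usharesoft\" type=synchronization");
        for (String finding : missingOperations(sample,
                "uid=toto,ou=people,o=usharesoft", "cn=secretary,ou=Groups,o=usharesoft")) {
            System.out.println(finding);
        }
    }
}
```

Run against the full access log for the time window of the propagation task; an empty result means both the user and the group entry were touched by the connector, and any remaining doubt about the membership value is settled by reading cn=secretary,ou=Groups,o=usharesoft back from the directory.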


Re: Can I create a role in syncope which will be propagated to opendj?

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 16/04/2013 18:10, Nik wrote:
> Hi,
>
> I'm new to syncope, but I like what I'm seeing already, this is a 
> nifty open source offering, thanks.

Hi Nik, and welcome to Syncope!

> I have a requirement which no doubt others may have had.
>
> Can I create a role in syncope which will be propagated to opendj ldap 
> (group x, y or z)?

Absolutely yes: starting with 1.1.0, role provisioning to external 
resources is fully supported.

> Details:
> in such a fashion that syncope (role create process) does an ldap add 
> (propagate) of that role to an ldap base group e.g. 
> ou=groups,o=usharesoft, and just for fun be able to add that role (+ 
> other roles) to a new user which will be propagated to the ldap at the 
> same time "atomically"?
>
> Thinking about it, it could be a 3 step work flow a) create role(s) and
> b) assign role(s) to user(s)
> c) send to ldap.
>
> I tried to follow the doc but got lost with inputting the "virtual 
> value" for an rvirtualdata. Any tips, clarifications, syncope roles 
> specific blogs or RTFM

Since you are new to Syncope, I'd rather suggest to download [1] the 
1.1.0 standalone distribution: if you take a look at what is included 
[2], you will notice that there is an LDAP resource provided by 
ApacheDS, fully configured to achieve the goals you report above.

You can take the LDAP configuration of the standalone distribution as 
reference for your own use case with OpenDJ.

I will try in the coming weeks to post something about this with some 
detailed instructions - or barely extend [3] for 1.1.0 - but until then 
I think you'd better take inspiration from the standalone distribution's 
LDAP configuration.

Regards.

[1] http://syncope.apache.org/downloads.html
[2] 
https://cwiki.apache.org/confluence/display/SYNCOPE/Run+Syncope+standalone+distribution
[3] 
https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+LDAP+resource

-- 
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/


Can I create a role in syncope which will be propagated to opendj?

Posted by Nik <ni...@usharesoft.com>.
Hi,

I'm new to syncope, but I like what I'm seeing already, this is a nifty 
open source offering, thanks.

I have a requirement which no doubt others may have had.

Can I create a role in syncope which will be propagated to opendj ldap 
(group x, y or z)?

Details:
in such a fashion that syncope (role create process) does an ldap add 
(propagate) of that role to an ldap base group e.g. 
ou=groups,o=usharesoft, and just for fun be able to add that role (+ 
other roles) to a new user which will be propagated to the ldap at the 
same time "atomically"?

Thinking about it, it could be a 3 step work flow a) create role(s) and
b) assign role(s) to user(s)
c) send to ldap.

I tried to follow the doc but got lost with inputting the "virtual 
value" for an rvirtualdata. Any tips, clarifications, syncope roles 
specific blogs or RTFM

rgds,
Nik

Re: Conditional resource propagation

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 16/04/2013 16:05, Martin van Es wrote:
> Hi Francesco,
>
> On Tue, Apr 16, 2013 at 2:59 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>
>     A couple of bugs have been found in Apache Syncope 1.1.0, already
>     fixed in 1.1.1-SNAPSHOT, including the one you are reporting above.
>     Please take a look at [3] for a workaround until 1.1.1 is released.
>
>
> I applied both hotfixes in [3] and recompiled syncope/syncope-console 
> but this doesn't fix the resource to role assignment bug.

This is strange: please be sure that you are actually running the 
ResourcePanel class [4], that differs from the original 1.1.0 because of 
[5], e.g.

new PropertyModel<List<String>>(roleTO, "resources")

instead of

new ListModel<String>(selectedResources)

I have just tested this again and had no problems.

Regards.

[4] 
http://svn.apache.org/viewvc/syncope/branches/1_1_X/console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java?view=co&pathrev=1467915
[5] 
http://svn.apache.org/viewvc/syncope/branches/1_1_X/console/src/main/java/org/apache/syncope/console/pages/panels/ResourcesPanel.java?r1=1464359&r2=1467915&pathrev=1467915&diff_format=h

-- 
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/


Re: Conditional resource propagation

Posted by Martin van Es <mr...@gmail.com>.
Hi Francesco,

On Tue, Apr 16, 2013 at 2:59 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

> A couple of bugs have been found in Apache Syncope 1.1.0, already fixed
> in 1.1.1-SNAPSHOT, including the one you are reporting above.
> Please take a look at [3] for a workaround until 1.1.1 is released.

I applied both hotfixes in [3] and recompiled syncope/syncope-console but
this doesn't fix the resource to role assignment bug.

Regards,
Martin

Re: Conditional resource propagation

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 16/04/2013 14:49, Martin van Es wrote:
> Hi Francesco,
>
> Thx for the quick reply.
>
> Yes you understood me correctly in the assumption of how I wanted to 
> conditionally assign resources. Even if I went ahead and wrote such a 
> class (which I doubt I can, but who knows ;) your answer implies that 
> the role would contain the assigned resources and this was part of my 
> question: I can not assign a resource to a newly created role in 
> 1.1.0? The interface lets me do the assignment, but when I inspect the 
> result, all resources are still unassigned.
> Is this expected behaviour and if so, how would SyncActionsClass' 
> assignment to a role help me if the roles can't contain resources 
> assignments?

A couple of bugs have been found in Apache Syncope 1.1.0, already fixed 
in 1.1.1-SNAPSHOT, including the one you are reporting above.
Please take a look at [3] for a workaround until 1.1.1 is released.

Regards.

> On Tue, Apr 16, 2013 at 2:37 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>
>     On 16/04/2013 14:26, Martin van Es wrote:
>
>         I was wondering if it's possible to automatically provision
>         certain resource for one account based on a condition
>         (attribute) set in the source resource.
>
>         A hypothetical situation:
>
>         A CSVdir synchronisation resource contains all my users, some
>         of which initially need to have an LDAP account propagated,
>         others a DB account and a lucky few both.
>
>         Is there a way to specify a role attribute in the CSVdir
>         resource that gets mapped to a role, that assigns the LDAP
>         and/or the DB resource for the user? I tried creating two
>         roles (LDAP/DB) with mappings to my resources LDAP and DB, but
>         in the interface, the assigned resources are not preserved in
>         the role definition dialog. Apart from that, would this be a
>         possibility in Syncope?
>
>
>     Hi Martin,
>     I've understood that you want to assign upon synchronization role
>     A, B or C to users from a CSVDir resource where A has assigned a
>     LDAP resource, B a DB resource and C both. Is this correct?
>
>     If so, you need to define a SyncJobActionsClass [1] or
>     SyncActionsClass [2]  (depending on the Syncope version you are
>     running) and implement the logic "assign role A, B or C to
>     synchronizing user" in the before() method.
>
>     Once defined such class, you will need to associate it to the
>     synchronization task and it will be invoked upon synchronization.
>
>     Regards.
>
>     [1]
>     https://cwiki.apache.org/confluence/display/SYNCOPE/SyncJobActionsClass
>     [2]
>     https://cwiki.apache.org/confluence/display/SYNCOPE/SyncActionsClass
>
[3] 
https://cwiki.apache.org/confluence/display/SYNCOPE/Create+a+new+Syncope+project#CreateanewSyncopeproject-Stablereleases

-- 
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/


Re: Conditional resource propagation

Posted by Martin van Es <mr...@gmail.com>.
Hi Francesco,

Thx for the quick reply.

Yes you understood me correctly in the assumption of how I wanted to
conditionally assign resources. Even if I went ahead and wrote such a class
(which I doubt I can, but who knows ;) your answer implies that the role
would contain the assigned resources and this was part of my question: I
can not assign a resource to a newly created role in 1.1.0? The interface
lets me do the assignment, but when I inspect the result, all resources are
still unassigned.
Is this expected behaviour and if so, how would SyncActionsClass'
assignment to a role help me if the roles can't contain resources
assignments?

Best regards,
Martin


On Tue, Apr 16, 2013 at 2:37 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

> On 16/04/2013 14:26, Martin van Es wrote:
>
>> I was wondering if it's possible to automatically provision certain
>> resource for one account based on a condition (attribute) set in the source
>> resource.
>>
>> A hypothetical situation:
>>
>> A CSVdir synchronisation resource contains all my users, some of which
>> initially need to have an LDAP account propagated, others a DB account and a
>> lucky few both.
>>
>> Is there a way to specify a role attribute in the CSVdir resource that
>> gets mapped to a role, that assigns the LDAP and/or the DB resource for the
>> user? I tried creating two roles (LDAP/DB) with mappings to my resources
>> LDAP and DB, but in the interface, the assigned resources are not preserved
>> in the role definition dialog. Apart from that, would this be a possibility
>> in Syncope?
>>
>
> Hi Martin,
> I've understood that you want to assign upon synchronization role A, B or
> C to users from a CSVDir resource where A has assigned a LDAP resource, B a
> DB resource and C both. Is this correct?
>
> If so, you need to define a SyncJobActionsClass [1] or SyncActionsClass
> [2]  (depending on the Syncope version you are running) and implement the
> logic "assign role A, B or C to synchronizing user" in the before() method.
>
> Once defined such class, you will need to associate it to the
> synchronization task and it will be invoked upon synchronization.
>
> Regards.
>
> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/SyncJobActionsClass
> [2] https://cwiki.apache.org/confluence/display/SYNCOPE/SyncActionsClass
>
> --
> Francesco Chicchiriccò
>
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/
>
>


-- 
If 'but' was any useful, it would be a logic operator

Re: Conditional resource propagation

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 16/04/2013 14:26, Martin van Es wrote:
> I was wondering if it's possible to automatically provision certain 
> resource for one account based on a condition (attribute) set in the 
> source resource.
>
> A hypothetical situation:
>
> A CSVdir synchronisation resource contains all my users, some of which 
> initially need to have an LDAP account propagated, others a DB account 
> and a lucky few both.
>
> Is there a way to specify a role attribute in the CSVdir resource that 
> gets mapped to a role, that assigns the LDAP and/or the DB resource 
> for the user? I tried creating two roles (LDAP/DB) with mappings to my 
> resources LDAP and DB, but in the interface, the assigned resources 
> are not preserved in the role definition dialog. Apart from that, 
> would this be a possibility in Syncope?

Hi Martin,
I've understood that you want to assign upon synchronization role A, B 
or C to users from a CSVDir resource where A has assigned a LDAP 
resource, B a DB resource and C both. Is this correct?

If so, you need to define a SyncJobActionsClass [1] or SyncActionsClass 
[2]  (depending on the Syncope version you are running) and implement 
the logic "assign role A, B or C to synchronizing user" in the before() 
method.

Once defined such class, you will need to associate it to the 
synchronization task and it will be invoked upon synchronization.

Regards.

[1] https://cwiki.apache.org/confluence/display/SYNCOPE/SyncJobActionsClass
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/SyncActionsClass

-- 
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
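Francesco's answer above puts the "assign role A, B or C to the synchronizing user" logic into the actions class attached to the synchronization task. The class below is an added example written for this thread, not code from Syncope or from either poster. It is written against the 1.1.x SyncActions API (DefaultSyncActions base class, beforeCreate(handler, delta, subject)); the package name, the method signature, the CSV column name `resources` and the role ids 100 and 101 are assumptions to be checked against the linked SyncActionsClass page and against the roles you created in the console. On 1.0.x the hook is SyncJobActions.before() instead, as the reply says. Rather than a third role C, the example gives a user marked "both" membership in both the LDAP role and the DB role, which is equivalent as long as each role carries exactly one resource. The point a reviewer would insist on: the marker column decides which external accounts get created, so it is untrusted input from the CSV and is mapped through a fixed allow-list; a value that is not on the list yields no role at all, so a typo provisions nothing rather than something unintended.

```java
package net.example.syncope; // assumed package name

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.apache.syncope.common.to.AbstractAttributableTO;
import org.apache.syncope.common.to.MembershipTO;
import org.apache.syncope.common.to.UserTO;
import org.apache.syncope.core.sync.DefaultSyncActions;
import org.apache.syncope.core.sync.SyncopeSyncResultHandler;
import org.identityconnectors.framework.common.objects.Attribute;
import org.identityconnectors.framework.common.objects.AttributeUtil;
import org.identityconnectors.framework.common.objects.ConnectorObject;
import org.identityconnectors.framework.common.objects.SyncDelta;
import org.quartz.JobExecutionException;

/**
 * Added example (not Syncope code): assigns the LDAP and/or DB role to a
 * user being synchronized from the CSVDir resource, based on a marker
 * column in the CSV row. The roles carry the external resources, so the
 * membership is what makes the LDAP and/or DB account get propagated.
 */
public class CsvMarkerRoleSyncActions extends DefaultSyncActions {

    // Assumptions: the CSV column carrying the marker, and the ids of the two
    // roles created in the console with the LDAP / DB resource attached.
    private static final String MARKER_ATTR = "resources";
    private static final long LDAP_ROLE_ID = 100L;
    private static final long DB_ROLE_ID = 101L;

    /**
     * Fixed allow-list from marker value to role ids. Anything not listed
     * yields no role, so an unexpected value in the CSV provisions nothing.
     */
    public static List<Long> rolesFor(final String marker) {
        List<Long> roleIds = new ArrayList<Long>();
        if (marker == null) {
            return roleIds;
        }
        String value = marker.trim().toLowerCase(Locale.ENGLISH);
        if ("ldap".equals(value) || "both".equals(value)) {
            roleIds.add(LDAP_ROLE_ID);
        }
        if ("db".equals(value) || "both".equals(value)) {
            roleIds.add(DB_ROLE_ID);
        }
        return roleIds;
    }

    // Signature assumed from the 1.1.x SyncActions interface; on 1.0.x the
    // equivalent hook is SyncJobActions.before().
    @Override
    public <T extends AbstractAttributableTO> SyncDelta beforeCreate(
            final SyncopeSyncResultHandler handler, final SyncDelta delta, final T subject)
            throws JobExecutionException {

        ConnectorObject row = delta.getObject(); // the raw CSV row as seen by ConnId
        if (row != null && subject instanceof UserTO) {
            UserTO user = (UserTO) subject;
            Attribute marker = row.getAttributeByName(MARKER_ATTR);
            String value = marker == null ? null : AttributeUtil.getStringValue(marker);
            for (Long roleId : rolesFor(value)) {
                if (!isMember(user, roleId)) {
                    MembershipTO membership = new MembershipTO();
                    membership.setRoleId(roleId);
                    user.addMembership(membership);
                }
            }
        }
        return delta;
    }

    private static boolean isMember(final UserTO user, final long roleId) {
        for (MembershipTO m : user.getMemberships()) {
            if (m.getRoleId() == roleId) {
                return true;
            }
        }
        return false;
    }
}
```

Register the fully qualified class name on the synchronization task as the linked page describes. beforeCreate() only runs for users that do not exist yet in Syncope; if the marker can change after the first import, the same rolesFor() mapping has to be applied in the update hook as well, otherwise a user moved from "ldap" to "db" in the CSV keeps the LDAP account.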