Posted to user@syncope.apache.org by imilosevic <ne...@hotmail.com> on 2017/03/22 13:02:01 UTC

AD Mapping User To Specific Groups

Hi all,

I have an issue that happens when I try to push users to the Active
Directory specific group, they instead are mapped only to the membership of
the connector for that resource.
If I add multiple memberships to the connector, it will provision users to
all groups that are part of it.
I have also tried to do the mapping but with no luck.

What is the right way of provisioning users to the wanted group?

Thank you! 

--
View this message in context: http://syncope-user.1051894.n5.nabble.com/AD-Mapping-User-To-Specific-Groups-tp5709105.html
Sent from the syncope-user mailing list archive at Nabble.com.

Re: AD Mapping User To Specific Groups

Posted by imilosevic <ne...@hotmail.com>.
Yes I did. 


Re: AD Mapping User To Specific Groups

Posted by imilosevic <ne...@hotmail.com>.
Hi, yes, I didn't provide user mapping since I was following the previous
tips from you. 
Now I have added and users are mapped, *but*, they are not in their
respective AD groups:

Tom -> Finance
Fred -> HR
Mark -> IT

Just to show their configuration on Syncope: 

_______________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709120/u3.png> 
_______________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709120/u2.png> 
_______________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709120/u1.png> 



*This is the user mapping:*
_______________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709120/user1.png> 
_______________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709120/user2.png> 
_______________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709120/user3.png> 


This is the result that I get:

<http://syncope-user.1051894.n5.nabble.com/file/n5709120/ad1.png> 
_______________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709120/ad2.png> 
_______________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709120/ad3.png> 

So *only* Tom is a part of his respective group.

Why are they not only a part of their group?

Thank you

Kind Regards,
IM


Re: AD Mapping User To Specific Groups

Posted by imilosevic <ne...@hotmail.com>.
Thank you so much for your support, I have managed to solve this issue with
your help!

Keep up the good work!


Best Regards,
IM



Re: AD Mapping User To Specific Groups

Posted by Fabio Martelli <fa...@gmail.com>.
Hi, you forgot to provide the mapping for users.
Only entities provided with a mapping will have a chance to be propagated.

Regards,
F.

On 24/03/2017 13:33, imilosevic wrote:
> Hi, unfortunately it didn't solve the problem. IT group in AD is not
> populated with the user.
>
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/ad.png>
>
> These are configurations of the connector instance, mappings and resource.
>
> Connector:
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con1.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con2.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con3.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con4.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con5.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con6.png>
> ___________________________________
>
> Mappings:
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/map1.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/map2.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/map3.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/map4.png>
> ___________________________________
>
> Resource:
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/res1.png>
>
> Thank you for support
>
> Kind Regards,
> IM
>


-- 
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/


Re: AD Mapping User To Specific Groups

Posted by imilosevic <ne...@hotmail.com>.
Hi, unfortunately it didn't solve the problem. IT group in AD is not
populated with the user.

<http://syncope-user.1051894.n5.nabble.com/file/n5709118/ad.png> 

These are configurations of the connector instance, mappings and resource.

Connector:
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/con1.png> 
___________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/con2.png> 
___________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/con3.png> 
___________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/con4.png> 
___________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/con5.png> 
___________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/con6.png> 
___________________________________

Mappings:
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/map1.png> 
___________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/map2.png> 
___________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/map3.png> 
___________________________________
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/map4.png> 
___________________________________

Resource:
<http://syncope-user.1051894.n5.nabble.com/file/n5709118/res1.png> 

Thank you for support 

Kind Regards,
IM


Re: AD Mapping User To Specific Groups

Posted by Fabio Martelli <fa...@gmail.com>.
On 24/03/2017 11:08, imilosevic wrote:
> Hello,
>
> I have a couple of AD groups and I want to provision different users to each
> of them. My groups on AD are HR, IT and Finance.
> My group location on AD for HR is: CN=IT,CN=Users,DC=apache,DC=com
>
> <http://syncope-user.1051894.n5.nabble.com/file/n5709116/Screenshot_2.png>
>
> How can I replicate users (any user) *from Syncope* to that specific group
> which is *IT*?

Hi, please do the following steps.

 1. Make sure to have configured a mapping for groups by providing the
    connector object link expression (last tab of the provisioning rules
    for group objects).
    It should be something like *'cn=' + name + ',
    CN=Users,DC=apache,DC=com'*.
    Usually, in the mapping tab, a mapping for the internal attribute *name*
    is enough (i.e. name -> cn).
 2. Make sure to have specified LDAPMembershipPropagationActions for
    your AD resource (in the resource configuration panel).
 3. Create a user and assign the IT group to it.

If you have configured your connector instance correctly, Syncope will
propagate users and the specified membership towards AD: the memberof
attribute of the new user will be populated with the DN of the IT group
and the member attribute of the group with the DN of the new user.

Provide screenshots of connector instance configuration, mappings and 
resource configuration if the problem persists.

Regards,

F.


>
>
> Thank you
>
>
> Regards,
> IM
>


-- 
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/
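
Added example, not part of the thread or of Apache Syncope: a Python check that the object link expression and membership propagation described in the steps above produced exactly the intended AD memberships (Tom -> Finance, Fred -> HR, Mark -> IT), reading memberOf values from an LDIF export. The LDIF sample is constructed, the function names are hypothetical, and user entries are assumed to live under CN=Users,DC=apache,DC=com like the group quoted in the thread; line folding and base64 values are not handled.

```python
import re

BASE_DN = "CN=Users,DC=apache,DC=com"  # container quoted in the thread
EXPECTED = {"Tom": "Finance", "Fred": "HR", "Mark": "IT"}  # user -> group, from the thread
# Constructed LDIF export (not the poster's data); user DNs under BASE_DN are assumed.
SAMPLE_LDIF = """\
dn: CN=Tom,CN=Users,DC=apache,DC=com
memberOf: CN=Finance,CN=Users,DC=apache,DC=com

dn: CN=Fred,CN=Users,DC=apache,DC=com
memberOf: CN=Finance,CN=Users,DC=apache,DC=com
memberOf: CN=HR,CN=Users,DC=apache,DC=com

dn: CN=Mark,CN=Users,DC=apache,DC=com
"""

def escape_rdn(value):
    """Escape an RDN value per RFC 4514 so a name cannot change the DN structure."""
    return re.sub(r'[\\,+"<>;=]|^[ #]| \Z', lambda m: "\\" + m.group(), value)

def norm(dn):
    """AD compares DNs case-insensitively; also drop spaces around unescaped commas."""
    return re.sub(r"(?<!\\)\s*,\s*", ",", dn.strip()).lower()

def entry_dn(name):
    """Mirror the object link expression 'cn=' + name + ',' + BASE_DN, normalised."""
    return norm("cn=" + escape_rdn(name) + "," + BASE_DN)

def parse_ldif(text):
    """Return {entry DN: set of memberOf DNs}, all normalised (no folding/base64)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [line.partition(":") for line in block.splitlines()]
        dns = [norm(v) for a, _, v in pairs if a.lower() == "dn"]
        if dns:
            entries[dns[0]] = {norm(v) for a, _, v in pairs if a.lower() == "memberof"}
    return entries

def audit(expected, ldif_text):
    """Return {user: (missing group DNs, unexpected group DNs)} for mismatches only."""
    actual, report = parse_ldif(ldif_text), {}
    for user, group in expected.items():
        have, want = actual.get(entry_dn(user), set()), {entry_dn(group)}
        if have != want:
            report[user] = (sorted(want - have), sorted(have - want))
    return report

if __name__ == "__main__":
    print(audit(EXPECTED, SAMPLE_LDIF))
```

An empty report means every user holds only the intended group; an "unexpected" entry is access the user was not meant to receive.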


Re: AD Mapping User To Specific Groups

Posted by imilosevic <ne...@hotmail.com>.
Hello,

I have a couple of AD groups and I want to provision different users to each
of them. My groups on AD are HR, IT and Finance.
My group location on AD for HR is: CN=IT,CN=Users,DC=apache,DC=com

<http://syncope-user.1051894.n5.nabble.com/file/n5709116/Screenshot_2.png> 

How can I replicate users (any user) *from Syncope* to that specific group
which is *IT*?


Thank you


Regards,
IM


Re: AD Mapping User To Specific Groups

Posted by Fabio Martelli <fa...@gmail.com>.
Did you provide LDAPMembershipPropagationAction? 

On 22 March 2017 16:34:42 CET, imilosevic <ne...@hotmail.com> wrote:
>Yes, I was referring to the membership in the connector configuration panel.
>
>I want to propagate users from Apache Syncope into the AD groups that
>already exist.
> 
>I created a group in Syncope, that exists in AD, and performed the push
>operation with the matching rule (link).
>It provisions users, but it doesn't place them in groups.
>When I open the properties of the group (AD), the members tab is empty.
>
>Could you please tell me what I am missing?
>
>Thank you
>
>Regards,
>IM
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: AD Mapping User To Specific Groups

Posted by imilosevic <ne...@hotmail.com>.
Yes, I was referring to the membership in the connector configuration panel.

I want to propagate users from Apache Syncope into the AD groups that
already exist.
 
I created a group in Syncope, that exists in AD, and performed the push
operation with the matching rule (link).
It provisions users, but it doesn't place them in groups.
When I open the properties of the group (AD), the members tab is empty.

Could you please tell me what I am missing?

Thank you

Regards,
IM


Re: AD Mapping User To Specific Groups

Posted by Fabio Martelli <fa...@gmail.com>.
On 22/03/2017 14:02, imilosevic wrote:
> Hi all,
>
> I have an issue that happens when I try to push users to the Active
> Directory specific group, they instead are mapped only to the membership of
> the connector for that resource.
> If I add multiple memberships to the connector, it will provision users to
> all groups that are part of it.
> I have also tried to do the mapping but with no luck.
>
> What is the right way of provisioning users to the wanted group?
>
> Thank you!
>

Hi, actually I have not got your point.

What are the "memberships" you are speaking of? Are you referring to the 
membership you can specify on the connector instance configuration panel?

If you want to perform membership provisioning you have to map Active
Directory user groups to Syncope groups and then use
LDAPMembershipPropagationAction to manage groups and group memberships
propagation.

So, you can

 1. configure propagation action for AD resource [1]
 2. provide a group mapping [2]
 3. create a new group (assign it to AD resource) and check if it is
    successfully propagated on AD
 4. assign a user to the group and check if it becomes a member of the
    group on AD

If you need existing AD groups on Syncope you can synchronize them or 
replicate them manually and perform a push operation by providing the 
right matching rule (link).


Regards,

F.


[1] http://syncope.apache.org/docs/reference-guide.html#propagationactions

[2] http://syncope.apache.org/docs/reference-guide.html#mapping

-- 
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/