Re: Assign group to user from DB
We didn't know at all about the Scripted SQL connectors, we were following the pull/pushactions examples.

On 01/03/17 14:40, Francesco Chicchiriccò wrote:
> Hi,
> are you sure that you are using the Scripted SQL connector?
>
> The Database Table connector, in fact, only provides support for the __ACCOUNT__ ObjectClass, e.g. only for users, as suggested by the error below.
>
> In order to use the Scripted SQL connector, you must also provide the adequate Groovy scripts matching your own database schema; some samples can be found under the core/src/test/resources/scriptedsql directory of your generated Maven project.
>
> HTH
> Regards.
>
> On 27/02/2017 17:47, Tech wrote:
>> Hello,
>> coming back to this point: we prepared the code to integrate the group propagation from a DB to Syncope but we encountered some problems.
>>
>> Before integrating the code that we developed, we started to add the concept of Group into our system.
>>
>> * Our database has a column called "role", where the only content is "GroupTest".
>> * We created the group "GroupTest" also in Syncope to have a 1:1 relation.
>> * We created the type "role" and we put it into the "BaseGroup" schema.
>> * We go back to the resources and we Edit provision rules, we add a Group that we map with name:role.
>>
>> From now on, every Pull, also the one for the Users, will terminate in a FAILURE with the error:
>>
>> org.quartz.JobExecutionException: While pulling from connector [See nested exception: java.lang.IllegalArgumentException: Operation requires an Account ObjectClass.]
>>     at org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:284)
>>     at org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:60)
>>     at org.apache.syncope.core.provisioning.java.pushpull.AbstractProvisioningJobDelegate.doExecute(AbstractProvisioningJobDelegate.java:558)
>>     at org.apache.syncope.core.provisioning.java.job.AbstractSchedTaskJobDelegate.execute(AbstractSchedTaskJobDelegate.java:96)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>
>> Removing the mapping of the group, everything will turn back to normality.
>>
>> Any idea why this could happen?
>>
>> Thanks!
>>
>> On 06/02/17 17:58, Marco Di Sabatino Di Diodoro wrote:
>>> On 06/02/2017 17:41, Marco Di Sabatino Di Diodoro wrote:
>>>> Hi,
>>>>
>>>> On 06/02/2017 17:11, Tech wrote:
>>>>> Dear experts,
>>>>> we're pulling information from a database. We want to assign automatically a group to a user.
>>>>>
>>>>> The original table has a format like
>>>>> -- "USERNAME" : "user01"
>>>>> -- "ROLE": "employee"
>>>>
>>>> In a pull task it is possible to add a template. The template can be used for setting default values on entities during a pull task. To configure a template go to Topology --> select the external resource to pull --> Pull Task and click the Template icon [1 Pull Templates].
>>>>
>>>> [1] https://syncope.apache.org/docs/reference-guide.html#provisioning-pull
>>>
>>> If a User is associated to a Group in your Database, and you like to assign the corresponding User as a member of the corresponding Group in Syncope, you must implement a Pull Action [1]. Connid doesn't implement the assignment of a membership, so to obviate we can use a pull action.
>>>
>>> [1] https://syncope.apache.org/docs/reference-guide.html#pullactions
>>>
>>>>> We want the user being created into Syncope associated to the already existing group "employee", but we don't see how to create this association.
>>>>>
>>>>> Is there any reference that we should check?
>>>>>
>>>>> Thanks
>
> --
> Francesco Chicchiriccò
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
Re: Creating a virtual schema type ->empty type list
On 01/03/2017 08:29, Mikael Ekblom wrote:
> Hi,
> OK, so that was the logic behind it! Now I start to have all the dependencies clear. Tested it and now everything makes sense.

That's great to hear.

> Our deployment is pretty small though. Only 200 + personnel + some 2000 students. But I'll check the Postgres option. The core seems to be configured by default towards the Postgres option.

Yes, it is :-)

> I like the way you can augment Syncope if needed in a strongly typed language. Maybe we'll even be able to remove the existing php-based "IDM", which is more of a plain sync engine with no editable business logic capabilities whatsoever. Not my production though… It might be that we will end up with a *nix environment in the end.

Sorry, I don't get this last point: FYI, Syncope can be deployed and run in Windows environments too.

Regards.

> *From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
> *Sent:* Tuesday 28 February 2017 17.54
> *To:* user@syncope.apache.org
> *Subject:* Re: Creating a virtual schema type ->empty type list
>
>> On 28/02/2017 16:26, Mikael Ekblom wrote:
>>> Hi,
>>> We are currently evaluating Syncope as a candidate for our future IDM.
>>
>> Hi, glad to hear that :-)
>>
>>> We have some choices on the table and we are even considering writing our own IDM from scratch, but that is something I would like to avoid for practical reasons… :-)
>>
>> I think that would be inventing the wheel again nowadays.
>>
>>> Our neighbor Helsinki University is implementing the same solution, so I thought that I will join the community regarding this one.
>>>
>>> Anyhow, I have a working Syncope 2.0.2 running on a Windows server 2012 R2 with mysql as the backbone. It is setup and configured via Apache Maven and is running with Tomcat 8.5 as the container. Everything seems to be working. I have managed to create the connector to our AD with the built in/shipped connector. I have also assigned a resource to that connector. Via that resource, we will pull information from our AD as an initial test. The connector reports that it works.
>>
>> Very nice, indeed.
>> One note: while it is perfectly fine for evaluation, I would personally prefer PostgreSQL over MySQL / MariaDB, as some of my customers have been reporting complaints about search performances. We have been constantly providing enhancements and fixes about that, but there have been simply no issues in all the PostgreSQL-based deployments - some of them being very large in numbers.
>>
>>> One problem though. I have been able to create all schema types but the virtual one. When I'm supposed to create a virtual schema type for attributes that Syncope will not own and set the ad-resource as the de facto resource, the type drop down list for the virtual schema is empty and just states "Choose one". What am I missing here? Some schema definition topic missed somewhere?
>>>
>>> This is not a panic question, as we are just evaluating, but I figure that I might save some time to ask via the mailing list first. I do have my own abstractions to do for our own maybe to come IDM… :-)
>>
>> I am assuming you are using the Admin UI here.
>> If so, you need first to select a Resource (among the ones available) and then the Type combo will be populated with all the provision rules defined for that Resource. Finally, you will need to provide the external attribute to which the new Virtual Schema's attributes will be linked.
>>
>> More details available at:
>> https://syncope.apache.org/docs/reference-guide.html#virtual
>>
>> HTH
>> Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Dynamic role - the task remains blocked
On 01/03/2017 15:08, Tech wrote:
> Hello,
> thank you for your feedback.
>
> As described, we stopped already the AS and we restarted, but the process was continuing to turn.

And did you check if there was any zombie java process around, after stopping and *before* starting again?

> The only solution was to restore the database, but we know that this situation will repeat for sure, that's why we would like to find a solution

As usual, you need to investigate in the logs what is the actual source for the error, possibly trying to isolate as much as possible what makes the system unstable.

Regards.

> On 01/03/17 14:57, Francesco Chicchiriccò wrote:
>> Hi,
>> I am assuming that this e-mail is a duplicate of [1]: correct?
>>
>> See my replies below.
>> Regards.
>>
>> On 01/03/2017 10:35, Tech wrote:
>>> Dear experts,
>>> we want to report you something we detected in the Syncope-Console.
>>>
>>> We are importing some information from a database where a column is called "MYGROUP" and the content is "Employee".
>>>
>>> We created a group into Syncope called MYGROUP and in the group we defined a Dynamic group where the attribute.myrole == Employee, the user is automatically assigned to the group.
>>>
>>> When we check the users, we can validate that they are correctly assigned to the group MYGROUP.
>>>
>>> We perform some modification on the Database, we run again the pull, but this time we see that from the Dashboard/Control/Available, we see the pull still running, and also pushing on the Stop, the popup will confirm us that the task has been performed correctly,
>>
>> It seems that the pull task has entered into some kind of error condition that cannot be stopped by the Quartz engine (an example could be some kind of blocking I/O operation).
>>
>>> but also restarting Syncope, the task will be still running.
>>
>> This is really odd: please try to
>>
>> 1. stop the Java EE container
>> 2. check with ps if there is any hanging java process and kill -9 if so
>> 3. start again the Java EE container
>>
>> I think the actual problem is, as said above, something that prevents the Java EE container to exit properly.
>>
>>> We are not able to run anymore any Pull, and we were forced to run a restore of the database.
>>>
>>> What should be done to avoid this?
>>
>> [1] https://lists.apache.org/thread.html/6bef9e8a38a3635fe5144935e92f188a8b5b7032f8b3814de6f94e35@%3Cuser.syncope.apache.org%3E

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Dynamic role - the task remains blocked
Hi,
I am assuming that this e-mail is a duplicate of [1]: correct?

See my replies below.
Regards.

On 01/03/2017 10:35, Tech wrote:
> Dear experts,
> we want to report you something we detected in the Syncope-Console.
>
> We are importing some information from a database where a column is called "MYGROUP" and the content is "Employee".
>
> We created a group into Syncope called MYGROUP and in the group we defined a Dynamic group where the attribute.myrole == Employee, the user is automatically assigned to the group.
>
> When we check the users, we can validate that they are correctly assigned to the group MYGROUP.
>
> We perform some modification on the Database, we run again the pull, but this time we see that from the Dashboard/Control/Available, we see the pull still running, and also pushing on the Stop, the popup will confirm us that the task has been performed correctly,

It seems that the pull task has entered into some kind of error condition that cannot be stopped by the Quartz engine (an example could be some kind of blocking I/O operation).

> but also restarting Syncope, the task will be still running.

This is really odd: please try to

1. stop the Java EE container
2. check with ps if there is any hanging java process and kill -9 if so
3. start again the Java EE container

I think the actual problem is, as said above, something that prevents the Java EE container to exit properly.

> We are not able to run anymore any Pull, and we were forced to run a restore of the database.
>
> What should be done to avoid this?

[1] https://lists.apache.org/thread.html/6bef9e8a38a3635fe5144935e92f188a8b5b7032f8b3814de6f94e35@%3Cuser.syncope.apache.org%3E

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
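
The stop / check with ps / kill / restart procedure from the reply above, as an added shell example that is not part of the original messages: before falling back to kill -9 it sends SIGQUIT so the JVM writes a thread dump, which can show where a stuck thread is blocked. The marker string, the install path and the sample ps output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the container's JVM can be
# recognised by a marker in its command line; the default below is a
# hypothetical Tomcat install path.
MARKER="${MARKER:--Dcatalina.base=/opt/tomcat}"

# Constructed `ps -eo pid=,args=` output, used to exercise the filter offline.
SAMPLE_PS='  812 /usr/sbin/sshd -D
 4021 /usr/lib/jvm/java-8/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
 4388 /usr/bin/java -jar /opt/other/app.jar
 4410 grep java'

# stdin: "PID ARGS..." lines; $1: marker. Prints the PIDs of java processes
# whose command line contains the marker, so unrelated JVMs are left alone.
lingering_java_pids() {
    awk -v marker="$1" '{
        exe = $2; sub(/^.*\//, "", exe)      # basename of the executable
        if (exe == "java" && index($0, marker) > 0) print $1
    }'
}

# Prints those of the given PIDs that still exist.
still_alive() {
    for pid in "$@"; do
        kill -0 "$pid" 2>/dev/null && printf '%s\n' "$pid"
    done
    return 0
}

# Step 2 of the procedure, run after the container has been asked to stop:
# thread dump first, then SIGTERM, and SIGKILL only for what is left.
reap_lingering() {
    pids=$(ps -eo pid=,args= | lingering_java_pids "$MARKER")
    [ -n "$pids" ] || { echo "no lingering JVM found"; return 0; }
    for pid in $pids; do
        # SIGQUIT: HotSpot prints a thread dump to the JVM's stdout
        # (for Tomcat, typically catalina.out) and keeps running.
        kill -3 "$pid" 2>/dev/null || true
    done
    sleep 2
    for pid in $pids; do kill -15 "$pid" 2>/dev/null || true; done
    tries=0
    while [ "$tries" -lt 30 ] && [ -n "$(still_alive $pids)" ]; do
        sleep 1; tries=$((tries + 1))
    done
    for pid in $(still_alive $pids); do
        echo "PID $pid ignored SIGTERM, sending SIGKILL"
        kill -9 "$pid" 2>/dev/null || true
    done
}

# Only act when asked to: `sh reap.sh reap`, after stopping the container.
if [ "${1:-}" = "reap" ]; then reap_lingering; fi
```

Start the container again only once `reap_lingering` reports nothing left, and keep the thread dump with the logs for the investigation.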
Re: Assign group to user from DB
Hi,
are you sure that you are using the Scripted SQL connector?

The Database Table connector, in fact, only provides support for the __ACCOUNT__ ObjectClass, e.g. only for users, as suggested by the error below.

In order to use the Scripted SQL connector, you must also provide the adequate Groovy scripts matching your own database schema; some samples can be found under the core/src/test/resources/scriptedsql directory of your generated Maven project.

HTH
Regards.

On 27/02/2017 17:47, Tech wrote:
> Hello,
> coming back to this point: we prepared the code to integrate the group propagation from a DB to Syncope but we encountered some problems.
>
> Before integrating the code that we developed, we started to add the concept of Group into our system.
>
> * Our database has a column called "role", where the only content is "GroupTest".
> * We created the group "GroupTest" also in Syncope to have a 1:1 relation.
> * We created the type "role" and we put it into the "BaseGroup" schema.
> * We go back to the resources and we Edit provision rules, we add a Group that we map with name:role.
>
> From now on, every Pull, also the one for the Users, will terminate in a FAILURE with the error:
>
> org.quartz.JobExecutionException: While pulling from connector [See nested exception: java.lang.IllegalArgumentException: Operation requires an Account ObjectClass.]
>     at org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:284)
>     at org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:60)
>     at org.apache.syncope.core.provisioning.java.pushpull.AbstractProvisioningJobDelegate.doExecute(AbstractProvisioningJobDelegate.java:558)
>     at org.apache.syncope.core.provisioning.java.job.AbstractSchedTaskJobDelegate.execute(AbstractSchedTaskJobDelegate.java:96)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>
> Removing the mapping of the group, everything will turn back to normality.
>
> Any idea why this could happen?
>
> Thanks!
>
> On 06/02/17 17:58, Marco Di Sabatino Di Diodoro wrote:
>> On 06/02/2017 17:41, Marco Di Sabatino Di Diodoro wrote:
>>> Hi,
>>>
>>> On 06/02/2017 17:11, Tech wrote:
>>>> Dear experts,
>>>> we're pulling information from a database. We want to assign automatically a group to a user.
>>>>
>>>> The original table has a format like
>>>> -- "USERNAME" : "user01"
>>>> -- "ROLE": "employee"
>>>
>>> In a pull task it is possible to add a template. The template can be used for setting default values on entities during a pull task. To configure a template go to Topology --> select the external resource to pull --> Pull Task and click the Template icon [1 Pull Templates].
>>>
>>> [1] https://syncope.apache.org/docs/reference-guide.html#provisioning-pull
>>
>> If a User is associated to a Group in your Database, and you like to assign the corresponding User as a member of the corresponding Group in Syncope, you must implement a Pull Action [1]. Connid doesn't implement the assignment of a membership, so to obviate we can use a pull action.
>>
>> [1] https://syncope.apache.org/docs/reference-guide.html#pullactions
>>
>>>> We want the user being created into Syncope associated to the already existing group "employee", but we don't see how to create this association.
>>>>
>>>> Is there any reference that we should check?
>>>>
>>>> Thanks

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: AD-sync errors
In the sync status I always end up with

Users [created/failures]: 0/0 [updated/failures]: 0/0 [deleted/failures]: 0/0 [no operation/ignored]: 0/0
Groups [created/failures]: 0/319 [updated/failures]: 0/0 [deleted/failures]: 0/0 [no operation/ignored]: 0/0

--
View this message in context: http://syncope-user.1051894.n5.nabble.com/AD-sync-errors-tp5709029p5709042.html
Sent from the syncope-user mailing list archive at Nabble.com.
Re: AD-sync errors
I followed this same document along with an official document, but no luck, only groups from AD are sync.

Thanks,
Hari

--
View this message in context: http://syncope-user.1051894.n5.nabble.com/AD-sync-errors-tp5709029p5709041.html
Sent from the syncope-user mailing list archive at Nabble.com.
Re: AD-sync errors
On 01/03/2017 10:52, g2hari wrote:
> In between, is there any detailed Active directory sync document available?
>
> I followed the below documentation which was created in 5th June (outdated),
> https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+Active+Directory+resource

There is a pretty clear statement on top of the page that says:

    Version Warning
    The content below is for Apache Syncope <= 1.2 - for later versions the Reference Guide is available.

I suppose you are using Apache Syncope 2.0, no?

> Many of them are not covered with the new interface, clarity missing on Internal and external mapping for Active directory attributes.

There is no similar documentation yet for 2.0; the only related content (but for LDAP) can be found in

http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: AD-sync errors
In between, is there any detailed Active directory sync document available?

I followed the below documentation which was created in 5th June (outdated),
https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+Active+Directory+resource

Many of them are not covered with the new interface, clarity missing on Internal and external mapping for Active directory attributes.

Thanks,
hari

--
View this message in context: http://syncope-user.1051894.n5.nabble.com/AD-sync-errors-tp5709029p5709039.html
Sent from the syncope-user mailing list archive at Nabble.com.
Dynamic role - the task remains blocked
Dear experts,

we want to report you something we detected in the Syncope-Console.

We are importing some information from a database where a column is called "MYGROUP" and the content is "Employee".

We created a group into Syncope called MYGROUP and in the group we defined a Dynamic group where the attribute.myrole == Employee, the user is automatically assigned to the group.

When we check the users, we can validate that they are correctly assigned to the group MYGROUP.

We perform some modification on the Database, we run again the pull, but this time we see that from the Dashboard/Control/Available, we see the pull still running, and also pushing on the Stop, the popup will confirm us that the task has been performed correctly, but also restarting Syncope, the task will be still running.

We are not able to run anymore any Pull, and we were forced to run a restore of the database.

What should be done to avoid this?

Thanks
Re: AD-sync errors
Thank you for your reply,

The mappings created for users are username with sAMAccountName, password and email, and there is no Object link created for users.

Thanks,
Hari

--
View this message in context: http://syncope-user.1051894.n5.nabble.com/AD-sync-errors-tp5709029p5709037.html
Sent from the syncope-user mailing list archive at Nabble.com.
Re: AD-sync errors
Hi,
please be sure you don't have any local mandatory attribute to be set. In case, provide mapping for them or specify a user template.
Further, be sure to have given sync capability to your AD connector instance.

Best regards,
F.

On 01/03/2017 09:17, harikrish...@techaspect.com wrote:
> I am not using any filter to retrieve users or group, need to pull all resources from AD to syncope
>
> I am getting the below errors in connid logs
>
> [2017-03-01T03:16:29.306] net.tirasa.connid.bundles.ad.util.ADUtilities Reading passwords not supported Method: getAttributesToGet
> [2017-03-01T03:16:29.306] net.tirasa.connid.bundles.ldap.schema.LdapSchemaMapping Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an LDAP attribute Method: getLdapAttribute
>
> same time Groups are sync to the system without any errors.
>
> --
> View this message in context: http://syncope-user.1051894.n5.nabble.com/AD-sync-errors-tp5709029p5709035.html
> Sent from the syncope-user mailing list archive at Nabble.com.

--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html
Tirasa - Open Source Excellence
http://www.tirasa.net/
Apache Syncope PMC
http://people.apache.org/~fmartelli/
Re: AD-sync errors
I am not using any filter to retrieve users or group, need to pull all resources from AD to syncope

I am getting the below errors in connid logs

[2017-03-01T03:16:29.306] net.tirasa.connid.bundles.ad.util.ADUtilities Reading passwords not supported Method: getAttributesToGet
[2017-03-01T03:16:29.306] net.tirasa.connid.bundles.ldap.schema.LdapSchemaMapping Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an LDAP attribute Method: getLdapAttribute

same time Groups are sync to the system without any errors.

--
View this message in context: http://syncope-user.1051894.n5.nabble.com/AD-sync-errors-tp5709029p5709035.html
Sent from the syncope-user mailing list archive at Nabble.com.
Re: AD-sync errors
Hi,
please be sure you don't have any local mandatory attribute to be set. In case, provide mapping for them or specify a user template.
Further, be sure to have given sync capability to your AD connector instance.

Best regards,
F.

On 01/03/2017 09:02, ilgrosso wrote:
> harikrish...@techaspect.com wrote
>> I have already subscribed, don't know why it is not updated
>
> I see this message, so I confirm you are now subscribed.
> Unfortunately, your original message was sent before subscription, it seems.
>
> Let me re-post your message below:
>
> harikrish...@techaspect.com wrote
>> I have used AD-sync bundle to sync windows 2008 on ssl, I see the following conn errors in the log
>>
>> [2017-03-01T02:20:42.223] net.tirasa.connid.bundles.ad.util.ADUtilities Reading passwords not supported Method: getAttributesToGet
>> [2017-03-01T02:20:42.223] net.tirasa.connid.bundles.ldap.schema.LdapSchemaMapping Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an LDAP attribute Method: getLdapAttribute
>>
>> Internal attribute   External attribute   Mandatory   Remote Key   Password   Purpose
>>
>> username sAMAccountName 0 0 true
>> password __PASSWORD__ 0 0 true
>>
>> Object-Link is created as
>> 'dn=' + username + ',cn=Domain Users,dc=domain,dc=com'
>>
>> I don't see users are sync with syncope from AD.
>
> --
> View this message in context: http://syncope-user.1051894.n5.nabble.com/AD-sync-errors-tp5709029p5709033.html
> Sent from the syncope-user mailing list archive at Nabble.com.

--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html
Tirasa - Open Source Excellence
http://www.tirasa.net/
Apache Syncope PMC
http://people.apache.org/~fmartelli/
Re: AD-sync errors
harikrish...@techaspect.com wrote
> I have already subscribed, don't know why it is not updated

I see this message, so I confirm you are now subscribed.
Unfortunately, your original message was sent before subscription, it seems.

Let me re-post your message below:

harikrish...@techaspect.com wrote
> I have used AD-sync bundle to sync windows 2008 on ssl, I see the following conn errors in the log
>
> [2017-03-01T02:20:42.223] net.tirasa.connid.bundles.ad.util.ADUtilities Reading passwords not supported Method: getAttributesToGet
> [2017-03-01T02:20:42.223] net.tirasa.connid.bundles.ldap.schema.LdapSchemaMapping Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an LDAP attribute Method: getLdapAttribute
>
> Internal attribute   External attribute   Mandatory   Remote Key   Password   Purpose
>
> username sAMAccountName 0 0 true
> password __PASSWORD__ 0 0 true
>
> Object-Link is created as
> 'dn=' + username + ',cn=Domain Users,dc=domain,dc=com'
>
> I don't see users are sync with syncope from AD.

--
View this message in context: http://syncope-user.1051894.n5.nabble.com/AD-sync-errors-tp5709029p5709033.html
Sent from the syncope-user mailing list archive at Nabble.com.