Re: Question about configuration for object synch between directories

2022-10-18 Thread Michael Paxton
Hello all,

So I just got a chance to work on this again. The fix for preventing users
being moved seems to work (will probably need to do more testing) but I
have set "Custom User Search Filter" to (memberOf=) and it is
still pulling users (contacts in this case) that are not members of the
designated group. Interestingly it doesn't pull *all* users that are not
members of the group - just some.

I have tested the filter with ldapsearch and it seems to work fine. Am I
doing something incorrectly?

Cheers,
Michael.

On Tue, Sep 27, 2022 at 1:55 AM Andrea Patricelli <
andreapatrice...@apache.org> wrote:

> Hi Michael,
> On 26/09/22 12:31, Michael Paxton wrote:
>
> Hi Andrea,
>
> Thanks for getting back to me. What we are trying to achieve (which may be
> a misuse of Syncope - please let me know) is to ensure that all objects in
> a directory (AD) (eg contacts) that are members of a designated group (eg
> "Sync Allowed") are pushed into a designated OU on all other participating
> directories.
>
> This is not a misuse, since Syncope is a provisioning engine, born also to
> perform such pull/push operations.
>
>
> The destination OU seems to be working but the group selection
> (implemented by adding the group DN to the Memberships configuration item)
> seems to work in some instances but not others.
>
>
> When you say "LDAP Filter for Retrieving Accounts" the only similar field
> I see is "Custom User Search Filter". Is this what you are referring to? I
> did try it earlier (using a memberof filter in version 2.1.11) with no
> success but will try again.
>
> Yes, on Active Directory connector the configuration parameter is the one
> you addressed.
>
> I have separated push and pull into separate connectors so that I can
> configure them separately - OU DNs, etc). Is this an error? should it be
> one connector with two resources (one for pull, one for push) with
> different connobjectlink? Could this be the cause of it moving an object
> from the source OU to the destination OU in the same directory?
>
> I do not think so, you can even use two different connectors with separate
> resources, what makes the difference is how you build the object sent to
> the destination Active Directory.
>
> Bear also in mind that if you perform an update on a specific user
> assigned to a specific resource (say source Active Directory) also a
> propagation will be triggered, this is why you find entries propagated to
> the source Active Directory. If you're not interested in propagating on the
> source, when configuring the pull task you should set pull mode
> FULL_RECONCILIATION and unmatching_rule: PROVISION: this way you'll get
> users on Syncope, but not assigned to the source Active Directory resource.
>
>
> I will check out the references you provided now - many thanks for that!
>
> I suppose one other question would be, is it possible to remove objects
> from Syncope (eg get rid of objects that shouldn't have been pulled)? I
> made the mistake of Deleting them and removing them from AD as well :)
>
> Yes, when deleting on Syncope, in order not to fire a DELETE propagation
> towards Active Directory, just UNLINK these users from the resource and
> delete or simply remove DELETE capability from Active Directory
> connector(s).
>
>
> Cheers,
> michael.
>
> HTH,
> Andrea
>
> On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli <
> andreapatrice...@apache.org> wrote:
>
>> Hi Michael,
>>
>> On 25/09/22 12:23, Michael Paxton wrote:
>> > Hello all,
>> >
>> > I have a configuration where I have two directories (AD) and want to
>> > synchronise
>> > certain objects between them.
>> >
>> > I want to only synch objects that are members of SynchGroup
>> >
>> > I want to pull objects from SourceOU in each directory and to push
>> > objects to DestinationOU in each directory. This will keep local
>> > objects separated from synchronised objects
>> >
>> > To do this I have done the following:
>> > - created a connector for each directory dedicated to PULLing. This is
>> > configured to look at SourceOU and has Memberships set to the DN of
>> > SynchGroup
>> > - created a connector for each directory dedicated to PUSHing. This is
>> > configured to look at DestinationOU
>> >
>> > This works, in a fashion, but the following things are occurring:
>> > - It pulls (and then subsequently pushes) objects that aren't a member
>> > of SynchGroup
>>
>> In order to pull only specific users you can run a Filtered
>> reconciliation [1] or set a LDAP filter directly on the connector in the
>> "LDAP Filter for Retrieving Accounts" field. BTW for LDAP identity
>> stores, synchronize means "pulling only the latest changes" based on the
>> changelog, is this what you're looking for?
>>
>> > - It sporadically moves (I assume, by UPDATE?) local objects from
>> > SourceOU to DestinationOU in the same directory
>>
>> In order to make Syncope write an object in a specific LDAP subtree you
>> need to properly configure the mapping [2] and especially 
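As an added example (not part of this thread and not Syncope project code), a small Python check that applies the same (memberOf=<group DN>) condition discussed above to an LDIF export of SourceOU and lists which entries were pulled although the filter should have excluded them; the LDIF content, DNs and the SynchGroup DN are constructed for illustration.

```python
# Constructed sample LDIF export of SourceOU (not real data); "Bob" is a contact whose
# memberOf value differs from the group DN only in letter case and spacing.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=SourceOU,DC=example,DC=test
objectClass: user
memberOf: CN=SynchGroup,OU=Groups,DC=example,DC=test

dn: CN=Bob,OU=SourceOU,DC=example,DC=test
objectClass: contact
memberOf: cn=synchgroup, ou=groups, dc=example, dc=test

dn: CN=Carol,OU=SourceOU,DC=example,DC=test
objectClass: contact
memberOf: CN=OtherGroup,OU=Groups,DC=example,DC=test
"""

SYNC_GROUP_DN = "CN=SynchGroup,OU=Groups,DC=example,DC=test"  # assumed group DN

def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators, as an LDAP server would."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def split_by_membership(entries, group_dn):
    """Apply (memberOf=<group_dn>) like the filter would: (members, non_members) DN lists."""
    wanted = normalize_dn(group_dn)
    members, non_members = [], []
    for e in entries:
        groups = {normalize_dn(g) for g in e.get("memberof", [])}
        (members if wanted in groups else non_members).append(e["dn"][0])
    return members, non_members

def unexpected_pulls(pulled_dns, entries, group_dn):
    """DNs that were pulled although the memberOf filter should have excluded them."""
    _, non_members = split_by_membership(entries, group_dn)
    return sorted(set(pulled_dns) & set(non_members))
```

Feed it the DNs Syncope actually pulled (for example from the pull task execution report) to get the list of entries to investigate.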

Re: [ANN] Apache Syncope 3.0.0-M1

2022-10-18 Thread Francesco Chicchiriccò

Hi Lionel,
I'd rather start things again on 3.0.0-M1 now: when compared to 2.1, besides 
new features and components, it brings anyway several new deployment options 
(JDK 17, Spring Boot, ...) which would make your deployment more maintainable 
in the future.

Regards.

On 17/10/22 16:58, Lionel SCHWARZ wrote:

Dear Syncope team,

Considering we have started implementing our IDM solution with Syncope 2.1, but 
nothing is in production yet (we plan to release a first version by the end of 
the year), would you advise us to:
- re-implement with Syncope 3.0.0-M1 now
- keep on with Syncope 2.1 and move to 3.0.0 later

Cheers
Lionel

On 17 Oct 22, at 9:36, Francesco Chicchiriccò ilgro...@apache.org wrote:


The Apache Syncope team is pleased to announce the release of Syncope 3.0.0-M1

Apache Syncope is an Open Source system for managing digital identities in
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning,
reconciliation and reporting needs (as with earlier releases), access
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope300M1

We welcome your help and feedback. For more information on how to report
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/