Re: Question about configuration for object synch between directories

2022-09-27 Thread Andrea Patricelli

You're welcome.

Best regards,
Andrea

On 27/09/22 13:41, Michael Paxton wrote:

Thanks Andrea,

I will try the configurations you recommended.

Thanks for the guidance!

Cheers
Michael

On Tue, 27 Sep 2022, 01:55 Andrea Patricelli wrote:


Hi Michael,

On 26/09/22 12:31, Michael Paxton wrote:

Hi Andrea,

Thanks for getting back to me. What we are trying to achieve
(which may be a misuse of Syncope - please let me know) is to
ensure that all objects in a directory (AD) (eg contacts) that
are members of a designated group (eg "Sync Allowed") are pushed
into a designated OU on all other participating directories.

This is not a misuse, since Syncope is a provisioning engine, born
also to perform such pull/push operations.


The destination OU seems to be working but the group selection
(implemented by adding the group DN to the Memberships
configuration item) seems to work in some instances but not others.

When you say "LDAP Filter for Retrieving Accounts" the only
similar field I see is "Custom User Search Filter". Is this what
you are referring to? I did try it earlier (using a memberof
filter in version 2.1.11) with no success but will try again.

Yes, on Active Directory connector the configuration parameter is
the one you addressed.

I have separated push and pull into separate connectors so that I
can configure them separately (OU DNs, etc). Is this an error?
Should it be one connector with two resources (one for pull, one
for push) with different connobjectlink? Could this be the cause
of it moving an object from the source OU to the destination OU
in the same directory?


I do not think so, you can even use two different connectors with
separate resources, what makes the difference is how you build the
object sent to the destination Active Directory.

Bear also in mind that if you perform an update on a specific user
assigned to a specific resource (say source Active Directory) also
a propagation will be triggered, this is why you find entries
propagated to the source Active Directory. If you're not
interested in propagating on the source, when configuring the pull
task you should set pull mode FULL_RECONCILIATION and
unmatching_rule: PROVISION: this way you'll get users on Syncope,
but not assigned to the source Active Directory resource.



I will check out the references you provided now - many thanks
for that!

I suppose one other question would be, is it possible to remove
objects from Syncope (eg get rid of objects that shouldn't have
been pulled)? I made the mistake of Deleting them and removing
them from AD as well :)

Yes, when deleting on Syncope, in order not to fire a DELETE
propagation towards Active Directory, just UNLINK these users from
the resource and delete or simply remove DELETE capability from
Active Directory connector(s).


Cheers,
michael.

HTH,
Andrea






On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli wrote:

Hi Michael,

On 25/09/22 12:23, Michael Paxton wrote:
> Hello all,
>
> I have a configuration where I have two directories (AD) and want to
> synchronise certain objects between them.
>
> I want to only synch objects that are members of SynchGroup
>
> I want to pull objects from SourceOU in each directory and to push
> objects to DestinationOU in each directory. This will keep local
> objects separated from synchronised objects
>
> To do this I have done the following:
> - created a connector for each directory dedicated to PULLing. This is
> configured to look at SourceOU and has Memberships set to the DN of
> SynchGroup
> - created a connector for each directory dedicated to PUSHing. This is
> configured to look at DestinationOU
>
> This works, in a fashion, but the following things are occurring:
> - It pulls (and then subsequently pushes) objects that aren't a member
> of SynchGroup

In order to pull only specific users you can run a Filtered
reconciliation [1] or set a LDAP filter directly on the connector in the
"LDAP Filter for Retrieving Accounts" field. BTW for LDAP identity
stores, synchronize means "pulling only the latest changes" based on the
changelog, is this what you're looking for?

> - It sporadically moves (i assume, by UPDATE?) local objects from
> SourceOU to DestinationOU in the same directory

In order to make Syncope write an object in a specific LDAP
s

Re: Question about configuration for object synch between directories

2022-09-26 Thread Andrea Patricelli

Hi Michael,

On 26/09/22 12:31, Michael Paxton wrote:

Hi Andrea,

Thanks for getting back to me. What we are trying to achieve (which 
may be a misuse of Syncope - please let me know) is to ensure that all 
objects in a directory (AD) (eg contacts) that are members of a 
designated group (eg "Sync Allowed") are pushed into a designated OU 
on all other participating directories.

This is not a misuse, since Syncope is a provisioning engine, born also 
to perform such pull/push operations.


The destination OU seems to be working but the group selection 
(implemented by adding the group DN to the Memberships configuration 
item) seems to work in some instances but not others.


When you say "LDAP Filter for Retrieving Accounts" the only similar 
field I see is "Custom User Search Filter". Is this what you are 
referring to? I did try it earlier (using a memberof filter in version 
2.1.11) with no success but will try again.

Yes, on Active Directory connector the configuration parameter is the 
one you addressed.

I have separated push and pull into separate connectors so that I can 
configure them separately (OU DNs, etc). Is this an error? Should it 
be one connector with two resources (one for pull, one for push) with 
different connobjectlink? Could this be the cause of it moving an 
object from the source OU to the destination OU in the same directory?


I do not think so, you can even use two different connectors with 
separate resources, what makes the difference is how you build the 
object sent to the destination Active Directory.


Bear also in mind that if you perform an update on a specific user 
assigned to a specific resource (say source Active Directory) also a 
propagation will be triggered, this is why you find entries propagated 
to the source Active Directory. If you're not interested in propagating 
on the source, when configuring the pull task you should set pull mode 
FULL_RECONCILIATION and unmatching_rule: PROVISION: this way you'll get 
users on Syncope, but not assigned to the source Active Directory resource.




I will check out the references you provided now - many thanks for that!

I suppose one other question would be, is it possible to remove 
objects from Syncope (eg get rid of objects that shouldn't have been 
pulled)? I made the mistake of Deleting them and removing them from AD 
as well :)

Yes, when deleting on Syncope, in order not to fire a DELETE propagation 
towards Active Directory, just UNLINK these users from the resource and 
delete or simply remove DELETE capability from Active Directory 
connector(s).


Cheers,
michael.

HTH,
Andrea






On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli wrote:


Hi Michael,

On 25/09/22 12:23, Michael Paxton wrote:
> Hello all,
>
> I have a configuration where I have two directories (AD) and want to
> synchronise certain objects between them.
>
> I want to only synch objects that are members of SynchGroup
>
> I want to pull objects from SourceOU in each directory and to push
> objects to DestinationOU in each directory. This will keep local
> objects separated from synchronised objects
>
> To do this I have done the following:
> - created a connector for each directory dedicated to PULLing. This is
> configured to look at SourceOU and has Memberships set to the DN of
> SynchGroup
> - created a connector for each directory dedicated to PUSHing. This is
> configured to look at DestinationOU
>
> This works, in a fashion, but the following things are occurring:
> - It pulls (and then subsequently pushes) objects that aren't a member
> of SynchGroup

In order to pull only specific users you can run a Filtered
reconciliation [1] or set a LDAP filter directly on the connector in the
"LDAP Filter for Retrieving Accounts" field. BTW for LDAP identity
stores, synchronize means "pulling only the latest changes" based on the
changelog, is this what you're looking for?

> - It sporadically moves (i assume, by UPDATE?) local objects from
> SourceOU to DestinationOU in the same directory

In order to make Syncope write an object in a specific LDAP subtree you
need to properly configure the mapping [2] and especially the
"connObjectLink", a configuration field used as rule to build the DN of
an entry by LDAP connectors. Please take a look at the shared doc and at
the playground env here [3] (ApacheDS connector and resource-ldap
resource).

If you have to perform more complex computations while propagating,
consider to implement your own Propagation actions class [4] to "hack"
the attributes sent to the connector.

>
> I am relatively new to Syncope. I initially configured the tasks
 

Re: Question about configuration for object synch between directories

2022-09-26 Thread Andrea Patricelli

Hi Michael,

On 25/09/22 12:23, Michael Paxton wrote:

Hello all,

I have a configuration where I have two directories (AD) and want to 
synchronise certain objects between them.

I want to only synch objects that are members of SynchGroup

I want to pull objects from SourceOU in each directory and to push 
objects to DestinationOU in each directory. This will keep local 
objects separated from synchronised objects


To do this I have done the following:
- created a connector for each directory dedicated to PULLing. This is 
configured to look at SourceOU and has Memberships set to the DN of 
SynchGroup
- created a connector for each directory dedicated to PUSHing. This is 
configured to look at DestinationOU


This works, in a fashion, but the following things are occurring:
- It pulls (and then subsequently pushes) objects that aren't a member 
of SynchGroup


In order to pull only specific users you can run a Filtered 
reconciliation [1] or set a LDAP filter directly on the connector in the 
"LDAP Filter for Retrieving Accounts" field. BTW for LDAP identity 
stores, synchronize means "pulling only the latest changes" based on the 
changelog, is this what you're looking for?


- It sporadically moves (i assume, by UPDATE?) local objects from 
SourceOU to DestinationOU in the same directory


In order to make Syncope write an object in a specific LDAP subtree you 
need to properly configure the mapping [2] and especially the 
"connObjectLink", a configuration field used as rule to build the DN of 
an entry by LDAP connectors. Please take a look at the shared doc and at 
the playground env here [3] (ApacheDS connector and resource-ldap resource).


If you have to perform more complex computations while propagating, 
consider to implement your own Propagation actions class [4] to "hack" 
the attributes sent to the connector.




I am relatively new to Syncope. I initially configured the tasks with 
a highly conflicting schedule which may have caused race conditions or 
other unusual behaviour but the issues seem to persist even after 
staggering the schedule more sensibly.


Apologies if the above seems overly convoluted. Any advice would be 
greatly appreciated.


Don't worry ;)

Best regards,
Andrea



Cheers,
Michael.


[1] https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping

[3] https://syncope-vm2.apache.org/syncope-console

[4] https://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions


--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope
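
An added example for the group-restricted pull discussed in the thread above (not code from the thread or from Syncope): it builds a memberOf filter of the kind Michael describes trying in "Custom User Search Filter", escaping the group DN per RFC 4515, and dry-runs the selection over constructed entries. The DNs, the entries and the nested-group variant (AD's matching rule in chain) are assumptions that go beyond what the thread states.

```python
# Added example: every DN and entry below is constructed, not taken from the thread.

# AD's LDAP_MATCHING_RULE_IN_CHAIN OID: resolves membership through nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it can be embedded as a value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn, object_class, nested=False):
    """Build (&(objectClass=...)(memberOf=<group DN>)) with the DN escaped.

    A DN keeps its own escaping (e.g. "\\," inside an RDN); those backslashes
    are escaped again here, otherwise the directory sees a different value.
    """
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"({attr}={escape_filter_value(group_dn)}))")


def _norm(dn):
    # Simplified DN comparison: case-insensitive only (an assumption of this sketch).
    return dn.casefold()


def dry_run(entries, source_ou, group_dn):
    """Return (pulled, skipped) DNs for entries under source_ou.

    'pulled' are direct members of group_dn; 'skipped' are in scope but not
    members, i.e. the objects that would leak into the sync without the filter.
    """
    suffix = "," + _norm(source_ou)
    wanted = _norm(group_dn)
    pulled, skipped = [], []
    for entry in entries:
        if not _norm(entry["dn"]).endswith(suffix):
            continue  # outside the pull connector's base context
        groups = {_norm(g) for g in entry.get("memberOf", [])}
        (pulled if wanted in groups else skipped).append(entry["dn"])
    return pulled, skipped


# Constructed sample data: a group name containing a comma and parentheses.
GROUP_DN = r"CN=Sync\, Allowed (EU),OU=Groups,DC=corp,DC=example"
SOURCE_OU = "OU=SourceOU,DC=corp,DC=example"
ENTRIES = [
    {"dn": "CN=Alice,OU=SourceOU,DC=corp,DC=example", "memberOf": [GROUP_DN]},
    {"dn": "CN=Bob,OU=SourceOU,DC=corp,DC=example", "memberOf": []},
    {"dn": "CN=Carol,OU=DestinationOU,DC=corp,DC=example", "memberOf": [GROUP_DN]},
    {"dn": "CN=Dave,OU=SourceOU,DC=corp,DC=example", "memberOf": [GROUP_DN.upper()]},
]

if __name__ == "__main__":
    print(member_of_filter(GROUP_DN, "contact"))
    print(member_of_filter(GROUP_DN, "contact", nested=True))
    print(dry_run(ENTRIES, SOURCE_OU, GROUP_DN))
```

In Active Directory the memberOf attribute does not list an object's primary group, so a filter like this will not match objects whose only link to the group is primary-group membership.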



2-factor authentication on Syncope

2022-09-20 Thread Andrea Patricelli

Hi Avetik,

Please let's change the object of the thread, otherwise all mails will 
be added as comments to Jira issue SYNCOPE-1695.


BTW

If I understood your question correctly, you want to log in to Syncope console 
with 2FA, am I right?


If so, Syncope does not provide 2-factor auth OOTB, but you can 
configure it to integrate with an external IdP through SAML [1] or OIDC 
[2] that provides such authentication features, i.e. an Access Manager, 
for example Apereo CAS [3].


Let me also point out that Syncope 3, currently at M0 release, provides 
OOTB a Web Access [4] module that is effectively an AM based on Apereo 
CAS project.


Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#saml-2-0-service-provider

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#openid-connect-client

[3] https://apereo.github.io/cas/6.6.x/index.html

[4] https://nightlies.apache.org/syncope/master/reference-guide.html#web-access


On 19/09/22 14:58, avetik.yessa...@ihost.am wrote:

Dear Colleagues,

Appreciate if you may advise about who can help us to get a 
configuration file example for 2-Factor Authentication for Apache 
Syncope?


Best regards,
Avetik


On 2022-09-19 16:22, Andrea Patricelli wrote:

Dear Avetik,

Glad to hear about your interest in Apache Syncope project, but such
kind of requests should be done on the appropriate mailing list here
[1].

Please use the user@syncope.apache.org ML to ask for what you're 
looking for.


Thanks and regards!

[1] https://syncope.apache.org/mailing-lists

On 19/09/22 14:09, avetik.yessa...@ihost.am.INVALID wrote:

Dear Andrea,

Appreciate if you can advise who can provide 2-Factor Authentication 
configuration sample for Apache Syncope.


Best regards,
Avetik


--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope



Re: how and where to provide elastic search cluster credentials to connect in the elasticsearchClientContext.xml

2022-03-03 Thread Andrea Patricelli

Glad to hear this.


Nice catch!


You're welcome and best regards,
Andrea


On 03/03/22 17:48, Vinay Kavala wrote:

Hi Andrea,

Thanks for that. However, the elastic extension jar from 2.1.9 syncope 
installation does not have proper bean setter methods to pass in the 
parameters.


So we have upgraded from 2.1.9 to 2.1.10 according to this document 
https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+from+2.1.9+to+2.1.10


and deployed both the syncope-console and syncope-core war files and 
it worked!!


Thanks a lot Andrea!!!

Regards,
Vinay

*From:* Andrea Patricelli 
*Sent:* Thursday, March 3, 2022 4:50 AM
*To:* user@syncope.apache.org 
*Subject:* Re: how and where to provide elastic search cluster 
credentials to connect in the elasticsearchClientContext.xml


Hi Vinay,


Please try with this here [1]


class="org.apache.syncope.ext.elasticsearch.client.ElasticsearchClientFactoryBean"> 

  
 name="apiKeyId" value="myApiKeyId"/> value="myApiKeySecret"/> 


and let us know.


Best regards,
Andrea


[1] https://github.com/apache/syncope/blob/2_1_X/ext/elasticsearch/client-elasticsearch/src/main/resources/elasticsearchClientContext.xml



On 01/03/22 19:45, Vinay Kavala wrote:

Hi Team,

In the documentation 
https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core it 
is mentioned that we need to configure the 
elasticSearchClientContext.xml to connect to the ES Cluster.


How do we pass on the username and password as credentials to the 
ElasticsearchClientFactoryBean?



I have added the below in the xml file..

   value="51cef73639d747b081088788c3ad3323.ip.es.odplabs.com"/>

   
   
  

How (and where) do I need to pass in the credentials to connect to the 
ES Cluster?


Thanks,
Vinay

--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope


--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

PMC Member at The Apache Software Foundation
Syncope


Re: how and where to provide elastic search cluster credentials to connect in the elasticsearchClientContext.xml

2022-03-03 Thread Andrea Patricelli

Hi Vinay,


Please try with this here [1]


class="org.apache.syncope.ext.elasticsearch.client.ElasticsearchClientFactoryBean"> 

  
 name="apiKeyId" value="myApiKeyId"/> value="myApiKeySecret"/> 


and let us know.


Best regards,
Andrea


[1] https://github.com/apache/syncope/blob/2_1_X/ext/elasticsearch/client-elasticsearch/src/main/resources/elasticsearchClientContext.xml



On 01/03/22 19:45, Vinay Kavala wrote:

Hi Team,

In the documentation 
https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core it 
is mentioned that we need to configure the 
elasticSearchClientContext.xml to connect to the ES Cluster.


How do we pass on the username and password as credentials to the 
ElasticsearchClientFactoryBean?



I have added the below in the xml file..

   value="51cef73639d747b081088788c3ad3323.ip.es.odplabs.com"/>

   
   
  

How (and where) do I need to pass in the credentials to connect to the 
ES Cluster?


Thanks,
Vinay


--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope


Re: Elastic Search extension usage and the impacted API's

2022-02-14 Thread Andrea Patricelli

Hi Vinay,


More than a cache, it is a parallel persistence that stores only some 
information to better index searches.


Please read my responses inline.


On 11/02/22 16:47, Vinay Kavala wrote:

Hi Team,

I have a couple of questions related to Elastic Search extension.

 1. I just wanted to understand which API's are returning the cached
    attributes/results from the elastic search, after a successful
    elastic search extension configuration with Syncope Core.
     1. for example - I assume the below API's fetch results from the
        elastic search cache, correct me if I am wrong. Are there any
        other API's which are returning the cached response? Where do
        I find the list of API's being served from elastic cache?
     2. /users
        /users/{key}

        /anyObjects
        /anyObjects/{key}

        /schemas
        /schemas/{type}


ATM only searches are performed through the Elasticsearch extension, 
here is the code [1]. So we can assume that only


 * GET /users
 * GET /groups
 * GET /anyObjects

search APIs use the Elasticsearch "cache".



 2. Is there a way to turn off the elastic search cache on syncope
    after configuration? Is there a toggle to turn on/off the cache?
    Or do I need entirely revert all the configuration changes in
    order to turn off the cache?




Basically you should revert all changes described here [2] (Enable the 
Elasticsearch extension) to return to a "clean" situation. But the most 
important change is to update this line [3] in your specific project 
configuration folder and restart the application server. The property 
any.search.dao leverages the search DAO bean to use, the default value 
is at [4].




Thanks,
Vinay





HTH,
Andrea


[1] https://github.com/apache/syncope/blob/2_1_X/ext/elasticsearch/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/ElasticsearchAnySearchDAO.java

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core

[3] https://github.com/apache/syncope/blob/syncope-2.1.10/ext/elasticsearch/persistence-jpa/src/main/resources/persistence.properties#L22

[4] https://github.com/apache/syncope/blob/syncope-2.1.10/core/persistence-jpa/src/main/resources/persistence.properties#L22



--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope


Re: Apache syncope integration with Active Directory

2020-09-22 Thread Andrea Patricelli

Hi Marius,

On 16/09/20 10:38, Marius wrote:

Hello,

we are trying to get apache syncope to integrate/communicate with an active
directory, we have a maven installation and have created the AD resource
connector using the connector from the bundle directory and everything seems
to be ok so far, the problem is that apache syncope does not seem to be
communicating with the active directory.

I found this guide online
https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory, and I
tried to create a new resource under the AD resource connector but I seem to
be missing the "LDAPMembershipPropagationActions" action class under the
resource when I try to create it, in fact I miss the other 2 too that he
seems to have under the "Propagation Actions" menu.

Now my question is how do I get on about having those classes available for
usage? do I need to modify something with the sample he provided in the
beginning of the post and then have to re-deploy everything? or is there an
easier way of doing this. Thank you in advance for this

Since Syncope 2.1.X implementations [1] have been introduced.
In order to define a custom propagation actions class you have to create 
your own implementation (from Configuration menu) and then you'll see it 
available under the "Propagation Actions" menu.

I would like to ask you one more thing, in a working integration of apache
syncope and AD, if I create a user using the apache syncope console does it
get replicated automatically into the AD or do I have to do some additional
configurations?

No, if the connector and the external resource are correctly configured 
you only need to assign AD to the user while creating/updating him in 
console.


Thank you very much in advance.

Welcome and best regards,
Andrea



[1] https://syncope.apache.org/docs/2.1/reference-guide.html#implementations

--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Fwd: How to generate swagger documentation

2020-06-25 Thread Andrea Patricelli

Sorry, my bad.
The correct swagger url is

[protocol]://[host]:[port]/syncope/swagger/

Best regards,
Andrea

On 25/06/20 11:30, Andrea Patricelli wrote:


Hi Anmol

On 24/06/20 18:22, Anmol Sharma wrote:

Hi,

I'm a new user exploring the Maven project workflow for Apache 
Syncope. I tried to use the `syncope-ext-swagger-ui` to generate the 
swagger documentation.


When I run mvn clean package in the core module, I do not see 
swagger-ui docs or config generated. I also ran the build with the 
`all` profile but I did not notice any difference.


I'm wondering if you could point me to some documentation on how to 
enable / generate swagger docs for a standalone deployment of the 
core module?

Here you can find some docs about building Syncope in general [1]. To 
enable the swagger extension please follow [2], "Enable the Swagger 
extension" section. You can find swagger docs available at 
[protocol]://[host]:[port]/syncope-swagger/


Thanks
anmol


HTH,
Andrea

[1] https://syncope.apache.org/building

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core





--
- Anmol

--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member





Re: Fwd: How to generate swagger documentation

2020-06-25 Thread Andrea Patricelli

Hi Anmol

On 24/06/20 18:22, Anmol Sharma wrote:

Hi,

I'm a new user exploring the Maven project workflow for Apache 
Syncope. I tried to use the `syncope-ext-swagger-ui` to generate the 
swagger documentation.


When I run mvn clean package in the core module, I do not see 
swagger-ui docs or config generated. I also ran the build with the 
`all` profile but I did not notice any difference.


I'm wondering if you could point me to some documentation on how to 
enable / generate swagger docs for a standalone deployment of the core 
module?

Here you can find some docs about building Syncope in general [1]. To 
enable the swagger extension please follow [2], "Enable the Swagger 
extension" section. You can find swagger docs available at 
[protocol]://[host]:[port]/syncope-swagger/


Thanks
anmol


HTH,
Andrea

[1] https://syncope.apache.org/building

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core





--
- Anmol


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Problem implementing First test Syncope pull action

2020-05-04 Thread Andrea Patricelli

I never followed this way and it is quite unusual to apply such 
customizations. Please follow the approach that I suggested: add the 
class to the archetype codebase, build Syncope and redeploy the whole 
war of the core.

Alternatively, if you're running a 2.1.X version, you could add at 
runtime LDAPPasswordPullActions as a groovy implementation [1] and so 
you do not need to rebuild and restart at all.


HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#implementations

On 04/05/20 08:49, oh...@yahoo.com wrote:

Hi,

No.

I was able to build the LDAPPasswordPullActions.java separately, in 
Eclipse, using JARs from the Syncope installation. That got me the 
LDAPPasswordPullActions.class file in 
./org/apache/syncope/core/provisioning/java/pushpull/LDAPPasswordPullActions.class.

Then, I ran:

jar uf /webapps/syncope/WEB-INF/lib/syncope-core-provisioning-java-2.1.5.jar ./org/apache/syncope/core/provisioning/java/pushpull/LDAPPasswordPullActions.class

to add the LDAPPasswordPullActions.class to the 
syncope-core-provisioning-java-2.1.5.jar.

Now, "tar tvf" shows:

jar tvf syncope-core-provisioning-java-2.1.5.jar | grep LDAPPasswordPullAction
7975 Sun May 03 15:56:42 UTC 2020 org/apache/syncope/core/provisioning/java/pushpull/LDAPPasswordPullActions.class


Then, I bounced the Tomcat, and went to the Syncope admin web app to 
Configuration ==> Implementations and tried to add the PULL_ACTIONS, 
but the LDAPPasswordPullActions does NOT appear there.


What else do I need to do to make the pull action available? Is there 
a MANIFEST.MF that needs to be modified also?


Thanks,
Jim

On Monday, May 4, 2020, 02:08:00 AM EDT, Andrea Patricelli wrote:



Hi Jim,

On 03/05/20 18:14, oh...@yahoo.com wrote:
> Hi,
>
> I wanted to test pull actions, so I am trying to build and deploy
> the LDAPPasswordPullActions example:
>
> https://github.com/apache/syncope/blob/syncope-2.1.5/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/pushpull/LDAPPasswordPullActions.java
>
> I was able to compile that class cleanly and I added that class to the
> /webapps/syncope/WEB-INF/lib/syncope-core-provisioning-java-2.1.5.jar
> and then I bounced the Tomcat server.

Do you mean that you added the class to the codebase of your archetype,
rebuilt the whole core module and deployed it into the Tomcat, right?

> However, when I go into the Syncope admin web app and check under
> Implementations ==> PULL_ACTIONS, I don't see any pull actions appearing.
>
> Did I add the new class file to the correct JAR file?
>
> If so, what else would cause the new PULL ACTION to not appear?
>
> Thanks,
> Jim


Best regards,
Andrea

--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member






Re: Problem implementing First test Syncope pull action

2020-05-04 Thread Andrea Patricelli

Hi Jim,

On 03/05/20 18:14, oh...@yahoo.com wrote:

Hi,

I wanted to test pull actions, so I am trying to build and deploy the 
LDAPPasswordPullActions example:

https://github.com/apache/syncope/blob/syncope-2.1.5/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/pushpull/LDAPPasswordPullActions.java

I was able to compile that class cleanly and I added that class to the 
/webapps/syncope/WEB-INF/lib/syncope-core-provisioning-java-2.1.5.jar 
and then I bounced the Tomcat server.

Do you mean that you added the class to the codebase of your archetype, 
rebuilt the whole core module and deployed it into the Tomcat, right?


However, when I go into the Syncope admin web app and check under Implementations 
==> PULL_ACTIONS, I don't see any pull actions appearing.

Did I add the new class file to the correct JAR file?

If so, what else would cause the new PULL ACTION to not appear?

Thanks,
Jim


Best regards,
Andrea

--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: How to retrieve previous/historical attribute data

2020-03-30 Thread Andrea Patricelli

Hi Glenn

On 28/03/20 07:46, Glenn Roe wrote:

Great news. Thanks, Andrea!

Would you happen to know if the audit feature will be log or database 
driven?


By default it is database driven, but you can provide to Syncope your 
own implementation and make Syncope use it by defining a custom 
implementation of [1] and [2] and changing the *logger.dao* property in 
this [3] file (of the generated archetype).


For other audit features (not directly related to data versioning) you 
can specify your own appender through Log4j2 features [4].




Also, do you happen to have a timeline for the 2.1.6 release?

I'm not able to define a date, but will be released soon ;)



Thanks again,

Welcome and best regards,

Andrea

[1] https://github.com/apache/syncope/blob/2_1_X/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/dao/LoggerDAO.java

[2] https://github.com/apache/syncope/blob/2_1_X/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/Logger.java

[3] https://github.com/apache/syncope/blob/2_1_X/core/persistence-jpa/src/main/resources/persistence.properties

[4] https://syncope.apache.org/docs/2.1/reference-guide.html#audit-appenders



Glenn



On Friday, March 27, 2020, 3:32:14 AM EDT, Andrea Patricelli wrote:



Hi Glenn,

since 2.1.6 version, not yet released, you will have the possibility 
to see the whole history of an user, group or any object by going to 
Realms -> USER -> manage history.


To enable this feature you have to setup the audit [1] in order to 
track events like [LOGIC]:[UserLogic]:[]:[update]:[SUCCESS].


You can see this feature in action on the playground env at [2].

Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#audit

[2] https://syncope-vm2.apache.org/syncope-console

On 26/03/20 13:45, Glenn Roe wrote:
Hello,

 I'm trying to figure out a way in Syncope to view a processed 
record's (via pull or push operation) previous or even historical 
attribute values.  Is this possible within Syncope by either an API or 
other means?  I'm trying to create a capability to view a record's 
historical attribute values in order to track bad data being processed.



Thank you,

Glenn
--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member




Re: How to retrieve previous/historical attribute data

2020-03-27 Thread Andrea Patricelli

Hi Glenn,

since 2.1.6 version, not yet released, you will have the possibility to 
see the whole history of a user, group or any object by going to Realms 
-> USER -> manage history.


To enable this feature you have to set up the audit [1] in order to track 
events like [LOGIC]:[UserLogic]:[]:[update]:[SUCCESS].


You can see this feature in action on the playground env at [2].

Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#audit

[2] https://syncope-vm2.apache.org/syncope-console

On 26/03/20 13:45, Glenn Roe wrote:

Hello,

 I'm trying to figure out a way in Syncope to view a processed 
record's (via pull or push operation) previous or even historical 
attribute values. Is this possible within Syncope by either an API or 
other means?  I'm trying to create a capability to view a record's 
historical attribute values in order to track bad data being processed.



Thank you,

Glenn


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: invalidmapping [only propagation allowed for derived]

2020-03-25 Thread Andrea Patricelli

Hi Arnold,

Since derived attributes' values are generated, you can only propagate 
them (towards the resource, i.e. identity-store). You cannot pull the 
value of a derived attribute from the identity-store, simply because its 
values are derived from those of other (plain) attributes. If you are 
pushing data towards a resource, i.e. executing a propagation task, you 
have to define the mapping for the derived attribute(s) as propagation 
only (->). Please refer to [1], [2] and [3].


HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#propagation

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping

[3] https://syncope.apache.org/docs/2.1/reference-guide.html#derived

On 25/03/20 00:58, Arnold Miller wrote:

Hi there!
I'm trying to sync first and last names to a single full name to an 
identity store by using a push task, so I created a derived schema 
with the combination of both; however, when I try to map this the 
system says:

invalidmapping [only propagation allowed for derived]
Does anybody know what to do in this case? Thank you!

Best Regards,

Arnold Miller


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: More problems provisioning problems w/somewhat larger user base - Connection already closed

2020-02-19 Thread Andrea Patricelli

Hi Jim,

Which DBMS are you using?

Generally speaking Syncope can manage several thousands of users, much 
more than 50k, without any problem.


Maybe your issue is related to configuration of datasource pools. If you 
are using default Hikari datasource [1] you can act on Hikari pool 
configuration params [2] and [3], mainly the ones related to connection 
timeout.


If you are using tomcat jdbc datasource [4] you have to manage connection 
configuration directly on the tomcat configuration.


Best regards,
Andrea

[1] https://github.com/apache/syncope/blob/2_1_X/core/persistence-jpa/src/main/resources/domains/MasterDomain.xml#L48-L58


[2] https://github.com/brettwooldridge/HikariCP/wiki/About-Pool-Sizing

[3] https://github.com/brettwooldridge/HikariCP#configuration-knobs-baby

On 19/02/20 04:57, oh...@yahoo.com wrote:

Hi,

I am continuing to test Syncope, trying to increase the number of 
users.  So I started with a clean start, with only a few test users in 
Syncope and clean logs.  I have a CSV file with 500 users and when I 
attempted to process this file with Syncope, I saw the following in 
the core.log (this is just a snippet of the log):


03:45:48.560 INFO  hsqldb.db.HSQLDB6D91E2E024.ENGINE - checkpointClose start
03:45:48.560 INFO  hsqldb.db.HSQLDB6D91E2E024.ENGINE - checkpointClose synched
03:45:48.611 INFO  hsqldb.db.HSQLDB6D91E2E024.ENGINE - checkpointClose script done
03:45:48.615 INFO  hsqldb.db.HSQLDB6D91E2E024.ENGINE - checkpointClose end
03:46:11.350 ERROR org.apache.syncope.core.provisioning.api.pushpull.SyncopeResultHandler - Could not create USER Auid00290
org.apache.openjpa.persistence.PersistenceException: Connection has already been closed. {SELECT dynRealm_id FROM DynRealmMembers WHERE any_id=?} [code=0, state=null]
    at org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:5250) ~[openjpa-jdbc-3.1.0.jar:3.1.0]
    at org.apache.openjpa.jdbc.sql.DBDictionary.newStoreException(DBDictionary.java:5210) ~[openjpa-jdbc-3.1.0.jar:3.1.0]
    at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:134) ~[openjpa-jdbc-3.1.0.jar:3.1.0]
    at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:107) ~[openjpa-jdbc-3.1.0.jar:3.1.0]
    at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:59) ~[openjpa-jdbc-3.1.0.jar:3.1.0]
    at org.apache.openjpa.jdbc.kernel.SQLStoreQuery$SQLExecutor.executeQuery(SQLStoreQuery.java:248) ~[openjpa-jdbc-3.1.0.jar:3.1.0]
    at org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:1060) ~[openjpa-kernel-3.1.0.jar:3.1.0]
    at org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:912) ~[openjpa-kernel-3.1.0.jar:3.1.0]
    at org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:843) ~[openjpa-kernel-3.1.0.jar:3.1.0]
    at org.apache.openjpa.kernel.DelegatingQuery.execute(DelegatingQuery.java:601) ~[openjpa-kernel-3.1.0.jar:3.1.0]
    at org.apache.openjpa.persistence.QueryImpl.execute(QueryImpl.java:297) ~[openjpa-persistence-3.1.0.jar:3.1.0]
    at org.apache.openjpa.persistence.QueryImpl.getResultList(QueryImpl.java:314) ~[openjpa-persistence-3.1.0.jar:3.1.0]
    at org.apache.syncope.core.persistence.jpa.dao.AbstractAnyDAO.findDynRealms(AbstractAnyDAO.java:536) ~[syncope-core-persistence-jpa-2.1.5.jar:2.1.5]
    at sun.reflect.GeneratedMethodAccessor280.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222]
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343) ~[spring-aop-5.1.9.RELEASE.jar:5.1.9.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198) ~[spring-aop-5.1.9.RELEASE.jar:5.1.9.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.1.9.RELEASE.jar:5.1.9.RELEASE]
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:295) ~[spring-tx-5.1.9.RELEASE.jar:5.1.9.RELEASE]
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98) ~[spring-tx-5.1.9.RELEASE.jar:5.1.9.RELEASE]
    at org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:60) ~[syncope-core-persistence-jpa-2.1.5.jar:2.1.5]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.9.RELEASE.jar:5.1.9.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) 

Re: Connector issue

2019-11-28 Thread Andrea Patricelli

Hi Steven,

glad to hear this.

Best regards,
Andrea

On 28/11/19 16:15, Steven van der Merwe wrote:

Hi Andrea

Thank you very much - You are spot on.

It was the fact that it was expecting an array but I was accidentally 
passing back an array of arrays


It seems that it is all working now and propagating correctly.

Thank you all very much for your help, it is very much appreciated

Regards
Steve




On Thu, Nov 28, 2019 at 12:02 PM Andrea Patricelli 
<andreapatrice...@apache.org> wrote:


Hi Steven,

the error that you are experiencing is quite generic, but it usually
means that the key that you passed from Syncope is not matching
the key of the object that the connector framework retrieved with
the query method. By "not matching" I mean that the EqualsFilter
[1] (or EqualsIgnoreCaseFilter [2]) is not accepting the two
objects passed, i.e. the equals of the two objects in the accept
method returns false.

Usually this depends on the mapping in Syncope or on the type of
the key returned by the connector, which is not matching the key
passed from Syncope.

Best regards,
Andrea

[1] https://github.com/Tirasa/ConnId/blob/connid-1.5.0.1/java/connector-framework/src/main/java/org/identityconnectors/framework/common/objects/filter/EqualsFilter.java

[2] https://github.com/Tirasa/ConnId/blob/connid-1.5.0.1/java/connector-framework/src/main/java/org/identityconnectors/framework/common/objects/filter/EqualsIgnoreCaseFilter.java

On 26/11/19 16:19, Steven van der Merwe wrote:

Hi

I managed to work out why it was not propagating the __UID__ - It
turns out I had the config for the "mapping" the wrong way around.

I have now moved a bit further forward but I am stuck on the
following

java.lang.IllegalStateException: Object {Uid=Attribute:
{Name=__UID__, Value=[[db1c50ed-5224-46e7-8bf1-89934c50852c]]},
ObjectClass=ObjectClass: __GROUP__, Attributes=[Attribute:
{Name=__NAME__, Value=[KinesisName]}, Attribute: {Name=__UID__,
Value=[[db1c50ed-5224-46e7-8bf1-89934c50852c]]}, Attribute:
{Name=realm, Value=[/]}, Attribute: {Name=name, Value=[name]}],
Name=Attribute: {Name=__NAME__, Value=[KinesisName]}} was
returned by the connector but failed to pass the framework
filter. This seems like wrong implementation of the filter in the
connector.
at

org.identityconnectors.framework.impl.api.local.operations.FilteredResultsHandler.handle(FilteredResultsHandler.java:82)
~[connector-framework-internal-1.5.0.1.jar:?]

I found someone else on the forums with the same issue and I have
ensured that all of the attributes are there; however, it doesn't
seem to work

Regards
Steve


On Tue, Nov 26, 2019 at 9:01 AM Steven van der Merwe
<stevevanderme...@gmail.com> wrote:

Hi

I am still a little confused for the following reason. In my
search method there is no __UID__ anywhere; am I missing
something?

For context my executeQuery looks like this (my log function
uses recursion to print out all of the values)

    @Override
    public void executeQuery(
            final ObjectClass objectClass,
            final Filter filter,
            final ResultsHandler handler,
            final OperationOptions options) {

        PropagationDto propagationDto = new PropagationDto.Builder()
                .objectClass(objectClass)
                .query(filter)
                .options(options)
                .operation(PropagationDto.Operation.QUERY)
                .build();
        sendDetails("executeQuery", propagationDto, true);

        try {
            Attribute key = getKeyFromFilter(filter);
            log("Key = ", key);
            ConnectorObjectBuilder bld = new ConnectorObjectBuilder();
            bld.setUid(key.getValue().toString());
            bld.setName(key.getName());
            ConnectorObject ret = bld.build();
            handler.handle(ret);
        } catch (UnsupportedOperationException uoe) {
            log("Search operation problem :" + uoe.getMessage());
        }

        log("Search parameters: ObjectClass -", objectClass);
        log("Search parameters: Options -", options);
        log("Search parameters: Results -", handler);
        log("Search parameters: query -", filter);
    }

    Attribute getKeyFromFilter(Filter filter) {
        Attribute key = null;
        if (filter instanceof EqualsFilter) {
            key = ((EqualsFilter) filter).getAttribute();
            if (key instanceof Uid) {
                log("Key is Uid");
            }
        } else {
            throw new UnsupportedOperationException("Not yet supported");
        }
        return key;
    }



And my FilterTranslator like so

    @Override
    public FilterTranslator createFilterTranslator(
            final ObjectClass objectClass,
            final OperationOptions options) {

        return new FilterTranslator() {

            @Override
            public List translate(Filter filter) {
                // Just log for now
                log("Filter ObjectClass -", objectClass);
                log("Filter options -", options);
                log("Filter filter -", filter);
                return CollectionUtil.newList(filter);
            }
        };
    }


As you can 

Re: Connector issue

2019-11-28 Thread Andrea Patricelli
   - no object link

When I test it does the following:
- Create group : works and calls my connector
- Delete group : does not call my connector (In the
propagation task log it says NOT_ATTEMPTED) -> I
have implemented all of the needed methods in my
connector I think?

Please could someone point me in the right direction
as this is driving me crazy

Regards
Steve


-- 
Francesco Chicchiriccò


Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



-- 
Steve van der Merwe

Blog : http://www.stevevandermerwe.co.za
+27 84 978 3817



--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member
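
The key mismatch discussed in the Connector issue thread above, reproduced directly against the ConnId classes as an added example (not code from the thread or from the ConnId project). The object whose Uid is built from List.toString() carries the bracketed string as its key, so EqualsFilter.accept() rejects it, which is the condition under which FilteredResultsHandler raises the quoted IllegalStateException; the object built from the single value is accepted. Assumptions: the connector-framework jar (connid-1.5.0.1, the version in the quoted stack trace) is on the classpath, the class and helper names are hypothetical, and the UID and group name are the ones shown in the quoted error message.

```java
import org.identityconnectors.framework.common.objects.Attribute;
import org.identityconnectors.framework.common.objects.AttributeUtil;
import org.identityconnectors.framework.common.objects.ConnectorObject;
import org.identityconnectors.framework.common.objects.ConnectorObjectBuilder;
import org.identityconnectors.framework.common.objects.ObjectClass;
import org.identityconnectors.framework.common.objects.Uid;
import org.identityconnectors.framework.common.objects.filter.EqualsFilter;
import org.identityconnectors.framework.common.objects.filter.Filter;
import org.identityconnectors.framework.common.objects.filter.FilterBuilder;

// Hypothetical class name; added example, not code posted in the thread.
public class UidFilterCheck {

    // Builds the kind of object a connector hands to ResultsHandler.handle().
    static ConnectorObject build(final String uidValue) {
        ConnectorObjectBuilder bld = new ConnectorObjectBuilder();
        bld.setObjectClass(ObjectClass.GROUP);
        bld.setUid(uidValue);
        bld.setName("KinesisName"); // group name from the error message in the thread
        return bld.build();
    }

    // Pattern used in the posted executeQuery: getValue() is a List, and
    // List.toString() wraps its content in square brackets.
    static String uidFromListToString(final Attribute key) {
        return key.getValue().toString();
    }

    // Reads the single value of the attribute as a plain String.
    static String uidFromSingleValue(final Attribute key) {
        return AttributeUtil.getStringValue(key);
    }

    public static void main(final String[] args) {
        // An equality filter on __UID__, as passed to executeQuery when
        // an object is looked up by its key.
        Filter filter = FilterBuilder.equalTo(
                new Uid("db1c50ed-5224-46e7-8bf1-89934c50852c"));
        Attribute key = ((EqualsFilter) filter).getAttribute();

        ConnectorObject wrapped = build(uidFromListToString(key));
        ConnectorObject plain = build(uidFromSingleValue(key));

        // accept() compares the filter attribute with the object's __UID__
        // attribute, value list included.
        System.out.println("Uid from List.toString(): "
                + wrapped.getUid().getUidValue()
                + " accepted=" + filter.accept(wrapped));
        System.out.println("Uid from single value:    "
                + plain.getUid().getUidValue()
                + " accepted=" + filter.accept(plain));
    }
}
```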



Re: ItemTransformer and PullAction questions

2019-11-27 Thread Andrea Patricelli

Hi Stephen,

the ItemTransformer works only on the value of the attribute which it is 
mapped to, so, in my opinion, it isn't the right choice for your use case.


You should work in your PullActions implementation, especially 
implementing beforeUpdate [1] method in order to update the value of the 
generated attribute.


Alternatively you could consider defining the generated attribute as 
derived [2] and so let Syncope create its value for you based on JEXL 
expressions that take the values of the two plain attributes (source).


[1] https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/TestPullActions.java#L71-L94


[2] https://syncope.apache.org/docs/2.1/reference-guide.html#derived

On 26/11/19 00:05, Farrell, Stephen R. wrote:


Hello,

I have a use case where I am getting attributes from my trusted source 
but need to create a new attribute based on a lookup table. This 
lookup table takes the values of 2 existing attributes to find the 
value of the newly created attribute. I have accomplished the use case 
partially with a Pull Action implementation but it only works for user 
creation, not updating. When one of the source attributes change the 
value of the new attribute should also change but I cannot trigger 
such a change with my current Pull Action implementation and am asking 
for some advice. I tried to create the same logic as an 
ItemTransformer but I cannot seem to access the values of other 
attributes in the beforePropagation method.


Thanks,

Stephen


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Syncope 2.1.2 question

2019-11-15 Thread Andrea Patricelli

Hi,

please read my responses inline.

On 14/11/19 19:26, lfinch wrote:

Andrea - we're still working with scim connector.  We are trying to send a
number of attributes, and they are showing up in the propagation task, but
not all are showing up at the external resource.

This is what the external resource receives.

{ userName: 'queenie.arias@hcahealthcare.scrub',
   name: { familyName: 'Arias', givenName: 'Queenie' },
   displayName: 'Queenie B Arias',
   emails: [ { value: 'queenie.arias@hcahealthcare.scrub', type: 'work' } ],
   schemas: [ 'urn:scim:schemas:core:1.0' ] }


It’s missing:
Internal Schema               External Attribute
__PASSWORD__                  password
Status                        active
RelationshipToOrganization    userType
username                      id
Emailprimary                  emails.work.primary
User_Id                       externalId

scim1114.docx
<http://syncope-user.1051894.n5.nabble.com/file/t339125/scim1114.docx>

I've attached some of the core.log and core-connid.log.  Is there something
else we should be looking for?  Any thoughts on why these values aren't
being received at the external resource?  Thanks!


In order to see details about the propagation task:

1. Set propagation trace level to ALL from resource configuration.
2. Check data sent to the SCIMV1.1 external resource by clicking on 
"Propagation tasks" from resource toggle menu or directly on user toggle 
menu (from Realm -> USER section). Click on the propagation task then on 
propagation task and then on details. Moreover you can also check the 
outcome logs of the execution (a part of what is logged in 
core-connid.log file) by clicking on propagation task -> view -> click 
on execution -> view.
3. Check mapping of the resource and attribute values on Syncope, for 
example I see from logs


{\"name\":\"userType\",\"value\":null}

this means that Syncope is sending a null value to the resource.

From the logs I also see that there are errors given by the create 
method of the SCIMV1.1 connector. Please check if there are other useful 
logs and start from the task execution.




--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Syncope 2.1.2 question

2019-11-12 Thread Andrea Patricelli

Hi,

which calls are you referring to? If you set net.tirasa.connid logs to 
TRACE it will log, in the core-connid.log file, all information about 
the interaction between Syncope and the ConnID framework to send/receive 
data to/from external resources, including the String representation of 
objects.


If you want to see payload and objects consider enabling debug mode as 
explained here [1] (search for JPDA Debug in Embedded Mode).


Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#customization

On 11/11/19 23:29, lfinch wrote:

Thank you, Andrea - we will try the logic action and the propagation action.

My developer wants to see the actual calls being made.  I have logging set
to trace on connid, do I need to increase to all?  Any other logs I should
be examining?  He wants to see the commands generated and how the data is
being presented (over and above looking at the propagation task).  Thank
you.

--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Syncope 2.1.2 question

2019-11-11 Thread Andrea Patricelli

Hi Anita,

derived schemas are considered as strings by Syncope, please consider 
not to use them. You could use:


1. A custom logic action [1] (assigned to the realm containing users)
   that assigns the value to the Syncope attribute "active" while
   creating/updating the user through console or via REST. This
   approach needs you to create a PLAIN schema of type *Boolean* named
   "active".
2. A custom propagation action [2]  that injects the Boolean value
   among the attributes sent to the external resource, without the need
   of mapping it to a Syncope attribute. Take this [3] as an example of
   what I'm referring to.

Moreover consider that the SCIM connector also supports status 
management, so you can use the ConnID special attribute __ENABLE__ in 
your mapping (if choosing solution 1). E.g. "active" -> __ENABLE__


Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#logicactions

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions

[3] https://github.com/apache/syncope/blob/syncope-2.1.5/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java#L105-L134


On 08/11/19 21:51, anita.fi...@cerecore.net wrote:


Hello!

I am using SCIM 1.1 connector and I need to pass a Boolean value from 
a derived schema.


Here’s an example that works.

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "userName": "msbradjensen@hcahealthcare.scrub",
  "externalId": "bjensen",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "emails": [
    {
      "value": "msbradjensen@hcahealthcare.scrub",
      "type": "work",
      "primary": true
    }
  ],
  "active": true
}

Here’s the propagation detail from Syncope:

[ {
  "name" : "schemas",
  "value" : [ "urn:scim:schemas:core:1.0" ]
}, {
  "name" : "active",
  "value" : [ "true" ]
}, {
  "name" : "name.givenName",
  "value" : [ "Queenie" ]
}, {
  "name" : "username",
  "value" : [ "queenie.arias@hcahealthcare.scrub" ]
}, {
  "name" : "__NAME__",
  "value" : [ null ]
}, {
  "name" : "name.familyName",
  "value" : [ "Arias" ]
}, {
  "name" : "emails.work.primary",
  "value" : [ "true" ]
}, {
  "name" : "externalId",
  "value" : [ "QBA3106" ]
}, {
  "name" : "emails.work.value",
  "value" : [ "queenie.arias@hcahealthcare.scrub" ]
} ]

Here’s my error message:

Users failed to create: CREATE FAILURE (key/name): 
415183bf-4946-4069-9183-bf4946006945/QBA3106 with message: While 
executing request: {"Errors":[{"description":"The new user must be 
created in \u0027active\u0027 status for user with userName 
queenie.arias@hcahealthcare.scrub","code":"400"}]}


It appears that the values would be accepted if they didn’t have 
double quotes.


Here’s where the derived attributes are defined in schema

Any suggestions?

Thank you!

Lynn Finch

P: 615-236-3781 | M: 615-454-7925


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: syncope-console HTTP Status 500 – Internal Server Error

2019-10-17 Thread Andrea Patricelli

On 17/10/19 15:09, vesco wrote:

Yeah, I did follow [1]; in fact all the files that must be modified:
- provisioning.properties
- domains/Master.properties
were already OK, I mean I didn't have to edit anything.

My PostgreSQL version is 12 because in the reference it's written: "Apache
Syncope 2.1.5 is verified with PostgreSQL server >= 10.3 and JDBC driver >=
42.2.6."

So my PostgreSQL version is 12 ... ( 12 > 10.3 ;) )

Touché, you're right :)

And my JDBC is postgresql-42.2.8
[2] indeed fails;

Thanks for the answer!

Welcome,

BTW IT tests are run against 11.5 version.

I meant: maybe something has changed in PostgreSQL configuration from 10 
to 12 version that causes tables creation failure? Does something change 
with a later version?


Best regards,
Andrea



--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: syncope-console HTTP Status 500 – Internal Server Error

2019-10-15 Thread Andrea Patricelli
n$4.notify(RequestCycleListenerCollection.java:126)
    at org.apache.wicket.request.cycle.RequestCycleListenerCollection$4.notify(RequestCycleListenerCollection.java:122)
    at org.apache.wicket.util.listener.ListenerCollection.notify(ListenerCollection.java:80)
    at org.apache.wicket.request.cycle.RequestCycleListenerCollection.onException(RequestCycleListenerCollection.java:121)
    at org.apache.wicket.request.cycle.RequestCycle.handleException(RequestCycle.java:368)
    at org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:314)
    at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:259)
    at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:221)
    at org.apache.wicket.protocol.ws.AbstractUpgradeFilter.processRequestCycle(AbstractUpgradeFilter.java:70)
    at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:206)
    at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:299)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.GeneratedConstructorAccessor551.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.apache.wicket.authroles.authentication.AuthenticatedWebApplication.newSession(AuthenticatedWebApplication.java:117)
    ... 38 more
Caused by: org.apache.syncope.common.lib.SyncopeClientException: Unknown [NullPointerException: ]
    at org.apache.syncope.common.lib.SyncopeClientException.build(SyncopeClientException.java:37)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:143)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:53)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:375)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:951)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:857)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:298)
    at com.sun.proxy.$Proxy1256.platform(Unknown Source)
    at org.apache.syncope.client.console.SyncopeConsoleSession.(SyncopeConsoleSession.java:103)
    ... 42 more

--
Sent from: http://syncope-user.1051894.n5.nabble.com/



--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Vial

Re: 2 versions of Syncope?

2019-09-17 Thread Andrea Patricelli

Hi Jim,

Basically 2.1 is the new stable release, while the 2.0 is the old stable 
that goes on with bugfixes only, to support actual installations.
They differ by some features added to 2.1, but they share almost all 
bugfixes.


In order to know what's new in Syncope 2.1 with respect to 2.0 please 
refer to [1].


Best regards,
Andrea

[1] https://cwiki.apache.org/confluence/display/SYNCOPE/Fusion#Fusion-2.1.0(June5th,2018)


On 16/09/19 18:44, oh...@yahoo.com wrote:

Hi,

I just saw that there were two release announcements, for:

- Apache Syncope 2.0.14

- Apache Syncope 2.1.5

My apologies that I haven't been keeping up too closely, but what are 
the differences between the 2 versions?


Thanks,
Jim


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Syncope trying to deploy using Maven and not getting login

2019-09-12 Thread Andrea Patricelli
.MetaData - Found duplicate metadata or mapping for "class 
org.apache.syncope.core.persistence.jpa.entity.conf.JPACPlainAttrUniqueValue".  
Ignoring.
07:53:22.653 INFO  org.springframework.scheduling.quartz.SchedulerFactoryBean - 
Shutting down Quartz Scheduler
07:53:22.653 INFO  org.quartz.core.QuartzScheduler - Scheduler 
ClusteredScheduler_$_gluu-prs9.mdtsoft.com1568289195837 shutting down.
07:53:22.653 INFO  org.quartz.core.QuartzScheduler - Scheduler 
ClusteredScheduler_$_gluu-prs9.mdtsoft.com1568289195837 paused.
07:53:22.857 INFO  org.quartz.core.QuartzScheduler - Scheduler unregistered 
from name 
'quartz:type=QuartzScheduler,name=ClusteredScheduler,instance=gluu-prs9.mdtsoft.com1568289195837'
 in the local MBeanServer.
07:53:22.857 INFO  org.quartz.core.QuartzScheduler - Scheduler 
ClusteredScheduler_$_gluu-prs9.mdtsoft.com1568289195837 shutdown complete.
07:53:22.859 INFO  
org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor - Shutting 
down ExecutorService
07:53:22.869 INFO  
org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor - Shutting 
down ExecutorService

I get clean logs with no errors.

my config directory is




--
3480 Preston Ridge Road
Suite 450
Alpharetta, GA 30005

Philip W. Dalrymple III 
MDT Software - Automation Management Company
+1 678 297 1001
Fax +1 678 297 1003


From: Andrea Patricelli 
Sent: Friday, September 6, 2019 4:20
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

Hi Philip,

in order to make a correct deploy on your application server follow [2].

As the warning in the doc states:

Be sure to put the corresponding JDBC driver JAR file under $CATALINA_HOME/lib 
for each datasource defined.

You should provide postgres driver to Syncope by putting it into Tomcat lib 
folder.

About the maven build error: did you give the correct r/w permissions to 
/opt/syncope/bundles directory? If you want more info about the build please 
add the -X option to your maven build command.

Best regards,
Andrea

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#apache-tomcat-9

On 05/09/19 16:38, Dalrymple, Philip wrote:

OK I had one issue in that to make it work my build script needed to look like

#!/bin/bash

cd syncope

sudo mkdir -p /opt/syncope/bundles
sudo mkdir -p /opt/syncope/log
sudo chmod 0777 /opt/syncope/log
sudo mkdir -p /opt/syncope/conf

# mvn clean verify \
#   -Dconf.directory=/opt/syncope/conf \
#   -Dbundles.directory=/opt/syncope/bundles \
#   -Dlog.directory=/opt/syncope/log

  mvn clean verify \
-Dconf.directory=/opt/syncope/conf \
-Dlog.directory=/opt/syncope/log


sudo cp core/target/classes/*properties /opt/syncope/conf
sudo cp console/target/classes/*properties /opt/syncope/conf
sudo cp enduser/target/classes/*properties /opt/syncope/conf
sudo cp enduser/target/classes/customFormAttributes.json /opt/syncope/conf
sudo cp enduser/target/classes/customTemplate.json /opt/syncope/conf

i.e. not changing the bundles directory (which I want to do as I want to build
in the bundles into the war files).

When I do that I DO get logs (in /opt/syncope/log). Looks like I don't have the
postgres driver.
I checked and the
core/target/classes/provisioning.properties

already had the changes for postgres

➜  syncope git:(master) ✗ more /opt/syncope/log/core.log
10:22:58.367 INFO  org.springframework.security.core.SpringSecurityCoreVersion - You are running with Spring Security Core 5.1.5.RELEASE
10:22:58.370 INFO  org.springframework.security.config.SecurityNamespaceHandler - Spring Security 'config' module version is 5.1.5.RELEASE
10:22:58.391 INFO  org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser - Expressions were enabled for method security but no SecurityExpressionHandler was configured. All hasPermision() expressions will evaluate to false.
10:22:58.437 INFO  org.springframework.security.config.http.HttpSecurityBeanDefinitionParser - Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 200, Root bean: class [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 400, , order
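
A pre-flight check for the deployment points raised in this thread (JDBC driver JAR under $CATALINA_HOME/lib, properties files in the conf directory, directory permissions), as an added example that is not part of the original messages. The function name `syncope_preflight`, its finding labels and the `postgresql*.jar` file-name pattern are assumptions; it also flags world-writable directories such as a log directory set to 0777.

```shell
#!/bin/bash
# Added example, not from the thread. Run it as the account Tomcat runs under.
# Usage: preflight.sh CATALINA_HOME CONF_DIR LOG_DIR BUNDLES_DIR

# Report one finding per line on stdout; the return status is the number of
# findings (0 means the layout looks deployable).
syncope_preflight() {
    local catalina_home=$1 conf_dir=$2 log_dir=$3 bundles_dir=$4
    local findings=0 d

    # The JDBC driver has to sit in Tomcat's own lib directory for each
    # datasource. postgresql*.jar is the usual PostgreSQL driver file name
    # (assumption: adjust the pattern for another database).
    if ! ls "$catalina_home"/lib/postgresql*.jar >/dev/null 2>&1; then
        echo "MISSING-DRIVER: no postgresql*.jar in $catalina_home/lib"
        findings=$((findings + 1))
    fi

    # The build is given -Dconf.directory=...; the *.properties files copied
    # from the core, console and enduser target/classes must really be there.
    if ! ls "$conf_dir"/*.properties >/dev/null 2>&1; then
        echo "NO-PROPERTIES: no *.properties files in $conf_dir"
        findings=$((findings + 1))
    fi

    for d in "$conf_dir" "$log_dir" "$bundles_dir"; do
        if [ ! -d "$d" ]; then
            echo "MISSING-DIR: $d"
            findings=$((findings + 1))
            continue
        fi
        # Mode bit 0002 set means any local account can write here. The conf
        # directory holds database credentials, so it matters most there.
        if [ -n "$(find "$d" -prune -perm -0002 -print 2>/dev/null)" ]; then
            echo "WORLD-WRITABLE: $d"
            findings=$((findings + 1))
        fi
    done

    # Logging needs write access for the current (Tomcat) account only.
    if [ -d "$log_dir" ] && [ ! -w "$log_dir" ]; then
        echo "NOT-WRITABLE: $log_dir"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone use: run the check when all four directories are given.
if [ "$#" -eq 4 ]; then
    syncope_preflight "$@"
fi
```

Giving the Tomcat account ownership of the log directory with a mode such as 0750 clears the WORLD-WRITABLE finding while logging keeps working.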

Re: Syncope trying to deploy using Maven and not getting login

2019-09-06 Thread Andrea Patricelli
4.3.jar -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn  -rf :syncope-core






________
From: Andrea Patricelli 
Sent: Thursday, September 5, 2019 10:07
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

P.S.

About the attached link: please take care to read the doc starting from
the "Deployment directories" section.

On 05/09/19 16:04, Dalrymple, Philip wrote:

OK I will give that a go.



________
From: Andrea Patricelli 
Sent: Thursday, September 5, 2019 10:03
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

Ok, maybe I got your first problem.

Please follow this [1]. Basically, in order to do a correct deploy, you
should build with a special mvn command specifying bundles, logs and
conf directories and, moreover, in order to let Syncope take correct
configuration parameters (like for the jdbc connection) copy some of the
properties files in sources under the specific conf directory.

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#customization

On 05/09/19 15:56, Dalrymple, Philip wrote:

OK this is weird

I did a

sudo find / -name "*core*.log*" -print

and only find the logs from my first try using docker.
(was not able to customize well enough and switched to
maven deleting the docker images)

I will keep looking.




From: Dalrymple, Philip 
Sent: Thursday, September 5, 2019 9:53
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login


OK I need to find where the logs are.



From: Andrea Patricelli 
Sent: Thursday, September 5, 2019 9:52
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

Hi Philip,

you should check core.log, core-rest.log, core-persistence.log and
core-connid.log files in order to understand what is the problem.
The NOT FOUND error in console simply means that core is unavailable,
probably because it failed to start.

Please check for exceptions in core*.log files and attach it into this
thread.

Best regards,
Andrea

On 05/09/19 15:32, Dalrymple, Philip wrote:

I am trying to deploy Syncope using the Maven method. I have followed the
instructions in

http://syncope.apache.org/docs/2.1/getting-started.html#maven-project

and then edited core/src/main/resources/domains/Master.properties

to have the correct postgres password, I re-did the mvn clean install
and placed the war files in my tomcat/webapps directory, they deployed
without me restarting tomcat.

When I got to http://X:8080/syncope-console I get a 500 erro

Re: Syncope trying to deploy using Maven and not getting login

2019-09-05 Thread Andrea Patricelli

Ok, maybe I got your first problem.

Please follow this [1]. Basically, in order to do a correct deploy, you 
should build with a special mvn command specifying bundles, logs and 
conf directories and, moreover, in order to let Syncope take correct 
configuration parameters (like for the jdbc connection) copy some of the 
properties files in sources under the specific conf directory.


HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#customization

On 05/09/19 15:56, Dalrymple, Philip wrote:

OK this is weird

I did a

sudo find / -name "*core*.log*" -print

and only find the logs from my first try using docker.
(was not able to customize well enough and switched to
maven deleting the docker images)

I will keep looking.




From: Dalrymple, Philip 
Sent: Thursday, September 5, 2019 9:53
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login


OK I need to find where the logs are.


____
From: Andrea Patricelli 
Sent: Thursday, September 5, 2019 9:52
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

Hi Philip,

you should check core.log, core-rest.log, core-persistence.log and
core-connid.log files in order to understand what is the problem.
The NOT FOUND error in console simply means that core is unavailable,
probably because it failed to start.

Please check for exceptions in core*.log files and attach it into this
thread.

Best regards,
Andrea

On 05/09/19 15:32, Dalrymple, Philip wrote:

I am trying to deploy Syncope using the Maven method. I have followed the
instructions in

http://syncope.apache.org/docs/2.1/getting-started.html#maven-project

and then edited core/src/main/resources/domains/Master.properties

to have the correct postgres password, I re-did the mvn clean install
and placed the war files in my tomcat/webapps directory, they deployed
without me restarting tomcat.

When I go to http://X:8080/syncope-console I get a 500 error (see below);
when I go to .../syncope or .../syncope/index.html or .../syncope-enduser I
get a 404 error.

I checked in WEB-INF/classes/persistence.properties  (in syncope) and it had the
correct DB user, host, and password info and I verified that I could connect to 
the DB BUT
the DB was empty.

the stack trace on the syncope-console


type Exception report

message Unable to instantiate web session class org.apache.syncope.client.console.SyncopeConsoleSession

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.apache.wicket.WicketRuntimeException: Unable to instantiate web session class org.apache.syncope.client.console.SyncopeConsoleSession
   org.apache.wicket.authroles.authentication.AuthenticatedWebApplication.newSession(AuthenticatedWebApplication.java:121)
   org.apache.wicket.Application.fetchCreateAndSetSession(Application.java:1555)
   org.apache.wicket.Session.get(Session.java:176)
   org.apache.syncope.client.console.SyncopeConsoleSession.get(SyncopeConsoleSession.java:91)
   org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener.onException(SyncopeConsoleRequestCycleListener.java:80)
   org.apache.wicket.request.cycle.RequestCycleListenerCollection$4.notify(RequestCycleListenerCollection.java:126)
   org.apache.wicket.request.cycle.RequestCycleListenerCollection$4.notify(RequestCycleListenerCollection.java:122)
   org.apache.wicket.util.listener.ListenerCollection.notify(ListenerCollection.java:80)
   org.apache.wicket.request.cycle.RequestCycleListenerCollection.onException(RequestCycleListenerCollection.java:121)
   org.apache.wicket.request.cycle.RequestCycleListenerCollection$4.notify(RequestCycleListenerCollection.java:126)
   org.apache.wicket.request.cycle.RequestCycleListenerCollection$4.notify(RequestCycleListenerCollection.java:122)
   org.apache.wicket.util.listener.ListenerCollection.notify(List

Re: Syncope trying to deploy using Maven and not getting login

2019-09-05 Thread Andrea Patricelli

P.S.

About the attached link: please take care to read the doc starting from
the "Deployment directories" section.


On 05/09/19 16:04, Dalrymple, Philip wrote:

OK I will give that a go.



________
From: Andrea Patricelli 
Sent: Thursday, September 5, 2019 10:03
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

Ok, maybe I got your first problem.

Please follow this [1]. Basically, in order to do a correct deploy, you
should build with a special mvn command specifying bundles, logs and
conf directories and, moreover, in order to let Syncope take correct
configuration parameters (like for the jdbc connection) copy some of the
properties files in sources under the specific conf directory.

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#customization

On 05/09/19 15:56, Dalrymple, Philip wrote:

OK this is weird

I did a

sudo find / -name "*core*.log*" -print

and only find the logs from my first try using docker.
(was not able to customize well enough and switched to
maven deleting the docker images)

I will keep looking.




From: Dalrymple, Philip 
Sent: Thursday, September 5, 2019 9:53
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login


OK I need to find where the logs are.


________
From: Andrea Patricelli 
Sent: Thursday, September 5, 2019 9:52
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

Hi Philip,

you should check core.log, core-rest.log, core-persistence.log and
core-connid.log files in order to understand what is the problem.
The NOT FOUND error in console simply means that core is unavailable,
probably because it failed to start.

Please check for exceptions in core*.log files and attach it into this
thread.

Best regards,
Andrea

On 05/09/19 15:32, Dalrymple, Philip wrote:

I am trying to deploy Syncope using the Maven method. I have followed the
instructions in

http://syncope.apache.org/docs/2.1/getting-started.html#maven-project

and then edited core/src/main/resources/domains/Master.properties

to have the correct postgres password, I re-did the mvn clean install
and placed the war files in my tomcat/webapps directory, they deployed
without me restarting tomcat.

When I go to http://X:8080/syncope-console I get a 500 error (see below);
when I go to .../syncope or .../syncope/index.html or .../syncope-enduser I
get a 404 error.

I checked in WEB-INF/classes/persistence.properties  (in syncope) and it had the
correct DB user, host, and password info and I verified that I could connect to 
the DB BUT
the DB was empty.

the stack trace on the syncope-console


type Exception report

message Unable to instantiate web session class org.apache.syncope.client.console.SyncopeConsoleSession

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.apache.wicket.WicketRuntimeException: Unable to instantiate web session class org.apache.syncope.client.console.SyncopeConsoleSession
org.apache.wicket.authroles.authentication.AuthenticatedWebApplication.newSession(AuthenticatedWebApplication.java:121)
org.apache.wicket.Application.fetchCreateAndSetSession(Application.java:1555)
org.apache.wicket.Session.get(Session.java:176)
org.apache.syncope.client.console.SyncopeConsoleSession.get(SyncopeConsoleSession.java:91)
org.apache.syncope.client.console.SyncopeC

Re: Syncope trying to deploy using Maven and not getting login

2019-09-05 Thread Andrea Patricelli


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: demo problem

2019-09-03 Thread Andrea Patricelli

Hi

now playground enduser is working fine. Maybe you tried to connect 
during the daily build and deploy.


Best regards,
Andrea

On 03/09/19 16:25, Гололобов Никита wrote:

https://syncope-vm.apache.org/syncope-enduser/ doesn't work.
Error text:
"Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request

Reason: Error reading from remote server"





Re: Syncope Feasibility Questions

2019-08-21 Thread Andrea Patricelli

Hi Naaman,

On 21/08/19 13:15, Naaman Hart wrote:


Hey Syncope,

We're looking at a way of provisioning identities into a cloud based 
PaaS that's under development. The application we're going to host is 
LDAP only so we're thinking of hosting an AWS managed AD within and 
then using Syncope (installed on customer site) to pull from their AD 
and push to ours.  Thereby giving us identities that we could refer to 
when we provide SAML SSO via their IDP.


Questions are basically the below.

 1. Is Syncope the right tool to be used as a collection/sync 'agent'
for this purpose.


Short answer: Yes.

Long answer: As far as I understood you need to migrate users (and also 
groups?) from one AD to another. You can easily do this by configuring 
two AD resources [1], and, with a pull operation [2], provision them to 
Syncope and to destination AD (on AWS). In order to do this you can also 
consider to add custom logic (to make some intermediate data 
elaboration) to the pull operation by developing a custom pull action in 
Java or Groovy [3].



 2. Can we slim Syncope down sufficiently that we can give it to a
customer with specific instructions to allow them to use it for
syncing.  We want it fairly simple because there's no guarantee of
the level of experience we'd meet on the customer end. A barebones
install also would mean greater flexibility in asking the customer
to host this for us.  If it’s too intensive then they may push
back on hosting it.


Do you mean to have a barebone installation of the UI, i.e. admin console?
If so, actual console is the reference implementation; it can be easily 
customized since it has been developed using Apache Wicket, an 
extensible Java framework for frontends [4]. In other words you can 
"shrink to the bone" the actual admin console in order to expose only 
some functionalities.
Moreover, if console does not fit your needs, you can consider 
developing a custom frontend application that interacts with Syncope. 
This is easily doable since Syncope core exposes REST APIs, take a look 
at [5] and [6].


Thanks in advance for having a look at this.  Any guidance is greatly 
appreciated.


Cheers,


Glad to hear about your interest in Syncope :)

Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#external-resources
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull
[3] https://syncope.apache.org/docs/2.1/reference-guide.html#pullactions
[4] https://wicket.apache.org/
[5] https://syncope.apache.org/docs/2.1/reference-guide.html#architecture
[6] https://syncope.apache.org/docs/2.1/reference-guide.html#rest



Naaman Hart

Cloud DevOps Architect, Strategic Programs

Mobile: +44 (0) 7733 107459





Re: How to user item_transformers

2019-07-31 Thread Andrea Patricelli

P.S.

sorry, I missed the link :)

[4] https://syncope.apache.org/docs/2.1/getting-started#maven-project

On 31/07/19 14:18, Andrea Patricelli wrote:


Syncope docker images are harder to customize compared to the simple
java artifacts generated with the "preferred method" for installation
[4]. For this reason if you want to customize Syncope through Java
classes, I suggest you get Syncope from the archetype and deploy the
wars on your preferred application server.


Another solution, in order to continue working on docker, would be to
implement your transformer (like other implementations) in Groovy, which
allows you to plug in scripts at runtime. So consider using a Groovy
implementation for your transformer. The code is likely to be
identical to the Java one.


Best regards,
Andrea

On 31/07/19 13:39, Noah Hansen . wrote:
We were able to get the class created but we are still struggling 
with finding where org.apache.syncope.core.provisioning.java.data is 
properly located within the docker instance.

Some help would be greatly appreciated

thanks,
-Noah

On Tue, Jul 30, 2019 at 10:45 AM Andrea Patricelli
<andreapatrice...@apache.org> wrote:


You should create your own transformer class and place it in your
sources in the right path (class package). Like described here [2]:

"transformers - JEXL <http://commons.apache.org/proper/commons-jexl/>
expression or Java class implementing ItemTransformer
<https://github.com/apache/syncope/blob/syncope-2.1.4/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/ItemTransformer.java>;
the purpose is to transform values before they are sent to or
received from the underlying connector"

So basically you need to implement the interface [3] with your
custom transformer and place it under
org.apache.syncope.core.provisioning.java.data

Best regards,
Andrea

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping

[3]

https://github.com/apache/syncope/blob/syncope-2.1.4/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/ItemTransformer.java

On 30/07/19 16:28, Noah Hansen . wrote:

There are no classes showing up while creating it. That's the
problem I'm having
-Noah

On Tue, Jul 30, 2019 at 10:03 AM Andrea Patricelli
<andreapatrice...@apache.org> wrote:

Hi Noah,

if you are using 2.1.X version you should first create an implementation
[1] of ITEM_TRANSFORMER and while creating the implementation you will
be asked for the class. Then you can use the just created implementation
into item transformer field while editing provisioning rules.

HTH,
Andrea

[1]
https://syncope.apache.org/docs/2.1/reference-guide.html#implementations

On 30/07/19 15:55, Noah Hansen . wrote:
> Hi All,
>
> I'm trying to use item_transformers in the implementation section and
> can't figure out how? When I try to create a new transformer it won't
> let me choose a class. How do I add a class?
>
> Thanks
> -Noah




Re: How to user item_transformers

2019-07-31 Thread Andrea Patricelli
Syncope docker images are harder to customize compared to the simple java
artifacts generated with the "preferred method" for installation [4].
For this reason if you want to customize Syncope through Java classes, I
suggest you get Syncope from the archetype and deploy the wars on your
preferred application server.


Another solution, in order to continue working on docker, would be to
implement your transformer (like other implementations) in Groovy, which
allows you to plug in scripts at runtime. So consider using a Groovy
implementation for your transformer. The code is likely to be
identical to the Java one.


Best regards,
Andrea

On 31/07/19 13:39, Noah Hansen . wrote:
We were able to get the class created but we are still struggling with 
finding where org.apache.syncope.core.provisioning.java.data is 
properly located within the docker instance.

Some help would be greatly appreciated

thanks,
-Noah

On Tue, Jul 30, 2019 at 10:45 AM Andrea Patricelli
<andreapatrice...@apache.org> wrote:


You should create your own transformer class and place it in your
sources in the right path (class package). Like described here [2]:

"transformers - JEXL <http://commons.apache.org/proper/commons-jexl/>
expression or Java class implementing ItemTransformer
<https://github.com/apache/syncope/blob/syncope-2.1.4/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/ItemTransformer.java>;
the purpose is to transform values before they are sent to or
received from the underlying connector"

So basically you need to implement the interface [3] with your
custom transformer and place it under
org.apache.syncope.core.provisioning.java.data

Best regards,
Andrea

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping

[3]

https://github.com/apache/syncope/blob/syncope-2.1.4/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/ItemTransformer.java

On 30/07/19 16:28, Noah Hansen . wrote:

There are no classes showing up while creating it. That's the
problem I'm having
-Noah

On Tue, Jul 30, 2019 at 10:03 AM Andrea Patricelli
<andreapatrice...@apache.org> wrote:

Hi Noah,

if you are using 2.1.X version you should first create an implementation
[1] of ITEM_TRANSFORMER and while creating the implementation you will
be asked for the class. Then you can use the just created implementation
into item transformer field while editing provisioning rules.

HTH,
Andrea

[1]
https://syncope.apache.org/docs/2.1/reference-guide.html#implementations

On 30/07/19 15:55, Noah Hansen . wrote:
> Hi All,
>
> I'm trying to use item_transformers in the implementation section and
> can't figure out how? When I try to create a new transformer it won't
> let me choose a class. How do I add a class?
>
> Thanks
> -Noah




Re: How to user item_transformers

2019-07-30 Thread Andrea Patricelli

Hi Noah,

if you are using 2.1.X version you should first create an implementation 
[1] of ITEM_TRANSFORMER and while creating the implementation you will 
be asked for the class. Then you can use the just created implementation 
into item transformer field while editing provisioning rules.


HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#implementations

On 30/07/19 15:55, Noah Hansen . wrote:

Hi All,

I'm trying to use item_transformers in the implementation section and
can't figure out how? When I try to create a new transformer it won't
let me choose a class. How do I add a class?


Thanks
-Noah





Re: Update user info in Active Directory from SQL Server

2019-07-26 Thread Andrea Patricelli

P.S.

Sorry, the link [1] is referring to the first row of the response ;)
" Syncope can do the work for you if rightly setup and configured."

Best regards,
Andrea

On 26/07/19 09:40, Andrea Patricelli wrote:


Hi Ramón González,

Definitely what Tavernt said. Syncope can do the work for you if 
rightly setup and configured.


Here are some references:
- To setup a Syncope environment [2]
- To configure a (source) SQL server connector and resource through 
Database table or Scripted SQL connector [3] [4] and an Active 
Directory (destination) connector and resource [5].


Once the resources are configured, you have to pull [6] users into Syncope and
define some logic in Java or Groovy (the business rules addressed by
Tavernt), i.e. [7], if you need to do some processing before sending
users to the AD resource. While pulling you can automatically assign, in
different ways, users to AD and link Syncope users to SQL server and AD.
Moreover, once users have assigned AD and SQL server resources, at 
each change, Syncope takes care of synchronizing entities towards 
resources. To have an idea of what a pull  task is and how to 
configure (also scheduling) it, please take a look at [8].


Thanks also to Tavernt for the precise overview of the whole flow.

Best regards,
Andrea

[1] 
https://syncope.apache.org/docs/2.1/reference-guide.html#identity-stores
[2] 
https://syncope.apache.org/docs/2.1/getting-started#obtain-apache-syncope
[3] 
https://syncope.apache.org/docs/2.1/reference-guide.html#connector-bundles

[4] https://connid.atlassian.net/wiki/spaces/BASE/pages/5570562/Database
[5] 
https://connid.atlassian.net/wiki/spaces/BASE/pages/360482/Active+Directory+JNDI
[6] 
https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull

[7] https://syncope.apache.org/docs/2.1/reference-guide.html#pullactions
[8] https://syncope.apache.org/docs/2.1/reference-guide.html#tasks-pull

On 26/07/19 09:13, Tavernt Muchenje wrote:


Hi RG,

Yes, that’s the role of IdM to provision users/account to downstream 
systems (AD in this case).


Apache Syncope can easily be configured to read and pull users from 
SQL server DB and apply some business rules before creating the users 
in AD.


In addition you can schedule how often you need to check for user 
changes in SQL.


Cheers

---




Tavernt J. Muchenje (MBA, CCSP, CISSP)

Managing Director | Enterprise Security Architect

I’CURITY SOLUTIONS (PTY) LTD

M: +27 (0)72 727 8371

W: www.icurity.co.za <http://www.icurity.co.za>

BEE: Level 1

*From: *Ramón González 
*Reply-To: *
*Date: *Friday, 26 July 2019 at 02:32
*To: *
*Subject: *Update user info in Active Directory from SQL Server

Hello,

An HR department uses an app to manage employee info such as manager, 
position, phone number, cellphone, birthday, emergency contact, etc. 
This info is stored in *SQL Server.*


Is it possible to update user info in *Active Directory (AD)* from 
SQL Server?


Right now, user info is updated in SQL Server but is outdated in AD.

Thanks in advance.

Regards,

RG


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member





Re: Update user info in Active Directory from SQL Server

2019-07-26 Thread Andrea Patricelli

Hi Ramón González,

Definitely what Tavernt said. Syncope can do the work for you if properly 
set up and configured.


Here are some references:
- To set up a Syncope environment [2]
- To configure a (source) SQL server connector and resource through 
Database table or Scripted SQL connector [3] [4] and an Active Directory 
(destination) connector and resource [5].


Once the resources are configured, you have to pull [6] users into Syncope and 
define some logic in Java or Groovy (the business rules addressed by 
Tavernt), i.e. [7], if you need to do some processing before sending 
users to the AD resource. While pulling you can automatically assign, in 
different ways, users to AD and link Syncope users to SQL server and AD.
Moreover, once users have been assigned the AD and SQL server resources, at each 
change, Syncope takes care of synchronizing entities towards resources. 
To get an idea of what a pull task is and how to configure (and 
schedule) it, please take a look at [8].


Thanks also to Tavernt for the precise overview of the whole flow.

Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#identity-stores
[2] 
https://syncope.apache.org/docs/2.1/getting-started#obtain-apache-syncope
[3] 
https://syncope.apache.org/docs/2.1/reference-guide.html#connector-bundles

[4] https://connid.atlassian.net/wiki/spaces/BASE/pages/5570562/Database
[5] 
https://connid.atlassian.net/wiki/spaces/BASE/pages/360482/Active+Directory+JNDI
[6] 
https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull

[7] https://syncope.apache.org/docs/2.1/reference-guide.html#pullactions
[8] https://syncope.apache.org/docs/2.1/reference-guide.html#tasks-pull

Il 26/07/19 09:13, Tavernt Muchenje ha scritto:


Hi RG,

Yes, that’s the role of IdM to provision users/account to downstream 
systems (AD in this case).


Apache Syncope can easily be configured to read and pull users from 
SQL server DB and apply some business rules before creating the users 
in AD.


In addition you can schedule how often you need to check for user 
changes in SQL.


Cheers

---




Tavernt J. Muchenje (MBA, CCSP, CISSP)

Managing Director | Enterprise Security Architect

I’CURITY SOLUTIONS (PTY) LTD

M: +27 (0)72 727 8371

W: www.icurity.co.za <http://www.icurity.co.za>

BEE: Level 1

*From: *Ramón González 
*Reply-To: *
*Date: *Friday, 26 July 2019 at 02:32
*To: *
*Subject: *Update user info in Active Directory from SQL Server

Hello,

An HR department uses an app to manage employee info such as manager, 
position, phone number, cellphone, birthday, emergency contact, etc. 
This info is stored in *SQL Server.*


Is it possible to update user info in *Active Directory (AD)* from SQL 
Server?


Right now, user info is updated in SQL Server but is outdated in AD.

Thanks in advance.

Regards,

RG


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Log events

2019-06-21 Thread Andrea Patricelli

Good morning,

Please take a look at [1] and [2] (playground environment based on 
latest 2.1.5-SNAPSHOT version) in order to understand if current 
auditing features fit your needs.


More specifically, what kind of improvements and features about audit do 
you need?


HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#audit
[2] http://syncope-vm.apache.org:9080/syncope-console

Il 14/06/19 20:56, lfinch ha scritto:

Dear Ernst Developer

I'm working with a new implementation of Syncope 2

I was asked today to develop more robust auditing features, very similar to
what you were posting about back in 2012.  Were you able to develop
something, and would you mind sharing?

Thanks!
Lynn

--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: New to Syncope - send notifications from user to admin

2019-06-13 Thread Andrea Patricelli

Hi Jan,

ok now I understood your need.

In Syncope user's lifecycle (also groups and any objects) is leveraged 
by a workflow, managed by the workflow layer. Besides the default 
workflow implementation [1] you can configure Syncope to use Flowable 
BPMN engine; thus configure a BPMN workflow definition that fits your 
needs (go to approval on user self update). Please take a look at [2].


Take a look at [3] to have an idea of workflow definition with approval 
steps. For example if you run Syncope in embedded mode [4] and try to 
update a sample user (say puccini) by adding a group from enduser, you 
can see an approval request in console (accessible from shaking hands icon).


HTH,
Andrea

[1] 
https://github.com/apache/syncope/blob/2_1_X/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultUserWorkflowAdapter.java

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#workflow-layer

[3] 
https://github.com/apache/syncope/blob/2_1_X/ext/flowable/flowable-bpmn/src/main/resources/userWorkflow.bpmn20.xml

[4] http://syncope.apache.org/docs/getting-started.html#embedded-mode

Il 13/06/19 14:05, Jan ha scritto:

The post I made probably wasn't clear enough. The end user can change their
password, groups, resources etc...  The changes the end user makes are seen in
the admin console.

What I basically need is that the end user changes the stuff he needs, and this
gives me a notification in my admin console, where I will be making the
changes after checking them.

Thank you

--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: New to Syncope - send notifications from user to admin

2019-06-10 Thread Andrea Patricelli

Hi,

please read my responses inline.

Il 10/06/19 15:14, Jan ha scritto:

Dear Syncope,

I am new to Syncope and I'm trying to get it working as an end-user
governance system. I'll just try to post a model situation how I would like
it to work :-) Is it even possible?

1) I am the admin, who would work in the admin console (I already have a
fully functional AD connector, with push pull commands - I've got all the
users from the AD in Syncope) All the governance would be made here

Nice, this step is not trivial :)


2) One of the HR employees would like to send me a notification through
syncope to create an account: John Smith, which department he is located in,
which data storage he should have access to.

3) This notification would be received in both Syncope and my mailbox, I
would just create the account in syncope, set the privileges and push it
into AD

Here are a few problems that I encountered:

So far I got my end user registering module working with a security
question. Right now I can create new users through the syncope enduser
system

<http://syncope-user.1051894.n5.nabble.com/file/t339126/syncope_enduser.png>

The biggest problem is, that I cannot login via the end-user login screen,
so I have no idea what I can do there :) See picture below. All I can do is
keep clicking next next and when I click finish, nothing happens
The same goes with password reset. I can click on password reset, enter
security question, Syncope tells me that "user xx has been successfully
updated" - I have no idea what was updated, because the old password keeps
working.

<http://syncope-user.1051894.n5.nabble.com/file/t339126/enduser_syncope2.png>

If anyone would help me, I would be extremely grateful :)


From the screenshots I see that you're using 2.1 version. If you're 
using User Requests please consider to use latest snapshot version 
2.1.5-SNAPSHOT since some bugfixes and improvements have been made in [1].


What happens on Syncope depends on the workflow that you're using. 
Basically you receive the "green notification" on user create and 
password reset; this means that enduser successfully sent the request to 
Syncope core.
Logging to console as admin, do you see any request in the top right bar 
(shaking hands icon)? What is the status of the user created through the 
enduser?
Did you check logs of the application? I suggest to you to check for 
errors in core.log, core-persistence.log, core-rest.log and 
core-connid.log.


Best regards,
Andrea

[1] https://issues.apache.org/jira/projects/SYNCOPE/issues/SYNCOPE-1462




--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Flowable modeler configuration

2019-04-30 Thread Andrea Patricelli

Hi Adam

Il 30/04/19 06:36, Adam Levine ha scritto:

Francesco:
  Thank you so much for this information!  It was the guide I was
looking for.


  And, I think I broke it.


  I was using the demo site, admin and bellini.


- (admin) Created a new flow using the assignPrinterRequest you referenced
- (user) Created a request using the +, but did not fill in the form

Did you perform this from enduser right?

- (admin) claimed the unfilled request
- (user) tried to fill out the form, could only delete it at that point

What do you mean with "could only delete it"? From enduser or console?

- (admin) saw I could fill the form, but cancelled
- (admin) unclaimed request

And I got this: https://pastebin.com/CzmJNK7M
The error is unclear unfortunately. To understand we need more details. 
After unclaiming did you click on some other link?



Also, 1 question and 1 comment

Q1:  I've noticed this behaviour in the past, and it still seems to 
happen, both on my local and demo.  When I'm logged in as the admin 
account, it will randomly log me out.  I'm not inactive for any amount 
of time, haven't been logged in for very long, and.. boom.  Different 
browsers, different machines, different times, different installs.  
 It happens when I'm logged in as only the admin, or when logged in as 
both user and admin.  I do recall a few random logouts on the user 
app, too.

 - Is this a known issue?
This could happen if you have multiple sessions (on console) on 
different tabs of browsers logged in with the same user. It is not 
considered a bug.


C1:  On the enduser app, the links for compressed and darkmode are 
strangely obscured. I wasn't sure what they were until I clicked on 
them. And, the changes I made on the enduser app spilled over to the 
console app.

   See attached image.

Did you perform some changes to the enduser CSS? It seems that the 
container of the wizard is larger than usual. Or maybe browser zoom or 
screen resolution are influencing the view.


 Thank you again for your endless help and patience  :)



You're welcome, best regards,
Andrea






On Fri, Apr 26, 2019 at 4:49 AM Francesco Chicchiriccò
<ilgro...@apache.org> wrote:


Hi,
generally speaking, Flowable is not used "as-is" with all its features,
but embedded through an extension.

In particular, Flowable Forms are not used as standalone entities, but
rather as they used to work since the time of Activiti, e.g. embedded in
the BPMN process definition.
Also the Flowable Modeler is embedded with only the capabilities
relevant to Syncope.

If you want to see a working sample of user request (with forms), create
new user requests from Admin Console, name it "assignPrinterRequest" and
paste the content of

https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/main/resources/assignPrinterRequest.bpmn20.xml

or create another, name it "directorGroupRequest" and paste the
content of

https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/main/resources/directorGroupRequest.bpmn20.xml

Once defined, user requests can be managed either via REST or Admin
Console (for approval) / Enduser UI (for starting / canceling / checking
status / etc.)

Hope this clarifies.
Regards.

On 25/04/19 06:58, Adam Levine wrote:
> On my maven build, and on the publicly hosted demo, I am unable to do
> anything with forms inside the flowable modeler.
>
>  (extensions -> flowable -> select item from table -> flowable modeler)
>
>  - When selecting an event, like the start event, and clicking on
> "form reference", an error is displayed:
> There was an error loading the forms. Try again later
> Also, the only enabled button is "Cancel".
>
> I ran the Flowable all-in-one to try and find a configuration
> difference.   In this app, all the buttons are enabled, and no error
> message is shown.  And, there is an entire menu bar up top (Processes,
> Case Models, Forms, Decision Tables, Apps) that is displayed.  That
> menu bar is present on my syncope install when I open up the developer
> tools, but it's just not visible.
>
> Is this a matter of configuration?  Does Flowable need to be running
> in parallel with syncope for form design?
>
> Thank you for any guidance you can provide.

-- 
Francesco Chicchiriccò


Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Custom Task/ Scheduled Tasks

2019-01-21 Thread Andrea Patricelli

Hi Phil,

please read inline

Il 15/01/19 22:57, pcrowder ha scritto:

How do you configure custom tasks to execute at a scheduled interval? It
looks like you can only specify the key and class for a TaskJob_Delegate ie
no scheduling information.  Is that done somewhere else?
This kind of information is in the first part of the wizard, which (in 
the second step) asks you about scheduling.

There are jobs listed under the Control tab in the Dashboard but there
doesn't appear to be a way to add a job.
This section has the only purpose to show jobs scheduled by Syncope and 
associated to some task (previously created and scheduled), and, in case 
manage them. You should create custom tasks from: Topology -> click on 
Syncope green node -> custom tasks -> button "+".

Thank you,


HTH,
Andrea


Phil

--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Syncope 2.0.11 installation issue - Using Maven

2018-12-20 Thread Andrea Patricelli
)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
at
org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282)
at
com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)
at
com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)
at
org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201)
at
org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175)
at
org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)
at
org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at
org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
at
org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
at
org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
at
org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
at
org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at
org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)
at
org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
at
org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
at
org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
at
org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
at
org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
at
org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at
org.apache.wicket.authroles.authentication.AuthenticatedWebApplication.newSession(AuthenticatedWebApplication.java:115)
... 47 more
Caused by: org.apache.syncope.common.lib.SyncopeClientException: Unknown
[NullPointerException: ]
at
org.apache.syncope.common.lib.SyncopeClientException.build(SyncopeClientException.java:37)
at
org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:143)
at
org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:53)
at
org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
at
org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:313)
at
org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:876)
at
org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:789)
at
org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:235)
at com.sun.proxy.$Proxy1065.platform(Unknown Source)
at
org.apache.syncope.client.console.SyncopeConsoleSession.<init>(SyncopeConsoleSession.java:103)

Could someone please help to solve this issue?

Thanks in advance,
Indhu


--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Create a user from postman in Standalone distribution:

2018-12-06 Thread Andrea Patricelli

Hi Juan,

Your request is giving an error because you are sending values that 
aren't meaningful for Syncope; you cannot send the "string" value for 
auxClasses, resource, attribute schemas, etc.
Those properties refer to other entities that should exist on Syncope 
(resources, any type classes, schemas, etc.).


In your specific case the error returned by Syncope means that you are 
not sending some required (see related schema definition) attributes, 
like *fullname*, *surname* and *userId*.


Here is a working example done on [1].

{
  "@class": "org.apache.syncope.common.lib.to.UserTO",
  "realm": "/",
  "plainAttrs": [
    {
      "schema": "fullname",
      "values": [
        "donizzetti donizzetti"
      ]
    },
    {
      "schema": "firstname",
      "values": [
        "donizzetti"
      ]
    },
    {
      "schema": "userId",
      "values": [
        "donizze...@apache.org"
      ]
    },
    {
      "schema": "surname",
      "values": [
        "donizzetti"
      ]
    }
  ],
  "username": "donizzetti",
  "password": "Password123"
}

Please take also a look at [2]

HTH,
Andrea

[1] http://syncope-vm.apache.org:9080/syncope-console
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#type-management

Il 06/12/18 13:02, Juan Medina ha scritto:

I'm trying to create a user from postman in Standalone distribution:

I try with

Post to: http://localhost:9080/syncope/rest/users
Body (JSON from the http://localhost:9080/syncope/swagger/):

{
  "@class": "org.apache.syncope.common.lib.to.UserTO",
  "realm": "/",
  "auxClasses": [
    "string"
  ],
  "plainAttrs": [
    {
      "schema": "string",
      "values": [
        "string"
      ]
    }
  ],
  "derAttrs": [
    {
      "schema": "string",
      "values": [
        "string"
      ]
    }
  ],
  "virAttrs": [
    {
      "schema": "string",
      "values": [
        "string"
      ]
    }
  ],
  "resources": [
    "string"
  ],
  "username": "string",
  "password": "string",
  "securityQuestion": "string",
  "securityAnswer": "string",
  "roles": [
    "string"
  ],
  "privileges": [
    "string"
  ],
  "relationships": [
    {
      "type": "string",
      "otherEndType": "string",
      "otherEndKey": "string",
      "otherEndName": "string"
    }
  ],
  "memberships": [
    {
      "groupKey": "string",
      "groupName": "string",
      "plainAttrs": [
        {
          "schema": "string",
          "values": [
            "string"
          ]
        }
      ],
      "derAttrs": [
        {
          "schema": "string",
          "values": [
            "string"
          ]
        }
      ],
      "virAttrs": [
        {
          "schema": "string",
          "values": [
            "string"
          ]
        }
      ]
    }
  ]
}

But the response is:

{
    "status": 400,
    "type": "RequiredValuesMissing",
    "elements": [
        "surname",
        "fullname",
        "userId"
    ]
}

I try to add it but the request header throw a 
x-application-error-info says:
Unknown:UnrecognizedPropertyException: Unrecognized field "surname" 
(class org.apache.syncope.common.lib.to.UserTO), not marked as ignorable


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member
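
Both errors in the thread above (RequiredValuesMissing, then UnrecognizedPropertyException for a top-level "surname") can be caught before the POST is sent. The following Python pre-flight check for a UserTO body is an added example, not part of the original messages and not Syncope code. The function names, the sample values and the required-schema list (copied from the 400 response quoted above) are assumptions made for illustration.

```python
import json

# Top-level UserTO fields, as listed in the Swagger template quoted in the thread.
USER_TO_FIELDS = {
    "@class", "realm", "auxClasses", "plainAttrs", "derAttrs", "virAttrs",
    "resources", "username", "password", "securityQuestion", "securityAnswer",
    "roles", "privileges", "relationships", "memberships",
}

# Mandatory plain schemas named in the 400 response in the thread.
# Assumption: this list is deployment-specific; adjust it to your schema definitions.
REQUIRED_PLAIN_SCHEMAS = ("surname", "fullname", "userId")

PLACEHOLDER = "string"  # literal that the Swagger UI puts in its sample body


def _has_placeholder(value):
    """Return True if value is, or contains, the Swagger placeholder literal."""
    if isinstance(value, str):
        return value == PLACEHOLDER
    if isinstance(value, list):
        return any(_has_placeholder(v) for v in value)
    if isinstance(value, dict):
        return any(_has_placeholder(v) for v in value.values())
    return False


def build_user_to(username, password, plain_attrs, realm="/"):
    """Build a minimal UserTO body: attributes go into plainAttrs, not top level."""
    return {
        "@class": "org.apache.syncope.common.lib.to.UserTO",
        "realm": realm,
        "plainAttrs": [{"schema": k, "values": [v]} for k, v in plain_attrs.items()],
        "username": username,
        "password": password,
    }


def check_user_to(payload, required=REQUIRED_PLAIN_SCHEMAS):
    """Return a list of problems that would make the create request fail."""
    problems = []
    for field in sorted(payload):
        if field not in USER_TO_FIELDS:
            hint = " (send it as a plainAttrs entry)" if field in required else ""
            problems.append(f"unrecognized top-level field '{field}'{hint}")
        elif _has_placeholder(payload[field]):
            problems.append(f"field '{field}' still contains the Swagger placeholder")

    # A required schema counts as present only if it carries a non-empty value.
    present = set()
    for attr in payload.get("plainAttrs") or []:
        values = attr.get("values") or [] if isinstance(attr, dict) else []
        if any(isinstance(v, str) and v.strip() for v in values):
            present.add(attr.get("schema"))
    missing = [s for s in required if s not in present]
    if missing:
        problems.append("missing required plain attributes: " + ", ".join(missing))
    return problems


# Constructed excerpt of the Swagger sample body that was posted unchanged.
SWAGGER_SAMPLE = {
    "@class": "org.apache.syncope.common.lib.to.UserTO",
    "realm": "/",
    "auxClasses": ["string"],
    "plainAttrs": [{"schema": "string", "values": ["string"]}],
    "username": "string",
    "password": "string",
}

# Constructed attribute values for a body that passes the check.
GOOD_ATTRS = {
    "fullname": "donizzetti donizzetti",
    "firstname": "donizzetti",
    "userId": "donizzetti@example.org",
    "surname": "donizzetti",
}

if __name__ == "__main__":
    good = build_user_to("donizzetti", "Password123", GOOD_ATTRS)
    print(json.dumps(good, indent=2))
    print("good body:", check_user_to(good))
    for problem in check_user_to(SWAGGER_SAMPLE):
        print("swagger sample:", problem)
```
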



Re: Syncope 2.1.1 for Docker Issues

2018-11-15 Thread Andrea Patricelli

Hi Andrew,

Il 15/11/18 18:00, Andrew Waterson ha scritto:


Unsure why it wasn’t working.  I haven’t tried a fresh 2.1.2 image 
yet, but upgrading a working 2.1.1 to 2.1.2 seems to be running fine 
after I made the /etc/apache-syncope directory persistent.



Glad to hear that now is working.

I guess that this way maybe worked because making */etc/apache-syncope* 
persistent is like starting from a fresh installation, because mounting a 
volume on local machine fresh new directory "empties" the target dir on 
docker environment.


Best regards,
Andrea



*From:*Andrea Patricelli [mailto:andreapatrice...@apache.org]
*Sent:* Wednesday, November 14, 2018 10:31 AM
*To:* user@syncope.apache.org
*Subject:* Re: Syncope 2.1.1 for Docker Issues

Hi Andrew,

I'm not able to reproduce your issue; I've just tested with the docker 
compose taken from [1] with version 2.1.2 and it works fine.


It seems that your *workflow.properties* is missing *historyLevel* 
property, please try again with fresh new 2.1.2 images taken from 
docker hub.


Best regards,
Andrea

Il 13/11/18 17:34, Andrew Waterson ha scritto:

When running a docker-compose for 2.1.2, syncope-core will not
initialize.  Receiving the below error.  However, 2.1.1 works fine
in Docker.

syncope_1_949d5739a0e5 | 12-Nov-2018 23:00:24.611 SEVERE
[localhost-startStop-1]
org.apache.catalina.core.StandardContext.listenerStart Exception
sending context initialized event to listener instance of class
org.springframework.web.context.ContextLoaderListener

syncope_1_949d5739a0e5 |
org.springframework.beans.factory.BeanDefinitionStoreException:
Invalid bean definition with name

'org.apache.syncope.core.flowable.support.DomainProcessEngineConfiguration#0'
defined in URL

[jar:file:/var/lib/tomcat8/webapps/syncope/WEB-INF/lib/syncope-ext-flowable-bpmn-2.1.2.jar!/workflowFlowableContext.xml]:
Could not resolve placeholder 'historyLevel' in value
"${historyLevel}"; nested exception is
java.lang.IllegalArgumentException: Could not resolve placeholder
'historyLevel' in value "${historyLevel}"

syncope_1_949d5739a0e5 |    at

org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:228)

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member





Re: Syncope 2.1.1 for Docker Issues

2018-11-14 Thread Andrea Patricelli

Hi Andrew,

I'm not able to reproduce your issue; I've just tested with the docker 
compose taken from [1] with version 2.1.2 and it works fine.


It seems that your *workflow.properties* is missing *historyLevel* 
property, please try again with fresh new 2.1.2 images taken from docker 
hub.


Best regards,
Andrea

Il 13/11/18 17:34, Andrew Waterson ha scritto:


When running a docker-compose for 2.1.2, syncope-core will not 
initialize.  Receiving the below error. However, 2.1.1 works fine in 
Docker.


syncope_1_949d5739a0e5 | 12-Nov-2018 23:00:24.611 SEVERE 
[localhost-startStop-1] 
org.apache.catalina.core.StandardContext.listenerStart Exception 
sending context initialized event to listener instance of class 
org.springframework.web.context.ContextLoaderListener


syncope_1_949d5739a0e5 | 
org.springframework.beans.factory.BeanDefinitionStoreException: 
Invalid bean definition with name 
'org.apache.syncope.core.flowable.support.DomainProcessEngineConfiguration#0' 
defined in URL 
[jar:file:/var/lib/tomcat8/webapps/syncope/WEB-INF/lib/syncope-ext-flowable-bpmn-2.1.2.jar!/workflowFlowableContext.xml]: 
Could not resolve placeholder 'historyLevel' in value 
"${historyLevel}"; nested exception is 
java.lang.IllegalArgumentException: Could not resolve placeholder 
'historyLevel' in value "${historyLevel}"


syncope_1_949d5739a0e5 |    at 
org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:228)



--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Java Rest Endpoint entityManager problem

2018-10-29 Thread Andrea Patricelli

Hi Ben,

please take [1] and [2] as reference to have a working reference example.

Please notice the use of @Transactional annotations on UserLogic class.

HTH,
Andrea

Il 29/10/18 14:45, Ben.H ha scritto:

I did create the endpoint, and it all wires up correctly.  It even works when
I use the methods from the base DAO class (e.g. using the find method with
the id as opposed to the findByUsername method).  I have been able to work
around this problem using the Id.  I didn't think it was available to me at
that point, but we were able to work.
However, I still am curious why the base class could find the entitymanager
and the UserDao could not...

--
Sent from: http://syncope-user.1051894.n5.nabble.com/


[1] 
https://github.com/apache/syncope/blob/syncope-2.0.10/core/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/UserServiceImpl.java
[2] 
https://github.com/apache/syncope/blob/syncope-2.0.10/core/logic/src/main/java/org/apache/syncope/core/logic/UserLogic.java


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Java Rest Endpoint entityManager problem

2018-10-26 Thread Andrea Patricelli

Hi Ben,

I guess that you put the bean in the wrong package, it seems that spring 
is not finding the entity manager bean.


How have you added the rest endpoint? Could you please list steps, 
classes and packages?


Best regards,
Andrea

Il 23/10/18 15:26, Ben.H ha scritto:

I'm trying to create a rest endpoint in java.  I can hit the endpoint, which
has an autowired UserDAO on it, no exception is thrown when the UserDAO is
autowired but when I go to do a findByUsername I get an
IllegalStateException stating; Could not find EntityManager for domain
Master.

Should I be using the UserDAO or should I be using some other component?
And why won't it autowire correctly?

--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Modify Console 'Edit USER' modal

2018-10-15 Thread Andrea Patricelli

Hi,

you can customize wizard shape by editing wizard layout for a specific role.
Go to Configuration -> Security -> Roles; define a role and edit its 
JSON layout configuration. Only users with that role will see the 
customized form.


If you want to perform deeper customizations you have to override some 
administration console Java classes.


Best regards,
Andrea


Il 10/10/2018 18:50, pcrowder ha scritto:

Hello,

Where can I override the 'Edit USER' and 'New USER' wizards in the admin
console.

1. I would like to remove the 'Auxiliary classes' panel for both ie an admin
user cannot edit this.
2. Also, I have had a request to change the display order of the 'Plain
Attributes'.

Thank you,
Phil



--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Action whenever AnyObject is created/updated/deleted

2018-10-09 Thread Andrea Patricelli

Hi Hernâni Borges,

You should use "logic actions".

Please refer to documentation at [1] (switch version according to your 
current Syncope version). At [2] there's a sample implementation.


HTH,
Andrea

[1] https://syncope.apache.org/docs/2.0/reference-guide.html#logicactions
[2] 
https://github.com/apache/syncope/blob/syncope-2.0.10/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/DoubleValueLogicActions.java



Il 08/10/2018 14:25, Hernâni Borges de Freitas ha scritto:

Hello,

We are interested in having an action that calls an http endpoint to flush 
caches whenever an AnyObject is created/updated/deleted.

What’s the easiest way to achieve this functionality?

Thanks

Hernani





Re: Ldap pull task fail if one or more of ldap users have uid like this "Na\\\me" or "Na\me"

2018-09-20 Thread Andrea Patricelli
r.java:136) 


 at net.tirasa.connid.bundles.ldap.LdapConnector.executeQuery(LdapConnector.java:57)
 at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:171)
 at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:130)
 at sun.reflect.GeneratedMethodAccessor762.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
 at com.sun.proxy.$Proxy389.search(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor762.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
 at com.sun.proxy.$Proxy389.search(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor762.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)







Re: AW: AW: Syncope Console realms listing

2018-09-13 Thread Andrea Patricelli

Hi Maria,

no problem.

Since Syncope Docker images are generated from .deb packages you should 
extend the original Docker image of the console and manually replace the 
file in the compiled sources.


Otherwise you should build your own Docker image of the console starting 
from the war generated by your customized sources and use it in the 
compose file. To do this for sure you need a new Dockerfile and to work 
with maven docker plugin.


Best regards,
Andrea

On 13/09/2018 11:59, Maria Barth wrote:


Hello Andrea,

sorry to bother you again :)

Could you please advise how I can deploy the new syncope-console.war 
to the syncope-console docker container?


I am using the Docker Compose tool.

Thank you and regards,

Maria

*From:* Maria Barth [mailto:mba...@cad-schroer.de]
*Sent:* Wednesday, 12 September 2018 16:34
*To:*
*Subject:* AW: AW: Syncope Console realms listing

Hi Andrea,

thank you very much, it worked fine for my embedded Syncope.

I only had to add

@Override
public boolean isVisible() {
    // visible only if the realm's full path starts with one of the available realms
    return availableRealms.stream().
            anyMatch(availableRealm -> realmTO.getFullPath().startsWith(availableRealm));
}

in RealmChoicePanel.java

Best regards,

Maria

*From:* Andrea Patricelli [mailto:andreapatrice...@apache.org]
*Sent:* Tuesday, 11 September 2018 09:41
*To:* user@syncope.apache.org
*Subject:* Re: AW: Syncope Console realms listing

Hi,

please take a look at the class at [1]. You should toggle visibility 
of the component that displays the realm list to false instead of 
simply disabling the component row.


N.B. In order to override classes you should use a Syncope archetype 
project [2].


Best regards,
Andrea

[1] https://github.com/apache/syncope/blob/2_1_X/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
[2] https://syncope.apache.org/docs/2.1/getting-started.html#create-project


On 10/09/2018 11:24, Maria Barth wrote:

Hi  Andrea,

thank you for the quick response.

I am using the version 2.1.1.

Could you give me some hints about the console customization,
necessary to hide not allowed realms?

Best regards,

Maria

*From:* Andrea Patricelli [mailto:andreapatrice...@apache.org]
*Sent:* Monday, 10 September 2018 11:06
*To:* user@syncope.apache.org <mailto:user@syncope.apache.org>
*Subject:* Re: Syncope Console realms listing

Hi Maria,

Could you please specify which version of Syncope are you using?

The current implementation of the console shows all other realms,
but disables the ones on which the admin user does not have
permission (you should see a "not allowed" icon on realms
different than "Firma1").
In order to hide not allowed realms you should make a
customization to the current console implementation.

HTH,
Andrea

On 10/09/2018 10:23, Maria Barth wrote:

Hello,

my requirement is to have a user in Syncope, who is able to
administrate other users in the same realm, but who may not
see the list of other realms.

Is it possible?

I have configured a role, with following entitlements on the
realm:

"entitlements":[
    "ACCESS_TOKEN_LIST",
    "ANYTYPE_LIST",
    "ANYTYPE_READ",
    "ANYTYPECLASS_LIST",
    "ANYTYPECLASS_READ",
    "DOMAIN_READ",
    "GROUP_DELETE",
    "GROUP_UPDATE",
    "GROUP_CREATE",
    "GROUP_LIST",
    "GROUP_READ",
    "GROUP_SEARCH",
    "MEMBERSHIP_DELETE",
    "MEMBERSHIP_UPDATE",
    "MEMBERSHIP_CREATE",
    "MEMBERSHIP_LIST",
    "MEMBERSHIP_READ",
    "REALM_LIST",
    "RELATIONSHIPTYPE_LIST",
    "RELATIONSHIPTYPE_READ",
    "ROLE_DELETE",
    "ROLE_UPDATE",
    "ROLE_CREATE",
    "ROLE_LIST",
    "ROLE_READ",
    "SCHEMA_LIST",
    "USER_SEARCH",
    "USER_DELETE",
    "USER_CREATE",
    "USER_UPDATE",
    "USER_READ"],
"realms":["/Firma1"],

But if the user having this role 

Re: Update Plain schema attribute for a realm

2018-09-11 Thread Andrea Patricelli

Hi Indhupriya,


On 07/09/2018 15:57, indhupriya wrote:

Hi,

I have a requirement to update a Plain schema attribute for a realm to a
constant value.

i.e. I've ~2K users in a /test realm (totally ~10k from other realms too)
and these users have an attribute "location". For all these ~2K users in
"/test" realm we need to update the "location" value say as "test1".

We know it is possible to update attribute for each user separately using
userID or unique ID. But is there any way to update for all the users using
REST API? or by updating the field in Syncope MySQL table?

The best solution is to stop your Syncope instance, update manually 
MySQL UPlainAttrValue table and restart.




We are using syncope 2.0.2, MySQL and glassfish server

BTW I warmly suggest to upgrade to latest Syncope version, currently 
2.0.10. Please refer to [1].


Thanks in advance,
Indhupriya.S



Best regards,
Andrea

[1] https://cwiki.apache.org/confluence/display/SYNCOPE/Jazz

--
Dott. Andrea Patricelli
Tel. +39 3204524292

Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: AW: Syncope Console realms listing

2018-09-11 Thread Andrea Patricelli

Hi,

please take a look at the class at [1]. You should toggle visibility of 
the component that displays the realm list to false instead of simply 
disabling the component row.


N.B. In order to override classes you should use a Syncope archetype 
project [2].


Best regards,
Andrea

[1] https://github.com/apache/syncope/blob/2_1_X/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java

[2] https://syncope.apache.org/docs/2.1/getting-started.html#create-project


On 10/09/2018 11:24, Maria Barth wrote:


Hi  Andrea,

thank you for the quick response.

I am using the version 2.1.1.

Could you give me some hints about the console customization, 
necessary to hide not allowed realms?


Best regards,

Maria

*From:* Andrea Patricelli [mailto:andreapatrice...@apache.org]
*Sent:* Monday, 10 September 2018 11:06
*To:* user@syncope.apache.org
*Subject:* Re: Syncope Console realms listing

Hi Maria,

Could you please specify which version of Syncope are you using?

The current implementation of the console shows all other realms, but 
disables the ones on which the admin user does not have permission 
(you should see a "not allowed" icon on realms different than "Firma1").
In order to hide not allowed realms you should make a customization to 
the current console implementation.


HTH,
Andrea

On 10/09/2018 10:23, Maria Barth wrote:

Hello,

my requirement is to have a user in Syncope, who is able to
administrate other users in the same realm, but who may not see
the list of other realms.

Is it possible?

I have configured a role, with following entitlements on the realm:

"entitlements":[
    "ACCESS_TOKEN_LIST",
    "ANYTYPE_LIST",
    "ANYTYPE_READ",
    "ANYTYPECLASS_LIST",
    "ANYTYPECLASS_READ",
    "DOMAIN_READ",
    "GROUP_DELETE",
    "GROUP_UPDATE",
    "GROUP_CREATE",
    "GROUP_LIST",
    "GROUP_READ",
    "GROUP_SEARCH",
    "MEMBERSHIP_DELETE",
    "MEMBERSHIP_UPDATE",
    "MEMBERSHIP_CREATE",
    "MEMBERSHIP_LIST",
    "MEMBERSHIP_READ",
    "REALM_LIST",
    "RELATIONSHIPTYPE_LIST",
    "RELATIONSHIPTYPE_READ",
    "ROLE_DELETE",
    "ROLE_UPDATE",
    "ROLE_CREATE",
    "ROLE_LIST",
    "ROLE_READ",
    "SCHEMA_LIST",
    "USER_SEARCH",
    "USER_DELETE",
    "USER_CREATE",
    "USER_UPDATE",
    "USER_READ"],
"realms":["/Firma1"],

But if the user having this role and being defined on the realm
„/Firma1“ enters the „Realms“ in the console, he is able to see
the list of all realms:

Thank you for your help and regards,

Maria Barth


Our latest promotions for our products can be found at:
News & Events <http://www.cad-schroer.ch/emailaction/>

CAD Schroer GmbH, Fritz-Peters-Strasse 11, 47447 Moers, Germany
Managing directors: Michael Schroer, Thomas Schubert
Amtsgericht Kleve HRB 5339
Tel.: +49 2841-9184-0 / Fax: +49 2841-9184-44
E-Mail: i...@cad-schroer.de
Web: www.cad-schroer.de




Re: Syncope administrator create realms

2018-09-10 Thread Andrea Patricelli

Hi Maria,

Your problem is related to entitlements REALM_DELETE, REALM_UPDATE and 
REALM_CREATE. If you want to enable realm read/editing you need to add 
also other entitlements, otherwise remove those three entitlements.

This set for example should work:

RESOURCE_READ, RELATIONSHIPTYPE_READ, IMPLEMENTATION_READ, 
REMEDIATION_LIST, TASK_LIST, RELATIONSHIPTYPE_LIST, IMPLEMENTATION_LIST, 
USER_CREATE, GROUP_SEARCH, RESOURCE_LIST, ANYTYPE_READ, USER_SEARCH, 
ACCESS_TOKEN_LIST, CONFIGURATION_LIST, ANYTYPECLASS_READ, ROLE_LIST, 
ANYTYPECLASS_LIST, USER_READ, ROLE_READ, REALM_DELETE, SCHEMA_LIST, 
USER_DELETE, REALM_UPDATE, SECURITY_QUESTION_READ, REALM_CREATE, 
ANYTYPE_LIST, USER_UPDATE, POLICY_READ, GROUP_READ, POLICY_LIST, 
REALM_LIST, TASK_READ, DOMAIN_READ, DYNREALM_READ


Best regards,
Andrea

On 10/09/2018 12:03, Maria Barth wrote:


Hello,

I am evaluating Syncope as a possible IDM-system for integrating in a 
new product.


One of the requirements is to have an administrator role allowing to 
perform all actions with all realms, users, groups, roles and able to 
view access tokens.


I have configured a role as following:

"entitlements":[
    "ACCESS_TOKEN_LIST",
    "ANYTYPE_LIST",
    "ANYTYPE_READ",
    "ANYTYPECLASS_LIST",
    "ANYTYPECLASS_READ",
    "DOMAIN_READ",
    "GROUP_DELETE",
    "GROUP_UPDATE",
    "GROUP_CREATE",
    "GROUP_LIST",
    "GROUP_READ",
    "GROUP_SEARCH",
    "MEMBERSHIP_DELETE",
    "MEMBERSHIP_UPDATE",
    "MEMBERSHIP_CREATE",
    "MEMBERSHIP_LIST",
    "MEMBERSHIP_READ",
    "POLICY_READ",
    "REALM_LIST",
    "REALM_CREATE",
    "REALM_DELETE",
    "REALM_UPDATE",
    "RELATIONSHIPTYPE_LIST",
    "RELATIONSHIPTYPE_READ",
    "RESOURCE_LIST",
    "RESOURCE_READ",
    "ROLE_DELETE",
    "ROLE_UPDATE",
    "ROLE_CREATE",
    "ROLE_LIST",
    "ROLE_READ",
    "USER_SEARCH",
    "USER_DELETE",
    "USER_CREATE",
    "USER_UPDATE",
    "USER_READ"],
"realms":["/"],

It seems I am still missing some entitlements, because the user needs 
to login again as soon as he hits

- the „Realms“ item on the left
- the „Details“ tab after hitting „Dashboard“ – „Users“ (see the 
  attachment)
- one of the leaves of the realm tree in the right corner after hitting 
  „Dashboard“ – „Users“.


Thank you and regards,

Maria Barth





Re: Syncope Console realms listing

2018-09-10 Thread Andrea Patricelli

Hi Maria,

Could you please specify which version of Syncope are you using?

The current implementation of the console shows all other realms, but 
disables the ones on which the admin user does not have permission (you 
should see a "not allowed" icon on realms different than "Firma1").
In order to hide not allowed realms you should make a customization to 
the current console implementation.


HTH,
Andrea

On 10/09/2018 10:23, Maria Barth wrote:


Hello,

my requirement is to have a user in Syncope, who is able to 
administrate other users in the same realm, but who may not see the 
list of other realms.


Is it possible?

I have configured a role, with following entitlements on the realm:

"entitlements":[
    "ACCESS_TOKEN_LIST",
    "ANYTYPE_LIST",
    "ANYTYPE_READ",
    "ANYTYPECLASS_LIST",
    "ANYTYPECLASS_READ",
    "DOMAIN_READ",
    "GROUP_DELETE",
    "GROUP_UPDATE",
    "GROUP_CREATE",
    "GROUP_LIST",
    "GROUP_READ",
    "GROUP_SEARCH",
    "MEMBERSHIP_DELETE",
    "MEMBERSHIP_UPDATE",
    "MEMBERSHIP_CREATE",
    "MEMBERSHIP_LIST",
    "MEMBERSHIP_READ",
    "REALM_LIST",
    "RELATIONSHIPTYPE_LIST",
    "RELATIONSHIPTYPE_READ",
    "ROLE_DELETE",
    "ROLE_UPDATE",
    "ROLE_CREATE",
    "ROLE_LIST",
    "ROLE_READ",
    "SCHEMA_LIST",
    "USER_SEARCH",
    "USER_DELETE",
    "USER_CREATE",
    "USER_UPDATE",
    "USER_READ"],
"realms":["/Firma1"],

But if the user having this role and being defined on the realm 
„/Firma1“ enters the „Realms“ in the console, he is able to see the 
list of all realms:


Thank you for your help and regards,

Maria Barth





Re: Application hierarchy mapping in Syncope

2018-08-29 Thread Andrea Patricelli

Hi


On 28/08/2018 17:22, Hernâni Borges de Freitas wrote:

Assuming that I have a structure of
/
  /application-a
  /application-b

With roles and managers assigned to realms /application-a and /application-b 
and several AnyObjects defined in /.

Would it be possible for a user manager in /application-a to assign the 
AnyObject X defined in / to a group that only exists in /application-a ? Would 
be possible for another user manager in /application-b to the same for the same 
AnyObject defined in / ? Bear in mind that we are talking about the same 
AnyObject and it only exists in the parent realm not in the realm of any of the 
applications.


Yes, it is possible to assign groups in /application-a to objects in /. 
According to documentation "/A User or an Any Object can be members of 
Groups in the same realm or in one of the parent realms./"


But, _if the manager user has assigned a role on realm /application-a_, 
*no*, it is not possible for that user to manage objects in /. You should 
assign to the manager a role that gives entitlements on realm /.
Or use delegated administration through dynamic realms, described here 
[1]. But I think you should use delegation only if there isn't any other 
chance to implement your scenario.

Thanks so much again

Hernani


Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.0/reference-guide.html#delegated-administration



On 28 Aug 2018, at 15:43, Andrea Patricelli  wrote:



On 28/08/2018 16:34, Hernâni Borges de Freitas wrote:

Hi Andrea,

Thanks for your fast answer.

I thought about using a new AnyObject instead of the user directly because our 
usage for users will be somehow special without having passwords for them for 
instance, but just some metadata associated which we can leave not associated 
with users but to this new anyObject.

Only a tip about this: password propagation and storing is optional, so you can 
create users without managing their passwords.


About the mapping you are suggesting: what is still confusing me is how to 
allow a user to be present in more than one realm and still only allow managers 
of those realms to assign the users to the groups they can control. For user X 
I need that managers of realm /a are able to assign it to groups inside /a and 
managers of /b to assign it to groups inside /b.

Ok, now I got it.
If you assign to USER with, for example, username "manager-a" the role 
"manager-role-application-a" (assigned to realm /a) with entitlements to update user or 
anyobject, you can manage groups of anyobjects in realm /a and all its children.

Best regards,
Andrea


Hernani


On 28 Aug 2018, at 15:21, Andrea Patricelli  wrote:

Hi Hernâni,


On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:

Hello

I am  trying to map an organization composed by the same user base that uses 
different applications and have different roles in those applications to Apache 
Syncope. We are only using syncope to provide authorisation to the 
applications, not authentication. Those applications will consume authorisation 
for different members via Syncope REST API.

Syncope has the following realms:
/
/application-a
/application-b
/application-x

- We are using apache syncope to manage membership to groups in different 
applications. Those different applications have their own managers who can 
define groups and memberships under their realms in syncope.
- All members belong to the same organization and are shared by different 
applications. They can be members of different groups in different applications.
- Each application is defined by a realm and managers of those applications 
have roles with entitlements in those realms that allow to define groups. They 
can only define membership in groups in their realms and not in other realms.
- As far as I understand, objects in syncope can only belong to a realm, so it 
is not possible to have them in different realms and have managers able to edit 
memberships only for groups in their realm. To avoid this I created a new 
AnyObject of a new AnyType which maps our members in different realms. For each 
application where our members are, there is an AnyObject in the correspondent 
realms. If member A is in Application A and Application B there will be two 
AnyObjects for it, one in /application-a realm and another one in 
/application-b realm. Managers of those realms can edit AnyObjects in their 
realm without problems.

Why do you not use USER to map members into realms? Why did you create a new 
ANY_OBJECT?

I would like to know if there simpler ways to map this hierarchy in syncope 
specially without the need to replicate the members in different anyobjects 
that are editable in the different realms and I would like to understand if 
there is a better way to organize realms, groups and objects than the one I am 
planning to use.

You can define roles and map the role to a specific realm, for example:

manager-role-application-a -&g

Re: Application hierarchy mapping in Syncope

2018-08-28 Thread Andrea Patricelli




On 28/08/2018 16:34, Hernâni Borges de Freitas wrote:

Hi Andrea,

Thanks for your fast answer.

I thought about using a new AnyObject instead of the user directly because our 
usage for users will be somehow special without having passwords for them for 
instance, but just some metadata associated which we can leave not associated 
with users but to this new anyObject.


Only a tip about this: password propagation and storing is optional, so 
you can create users without managing their passwords.




About the mapping you are suggesting: what is still confusing me is how to 
allow a user to be present in more than one realm and still only allow managers 
of those realms to assign the users to the groups they can control. For user X 
I need that managers of realm /a are able to assign it to groups inside /a and 
managers of /b to assign it to groups inside /b.


Ok, now I got it.
If you assign to USER with, for example, username "manager-a" the role 
"manager-role-application-a" (assigned to realm /a) with entitlements to 
update user or anyobject, you can manage groups of anyobjects in realm 
/a and all its children.


Best regards,
Andrea



Hernani


On 28 Aug 2018, at 15:21, Andrea Patricelli  wrote:

Hi Hernâni,


On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:

Hello

I am  trying to map an organization composed by the same user base that uses 
different applications and have different roles in those applications to Apache 
Syncope. We are only using syncope to provide authorisation to the 
applications, not authentication. Those applications will consume authorisation 
for different members via Syncope REST API.

Syncope has the following realms:
/
/application-a
/application-b
/application-x

- We are using apache syncope to manage membership to groups in different 
applications. Those different applications have their own managers who can 
define groups and memberships under their realms in syncope.
- All members belong to the same organization and are shared by different 
applications. They can be members of different groups in different applications.
- Each application is defined by a realm and managers of those applications 
have roles with entitlements in those realms that allow to define groups. They 
can only define membership in groups in their realms and not in other realms.
- As far as I understand, objects in syncope can only belong to a realm, so it 
is not possible to have them in different realms and have managers able to edit 
memberships only for groups in their realm. To avoid this I created a new 
AnyObject of a new AnyType which maps our members in different realms. For each 
application where our members are, there is an AnyObject in the correspondent 
realms. If member A is in Application A and Application B there will be two 
AnyObjects for it, one in /application-a realm and another one in 
/application-b realm. Managers of those realms can edit AnyObjects in their 
realm without problems.

Why do you not use USER to map members into realms? Why did you create a new 
ANY_OBJECT?

I would like to know if there simpler ways to map this hierarchy in syncope 
specially without the need to replicate the members in different anyobjects 
that are editable in the different realms and I would like to understand if 
there is a better way to organize realms, groups and objects than the one I am 
planning to use.

You can define roles and map the role to a specific realm, for example:

manager-role-application-a -> map it to /application-a realm and assign 
entitlements to update users (only in /application-a realm and children).
manager-role-application-b -> map it to /application-b realm and assign 
entitlements to update users (only in /application-b realm and children).
manager-role-application-x -> map it to /application-x realm and assign 
entitlements to update users (only in /application-x realm and children).

With children I mean inner realms like /application-a/child-a/ or 
application-x/child-x

Bear in mind that realms entitlements are applied from the current realm to the 
inner ones, please refer to documentation at [1].

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.0/reference-guide.html#realms


Thanks




Re: Application hierarchy mapping in Syncope

2018-08-28 Thread Andrea Patricelli

Hi Hernâni,


On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:

Hello

I am  trying to map an organization composed by the same user base that uses 
different applications and have different roles in those applications to Apache 
Syncope. We are only using syncope to provide authorisation to the 
applications, not authentication. Those applications will consume authorisation 
for different members via Syncope REST API.

Syncope has the following realms:
/
/application-a
/application-b
/application-x

- We are using apache syncope to manage membership to groups in different 
applications. Those different applications have their own managers who can 
define groups and memberships under their realms in syncope.
- All members belong to the same organization and are shared by different 
applications. They can be members of different groups in different applications.
- Each application is defined by a realm and managers of those applications 
have roles with entitlements in those realms that allow to define groups. They 
can only define membership in groups in their realms and not in other realms.
- As far as I understand, objects in syncope can only belong to a realm, so it 
is not possible to have them in different realms and have managers able to edit 
memberships only for groups in their realm. To avoid this I created a new 
AnyObject of a new AnyType which maps our members in different realms. For each 
application where our members are, there is an AnyObject in the correspondent 
realms. If member A is in Application A and Application B there will be two 
AnyObjects for it, one in /application-a realm and another one in 
/application-b realm. Managers of those realms can edit AnyObjects in their 
realm without problems.

Why do you not use USER to map members into realms? Why did you create a 
new ANY_OBJECT?


I would like to know if there simpler ways to map this hierarchy in syncope 
specially without the need to replicate the members in different anyobjects 
that are editable in the different realms and I would like to understand if 
there is a better way to organize realms, groups and objects than the one I am 
planning to use.

You can define roles and map the role to a specific realm, for example:

manager-role-application-a -> map it to /application-a realm and assign 
entitlements to update users (only in /application-a realm and children).
manager-role-application-b -> map it to /application-b realm and assign 
entitlements to update users (only in /application-b realm and children).
manager-role-application-x -> map it to /application-x realm and assign 
entitlements to update users (only in /application-x realm and children).


With children I mean inner realms like /application-a/child-a/ or 
application-x/child-x


Bear in mind that realms entitlements are applied from the current realm 
to the inner ones, please refer to documentation at [1].


HTH,
Andrea

[1] https://syncope.apache.org/docs/2.0/reference-guide.html#realms


Thanks


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member
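
The realm scoping discussed in these threads (entitlements apply from a role's realm down to its inner realms, and the console override filters on getFullPath().startsWith(...)), as an added example that is not part of the original messages or of Syncope's own code: a path-segment-aware containment check next to a bare prefix test. The class and method names and the sibling realm /Firma10 are constructed for illustration; Java 16+ is assumed for `record`.

```java
import java.util.List;
import java.util.Set;

// Added illustration, not Syncope code: all names below are hypothetical.
public class RealmScopeCheck {

    /** A role as described in the thread: entitlements that are valid on some realms. */
    record Role(String name, Set<String> entitlements, List<String> realms) {}

    /** Strip one trailing "/" so "/application-a/" and "/application-a" compare equal. */
    static String normalize(String realmPath) {
        return realmPath.length() > 1 && realmPath.endsWith("/")
                ? realmPath.substring(0, realmPath.length() - 1)
                : realmPath;
    }

    /** True when target is the granted realm itself or one of its inner realms. */
    static boolean covers(String grantedRealm, String targetRealm) {
        String granted = normalize(grantedRealm);
        String target = normalize(targetRealm);
        if (granted.equals("/")) {
            return target.startsWith("/"); // the root realm contains every realm
        }
        // Require a path-segment boundary: "/Firma1" must not cover "/Firma10".
        return target.equals(granted) || target.startsWith(granted + "/");
    }

    /** Bare prefix comparison, shown only for contrast with covers(). */
    static boolean naivePrefix(String grantedRealm, String targetRealm) {
        return targetRealm.startsWith(grantedRealm);
    }

    /** Does any of the user's roles grant the entitlement on the target realm? */
    static boolean isAllowed(List<Role> roles, String entitlement, String targetRealm) {
        return roles.stream()
                .filter(role -> role.entitlements().contains(entitlement))
                .flatMap(role -> role.realms().stream())
                .anyMatch(granted -> covers(granted, targetRealm));
    }

    public static void main(String[] args) {
        // Constructed sample data using the realm and role names from the thread.
        Role managerA = new Role("manager-role-application-a",
                Set.of("USER_UPDATE", "GROUP_UPDATE"), List.of("/application-a"));
        Role rootAdmin = new Role("root-admin",
                Set.of("USER_UPDATE"), List.of("/"));

        List<Role> managerRoles = List.of(managerA);
        List<Role> adminRoles = List.of(rootAdmin);

        // Manager of /application-a: own realm and inner realms only.
        System.out.println("manager-a on /application-a          -> "
                + isAllowed(managerRoles, "USER_UPDATE", "/application-a"));
        System.out.println("manager-a on /application-a/child-a/ -> "
                + isAllowed(managerRoles, "USER_UPDATE", "/application-a/child-a/"));
        System.out.println("manager-a on /                       -> "
                + isAllowed(managerRoles, "USER_UPDATE", "/"));
        System.out.println("manager-a on /application-b          -> "
                + isAllowed(managerRoles, "USER_UPDATE", "/application-b"));

        // A role on "/" reaches every realm below it.
        System.out.println("root-admin on /application-b         -> "
                + isAllowed(adminRoles, "USER_UPDATE", "/application-b"));

        // Entitlement not in the role: denied even inside the granted realm.
        System.out.println("manager-a USER_DELETE on own realm   -> "
                + isAllowed(managerRoles, "USER_DELETE", "/application-a"));

        // Sibling realm whose name merely begins with the same characters.
        System.out.println("naivePrefix(/Firma1, /Firma10)       -> "
                + naivePrefix("/Firma1", "/Firma10"));
        System.out.println("covers(/Firma1, /Firma10)            -> "
                + covers("/Firma1", "/Firma10"));
    }
}
```

Compile and run with `javac RealmScopeCheck.java && java RealmScopeCheck`.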



Re: How do export users, groups and membership from syncope to extern DB?

2018-08-13 Thread Andrea Patricelli

Hi,

please add a mapping for the USER password in the (flag the field as 
password attribute).


Moreover assign DBPasswordPropagationActions to the resource used to 
propagate users. Then you should find "password" variable populated in 
the groovy scripts.


Best regards,
Andrea


On 12/08/2018 06:57, d.cheremnov wrote:

Thank you!


Please take a look at [1]. Especially to commented description:
"password: password string, clear text".
N.B. If you want to enable cleartext passwords please flag
clearTextPasswordToScript in connector configuration.

0)
Parameter
password.cipher.algorithm = [BCRYPT]

https://gyazo.com/d25dc0e11c788ad004f8bb2a483b5c02

1)
Connector (scriptedsql):

https://gyazo.com/34ed370b64e9eb21581c32d6c3622357

2)
Resource:

https://gyazo.com/8394ce3f9a4dc7310cd1cfa853d2c013

3)
User provision:

https://gyazo.com/6fd7a2100c5479064e338c1adced4989

4)
Push task:

https://gyazo.com/b2da710a39aad58611942bedd529f2ae

5)
ActivitiCreateScript.groovy:

import groovy.sql.Sql;

// connection, action, log, objectClass, id, attributes and password are not
// declared here: they are variables supplied to the script by the connector
log.info("Entering " + action + " Script. attributes: " + attributes);
def sql = new Sql(connection);
def firstnameAttributes = attributes.get("FIRST_");
def lastnameAttributes = attributes.get("LAST_");
def emailAttributes = attributes.get("EMAIL_");
//def pwdAttributes = attributes.get("__HASHED_PASSWORD__");

switch ( objectClass ) {
case "__ACCOUNT__":
   // parameterized INSERT: values are bound, not concatenated into the SQL text
   sql.execute("INSERT INTO act_id_user (ID_,REV_,FIRST_,LAST_,EMAIL_,PWD_) values (?,?,?,?,?,?)",
 [
   id,
   1,
   firstnameAttributes.isEmpty() ? null : firstnameAttributes.get(0),
   lastnameAttributes.isEmpty() ? null : lastnameAttributes.get(0),
   emailAttributes.isEmpty() ? null : emailAttributes.get(0),
   password
 ])
   break

case "__GROUP__":
   log.info("Create new group...");
   break

default:
   id;
}
return id;

6) Result of push task:

https://gyazo.com/b7c677f7c5f708cdc3f28af7fbe10a91

https://gyazo.com/7bcbf9a34383ffb761a0556881f5fa96

but password and PWD_ = null







Re: How do export users, groups and membership from syncope to extern DB?

2018-08-10 Thread Andrea Patricelli

Hi,

Do you want to propagate users to an external SQL database, right?
Which version of Syncope are you running?


On 10/08/2018 11:52, d.cheremnov wrote:

Hi!

1.
Activiti DataBase:

CREATE TABLE IF NOT EXISTS `act_id_user` (
   `ID_` varchar(64) COLLATE utf8_bin NOT NULL,
   `REV_` int(11) DEFAULT NULL,
   `FIRST_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
   `LAST_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
   `EMAIL_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
   `PWD_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
   `PICTURE_ID_` varchar(64) COLLATE utf8_bin DEFAULT NULL,
   PRIMARY KEY (`ID_`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;

CREATE TABLE IF NOT EXISTS `act_id_group` (
   `ID_` varchar(64) COLLATE utf8_bin NOT NULL,
   `REV_` int(11) DEFAULT NULL,
   `NAME_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
   `TYPE_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
   PRIMARY KEY (`ID_`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;


CREATE TABLE IF NOT EXISTS `act_id_membership` (
   `USER_ID_` varchar(64) COLLATE utf8_bin NOT NULL,
   `GROUP_ID_` varchar(64) COLLATE utf8_bin NOT NULL,
   PRIMARY KEY (`USER_ID_`,`GROUP_ID_`),
   KEY `ACT_FK_MEMB_GROUP` (`GROUP_ID_`),
   CONSTRAINT `ACT_FK_MEMB_GROUP` FOREIGN KEY (`GROUP_ID_`) REFERENCES
`act_id_group` (`ID_`),
   CONSTRAINT `ACT_FK_MEMB_USER` FOREIGN KEY (`USER_ID_`) REFERENCES
`act_id_user` (`ID_`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;

2.
ActivitiUserDBConnector (users, 'table' connector):

https://gyazo.com/e13dda814cf587deb116a4a344faffe1

3. __ACCOUNT__ provision rules (users resource):

https://gyazo.com/387f96a1a4ef597fdb67bc2859d0451e

4.

I added 2 users on Syncope and did a Push:

https://gyazo.com/421bdd80f3089c14d8856c4e4f7f8bfb



Question:

1. How to export 'password' field to `act_id_user` table ?

Please take a look at [1]. Especially to commented description:
"password: password string, clear text".
N.B. If you want to enable cleartext passwords please flag
clearTextPasswordToScript in connector configuration.




2. Exists groups. I can export the groups to `act_id_group` table, use
'scriptedsql' connector?


Yes you can. By properly managing objectClass in Groovy script.



3. How to export an 'user-group' membership to `act_id_membership` table?


You need a custom PropagationActions, something like [2].
In this custom action you have to implement the "before" method where 
you can, for example, create your own connid attribute to pass to groovy 
scripts, say __MEMBERSHIPS__. In __MEMBERSHIPS__ you can pass list of 
the groups of the user and then use this attribute in the groovy script 
(see examples in the code at [1]) in order to populate act_id_membership 
table.





HTH,
Andrea

[1] 
https://github.com/apache/syncope/blob/2_0_X/fit/core-reference/src/test/resources/scriptedsql/CreateScript.groovy
[2] 
https://github.com/apache/syncope/blob/2_0_X/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java





Re: REST connector examples

2018-08-08 Thread Andrea Patricelli

Hi Wyllys,

please check [1]. This playground environment is based on Syncope 
2.1.1-SNAPSHOT. You can find in the Topology page REST connector with 
rest-target-resource.
Moreover to have a reference implementation for groovy scripts used by 
the connector please refer to [2].


HTH,
Andrea

[1] http://syncope-vm.apache.org:9080/syncope-console
[2] 
https://github.com/apache/syncope/tree/2_0_X/fit/core-reference/src/test/resources/rest



On 2018/08/07 21:37:30, Wyllys Ingersoll wrote:
> Are there examples of configuring the REST connector bundle using the
> console UI? I want to configure a simple REST service to receive
> updates when a user is created/deleted/updated but I'm not sure how to
> setup the connector parameters to send the data to my service.
>
> thanks,
> Wyllys Ingersoll
>




Re: Kubernetes (Syncope Cannot talk to Postgres)

2018-08-07 Thread Andrea Patricelli

Hi Craig,


On 07/08/2018 08:30, Francesco Chicchiriccò wrote:

On 07/08/2018 00:03, craig wrote:
I am setting up syncope in Kubernetes.   I will be happy to contribute my
yamls once I get it running as it doesn't seem to be a common setup for
Syncope.


This sounds great, it would be a great addition, maybe to place right after
https://syncope.apache.org/docs/getting-started.html#docker-compose-samples




I am new to Syncope and I am having some issues.

I was able to get the docker-compose examples working just fine but having
connectivity issues when running in K8s.   Without knowing Syncope (or even
postgres) that well I am struggling on where to start.

Issue:   Syncope cannot connect to postgres:5432

20:49:13.640 ERROR
org.flowable.common.engine.impl.AbstractEngineConfiguration - Exception
while initializing Database connection
org.postgresql.util.PSQLException: Connection to postgres:5432 refused.
Check that the hostname and port are correct and that the postmaster is
accepting TCP/IP connections.
[...]


Did you set a password for the user "syncope" like explained at [1]?

Is connectivity on protocol TCP allowed on your postgres instance?
BTW I found something (maybe) useful for you at [2].



Were the Syncope tables (SyncopeUser, for example) created, in the 
database? Were the Flowable (e.g. ACT_*) and Quartz (e.g. QRTZ_*) 
created as well?


Did you setup any connection control on the postgresql container?


Things that I did:

1)  Connect to database directly from postgres container command line "psql -U syncope"
2)  Connect to database from syncope container command line "psql -U syncope -h postgres"


Since this works, I cannot figure out why you get the exception above...


3)  Confirm that the port 5432 is open by running the command "telnet
postgres 5432" and it was open
4)  Confirm that both a database named "syncope" and user named "syncope"
exist in the postgres database
5)  Confirmed the configuration of K8s looks correct.   The port appears to
be up, the replica sets look correct

Any help or guidance on things to look at would be helpful.

Craig




HTH,
Andrea

[1] https://syncope.apache.org/docs/reference-guide.html#postgresql
[2] 
https://blog.bigbinary.com/2016/01/23/configure-postgresql-to-allow-remote-connection.html





Re: Syncope 2.1.0,using maven archetype: Where are default PasswortRules?

2018-07-30 Thread Andrea Patricelli

Hi,

We are improving documentation here [1]. You should login to console UI,
go to Configuration -> Implementations and select PASSWORD_RULE. Then
click on "+" button and add a JAVA implementation; give it a name and
select DefaultPasswordRuleConf for example. Then go to Configuration ->
Policies -> Password and repeat steps that you did, now you should find
the rule that you configured previously based on default one.


Best regards,
Andrea

[1] 
https://syncope.apache.org/docs/reference-guide.html#default-password-rule


On 30/07/2018 15:37, gatherer wrote:

Hi,

short version:
https://syncope.apache.org/docs/reference-guide.html#policies-password
talks about Default Password Rule

"The default password rule (enforced by DefaultPasswordRule and
configurable via DefaultPasswordRuleConf) contains the
following controls:"

I created an new "DefaultPasswordPolicy" under Configuration -> Policies
-> Password.
If I click on my new created policy, I can choose between
"edit/clone/rules/delete". I click rules, then "the plus sign":

Problem:
I cannot create a new rule because the combobox is empty (Only Showing
"Choose One".)

Shouldn't there be some predefined rules?
Like
https://github.com/apache/syncope/blob/syncope-2.1.0/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/DefaultPasswordRule.java

How to define some? How to get some?



Long story:

* Postgresql and tomcat installed.
* jdbc Datasource defined, up, running
* openjdk version "1.8.0_171"
* Apache Tomcat/8.5.14 (Debian)

I used the following mvn:

mvn archetype:generate \
-DarchetypeGroupId=org.apache.syncope \
-DarchetypeArtifactId=syncope-archetype \
-DarchetypeRepository=http://repo1.maven.org/maven2 \
-DarchetypeVersion=2.1.0

Created the following directories

$ sudo mkdir /opt/syncope/bundles
$ sudo mkdir /opt/syncope/log
$ sudo mkdir /opt/syncope/conf

After fixing the "junit version missing in the console pom", I build it
using:

mvn clean verify \
-Dconf.directory=/opt/syncope/conf \
-Dbundles.directory=/opt/syncope/bundles \
 -Dlog.directory=/opt/syncope/log
cp core/target/classes/*properties /opt/syncope/conf
cp console/target/classes/*properties /opt/syncope/conf
cp enduser/target/classes/*properties /opt/syncope/conf
cp enduser/target/classes/customForm.json /opt/syncope/conf

Then deployed the webapps using:

for I in `find .| grep war$`; do cp $I /opt/syncope/tomcat8/webapps/;
done

This blog shows the configuration combobox (using 2.0.9) which is empty
in my version.

http://blog.tirasa.net/configure-syncope-to-check-for-pwned-passwords.html
( http://blog.tirasa.net/gallery/tirasa/blog/hibp_2.png)

Thanks for your help,
gatherer





Re: 'Null' External fields are not updating in syncope during PULL task

2018-07-30 Thread Andrea Patricelli

Hi,

FYI [1] has been solved.

Best regards,
Andrea

[1] https://issues.apache.org/jira/browse/SYNCOPE-1345

On 24/07/2018 13:09, Andrea Patricelli wrote:

Hi,

thanks for all the info provided. I confirm that there is a bug in the 
application.


I opened an issue about this [1].

Best regards,
Andrea

[1] https://issues.apache.org/jira/browse/SYNCOPE-1343


On 24/07/2018 11:42, indhupriya wrote:

Hi Andrea,

I am using db-table connector for connecting to MySQL and 'ad' connector for
active directory connection.
The same issue exists in both cases.

Thanks,
Indhupriya.S




Re: 'Null' External fields are not updating in syncope during PULL task

2018-07-24 Thread Andrea Patricelli

Hi,

thanks for all the info provided. I confirm that there is a bug in the 
application.


I opened an issue about this [1].

Best regards,
Andrea

[1] https://issues.apache.org/jira/browse/SYNCOPE-1343


On 24/07/2018 11:42, indhupriya wrote:

Hi Andrea,

I am using db-table connector for connecting to MySQL and 'ad' connector for
active directory connection.
The same issue exists in both cases.

Thanks,
Indhupriya.S




Re: 'Null' External fields are not updating in syncope during PULL task

2018-07-24 Thread Andrea Patricelli

Ok,

thanks for the info. Which connector are you using? db-scripted or db-table?

Best regards,
Andrea


On 24/07/2018 08:25, indhupriya wrote:

Hi Andrea,

Thanks for the quick turn around.

The syncope version we are using is 2.0.2 and yes, we have confirmed that
the other modified fields (with values) are updated in Syncope and only the
fields which are modified as 'NULL' are not getting updated during PULL task
from external resource.

And also we noted that, if we use PUSH task (after the fields are modified
as Null in syncope) the fields are getting updated to Null in external
resources (say MySQL).

Hence, only during PULL task this issue is happening.

Additionally, this is the configuration existing in both PUSH and PULL task.
<http://syncope-user.1051894.n5.nabble.com/file/t339059/syncope.png>

Thanks in Advance,
Indhupriya






Re: 'Null' External fields are not updating in syncope during PULL task

2018-07-23 Thread Andrea Patricelli

Hi Indhupriya,

which version of Syncope are you running?

Do you confirm that other fields (with values) are correctly updated?

Best regards,
Andrea

On 23/07/2018 15:10, indhupriya wrote:

Hi,

When an existing field is updated as "Null" in external resource such as
"LDAP or MySQL", PULL task is not changing the field as 'NULL' in Syncope
and retains the deleted field content. But, when a field is edited to some
other value, the changed value is updated. Is there a way to update the
"Null" field in Syncope?

For Example:
Let's say MySQL has initial fields: "id:1, email:t...@testmail.com,
number:24"
After Pull task is executed, Syncope has fields: "id:1,
email:t...@testmail.com, number:24"

After that, MySQL fields are changed as: "id:1, email:*NULL*, number:*30*"
When PULL task is executed again (Scheduled run), Syncope has fields:
"id:1, email:*t...@testmail.com*, number:*30*"

i.e, the value of email retains even when the value is changed as Null in
MySQL, whereas the value for the "number" field is updated to '30'.

Thanks in advance,
Indhupriya.S




--
Sent from: http://syncope-user.1051894.n5.nabble.com/


--
Dott. Andrea Patricelli
Tel. +39 3204524292

Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member



Re: Avoid any propagation to external resources during the night

2018-07-23 Thread Andrea Patricelli

Hi Alireza,

Your code unfortunately does not work because it does not really update 
conninstance capabilities.


The fastest way to achieve your goal is to throw an 
IgnoreProvisionException [1] in the if body.


HTH,
Andrea

Best regards,
Andrea

[1] 
https://github.com/apache/syncope/blob/2_0_X/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/pushpull/IgnoreProvisionException.java



On 23/07/2018 15:20, alireza ranjbaran wrote:

Hi dears,

Based on our user management policy nothing should be changed at night
(00:00 ~ 6:00) in the Active Directory.
I tried the code below in PropagationActions to implement that in syncope
but it did not work. Could you please give me any hint?



@Override
    public void before(final PropagationTask task, final ConnectorObject beforeObj) {

        ConnInstance connInstance = task.getResource().getConnector();
        //ConnInstanceTO connInstanceTO = connInstanceDataBinder.getConnInstanceTO(connInstance);

        if (night() && connInstance.getCapabilities().contains(ConnectorCapability.UPDATE)) {
            connInstance.getCapabilities().remove(ConnectorCapability.UPDATE);
        }
        else {
            connInstance.getCapabilities().add(ConnectorCapability.UPDATE);
        }
    }



--
Best Regards,
Alireza Ranjbaran
IT Security Engineer

--
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member
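
The night check behind the reply above, as an added example that is not code from the thread or from Syncope: the 00:00 to 06:00 window is evaluated in an explicit time zone and the single propagation is stopped by throwing, instead of editing the connector's capability set. `FreezeWindow`, `FreezeException`, the `Europe/Rome` zone, the resource name and the sample instants are assumptions; inside a real `PropagationActions.before` the throw would be the `IgnoreProvisionException` referenced at [1].

```java
import java.time.Clock;
import java.time.Instant;
import java.time.LocalTime;
import java.time.ZoneId;

// Added illustration, not code from the thread or from Apache Syncope.
// FreezeWindow and FreezeException are hypothetical names.
final class FreezeWindow {

    /** Stand-in for Syncope's IgnoreProvisionException so this file compiles on its own. */
    static final class FreezeException extends RuntimeException {
        FreezeException(String message) {
            super(message);
        }
    }

    private final LocalTime start; // inclusive
    private final LocalTime end;   // exclusive
    private final ZoneId zone;     // zone the policy is written in, not the JVM default
    private final Clock clock;     // injectable so the check can be exercised with fixed instants

    FreezeWindow(LocalTime start, LocalTime end, ZoneId zone, Clock clock) {
        this.start = start;
        this.end = end;
        this.zone = zone;
        this.clock = clock;
    }

    /** True while the wall-clock time in the policy zone is inside the window. */
    boolean isFrozen() {
        LocalTime now = clock.instant().atZone(zone).toLocalTime();
        if (start.equals(end)) {
            return false; // empty window: never frozen
        }
        if (start.isBefore(end)) {
            // same-day window, e.g. 00:00-06:00
            return !now.isBefore(start) && now.isBefore(end);
        }
        // window that wraps midnight, e.g. 22:00-06:00
        return !now.isBefore(start) || now.isBefore(end);
    }

    /** What the body of before(...) would do: throw for this one propagation while frozen. */
    void rejectIfFrozen(String resource, String operation) {
        if (isFrozen()) {
            throw new FreezeException(operation + " on " + resource
                    + " rejected: change freeze " + start + "-" + end + " " + zone);
        }
    }

    public static void main(String[] args) {
        ZoneId zone = ZoneId.of("Europe/Rome"); // constructed sample zone
        // Constructed sample instants, in UTC, around the edges of the window.
        String[] samples = {
            "2018-07-22T22:30:00Z",
            "2018-07-23T03:59:59Z",
            "2018-07-23T04:00:00Z",
            "2018-07-23T13:20:00Z"
        };
        for (String sample : samples) {
            Clock fixed = Clock.fixed(Instant.parse(sample), ZoneId.of("UTC"));
            FreezeWindow window =
                    new FreezeWindow(LocalTime.MIDNIGHT, LocalTime.of(6, 0), zone, fixed);
            try {
                window.rejectIfFrozen("resource-ad", "UPDATE");
                System.out.println(sample + " -> propagated");
            } catch (FreezeException e) {
                System.out.println(sample + " -> " + e.getMessage());
            }
        }
    }
}
```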



Re: Active Directory Connector - Delete User Not Working

2018-06-22 Thread Andrea Patricelli

Moreover, please flag "Retrieve deleted users" in connector configuration.

Best regards,
Andrea

On 22/06/2018 10:21, Andrea Patricelli wrote:


Hi Sudeesh,

Your configuration seems good.

Please read inline.

Best regards,
Andrea


On 21/06/2018 16:49, Sudeesh Kumar P wrote:


Hi Andrea ,

I have attached the logs below: I have tried in Active directory 2012
& 2016. In both I am facing the same issue.


AD Connector:

{"key":"0d35158b-4747-400b-b515-8b4747100bd3","adminRealm":"/","location":"file:/C:/javasoftwares/syncopeWithActiveDirectory-master/core/target/bundles/","connectorName":"net.tirasa.connid.bundles.ad.ADConnector","bundleName":"net.tirasa.connid.bundles.ad","version":"1.3.4","displayName":"AD_teak","connRequestTimeout":10,"poolConf":null,"conf":[{"schema":{"name":"host","displayName":"Server 
hostname","helpMessage":"Insert 
hostname","type":"java.lang.String","required":true,"order":1,"confidential":false,"defaultValues":[]},"overridable":false,"values":["TESTAD"]},{"schema":{"name":"ssl","displayName":"SSL","helpMessage":"User 
SSL to perform password 
provisioning","type":"boolean","required":false,"order":1,"confidential":false,"defaultValues":[true]},"overridable":false,"values":["false"]},{"schema":{"name":"memberships","displayName":"Memberships","helpMessage":"Specify 
memberships","type":"[Ljava.lang.String;","required":false,"order":1,"confidential":false,"defaultValues":[]},"overridable":false,"values":[]},{"schema":{"name":"retrieveDeletedUser","displayName":"Retrieve 
deleted users","helpMessage":"Specify TRUE to retrieve deleted users 
also. The default is 
\"true\".","type":"boolean","required":false,"order":2,"confidential":false,"defaultValues":[true]},"overridable":false,"values":["false"]},{"schema":{"name":"port","displayName":"Server 
port","helpMessage":"Insert port. The default is 
636.","type":"int","required":false,"order":2,"confidential":false,"defaultValues":[636]},"overridable":false,"values":["389"]},{"schema":{"name":"retrieveDeletedGroup","displayName":"Retrieve 
deleted groups","helpMessage":"Specify TRUE to retrieve deleted 
groups 
also","type":"boolean","required":false,"order":3,"confidential":false,"defaultValues":[true]},"overridable":false,"values":["false"]},{"schema":{"name":"trustAllCerts","displayName":"Trust 
all certs","helpMessage":"Specify TRUE to trust all certs. The 
default is 
\"false\".","type":"boolean","required":false,"order":4,"confidential":false,"defaultValues":[false]},"overridable":false,"values":["true"]},{"schema":{"name":"failover","displayName":"Failover","helpMessage":"Failover 
host:port","type":"[Ljava.lang.String;","required":false,"order":4,"confidential":false,"defaultValues":[]},"overridable":false,"values":[]},{"schema":{"name":"principal","displayName":"Principal","helpMessage":"Insert 
DN of a user with administration 
capabilities","type":"java.lang.String","required":false,"order":5,"confidential":false,"defaultValues":[]},"overridable":false,"values":["CN=Administrator,CN=Users,DC=DELL,DC=COM"]},{"schema":{"name":"membershipsInOr","displayName":"Verify 
memberships in OR","helpMessage":"Specify TRUE if you want to verify 
memberships using OR logical operator. The default is 
\"false\".","type":"bool

Re: Active Directory Connector - Delete User Not Working

2018-06-22 Thread Andrea Patricelli
.String;","required":false,"order":13,"confidential":false,"defaultValues":[]},"overridable":false,"values":["OU=SYNCOPE,DC=DELL,DC=COM"]},{"schema":{"name":"groupMemberReferenceAttribute","displayName":"Group 
members reference attribute ","helpMessage":"Group attribute 
referencing (by DN) the users members of a 
group","type":"java.lang.String","required":false,"order":14,"confidential":false,"defaultValues":["member"]},"overridable":false,"values":["member"]},{"schema":{"name":"groupOwnerReferenceAttribute","displayName":"Group 
owner reference attribute","helpMessage":"Group attribute name 
referencing (by DN) the 
owner","type":"java.lang.String","required":false,"order":15,"confidential":false,"defaultValues":["managedBy"]},"overridable":false,"values":["managedBy"]},{"schema":{"name":"startSyncFromToday","displayName":"Null 
token is the latest","helpMessage":"Reset null token value to the 
latest (sync with null token will not return any result). The default 
is 
\"true\".","type":"boolean","required":false,"order":16,"confidential":false,"defaultValues":[true]},"overridable":false,"values":[true]},{"schema":{"name":"pwdUpdateOnly","displayName":"Permit 
password update only","helpMessage":"Specify TRUE if you want to 
permit password update only: create/delete operation will be denied 
while other attributes update requests will be 
ignored.","type":"boolean","required":true,"order":17,"confidential":false,"defaultValues":[false]},"overridable":false,"values":[false]},{"schema":{"name":"membershipConservativePolicy","displayName":"Conservative 
membership policy","helpMessage":"Conservative managing and assignment 
of groups to user. The groups already assigned will not be 
removed.","type":"boolean","required":false,"order":18,"confidential":false,"defaultValues":[false]},"overridable":false,"values":[false]},{"schema":{"name":"defaultIdAttribute","displayName":"Default 
Uid","helpMessage":"The name of the attribute which is mapped to the 
id attribute in case of object different from account and group. 
Default is 
\"cn\".","type":"java.lang.String","required":false,"order":19,"confidential":false,"defaultValues":["cn"]},"overridable":true,"values":["cn"]},{"schema":{"name":"uidAttribute","displayName":"Uid 
Attribute","helpMessage":"The name of the attribute which is mapped to 
the Uid attribute. Default is 
\"sAMAccountName\".","type":"java.lang.String","required":false,"order":21,"confidential":false,"defaultValues":["sAMAccountName"]},"overridable":true,"values":["cn"]},{"schema":{"name":"gidAttribute","displayName":"Uid 
Attribute for groups","helpMessage":"The name of the attribute which 
is mapped to the Uid attribute for groups. Default is 
\"sAMAccountName\".","type":"java.lang.String","required":false,"order":22,"confidential":false,"defaultValues":["sAMAccountName"]},"overridable":false,"values":["sAMAccountName"]},{"schema":{"name":"objectClassesToSynchronize","displayName":"Object 
classes to synchronize","helpMessage":"Specify object classes to 
identify entry to 
synchronize","type":"[Ljava.lang.String;","required":false,"order":25,"confidential":false,"defaultValues":["user"]},"overridable":false,"values":["user","organizationalUnit"]}],"capabilities":["CREATE","UPDATE","DELETE","SEARCH","SYNC"]}


AD_Resource:

{"key":"AD_users_groups","

Re: Active Directory Connector - Delete User Not Working

2018-06-20 Thread Andrea Patricelli

Hi Sudeesh,


On 20/06/2018 14:37, Sudeesh Kumar P wrote:


Hi,

  I have setup the Apache Syncope project 2.0.5 which was obtained from (https://github.com/Tirasa/syncopeWithActiveDirectory.git 
<http://github.com/Tirasa/syncopeWithActiveDirectory.git>). I have connected my Active directory server through AD connector. I can import user to Apache Syncope through the connector. If I delete a user in Active directory it is not getting removed from Apache Syncope. I can also see that the user is removed from the AD_resource. I used Full_Reconciliation pull task and also enabled delete option in both connector side and resource side.

If I use Incremental option for Pull Task, I can see the user getting imported
to the AD connector resource but the user is not getting created in Apache
Syncope.
Versions tried – 2.0.5,2.0.8,2.0.9
If there is any working project with the above scenario please share it.

This one should work, but sometimes configuration should be tuned in
order to let Syncope work as expected.


Which version of Active Directory are you using?
Do you see any errors in core.log and core-connid.log files?

Please share your connector and resource configuration.
You can get them by running:
curl -X GET "http://syncope-vm.apache.org:9080/syncope/rest/connectors/*my-conn-key*" -H "accept: application/json" -H "X-Syncope-Domain: Master"

and
curl -X GET "http://syncope-vm.apache.org:9080/syncope/rest/resources/*my-resource-key*" -H "accept: application/json" -H "X-Syncope-Domain: Master"


or using swagger extension [1]

Best regards,
Andrea

[1] https://syncope.apache.org/docs/reference-guide.html#swagger

Regards
Sudeesh Kumar





Re: Syncope 'Task' table is very large / Too big. How to reduce it?

2018-06-12 Thread Andrea Patricelli

Hi indhupriya,

In order to prevent uncontrolled "Task" size increment you should 
properly set the trace level of the resource, for propagation and pull 
operations.


You can do this in console by editing the resource (click on resource
and then on "Edit resource") and moving trace level from ALL to another
value among:

- NONE: no tasks are stored.
- SUMMARY: only a small recap of the whole execution is stored for each 
task.

- FAILURES: only failed tasks are stored.

You can also do this by updating resource information through Syncope 
endpoint:


http://[host]:[port]/syncope/rest/resources

Moreover also notification tasks have a specific trace level and 
contribute to fill "Task" table. You can setup trace level also for them.


In order to solve your current problems you should clean your "Task"
table; the drawback is that you'll lose information about
propagation/pull tasks run on the resource.


HTH,
Andrea

On 12/06/2018 10:58, indhupriya wrote:

Hi,

We are facing connection slowness in syncope 2.0.2 version and sometimes we
are not even able to log into syncope because of it.
When we did further analysis, we found that the Task.idb file in MySQL
Database is too big and when we tried to optimize the table, we in-turn
found that the size of "Task" table is too large too.

Could some one help us on a possible solution to resolve the issue and how
to prevent it from future occurrence?

Thanks in Advance,
Indhu




Re: Provisioning Realms

2018-05-03 Thread Andrea Patricelli

Hi Martin,

first of all I suggest to refer to this blog post [1] to have a
reference on how to configure (also) mapping for realm provisioning.



On 03/05/2018 12:14, Martin van Es wrote:

Hi,

This is related to my earlier question about creating Realms based on
dynamic VO's (organized as o= entities in LDAP).

I'm trying to get FULL RECONCILIATION working, which succeeds for the first
time, but results in unique "u_realm_name" constraint violations on second
attempt, even though I have set matching rule to ignore. So, it seems
syncope has no way of understanding what realms are already provisioned and
this is intended as a one-time provision action?

Not at all.


The setup uses the __ACCOUNT__ objectclass, because that's the only way I
got the search code to apply my object filter (I don't want objects of
objectClass=dcObject). Mapping to organization only doesn't apply this
filter.

In the mapping, I assign internal 'name' to  external 'o' (Remote Key,
purpose: <-) and use Object link 'o='+name+',dc=scz,dc=vnet'.

I set the resource Account objectClass to organization and LDAP Filter for
Retrieving Accounts to (!(objectClass=dcObject)). I can see this working
correctly when I explore the resource.

First time pull results in these successful actions:
Realms [created/failures]: 3/0 [updated/failures]: 0/0 [deleted/failures]:
0/0 [no operation/ignored]: 0/0

Realms created in the root realm:
CREATE SUCCESS (key/name): 3a3370df-3aa2-4787-b370-df3aa2278786///Foobar
CREATE SUCCESS (key/name): 38d90785-ab9c-4fc8-9907-85ab9c2fc8e4///Foobar2
CREATE SUCCESS (key/name): b3c86117-400b-457d-8861-17400bf57d5d///Foobar3

Please check if realm path is correctly created on Syncope.


But all successive attempts result in these exceptions in the
core-connid.log (abbreviated for readability):

org.apache.openjpa.persistence.EntityExistsException: The transaction has
been rolled back.  See the nested exceptions for details on the errors that
occurred.

Caused by: org.apache.openjpa.persistence.EntityExistsException: ERROR:
duplicate key value violates unique constraint "u_realm_name"
   Detail: Key (name, parent_id)=(Foobar,
ea696a4f-e77a-4ef1-be67-8f8093bc8686) already exists. {prepstmnt 220401755
INSERT INTO Realm (id, name, ACCOUNTPOLICY_ID, PARENT_ID,
PASSWORDPOLICY_ID) VALUES (?, ?, ?, ?, ?)} [code=0, state=23505]

While pulling realms you need to correctly manage the realm matching,
please refer to the blog post to correctly configure realms pull
(§Advanced: Pull Organizational Units as Syncope Realms).

If I set matching policy to update, this should never result in an INSERT,
so it's clear there is no match and the provisioner tries to "provision".

Best regards,
Martin

HTH,
Andrea

[1] http://blog.tirasa.net/syncope-basics-manage-active-directory.html




Re: How share spring bean data about connector in high available environment?

2018-04-02 Thread Andrea Patricelli

Hi Elena,

What do you exactly mean  with "in memory"?
If I correctly got your observation I can suggest that: Syncope, indeed, 
saves relevant data on database and does not maintain them in memory.
You should configure properly your Syncope cluster in order to avoid 
such problems, especially jpa persistence layer through openjpa remote 
commit provider.

Which version are you using?
If you're on 2.0, please refer to [1].

HTH,
Andrea

[1] https://syncope.apache.org/docs/reference-guide.html#high-availability


On 02/04/2018 04:03, Elena Hong wrote:


How can each syncope servers in high available environment share 
connector which saved as spring bean at inmemory?


* My environment.

I set high available with two syncope servers called A, B and nginx.

* My problem

1. I call connector update api to nginx.

2. nginx call syncope server A, and update connector 'new' data in DB 
and spring bean.


3. I call connector read api to nginx.

4. nginx call syncope server B, then B returned 'old' data at spring bean.

How can I solve it..?
give me a tip please..





Re: How to make sql queries on a authentication groovy script

2018-02-28 Thread Andrea Patricelli

Ok now I got.

You do not need to read Syncope mapping, or anything by Syncope, but 
options and objectClass.
You only have to return the value of the email attribute read from the 
REST WS response. The name of the external attribute you should already 
know, it is static, because is the one used in the mapping.


Best regards,
Andrea


On 28/02/2018 13:21, HugoCerdeira wrote:

Thanks once again for the quick reply,

Setting the mapping as bidirectional, did not work.

Using the command "this.binding.variables.each {k,v -> map[k]=v}"
on my groovy script, to check what it actually has I get the following map:

[password:authPassword,
log:org.identityconnectors.common.logging.Log@2d9ed949,
objectClass:__ACCOUNT__, options:[:],
client:org.apache.cxf.jaxrs.client.WebClient@2adc36e6, action:AUTHENTICATE,
username:authUsername]

It's like the mapping is being ignored.

Cheers,
Hugo Cerdeira.




Re: How to make sql queries on a authentication groovy script

2018-02-28 Thread Andrea Patricelli

On 28/02/2018 13:08, HugoCerdeira wrote:

Hi,
Thanks for your quick answers,

After mapping the email on the resource, I can't access it on the
groovyscript.

This is my mapping:
<http://syncope-user.1051894.n5.nabble.com/file/t338967/Screen_Shot_2018-02-28_at_12.png>

If I use the external_email on the groovyscript, my script just fails to
execute.
Any idea on what's going on?

Please try to set the mapping as bidirectional: double arrow icon in 
mapping tab.


Cheers,
Hugo Cerdeira.


Best regards,
Andrea




Re: How to make sql queries on a authentication groovy script

2018-02-28 Thread Andrea Patricelli


On 28/02/2018 11:31, HugoCerdeira wrote:

Hi,

Well that helps, but what if I need to get the user email in order to make
the external authentication work?
It seems like I can't access the email, even if I map it on the resource.

Use email as remote key and add mapping on Syncope: email -> 
external_email. In groovy script you just need to return external_email 
value and add the previous mapping to Syncope.


Thanks for your help,
Hugo Cerdeira.

Best regards,
Andrea





Re: How to make sql queries on a authentication groovy script

2018-02-28 Thread Andrea Patricelli

Good morning,


On 27/02/2018 17:59, HugoCerdeira wrote:

Hi,

I'm making an authentication groovy script my goal is the following flow:

1. Script makes a request to a service sending the user and password.
2. If the request response is successful query the syncope db for the user
id, using the username.
3. Return the user id.

The problem is, since the resource is configured as a REST resource, how can
I execute SQL queries from the script? Is it possible to do that without
having to hardcode the SQL connection config into my groovy script?

You do not need to query the Syncope database to look for the id on Syncope, 
because you only need to return the value of the attribute that, on 
Syncope, is mapped as remote key. I mean: if your mapping for remote key 
looks like "username -> idattribute" (syncope -> REST resource) you only 
need to return the value of idattribute on the REST resource. Syncope will 
take care of looking up (on the REST resource) whether the id is correct by 
using the mapping.


P.S. If you need to look for a user on Syncope, always prefer the REST APIs 
[1] to a db client ;)


Thanks,
Hugo Cerdeira.


Best regards,
Andrea

[1] https://syncope.apache.org/docs/reference-guide.html#rest




Re: Pass-throught authentication

2018-02-27 Thread Andrea Patricelli
erInternal(FilterChainProxy.java:214)

org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)

org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)

org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)

org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)/


From the example on git here
<https://github.com/apache/syncope/blob/master/fit/core-reference/src/test/resources/rest/AuthenticateScript.groovy>,
I concluded that in order for the script to succeed in authenticating the user it
must return a valid user id, so my script (for testing purposes) literally
returns an id from a user:

return "random id";

My configs


Resource config

<http://syncope-user.1051894.n5.nabble.com/file/t338967/1.png>
<http://syncope-user.1051894.n5.nabble.com/file/t338967/2.png>
<http://syncope-user.1051894.n5.nabble.com/file/t338967/3.png>
<http://syncope-user.1051894.n5.nabble.com/file/t338967/4.png>

Policy

<http://syncope-user.1051894.n5.nabble.com/file/t338967/pol.png>


Any help is greatly appreciated, thanks,
Hugo Cerdeira.







Re: Syncope Installation problem

2018-02-23 Thread Andrea Patricelli

Hi Jayamal,

you may have some errors while starting Syncope standalone.

Do you see some errors in log files? You can find them in 
apache-tomcat*/logs directory and should check especially core.log and 
catalina.out.


Best regards,
Andrea


On 23/02/2018 08:07, Jayamal Jayamaha wrote:

hey

when I try to connect using above username and password, I got 
following error. Any idea about this. Any help would be appreciated


Login failed: java.net.ConnectException: ConnectException invoking 
http://localhost:9080/syncope/rest/platform: Connection refused: connect


On Thu, Feb 22, 2018 at 1:35 PM, Francesco Chicchiriccò 
<ilgro...@apache.org> wrote:


On 22/02/2018 06:16, Jayamal Jayamaha wrote:

Hey
I have successfully installed the standalone version and now I
want the user name and password to log to the end-user/app. can I
know what is the user name and password or should I create a new
user account?


Short answer: admin / password

Long answer: keep reading the getting started guide:


https://ci.apache.org/projects/syncope/master/getting-started.html#paths-and-components


That's everything you've got now.

Regards.


On Wed, Feb 21, 2018 at 5:42 PM, Francesco Chicchiriccò
<ilgro...@apache.org> wrote:

On 21/02/2018 06:20, Jayamal Jayamaha wrote:

hey

I installed Syncope on my machine using the GUI installer,
but at the last moment it gave me some errors. I have attached
a screenshot of the log. Do you have any idea how to
solve this? Any help would be appreciated.


Hi,
did you follow all the steps from


https://ci.apache.org/projects/syncope/master/getting-started.html#gui-installer


? In particular, have you correctly set up
$CATALINA_HOME/conf/tomcat-users.xml?

Anyway, I would suggest to go with standalone, as reported in


https://issues.apache.org/jira/browse/SYNCOPE-1220?focusedCommentId=16369813=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16369813


HTH
Regards.

-- 
Francesco Chicchiriccò


Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/






Travel Assistance applications open

2018-02-14 Thread Andrea Patricelli

Hi all,

I'm pleased to forward to you this message from Apache TAC.

-


The Travel Assistance Committee (TAC) are pleased to announce that 
travel assistance applications for ApacheCon NA 2018 are now open!

We will be supporting ApacheCon NA Montreal, Canada on 24th - 29th 
September 2018.

TAC exists to help those that would like to attend ApacheCon events, but 
are unable to do so for financial reasons. For more info on this year's 
applications and qualifying criteria, please visit the TAC website at 
<http://www.apache.org/travel/>. Applications are now open and will 
close 1st May.

Important: Applications close on May 1st, 2018.

Applicants have until the closing date above to submit their 
applications (which should contain as much supporting material as 
required to efficiently and accurately process their request), this will 
enable TAC to announce successful awards shortly afterwards.

As usual, TAC expects to deal with a range of applications from a diverse 
range of backgrounds. We therefore encourage (as always) anyone thinking 
about sending in an application to do so ASAP.

We look forward to greeting many of you in Montreal.

Kind Regards,
Gavin - (On behalf of the Travel Assistance Committee)





Re: In-depth REST documentation

2018-02-09 Thread Andrea Patricelli
I think that swagger is the best choice to find out the correct JSON 
request body.


For example, to make user self operations, use [1]. Click on your 
preferred operation (UserSelf) and then click on the top right "Try it out" 
button. You'll find some sample well-formed JSON values. You should 
send the JSON suggested for each request.


Best regards,
Andrea

[1] http://syncope-vm.apache.org:9080/syncope/swagger/


On 09/02/2018 15:31, PeeDub wrote:

I am aware of those resources.

Of note is that documentation:
- does not describe what fields are required and which are optional
- does not mention required fields such as "@class"
- does not list values for certain constrained fields (such as "type")

I am guessing that this list is my best hope for such questions?




Re: In-depth REST documentation

2018-02-09 Thread Andrea Patricelli

Hi,

please take a look at [1] and especially to swagger extension [2].

You can also be interested in Syncope playground environment at [3] and [4].

HTH,
Andrea

[1] https://syncope.apache.org/docs/index.html
[2] https://syncope.apache.org/docs/reference-guide.html#swagger
[3] http://syncope-vm.apache.org:9080/syncope-console
[4] http://syncope-vm.apache.org:9080/syncope/swagger/


On 08/02/2018 21:06, PeeDub wrote:

Hello,

I wonder if there is some in-depth documentation for using the REST API for
Syncope somewhere. It took me forever to realize that I needed to add an
"@class" attribute to my JSON for self registration, and that it needed to
have the value "org.apache.syncope.common.lib.to.UserTO". Is there somewhere
where this kind of information is captured?





Re: UPDATING USERS AND GROUPS

2018-01-19 Thread Andrea Patricelli

Hi Jim,

sorry for the late reply.


On 01/17/18 02:17, Jim wrote:

Hi Andrea,

Already tried fresh installation and re-testing but still having the same
results.
It's ok when using API calls and with 2.0.7-SNAPSHOT. Since it's ok with API
calls, we can close this thread, but hoping you'll fix this for future versions.

Btw, have you tried installing a fresh Apache Syncope 2.0.7 using GUI
installer and reproduce my problem? Just for confirmation purposes or maybe
I am the only one who encountered this problem :)


Thanks for reporting, I'm not excluding that there's a problem. Thanks 
for reporting, I'm going to try a fresh installation and let you know here.


Have a nice day,
Andrea


Thank you!




Re: UPDATING USERS AND GROUPS

2018-01-16 Thread Andrea Patricelli

Hi Jim,

could you try to clean Syncope database and re-test with a fresh 
installation?
Or at least could you share some more info about your environment and 
syncope logs like core.log, etc.?


Best regards,
Andrea


On 16/01/2018 04:10, Jim wrote:

Hi Andrea,

Here is how I reproduce the problem and the provided solution:

Note: happens only before 5mins of execution(eg.pulling,pushing, created and
updating)

1st situation(pulled/pushed users):
1. Successfully pulled/pushed users
2. Clicked on the desired user
3. Clicked edit
4. Edited desired information
5. Clicked Finish
6. Error appears

2nd situation(newly created user):
1.Clicked newly created user
2.Clicked edit
3.Edited desired information
4. Clicked Finish
5. Error appears

3rd situation(newly updated user):
1.Clicked newly updated user
2.Clicked edit
3.Edited desired information
4. Clicked Finish
5. Error appears

Applying solution provided:
1. Clicked newly updated/created/pulled/pushed user
2. Clicked edit
3. Edited desired information
4. Clicked Finish
5. Error appears
6. Closed window
7. Re-open window
8. Clicked Finish
9. Error still appears

Please correct me if I'm doing it wrong.
Thanks!




Re: UPDATING USERS AND GROUPS

2018-01-15 Thread Andrea Patricelli

Hi Jim,

This error is due to the fact that you are updating an "old" entity, 
this means that someone concurrently updated (and saved) the same 
entity, while you were updating it. This is a "controlled" exception to 
avoid clash of updates on the same object. The control is done on the 
ETag value assigned to User objects.
If you close and re-open the edit window you shouldn't get this 
exception anymore.


Best regards,
Andrea


On 13/01/2018 04:23, Jim wrote:

Thank you for the quick reply!

What I mean is after updating and upon reupdating the said user or group
before 5mins I get the error java.util.concurrent.ExecutionException:
org.apache.syncope.common.lib.SyncopeClientException: ConcurrentModification
[Mismatching ETag value]. Please see [1] for the screenshot of the error.

[1] https://pasteboard.co/H2FQCKk.png

Thanks!

Regards,
Jim

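The ETag control described in the message above, as an added example that is not part of the original thread and is not Syncope code: an in-memory model of two editors saving the same user. The class and function names, the sample user and the counter-based ETag are assumptions made for the illustration.

```python
import itertools


class PreconditionFailed(Exception):
    """The ETag sent with an update no longer matches the stored entity."""


class UserStore:
    """In-memory stand-in for a server that guards user updates with an ETag."""

    def __init__(self):
        self._users = {}                      # key -> (etag, attributes)
        self._versions = itertools.count(1)   # assumption: ETag is a version counter

    def _next_etag(self):
        return '"v%d"' % next(self._versions)

    def create(self, key, attrs):
        self._users[key] = (self._next_etag(), dict(attrs))
        return self._users[key][0]

    def read(self, key):
        etag, attrs = self._users[key]
        return etag, dict(attrs)              # copy: callers edit their own snapshot

    def update(self, key, changes, if_match):
        """Apply `changes` only if the caller still holds the current ETag."""
        current, attrs = self._users[key]
        if if_match != current:
            raise PreconditionFailed(
                "ConcurrentModification [Mismatching ETag value]: "
                "sent %s, current %s" % (if_match, current))
        self._users[key] = (self._next_etag(), {**attrs, **changes})
        return self._users[key][0]


def save(store, key, changes, etag, reload_on_conflict=False):
    """Save an edit form. Returns (new_etag, conflicts_seen).

    With reload_on_conflict the stale form is discarded, the entity is read
    again (the "close and re-open the edit window" step) and the same field
    changes are submitted once more against the fresh ETag.
    """
    conflicts = 0
    while True:
        try:
            return store.update(key, changes, if_match=etag), conflicts
        except PreconditionFailed:
            conflicts += 1
            if not reload_on_conflict or conflicts > 1:
                raise
            etag, _ = store.read(key)


def two_editors_scenario():
    """Constructed scenario: two admins open the same user, then both save."""
    store = UserStore()
    store.create("jim", {"firstname": "Jim", "email": "jim@example.org"})

    etag_a, _ = store.read("jim")             # editor A opens the form
    etag_b, _ = store.read("jim")             # editor B opens the same version

    save(store, "jim", {"firstname": "James"}, etag_a)   # A saves first

    try:                                      # B saves with the stale ETag
        save(store, "jim", {"email": "j@example.org"}, etag_b)
        stale_rejected = False
    except PreconditionFailed:
        stale_rejected = True

    # B re-opens the form and saves again: accepted, and A's change survives.
    _, conflicts = save(store, "jim", {"email": "j@example.org"}, etag_b,
                        reload_on_conflict=True)
    final_etag, final_attrs = store.read("jim")
    return {"stale_rejected": stale_rejected, "conflicts": conflicts,
            "final": final_attrs, "etag": final_etag}
```

Without the ETag comparison, B's save would be applied to a snapshot taken before A's change, which is the lost-update case the check exists to prevent.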



Re: UPDATING USERS AND GROUPS

2018-01-12 Thread Andrea Patricelli

Hi Jim,

I'm not sure that your issue is related to the GUI installer.

What kind of delay are you experiencing when you do an update with 2.0.7 
installer? Do you see admin console stuck?


Could you share logs of your syncope installation?

Best regards,
Andrea


On 12/01/2018 13:36, Jim wrote:

Good day,

I have syncope 2.0.7 installed in my system with the use of GUI installer.
My issue is that after I update the details of a user or group, I need to
wait 5 minutes in order to update it again. I tried 2.0.7 SNAPSHOT and it can
update continuously. Is this how it behaves in GUI installer? Or maybe you can
add it in the road map for 2.0.8 GUI installer?

Thanks!

Regards,
Jim




Re: Syncope API - /users/{key} PATCH error

2018-01-09 Thread Andrea Patricelli

Hi Jim,

I guess that you are doing an update of a User through a UserPatch, am 
I right?


Your JSON is wrong; there is an error in your JSON definition: 
Unrecognized field "schema"


"schema" and "values" should be inside "attrTO", since they are attributes 
of the AttrTO entity.


Here is a correct example:

{
    "plainAttrs": [
        {
            "attrTO": {
                "schema": "firstname",
                "schemaInfo": {
                    "anyTypeClass": "BaseUser",
                    "@class": "org.apache.syncope.common.lib.to.PlainSchemaTO",
                    "key": "firstname"
                },
                "values": [
                    "myname"
                ]
            },
            "operation": "ADD_REPLACE"
        }
    ],
    "key": "b58456e3-8cb7-4183-8456-e38cb73183a4"
}

Please use also swagger application at [1] to play with Syncope REST 
services.


HTH,
Andrea

[1] http://syncope-vm.apache.org:9080/syncope/swagger/

On 09/01/2018 11:40, Jim wrote:

Good day,

I would like to ask about the error i encountered when I tried to call
http://localhost:8080/syncope/rest/users/b58456e3-8cb7-4183-8456-e38cb73183a4

This is my sample JSON BODY:


{
    "plainAttrs": [
        {
            "schema": "firstname",
            "attrTO": {
                "schemaInfo": {
                    "anyTypeClass": "BaseUser",
                    "@class": "org.apache.syncope.common.lib.to.PlainSchemaTO",
                    "key": "firstname"
                }
            },
            "values": [
                "myname"
            ],
            "operation": "ADD_REPLACE"
        }
    ],
    "key": "b58456e3-8cb7-4183-8456-e38cb73183a4"
}


ERROR:


http://syncope.apache.org/2.0;>UnrecognizedPropertyException:
Unrecognized field "schema" (class
org.apache.syncope.common.lib.patch.AttrPatch), not marked as ignorable (2
known properties: "attrTO", "operation"])
  at [Source: (org.apache.cxf.transport.http.AbstractHTTPDestination$1);
line: 4, column: 14] (through reference chain:
org.apache.syncope.common.lib.patch.UserPatch["plainAttrs"]-java.util.HashSet[0]-org.apache.syncope.common.lib.patch.AttrPatch["schema"])500Unknown

Hope you can help me!
Thank you!

Regards,
Jim


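A pre-flight check for the request body discussed in this thread, as an added example that is not part of the original messages and is not Syncope code. The table of known fields is an assumption limited to what the thread shows (the two AttrPatch properties named in the error, and the fields in the corrected example), as is treating "schema" and "values" as required inside attrTO; the two sample bodies are copied from the messages above.

```python
import json

# Known properties per object, taken only from this thread. The real Syncope
# classes declare more fields; this table is an assumption for the example.
KNOWN = {
    "UserPatch": {"key", "plainAttrs"},
    "AttrPatch": {"attrTO", "operation"},
    "AttrTO": {"schema", "schemaInfo", "values"},
}


def _unknown(obj, kind, path):
    """Return one finding per field that `kind` does not declare."""
    findings = []
    for field in obj:
        if field not in KNOWN[kind]:
            hint = ""
            if kind == "AttrPatch" and field in KNOWN["AttrTO"]:
                hint = " (belongs inside attrTO)"
            findings.append(
                '%s: unrecognized field "%s" for %s%s' % (path, field, kind, hint))
    return findings


def check_user_patch(body):
    """Validate a UserPatch JSON string; return a list of findings (empty = OK)."""
    try:
        patch = json.loads(body)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s at line %d" % (exc.msg, exc.lineno)]
    if not isinstance(patch, dict):
        return ["top level must be a JSON object"]
    findings = _unknown(patch, "UserPatch", "$")
    plain = patch.get("plainAttrs", [])
    if not isinstance(plain, list):
        return findings + ["$.plainAttrs: must be an array"]
    for i, attr_patch in enumerate(plain):
        path = "$.plainAttrs[%d]" % i
        if not isinstance(attr_patch, dict):
            findings.append("%s: must be an object" % path)
            continue
        findings += _unknown(attr_patch, "AttrPatch", path)
        attr_to = attr_patch.get("attrTO")
        if not isinstance(attr_to, dict):
            findings.append("%s.attrTO: missing or not an object" % path)
            continue
        findings += _unknown(attr_to, "AttrTO", path + ".attrTO")
        for required in ("schema", "values"):
            if required not in attr_to:
                findings.append('%s.attrTO: missing "%s"' % (path, required))
    return findings


# Body from the question: "schema" and "values" sit beside attrTO.
REJECTED_BODY = """
{"plainAttrs": [{"schema": "firstname",
                 "attrTO": {"schemaInfo": {
                     "anyTypeClass": "BaseUser",
                     "@class": "org.apache.syncope.common.lib.to.PlainSchemaTO",
                     "key": "firstname"}},
                 "values": ["myname"],
                 "operation": "ADD_REPLACE"}],
 "key": "b58456e3-8cb7-4183-8456-e38cb73183a4"}
"""

# Body from the reply: both fields moved inside attrTO.
ACCEPTED_BODY = """
{"plainAttrs": [{"attrTO": {"schema": "firstname",
                            "schemaInfo": {
                                "anyTypeClass": "BaseUser",
                                "@class": "org.apache.syncope.common.lib.to.PlainSchemaTO",
                                "key": "firstname"},
                            "values": ["myname"]},
                 "operation": "ADD_REPLACE"}],
 "key": "b58456e3-8cb7-4183-8456-e38cb73183a4"}
"""

if __name__ == "__main__":
    for finding in check_user_patch(REJECTED_BODY):
        print(finding)
```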



Re: Can I stop a task during it is running?

2017-12-13 Thread Andrea Patricelli
Hi Elena,

Tasks control panel is located in the admin console under "Control" tab of the 
Dashboard page, i.e. the page that you see just after login.

In the control page you can see all jobs that are related to scheduled or 
running tasks. If a job is running admin console shows a reload spinner moving 
and a stop button.

Hth,
Andrea


On 14 Dec 2017, 02:15, at 02:15, Elena Hong wrote:
>Hello.
>
>I wonder that stop a task.
>
>Can I stop a task during it is running?
>I found syncope Reference docs and API docs, I didn't find it.
>Even if I delete task during task is running, It doesn't stop.
>
>Give me a answer please.
>
>Thank you!


Re: Pull users from LDAP

2017-07-31 Thread Andrea Patricelli

Re: Using Syncope as authentication point for other applications like graylog,grafana

2017-07-26 Thread Andrea Patricelli

Hi sumankrishnaprasad,

At the moment Syncope cannot be used as authentication provider.
Though in its roadmap are scheduled some improvements to let Syncope act 
as OAuth or SAML provider, please check [1].


You should evaluate projects like CAS [2].

HTH,
Andrea

[1] https://issues.apache.org/jira/projects/SYNCOPE/versions/12334366
[2] https://www.apereo.org/projects/cas

On 26/07/2017 09:51, sumankrishnaprasad wrote:

Hi
We are using graylog for consolidating various logs and grafana for
monitoring various nodes. We want to authenticate users logging to grafana
and graylog to be authenticated through syncope configured with our ldap. I
was able to configure syncope with our ldap. can you provide me some
direction or some example configuration how I can use syncope as
authentication provider for other applications such as graylog and grafana.






Re: H2 Database

2017-07-26 Thread Andrea Patricelli

Hi,


On 26/07/2017 12:32, Dino Mifsud wrote:
Hi Yes...I solved the issue it now starts well. Apparently it was 
caused by jdbc pool setting in Tomcat which I had set up following the 
steps here:


https://syncope.apache.org/docs/reference-guide.html#apache-tomcat-8-and-8-5

are these settings not needed for Tomcat?


Yes those settings are needed.

Best regards,
Andrea


On 26 Jul 2017, at 12:15 PM, Andrea Patricelli 
<andreapatrice...@apache.org> wrote:


Have you created database syncope with credentials syncope/syncope?

And, moreover, have you carefully followed DBMS configuration guide 
at [1]?
Be careful while editing provisioning.properties and 
Master.properties, you have only to update some lines, not all the file.


[1] https://syncope.apache.org/docs/reference-guide.html#postgresql


On 26/07/2017 12:10, Dino Mifsud wrote:
No I missed that thanks. It seems to have solved the issue. The 
database tables now seem to be created in postgres however the 
application still fails to start. The error in the log folder is this :


12:03:49.617 INFO 
 org.apache.syncope.core.provisioning.java.ConnectorManager - Done 
loading 0 connectors
12:03:51.889 ERROR 
org.apache.syncope.core.provisioning.api.job.JobManager - Could not 
remove job taskJob89de5014-e3f5-4462-84d8-d97575740baf
org.quartz.impl.jdbcjobstore.LockException: Failure obtaining db row 
lock: ERROR: current transaction is aborted, commands ignored until 
end of transaction block {prepstmnt 583897870 SELECT * FROM 
QRTZ_LOCKS WHERE SCHED_NAME = 'scheduler' AND LOCK_NAME = ? FOR 
UPDATE} [code=0, state=25P02]
at 
org.quartz.impl.jdbcjobstore.StdRowLockSemaphore.executeSQL(StdRowLockSemaphore.java:157) 
~[quartz-2.3.0.jar:?]
at 
org.quartz.impl.jdbcjobstore.DBSemaphore.obtainLock(DBSemaphore.java:113) 
~[quartz-2.3.0.jar:?]
at 
org.quartz.impl.jdbcjobstore.JobStoreCMT.executeInLock(JobStoreCMT.java:238) 
~[quartz-2.3.0.jar:?]
at 
org.quartz.impl.jdbcjobstore.JobStoreSupport.removeTrigger(JobStoreSupport.java:1428) 
~[quartz-2.3.0.jar:?]
at 
org.quartz.core.QuartzScheduler.unscheduleJob(QuartzScheduler.java:1059) 
~[quartz-2.3.0.jar:?]
at org.quartz.impl.StdScheduler.unscheduleJob(StdScheduler.java:311) 
~[quartz-2.3.0.jar:?]
at 
org.apache.syncope.core.provisioning.java.job.JobManagerImpl.unregisterJob(JobManagerImpl.java:262) 
~[syncope-core-provisioning-java-2.0.4.jar:2.0.4]
at 
org.apache.syncope.core.provisioning.java.job.JobManagerImpl.registerJob(JobManagerImpl.java:157) 
~[syncope-core-provisioning-java-2.0.4.jar:2.0.4]
at 
org.apache.syncope.core.provisioning.java.job.JobManagerImpl.register(JobManagerImpl.java:237) 
~[syncope-core-provisioning-java-2.0.4.jar:2.0.4]
at 
org.apache.syncope.core.provisioning.java.job.JobManagerImpl$3.exec(JobManagerImpl.java:334) 
~[syncope-core-provisioning-java-2.0.4.jar:2.0.4]
at 
org.apache.syncope.core.provisioning.java.job.JobManagerImpl$3.exec(JobManagerImpl.java:324) 
~[syncope-core-provisioning-java-2.0.4.jar:2.0.4]
at 
org.apache.syncope.core.spring.security.AuthContextUtils.execWithAuthContext(AuthContextUtils.java:136) 
~[syncope-core-spring-2.0.4.jar:2.0.4]
at 
org.apache.syncope.core.provisioning.java.job.JobManagerImpl.load(JobManagerImpl.java:324) 
~[syncope-core-provisioning-java-2.0.4.jar:2.0.4]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
~[?:1.8.0_91]
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
~[?:1.8.0_91]
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
~[?:1.8.0_91]

at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_91]
at 
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333) 
~[spring-aop-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190) 
~[spring-aop-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) 
~[spring-aop-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at 
org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99) 
~[spring-tx-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at 
org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282) 
~[spring-tx-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at 
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) 
~[spring-tx-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at 
org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:64) 
~[syncope-core-persistence-jpa-2.0.4.jar:2.0.4]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) 
~[spring-aop-4.3.9.RELEASE.jar:4

Re: H2 Database

2017-07-26 Thread Andrea Patricelli

Hi Dino,

are you generating the project from archetype like described at [1] or 
are you using another evaluation method?


Supposing that you are using the archetype you can refer to [2] and [3] 
in order to setup PostreSQL DBMS.


[1] https://syncope.apache.org/docs/getting-started.html#create-project
[2] 
https://syncope.apache.org/docs/reference-guide.html#system-administration

[3] https://syncope.apache.org/docs/reference-guide.html#postgresql

On 25/07/2017 19:12, Dino Mifsud wrote:

I would like to use a postgres DB instead of the H2 database. I did the changes 
in Master.properties file as shown but still it seems it is using the H2 
database. What could be the problem please?


Thanks





Re: AW: AW: AW: Configuration of LDAP Identity Store

2017-07-25 Thread Andrea Patricelli

Hi Martin,


On 25/07/2017 14:12, Böhmer, Martin wrote:


Hi Andrea,

Your proposed solutions are greatly appreciated. Here are my comments:

1. I created a JIRA account to file an improvement request. 
Unfortunately, I seem to lack the right to create an improvement for 
the “LDAP bundle” component. The only components I can create issues 
for are COMMONS, REST & OFFICE365. Am I doing something wrong?



No. Sorry I wasn't aware of it. I've opened [1] for you ;)


2. I'm not sure if I understood you correctly. Are you saying there is 
no chance LDAPMembershipPropagationAction will work out of the box? Or 
that you aren’t sure if it will work and it would be worth setting 
this up and trying it out? If it’s the second case, I would try it.


I'm quite sure that the propagation action will not work. I experienced 
the same issue little time ago. You should "adapt" it to work out of the 
box, in order to do this you can try without any modification and see 
what is its behavior in order to modify it.


Regards,

Martin


Best regards,
Andrea

[1] https://connid.atlassian.net/browse/LDAP-25


*From:* Andrea Patricelli [mailto:andreapatrice...@apache.org]
*Sent:* Monday, 24 July 2017 11:33
*To:* user@syncope.apache.org
*Subject:* Re: AW: AW: Configuration of LDAP Identity Store

Hi Martin,

I perfectly understand your situation.

Please see my responses inline.

On 22/07/2017 00:53, Böhmer, Martin wrote:

Yes, I have set a group mapping. It’s kinda simple:

Type:          User
Object Class:  __GROUP__
Mapping name:  Int: name; ext: cn; Remote key: yes
Object Link:   ‘cn=’ + name + ‘,ou=groups,dc=example,dc=com’




I had a look at the working example you provided. Using “cn” as
the uidAttribute and in the DN for both users and groups worked
fine in my test installation. But, this is only going to work in
case I can influence the way the DNs are structured, so I am able
to harmonise user and group DNs. True for my test environment, but
it is not going to work with our production LDAP.

On the production LDAP server, user DNs are structured “uid=…” and
group DNs “cn=…”. As a result, the “cn” attribute for users is not
a unique identifier, as two different persons can have the same
“cn” in our environment (they will get different uids and email
addresses, etc). There is no way I can change/harmonise the
structure of the DNs (for various reasons).

Setting the uidAttriute to “cn” proved not work with our
production LDAP server - even though the Object Links of the
mappings reflect the differences of the DNs (see above and below).
I do not understand why the uidAttribute of the connector config
influences the remote key generation as the remote key could be
generated only by just evaluating the different ObjectLink JEXL
expressions…

You are right, uidAttribute is only used to retrieve the entity from 
the LDAP server, i.e. the connector will search entities by 
uidAttribute (cn, uid, etc.). For this reason you see the user 
correctly propagated to LDAP, but not correctly linked on Syncope.


So, any ideas on how to get the sync work with the different DNs?

I see two solutions:
1. Implement an improvement on ConnID LDAP connector in order to 
manage two (or more) different uidAttributes (at least one for USER 
and another for GROUP), as done for Active Directory connector. You 
could open an issue (improvement) at [1].
2. Define two different resources, one for USER and the other for 
GROUP, and set uidAttribute as *Override* while configuring the 
connector. With this solution you'll be able to define for each 
resource your specific uidAttribute.
Solution 2 unfortunately has a drawback: 
LDAPMembershipPropagationAction could not work anymore and probably 
needs to be reviewed in order to work with entities related to two 
different resources.


HTH,
Andrea

[1] 
https://connid.atlassian.net/projects/BASE/issues/BASE-56?filter=allopenissues


Regards,

Martin

*From:* Andrea Patricelli [mailto:andrea.patrice...@tirasa.net]
*Sent:* Friday, 21 July 2017 15:35
*To:* user@syncope.apache.org
*Subject:* Re: AW: Configuration of LDAP Identity Store

Have you set a mapping for GROUP? Could you share it?
Pay attention to the object link for groups. It should be
something like this: 'cn=' + name + ',ou=groups,dc=sample,dc=com'
If it is correct (as I think) try to use as uidAttribute an
attribute that both USER and GROUP have, and is mapped to any of
Syncope attributes. cn for example.
You have a working example at [1] (Apache DS, resource-ldap).

Best regards,
Andrea

[1] http://syncope-vm.apache.org:9080/syncope-console

On 21/07/2017 13:15, Böhmer, Martin wrote:

Hi Andrea

Re: AW: Configuration of LDAP Identity Store

2017-07-21 Thread Andrea Patricelli

Have you set a mapping for GROUP? Could you share it?
Pay attention to the object link for groups. It should be something like 
this: 'cn=' + name + ',ou=groups,dc=sample,dc=com'
If it is correct (as I think) try to use as uidAttribute an attribute 
that both USER and GROUP have, and is mapped to any of Syncope 
attributes. cn for example.

You have a working example at [1] (Apache DS, resource-ldap).

Best regards,
Andrea

[1] http://syncope-vm.apache.org:9080/syncope-console

On 21/07/2017 13:15, Böhmer, Martin wrote:


Hi Andrea,

Thank you for the quick reply!

I changed the uidAttribute as you suggested and sync works for users. 
However, now I have the very same problem with groups whose remote IDs 
happen to be empty.


So, when I change the uidAttribute to „uid“, will the same connector 
also work for groups? Or do I need to create a second connector for 
synchronizing groups?


I am asking, because groups have the attribute “cn” in their dn 
instead of “uid” (see below).


Regards,

Martin

*From:* Andrea Patricelli [mailto:andrea.patrice...@tirasa.net]
*Sent:* Friday, 21 July 2017 12:29
*To:* user@syncope.apache.org
*Subject:* Re: Configuration of LDAP Identity Store

Hi Martin,

try to change, in connector configuration, the uidAttribute value to 
*uid* instead of "*entryUUID*".


BTW if this does not work could you attach core-connid.log file?

HTH,
Andrea

On 21/07/2017 12:00, Böhmer, Martin wrote:

Hi,

I cannot get the configuration of my LDAP Identity Store right.
What I want is a synchronization of users, groups and group
memberships, meaning that every change in Syncope is
propagated to LDAP and vice-versa.

With my current configuration below, I am able to pull users from
LDAP (pull task) and propagate new users to LDAP when created in
Syncope. What is not working is the synchronization of users
existing in both systems. Syncope complains about a missing remote
key. This is particularly strange when creating a user in Syncope.
On the result screen of the user creation, the remote key is
correctly displayed. When I close that screen and open the “Manage
resources” dialog for that user, the remote key is gone and thus
propagation of updates to LDAP fails.

Any hints would be greatly appreciated!

Regards,

Martin

I’m using *_OpenLDAP_*. The tree looks like this

dc=example,dc=com
  ou=people
    uid=johndoe
    …
  ou=groups
    cn=testgroup

Here is the configuration of the *_LDAP connector_* (properties
not listed were not touched = default value)

Bundle: *net.tirasa.connid.bundles.ldap*
Host: *localhost*
TCP Port: 389
Principal: *cn=syncope,dc=exmaple,dc=com*
Password: */**/*
Base Contexts: *dc=exmaple,dc=com*
Password Attribute: userPassword
Account Object Classes: top, person, organizationalPerson, inetOrgPerson
Account User Name Attributes: uid, cn
Group Object Classes: top, groupOfuniqueNames
Group Name Attributes: cn
Group Member Attribute: uniqueMember
Maintain LDAP Group Membership: (check mark)
Password Hash Algorithm: *SSHA*
VLV Sort Attribute: *uid*
Uid Attribute: *entryUUID*
Read Schema: (check mark)
Base Contexts to Synchronize: (empty)
Object Classes to Synchronize: *inetOrgPerson, groupOfUniqueNames*
Attributes to Synchronize: (empty)
Remove Log Entry Object Class from Filter: (check mark)
Enable Password Synchronization: (error)
Status management class: *net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement*
Capabilities: */(all selected)/*

And this is the configuration of my *_LDAP resource_*:

Propagation Actions: *LDAPPAsswordPropagationAction*, *LDAPMembershipPropagationAction*
Override Capabilities?: (error)
Account Policy: /(none)/
Password Policy: /(none)/
Pull Policy: /(none)/

Finally, the *_mapping configuration_*

Type: /User/
Object Class: /__ACCOUNT__/
Mapping username: /Int: username, ext: uid, Remote key: yes/
Mapping email: /Int: email, Ext: mail/
Mapping password: /Int: password, Ext: userPassword, Password: yes/
Object Link: /‘uid=’ + username + ‘,ou=people,dc=example,dc=com’/



--
Dott. Andrea Patricelli
Tel. +39 3204524292
Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.

Re: javax.xml.ws.WebServiceException: Remote exception with status code: NOT_FOUND

2017-03-14 Thread Andrea Patricelli
BTW I reproduced your issue. I guess that if you open your 
/opt/syncope/conf/security.properties you have a placeholder 
${adminUser} instead of admin into "adminUser" property.


Please carefully follow the instructions provided in the documentation at 
[1] (especially Deployment directories) on how to customize properties 
and check the files under /opt/syncope, and everything will work ;)


Best regards,
Andrea

[1] https://syncope.apache.org/docs/reference-guide.html#customization

On 14/03/2017 09:30, Andrea Patricelli wrote:

Hi,

are you using the Maven archetype, right?

Have you also checked the enduser.properties file?
Could you please attach the complete stacktrace?

Best regards,
Andrea

On 11/03/2017 08:24, alinturbut wrote:

Hi,

Thanks for the answer. I have managed to get some time and try again 
without success. My security.properties file:

adminUser=${adminUser}
adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
adminPasswordAlgorithm=SHA1

anonymousUser=${anonymousUser}
anonymousKey=${anonymousKey}

secretKey=${secretKey}
# default for LDAP / RFC2307 SSHA
digester.saltIterations=1
digester.saltSizeBytes=8
digester.invertPositionOfPlainSaltInEncryptionResults=true
digester.invertPositionOfSaltInMessageBeforeDigesting=true
digester.useLenientSaltSizeCheck=true

passwordGenerator=org.apache.syncope.core.spring.security.DefaultPasswordGenerator 



and the one after build:

adminUser=admin
adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
adminPasswordAlgorithm=SHA1

anonymousUser=anonymous
anonymousKey=12345

secretKey=12345
# default for LDAP / RFC2307 SSHA
digester.saltIterations=1
digester.saltSizeBytes=8
digester.invertPositionOfPlainSaltInEncryptionResults=true
digester.invertPositionOfSaltInMessageBeforeDigesting=true
digester.useLenientSaltSizeCheck=true

passwordGenerator=org.apache.syncope.core.spring.security.DefaultPasswordGenerator 



It looks ok to me, the sha1 hash is the correct one for the default 
password "password".

--
View this message in context: 
http://syncope-user.1051894.n5.nabble.com/javax-xml-ws-WebServiceException-Remote-exception-with-status-code-NOT-FOUND-tp5709065p5709072.html

Sent from the syncope-user mailing list archive at Nabble.com.




--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope
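
The check discussed in this message, written as an added example (not part of the thread and not Syncope project code): it parses a security.properties file, flags the unresolved `${...}` placeholders diagnosed above, and flags credentials that still match the defaults visible in the thread. The list of "default" values is an assumption taken only from the two files quoted in this message; the function names are hypothetical.

```python
import hashlib
import re

# Excerpt of the unfiltered file quoted in the thread (digester lines omitted).
SAMPLE_UNFILTERED = """\
adminUser=${adminUser}
adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
adminPasswordAlgorithm=SHA1
anonymousUser=${anonymousUser}
anonymousKey=${anonymousKey}
secretKey=${secretKey}
"""
# Excerpt of the file "after build" quoted in the thread.
SAMPLE_BUILT = """\
adminUser=admin
adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
adminPasswordAlgorithm=SHA1
anonymousUser=anonymous
anonymousKey=12345
secretKey=12345
"""

PLACEHOLDER = re.compile(r"\$\{[^}]+\}")
# Assumption: only the values visible in the thread are treated as defaults.
DEFAULT_PASSWORDS = ["password"]
DEFAULT_KEYS = {"12345"}
HASHES = {"SHA1": hashlib.sha1}  # the only algorithm shown on the page


def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return (key, problem) pairs for a security.properties body."""
    props = parse_properties(text)
    findings = [(k, "unresolved placeholder")
                for k, v in props.items() if PLACEHOLDER.search(v)]
    algo = HASHES.get(props.get("adminPasswordAlgorithm", "").upper())
    digest = props.get("adminPassword", "").lower()
    if algo and any(algo(p.encode()).hexdigest() == digest
                    for p in DEFAULT_PASSWORDS):
        findings.append(("adminPassword", "hash of a default password"))
    for key in ("anonymousKey", "secretKey"):
        if props.get(key) in DEFAULT_KEYS:
            findings.append((key, "default key value"))
    return findings
```

Running `audit()` over the deployed file under /opt/syncope/conf before startup catches both the filtering problem from this thread and a deployment that still ships the default admin password and keys.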



Re: javax.xml.ws.WebServiceException: Remote exception with status code: NOT_FOUND

2017-03-14 Thread Andrea Patricelli

Hi,

are you using the Maven archetype, right?

Have you also checked the enduser.properties file?
Could you please attach the complete stacktrace?

Best regards,
Andrea

On 11/03/2017 08:24, alinturbut wrote:

Hi,

Thanks for the answer. I have managed to get some time and try again without
success. My security.properties file:

adminUser=${adminUser}
adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
adminPasswordAlgorithm=SHA1

anonymousUser=${anonymousUser}
anonymousKey=${anonymousKey}

secretKey=${secretKey}
# default for LDAP / RFC2307 SSHA
digester.saltIterations=1
digester.saltSizeBytes=8
digester.invertPositionOfPlainSaltInEncryptionResults=true
digester.invertPositionOfSaltInMessageBeforeDigesting=true
digester.useLenientSaltSizeCheck=true

passwordGenerator=org.apache.syncope.core.spring.security.DefaultPasswordGenerator

and the one after build:

adminUser=admin
adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
adminPasswordAlgorithm=SHA1

anonymousUser=anonymous
anonymousKey=12345

secretKey=12345
# default for LDAP / RFC2307 SSHA
digester.saltIterations=1
digester.saltSizeBytes=8
digester.invertPositionOfPlainSaltInEncryptionResults=true
digester.invertPositionOfSaltInMessageBeforeDigesting=true
digester.useLenientSaltSizeCheck=true

passwordGenerator=org.apache.syncope.core.spring.security.DefaultPasswordGenerator

It looks ok to me, the sha1 hash is the correct one for the default password
"password".

--
View this message in context: 
http://syncope-user.1051894.n5.nabble.com/javax-xml-ws-WebServiceException-Remote-exception-with-status-code-NOT-FOUND-tp5709065p5709072.html
Sent from the syncope-user mailing list archive at Nabble.com.


--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope



Re: Syncope getting stucked

2017-03-10 Thread Andrea Patricelli

Ah ok, now it is a bit clearer, thanks :)

If the application starts, that is good; I suggested better hardware because 2GB 
is, maybe, the lower bound for memory.
About the exceptions, they are too generic; I cannot give you a precise 
answer on what could be the reason for your problem.

Please check also other log files, especially core.log.
Moreover it could be also some environment issue (too many open files or 
other machine configurations or features).


Best regards,
Andrea

On 10/03/2017 10:40, Mohit Agrawal wrote:

Hi ,

Thanks for your reply

Sorry for the confusion.

We are using the Debian release of Syncope and, for the database, we have 
connected Syncope to AWS' RDS PostgreSQL DB.

From the exception, it doesn't look like the issue is because of a shortage 
of memory (not getting an exception when doing alloc). Do you still feel it is 
because of memory limitation?

What does the line below indicate?

ERROR org.apache.syncope.client.console.widgets.AlertWidget - 
Unexpected error while checking for updated approval info


and

javax.ws.rs.ProcessingException: java.net.SocketTimeoutException: 
SocketTimeoutException invoking 
http://localhost:8080/syncope/rest/userworkflow/forms: Read timed out


Thank you for your time

Regards,

Mohit






On Fri, Mar 10, 2017 at 2:17 PM, Andrea Patricelli 
<andreapatrice...@apache.org> wrote:


Hi Mohit,


On 10/03/2017 08:48, Mohit Agrawal wrote:

Hi Andrea ,

Yes i have deployed it on single machine (just for testing our
application), i am using the standalone version on tomcat 9 . Yes
, after restart it works.

How is it possible that you're using tomcat 9? The newest
standalone (available at [1]) is a zipped file with embedded
tomcat 8 (refer to [2]).


Do you think , this issue is related to memory (no space) ?


It could be. If you can try with a larger size it could be better,
for example 4GB (more important than CPU) and 2-4 cores. First of
all because the default db used by the standalone distribution is
an in-memory H2 instance. Like described here [3].


our machine configuration is t2.medium in AWS  (2 core, 2 GB RAM)
Syncope version : 2.0   (debian release)
We are limiting  "soft limit"  to 300 MB ( while configuring the
instance )

We observed CPU and memory usage (reported by AWS)  and it is 22
% memory and CPU is less than 2 %

Thanks for your support.

Regards,
Mohit



Best regards,
Andrea

[1] http://www.apache.org/dyn/closer.lua/syncope/2.0.2/syncope-standalone-2.0.2-distribution.zip
[2] https://syncope.apache.org/docs/getting-started.html#standalone
[3] https://syncope.apache.org/docs/getting-started.html#standalone-components





On Thu, Mar 9, 2017 at 1:38 PM, Andrea Patricelli
<andreapatrice...@apache.org> wrote:
Hi Mohit,

I guess that you have deployed the Syncope application on a
single machine. What version of Syncope are you using? On
which Application server? After a restart does it come back
to work?

Are you sure that machine hardware is good enough to host a
Syncope application?

Best regards,
Andrea


On 09/03/2017 08:04, Mohit Agrawal wrote:


Hi ,


We are seeing frequent syncope stuck (say after 2 days) in
our testing. When we try to use authenticate API (
/users/self ) , we are seeing exception in the syncope logs.
Could you please help us to identify what could be issue ? 
I have attached syncope log with this email. I have attached
the logs.


    Regards,


    Mohit


-- 
Andrea Patricelli


Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope




-- 
Andrea Patricelli


Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope




--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope



Re: Syncope getting stucked

2017-03-10 Thread Andrea Patricelli

Hi Mohit,


On 10/03/2017 08:48, Mohit Agrawal wrote:

Hi Andrea ,

Yes i have deployed it on single machine (just for testing our 
application), i am using the standalone version on tomcat 9 . Yes , 
after restart it works.
How is it possible that you're using tomcat 9? The newest standalone 
(available at [1]) is a zipped file with embedded tomcat 8 (refer to [2]).


Do you think , this issue is related to memory (no space) ?

It could be. If you can try with a larger size it could be better, for 
example 4GB (more important than CPU) and 2-4 cores. First of all 
because the default db used by the standalone distribution is an 
in-memory H2 instance. Like described here [3].


our machine configuration is t2.medium in AWS  (2 core, 2 GB RAM)
Syncope version : 2.0   (debian release)
We are limiting  "soft limit"  to 300 MB ( while configuring the 
instance )


We observed CPU and memory usage (reported by AWS)  and it is 22 % 
memory and CPU is less than 2 %


Thanks for your support.

Regards,
Mohit



Best regards,
Andrea

[1] http://www.apache.org/dyn/closer.lua/syncope/2.0.2/syncope-standalone-2.0.2-distribution.zip
[2] https://syncope.apache.org/docs/getting-started.html#standalone
[3] https://syncope.apache.org/docs/getting-started.html#standalone-components






On Thu, Mar 9, 2017 at 1:38 PM, Andrea Patricelli 
<andreapatrice...@apache.org> wrote:


Hi Mohit,

I guess that you have deployed the Syncope application on a single
machine. What version of Syncope are you using? On which
Application server? After a restart does it come back to work?

Are you sure that machine hardware is good enough to host a
Syncope application?

Best regards,
Andrea


On 09/03/2017 08:04, Mohit Agrawal wrote:


Hi ,


We are seeing frequent syncope stuck (say after 2 days) in our
testing. When we try to use authenticate API ( /users/self ) , we
are seeing exception in the syncope logs. Could you please help
us to identify what could be issue ?  I have attached syncope log
with this email. I have attached the logs.


Regards,


    Mohit


-- 
Andrea Patricelli


Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
    Syncope




--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope


