Re: Question about configuration for object synch between directories
You're welcome. Best regards, Andrea On 27/09/22 13:41, Michael Paxton wrote: Thanks Andrea, I will try the configurations you recommended. Thanks for the guidance! Cheers Michael On Tue, 27 Sep 2022, 01:55 Andrea Patricelli, wrote: Hi Michael, On 26/09/22 12:31, Michael Paxton wrote: Hi Andrea, Thanks for getting back to me. What we are trying to achieve (which may be a misuse of Syncope - please let me know) is to ensure that all objects in a directory (AD) (eg contacts) that are members of a designated group (eg "Sync Allowed") are pushed into a designated OU on all other participating directories. This is not a misuse, since Syncope is a provisioning engine, born also to perform such pull/push operations. The destination OU seems to be working but the group selection (implemented by adding the group DN to the Memberships configuration item) seems to work in some instances but not others. When you say "LDAP Filter for Retrieving Accounts" the only similar field I see is "Custom User Search Filter". Is this what you are referring to? I did try it earlier (using a memberof filter in version 2.1.11) with no success but will try again. Yes, on Active Directory connector the configuration parameter is the one you addressed. I have separated push and pull into separate connectors so that I can configure them separately - OU DNs, etc). Is this an error? should it be one connector with two resources (one for pull, one for push) with different connobjectlink? Could this be the cause of it moving an object from the source OU to the destination OU in the same directory? I do not think so, you can even use two different connectors with separate resources, what makes the difference is how you build the object sent to the destination Active Directory. 
Bear also in mind that if you perform an update on a specific user assigned to a specific resource (say source Active Directory) also a propagation will be triggered, this is why you find entries propagated to the source Active Directory. If you're not interested in propagating on the source, when configuring the pull task you should set pull mode FULL_RECONCILIATION and unmatching_rule: PROVISION: this way you'll get users on Syncope, but not assigned to the source Active Directory resource. I will check out the references you provided now - many thanks for that! I suppose one other question would be, is it possible to remove objects from Syncope (eg get rid of objects that shouldn't have been pulled)? I made the mistake of Deleting them and removing them from AD as well :) Yes, when deleting on Syncope, in order not to fire a DELETE propagation towards Active Directory, just UNLINK these users from the resource and delete or simply remove DELETE capability from Active Directory connector(s). Cheers, michael. HTH, Andrea On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli wrote: Hi Michael, On 25/09/22 12:23, Michael Paxton wrote: > Hello all, > > I have a configuration where I have two directories (AD) and want to > synchronise > certain objects between them. > > I want to only synch objects that are members of SynchGroup > > I want to pull objects from SourceOU in each directory and to push > objects to DestinationOU in each directory. This will keep local > objects separated from synchronised objects > > To do this I have done the following: > - created a connector for each directory dedicated to PULLing. This is > configured to look at SourceOU and has Memberships set to the DN of > SynchGroup > - created a connector for each directory dedicated to PUSHing. 
This is > configured to look at DestinationOU > > This works, in a fashion, but the following things are occurring: > - It pulls (and then subsequently pushes) objects that aren't a member > of SynchGroup In order to pull only specific users you can run a Filtered reconciliation [1] or set a LDAP filter directly on the connector in the "LDAP Filter for Retrieving Accounts" field. BTW for LDAP identity stores, synchronize means "pulling only the latest changes" based on the changelog, is this what you're looking for? > - It sporadically moves (i assume, by UPDATE?) local objects from > SourceOU to DestinationOU in the same directory In order to make Syncope write an object in a specific LDAP s
Re: Question about configuration for object synch between directories
Hi Michael, On 26/09/22 12:31, Michael Paxton wrote: Hi Andrea, Thanks for getting back to me. What we are trying to achieve (which may be a misuse of Syncope - please let me know) is to ensure that all objects in a directory (AD) (eg contacts) that are members of a designated group (eg "Sync Allowed") are pushed into a designated OU on all other participating directories. This is not a misuse, since Syncope is a provisioning engine, born also to perform such pull/push operations. The destination OU seems to be working but the group selection (implemented by adding the group DN to the Memberships configuration item) seems to work in some instances but not others. When you say "LDAP Filter for Retrieving Accounts" the only similar field I see is "Custom User Search Filter". Is this what you are referring to? I did try it earlier (using a memberof filter in version 2.1.11) with no success but will try again. Yes, on Active Directory connector the configuration parameter is the one you addressed. I have separated push and pull into separate connectors so that I can configure them separately - OU DNs, etc). Is this an error? should it be one connector with two resources (one for pull, one for push) with different connobjectlink? Could this be the cause of it moving an object from the source OU to the destination OU in the same directory? I do not think so, you can even use two different connectors with separate resources, what makes the difference is how you build the object sent to the destination Active Directory. Bear also in mind that if you perform an update on a specific user assigned to a specific resource (say source Active Directory) also a propagation will be triggered, this is why you find entries propagated to the source Active Directory. 
If you're not interested in propagating on the source, when configuring the pull task you should set pull mode FULL_RECONCILIATION and unmatching_rule: PROVISION: this way you'll get users on Syncope, but not assigned to the source Active Directory resource. I will check out the references you provided now - many thanks for that! I suppose one other question would be, is it possible to remove objects from Syncope (eg get rid of objects that shouldn't have been pulled)? I made the mistake of Deleting them and removing them from AD as well :) Yes, when deleting on Syncope, in order not to fire a DELETE propagation towards Active Directory, just UNLINK these users from the resource and delete or simply remove DELETE capability from Active Directory connector(s). Cheers, michael. HTH, Andrea On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli wrote: Hi Michael, On 25/09/22 12:23, Michael Paxton wrote: > Hello all, > > I have a configuration where I have two directories (AD) and want to > synchronise > certain objects between them. > > I want to only synch objects that are members of SynchGroup > > I want to pull objects from SourceOU in each directory and to push > objects to DestinationOU in each directory. This will keep local > objects separated from synchronised objects > > To do this I have done the following: > - created a connector for each directory dedicated to PULLing. This is > configured to look at SourceOU and has Memberships set to the DN of > SynchGroup > - created a connector for each directory dedicated to PUSHing. This is > configured to look at DestinationOU > > This works, in a fashion, but the following things are occurring: > - It pulls (and then subsequently pushes) objects that aren't a member > of SynchGroup In order to pull only specific users you can run a Filtered reconciliation [1] or set a LDAP filter directly on the connector in the "LDAP Filter for Retrieving Accounts" field. 
BTW for LDAP identity stores, synchronize means "pulling only the latest changes" based on the changelog, is this what you're looking for? > - It sporadically moves (i assume, by UPDATE?) local objects from > SourceOU to DestinationOU in the same directory In order to make Syncope write an object in a specific LDAP subtree you need to properly configure the mapping [2] and especially the "connObjectLink", a configuration field used as rule to build the DN of an entry by LDAP connectors. Please take a look at the shared doc and at the playground env here [3] (ApacheDS connector and resource-ldap resource). If you have to perform more complex computations while propagating, consider to implement your own Propagation actions class [4] to "hack" the attributes sent to the connector. > > I am relatively new to Syncope. I initially configured the tasks
Re: Question about configuration for object synch between directories
Hi Michael,

On 25/09/22 12:23, Michael Paxton wrote:
> Hello all,
>
> I have a configuration where I have two directories (AD) and want to synchronise certain objects between them.
>
> I want to only synch objects that are members of SynchGroup
>
> I want to pull objects from SourceOU in each directory and to push objects to DestinationOU in each directory. This will keep local objects separated from synchronised objects
>
> To do this I have done the following:
> - created a connector for each directory dedicated to PULLing. This is configured to look at SourceOU and has Memberships set to the DN of SynchGroup
> - created a connector for each directory dedicated to PUSHing. This is configured to look at DestinationOU
>
> This works, in a fashion, but the following things are occurring:
> - It pulls (and then subsequently pushes) objects that aren't a member of SynchGroup

In order to pull only specific users you can run a Filtered reconciliation [1] or set a LDAP filter directly on the connector in the "LDAP Filter for Retrieving Accounts" field. BTW for LDAP identity stores, synchronize means "pulling only the latest changes" based on the changelog, is this what you're looking for?

> - It sporadically moves (I assume, by UPDATE?) local objects from SourceOU to DestinationOU in the same directory

In order to make Syncope write an object in a specific LDAP subtree you need to properly configure the mapping [2] and especially the "connObjectLink", a configuration field used as rule to build the DN of an entry by LDAP connectors. Please take a look at the shared doc and at the playground env here [3] (ApacheDS connector and resource-ldap resource). If you have to perform more complex computations while propagating, consider to implement your own Propagation actions class [4] to "hack" the attributes sent to the connector.

> I am relatively new to Syncope. I initially configured the tasks with a highly conflicting schedule which may have caused race conditions or other unusual behaviour but the issues seem to persist even after staggering the schedule more sensibly.
>
> Apologies if the above seems overly convoluted. Any advice would be greatly appreciated.

Don't worry ;)

Best regards,
Andrea

> Cheers,
> Michael.

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping
[3] https://syncope-vm2.apache.org/syncope-console
[4] https://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions

--
Andrea Patricelli Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope
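Added example, not part of the original thread and not Syncope code: a pre-flight check of the scope discussed above, building the group-membership search filter with RFC 4515 escaping and the destination DN with RFC 4514 escaping, then classifying constructed directory entries. The `example.com` DNs, the entries and all function names are assumptions; the `nested` option goes slightly beyond the thread by using Active Directory's in-chain matching rule for nested groups.

```python
"""Pre-flight scope check for a group-restricted AD-to-AD sync (constructed example)."""

# RFC 4515: characters that must be hex-escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# AD's LDAP_MATCHING_RULE_IN_CHAIN; a plain memberOf test sees direct membership only.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn, object_class, nested=False):
    """Build the search filter limiting a pull to members of one group."""
    attr = "memberOf:%s:" % IN_CHAIN_OID if nested else "memberOf"
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(object_class), attr, escape_filter_value(group_dn))


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def destination_dn(cn, dest_ou):
    """DN the push side should produce: always under the destination OU."""
    return "CN=%s,%s" % (escape_rdn_value(cn), dest_ou)


def _norm(dn):
    # Simplified DN comparison: trims and lower-cases, no full RFC 4514 parsing.
    return dn.strip().lower()


def in_subtree(dn, base_dn):
    return _norm(dn).endswith("," + _norm(base_dn))


def plan_sync(entries, source_ou, group_dn, dest_ou):
    """Return (push, skip): source DN -> target DN, and source DN -> skip reason."""
    push, skip = {}, {}
    for entry in entries:
        dn = entry["distinguishedName"]
        groups = {_norm(g) for g in entry.get("memberOf", [])}
        if not in_subtree(dn, source_ou):
            skip[dn] = "outside source OU"
        elif _norm(group_dn) not in groups:
            skip[dn] = "not a member of sync group"
        else:
            push[dn] = destination_dn(entry["cn"], dest_ou)
    return push, skip


# Constructed sample data (assumed DNs, not taken from the thread).
SOURCE_OU = "OU=SourceOU,DC=a,DC=example,DC=com"
DEST_OU = "OU=DestinationOU,DC=b,DC=example,DC=com"
GROUP_DN = "CN=SynchGroup,OU=Groups,DC=a,DC=example,DC=com"
ENTRIES = [
    {"cn": "Alice Smith", "distinguishedName": "CN=Alice Smith," + SOURCE_OU,
     "memberOf": [GROUP_DN]},
    {"cn": "Bob Local", "distinguishedName": "CN=Bob Local," + SOURCE_OU,
     "memberOf": []},
    {"cn": "Doe, Jane", "distinguishedName": "CN=Doe\\, Jane," + SOURCE_OU,
     "memberOf": [GROUP_DN.lower()]},
    # Already-synchronised object sitting in this directory's destination OU.
    {"cn": "Carol Remote",
     "distinguishedName": "CN=Carol Remote,OU=DestinationOU,DC=a,DC=example,DC=com",
     "memberOf": [GROUP_DN]},
]

if __name__ == "__main__":
    print(member_of_filter(GROUP_DN, "contact"))
    to_push, to_skip = plan_sync(ENTRIES, SOURCE_OU, GROUP_DN, DEST_OU)
    for src, dst in to_push.items():
        print("PUSH", src, "->", dst)
    for src, why in to_skip.items():
        print("SKIP", src, "(%s)" % why)
```

Running the same classification against an export of the real source OU before enabling the pull task shows which entries the filter would admit and where each would land.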
2-factor authentication on Syncope
Hi Avetik,

Please let's change the object of the thread, otherwise all mails will be added as comments to Jira issue SYNCOPE-1695.

BTW If I well understood your question you want to login to Syncope console with 2FA, am I right? If so, Syncope does not provide 2-factor auth OOTB, but you can configure it to integrate with an external IdP through SAML [1] or OIDC [2] that provides such authentication features, i.e. an Access Manager, for example Apereo CAS [3]. Let me also point out that Syncope 3, currently at M0 release, provides OOTB a Web Access [4] module that is effectively an AM based on Apereo CAS project.

Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#saml-2-0-service-provider
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#openid-connect-client
[3] https://apereo.github.io/cas/6.6.x/index.html
[4] https://nightlies.apache.org/syncope/master/reference-guide.html#web-access

On 19/09/22 14:58, avetik.yessa...@ihost.am wrote:
> Dear Colleagues,
>
> Appreciate if you may advise about who can help us to get a configuration file example for 2-Factor Authentication for Apache Syncope?
>
> Best regards,
> Avetik
>
> On 2022-09-19 16:22, Andrea Patricelli wrote:
> Dear Avetik,
>
> Glad to hear about your interest in Apache Syncope project, but such kind of requests should be done on the appropriate mailing list here [1]. Please use the user@syncope.apache.org ML to ask for what you're looking for.
>
> Thanks and regards!
>
> [1] https://syncope.apache.org/mailing-lists
>
> On 19/09/22 14:09, avetik.yessa...@ihost.am.INVALID wrote:
> Dear Andrea,
>
> Appreciate if you can advise who can provide 2-Factor Authentication configuration sample for Apache Syncope.
>
> Best regards,
> Avetik

--
Andrea Patricelli Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope
Re: how and where to provide elastic search cluster credentials to connect in the elasticsearchClientContext.xml
Glad to hear this. Nice catch!

You're welcome and best regards,
Andrea

On 03/03/22 17:48, Vinay Kavala wrote:
> Hi Andrea,
>
> Thanks for that. However, the elastic extension jar from 2.1.9 syncope installation does not have proper bean setter methods to pass in the parameters. So we have upgraded from 2.1.9 to 2.1.10 according to this document https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+from+2.1.9+to+2.1.10 and deployed both the syncope-console and syncope-core war files and it worked!!
>
> Thanks a lot Andrea!!!
>
> Regards,
> Vinay
>
> *From:* Andrea Patricelli
> *Sent:* Thursday, March 3, 2022 4:50 AM
> *To:* user@syncope.apache.org
> *Subject:* Re: how and where to provide elastic search cluster credentials to connect in the elasticsearchClientContext.xml
>
> Hi Vinay,
>
> Please try with this here [1]
>
> class="org.apache.syncope.ext.elasticsearch.client.ElasticsearchClientFactoryBean"> name="apiKeyId" value="myApiKeyId"/> value="myApiKeySecret"/>
>
> and let us know.
>
> Best regards,
> Andrea
>
> [1] https://github.com/apache/syncope/blob/2_1_X/ext/elasticsearch/client-elasticsearch/src/main/resources/elasticsearchClientContext.xml
>
> On 01/03/22 19:45, Vinay Kavala wrote:
> Hi Team,
>
> In the documentation https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core it is mentioned that we need to configure the elasticSearchClientContext.xml to connect to the ES Cluster. How do we pass on the username and password as credentials to the ElasticsearchClientFactoryBean? I have added the below in the xml file..
>
> value="51cef73639d747b081088788c3ad3323.ip.es.odplabs.com"/>
>
> How (and where) do I need to pass in the credentials to connect to the ES Cluster?
>
> Thanks,
> Vinay
>
> --
> Andrea Patricelli Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope

--
Andrea Patricelli Tirasa - Open Source Excellence http://www.tirasa.net/ PMC Member at The Apache Software Foundation Syncope
Re: how and where to provide elastic search cluster credentials to connect in the elasticsearchClientContext.xml
Hi Vinay,

Please try with this here [1]

class="org.apache.syncope.ext.elasticsearch.client.ElasticsearchClientFactoryBean"> name="apiKeyId" value="myApiKeyId"/> value="myApiKeySecret"/>

and let us know.

Best regards,
Andrea

[1] https://github.com/apache/syncope/blob/2_1_X/ext/elasticsearch/client-elasticsearch/src/main/resources/elasticsearchClientContext.xml

On 01/03/22 19:45, Vinay Kavala wrote:
> Hi Team,
>
> In the documentation https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core it is mentioned that we need to configure the elasticSearchClientContext.xml to connect to the ES Cluster. How do we pass on the username and password as credentials to the ElasticsearchClientFactoryBean? I have added the below in the xml file..
>
> value="51cef73639d747b081088788c3ad3323.ip.es.odplabs.com"/>
>
> How (and where) do I need to pass in the credentials to connect to the ES Cluster?
>
> Thanks,
> Vinay

--
Andrea Patricelli Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope
Re: Elastic Search extension usage and the impacted API's
Hi Vinay, More than a cache is a parallel persistence that stores only some information to better index searches. Please read my responses inline. On 11/02/22 16:47, Vinay Kavala wrote: Hi Team, I have couple of questions related to Elastic Search extension. 1. I just wanted to understand which API's are returning the cached attributes/results from the elastic search, after a successful elastic search extension configuration with Syncope Core. 1. for example - I assume the below API's fetch results from the elastic search cache, correct me if I am wrong. Are there any other API's which are returning the cached response? Where do I find the list of API's being served from elastic cache? 2. /users /users/{key} /anyObjects /anyObjects/{key} /schemas /schemas/{type} ATM only searches are performed through the Elasticsearch extension, here is the code [1]. So we can assume that only * GET /users * GET /groups * GET /anyObjects search APIs use the Elasticsearch "cache". 1. 1. Is there a way to turn off the elastic search cache on syncope after configuration? Is there a toggle to turn on/off the cache? Or do I need entirely revert all the configuration changes in order to turn off the cache? Basically you should revert all changes described here [2] (Enable the Elasticsearch extension) to return to a "clean" situation. But the most important change is to update this line [3] in your specific project configuration folder and restart the application server. The property any.search.dao leverages the search DAO bean to use, the default value is at [4]. 
Thanks, Vinay HTH, Andrea [1] https://github.com/apache/syncope/blob/2_1_X/ext/elasticsearch/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/ElasticsearchAnySearchDAO.java [2] https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core [3] https://github.com/apache/syncope/blob/syncope-2.1.10/ext/elasticsearch/persistence-jpa/src/main/resources/persistence.properties#L22 [4] https://github.com/apache/syncope/blob/syncope-2.1.10/core/persistence-jpa/src/main/resources/persistence.properties#L22 -- Andrea Patricelli Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope
Re: Apache syncope integration with Active Directory
Hi Marius,

On 16/09/20 10:38, Marius wrote:
> Hello,
>
> we are trying to get apache syncope to integrate/communicate with an active directory, we have a maven installation and have created the AD resource connector using the connector from the bundle directory and everything seems to be ok so far, the problem is that apache syncope does not seem to be communicating with the active directory.
>
> I found this guide online https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory, and I tried to create a new resource under the AD resource connector but I seem to be missing the "LDAPMembershipPropagationActions" action class under the resource when I try to create it, in fact I miss the other 2 too that he seems to have under the "Propagation Actions" menu.
>
> Now my question is how do I get on about having those classes available for usage? do I need to modify something with the sample he provided in the beginning of the post and then have to re-deploy everything? or is there an easier way of doing this. Thank you in advance for this

Since Syncope 2.1.X implementations [1] have been introduced. In order to define a custom propagation actions class you have to create your own implementation (from Configuration menu) and then you'll see it available under the "Propagation Actions" menu.

> I would like to ask you one more thing, in a working integration of apache syncope and AD, if I create a user using the apache syncope console does it get replicated automatically into the AD or do I have to do some additional configurations?

No, if the connector and the external resource are correctly configured you only need to assign AD to the user while creating/updating him in console.

> Thank you very much in advance.

Welcome and best regards,
Andrea

> --
> Sent from: http://syncope-user.1051894.n5.nabble.com/

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#implementations

--
Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Re: Fwd: How to generate swagger documentation
Sorry, my bad. The correct swagger url is [protocol]://[host]:[port]/syncope/swagger/

Best regards,
Andrea

On 25/06/20 11:30, Andrea Patricelli wrote:
> Hi Anmol
>
> On 24/06/20 18:22, Anmol Sharma wrote:
>> Hi,
>>
>> I'm a new user exploring the Maven project workflow for Apache Syncope. I tried to use the `syncope-ext-swagger-ui` to generate the swagger documentation. When I run mvn clean package in the core module, I do not see swagger-ui docs or config generated. I also ran the build with the `all` profile but it did not notice any difference.
>>
>> I'm wondering if you could point me to some documentation on how to enable / generate swagger docs for a standalone deployment of the core module?
>
> Here you can find some docs about building Syncope in general [1]. To enable the swagger extension please follow [2], "Enable the Swagger extension" section. You can find swagger docs available at [protocol]://[host]:[port]/syncope-swagger/
>
>> Thanks
>> anmol
>
> HTH,
> Andrea
>
> [1] https://syncope.apache.org/building
> [2] https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core
>
>> --
>> - Anmol
>
> --
> Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member

--
Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Re: Fwd: How to generate swagger documentation
Hi Anmol

On 24/06/20 18:22, Anmol Sharma wrote:
> Hi,
>
> I'm a new user exploring the Maven project workflow for Apache Syncope. I tried to use the `syncope-ext-swagger-ui` to generate the swagger documentation. When I run mvn clean package in the core module, I do not see swagger-ui docs or config generated. I also ran the build with the `all` profile but it did not notice any difference.
>
> I'm wondering if you could point me to some documentation on how to enable / generate swagger docs for a standalone deployment of the core module?

Here you can find some docs about building Syncope in general [1]. To enable the swagger extension please follow [2], "Enable the Swagger extension" section. You can find swagger docs available at [protocol]://[host]:[port]/syncope-swagger/

> Thanks
> anmol

HTH,
Andrea

[1] https://syncope.apache.org/building
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core

> --
> - Anmol

--
Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Re: Problem implementing First test Syncope pull action
I never followed this way and is quite unusual to apply such customizations. Please follow the approach that I suggested: add the class to the archetype codebase, build Syncope and redeploy the whole war of the core. Alternatively, if you're running a 2.1.X version, you could add at runtime LDAPPasswordPullActions as a groovy implementation [1] and so you do not need to rebuild and restart at all.

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#implementations

On 04/05/20 08:49, oh...@yahoo.com wrote:
> Hi,
>
> No. I was able to build the LDAPPasswordPullActions.java separately, in Eclipse, using JARs from the Syncope installation. That got me the LDAPPasswordPullActions.class file in ./org/apache/syncope/core/provisioning/java/pushpull/LDAPPasswordPullActions.class.
>
> Then, I ran:
>
> jar uf /webapps/syncope/WEB-INF/lib/syncope-core-provisioning-java-2.1.5.jar ./org/apache/syncope/core/provisioning/java/pushpull/LDAPPasswordPullActions.class
>
> to add the LDAPPasswordPullActions.class to the syncope-core-provisioning-java-2.1.5.jar.
>
> Now, "tar tvf" shows:
>
> jar tvf syncope-core-provisioning-java-2.1.5.jar | grep LDAPPasswordPullAction
> 7975 Sun May 03 15:56:42 UTC 2020 org/apache/syncope/core/provisioning/java/pushpull/LDAPPasswordPullActions.class
>
> Then, I bounced the Tomcat, and went to the Syncope admin web app to Configuration ==> Implementations and tried to add the PULL_ACTIONS, but the LDAPPasswordPullActions does NOT appear there.
>
> What else do I need to do to make the pull action available? Is there a MANIFEST.MF that needs to be modified also?
>
> Thanks,
> Jim
>
> On Monday, May 4, 2020, 02:08:00 AM EDT, Andrea Patricelli wrote:
>> Hi Jim,
>>
>> On 03/05/20 18:14, oh...@yahoo.com wrote:
>>> Hi,
>>>
>>> I wanted to test pull actions, so I am trying to build and deploy the LDAPPasswordPullActions example:
>>>
>>> https://github.com/apache/syncope/blob/syncope-2.1.5/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/pushpull/LDAPPasswordPullActions.java
>>>
>>> I was able compile that class cleanly and I added that class to the /webapps/syncope/WEB-INF/lib/syncope-core-provisioning-java-2.1.5.jar and then I bounced the Tomcat server.
>>
>> Do you mean that you added the class to the codebase of your archetype, rebuilt the whole core module and deployed it into the Tomcat, right?
>>
>>> However, when I go into the Syncope admin web app and check under Implementations ==> PULL_ACTIONS, I don't see any pull actions appearing.
>>>
>>> Did I add the new class file to the correct JAR file?
>>>
>>> If so, what else would cause the new PULL ACTION to not appear?
>>>
>>> Thanks,
>>> Jim
>>
>> Best regards,
>> Andrea
>>
>> --
>> Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member

--
Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Re: Problem implementing First test Syncope pull action
Hi Jim,

On 03/05/20 18:14, oh...@yahoo.com wrote:
> Hi,
>
> I wanted to test pull actions, so I am trying to build and deploy the LDAPPasswordPullActions example:
>
> https://github.com/apache/syncope/blob/syncope-2.1.5/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/pushpull/LDAPPasswordPullActions.java
>
> I was able compile that class cleanly and I added that class to the /webapps/syncope/WEB-INF/lib/syncope-core-provisioning-java-2.1.5.jar and then I bounced the Tomcat server.

Do you mean that you added the class to the codebase of your archetype, rebuilt the whole core module and deployed it into the Tomcat, right?

> However, when I go into the Syncope admin web app and check under Implementations ==> PULL_ACTIONS, I don't see any pull actions appearing.
>
> Did I add the new class file to the correct JAR file?
>
> If so, what else would cause the new PULL ACTION to not appear?
>
> Thanks,
> Jim

Best regards,
Andrea

--
Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Re: How to retrieve previous/historical attribute data
Hi Glenn

On 28/03/20 07:46, Glenn Roe wrote:
> Great news. Thanks, Andrea! Would you happen to know if the audit feature will be log or database driven?

By default it is database driven, but you can provide to Syncope your own implementation and make Syncope use it by defining a custom implementation of [1] and [2] and changing the *logger.dao* property in this [3] file (of the generated archetype). For other audit features (not directly related to data versioning) you can specify your own appender through Log4j2 features [4].

> Also, do you happen to have a timeline for the 2.1.6 release?

I'm not able to define a date, but will be released soon ;)

> Thanks again,

Welcome and best regards,
Andrea

[1] https://github.com/apache/syncope/blob/2_1_X/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/dao/LoggerDAO.java
[2] https://github.com/apache/syncope/blob/2_1_X/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/Logger.java
[3] https://github.com/apache/syncope/blob/2_1_X/core/persistence-jpa/src/main/resources/persistence.properties
[4] https://syncope.apache.org/docs/2.1/reference-guide.html#audit-appenders

> Glenn
>
> On Friday, March 27, 2020, 3:32:14 AM EDT, Andrea Patricelli wrote:
>> Hi Glenn,
>>
>> since 2.1.6 version, not yet released, you will have the possibility to see the whole history of an user, group or any object by going to Realms -> USER -> manage history. To enable this feature you have to setup the audit [1] in order to track events like [LOGIC]:[UserLogic]:[]:[update]:[SUCCESS]. You can see this feature in action on the playground env at [2].
>>
>> Best regards,
>> Andrea
>>
>> [1] https://syncope.apache.org/docs/2.1/reference-guide.html#audit
>> [2] https://syncope-vm2.apache.org/syncope-console
>>
>> On 26/03/20 13:45, Glenn Roe wrote:
>>> Hello,
>>>
>>> I'm trying to figure out a way in Syncope to view a processed record's (via pull or push operation) previous or even historical attribute values. Is this possible within Syncope by either an API or other means? I'm trying to create a capability to view a record's historical attribute values in order to track bad data being processed.
>>>
>>> Thank you,
>>> Glenn
>>
>> --
>> Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member

--
Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Re: How to retrieve previous/historical attribute data
Hi Glenn,

since 2.1.6 version, not yet released, you will have the possibility to see the whole history of an user, group or any object by going to Realms -> USER -> manage history. To enable this feature you have to setup the audit [1] in order to track events like [LOGIC]:[UserLogic]:[]:[update]:[SUCCESS]. You can see this feature in action on the playground env at [2].

Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#audit
[2] https://syncope-vm2.apache.org/syncope-console

On 26/03/20 13:45, Glenn Roe wrote:
> Hello,
>
> I'm trying to figure out a way in Syncope to view a processed record's (via pull or push operation) previous or even historical attribute values. Is this possible within Syncope by either an API or other means? I'm trying to create a capability to view a record's historical attribute values in order to track bad data being processed.
>
> Thank you,
> Glenn

--
Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Re: invalidmapping [only propagation allowed for derived]
Hi Arnold, since derived attributes' values are generated, you can only propagate them (towards the resource, i.e. identity-store). You cannot pull from the identity-store the value of a derived attribute simply because its values are derived from other (plain) attributes. If you are pushing data towards a resource, i.e. execute a propagation task, you have to define the mapping for the derived attribute(s) as propagation only (->). Please refer to [1], [2] and [3].
HTH, Andrea
[1] https://syncope.apache.org/docs/2.1/reference-guide.html#propagation
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping
[3] https://syncope.apache.org/docs/2.1/reference-guide.html#derived

On 25/03/20 00:58, Arnold Miller wrote:
Hi there! I'm trying to sync first and last names to a single full name to an identity store by using a push task, so I created a derived schema with the combination of both; however, when I try to map this the system says: invalidmapping [only propagation allowed for derived] Does anybody know what to do in this case? Thank you!
Best Regards, Arnold Miller
Re: More problems provisioning problems w/somewhat larger user base - Connection already closed
Hi Jim, which DBMS are you using? Generally speaking Syncope can manage several thousands of users, much more than 50k, without any problem. Maybe your issue is related to configuration of datasource pools. If you are using default Hikari datasource [1] you can act on Hikari pool configuration params [2] and [3], mainly the ones related to connection timeout. If you are using tomcat jdbc datasource [4] you have to manage connection configuration directly on the tomcat configuration.
Best regards, Andrea
[1] https://github.com/apache/syncope/blob/2_1_X/core/persistence-jpa/src/main/resources/domains/MasterDomain.xml#L48-L58
[2] https://github.com/brettwooldridge/HikariCP/wiki/About-Pool-Sizing
[3] https://github.com/brettwooldridge/HikariCP#configuration-knobs-baby

On 19/02/20 04:57, oh...@yahoo.com wrote:
Hi, I am continuing to test Syncope, trying to increase the number of users. So I started with a clean start, with only a few test users in Syncope and clean logs. I have a CSV file with 500 users and when I attempted to process this file with Syncope, I saw the following in the core.log (this is just a snippet of the log):
03:45:48.560 INFO hsqldb.db.HSQLDB6D91E2E024.ENGINE - checkpointClose start
03:45:48.560 INFO hsqldb.db.HSQLDB6D91E2E024.ENGINE - checkpointClose synched
03:45:48.611 INFO hsqldb.db.HSQLDB6D91E2E024.ENGINE - checkpointClose script done
03:45:48.615 INFO hsqldb.db.HSQLDB6D91E2E024.ENGINE - checkpointClose end
03:46:11.350 ERROR org.apache.syncope.core.provisioning.api.pushpull.SyncopeResultHandler - Could not create USER Auid00290
org.apache.openjpa.persistence.PersistenceException: Connection has already been closed.
{SELECT dynRealm_id FROM DynRealmMembers WHERE any_id=?} [code=0, state=null]
Re: Connector issue
Hi Steven, glad to hear this.
Best regards, Andrea

On 28/11/19 16:15, Steven van der Merwe wrote:
Hi Andrea
Thank you very much - You are spot on. It was the fact that it was expecting an array but I was accidentally passing back an array of arrays. It seems that it is all working now and propagating correctly. Thank you all very much for your help, it is very much appreciated.
Regards Steve

On Thu, Nov 28, 2019 at 12:02 PM Andrea Patricelli <andreapatrice...@apache.org> wrote:
Hi Steven, the error that you are experiencing is quite generic. But usually means that the key that you passed from Syncope is not matching the key of the object that the connector framework retrieved with the query method. As "not matching" I mean that the EqualsFilter [1] (or EqualsIgnoreCaseFilter [2]) is not accepting the two objects passed, i.e. the equals of the two objects in accept method returns false. Usually this depends on the mapping in Syncope or on the type of the key returned by the connector, that is not matching the key passed from Syncope.
Best regards, Andrea
[1] https://github.com/Tirasa/ConnId/blob/connid-1.5.0.1/java/connector-framework/src/main/java/org/identityconnectors/framework/common/objects/filter/EqualsFilter.java
[2] https://github.com/Tirasa/ConnId/blob/connid-1.5.0.1/java/connector-framework/src/main/java/org/identityconnectors/framework/common/objects/filter/EqualsIgnoreCaseFilter.java

On 26/11/19 16:19, Steven van der Merwe wrote:
Hi
I managed to work out why it was not propagating the __UID__ - It turns out I had the config for the "mapping" the wrong way around. I have now moved a bit further forward but I am stuck on the following:

java.lang.IllegalStateException: Object {Uid=Attribute: {Name=__UID__, Value=[[db1c50ed-5224-46e7-8bf1-89934c50852c]]}, ObjectClass=ObjectClass: __GROUP__, Attributes=[Attribute: {Name=__NAME__, Value=[KinesisName]}, Attribute: {Name=__UID__, Value=[[db1c50ed-5224-46e7-8bf1-89934c50852c]]}, Attribute: {Name=realm, Value=[/]}, Attribute: {Name=name, Value=[name]}], Name=Attribute: {Name=__NAME__, Value=[KinesisName]}} was returned by the connector but failed to pass the framework filter. This seems like wrong implementation of the filter in the connector.
at org.identityconnectors.framework.impl.api.local.operations.FilteredResultsHandler.handle(FilteredResultsHandler.java:82) ~[connector-framework-internal-1.5.0.1.jar:?]

I found someone else on the forums with the same issue and I have ensured that all of the attributes are there however it doesn't seem to work
Regards Steve

On Tue, Nov 26, 2019 at 9:01 AM Steven van der Merwe <stevevanderme...@gmail.com> wrote:
Hi
I am still a little confused for the following reason. In my search method there is no __UID__ anywhere am I missing something?
For context my executeQuery looks like this (my log function uses recursion to print out all of the values)

    @Override
    public void executeQuery(
            final ObjectClass objectClass,
            final Filter filter,
            final ResultsHandler handler,
            final OperationOptions options) {
        PropagationDto propagationDto = new PropagationDto.Builder()
                .objectClass(objectClass)
                .query(filter)
                .options(options)
                .operation(PropagationDto.Operation.QUERY)
                .build();
        sendDetails("executeQuery", propagationDto, true);
        try {
            Attribute key = getKeyFromFilter(filter);
            log("Key = ", key);
            ConnectorObjectBuilder bld = new ConnectorObjectBuilder();
            bld.setUid(key.getValue().toString());
            bld.setName(key.getName());
            ConnectorObject ret = bld.build();
            handler.handle(ret);
        } catch (UnsupportedOperationException uoe) {
            log("Search operation problem :" + uoe.getMessage());
        }
        log("Search parameters: ObjectClass -", objectClass);
        log("Search parameters: Options -", options);
        log("Search parameters: Results -", handler);
        log("Search parameters: query -", filter);
    }

    Attribute getKeyFromFilter(Filter filter) {
        Attribute key = null;
        if (filter instanceof EqualsFilter) {
            key = ((EqualsFilter) filter).getAttribute();
            if (key instanceof Uid) {
                log("Key is Uid");
            }
        } else {
            throw new UnsupportedOperationException("Not yet supported");
        }
        return key;
    }

And my FilterTranslator like so

    @Override
    public FilterTranslator createFilterTranslator(final ObjectClass objectClass, final OperationOptions options) {
        return new FilterTranslator() {
            @Override
            public List translate(Filter filter) {
                // Just log for now
                log("Filter ObjectClass -", objectClass);
                log("Filter options -", options);
                log("Filter filter -", filter);
                return CollectionUtil.newList(filter);
            }
        };
    }

As you can
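The "array of arrays" key mismatch discussed in this thread, reproduced as an added example that is not code from the original posts or from the ConnId project. It assumes the ConnId connector-framework jar (the thread uses 1.5.0.1) on the classpath; the class name, sample key and group name are constructed for illustration.

```java
import org.identityconnectors.framework.common.objects.Attribute;
import org.identityconnectors.framework.common.objects.AttributeUtil;
import org.identityconnectors.framework.common.objects.ConnectorObject;
import org.identityconnectors.framework.common.objects.ConnectorObjectBuilder;
import org.identityconnectors.framework.common.objects.ObjectClass;
import org.identityconnectors.framework.common.objects.Uid;
import org.identityconnectors.framework.common.objects.filter.Filter;
import org.identityconnectors.framework.common.objects.filter.FilterBuilder;

public class UidFilterCheck {

    // Constructed sample key; stands in for the key Syncope places in the query filter.
    static final String SAMPLE_KEY = "00000000-0000-0000-0000-000000000001";

    // Constructed group name, only needed because a ConnectorObject requires a Name.
    static final String SAMPLE_NAME = "SampleGroup";

    /**
     * Same construction as the executeQuery posted in the thread:
     * Attribute.getValue() returns a List, so toString() yields "[<key>]"
     * and the brackets become part of the Uid value.
     */
    static ConnectorObject fromListToString(final Attribute key) {
        ConnectorObjectBuilder bld = new ConnectorObjectBuilder();
        bld.setObjectClass(ObjectClass.GROUP);
        bld.setUid(key.getValue().toString());
        bld.setName(SAMPLE_NAME);
        return bld.build();
    }

    /**
     * Alternative: extract the single String value from the attribute,
     * so the returned Uid carries exactly the value that was queried.
     */
    static ConnectorObject fromSingleValue(final Attribute key) {
        ConnectorObjectBuilder bld = new ConnectorObjectBuilder();
        bld.setObjectClass(ObjectClass.GROUP);
        bld.setUid(AttributeUtil.getStringValue(key));
        bld.setName(SAMPLE_NAME);
        return bld.build();
    }

    /** Applies the same kind of equality filter the framework re-checks results with. */
    static boolean passesFilter(final Filter filter, final ConnectorObject obj) {
        return filter.accept(obj);
    }

    public static void main(final String[] args) {
        Uid key = new Uid(SAMPLE_KEY);
        // Equality filter on __UID__, as sent for a lookup by key.
        Filter filter = FilterBuilder.equalTo(key);

        ConnectorObject wrapped = fromListToString(key);
        ConnectorObject plain = fromSingleValue(key);

        System.out.println("toString() Uid   = " + wrapped.getUid().getUidValue()
                + ", passes filter: " + passesFilter(filter, wrapped));
        System.out.println("single-value Uid = " + plain.getUid().getUidValue()
                + ", passes filter: " + passesFilter(filter, plain));
    }
}
```

An object rejected by this filter check is what the framework reports as "was returned by the connector but failed to pass the framework filter".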
Re: Connector issue
- no object link

When I test it does the following:
- Create group : works and calls my connector
- Delete group : does not call my connector (In the propagation task log it says NOT_ATTEMPTED)
-> I have implemented all of the needed methods in my connector I think?

Please could someone point me in the right direction as this is driving me crazy
Regards Steve

-- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/

-- Steve van der Merwe Blog : http://www.stevevandermerwe.co.za +27 84 978 3817
Re: ItemTransformer and PullAction questions
Hi Stephen, the ItemTransformer works only on the value of the attribute which it is mapped to, so, in my opinion, it isn't the right choice for your use case. You should work in your PullActions implementation, especially implementing beforeUpdate [1] method in order to update the value of the generated attribute. Alternatively you could consider defining the generated attribute as derived [2] and so let Syncope create its value for you based on JEXL expressions that take the values of the two plain attributes (source).
[1] https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/TestPullActions.java#L71-L94
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#derived

On 26/11/19 00:05, Farrell, Stephen R. wrote:
Hello, I have a use case where I am getting attributes from my trusted source but need to create a new attribute based on a lookup table. This lookup table takes the values of 2 existing attributes to find the value of the newly created attribute. I have accomplished the use case partially with a Pull Action implementation but it only works for user creation, not updating. When one of the source attributes changes, the value of the new attribute should also change but I cannot trigger such a change with my current Pull Action implementation and am asking for some advice. I tried to create the same logic as an ItemTransformer but I cannot seem to access the values of other attributes in the beforePropogation method.
Thanks, Stephen
Re: Syncope 2.1.2 question
Hi, please read my responses inline.

On 14/11/19 19:26, lfinch wrote:
Andrea - we're still working with scim connector. We are trying to send a number of attributes, and they are showing up in the propagation task, but not all are showing up at the external resource. This is what the external resource receives.

{
  userName: 'queenie.arias@hcahealthcare.scrub',
  name: { familyName: 'Arias', givenName: 'Queenie' },
  displayName: 'Queenie B Arias',
  emails: [ { value: 'queenie.arias@hcahealthcare.scrub', type: 'work' } ],
  schemas: [ 'urn:scim:schemas:core:1.0' ]
}

It’s missing:

Internal Schema               External Attribute
__PASSWORD__                  password
Status                        active
RelationshipToOrganization    userType
username                      id
Emailprimary                  emails.work.primary
User_Id                       externalId

scim1114.docx <http://syncope-user.1051894.n5.nabble.com/file/t339125/scim1114.docx>

I've attached some of the core.log and core-connid.log. Is there something else we should be looking for? Any thoughts on why these values aren't being received at the external resource? Thanks!

In order to see details about the propagation task:
1. Set propagation trace level to ALL from resource configuration.
2. Check data sent to the SCIMV1.1 external resource by clicking on "Propagation tasks" from resource toggle menu or directly on user toggle menu (from Realm -> USER section). Click on the propagation task then on propagation task and then on details. Moreover you can also check the outcome logs of the execution (a part of what is logged in core-connid.log file) by clicking on propagation task -> view -> click on execution -> view.
3. Check mapping of the resource and attribute values on Syncope, for example I see from logs {\"name\":\"userType\",\"value\":null} this means that Syncope is sending a null value to the resource.
From the logs I also see that there are errors given by the create method of the SCIMV1.1 connector. Please check if there are other useful logs and start from the task execution.

-- Sent from: http://syncope-user.1051894.n5.nabble.com/
Re: Syncope 2.1.2 question
Hi, which calls are you referring to? If you set net.tirasa.connid logs to TRACE it will log, on core-connid.log file, all information about interaction between Syncope and ConnID framework to send/receive data to/from external resources, including String representation of objects. If you want to see payload and objects consider enabling debug mode as explained here [1] (search for JPDA Debug in Embedded Mode).
Best regards, Andrea
[1] https://syncope.apache.org/docs/2.1/reference-guide.html#customization

On 11/11/19 23:29, lfinch wrote:
Thank you, Andrea - we will try the logic action and the propagation action. My developer wants to see the actual calls being made. I have logging set to trace on connid, do I need to increase to all? Any other logs I should be examining? He wants to see the commands generated and how the data is being presented (over and above looking at the propagation task). Thank you.
Re: Syncope 2.1.2 question
Hi Anita, derived schemas are considered as strings by Syncope, please consider not using them. You could use:
1. A custom logic action [1] (assigned to the realm containing users) that assigns the value to the Syncope attribute "active" while creating/updating the user through console or via REST. This approach needs you to create a PLAIN schema of type *Boolean* named "active".
2. A custom propagation action [2] that injects the Boolean value among the attributes sent to the external resource, without the need of mapping it to a Syncope attribute. Take this [3] as an example of what I'm referring to.
Moreover consider that the SCIM connector also supports status management, so you can use ConnID special attribute __ENABLE__ in your mapping (if choosing solution 1). E.g. "active" -> __ENABLED__
Best regards, Andrea
[1] https://syncope.apache.org/docs/2.1/reference-guide.html#logicactions
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions
[3] https://github.com/apache/syncope/blob/syncope-2.1.5/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java#L105-L134

On 08/11/19 21:51, anita.fi...@cerecore.net wrote:
Hello! I am using SCIM 1.1 connector and I need to pass a Boolean value from a derived schema. Here’s an example that works.

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "userName": "msbradjensen@hcahealthcare.scrub",
  "externalId": "bjensen",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "emails": [
    { "value": "msbradjensen@hcahealthcare.scrub", "type": "work", "primary": true }
  ],
  "active": true
}

Here’s the propagation detail from Syncope:

[
  { "name" : "schemas", "value" : [ "urn:scim:schemas:core:1.0" ] },
  { "name" : "active", "value" : [ "true" ] },
  { "name" : "name.givenName", "value" : [ "Queenie" ] },
  { "name" : "username", "value" : [ "queenie.arias@hcahealthcare.scrub" ] },
  { "name" : "__NAME__", "value" : [ null ] },
  { "name" : "name.familyName", "value" : [ "Arias" ] },
  { "name" : "emails.work.primary", "value" : [ "true" ] },
  { "name" : "externalId", "value" : [ "QBA3106" ] },
  { "name" : "emails.work.value", "value" : [ "queenie.arias@hcahealthcare.scrub" ] }
]

Here’s my error message:

Users failed to create: CREATE FAILURE (key/name): 415183bf-4946-4069-9183-bf4946006945/QBA3106 with message: While executing request: {"Errors":[{"description":"The new user must be created in \u0027active\u0027 status for user with userName queenie.arias@hcahealthcare.scrub","code":"400"}]}

It appears that the values would be accepted if they didn’t have double quotes. Here’s where the derived attributes are defined in schema

Any suggestions? Thank you!
Lynn Finch P: 615-236-3781 | M: 615-454-7925
Re: syncope-console HTTP Status 500 – Internal Server Error
On 17/10/19 15:09, vesco wrote:
Yeah I did follow [1], in fact all files that must be modified:
- provisioning.properties
- domains/Master.properties
were already ok, I mean I didn't have to edit anything. My Postgre version is 12 cause in the reference it's written: "Apache Syncope 2.1.5 is verified with PostgreSQL server >= 10.3 and JDBC driver >= 42.2.6." So my PostgreSQL version is 12 ... ( 12 > 10.3 ;) )

Touchè, you're right :)

And my JDBC is postgresql-42.2.8 [2] indeed fails; Thanks for the answer!

Welcome, BTW IT tests are run against 11.5 version. I meant: maybe something has changed in PostgreSQL configuration from 10 to 12 version that causes tables creation failure? Does something change with a later version?
Best regards, Andrea
Re: syncope-console HTTP Status 500 – Internal Server Error
Caused by: org.apache.syncope.common.lib.SyncopeClientException: Unknown [NullPointerException: ]
Re: 2 versions of Syncope?
Hi Jim, basically 2.1 is the new stable release, while the 2.0 is the old stable that goes on with bugfixes only, to support actual installations. They differ by some features added to 2.1, but they share almost all bugfixes. In order to know what's new in Syncope 2.1 with respect to 2.0 please refer to [1].
Best regards, Andrea
[1] https://cwiki.apache.org/confluence/display/SYNCOPE/Fusion#Fusion-2.1.0(June5th,2018)

On 16/09/19 18:44, oh...@yahoo.com wrote:
Hi, I just saw that there were two release announcements, for:
- Apache Syncope 2.0.14
- Apache Syncope 2.1.5
My apologies that I haven't been keeping up too closely, but what are the differences between the 2 versions?
Thanks, Jim
Re: Syncope trying to deploy using Maven and not getting login
.MetaData - Found duplicate metadata or mapping for "class org.apache.syncope.core.persistence.jpa.entity.conf.JPACPlainAttrUniqueValue". Ignoring.
07:53:22.653 INFO org.springframework.scheduling.quartz.SchedulerFactoryBean - Shutting down Quartz Scheduler
07:53:22.653 INFO org.quartz.core.QuartzScheduler - Scheduler ClusteredScheduler_$_gluu-prs9.mdtsoft.com1568289195837 shutting down.
07:53:22.653 INFO org.quartz.core.QuartzScheduler - Scheduler ClusteredScheduler_$_gluu-prs9.mdtsoft.com1568289195837 paused.
07:53:22.857 INFO org.quartz.core.QuartzScheduler - Scheduler unregistered from name 'quartz:type=QuartzScheduler,name=ClusteredScheduler,instance=gluu-prs9.mdtsoft.com1568289195837' in the local MBeanServer.
07:53:22.857 INFO org.quartz.core.QuartzScheduler - Scheduler ClusteredScheduler_$_gluu-prs9.mdtsoft.com1568289195837 shutdown complete.
07:53:22.859 INFO org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor - Shutting down ExecutorService
07:53:22.869 INFO org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor - Shutting down ExecutorService

I get clean logs with no errors. my config directory is

-- This email, and any files transmitted with it, are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please advise postmas...@mdtsoft.com <mailto:postmas...@mdtsoft.com>. 3480 Preston Ridge Road Suite 450 Alpharetta, GA 30005 Philip W. Dalrymple III MDT Software - Automation Management Company +1 678 297 1001 Fax +1 678 297 1003

From: Andrea Patricelli
Sent: Friday, September 6, 2019 4:20
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

Hi Philip, in order to make a correct deploy on your application server follow [2]. As the warning in the doc states: Be sure to put the corresponding JDBC driver JAR file under $CATALINA_HOME/lib for each datasource defined. You should provide postgres driver to Syncope by putting it into Tomcat lib folder. About the maven build error: did you give the correct r/w permissions to /opt/syncope/bundles directory? If you want more info about the build please add the -X option to your maven build command.
Best regards, Andrea
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#apache-tomcat-9

On 05/09/19 16:38, Dalrymple, Philip wrote:
OK I had one issue in that to make it work my build script needed to look like

#!/bin/bash
cd syncope
sudo mkdir -p /opt/syncope/bundles
sudo mkdir -p /opt/syncope/log
sudo chmod 0777 /opt/syncope/log
sudo mkdir -p /opt/syncope/conf
# mvn clean verify \
# -Dconf.directory=/opt/syncope/conf \
# -Dbundles.directory=/opt/syncope/bundles \
# -Dlog.directory=/opt/syncope/log
mvn clean verify \
  -Dconf.directory=/opt/syncope/conf \
  -Dlog.directory=/opt/syncope/log
sudo cp core/target/classes/*properties /opt/syncope/conf
sudo cp console/target/classes/*properties /opt/syncope/conf
sudo cp enduser/target/classes/*properties /opt/syncope/conf
sudo cp enduser/target/classes/customFormAttributes.json /opt/syncope/conf
sudo cp enduser/target/classes/customTemplate.json /opt/syncope/conf

i.e. not changing the bundles directory (which I want to do as I want to build in the bundles into the war files). When I do that I DO get logs (in /opt/syncope/log). Looks like I don't have the postgres driver. I checked and the core/target/classes/provisioning.properties already had the changes for postgres

➜ syncope git:(master) ✗ more /opt/syncope/log/core.log
10:22:58.367 INFO org.springframework.security.core.SpringSecurityCoreVersion - You are running with Spring Security Core 5.1.5.RELEASE
10:22:58.370 INFO org.springframework.security.config.SecurityNamespaceHandler - Spring Security 'config' module version is 5.1.5.RELEASE
10:22:58.391 INFO org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser - Expressions were enabled for method security but no SecurityExpressionHandler was configured. All hasPermision() expressions will evaluate to false.
10:22:58.437 INFO org.springframework.security.config.http.HttpSecurityBeanDefinitionParser - Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 200, Root bean: class [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 400, , order
Re: Syncope trying to deploy using Maven and not getting login
4.3.jar -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn -rf :syncope-core

--
This email, and any files transmitted with it, are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please advise postmas...@mdtsoft.com.

3480 Preston Ridge Road Suite 450 Alpharetta, GA 30005
Philip W. Dalrymple III
MDT Software - Automation Management Company
+1 678 297 1001 Fax +1 678 297 1003

From: Andrea Patricelli
Sent: Thursday, September 5, 2019 10:07
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

P.S. About the attached link: please take care to the doc starting from documentation at "Deployment directories" section.

On 05/09/19 16:04, Dalrymple, Philip wrote:

OK I will give that a go.

From: Andrea Patricelli
Sent: Thursday, September 5, 2019 10:03
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

Ok, maybe I got your first problem. Please follow this [1].

Basically, in order to do a correct deploy, you should build with a special mvn command specifying bundles, logs and conf directories and, moreover, in order to let Syncope take correct configuration parameters (like for the jdbc connection) copy some of the properties files in sources under the specific conf directory.

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#customization

On 05/09/19 15:56, Dalrymple, Philip wrote:

OK this is weird I did a

sudo find / -name "*core*.log*" -print

and only find the logs from my first try using docker. (was not able to customize well enough and switched to maven deleting the docker images)

I will keep looking.

From: Dalrymple, Philip
Sent: Thursday, September 5, 2019 9:53
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

OK I need to find where the logs are.

From: Andrea Patricelli
Sent: Thursday, September 5, 2019 9:52
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

Hi Philip,

you should check core.log, core-rest.log, core-persistence.log and core-connid.log files in order to understand what is the problem. The NOT FOUND error in console simply means that core is unavailable, probably because it failed to start. Please check for exceptions in core*.log files and attach it into this thread.

Best regards,
Andrea

On 05/09/19 15:32, Dalrymple, Philip wrote:

I am trying to deploy Syncope using the Maven method. I have followed the instructions in http://syncope.apache.org/docs/2.1/getting-started.html#maven-project and then edited core/src/main/resources/domains/Master.properties to have the correct postgres password, I re-did the mvn clean install and placed the war files in my tomcat/webapps directory, they deployed without me restarting tomcat.

When I got to http://X:8080/syncope-console I get a 500 erro
Re: Syncope trying to deploy using Maven and not getting login
Ok, maybe I got your first problem. Please follow this [1].

Basically, in order to do a correct deploy, you should build with a special mvn command specifying bundles, logs and conf directories and, moreover, in order to let Syncope take correct configuration parameters (like for the jdbc connection) copy some of the properties files in sources under the specific conf directory.

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#customization

On 05/09/19 15:56, Dalrymple, Philip wrote:

OK this is weird I did a

sudo find / -name "*core*.log*" -print

and only find the logs from my first try using docker. (was not able to customize well enough and switched to maven deleting the docker images)

I will keep looking.

From: Dalrymple, Philip
Sent: Thursday, September 5, 2019 9:53
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

OK I need to find where the logs are.

From: Andrea Patricelli
Sent: Thursday, September 5, 2019 9:52
To: user@syncope.apache.org
Subject: Re: Syncope trying to deploy using Maven and not getting login

Hi Philip,

you should check core.log, core-rest.log, core-persistence.log and core-connid.log files in order to understand what is the problem. The NOT FOUND error in console simply means that core is unavailable, probably because it failed to start. Please check for exceptions in core*.log files and attach it into this thread.

Best regards,
Andrea

On 05/09/19 15:32, Dalrymple, Philip wrote:

I am trying to deploy Syncope using the Maven method. I have followed the instructions in http://syncope.apache.org/docs/2.1/getting-started.html#maven-project and then edited core/src/main/resources/domains/Master.properties to have the correct postgres password, I re-did the mvn clean install and placed the war files in my tomcat/webapps directory, they deployed without me restarting tomcat.

When I got to http://X:8080/syncope-console I get a 500 error (see below) when I got to .../syncope or .../syncope/index.html or .../syncope-enduser I get a 404 error.

I checked in WEB-INF/classes/persistence.properties (in syncope) and it had the correct DB user, host, and password info and I verified that I could connect to the DB BUT the DB was empty.

the stack trace on the syncope-console

type Exception report

message Unable to instantiate web session class org.apache.syncope.client.console.SyncopeConsoleSession

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.apache.wicket.WicketRuntimeException: Unable to instantiate web session class org.apache.syncope.client.console.SyncopeConsoleSession
    org.apache.wicket.authroles.authentication.AuthenticatedWebApplication.newSession(AuthenticatedWebApplication.java:121)
    org.apache.wicket.Application.fetchCreateAndSetSession(Application.java:1555)
    org.apache.wicket.Session.get(Session.java:176)
    org.apache.syncope.client.console.SyncopeConsoleSession.get(SyncopeConsoleSession.java:91)
    org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener.onException(SyncopeConsoleRequestCycleListener.java:80)
    org.apache.wicket.request.cycle.RequestCycleListenerCollection$4.notify(RequestCycleListenerCollection.java:126)
    org.apache.wicket.request.cycle.RequestCycleListenerCollection$4.notify(RequestCycleListenerCollection.java:122)
    org.apache.wicket.util.listener.ListenerCollection.notify(ListenerCollection.java:80)
    org.apache.wicket.request.cycle.RequestCycleListenerCollection.onException(RequestCycleListenerCollection.java:121)
    org.apache.wicket.request.cycle.RequestCycleListenerCollection$4.notify(RequestCycleListenerCollection.java:126)
    org.apache.wicket.request.cycle.RequestCycleListenerCollection$4.notify(RequestCycleListenerCollection.java:122)
    org.apache.wicket.util.listener.ListenerCollection.notify(List
Re: demo problem
Hi

now playground enduser is working fine. Maybe you tried to connect during the daily build and deploy.

Best regards,
Andrea

On 03/09/19 16:25, Гололобов Никита wrote:

https://syncope-vm.apache.org/syncope-enduser/ don't work.

Error text: "Proxy Error The proxy server received an invalid response from an upstream server. The proxy server could not handle the request Reason: Error reading from remote server"

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Syncope Feasibility Questions
Hi Naaman,

On 21/08/19 13:15, Naaman Hart wrote:

> Hey Syncope,
>
> We're looking at a way of provisioning identities into a cloud based PaaS that's under development. The application we're going to host is LDAP only so we're thinking of hosting an AWS managed AD within and then using Syncope (installed on customer site) to pull from their AD and push to ours. Thereby giving us identities that we could refer to when we provide SAML SSO via their IDP.
>
> Questions are basically the below.
>
> 1. Is Syncope the right tool to be used as a collection/sync 'agent' for this purpose.

Short answer: Yes.

Long answer: As far as I understood you need to migrate users (and also groups?) from one AD to another. You can easily do this by configuring two AD resources [1], and, with a pull operation [2], provision them to Syncope and to destination AD (on AWS). In order to do this you can also consider to add custom logic (to make some intermediate data elaboration) to the pull operation by developing a custom pull action in Java or Groovy [3].

> 2. Can we slim Syncope down sufficiently that we can give it to a customer with specific instructions to allow them to use it for syncing. We want it fairly simple because there's no guarantee of the level of experience we'd meet on the customer end. A barebones install also would mean greater flexibility in asking the customer to host this for us. If it's too intensive then they may push back on hosting it.

Do you mean to have a barebone installation of the UI, i.e. admin console? If so, actual console is the reference implementation; it can be easily customized since it has been developed using Apache Wicket, an extensible Java framework for frontends [4]. In other words you can "shrink to the bone" the actual admin console in order to expose only some functionalities. Moreover, if console does not fit your needs, you can consider developing a custom frontend application that interacts with Syncope. This is easily doable since Syncope core exposes REST APIs, take a look at [5] and [6].

> Thanks in advance for having a look at this. Any guidance is greatly appreciated.
>
> Cheers,

Glad to hear about your interest in Syncope :)

Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#external-resources
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull
[3] https://syncope.apache.org/docs/2.1/reference-guide.html#pullactions
[4] https://wicket.apache.org/
[5] https://syncope.apache.org/docs/2.1/reference-guide.html#architecture
[6] https://syncope.apache.org/docs/2.1/reference-guide.html#rest

> Naaman Hart
> Cloud DevOps Architect, Strategic Programs
> Mobile: +44 (0) 7733 107459
Re: How to user item_transformers
P.S. sorry, I missed the link :)

[4] https://syncope.apache.org/docs/2.1/getting-started#maven-project

On 31/07/19 14:18, Andrea Patricelli wrote:

Syncope docker images are harder to customize respect to the simple java artifacts generated with the "preferred method" for installation [4]. For this reason if you want to customize Syncope through Java classes, I suggest to you to get Syncope from archetype and deploy wars on your preferred application server.

Another solution, in order to continue working on docker, would be to implement your transformer (like other implementations) in Groovy that allows you to plugin scripts at runtime. So consider using a Groovy implementation for your transformer. The code is likely to be identical to the Java one.

Best regards,
Andrea

On 31/07/19 13:39, Noah Hansen . wrote:

We were able to get the class created but we are still struggling with finding where org.apache.syncope.core.provisioning.java.data is properly located within the docker instance. Some help would be greatly appreciated

thanks,
-Noah

On Tue, Jul 30, 2019 at 10:45 AM Andrea Patricelli <andreapatrice...@apache.org> wrote:

You should create your own transformer class and place it in your sources in the right path (class package). Like described here [2]:

"transformers - JEXL <http://commons.apache.org/proper/commons-jexl/> expression or Java class implementing ItemTransformer <https://github.com/apache/syncope/blob/syncope-2.1.4/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/ItemTransformer.java>; the purpose is to transform values before they are sent to or received from the underlying connector"

So basically you need to implement the interface [3] with your custom transformer and place it under org.apache.syncope.core.provisioning.java.data

Best regards,
Andrea

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping
[3] https://github.com/apache/syncope/blob/syncope-2.1.4/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/ItemTransformer.java

On 30/07/19 16:28, Noah Hansen . wrote:

There are no classes showing up while creating it. That's the problem I'm having

-Noah

On Tue, Jul 30, 2019 at 10:03 AM Andrea Patricelli <andreapatrice...@apache.org> wrote:

Hi Noah,

if you are using 2.1.X version you should first create an implementation [1] of ITEM_TRANSFORMER and while creating the implementation you will be asked for the class. Then you can use the just created implementation into item transformer field while editing provisioning rules.

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#implementations

On 30/07/19 15:55, Noah Hansen . wrote:

> Hi All,
>
> I'm trying to use item_transformers in the implementation section and
> can't figure out how? When I try to create a new transformer it won't
> let me choose a class. How do I add a class?
>
> Thanks
> -Noah
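The transformer class discussed in this thread, as an added example (not code from the thread or from the Syncope project). The class name is hypothetical, the package is the one named in the thread, and the `beforePull` signature is assumed from the syncope-2.1.4 `ItemTransformer` interface linked as [3]; check it against that file for the version you build.

```java
// Package taken from the thread; the class name is hypothetical.
package org.apache.syncope.core.provisioning.java.data;

import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import org.apache.syncope.common.lib.to.EntityTO;
import org.apache.syncope.core.persistence.api.entity.resource.Item;
import org.apache.syncope.core.provisioning.api.data.ItemTransformer;

/**
 * Normalizes string values read from the external resource during pull,
 * before they are stored in Syncope: surrounding whitespace is trimmed,
 * text is lower-cased, empty and duplicate values are dropped.
 *
 * Attach it only to mapping items where case does not matter
 * (for example a mail attribute), since lower-casing is lossy.
 */
public class NormalizeOnPullItemTransformer implements ItemTransformer {

    // Assumed signature (from the 2.1.4 interface linked in the thread).
    // beforePropagation is left to the interface's default implementation.
    @Override
    public List<Object> beforePull(
            final Item item,
            final EntityTO entityTO,
            final List<Object> values) {

        if (values == null || values.isEmpty()) {
            return values;
        }

        // LinkedHashSet keeps the connector's ordering while removing duplicates
        // that only differed by case or whitespace.
        Set<Object> normalized = new LinkedHashSet<>();
        for (Object value : values) {
            if (value == null) {
                continue;
            }
            if (value instanceof String) {
                String text = ((String) value).trim().toLowerCase(Locale.ROOT);
                if (!text.isEmpty()) {
                    normalized.add(text);
                }
            } else {
                // Non-string values (e.g. byte[] from binary attributes) pass through untouched.
                normalized.add(value);
            }
        }
        return new ArrayList<>(normalized);
    }
}
```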
Re: Update user info in Active Directory from SQL Server
P.S. Sorry, the link [1] is referring to the first row of the response ;) " Syncope can do the work for you if rightly setup and configured."

Best regards,
Andrea

On 26/07/19 09:40, Andrea Patricelli wrote:

Hi Ramón González,

Definitely what Tavernt said. Syncope can do the work for you if rightly setup and configured. Here are some references:

- To setup a Syncope environment [2]
- To configure a (source) SQL server connector and resource through Database table or Scripted SQL connector [3] [4] and an Active Directory (destination) connector and resource [5].

Once configured resources, you have to pull [6] users into Syncope and define some logic in Java or Groovy (the business rules addressed by Tavernt), i.e. [7], if you need to make some processing before sending users to AD resource. While pulling you can automatically assign, in different ways, users to AD and link Syncope users to SQL server and AD. Moreover, once users have assigned AD and SQL server resources, at each change, Syncope takes care of synchronizing entities towards resources.

To have an idea of what a pull task is and how to configure (also scheduling) it, please take a look at [8].

Thanks also to Tavernt for the precise overview of the whole flow.

Best regards,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#identity-stores
[2] https://syncope.apache.org/docs/2.1/getting-started#obtain-apache-syncope
[3] https://syncope.apache.org/docs/2.1/reference-guide.html#connector-bundles
[4] https://connid.atlassian.net/wiki/spaces/BASE/pages/5570562/Database
[5] https://connid.atlassian.net/wiki/spaces/BASE/pages/360482/Active+Directory+JNDI
[6] https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull
[7] https://syncope.apache.org/docs/2.1/reference-guide.html#pullactions
[8] https://syncope.apache.org/docs/2.1/reference-guide.html#tasks-pull

On 26/07/19 09:13, Tavernt Muchenje wrote:

Hi RG,

Yes, that's the role of IdM to provision users/account to downstream systems (AD in this case). Apache Syncope can easily be configured to read and pull users from SQL server DB and apply some business rules before creating the users in AD. In addition you can schedule how often you need to check for user changes in SQL.

Cheers

---
Tavernt J. Muchenje (MBA, CCSP, CISSP)
Managing Director | Enterprise Security Architect
I'CURITY SOLUTIONS (PTY) LTD
M: +27 (0)72 727 8371
W: www.icurity.co.za <http://www.icurity.co.za>
BEE: Level 1

From: Ramón González
Date: Friday, 26 July 2019 at 02:32
Subject: Update user info in Active Directory from SQL Server

Hello,

An HR department uses an app to manage employee info such as manager, position, phone number, cellphone, birthday, emergency contact, etc. This info is stored in SQL Server.

Is it possible to update user info in Active Directory (AD) from SQL Server? Right now, user info is updated in SQL Server but is outdated in AD.

Thanks in advance.

Regards,
RG
Re: Log events
Good morning,

Please take a look at [1] and [2] (playground environment based on latest 2.1.5-SNAPSHOT version) in order to understand if current auditing features fit your needs. More specifically, what kind of improvements and features about audit do you need?

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#audit
[2] http://syncope-vm.apache.org:9080/syncope-console

On 14/06/19 20:56, lfinch wrote:

Dear Ernst Developer

I'm working with a new implementation of Syncope 2
I was asked today to develop more robust auditing features, very similar to what you were posting about back in 2012. Were you able to develop something, and would you mind sharing?

Thanks!
Lynn

--
Sent from: http://syncope-user.1051894.n5.nabble.com/
Re: New to Syncope - send notifications from user to admin
Hi Jan,

ok now I understood your need.

In Syncope the user's lifecycle (also groups and any objects) is leveraged by a workflow, managed by the workflow layer. Besides the default workflow implementation [1] you can configure Syncope to use Flowable BPMN engine; thus configure a BPMN workflow definition that fits your needs (go to approval on user self update). Please take a look at [2].

Take a look at [3] to have an idea of workflow definition with approval steps. For example if you run Syncope in embedded mode [4] and try to update a sample user (say puccini) by adding a group from enduser, you can see an approval request in console (accessible from shaking hands icon).

HTH,
Andrea

[1] https://github.com/apache/syncope/blob/2_1_X/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultUserWorkflowAdapter.java
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#workflow-layer
[3] https://github.com/apache/syncope/blob/2_1_X/ext/flowable/flowable-bpmn/src/main/resources/userWorkflow.bpmn20.xml
[4] http://syncope.apache.org/docs/getting-started.html#embedded-mode

On 13/06/19 14:05, Jan wrote:

The post I made probably wasn't clear enough. The end user can change their password, groups, resources etc... The changes the end user does is seen in the admin console.

What I basically need is, that the end user changes the stuff he needs, this gives me a notification in my admin console, where I will be making the changes after checking them.

Thank you

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: New to Syncope - send notifications from user to admin
Hi,

please read my responses inline.

On 10/06/19 15:14, Jan wrote:

Dear Syncope,

I am new to Syncope and I'm trying to get it working as an end-user governance system. I'll just try to post a model situation how I would like it to work :-) Is it even possible?

1) I am the admin, who would work in the admin console (I already have a fully functional AD connector, with push pull commands - I've got all the users from the AD in Syncope). All the governance would be made here

Nice, this step is not trivial :)

2) One of the HR employees would like to send me a notification through syncope to create an account: John Smith, which department he is located in, which data storage he should have access to.

3) This notification would be received in both Syncope and my mailbox, I would just create the account in syncope, set the privileges and push it into AD

Here are a few problems that I encountered:

So far I got my end user registering module working with a security question. Right now I can create new users through the syncope enduser system
<http://syncope-user.1051894.n5.nabble.com/file/t339126/syncope_enduser.png>

The biggest problem is, that I cannot login via the end-user login screen, so I have no idea what I can do there :) See picture below. All I can do is keep clicking next next and when I click finish, nothing happens.

The same goes with password reset. I can click on password reset, enter security question, Syncope tells me that "user xx has been successfully updated" - I have no idea what was updated, because the old password keeps working.
<http://syncope-user.1051894.n5.nabble.com/file/t339126/enduser_syncope2.png>

If anyone would help me, I would be extremely grateful :)

From the screenshots I see that you're using 2.1 version. If you're using User Requests please consider using the latest snapshot version 2.1.5-SNAPSHOT since some bugfixes and improvements have been made in [1].

What happens on Syncope depends on the workflow that you're using. Basically you receive the "green notification" on user create and password reset; this means that enduser successfully sent the request to Syncope core. Logging to console as admin, do you see any request in the top right bar (shaking hands icon)? What is the status of the user created through the enduser?

Did you check logs of the application? I suggest you check for errors in core.log, core-persistence.log, core-rest.log and core-connid.log.

Best regards,
Andrea

[1] https://issues.apache.org/jira/projects/SYNCOPE/issues/SYNCOPE-1462

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Flowable modeler configuration
Hi Adam

On 30/04/19 06:36, Adam Levine wrote:

Franceso: Thank you so much for this information! It was the guide I was looking for. And, I think I broke it.

I was using the demo site, admin and bellini.
- (admin) Created a new flow using the assignPrinterRequest you referenced
- (user) Created a request using the +, but did not fill in the form

Did you perform this from enduser right?

- (admin) claimed the unfilled request
- (user) tried to fill out the form, could only delete it at that point

What do you mean with "could only delete it"? From enduser or console?

- (admin) saw I could fill the form, but cancelled
- (admin) unclaimed request

And I got this: https://pastebin.com/CzmJNK7M

The error is unclear unfortunately. To understand we need more details. After unclaiming did you click on some other link?

Also, 1 question and 1 comment

Q1: I've noticed this behaviour in the past, and it still seems to happen, both on my local and demo. When I'm logged in as the admin account, it will randomly log me out. I'm not inactive for any amount of time, haven't been logged in for very long, and.. boom. Different browsers, different machines, different times, different installs. It happens when I'm logged in as only the admin, or when logged in as both user and admin. I do recall a few random logouts on the user app, too.
- Is this a known issue?

This could happen if you have multiple sessions (on console) on different tabs of browsers logged in with the same user. It is not considered a bug.

C1: On the enduser app, the links for compressed and darkmode are strangely obscured. I wasn't sure what they were until I clicked on them. And, the changes I made on the enduser app spilled over to the console app. See attached image.

Did you perform some changes to the enduser CSS? It seems that the container of the wizard is larger than usual. Or maybe browser zoom or screen resolution are influencing the view.

Thank you again for your endless help and patience :)

You're welcome, best regards,
Andrea

On Fri, Apr 26, 2019 at 4:49 AM Francesco Chicchiriccò <ilgro...@apache.org> wrote:

Hi,
generally speaking, Flowable is not used "as-is" with all its features, but embedded through an extension.

In particular, Flowable Forms are not used as standalone entities, but rather as they used to work since the time of Activiti, e.g. embedded in the BPMN process definition. Also the Flowable Modeler is embedded with only the capabilities relevant to Syncope.

If you want to see a working sample of user request (with forms), create new user requests from Admin Console, name it "assignPrinterRequest" and paste the content of

https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/main/resources/assignPrinterRequest.bpmn20.xml

or create another, name it "directorGroupRequest" and paste the content of

https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/main/resources/directorGroupRequest.bpmn20.xml

Once defined, user requests can be managed either via REST or Admin Console (for approval) / Enduser UI (for starting / canceling / checking status / etc.)

Hope this clarifies.
Regards.

On 25/04/19 06:58, Adam Levine wrote:
> On my maven build, and on the publicly hosted demo, I am unable to do
> anything with forms inside the flowable modeler.
>
> (extensions -> flowable -> select item from table -> flowable modeler)
>
> - When selecting an event, like the start event, and clicking on
> "form reference", an error is displayed:
> There was an error loading the forms. Try again later
> Also, the only enabled button is "Cancel".
>
> I ran the Flowable all-in-one to try and find a configuration
> difference. In this app, all the buttons are enabled, and no error
> message is shown. And, there is an entire menu bar up top (Processes,
> Case Models, Forms, Decision Tables, Apps) that is displayed. That
> menu bar is present on my syncope install when I open up the developer
> tools, but it's just not visible.
>
> Is this a matter of configuration? Does Flowable need to be running
> in parallel with syncope for form design?
>
> Thank you for any guidance you can provide.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Custom Task/ Scheduled Tasks
Hi Phil,

please read inline

On 15/01/19 22:57, pcrowder wrote:

How do you configure custom tasks to execute at a scheduled interval? It looks like you can only specify the key and class for a TaskJob_Delegate ie no scheduling information. Is that done somewhere else?

This kind of information is in the first part of the wizard, which (in the second step) asks you about scheduling.

There are jobs listed under the Control tab in the Dashboard but there doesn't appear to be a way to add a job.

This section has the only purpose to show jobs scheduled by Syncope and associated to some task (previously created and scheduled), and, in case, manage them. You should create custom tasks from: Topology -> click on Syncope green node -> custom tasks -> button "+".

Thank you,

HTH,
Andrea

Phil

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Syncope 2.0.11 installation issue - Using Maven
org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.apache.wicket.authroles.authentication.AuthenticatedWebApplication.newSession(AuthenticatedWebApplication.java:115)
    ... 47 more
Caused by: org.apache.syncope.common.lib.SyncopeClientException: Unknown [NullPointerException: ]
    at org.apache.syncope.common.lib.SyncopeClientException.build(SyncopeClientException.java:37)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:143)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:53)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:313)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:876)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:789)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:235)
    at com.sun.proxy.$Proxy1065.platform(Unknown Source)
    at org.apache.syncope.client.console.SyncopeConsoleSession.(SyncopeConsoleSession.java:103)

Could someone please help to solve this issue?

Thanks in advance,
Indhu

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Create a user from postman in Standalone distribution:
Hi Juan,

Your request is giving an error because you are sending values that aren't meaningful for Syncope, you cannot send "string" value for auxClasses, resource, attribute schemas, etc. Those properties refer to other entities that should exist on Syncope (resources, any type classes, schemas, etc.).

In your specific case the error returned by Syncope means that you are not sending some required (see related schema definition) attributes, like *fullname*, *surname* and *userId*.

Here is a working example done on [1].

    {
      "@class": "org.apache.syncope.common.lib.to.UserTO",
      "realm": "/",
      "plainAttrs": [
        { "schema": "fullname", "values": [ "donizzetti donizzetti" ] },
        { "schema": "firstname", "values": [ "donizzetti" ] },
        { "schema": "userId", "values": [ "donizze...@apache.org" ] },
        { "schema": "surname", "values": [ "donizzetti" ] }
      ],
      "username": "donizzetti",
      "password": "Password123"
    }

Please take also a look at [2]

HTH,
Andrea

[1] http://syncope-vm.apache.org:9080/syncope-console
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#type-management

On 06/12/18 13:02, Juan Medina wrote:

I'm trying to create a user from postman in Standalone distribution:

I try with Post to: http://localhost:9080/syncope/rest/users

Body (JSON from the http://localhost:9080/syncope/swagger/):

    {
      "@class": "org.apache.syncope.common.lib.to.UserTO",
      "realm": "/",
      "auxClasses": [ "string" ],
      "plainAttrs": [ { "schema": "string", "values": [ "string" ] } ],
      "derAttrs": [ { "schema": "string", "values": [ "string" ] } ],
      "virAttrs": [ { "schema": "string", "values": [ "string" ] } ],
      "resources": [ "string" ],
      "username": "string",
      "password": "string",
      "securityQuestion": "string",
      "securityAnswer": "string",
      "roles": [ "string" ],
      "privileges": [ "string" ],
      "relationships": [
        {
          "type": "string",
          "otherEndType": "string",
          "otherEndKey": "string",
          "otherEndName": "string"
        }
      ],
      "memberships": [
        {
          "groupKey": "string",
          "groupName": "string",
          "plainAttrs": [ { "schema": "string", "values": [ "string" ] } ],
          "derAttrs": [ { "schema": "string", "values": [ "string" ] } ],
          "virAttrs": [ { "schema": "string", "values": [ "string" ] } ]
        }
      ]
    }

But the response is:

    {
      "status": 400,
      "type": "RequiredValuesMissing",
      "elements": [ "surname", "fullname", "userId" ]
    }

I try to add it but the request header throws an x-application-error-info that says:

    Unknown:UnrecognizedPropertyException: Unrecognized field "surname" (class org.apache.syncope.common.lib.to.UserTO), not marked as ignorable

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Syncope 2.1.1 for Docker Issues
Hi Andrew,

On 15/11/18 18:00, Andrew Waterson wrote:

Unsure why it wasn’t working. I haven’t tried a fresh 2.1.2 image yet, but upgrading a working 2.1.1 to 2.1.2 seems to be running fine after I made the /etc/apache-syncope directory persistent.

Glad to hear that now is working. I guess that this way maybe worked because making */etc/apache-syncope* persistent is like starting from a fresh installation, because mounting a volume on local machine fresh new directory "empties" the target dir on docker environment.

Best regards,
Andrea

From: Andrea Patricelli [mailto:andreapatrice...@apache.org]
Sent: Wednesday, November 14, 2018 10:31 AM
To: user@syncope.apache.org
Subject: Re: Syncope 2.1.1 for Docker Issues

Hi Andrew,

I'm not able to reproduce your issue; I've just tested with the docker compose taken from [1] with version 2.1.2 and it works fine. It seems that your *workflow.properties* is missing *historyLevel* property, please try again with fresh new 2.1.2 images taken from docker hub.

Best regards,
Andrea

On 13/11/18 17:34, Andrew Waterson wrote:

When running a docker-compose for 2.1.2, syncope-core will not initialize. Receiving the below error. However, 2.1.1 works fine in Docker.

syncope_1_949d5739a0e5 | 12-Nov-2018 23:00:24.611 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.listenerStart Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
syncope_1_949d5739a0e5 | org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'org.apache.syncope.core.flowable.support.DomainProcessEngineConfiguration#0' defined in URL [jar:file:/var/lib/tomcat8/webapps/syncope/WEB-INF/lib/syncope-ext-flowable-bpmn-2.1.2.jar!/workflowFlowableContext.xml]: Could not resolve placeholder 'historyLevel' in value "${historyLevel}"; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'historyLevel' in value "${historyLevel}"
syncope_1_949d5739a0e5 | at org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:228)

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Syncope 2.1.1 for Docker Issues
Hi Andrew,

I'm not able to reproduce your issue; I've just tested with the docker compose taken from [1] with version 2.1.2 and it works fine. It seems that your *workflow.properties* is missing *historyLevel* property, please try again with fresh new 2.1.2 images taken from docker hub.

Best regards,
Andrea

On 13/11/18 17:34, Andrew Waterson wrote:

When running a docker-compose for 2.1.2, syncope-core will not initialize. Receiving the below error. However, 2.1.1 works fine in Docker.

syncope_1_949d5739a0e5 | 12-Nov-2018 23:00:24.611 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.listenerStart Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
syncope_1_949d5739a0e5 | org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'org.apache.syncope.core.flowable.support.DomainProcessEngineConfiguration#0' defined in URL [jar:file:/var/lib/tomcat8/webapps/syncope/WEB-INF/lib/syncope-ext-flowable-bpmn-2.1.2.jar!/workflowFlowableContext.xml]: Could not resolve placeholder 'historyLevel' in value "${historyLevel}"; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'historyLevel' in value "${historyLevel}"
syncope_1_949d5739a0e5 | at org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:228)

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Java Rest Endpoint entityManager problem
Hi Ben,

please take [1] and [2] as reference to have a working reference example. Please notice the use of @Transactional annotations on UserLogic class.

HTH,
Andrea

On 29/10/18 14:45, Ben.H wrote:

I did create the endpoint, and it all wires up correctly. It even works when I use the methods from the base DAO class (e.g. using the find method with the id as opposed to the findByUsername method).

I have been able to work around this problem using the Id. I didn't think it was available to me at that point, but we were able to work. However, I still am curious why the base class could find the entitymanager and the UserDao could not...

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

[1] https://github.com/apache/syncope/blob/syncope-2.0.10/core/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/UserServiceImpl.java
[2] https://github.com/apache/syncope/blob/syncope-2.0.10/core/logic/src/main/java/org/apache/syncope/core/logic/UserLogic.java

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Java Rest Endpoint entityManager problem
Hi Ben,

I guess that you put the bean in the wrong package, it seems that spring is not finding the entity manager bean. How have you added the rest endpoint? Could you please list steps, classes and packages?

Best regards,
Andrea

On 23/10/18 15:26, Ben.H wrote:

I'm trying to create a rest endpoint in java. I can hit the endpoint, which has an autowired UserDAO on it, no exception is thrown when the UserDAO is autowired but when I go to do a findByUsername I get an IllegalStateException stating; Could not find EntityManager for domain Master.

Should I be using the UserDAO or should I be using some other component? And why won't it autowire correctly?

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Modify Console 'Edit USER' modal
Hi,

you can customize wizard shape by editing wizard layout for a specific role. Go to Configuration -> Security -> Roles; define a role and edit its JSON layout configuration. Only users with that role will see the customized form.

If you want to perform deeper customizations you have to override some administration console Java classes.

Best regards,
Andrea

On 10/10/2018 18:50, pcrowder wrote:

Hello,

Where can I override the 'Edit USER' and 'New USER' wizards in the admin console.

1. I would like to remove the 'Auxiliary classes' panel for both ie an admin user cannot edit this.
2. Also, I have had a request to change the display order of the 'Plain Attributes'.

Thank you,
Phil

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Action whenever AnyObject is created/updated/deleted
Hi Hernâni Borges,

You should use "logic actions". Please refer to documentation at [1] (switch version according to your current Syncope version). At [2] there's a sample implementation.

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.0/reference-guide.html#logicactions
[2] https://github.com/apache/syncope/blob/syncope-2.0.10/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/DoubleValueLogicActions.java

On 08/10/2018 14:25, Hernâni Borges de Freitas wrote:

Hello,

We are interested in having an action that calls an http endpoint to flush caches whenever an AnyObject is created/updated/deleted.

What’s the easiest way to achieve this functionality?

Thanks
Hernani

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: Ldap pull task fail if one or more of ldap users have uid like this "Na\\\me" or "Na\me"
--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: AW: AW: Syncope Console realms listing
Hi Maria,

no problem. Since Syncope Docker images are generated from .deb packages you should extend the original Docker image of the console and manually replace the file in the compiled sources. Otherwise you should build your own Docker image of the console starting from the war generated by your customized sources and use it in the compose file. To do this for sure you need a new Dockerfile and to work with maven docker plugin.

Best regards,
Andrea

On 13/09/2018 11:59, Maria Barth wrote:

Hello Andrea,

sorry to bother you again :)

Could you please advise, how I can deploy the new syncope-console.war to the syncope-console docker container? I am using the Docker Compose tool.

Thank you and regards,
Maria

From: Maria Barth [mailto:mba...@cad-schroer.de]
Sent: Wednesday, 12 September 2018 16:34
Subject: AW: AW: Syncope Console realms listing

Hi Andrea,

thank you very much, it worked fine for my embedded Syncope. I only had to add

    @Override
    public boolean isVisible() {
        return availableRealms.stream().
                anyMatch(availableRealm -> realmTO.getFullPath().startsWith(availableRealm));
    }

in RealmChoicePanel.java

Best regards,
Maria

From: Andrea Patricelli [mailto:andreapatrice...@apache.org]
Sent: Tuesday, 11 September 2018 09:41
To: user@syncope.apache.org
Subject: Re: AW: Syncope Console realms listing

Hi,

please take a look to the class at [1]. You should toggle visibility of the component that displays the realm list to false instead of simply disabling the component row.

N.B. In order to override classes you should use a Syncope archetype project [2].

Best regards,
Andrea

[1] https://github.com/apache/syncope/blob/2_1_X/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
[2] https://syncope.apache.org/docs/2.1/getting-started.html#create-project

On 10/09/2018 11:24, Maria Barth wrote:

Hi Andrea,

thank you for the quick response. I am using the version 2.1.1.

Could you give me some hints about the console customization, necessary to hide not allowed realms?

Best regards,
Maria

From: Andrea Patricelli [mailto:andreapatrice...@apache.org]
Sent: Monday, 10 September 2018 11:06
To: user@syncope.apache.org <mailto:user@syncope.apache.org>
Subject: Re: Syncope Console realms listing

Hi Maria,

Could you please specify which version of Syncope are you using?

The current implementation of the console shows all other realms, but disables the ones on which the admin user does not have permission (you should see a "not allowed" icon on realms different than "Firma1"). In order to hide not allowed realms you should make a customization to the current console implementation.

HTH,
Andrea

On 10/09/2018 10:23, Maria Barth wrote:

Hello,

my requirement is to have a user in Syncope, who is able to administrate other users in the same realm, but who may not see the list of other realms. Is it possible?

I have configured a role, with following entitlements on the realm:

    "entitlements":[ "ACCESS_TOKEN_LIST", "ANYTYPE_LIST", "ANYTYPE_READ", "ANYTYPECLASS_LIST", "ANYTYPECLASS_READ", "DOMAIN_READ", "GROUP_DELETE", "GROUP_UPDATE", "GROUP_CREATE", "GROUP_LIST", "GROUP_READ", "GROUP_SEARCH", "MEMBERSHIP_DELETE", "MEMBERSHIP_UPDATE", "MEMBERSHIP_CREATE", "MEMBERSHIP_LIST", "MEMBERSHIP_READ", "REALM_LIST", "RELATIONSHIPTYPE_LIST", "RELATIONSHIPTYPE_READ", "ROLE_DELETE", "ROLE_UPDATE", "ROLE_CREATE", "ROLE_LIST", "ROLE_READ", "SCHEMA_LIST", "USER_SEARCH", "USER_DELETE", "USER_CREATE", "USER_UPDATE", "USER_READ"],
    "realms":["/Firma1"],

But if the user having this role
Re: Update Plain schema attribute for a realm
Hi Indhupriya,

On 07/09/2018 15:57, indhupriya wrote:

Hi,

I have a requirement to update a Plain schema attribute for a realm to a constant value. i.e. I've ~2K users in a /test realm (totally ~10k from other realms too) and these users have an attribute "location". For all these ~2K users in "/test" realm we need to update the "location" value say as "test1".

We know it is possible to update attribute for each users separately using userID or unique ID. But is there any way to update for all the users using REST API? or by updating the field in Syncope MySQL table?

The best solution is to stop your Syncope instance, manually update the MySQL UPlainAttrValue table and restart.

We are using syncope 2.0.2, MySQL and glassfish server

BTW I warmly suggest upgrading to the latest Syncope version, currently 2.0.10. Please refer to [1].

Thanks in advance,
Indhupriya.S

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

Best regards,
Andrea

[1] https://cwiki.apache.org/confluence/display/SYNCOPE/Jazz

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net
Apache Syncope PMC Member
Re: AW: Syncope Console realms listing
Hi, please take a look at the class at [1]. You should toggle visibility of the component that displays the realm list to false instead of simply disabling the component row. N.B. In order to override classes you should use a Syncope archetype project [2]. Best regards, Andrea
[1] https://github.com/apache/syncope/blob/2_1_X/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
[2] https://syncope.apache.org/docs/2.1/getting-started.html#create-project
On 10/09/2018 11:24, Maria Barth wrote:
Hi Andrea, thank you for the quick response. I am using the version 2.1.1. Could you give me some hints about the console customization, necessary to hide not allowed realms? Best regards, Maria
*From:* Andrea Patricelli [mailto:andreapatrice...@apache.org] *Sent:* Monday, 10 September 2018 11:06 *To:* user@syncope.apache.org *Subject:* Re: Syncope Console realms listing
Hi Maria, Could you please specify which version of Syncope you are using? The current implementation of the console shows all other realms, but disables the ones on which the admin user does not have permission (you should see a "not allowed" icon on realms different than "Firma1"). In order to hide not allowed realms you should make a customization to the current console implementation. HTH, Andrea
On 10/09/2018 10:23, Maria Barth wrote:
Hello, my requirement is to have a user in Syncope, who is able to administrate other users in the same realm, but who may not see the list of other realms. Is it possible?
I have configured a role, with following entitlements on the realm: "entitlements":[ "ACCESS_TOKEN_LIST", "ANYTYPE_LIST", "ANYTYPE_READ", "ANYTYPECLASS_LIST", "ANYTYPECLASS_READ", "DOMAIN_READ", "GROUP_DELETE", "GROUP_UPDATE", "GROUP_CREATE", "GROUP_LIST", "GROUP_READ", "GROUP_SEARCH", "MEMBERSHIP_DELETE", "MEMBERSHIP_UPDATE", "MEMBERSHIP_CREATE", "MEMBERSHIP_LIST", "MEMBERSHIP_READ", "REALM_LIST", "RELATIONSHIPTYPE_LIST", "RELATIONSHIPTYPE_READ", "ROLE_DELETE", "ROLE_UPDATE", "ROLE_CREATE", "ROLE_LIST", "ROLE_READ", "SCHEMA_LIST", "USER_SEARCH", "USER_DELETE", "USER_CREATE", "USER_UPDATE", "USER_READ"], "realms":["/Firma1"],
But if the user having this role and being defined on the realm „/Firma1“ enters the „Realms“ in the console, he is able to see the list of all realms:
Thank you for your help and regards, Maria Barth
Re: Syncope administrator create realms
Hi Maria, Your problem is related to entitlements REALM_DELETE, REALM_UPDATE and REALM_CREATE. If you want to enable realm read/editing you need to add also other entitlements, otherwise remove those three entitlements. This set for example should work: RESOURCE_READ, RELATIONSHIPTYPE_READ, IMPLEMENTATION_READ, REMEDIATION_LIST, TASK_LIST, RELATIONSHIPTYPE_LIST, IMPLEMENTATION_LIST, USER_CREATE, GROUP_SEARCH, RESOURCE_LIST, ANYTYPE_READ, USER_SEARCH, ACCESS_TOKEN_LIST, CONFIGURATION_LIST, ANYTYPECLASS_READ, ROLE_LIST, ANYTYPECLASS_LIST, USER_READ, ROLE_READ, REALM_DELETE, SCHEMA_LIST, USER_DELETE, REALM_UPDATE, SECURITY_QUESTION_READ, REALM_CREATE, ANYTYPE_LIST, USER_UPDATE, POLICY_READ, GROUP_READ, POLICY_LIST, REALM_LIST, TASK_READ, DOMAIN_READ, DYNREALM_READ
Best regards, Andrea
On 10/09/2018 12:03, Maria Barth wrote:
Hello, I am evaluating Syncope as a possible IDM-system for integrating in a new product. One of the requirements is to have an administrator role allowing to perform all actions with all realms, users, groups, roles and able to view access tokens.
I have configured a role as following: "entitlements":[ "ACCESS_TOKEN_LIST", "ANYTYPE_LIST", "ANYTYPE_READ", "ANYTYPECLASS_LIST", "ANYTYPECLASS_READ", "DOMAIN_READ", "GROUP_DELETE", "GROUP_UPDATE", "GROUP_CREATE", "GROUP_LIST", "GROUP_READ", "GROUP_SEARCH", "MEMBERSHIP_DELETE", "MEMBERSHIP_UPDATE", "MEMBERSHIP_CREATE", "MEMBERSHIP_LIST", "MEMBERSHIP_READ", "POLICY_READ", "REALM_LIST", "REALM_CREATE", "REALM_DELETE", "REALM_UPDATE", "RELATIONSHIPTYPE_LIST", "RELATIONSHIPTYPE_READ", "RESOURCE_LIST", "RESOURCE_READ", "ROLE_DELETE", "ROLE_UPDATE", "ROLE_CREATE", "ROLE_LIST", "ROLE_READ", "USER_SEARCH", "USER_DELETE", "USER_CREATE", "USER_UPDATE", "USER_READ" ], "realms":["/"],
It seems I am still missing some entitlements, because the user needs to login again as soon as he hits
- the „Realms“ item on the left
- the „Details“ tab after hitting „Dashboard“ – „Users“ (see the attachment)
- one of the leaves of the realm tree in the right corner after hitting „Dashboard“ – „Users“.
Thank you and regards, Maria Barth
Re: Syncope Console realms listing
Hi Maria, Could you please specify which version of Syncope you are using? The current implementation of the console shows all other realms, but disables the ones on which the admin user does not have permission (you should see a "not allowed" icon on realms different than "Firma1"). In order to hide not allowed realms you should make a customization to the current console implementation. HTH, Andrea
On 10/09/2018 10:23, Maria Barth wrote:
Hello, my requirement is to have a user in Syncope, who is able to administrate other users in the same realm, but who may not see the list of other realms. Is it possible? I have configured a role, with following entitlements on the realm: "entitlements":[ "ACCESS_TOKEN_LIST", "ANYTYPE_LIST", "ANYTYPE_READ", "ANYTYPECLASS_LIST", "ANYTYPECLASS_READ", "DOMAIN_READ", "GROUP_DELETE", "GROUP_UPDATE", "GROUP_CREATE", "GROUP_LIST", "GROUP_READ", "GROUP_SEARCH", "MEMBERSHIP_DELETE", "MEMBERSHIP_UPDATE", "MEMBERSHIP_CREATE", "MEMBERSHIP_LIST", "MEMBERSHIP_READ", "REALM_LIST", "RELATIONSHIPTYPE_LIST", "RELATIONSHIPTYPE_READ", "ROLE_DELETE", "ROLE_UPDATE", "ROLE_CREATE", "ROLE_LIST", "ROLE_READ", "SCHEMA_LIST", "USER_SEARCH", "USER_DELETE", "USER_CREATE", "USER_UPDATE", "USER_READ"], "realms":["/Firma1"],
But if the user having this role and being defined on the realm „/Firma1“ enters the „Realms“ in the console, he is able to see the list of all realms:
Thank you for your help and regards, Maria Barth
Re: Application hierarchy mapping in Syncope
Hi
On 28/08/2018 17:22, Hernâni Borges de Freitas wrote:
Assuming that I have a structure of
/
/application-a
/application-b
With roles and managers assigned to realms /application-a and /application-b and several AnyObjects defined in /. Would it be possible for a user manager in /application-a to assign the AnyObject X defined in / to a group that only exists in /application-a ? Would be possible for another user manager in /application-b to the same for the same AnyObject defined in / ? Bear in mind that we are talking about the same AnyObject and it only exists in the parent realm not in the realm of any of the applications.
Yes, it is possible to assign groups in /application-a to objects in /. According to documentation "A User or an Any Object can be members of Groups in the same realm or in one of the parent realms." But, _if the manager user has assigned a role on realm /application-a_, *no*, it is not possible for that user to manage objects in /. You should assign to the manager a role that gives entitlements on realm /. Or use delegated administration through dynamic realms, described here [1]. But I think you should use delegation only if there isn't any other chance to implement your scenario.
Thanks so much again Hernani
Best regards, Andrea
[1] https://syncope.apache.org/docs/2.0/reference-guide.html#delegated-administration
On 28 Aug 2018, at 15:43, Andrea Patricelli wrote:
On 28/08/2018 16:34, Hernâni Borges de Freitas wrote:
Hi Andrea, Thanks for your fast answer. I thought about using a new AnyObject instead of the user directly because our usage for users will be somehow special without having passwords for them for instance, but just some metadata associated which we can leave not associated with users but to this new anyObject.
Only a tip about this: password propagation and storing is optional, so you can create users without managing their passwords.
About the mapping you are suggesting: what is still confusing me is how to allow a user to be present in more than one realm and still only allow managers of those realms to assign the users to the groups they can control. For user X I need that managers of realm /a are able to assign it to groups inside /a and managers of /b to assign it to groups inside /b.
Ok, now I got it. If you assign to USER with, for example, username "manager-a" the role "manager-role-application-a" (assigned to realm /a) with entitlements to update user or anyobject, you can manage groups of anyobjects in realm /a and all its children.
Best regards, Andrea
Hernani
On 28 Aug 2018, at 15:21, Andrea Patricelli wrote:
Hi Hernâni,
On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:
Hello I am trying to map an organization composed by the same user base that uses different applications and have different roles in those applications to Apache Syncope. We are only using syncope to provide authorisation to the applications, not authentication. Those applications will consume authorisation for different members via Syncope REST API. Syncope has the following realms:
/
/application-a
/application-b
/application-x
- We are using apache syncope to manage membership to groups in different applications. Those different applications have their own managers who can define groups and memberships under their realms in syncope.
- All members belong to the same organization and are shared by different applications. They can be members of different groups in different applications.
- Each application is defined by a realm and managers of those applications have roles with entitlements in those realms that allow to define groups. They can only define membership in groups in their realms and not in other realms.
- As far as I understand, objects in syncope can only belong to a realm, so it is not possible to have them in different realms and have managers able to edit memberships only for groups in their realm. To avoid this I created a new AnyObject of a new AnyType which maps our members in different realms. For each application where our members are, there is an AnyObject in the correspondent realms. If member A is in Application A and Application B there will be two AnyObjects for it, one in /application-a realm and another one in /application-b realm. Managers of those realms can edit AnyObjects in their realm without problems.
Why do you not use USER to map members into realms? Why did you create a new ANY_OBJECT?
I would like to know if there are simpler ways to map this hierarchy in syncope specially without the need to replicate the members in different anyobjects that are editable in the different realms and I would like to understand if there is a better way to organize realms, groups and objects than the one I am planning to use.
You can define roles and map the role to a specific realm, for example: manager-role-application-a ->
Re: Application hierarchy mapping in Syncope
On 28/08/2018 16:34, Hernâni Borges de Freitas wrote:
Hi Andrea, Thanks for your fast answer. I thought about using a new AnyObject instead of the user directly because our usage for users will be somehow special without having passwords for them for instance, but just some metadata associated which we can leave not associated with users but to this new anyObject.
Only a tip about this: password propagation and storing is optional, so you can create users without managing their passwords.
About the mapping you are suggesting: what is still confusing me is how to allow a user to be present in more than one realm and still only allow managers of those realms to assign the users to the groups they can control. For user X I need that managers of realm /a are able to assign it to groups inside /a and managers of /b to assign it to groups inside /b.
Ok, now I got it. If you assign to USER with, for example, username "manager-a" the role "manager-role-application-a" (assigned to realm /a) with entitlements to update user or anyobject, you can manage groups of anyobjects in realm /a and all its children.
Best regards, Andrea
Hernani
On 28 Aug 2018, at 15:21, Andrea Patricelli wrote:
Hi Hernâni,
On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:
Hello I am trying to map an organization composed by the same user base that uses different applications and have different roles in those applications to Apache Syncope. We are only using syncope to provide authorisation to the applications, not authentication. Those applications will consume authorisation for different members via Syncope REST API. Syncope has the following realms:
/
/application-a
/application-b
/application-x
- We are using apache syncope to manage membership to groups in different applications. Those different applications have their own managers who can define groups and memberships under their realms in syncope.
- All members belong to the same organization and are shared by different applications. They can be members of different groups in different applications.
- Each application is defined by a realm and managers of those applications have roles with entitlements in those realms that allow to define groups. They can only define membership in groups in their realms and not in other realms.
- As far as I understand, objects in syncope can only belong to a realm, so it is not possible to have them in different realms and have managers able to edit memberships only for groups in their realm. To avoid this I created a new AnyObject of a new AnyType which maps our members in different realms. For each application where our members are, there is an AnyObject in the correspondent realms. If member A is in Application A and Application B there will be two AnyObjects for it, one in /application-a realm and another one in /application-b realm. Managers of those realms can edit AnyObjects in their realm without problems.
Why do you not use USER to map members into realms? Why did you create a new ANY_OBJECT?
I would like to know if there are simpler ways to map this hierarchy in syncope specially without the need to replicate the members in different anyobjects that are editable in the different realms and I would like to understand if there is a better way to organize realms, groups and objects than the one I am planning to use.
You can define roles and map the role to a specific realm, for example:
manager-role-application-a -> map it to /application-a realm and assign entitlements to update users (only in /application-a realm and children).
manager-role-application-b -> map it to /application-b realm and assign entitlements to update users (only in /application-b realm and children).
manager-role-application-x -> map it to /application-x realm and assign entitlements to update users (only in /application-x realm and children).
With children I mean inner realms like /application-a/child-a/ or application-x/child-x
Bear in mind that realms entitlements are applied from the current realm to the inner ones, please refer to documentation at [1].
HTH, Andrea
[1] https://syncope.apache.org/docs/2.0/reference-guide.html#realms
Thanks
Re: Application hierarchy mapping in Syncope
Hi Hernâni,
On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:
Hello I am trying to map an organization composed by the same user base that uses different applications and have different roles in those applications to Apache Syncope. We are only using syncope to provide authorisation to the applications, not authentication. Those applications will consume authorisation for different members via Syncope REST API. Syncope has the following realms:
/
/application-a
/application-b
/application-x
- We are using apache syncope to manage membership to groups in different applications. Those different applications have their own managers who can define groups and memberships under their realms in syncope.
- All members belong to the same organization and are shared by different applications. They can be members of different groups in different applications.
- Each application is defined by a realm and managers of those applications have roles with entitlements in those realms that allow to define groups. They can only define membership in groups in their realms and not in other realms.
- As far as I understand, objects in syncope can only belong to a realm, so it is not possible to have them in different realms and have managers able to edit memberships only for groups in their realm. To avoid this I created a new AnyObject of a new AnyType which maps our members in different realms. For each application where our members are, there is an AnyObject in the correspondent realms. If member A is in Application A and Application B there will be two AnyObjects for it, one in /application-a realm and another one in /application-b realm. Managers of those realms can edit AnyObjects in their realm without problems.
Why do you not use USER to map members into realms? Why did you create a new ANY_OBJECT?
I would like to know if there are simpler ways to map this hierarchy in syncope specially without the need to replicate the members in different anyobjects that are editable in the different realms and I would like to understand if there is a better way to organize realms, groups and objects than the one I am planning to use.
You can define roles and map the role to a specific realm, for example:
manager-role-application-a -> map it to /application-a realm and assign entitlements to update users (only in /application-a realm and children).
manager-role-application-b -> map it to /application-b realm and assign entitlements to update users (only in /application-b realm and children).
manager-role-application-x -> map it to /application-x realm and assign entitlements to update users (only in /application-x realm and children).
With children I mean inner realms like /application-a/child-a/ or application-x/child-x
Bear in mind that realms entitlements are applied from the current realm to the inner ones, please refer to documentation at [1].
HTH, Andrea
[1] https://syncope.apache.org/docs/2.0/reference-guide.html#realms
Thanks
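The realm scoping discussed in this thread (a role's entitlements apply to its realm and to the inner realms, not to the parent or to sibling realms), as an added Python sketch that is not part of the original messages and is not Syncope's own code. The role definitions, the /application-ab sibling and all function names are constructed for illustration, and dynamic realms are not modelled.

```python
"""Simplified model of realm-scoped roles, as discussed in the thread.

Added illustration, not Syncope code: role names, entitlement sets and
function names below are constructed for the example.
"""
from dataclasses import dataclass


def segments(realm):
    """Split a realm path into its segments; "/" yields an empty list."""
    return [part for part in realm.split("/") if part]


def covers(granted, target):
    """True if `target` is the granted realm itself or one of its inner realms.

    The comparison is per path segment, not per character, so a role on
    /application-a does not leak onto a sibling named /application-ab.
    """
    g, t = segments(granted), segments(target)
    return t[:len(g)] == g


@dataclass(frozen=True)
class Role:
    name: str
    entitlements: frozenset
    realms: frozenset


def is_allowed(roles, entitlement, realm):
    """True if any of the roles grants `entitlement` on `realm`."""
    return any(
        entitlement in role.entitlements
        and any(covers(granted, realm) for granted in role.realms)
        for role in roles
    )


def manageable_realms(roles, entitlement, all_realms):
    """Realms (from a known list) on which `entitlement` is granted.

    This is the filter a customized realm chooser would apply to hide,
    rather than merely disable, realms the administrator cannot act on.
    """
    return sorted(r for r in all_realms if is_allowed(roles, entitlement, r))


# Constructed sample data mirroring the realm layout from the thread;
# /application-ab is an extra sibling added to exercise prefix handling.
ALL_REALMS = ["/", "/application-a", "/application-a/child-a",
              "/application-ab", "/application-b", "/application-x"]

MANAGER_A = Role("manager-role-application-a",
                 frozenset({"USER_UPDATE", "USER_READ", "GROUP_UPDATE"}),
                 frozenset({"/application-a"}))
ROOT_ADMIN = Role("root-admin",
                  frozenset({"USER_UPDATE", "USER_DELETE"}),
                  frozenset({"/"}))

if __name__ == "__main__":
    for realm in ALL_REALMS:
        print(realm, is_allowed([MANAGER_A], "USER_UPDATE", realm))
```

A manager holding only `MANAGER_A` cannot update an object that lives in `/`, which is why the reply above suggests either a role on `/` or delegated administration for that case.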
Re: How do export users, groups and membership from syncope to extern DB?
Hi, please add a mapping for the USER password in the (flag the field as password attribute). Moreover assign DBPasswordPropagationActions to the resource used to propagate users. Then you should find "password" variable populated in the groovy scripts. Best regards, Andrea
On 12/08/2018 06:57, d.cheremnov wrote:
Thank you!
Please take a look at [1]. Especially to commented description: "password: password string, clear text". N.B. If you want to enable cleartext passwords please flag clearTextPasswordToScript in connector configuration.
0) Parameter password.cipher.algorithm = [BCRYPT] https://gyazo.com/d25dc0e11c788ad004f8bb2a483b5c02
1) Connector (scriptedsql): https://gyazo.com/34ed370b64e9eb21581c32d6c3622357
2) Resource: https://gyazo.com/8394ce3f9a4dc7310cd1cfa853d2c013
3) User provision: https://gyazo.com/6fd7a2100c5479064e338c1adced4989
4) Push task: https://gyazo.com/b2da710a39aad58611942bedd529f2ae
5) ActivitiCreateScript.groovy:
    import groovy.sql.Sql

    // action, attributes, connection, id, objectClass, password and log
    // are bound by the scripted SQL connector before the script runs
    log.info("Entering " + action + " Script. attributes: " + attributes);
    def sql = new Sql(connection);
    def firstnameAttributes = attributes.get("FIRST_");
    def lastnameAttributes = attributes.get("LAST_");
    def emailAttributes = attributes.get("EMAIL_");
    //def pwdAttributes = attributes.get("__HASHED_PASSWORD__");
    switch ( objectClass ) {
        case "__ACCOUNT__":
            // parameterized insert: one row per propagated user
            sql.execute("INSERT INTO act_id_user (ID_,REV_,FIRST_,LAST_,EMAIL_,PWD_) values (?,?,?,?,?,?)", [
                id,
                1,
                firstnameAttributes.isEmpty() ? null : firstnameAttributes.get(0),
                lastnameAttributes.isEmpty() ? null : lastnameAttributes.get(0),
                emailAttributes.isEmpty() ? null : emailAttributes.get(0),
                password
            ])
            break
        case "__GROUP__":
            log.info("Create new group...");
            break
        default:
            id;
    }
    return id;
6) Result of push task: https://gyazo.com/b7c677f7c5f708cdc3f28af7fbe10a91 https://gyazo.com/7bcbf9a34383ffb761a0556881f5fa96
but password and PWD_ = null
Re: How do export users, groups and membership from syncope to extern DB?
Hi, Do you want to propagate users to an external SQL database right? Which version of Syncope are you running?
On 10/08/2018 11:52, d.cheremnov wrote:
Hi!
1. Activiti DataBase:
    CREATE TABLE IF NOT EXISTS `act_id_user` (
      `ID_` varchar(64) COLLATE utf8_bin NOT NULL,
      `REV_` int(11) DEFAULT NULL,
      `FIRST_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
      `LAST_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
      `EMAIL_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
      `PWD_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
      `PICTURE_ID_` varchar(64) COLLATE utf8_bin DEFAULT NULL,
      PRIMARY KEY (`ID_`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
    CREATE TABLE IF NOT EXISTS `act_id_group` (
      `ID_` varchar(64) COLLATE utf8_bin NOT NULL,
      `REV_` int(11) DEFAULT NULL,
      `NAME_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
      `TYPE_` varchar(255) COLLATE utf8_bin DEFAULT NULL,
      PRIMARY KEY (`ID_`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
    CREATE TABLE IF NOT EXISTS `act_id_membership` (
      `USER_ID_` varchar(64) COLLATE utf8_bin NOT NULL,
      `GROUP_ID_` varchar(64) COLLATE utf8_bin NOT NULL,
      PRIMARY KEY (`USER_ID_`,`GROUP_ID_`),
      KEY `ACT_FK_MEMB_GROUP` (`GROUP_ID_`),
      CONSTRAINT `ACT_FK_MEMB_GROUP` FOREIGN KEY (`GROUP_ID_`) REFERENCES `act_id_group` (`ID_`),
      CONSTRAINT `ACT_FK_MEMB_USER` FOREIGN KEY (`USER_ID_`) REFERENCES `act_id_user` (`ID_`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
2. ActivitiUserDBConnector (users, 'table' connector): https://gyazo.com/e13dda814cf587deb116a4a344faffe1
3. __ACCOUNT__ provision rules (users resource): https://gyazo.com/387f96a1a4ef597fdb67bc2859d0451e
4. I added 2 users on the syncope and do Push: https://gyazo.com/421bdd80f3089c14d8856c4e4f7f8bfb
Question:
1. How to export 'password' field to `act_id_user` table ?
Please take a look at [1]. Especially to commented description: "password: password string, clear text". N.B. If you want to enable cleartext passwords please flag clearTextPasswordToScript in connector configuration.
2. Exists groups. I can export the groups to `act_id_group` table, use 'scriptedsql' connector?
Yes you can. By properly managing objectClass in Groovy script.
3. How to export an 'user-group' membership to `act_id_membership` table?
You need a custom PropagationActions, something like [2]. In this custom action you have to implement the "before" method where you can, for example, create your own connid attribute to pass to groovy scripts, say __MEMBERSHIPS__. In __MEMBERSHIPS__ you can pass list of the groups of the user and then use this attribute in the groovy script (see examples in the code at [1]) in order to populate act_id_membership table.
HTH, Andrea
[1] https://github.com/apache/syncope/blob/2_0_X/fit/core-reference/src/test/resources/scriptedsql/CreateScript.groovy
[2] https://github.com/apache/syncope/blob/2_0_X/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java
Re: REST connector examples
Hi Wyllys, please check [1]. This playground environment is based on Syncope 2.1.1-SNAPSHOT. You can find in the Topology page REST connector with rest-target-resource. Moreover to have a reference implementation for groovy scripts used by the connector please refer to [2]. HTH, Andrea
[1] http://syncope-vm.apache.org:9080/syncope-console
[2] https://github.com/apache/syncope/tree/2_0_X/fit/core-reference/src/test/resources/rest
On 2018/08/07 21:37:30, Wyllys Ingersoll wrote:
> Are there examples of configuring the REST connector bundle using the
> console UI? I want to configure a simple REST service to receive
> updates when a user is created/deleted/updated but I'm not sure how to
> setup the connector parameters to send the data to my service.
>
> thanks,
> Wyllys Ingersoll
Re: Kubernetes (Syncope Cannot talk to Postgres)
Hi Craig,
On 07/08/2018 08:30, Francesco Chicchiriccò wrote:
On 07/08/2018 00:03, craig wrote:
I am setting up syncope in Kubernetes. I will be happy to contribute my yamls once I get it running as it doesn't seem to be a common setup for Syncope.
This sounds great, it would be a great addition, maybe to place right after https://syncope.apache.org/docs/getting-started.html#docker-compose-samples
I am new to Syncope and I am having some issues. I was able to get the docker-compose examples working just fine but having connectivity issues when running in K8s. Without knowing Syncope (or even postgres) that well I am struggling on where to start.
Issue: Syncope cannot connect to postgres:5432
20:49:13.640 ERROR org.flowable.common.engine.impl.AbstractEngineConfiguration - Exception while initializing Database connection org.postgresql.util.PSQLException: Connection to postgres:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections. [...]
Did you set a password for the user "syncope" like explained at [1]? Is connectivity on protocol TCP allowed on your postgres instance? BTW I found something (maybe) useful for you at [2].
Were the Syncope tables (SyncopeUser, for example) created, in the database? Were the Flowable (e.g. ACT_*) and Quartz (e.g. QRTZ_*) created as well? Did you setup any connection control on the postgresql container?
Things that I did:
1) Connect to database directly from postgres container command line "psql -U syncope"
2) Connect to database from syncope container command line "psql -U syncope -h postgres"
Since this works, I cannot figure out why you get the exception above...
3) Confirm that the port 5432 is open by running the command "telnet postgres 5432" and it was open
4) Confirm that both a database named "syncope" and user named "syncope" exist in the postgres database
5) Confirmed the configuration of K8s looks correct. The port appears to be up, the replica sets look correct
Any help or guidance on things to look at would be helpful. Craig
HTH, Andrea
[1] https://syncope.apache.org/docs/reference-guide.html#postgresql
[2] https://blog.bigbinary.com/2016/01/23/configure-postgresql-to-allow-remote-connection.html
Re: Syncope 2.1.0,using maven archetype: Where are default PasswortRules?
Hi, We are improving documentation here [1]. You should login to console UI, go to Configuration -> Implementations and select PASSWORD_RULE. Then click on "+" button and add a JAVA implementation; give it a name and select DefaultPasswordRuleConf for example. Then go to Configuration -> Policies -> Password and repeat steps that you did, now you should find the rule that you configured previously based on default one. Best regards, Andrea
[1] https://syncope.apache.org/docs/reference-guide.html#default-password-rule
On 30/07/2018 15:37, gatherer wrote:
Hi,
short version: https://syncope.apache.org/docs/reference-guide.html#policies-password talks about Default Password Rule "The default password rule (enforced by DefaultPasswordRule and configurable via DefaultPasswordRuleConf) contains the following controls:"
I created a new "DefaultPasswordPolicy" under Configuration -> Policies -> Password. If I click on my new created policy, I can choose between "edit/clone/rules/delete". I click rules, then "the plus sign":
Problem: I cannot create a new rule because the combobox is empty (Only Showing "Choose One".) Shouldn't there be some predefined rules? Like https://github.com/apache/syncope/blob/syncope-2.1.0/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/DefaultPasswordRule.java
How to define some? How to get some?
Long story:
* Postgresql and tomcat installed.
* jdbc Datasource defined, up, running
* openjdk version "1.8.0_171"
* Apache Tomcat/8.5.14 (Debian)
I used the following mvn:
    mvn archetype:generate \
        -DarchetypeGroupId=org.apache.syncope \
        -DarchetypeArtifactId=syncope-archetype \
        -DarchetypeRepository=http://repo1.maven.org/maven2 \
        -DarchetypeVersion=2.1.0
Created the following directories
    $ sudo mkdir /opt/syncope/bundles
    $ sudo mkdir /opt/syncope/log
    $ sudo mkdir /opt/syncope/conf
After fixing the "junit version missing in the console pom", I build it using:
    mvn clean verify \
        -Dconf.directory=/opt/syncope/conf \
        -Dbundles.directory=/opt/syncope/bundles \
        -Dlog.directory=/opt/syncope/log
    cp core/target/classes/*properties /opt/syncope/conf
    cp console/target/classes/*properties /opt/syncope/conf
    cp enduser/target/classes/*properties /opt/syncope/conf
    cp enduser/target/classes/customForm.json /opt/syncope/conf
Then deployed the webapps using:
    for I in `find .| grep war$`; do cp $I /opt/syncope/tomcat8/webapps/; done
This blog shows the configuration combobox (using 2.0.9) which is empty in my version. http://blog.tirasa.net/configure-syncope-to-check-for-pwned-passwords.html ( http://blog.tirasa.net/gallery/tirasa/blog/hibp_2.png)
Thanks for your help, gatherer
Re: 'Null' External fields are not updating in syncope during PULL task
Hi, FYI [1] has been solved. Best regards, Andrea [1] https://issues.apache.org/jira/browse/SYNCOPE-1345 On 24/07/2018 13:09, Andrea Patricelli wrote: Hi, thanks for all the info provided. I confirm that there is a bug in the application. I opened an issue about this [1]. Best regards, Andrea [1] https://issues.apache.org/jira/browse/SYNCOPE-1343 On 24/07/2018 11:42, indhupriya wrote: Hi Andrea, I am using db-table connector for connecting to MySQL and 'ad' connector for active directory connection. The same issue exists in both cases. Thanks, Indhupriya.S -- Sent from: http://syncope-user.1051894.n5.nabble.com/
Re: 'Null' External fields are not updating in syncope during PULL task
Hi, thanks for all the info provided. I confirm that there is a bug in the application. I opened an issue about this [1]. Best regards, Andrea [1] https://issues.apache.org/jira/browse/SYNCOPE-1343 On 24/07/2018 11:42, indhupriya wrote: Hi Andrea, I am using db-table connector for connecting to MySQL and 'ad' connector for active directory connection. The same issue exists in both cases. Thanks, Indhupriya.S
Re: 'Null' External fields are not updating in syncope during PULL task
Ok, thanks for the info. Which connector are you using? db-scripted or db-table? Best regards, Andrea On 24/07/2018 08:25, indhupriya wrote: Hi Andrea, Thanks for the quick turnaround. The syncope version we are using is 2.0.2 and Yes, We have confirmed that the other modified fields (with values) are updated in Syncope and only the fields which are modified as 'NULL' are not getting updated during PULL task from external resource. And also we noted that, if we use PUSH task (after the fields are modified as Null in syncope) the fields are getting updated to Null in external resources (say MySQL). Hence, only during PULL task this issue is happening. Additionally, this is the configuration existing in both PUSH and PULL task. <http://syncope-user.1051894.n5.nabble.com/file/t339059/syncope.png> Thanks in Advance, Indhupriya
Re: 'Null' External fields are not updating in syncope during PULL task
Hi Indhupriya, which version of Syncope are you running? Do you confirm that other fields (with values) are correctly updated? Best regards, Andrea On 23/07/2018 15:10, indhupriya wrote: Hi, When an existing field is updated as "Null" in external resource such as "LDAP or MySQL", PULL task is not changing the field as 'NULL' in Syncope and retains the deleted field content. But, when a field is edited to some other value, the changed value is updated. Is there a way to update the "Null" field in Syncope? For Example: Let's say MySQL has initial fields: "id:1, email:t...@testmail.com, number:24" After Pull task is executed, Syncope has fields: "id:1, email:t...@testmail.com, number:24" After that, MySQL fields are changed as: "id:1, email:*NULL*, number:*30*" When PULL task is executed again (Scheduled run), Syncope has fields: "id:1, email:*t...@testmail.com*, number:*30*" i.e., the value of email is retained even when the value is changed to Null in MySQL, whereas the value for the "number" field is updated to '30'. Thanks in advance, Indhupriya.S
Re: Avoid any propagation to external resources during the night
Hi Alireza, Your code unfortunately does not work because it does not really update conninstance capabilities. The fastest way to achieve your goal is to throw an IgnoreProvisionException [1] in the if body. HTH, Andrea Best regards, Andrea [1] https://github.com/apache/syncope/blob/2_0_X/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/pushpull/IgnoreProvisionException.java

On 23/07/2018 15:20, alireza ranjbaran wrote: Hi dears, Based on our user management policy nothing should be changed at night (00:00 ~ 6:00) in the Active Directory. I tried the code below in PropagationActions to implement that in syncope but it did not work. Could you please give me any hint?

    @Override
    public void before(final PropagationTask task, final ConnectorObject beforeObj) {
        ConnInstance connInstance = task.getResource().getConnector();
        //ConnInstanceTO connInstanceTO = connInstanceDataBinder.getConnInstanceTO(connInstance);
        if (night() && connInstance.getCapabilities().contains(ConnectorCapability.UPDATE)) {
            connInstance.getCapabilities().remove(ConnectorCapability.UPDATE);
        } else {
            connInstance.getCapabilities().add(ConnectorCapability.UPDATE);
        }
    }

-- Best Regards, Alireza Ranjbaran, IT Security Engineer

-- Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale Vittoria Colonna 97 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
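The approach suggested in the reply above, as an added example (not code from the thread or from Apache Syncope): a freeze-window check that evaluates 00:00 to 06:00 in an explicit time zone, handles windows that wrap midnight, and vetoes the single operation by throwing instead of mutating connector capabilities. `ChangeFreezeGuard`, the `Europe/Rome` zone and the `resource-ad` key are assumptions, and the nested `IgnoreProvisionException` is a local stand-in so the file compiles alone; inside the `before(...)` method from the post you would call `check(...)` and throw the class linked at [1].

```java
import java.time.Clock;
import java.time.Instant;
import java.time.LocalTime;
import java.time.ZoneId;

public class ChangeFreezeGuard {

    /** Local stand-in (assumption) so this file compiles alone; in Syncope throw the class linked at [1]. */
    static class IgnoreProvisionException extends RuntimeException {
        IgnoreProvisionException(String message) {
            super(message);
        }
    }

    private final LocalTime start; // inclusive
    private final LocalTime end;   // exclusive
    private final ZoneId zone;     // zone the policy is written in, not the JVM default
    private final Clock clock;     // injectable so the window can be exercised with fixed instants

    ChangeFreezeGuard(LocalTime start, LocalTime end, ZoneId zone, Clock clock) {
        this.start = start;
        this.end = end;
        this.zone = zone;
        this.clock = clock;
    }

    /** True when the current instant, seen in the policy zone, falls inside [start, end). */
    boolean inFreeze() {
        LocalTime now = clock.instant().atZone(zone).toLocalTime();
        if (start.equals(end)) {
            return false; // empty window: never frozen
        }
        if (start.isBefore(end)) {
            return !now.isBefore(start) && now.isBefore(end);
        }
        // Window wraps past midnight, for example 22:00-06:00.
        return !now.isBefore(start) || now.isBefore(end);
    }

    /**
     * Meant to be the first call in before(...): it vetoes this one task and
     * leaves the shared connector configuration untouched.
     */
    void check(String resourceKey) {
        if (inFreeze()) {
            throw new IgnoreProvisionException(
                    "Change freeze " + start + "-" + end + " " + zone
                    + ": skipping propagation to " + resourceKey);
        }
    }

    public static void main(String[] args) {
        ZoneId site = ZoneId.of("Europe/Rome"); // constructed: zone of the directory site
        // Constructed instants, as a server whose clock runs in UTC would report them.
        String[] samples = {
            "2018-07-23T22:30:00Z", // 00:30 at the site
            "2018-07-24T03:59:59Z", // 05:59:59 at the site
            "2018-07-24T04:00:00Z", // 06:00 at the site, window end is exclusive
            "2018-07-24T05:30:00Z"  // 07:30 at the site, although 05:30 in UTC
        };
        for (String sample : samples) {
            Clock fixed = Clock.fixed(Instant.parse(sample), ZoneId.of("UTC"));
            ChangeFreezeGuard guard =
                    new ChangeFreezeGuard(LocalTime.MIDNIGHT, LocalTime.of(6, 0), site, fixed);
            try {
                guard.check("resource-ad"); // constructed resource key
                System.out.println(sample + " -> propagate");
            } catch (IgnoreProvisionException e) {
                System.out.println(sample + " -> " + e.getMessage());
            }
        }
    }
}
```

Evaluating the window in the site's zone rather than the JVM default matters when the Syncope host and the directory sit in different zones: the last sample would be blocked by a naive server-local check.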
Re: Active Directory Connector - Delete User Not Working
Moreover, please flag "Retrieve deleted users" in connector configuration. Best regards, Andrea Il 22/06/2018 10:21, Andrea Patricelli ha scritto: Hi Sudeesh, Your configuration seems good. Please read inline. Best regards, Andrea Il 21/06/2018 16:49, Sudeesh Kumar P ha scritto: Hi Andrea , I have attached the logs below: I have tried in Active directory 2012 & 2016. In both Iam facing the same issue. AD Connector: {"key":"0d35158b-4747-400b-b515-8b4747100bd3","adminRealm":"/","location":"file:/C:/javasoftwares/syncopeWithActiveDirectory-master/core/target/bundles/","connectorName":"net.tirasa.connid.bundles.ad.ADConnector","bundleName":"net.tirasa.connid.bundles.ad","version":"1.3.4","displayName":"AD_teak","connRequestTimeout":10,"poolConf":null,"conf":[{"schema":{"name":"host","displayName":"Server hostname","helpMessage":"Insert hostname","type":"java.lang.String","required":true,"order":1,"confidential":false,"defaultValues":[]},"overridable":false,"values":["TESTAD"]},{"schema":{"name":"ssl","displayName":"SSL","helpMessage":"User SSL to perform password provisioning","type":"boolean","required":false,"order":1,"confidential":false,"defaultValues":[true]},"overridable":false,"values":["false"]},{"schema":{"name":"memberships","displayName":"Memberships","helpMessage":"Specify memberships","type":"[Ljava.lang.String;","required":false,"order":1,"confidential":false,"defaultValues":[]},"overridable":false,"values":[]},{"schema":{"name":"retrieveDeletedUser","displayName":"Retrieve deleted users","helpMessage":"Specify TRUE to retrieve deleted users also. The default is \"true\".","type":"boolean","required":false,"order":2,"confidential":false,"defaultValues":[true]},"overridable":false,"values":["false"]},{"schema":{"name":"port","displayName":"Server port","helpMessage":"Insert port. 
The default is 636.","type":"int","required":false,"order":2,"confidential":false,"defaultValues":[636]},"overridable":false,"values":["389"]},{"schema":{"name":"retrieveDeletedGroup","displayName":"Retrieve deleted groups","helpMessage":"Specify TRUE to retrieve deleted groups also","type":"boolean","required":false,"order":3,"confidential":false,"defaultValues":[true]},"overridable":false,"values":["false"]},{"schema":{"name":"trustAllCerts","displayName":"Trust all certs","helpMessage":"Specify TRUE to trust all certs. The default is \"false\".","type":"boolean","required":false,"order":4,"confidential":false,"defaultValues":[false]},"overridable":false,"values":["true"]},{"schema":{"name":"failover","displayName":"Failover","helpMessage":"Failover host:port","type":"[Ljava.lang.String;","required":false,"order":4,"confidential":false,"defaultValues":[]},"overridable":false,"values":[]},{"schema":{"name":"principal","displayName":"Principal","helpMessage":"Insert DN of a user with administration capabilities","type":"java.lang.String","required":false,"order":5,"confidential":false,"defaultValues":[]},"overridable":false,"values":["CN=Administrator,CN=Users,DC=DELL,DC=COM"]},{"schema":{"name":"membershipsInOr","displayName":"Verify memberships in OR","helpMessage":"Specify TRUE if you want to verify memberships using OR logical operator. The default is \"false\".","type":"bool
Re: Active Directory Connector - Delete User Not Working
.String;","required":false,"order":13,"confidential":false,"defaultValues":[]},"overridable":false,"values":["OU=SYNCOPE,DC=DELL,DC=COM"]},{"schema":{"name":"groupMemberReferenceAttribute","displayName":"Group members reference attribute ","helpMessage":"Group attribute referencing (by DN) the users members of a group","type":"java.lang.String","required":false,"order":14,"confidential":false,"defaultValues":["member"]},"overridable":false,"values":["member"]},{"schema":{"name":"groupOwnerReferenceAttribute","displayName":"Group owner reference attribute","helpMessage":"Group attribute name referencing (by DN) the owner","type":"java.lang.String","required":false,"order":15,"confidential":false,"defaultValues":["managedBy"]},"overridable":false,"values":["managedBy"]},{"schema":{"name":"startSyncFromToday","displayName":"Null token is the latest","helpMessage":"Reset null token value to the latest (sync with null token will not return any result). The default is \"true\".","type":"boolean","required":false,"order":16,"confidential":false,"defaultValues":[true]},"overridable":false,"values":[true]},{"schema":{"name":"pwdUpdateOnly","displayName":"Permit password update only","helpMessage":"Specify TRUE if you want to permit password update only: create/delete operation will be denied while other attributes update requests will be ignored.","type":"boolean","required":true,"order":17,"confidential":false,"defaultValues":[false]},"overridable":false,"values":[false]},{"schema":{"name":"membershipConservativePolicy","displayName":"Conservative membership policy","helpMessage":"Conservative managing and assignment of groups to user. 
The groups already assigned will not be removed.","type":"boolean","required":false,"order":18,"confidential":false,"defaultValues":[false]},"overridable":false,"values":[false]},{"schema":{"name":"defaultIdAttribute","displayName":"Default Uid","helpMessage":"The name of the attribute which is mapped to the id attribute in case of object different from account and group. Default is \"cn\".","type":"java.lang.String","required":false,"order":19,"confidential":false,"defaultValues":["cn"]},"overridable":true,"values":["cn"]},{"schema":{"name":"uidAttribute","displayName":"Uid Attribute","helpMessage":"The name of the attribute which is mapped to the Uid attribute. Default is \"sAMAccountName\".","type":"java.lang.String","required":false,"order":21,"confidential":false,"defaultValues":["sAMAccountName"]},"overridable":true,"values":["cn"]},{"schema":{"name":"gidAttribute","displayName":"Uid Attribute for groups","helpMessage":"The name of the attribute which is mapped to the Uid attribute for groups. Default is \"sAMAccountName\".","type":"java.lang.String","required":false,"order":22,"confidential":false,"defaultValues":["sAMAccountName"]},"overridable":false,"values":["sAMAccountName"]},{"schema":{"name":"objectClassesToSynchronize","displayName":"Object classes to synchronize","helpMessage":"Specify object classes to identify entry to synchronize","type":"[Ljava.lang.String;","required":false,"order":25,"confidential":false,"defaultValues":["user"]},"overridable":false,"values":["user","organizationalUnit"]}],"capabilities":["CREATE","UPDATE","DELETE","SEARCH","SYNC"]} AD_Resource: {"key":"AD_users_groups","
Re: Active Directory Connector - Delete User Not Working
Hi Sudeesh,

On 20/06/2018 14:37, Sudeesh Kumar P wrote: Hi, I have setup the Apache Syncope project 2.0.5 which was obtained from (https://github.com/Tirasa/syncopeWithActiveDirectory.git <http://github.com/Tirasa/syncopeWithActiveDirectory.git>). I have connected my Active directory server through AD connector. I can import user to Apache Syncope through the connector. If I delete a user in Active directory it is not getting removed from Apache Syncope. I can also see that the user is removed from the AD_resource. I used Full_Reconciliation pull task and also enabled delete option in both connector side and resource side. If I use Incremental option for Pull Task, I can see the user getting imported to the AD connector resource but the user is not getting created in Apache Syncope. Versions tried – 2.0.5,2.0.8,2.0.9 If there is any working project with the above scenario please share it.

This one should work, but sometimes configuration should be tuned in order to let Syncope work as expected. Which version of Active Directory are you using? Do you see any errors in core.log and core-connid.log files? Please share your connector and resource configuration. You can get them by running:

    curl -X GET "http://syncope-vm.apache.org:9080/syncope/rest/connectors/*my-conn-key*" -H "accept: application/json" -H "X-Syncope-Domain: Master"

and

    curl -X GET "http://syncope-vm.apache.org:9080/syncope/rest/resources/*my-resource-key*" -H "accept: application/json" -H "X-Syncope-Domain: Master"

or using swagger extension [1]

Best regards, Andrea

[1] https://syncope.apache.org/docs/reference-guide.html#swagger

Regards Sudeesh Kumar
Re: Syncope 'Task' table is very large / Too big. How to reduce it?
Hi indhupriya, In order to prevent uncontrolled "Task" size increment you should properly set the trace level of the resource, for propagation and pull operations. You can do this in console by editing the resource (click on resource and then on "Edit resource") and moving trace level from ALL to another value among:
- NONE: no tasks are stored.
- SUMMARY: only a small recap of the whole execution is stored for each task.
- FAILURES: only failed tasks are stored.
You can also do this by updating resource information through Syncope endpoint: http://[host]:[port]/syncope/rest/resources Moreover also notification tasks have a specific trace level and contribute to fill "Task" table. You can setup trace level also for them. In order to solve your current problems you should clean your "Task" table; the drawback is that you'll lose information about propagation/pull tasks run on the resource. HTH, Andrea

On 12/06/2018 10:58, indhupriya wrote: Hi, We are facing connection slowness in syncope 2.0.2 version and sometimes we are not even able to log into syncope because of it. When we did further analysis, we found that the Task.idb file in MySQL Database is too big and when we tried to optimize the table, we in-turn found that the size of "Task" table is too large too. Could someone help us on a possible solution to resolve the issue and how to prevent it from future occurrence? Thanks in Advance, Indhu
Re: Provisioning Realms
Hi Martin, first of all I suggest to refer to this blog post [1] to have a reference on how to configure (also) mapping for realm provisioning. On 03/05/2018 12:14, Martin van Es wrote: Hi, This is related to my earlier question about creating Realms based on dynamic VO's (organized as o= entities in LDAP). I'm trying to get FULL RECONCILIATION working, which succeeds for the first time, but results in unique "u_realm_name" constraint violations on second attempt, even though I have set matching rule to ignore. So, it seems syncope has no way of understanding what realms are already provisioned and this is intended as a one-time provision action? Not at all. The setup uses the __ACCOUNT__ objectclass, because that's the only way I got the search code to apply my object filter (I don't want objects of objectClass=dcObject). Mapping to organization only doesn't apply this filter. In the mapping, I assign internal 'name' to external 'o' (Remote Key, purpose: <-) and use Object link 'o='+name+',dc=scz,dc=vnet'. I set the resource Account objectClass to organization and LDAP Filter for Retrieving Accounts to (!(objectClass=dcObject)). I can see this working correctly when I explore the resource. First time pull results in these successful actions: Realms [created/failures]: 3/0 [updated/failures]: 0/0 [deleted/failures]: 0/0 [no operation/ignored]: 0/0 Realms created in the root realm: CREATE SUCCESS (key/name): 3a3370df-3aa2-4787-b370-df3aa2278786///Foobar CREATE SUCCESS (key/name): 38d90785-ab9c-4fc8-9907-85ab9c2fc8e4///Foobar2 CREATE SUCCESS (key/name): b3c86117-400b-457d-8861-17400bf57d5d///Foobar3 Please check if realm path is correctly created on Syncope. But all successive attempts result in these exceptions in the core-connid.log (abbreviated for readability): org.apache.openjpa.persistence.EntityExistsException: The transaction has been rolled back. See the nested exceptions for details on the errors that occurred. 
Caused by: org.apache.openjpa.persistence.EntityExistsException: ERROR: duplicate key value violates unique constraint "u_realm_name" Detail: Key (name, parent_id)=(Foobar, ea696a4f-e77a-4ef1-be67-8f8093bc8686) already exists. {prepstmnt 220401755 INSERT INTO Realm (id, name, ACCOUNTPOLICY_ID, PARENT_ID, PASSWORDPOLICY_ID) VALUES (?, ?, ?, ?, ?)} [code=0, state=23505] While pulling realms you need to correctly manage the realm matching, please refer to the blog post to correctly configure realms pull (§Advanced: Pull Organizational Units as Syncope Realms). If I set matching policy to update, this should never result in an INSERT, so it's clear there is no match and the provisioner tries to "provision". Best regards, Martin HTH, Andrea [1] http://blog.tirasa.net/syncope-basics-manage-active-directory.html -- Dott. Andrea Patricelli Tel. +39 3204524292 Developer @ Tirasa S.r.l. Viale D'Annunzio 267 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Re: How share spring bean data about connector in high available environment?
Hi Elena, What do you exactly mean with "in memory"? If I correctly got your observation I can suggest that: Syncope, indeed, saves relevant data on database and does not maintain them in memory. You should configure properly your Syncope cluster in order to avoid such problems, especially jpa persistence layer through openjpa remote commit provider. Which version are you using? If you're on 2.0, please refer to [1]. HTH, Andrea [1] https://syncope.apache.org/docs/reference-guide.html#high-availability On 02/04/2018 04:03, Elena Hong wrote: How can each syncope server in a high available environment share a connector which is saved as a spring bean in memory? * My environment. I set high available with two syncope servers called A, B and nginx. * My problem 1. I call connector update api to nginx. 2. nginx call syncope server A, and update connector 'new' data in DB and spring bean. 3. I call connector read api to nginx. 4. nginx call syncope server B, then B returned 'old' data at spring bean. How can I solve it..? give me a tip please..
Re: How to make sql queries on a authentication groovy script
Ok, now I got it. You do not need to read Syncope mapping, or anything by Syncope, but options and objectClass. You only have to return the value of the email attribute read from the REST WS response. The name of the external attribute you should already know, it is static, because it is the one used in the mapping. Best regards, Andrea On 28/02/2018 13:21, HugoCerdeira wrote: Thanks once again for the quick reply, Setting the mapping as bidirectional, did not work. Using the command "this.binding.variables.each {k,v -> map[k]=v}" on my groovy script, to check what it actually has I get the following map: [password:authPassword, log:org.identityconnectors.common.logging.Log@2d9ed949, objectClass:__ACCOUNT__, options:[:], client:org.apache.cxf.jaxrs.client.WebClient@2adc36e6, action:AUTHENTICATE, username:authUsername] It's like the mapping is being ignored. Cheers, Hugo Cerdeira.
Re: How to make sql queries on a authentication groovy script
On 28/02/2018 13:08, HugoCerdeira wrote: Hi, Thanks for your quick answers, After mapping the email on the resource, I can't access it on the groovyscript. This is my mapping: <http://syncope-user.1051894.n5.nabble.com/file/t338967/Screen_Shot_2018-02-28_at_12.png> If I use the external_email on the groovyscript, my script just fails to execute. Any idea on what's going on? Please try to set the mapping as bidirectional: double arrow icon in mapping tab. Cheers, Hugo Cerdeira. Best regards, Andrea -- Dott. Andrea Patricelli Tel. +39 3204524292 Engineer @ Tirasa S.r.l. Viale D'Annunzio 267 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Re: How to make sql queries on a authentication groovy script
On 28/02/2018 11:31, HugoCerdeira wrote: Hi, Well that helps, but what if I need to get the user email in order to make the external authentication work? It seems like I can't access the email, even if I map it on the resource. Use email as remote key and add mapping on Syncope: email -> external_email. In groovy script you just need to return external_email value and add the previous mapping to Syncope. Thanks for your help, Hugo Cerdeira. Best regards, Andrea
Re: How to make sql queries on a authentication groovy script
Good morning, On 27/02/2018 17:59, HugoCerdeira wrote: Hi, I'm making an authentication groovy script my goal is the following flow: 1. Script makes a request to a service sending the user and password. 2. If the request response is successful query the syncope db for the user id, using the username. 3. Return the user id. The problem is, since the resource is configured as a REST resource, how can I execute sql queries from the script? Is it possible to do that without having to hardcode the sql connection config into my groovy script? You do not need to query Syncope database to look for id on Syncope. Because you only need to return the value of the attribute that, on Syncope, is mapped as remote key. I mean: if your mapping for remote key looks like "username -> idattribute" (syncope -> REST resource) you only need to return the value of idattribute on REST resource. Syncope will take care of looking (on the REST resource) if id is correct by using the mapping. P.S. if you need to look for a user on Syncope always prefer rest apis [1] to db client ;) Thanks, Hugo Cerdeira. Best regards, Andrea [1] https://syncope.apache.org/docs/reference-guide.html#rest
Re: Pass-throught authentication
erInternal(FilterChainProxy.java:214) org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)/ From the example on git here <https://github.com/apache/syncope/blob/master/fit/core-reference/src/test/resources/rest/AuthenticateScript.groovy> , I concluded that in order to the script succeed authenticating the user it must return a valid user Id, so my script (for testing purposes) literally returns an id from an user: return "random id"; My configs Resource config <http://syncope-user.1051894.n5.nabble.com/file/t338967/1.png> <http://syncope-user.1051894.n5.nabble.com/file/t338967/2.png> <http://syncope-user.1051894.n5.nabble.com/file/t338967/3.png> <http://syncope-user.1051894.n5.nabble.com/file/t338967/4.png> Policy <http://syncope-user.1051894.n5.nabble.com/file/t338967/pol.png> Any help is greatly appreciated, thanks, Hugo Cerdeira. -- Sent from: http://syncope-user.1051894.n5.nabble.com/ -- Dott. Andrea Patricelli Tel. +39 3204524292 Developer @ Tirasa S.r.l. Viale D'Annunzio 267 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Re: Syncope Installation problem
Hi Jayamal, you may have some errors while starting Syncope standalone. Do you see some errors in log files? You can find them in apache-tomcat*/logs directory and should check especially core.log and catalina.out. Best regards, Andrea On 23/02/2018 08:07, Jayamal Jayamaha wrote: hey when I try to connect using above username and password, I got following error. Any idea about this. Any help would be appreciated Login failed: java.net.ConnectException: ConnectException invoking http://localhost:9080/syncope/rest/platform: Connection refused: connect On Thu, Feb 22, 2018 at 1:35 PM, Francesco Chicchiriccò <ilgro...@apache.org <mailto:ilgro...@apache.org>> wrote: On 22/02/2018 06:16, Jayamal Jayamaha wrote: Hey I have successfully installed the standalone version and now I want the user name and password to log to the end-user/app. can I know what is the user name and password or should I create a new user account? Short answer: admin / password Long answer: keep reading the getting started guide: https://ci.apache.org/projects/syncope/master/getting-started.html#paths-and-components <https://ci.apache.org/projects/syncope/master/getting-started.html#paths-and-components> That's everything you've got now. Regards. On Wed, Feb 21, 2018 at 5:42 PM, Francesco Chicchiriccò <ilgro...@apache.org <mailto:ilgro...@apache.org>> wrote: On 21/02/2018 06:20, Jayamal Jayamaha wrote: hey I installed syncope to my machine using gui installer. but at last moment it gave me some errors. I have attached a screen shot of the log. Do you have any Idea about to solve this. any help would be appreciated Hi, did you follow all the steps from https://ci.apache.org/projects/syncope/master/getting-started.html#gui-installer <https://ci.apache.org/projects/syncope/master/getting-started.html#gui-installer> ? In particular, have you correctly set up $CATALINA_HOME/conf/tomcat-users.xml? 
Anyway, I would suggest to go with standalone, as reported in https://issues.apache.org/jira/browse/SYNCOPE-1220?focusedCommentId=16369813=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16369813 <https://issues.apache.org/jira/browse/SYNCOPE-1220?focusedCommentId=16369813=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16369813> HTH Regards. -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/ <http://home.apache.org/%7Eilgrosso/> -- Dott. Andrea Patricelli Tel. +39 3204524292 Developer @ Tirasa S.r.l. Viale D'Annunzio 267 - 65127 Pescara Tel +39 0859116307 / FAX +39 085973 http://www.tirasa.net Apache Syncope PMC Member
Travel Assistance applications open
Hi all, I'm pleased to forward to you this message from Apache TAC. - The Travel Assistance Committee (TAC) are pleased to announce that travel assistance applications for ApacheCon NA 2018 are now open! We will be supporting ApacheCon NA Montreal, Canada on 24th - 29th September 2018 TAC exists to help those that would like to attend ApacheCon events, but are unable to do so for financial reasons. For more info on this year's applications and qualifying criteria, please visit the TAC website at <http://www.apache.org/travel/>. Applications are now open and will close 1st May. Important: Applications close on May 1st, 2018. Applicants have until the closing date above to submit their applications (which should contain as much supporting material as required to efficiently and accurately process their request), this will enable TAC to announce successful awards shortly afterwards. As usual, TAC expects to deal with a range of applications from a diverse range of backgrounds. We therefore encourage (as always) anyone thinking about sending in an application to do so ASAP. We look forward to greeting many of you in Montreal Kind Regards, Gavin - (On behalf of the Travel Assistance Committee)
Re: In-depth REST documentation
I think that swagger is the best choice to find out the correct JSON request body. For example, to make user self operations, use [1]. Click on your preferred operation (UserSelf) and then click on top right "Try it out" button. You'll find some sample well-formed JSON values. You should send the JSON suggested for each request. Best regards, Andrea [1] http://syncope-vm.apache.org:9080/syncope/swagger/ On 09/02/2018 15:31, PeeDub wrote: I am aware of those resources. Of note is that documentation: - does not describe what fields are required and which are optional - does not mention required fields such as "@class" - does not list values for certain constrained fields (such as "type") I am guessing that this list is my best hope for such questions?
Re: In-depth REST documentation
Hi, please take a look at [1] and especially to swagger extension [2]. You can also be interested in Syncope playground environment at [3] and [4]. HTH, Andrea [1] https://syncope.apache.org/docs/index.html [2] https://syncope.apache.org/docs/reference-guide.html#swagger [3] http://syncope-vm.apache.org:9080/syncope-console [4] http://syncope-vm.apache.org:9080/syncope/swagger/ On 08/02/2018 21:06, PeeDub wrote: Hello, I wonder if there is some in-depth documentation for using the REST API for Syncope somewhere. It took me forever to realize that I needed to add an "@class" attribute to my JSON for self registration, and that it needed to have the value "org.apache.syncope.common.lib.to.UserTO". Is there somewhere where this kind of information is captured?
Re: UPDATING USERS AND GROUPS
Hi Jim,

sorry for the late.

On 01/17/18 02:17, Jim wrote:
> Hi Andrea,
>
> Already tried fresh installation and re-testing but still having the same results. It's ok when using API calls and with 2.0.7-SNAPSHOT. Since it's ok with API calls we can close this thread but hoping you'll fix this for future versions.
>
> Btw, have you tried installing a fresh Apache Syncope 2.0.7 using GUI installer and reproduce my problem? Just for confirmation purposes or maybe I am the only one who encountered this problem :)

Thanks for reporting, I'm not excluding that there's a problem. Thanks for reporting, I'm going to try a fresh installation and let you know here.

Have a nice day,
Andrea

> Thank you!
Re: UPDATING USERS AND GROUPS
Hi Jim,

could you try to clean Syncope database and re-test with a fresh installation? Or at least could you share some more info about your environment and syncope logs like core.log, etc.?

Best regards,
Andrea

On 16/01/2018 04:10, Jim wrote:
> Hi Andrea,
>
> Here is how I reproduce the problem and the provided solution:
>
> Note: happens only before 5 mins of execution (e.g. pulling, pushing, created and updating)
>
> 1st situation (pulled/pushed users):
> 1. Successfully pulled/pushed users
> 2. Clicked on the desired user
> 3. Clicked edit
> 4. Edited desired information
> 5. Clicked Finish
> 6. Error appears
>
> 2nd situation (newly created user):
> 1. Clicked newly created user
> 2. Clicked edit
> 3. Edited desired information
> 4. Clicked Finish
> 5. Error appears
>
> 3rd situation (newly updated user):
> 1. Clicked newly updated user
> 2. Clicked edit
> 3. Edited desired information
> 4. Clicked Finish
> 5. Error appears
>
> Applying solution provided:
> 1. Clicked newly updated/created/pulled/pushed user
> 2. Clicked edit
> 3. Edited desired information
> 4. Clicked Finish
> 5. Error appears
> 6. Closed window
> 7. Re-open window
> 8. Clicked Finish
> 9. Error still appears
>
> Please correct me if I'm doing it wrong.
>
> Thanks!
Re: UPDATING USERS AND GROUPS
Hi Jim,

This error is due to the fact that you are updating an "old" entity, this means that someone concurrently updated (and saved) the same entity, while you were updating it. This is a "controlled" exception to avoid clash of updates on the same object. The control is done on the ETag value assigned to User objects. If you close and re-open the edit window you shouldn't get this exception anymore.

Best regards,
Andrea

On 13/01/2018 04:23, Jim wrote:
> Thank you for the quick reply!
>
> What I mean is after updating and upon reupdating the said user or group before 5 mins I get the error
>
> java.util.concurrent.ExecutionException: org.apache.syncope.common.lib.SyncopeClientException: ConcurrentModification [Mismatching ETag value].
>
> Please see [1] for the screenshot of the error.
>
> [1] https://pasteboard.co/H2FQCKk.png
>
> Thanks!
>
> Regards,
> Jim
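The ETag check described in the reply above, modelled as an added example (not Syncope's code and not part of the original thread): an in-memory store rejects a save made from a stale copy, and re-reading the entity first, which is what re-opening the edit window does, lets the save through. The class names, function names and the hash-based ETag are assumptions made for illustration.

```python
import hashlib
import json


class ConcurrentModification(Exception):
    """The caller's ETag no longer matches the stored entity."""


class UserStore:
    """Toy in-memory stand-in for a server that guards updates with ETags."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _etag(record):
        # Assumption: the ETag covers the content and a revision counter,
        # so every saved change yields a new value.
        raw = json.dumps(record, sort_keys=True).encode()
        return hashlib.sha256(raw).hexdigest()[:16]

    def create(self, key, entity):
        self._records[key] = {"entity": dict(entity), "revision": 0}
        return self.read(key)

    def read(self, key):
        record = self._records[key]
        return dict(record["entity"]), self._etag(record)

    def update(self, key, changes, if_match):
        record = self._records[key]
        # The comparison happens before anything is written, so a stale
        # editor can never overwrite a change it has not seen.
        if if_match != self._etag(record):
            raise ConcurrentModification("Mismatching ETag value")
        record["entity"].update(changes)
        record["revision"] += 1
        return self.read(key)


def save_with_refresh(store, key, changes, etag, max_attempts=2):
    """Save `changes`; on a mismatch re-read and retry with the fresh ETag.

    Returns (entity, etag, attempts). Re-applying the same changes is only
    safe when they touch fields the other editor did not modify; an
    interactive client should show the refreshed entity to the user instead.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            entity, new_etag = store.update(key, changes, if_match=etag)
            return entity, new_etag, attempt
        except ConcurrentModification:
            if attempt == max_attempts:
                raise
            _, etag = store.read(key)  # equivalent of re-opening the edit window


def demo():
    store = UserStore()
    # Constructed sample user; two editors open it and hold the same ETag.
    _, etag = store.create("jim", {"firstname": "Jim", "surname": "Doe"})
    etag_a = etag_b = etag
    store.update("jim", {"firstname": "James"}, if_match=etag_a)  # editor A saves
    try:
        store.update("jim", {"surname": "Smith"}, if_match=etag_b)  # editor B, stale
        rejected = False
    except ConcurrentModification:
        rejected = True
    entity, _, attempts = save_with_refresh(store, "jim", {"surname": "Smith"}, etag_b)
    return rejected, entity, attempts


if __name__ == "__main__":
    print(demo())
```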
Re: UPDATING USERS AND GROUPS
Hi Jim,

I'm not sure that your issue is related to the GUI installer. What kind of delay are you experiencing when you do an update with 2.0.7 installer? Do you see admin console stuck? Could you share logs of your syncope installation?

Best regards,
Andrea

On 12/01/2018 13:36, Jim wrote:
> Good day,
>
> I have syncope 2.0.7 installed in my system with the use of GUI installer. My issue is that after I update the details of a user or group, I need to wait 5 minutes in order to update it again. I tried 2.0.7 SNAPSHOT and it can update continuously.
>
> Is this how it behaves in GUI installer? or maybe you can add it in the road map for 2.0.8 GUI installer?
>
> Thanks!
>
> Regards,
> Jim
Re: Syncope API - /users/{key} PATCH error
Hi Jim,

I guess that you are doing an update of a User through a UserPatch, am I right?

Your JSON is wrong; there is an error in your JSON definition:

Unrecognized field "schema"

"schema" and "values" should be inside "attrTO", since they are attributes of the AttrTO entity.

Here is a correct example:

    {
      "plainAttrs": [
        {
          "attrTO": {
            "schema": "firstname",
            "schemaInfo": {
              "anyTypeClass": "BaseUser",
              "@class": "org.apache.syncope.common.lib.to.PlainSchemaTO",
              "key": "firstname"
            },
            "values": [ "myname" ]
          },
          "operation": "ADD_REPLACE"
        }
      ],
      "key": "b58456e3-8cb7-4183-8456-e38cb73183a4"
    }

Please also use the swagger application at [1] to play with Syncope REST services.

HTH,
Andrea

[1] http://syncope-vm.apache.org:9080/syncope/swagger/

On 09/01/2018 11:40, Jim wrote:
> Good day,
>
> I would like to ask about the error I encountered when I tried to call http://localhost:8080/syncope/rest/users/b58456e3-8cb7-4183-8456-e38cb73183a4
>
> This is my sample JSON BODY:
>
>     {
>       "plainAttrs": [
>         {
>           "schema": "firstname",
>           "attrTO": {
>             "schemaInfo": {
>               "anyTypeClass": "BaseUser",
>               "@class": "org.apache.syncope.common.lib.to.PlainSchemaTO",
>               "key": "firstname"
>             }
>           },
>           "values": [ "myname" ],
>           "operation": "ADD_REPLACE"
>         }
>       ],
>       "key": "b58456e3-8cb7-4183-8456-e38cb73183a4"
>     }
>
> ERROR:
>
> http://syncope.apache.org/2.0;>UnrecognizedPropertyException: Unrecognized field "schema" (class org.apache.syncope.common.lib.patch.AttrPatch), not marked as ignorable (2 known properties: "attrTO", "operation"]) at [Source: (org.apache.cxf.transport.http.AbstractHTTPDestination$1); line: 4, column: 14] (through reference chain: org.apache.syncope.common.lib.patch.UserPatch["plainAttrs"]-java.util.HashSet[0]-org.apache.syncope.common.lib.patch.AttrPatch["schema"])500Unknown
>
> Hope you can help me! Thank you!
>
> Regards,
> Jim
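A pre-flight check for the request body discussed in this thread, as an added example (not part of the original messages and not Syncope code): it reports fields that an AttrPatch entry does not accept, using the two known properties named in the error message, and moves misplaced "schema" and "values" under "attrTO" as the reply advises. The function names are hypothetical, and requiring "schema" inside "attrTO" is an assumption drawn from the working example in the reply.

```python
import copy
import json

# The two properties the error message in the thread lists for AttrPatch.
ATTR_PATCH_FIELDS = {"attrTO", "operation"}
# Fields the reply says belong inside "attrTO".
ATTR_TO_FIELDS = ("schema", "values")

# Request body from the question (rejected by the server), copied from the thread.
REJECTED_BODY = json.loads("""
{ "plainAttrs": [ { "schema": "firstname",
    "attrTO": { "schemaInfo": { "anyTypeClass": "BaseUser",
      "@class": "org.apache.syncope.common.lib.to.PlainSchemaTO",
      "key": "firstname" } },
    "values": [ "myname" ], "operation": "ADD_REPLACE" } ],
  "key": "b58456e3-8cb7-4183-8456-e38cb73183a4" }
""")

# Corrected body from the reply, copied from the thread.
ACCEPTED_BODY = json.loads("""
{ "plainAttrs": [ { "attrTO": { "schema": "firstname",
      "schemaInfo": { "anyTypeClass": "BaseUser",
        "@class": "org.apache.syncope.common.lib.to.PlainSchemaTO",
        "key": "firstname" },
      "values": [ "myname" ] },
    "operation": "ADD_REPLACE" } ],
  "key": "b58456e3-8cb7-4183-8456-e38cb73183a4" }
""")


def lint_user_patch(body):
    """Return a list of human-readable problems found in body["plainAttrs"]."""
    problems = []
    for index, entry in enumerate(body.get("plainAttrs", [])):
        path = f"plainAttrs[{index}]"
        for name in sorted(set(entry) - ATTR_PATCH_FIELDS):
            hint = ' (move it into "attrTO")' if name in ATTR_TO_FIELDS else ""
            problems.append(f'{path}: unrecognized field "{name}"{hint}')
        attr_to = entry.get("attrTO")
        if not isinstance(attr_to, dict):
            problems.append(f'{path}: "attrTO" must be an object')
        elif "schema" not in attr_to and "schema" not in entry:
            # Assumption: without a schema name the attribute cannot be identified.
            problems.append(f'{path}.attrTO: missing "schema"')
        if "operation" not in entry:
            problems.append(f'{path}: missing "operation"')
    return problems


def repair_user_patch(body):
    """Return a copy of body with misplaced AttrTO fields moved under "attrTO"."""
    fixed = copy.deepcopy(body)
    for entry in fixed.get("plainAttrs", []):
        attr_to = entry.setdefault("attrTO", {})
        for name in ATTR_TO_FIELDS:
            if name in entry:
                # A value already nested under attrTO wins over the misplaced one.
                attr_to.setdefault(name, entry[name])
                del entry[name]
    return fixed


if __name__ == "__main__":
    for problem in lint_user_patch(REJECTED_BODY):
        print(problem)
    print(json.dumps(repair_user_patch(REJECTED_BODY), indent=2))
```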
Re: Can I stop a task during it is running?
Hi Elena,

Tasks control panel is located in the admin console under the "Control" tab of the Dashboard page, i.e. the page that you see just after login. In the control page you can see all jobs that are related to scheduled or running tasks. If a job is running, the admin console shows a reload spinner moving and a stop button.

Hth,
Andrea

On 14 Dec 2017, at 02:15, Elena Hong wrote:
> Hello.
>
> I wonder that stop a task.
>
> Can I stop a task during it is running?
> I found syncope Reference docs and API docs, I didn't find it.
> Even if I delete task during task is running, It doesn't stop.
>
> Give me a answer please.
>
> Thank you!
Re: Pull users from LDAP
Re: Using Syncope as authentication point for other applications like graylog,grafana
Hi sumankrishnaprasad,

At the moment Syncope cannot be used as authentication provider. Though in its roadmap are scheduled some improvements to let Syncope act as OAuth or SAML provider, please check [1]. You should evaluate projects like CAS [2].

HTH,
Andrea

[1] https://issues.apache.org/jira/projects/SYNCOPE/versions/12334366
[2] https://www.apereo.org/projects/cas

On 26/07/2017 09:51, sumankrishnaprasad wrote:
> Hi
>
> We are using graylog for consolidating various logs and grafana for monitoring various nodes. We want to authenticate users logging to grafana and graylog to be authenticated through syncope configured with our ldap. I was able to configure syncope with our ldap. Can you provide me some direction or some example configuration how I can use syncope as authentication provider for other applications such as graylog and grafana.
>
> -- View this message in context: http://syncope-user.1051894.n5.nabble.com/Using-Syncope-as-authentication-point-for-other-applications-like-graylog-grafana-tp5709322.html Sent from the syncope-user mailing list archive at Nabble.com.
Re: H2 Database
Hi,

On 26/07/2017 12:32, Dino Mifsud wrote:
> Hi
>
> Yes...I solved the issue it now starts well. Apparently it was caused by jdbc pool setting in Tomcat which I had set up following the steps here: https://syncope.apache.org/docs/reference-guide.html#apache-tomcat-8-and-8-5
>
> are these settings not needed for Tomcat?

Yes those settings are needed.

Best regards,
Andrea

> On 26 Jul 2017, at 12:15 PM, Andrea Patricelli <andreapatrice...@apache.org> wrote:
>> Have you created database syncope with credentials syncope/syncope? And, moreover, have you carefully followed DBMS configuration guide at [1]? Be careful while editing provisioning.properties and Master.properties, you have only to update some lines, not all the file.
>>
>> [1] https://syncope.apache.org/docs/reference-guide.html#postgresql
>>
>> On 26/07/2017 12:10, Dino Mifsud wrote:
>>> No I missed that thanks. It seems to have solved the issue. The database tables now seem to be created in postgres however the application still fails to start. The error in the log folder is this:
>>>
>>> 12:03:49.617 INFO org.apache.syncope.core.provisioning.java.ConnectorManager - Done loading 0 connectors
>>> 12:03:51.889 ERROR org.apache.syncope.core.provisioning.api.job.JobManager - Could not remove job taskJob89de5014-e3f5-4462-84d8-d97575740baf
>>> org.quartz.impl.jdbcjobstore.LockException: Failure obtaining db row lock: ERROR: current transaction is aborted, commands ignored until end of transaction block {prepstmnt 583897870 SELECT * FROM QRTZ_LOCKS WHERE SCHED_NAME = 'scheduler' AND LOCK_NAME = ? FOR UPDATE} [code=0, state=25P02]
>>>     at org.quartz.impl.jdbcjobstore.StdRowLockSemaphore.executeSQL(StdRowLockSemaphore.java:157) ~[quartz-2.3.0.jar:?]
>>>     at org.quartz.impl.jdbcjobstore.DBSemaphore.obtainLock(DBSemaphore.java:113) ~[quartz-2.3.0.jar:?]
>>>     at org.quartz.impl.jdbcjobstore.JobStoreCMT.executeInLock(JobStoreCMT.java:238) ~[quartz-2.3.0.jar:?]
Re: H2 Database
Hi Dino,

are you generating the project from archetype like described at [1] or are you using another evaluation method? Supposing that you are using the archetype you can refer to [2] and [3] in order to set up the PostgreSQL DBMS.

[1] https://syncope.apache.org/docs/getting-started.html#create-project
[2] https://syncope.apache.org/docs/reference-guide.html#system-administration
[3] https://syncope.apache.org/docs/reference-guide.html#postgresql

On 25/07/2017 19:12, Dino Mifsud wrote:
> I would like to use a postgres DB instead of the H2 database. I did the changes in Master.properties file as shown but still it seems it is using the H2 database. What could be the problem please?
>
> Thanks
Re: AW: AW: AW: Configuration of LDAP Identity Store
Hi Martin,

On 25/07/2017 14:12, Böhmer, Martin wrote:
> Hi Andrea,
>
> Your proposed solutions are greatly appreciated. Here are my comments:
>
> 1. I created a JIRA account to file an improvement request. Unfortunately, I seem to lack the right to create an improvement for the "LDAP bundle" component. The only components I can create issues for are COMMONS, REST & OFFICE365. Am I doing something wrong?

No. Sorry I wasn't aware of it. I've opened [1] for you ;)

> 2. I'm not sure if I understood you correctly. Are you saying there is no chance LDAPMembershipPropagationAction will work out of the box? Or that you aren't sure if it will work and it would be worth setting this up and try it out? If it's the second case, I would try it you.

I'm quite sure that the propagation action will not work. I experienced the same issue a little time ago. You should "adapt" it to work out of the box, in order to do this you can try without any modification and see what is its behavior in order to modify it.

> Regards,
> Martin

Best regards,
Andrea

[1] https://connid.atlassian.net/browse/LDAP-25

>> From: Andrea Patricelli [mailto:andreapatrice...@apache.org]
>> Sent: Monday, 24 July 2017 11:33
>> To: user@syncope.apache.org
>> Subject: Re: AW: AW: Configuration of LDAP Identity Store
>>
>> Hi Martin,
>>
>> I perfectly understand your situation. Please see my responses inline.
>>
>> On 22/07/2017 00:53, Böhmer, Martin wrote:
>>> Yes, I have set a group mapping. It's kinda simple:
>>>
>>> Type: User
>>> Object Class: __GROUP__
>>> Mapping name: Int: name ext: cn Remote key: yes
>>> Object Link: 'cn=' + name + ',ou=groups,dc=example,dc=com'
>>>
>>> I had a look at the working example you provided. Using "cn" as the uidAttribute and in the DN for both users and groups worked fine in my test installation. But, this is only going to work in case I can influence the way the DNs are structured, so I am able to harmonise user and group DNs. True for my test environment, but it is not going to work with our production LDAP.
>>>
>>> On the production LDAP server, user DNs are structured "uid=…" and group DNs "cn=…". As a result, the "cn" attribute for users is not a unique identifier, as two different persons can have the same "cn" in our environment (they will get different uids and email addresses, etc). There is no way I can change/harmonise the structure of the DNs (for various reasons).
>>>
>>> Setting the uidAttribute to "cn" proved not to work with our production LDAP server - even though the Object Links of the mappings reflect the differences of the DNs (see above and below). I do not understand why the uidAttribute of the connector config influences the remote key generation as the remote key could be generated only by just evaluating the different ObjectLink JEXL expressions…
>>
>> You are right, uidAttribute is only used to retrieve the entity from the LDAP server, i.e. the connector will search entities by uidAttribute (cn, uid, etc.). For this reason you see the user correctly propagated to LDAP, but not correctly linked on Syncope.
>>
>>> So, any ideas on how to get the sync work with the different DNs?
>>
>> I see two solutions:
>>
>> 1. Implement an improvement on ConnID LDAP connector in order to manage two (or more) different uidAttributes (at least one for USER and another for GROUP), as done for Active Directory connector. You could open an issue (improvement) at [1].
>> 2. Define two different resources, one for USER and the other for GROUP, and set uidAttribute as *Override* while configuring the connector. With this solution you'll be able to define for each resource your specific uidAttribute.
>>
>> Solution 2 unfortunately has a drawback: LDAPMembershipPropagationAction could not work anymore and probably needs to be reviewed in order to work with entities related to two different resources.
>>
>> HTH,
>> Andrea
>>
>> [1] https://connid.atlassian.net/projects/BASE/issues/BASE-56?filter=allopenissues
>>
>>> Regards,
>>> Martin
>>>
>>>> From: Andrea Patricelli [mailto:andrea.patrice...@tirasa.net]
>>>> Sent: Friday, 21 July 2017 15:35
>>>> To: user@syncope.apache.org
>>>> Subject: Re: AW: Configuration of LDAP Identity Store
>>>>
>>>> Have you set a mapping for GROUP? Could you share it? Pay attention to the object link for groups. It should be something like this:
>>>>
>>>> 'cn=' + name + ',ou=groups,dc=sample,dc=com'
>>>>
>>>> If it is correct (as I think) try to use as uidAttribute an attribute that both USER and GROUP have, and is mapped to any of Syncope attributes. cn for example. You have a working example at [1] (Apache DS, resource-ldap).
>>>>
>>>> Best regards,
>>>> Andrea
>>>>
>>>> [1] http://syncope-vm.apache.org:9080/syncope-console
>>>>
>>>> On 21/07/2017 13:15, Böhmer, Martin wrote:
>>>>> Hi Andrea
Re: AW: Configuration of LDAP Identity Store
Have you set a mapping for GROUP? Could you share it? Pay attention to the object link for groups. It should be something like this:

'cn=' + name + ',ou=groups,dc=sample,dc=com'

If it is correct (as I think) try to use as uidAttribute an attribute that both USER and GROUP have, and is mapped to any of Syncope attributes. cn for example. You have a working example at [1] (Apache DS, resource-ldap).

Best regards,
Andrea

[1] http://syncope-vm.apache.org:9080/syncope-console

On 21/07/2017 13:15, Böhmer, Martin wrote:
> Hi Andrea,
>
> Thank you for the quick reply! I changed the uidAttribute as you suggested and sync works for users. However, now I have the very same problem with groups whose remote IDs happen to be empty.
>
> So, when I change the uidAttribute to "uid", will the same connector also work for groups? Or do I need to create a second connector for synchronizing groups? I am asking, because groups have the attribute "cn" in their dn instead of "uid" (see below).
>
> Regards,
> Martin
>
>> From: Andrea Patricelli [mailto:andrea.patrice...@tirasa.net]
>> Sent: Friday, 21 July 2017 12:29
>> To: user@syncope.apache.org
>> Subject: Re: Configuration of LDAP Identity Store
>>
>> Hi Martin,
>>
>> try to change, in connector configuration, the uidAttribute value to *uid* instead of "*entryUUID*". BTW if this does not work could you attach core-connid.log file?
>>
>> HTH,
>> Andrea
>>
>> On 21/07/2017 12:00, Böhmer, Martin wrote:
>>> Hi,
>>>
>>> I cannot get the configuration of my LDAP Identity Store right. What I want is a synchronization of user, groups and group memberships, meaning that everything changed in Syncope is propagated to LDAP and vice-versa.
>>>
>>> With my current configuration below, I am able to pull users from LDAP (pull task) and propagate new users to LDAP when created in Syncope. What is not working is the synchronization of users existing in both systems. Syncope claims about a missing remote key. This is particularly strange when creating a user in Syncope. On the result screen of the user creation, the remote key is correctly displayed. When I close that screen and open the "Manage resources" dialog for that user, the remote key is gone and thus propagation of updates to LDAP fails.
>>>
>>> Any hints would be greatly appreciated!
>>>
>>> Regards,
>>> Martin
>>>
>>> I'm using OpenLDAP. The tree looks like this:
>>>
>>> dc=example,dc=com
>>>   ou=people
>>>     uid=johndoe
>>>     …
>>>   ou=groups
>>>     cn=testgroup
>>>
>>> Here is the configuration of the LDAP connector (properties not listed were not touched = default value):
>>>
>>> Bundle: net.tirasa.connid.bundles.ldap
>>> Host: localhost
>>> TCP Port: 389
>>> Principal: cn=syncope,dc=exmaple,dc=com
>>> Password: **
>>> Base Contexts: dc=exmaple,dc=com
>>> Password Attribute: userPassword
>>> Account Object Classes: top, person, organizationalPerson, inetOrgPerson
>>> Account User Name Attributes: uid, cn
>>> Group Object Classes: top, groupOfuniqueNames
>>> Group Name Attributes: cn
>>> Group Member Attribute: uniqueMember
>>> Maintain LDAP Group Membership: (checked)
>>> Password Hash Algorithm: SSHA
>>> VLV Sort Attribute: uid
>>> Uid Attribute: entryUUID
>>> Read Schema: (checked)
>>> Base Contexts to Synchronize: (empty)
>>> Object Classes to Synchronize: inetOrgPerson, groupOfUniqueNames
>>> Attributes to Synchronize: (empty)
>>> Remove Log Entry Object Class from Filter: (checked)
>>> Enable Password Synchronization: (unchecked)
>>> Status management class: net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement
>>> Capabilities: (all selected)
>>>
>>> And this is the configuration of my LDAP resource:
>>>
>>> Propagation Actions: LDAPPAsswordPropagationAction, LDAPMembershipPropagationAction
>>> Override Capabilities?: (unchecked)
>>> Account Policy: (none)
>>> Password Policy: (none)
>>> Pull Policy: (none)
>>>
>>> Finally, the mapping configuration:
>>>
>>> Type: User
>>> Object Class: __ACCOUNT__
>>> Mapping username: Int: username ext: uid Remote key: yes
>>> Mapping email: Int: email Ext: mail
>>> Mapping password: Int: password Ext: userPassword Password: yes
>>> Object Link: 'uid=' + username + ',ou=people,dc=example,dc=com'
Re: javax.xml.ws.WebServiceException: Remote exception with status code: NOT_FOUND
BTW I reproduced your issue. I guess that if you open your /opt/syncope/conf/security.properties you have a placeholder ${adminUser} instead of admin in the "adminUser" property. Please carefully follow the instructions provided in the documentation at [1] (especially Deployment directories) on how to customize properties and check files under /opt/syncope and everything will work ;)

Best regards,
Andrea

[1] https://syncope.apache.org/docs/reference-guide.html#customization

On 14/03/2017 09:30, Andrea Patricelli wrote:
> Hi,
>
> are you using the maven archetype right? Have you also checked the enduser.properties file? Could you please attach the complete stacktrace?
>
> Best regards,
> Andrea
>
> On 11/03/2017 08:24, alinturbut wrote:
>> Hi,
>>
>> Thanks for the answer. I have managed to get some time and try again without success.
>>
>> My security.properties file:
>>
>>     adminUser=${adminUser}
>>     adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
>>     adminPasswordAlgorithm=SHA1
>>     anonymousUser=${anonymousUser}
>>     anonymousKey=${anonymousKey}
>>     secretKey=${secretKey}
>>     # default for LDAP / RFC2307 SSHA
>>     digester.saltIterations=1
>>     digester.saltSizeBytes=8
>>     digester.invertPositionOfPlainSaltInEncryptionResults=true
>>     digester.invertPositionOfSaltInMessageBeforeDigesting=true
>>     digester.useLenientSaltSizeCheck=true
>>     passwordGenerator=org.apache.syncope.core.spring.security.DefaultPasswordGenerator
>>
>> and the one after build:
>>
>>     adminUser=admin
>>     adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
>>     adminPasswordAlgorithm=SHA1
>>     anonymousUser=anonymous
>>     anonymousKey=12345
>>     secretKey=12345
>>     # default for LDAP / RFC2307 SSHA
>>     digester.saltIterations=1
>>     digester.saltSizeBytes=8
>>     digester.invertPositionOfPlainSaltInEncryptionResults=true
>>     digester.invertPositionOfSaltInMessageBeforeDigesting=true
>>     digester.useLenientSaltSizeCheck=true
>>     passwordGenerator=org.apache.syncope.core.spring.security.DefaultPasswordGenerator
>>
>> It looks ok to me, the sha1 hash is the correct one for the default password "password".

-- Andrea Patricelli Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope
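A deployment check for the two security.properties files quoted in this thread, as an added example (not part of the original messages and not Syncope code): it reports unresolved ${...} placeholders, the condition diagnosed in the reply, and also flags an admin password whose unsalted digest matches a guessable password and keys left at the values shown in the built file. The function names and the guess list are assumptions; the parser handles only simple key=value lines, not the full Java properties syntax.

```python
import hashlib
import re

PLACEHOLDER = re.compile(r"\$\{[^}]+\}")
# Unsalted digests that can be recomputed directly (assumed to be stored as hex).
UNSALTED = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# Constructed guess list; "password" is the default named in the thread.
GUESSABLE = ["password", "admin", "syncope", "changeit"]
# Key values that appear in the thread's built file.
SAMPLE_KEYS = {"anonymousKey": "12345", "secretKey": "12345"}

# Excerpts of the two files quoted in the thread.
UNFILTERED_FILE = """\
adminUser=${adminUser}
adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
adminPasswordAlgorithm=SHA1
anonymousUser=${anonymousUser}
anonymousKey=${anonymousKey}
secretKey=${secretKey}
# default for LDAP / RFC2307 SSHA
digester.saltIterations=1
"""

BUILT_FILE = """\
adminUser=admin
adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
adminPasswordAlgorithm=SHA1
anonymousUser=anonymous
anonymousKey=12345
secretKey=12345
# default for LDAP / RFC2307 SSHA
digester.saltIterations=1
"""


def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return (finding, detail) tuples for a parsed security.properties."""
    findings = []
    # 1. Placeholders that the build never replaced with a real value.
    for key, value in props.items():
        if PLACEHOLDER.search(value):
            findings.append(("unresolved-placeholder", key))
    # 2. Admin password whose digest matches a guessable password.
    algorithm = UNSALTED.get(props.get("adminPasswordAlgorithm", "").upper())
    stored = props.get("adminPassword", "").lower()
    if algorithm and stored:
        for guess in GUESSABLE:
            if hashlib.new(algorithm, guess.encode()).hexdigest() == stored:
                findings.append(("guessable-admin-password", guess))
                break
    # 3. Keys still set to the sample values.
    for key, sample in SAMPLE_KEYS.items():
        if props.get(key) == sample:
            findings.append(("sample-key-value", key))
    return findings


if __name__ == "__main__":
    for name, text in (("unfiltered", UNFILTERED_FILE), ("built", BUILT_FILE)):
        for finding in audit(parse_properties(text)):
            print(name, *finding)
```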
Re: javax.xml.ws.WebServiceException: Remote exception with status code: NOT_FOUND
Hi,

are you using the maven archetype right? Have you also checked the enduser.properties file? Could you please attach the complete stacktrace?

Best regards,
Andrea

On 11/03/2017 08:24, alinturbut wrote:
> Hi,
>
> Thanks for the answer. I have managed to get some time and try again without success.
>
> My security.properties file:
>
>     adminUser=${adminUser}
>     adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
>     adminPasswordAlgorithm=SHA1
>     anonymousUser=${anonymousUser}
>     anonymousKey=${anonymousKey}
>     secretKey=${secretKey}
>     # default for LDAP / RFC2307 SSHA
>     digester.saltIterations=1
>     digester.saltSizeBytes=8
>     digester.invertPositionOfPlainSaltInEncryptionResults=true
>     digester.invertPositionOfSaltInMessageBeforeDigesting=true
>     digester.useLenientSaltSizeCheck=true
>     passwordGenerator=org.apache.syncope.core.spring.security.DefaultPasswordGenerator
>
> and the one after build:
>
>     adminUser=admin
>     adminPassword=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
>     adminPasswordAlgorithm=SHA1
>     anonymousUser=anonymous
>     anonymousKey=12345
>     secretKey=12345
>     # default for LDAP / RFC2307 SSHA
>     digester.saltIterations=1
>     digester.saltSizeBytes=8
>     digester.invertPositionOfPlainSaltInEncryptionResults=true
>     digester.invertPositionOfSaltInMessageBeforeDigesting=true
>     digester.useLenientSaltSizeCheck=true
>     passwordGenerator=org.apache.syncope.core.spring.security.DefaultPasswordGenerator
>
> It looks ok to me, the sha1 hash is the correct one for the default password "password".
Re: Syncope getting stucked
Ah ok, now is a bit clearer, thanks :)

If application starts is good, I suggested better hardware because 2GB are, maybe, the lower bound for memory. About the exceptions, they are too generic, I cannot give you a precise answer on what could be the reason of your problem. Please check also other log files, especially core.log. Moreover it could be also some environment issue (too many open files or other machine configurations or features).

Best regards,
Andrea

On 10/03/2017 10:40, Mohit Agrawal wrote:
> Hi,
>
> Thanks for your reply. Sorry for the confusion. We are using debian release of Syncope and for database, we have connected syncope to AWS' RDS postgreSQL DB.
>
> From the exception, it doesn't look like the issue is because of shortage of memory (not getting exception when do alloc). Do you still feel it is because of memory limitation?
>
> What is this below line indicates?
>
> ERROR org.apache.syncope.client.console.widgets.AlertWidget - Unexpected error while checking for updated approval info
>
> and
>
> javax.ws.rs.ProcessingException: java.net.SocketTimeoutException: SocketTimeoutException invoking http://localhost:8080/syncope/rest/userworkflow/forms: Read timed out
>
> Thank you for your time
>
> Regards,
> Mohit
>
> On Fri, Mar 10, 2017 at 2:17 PM, Andrea Patricelli <andreapatrice...@apache.org> wrote:
>> Hi Mohit,
>>
>> On 10/03/2017 08:48, Mohit Agrawal wrote:
>>> Hi Andrea,
>>>
>>> Yes I have deployed it on single machine (just for testing our application), I am using the standalone version on tomcat 9. Yes, after restart it works.
>>
>> How is it possible that you're using tomcat 9? The newest standalone (available at [1]) is a zipped file with embedded tomcat 8 (refer to [2]).
>>
>>> Do you think this issue is related to memory (no space)?
>>
>> It could be. If you can try with a larger size it could be better, for example 4GB (more important than CPU) and 2-4 cores. First of all because the default db used by the standalone distribution is an in-memory H2 instance. Like described here [3].
>>
>>> our machine configuration is t2.medium in AWS (2 core, 2 GB RAM)
>>> Syncope version: 2.0 (debian release)
>>> We are limiting "soft limit" to 300 MB (while configuring the instance)
>>> We observed CPU and memory usage (reported by AWS) and it is 22 % memory and CPU is less than 2 %
>>>
>>> Thanks for your support.
>>>
>>> Regards,
>>> Mohit
>>
>> Best regards,
>> Andrea
>>
>> [1] http://www.apache.org/dyn/closer.lua/syncope/2.0.2/syncope-standalone-2.0.2-distribution.zip
>> [2] https://syncope.apache.org/docs/getting-started.html#standalone
>> [3] https://syncope.apache.org/docs/getting-started.html#standalone-components
>>
>>> On Thu, Mar 9, 2017 at 1:38 PM, Andrea Patricelli <andreapatrice...@apache.org> wrote:
>>>> Hi Mohit,
>>>>
>>>> I guess that you have deployed the Syncope application on a single machine. What version of Syncope are you using? On which Application server? After a restart does it come back to work? Are you sure that machine hardware is good enough to host a Syncope application?
>>>>
>>>> Best regards,
>>>> Andrea
>>>>
>>>> On 09/03/2017 08:04, Mohit Agrawal wrote:
>>>>> Hi,
>>>>>
>>>>> We are seeing frequent syncope stuck (say after 2 days) in our testing. When we try to use authenticate API ( /users/self ), we are seeing exception in the syncope logs. Could you please help us to identify what could be issue? I have attached syncope log with this email. I have attached the logs.
>>>>>
>>>>> Regards,
>>>>> Mohit
Re: Syncope getting stucked
Hi Mohit,

On 10/03/2017 08:48, Mohit Agrawal wrote:

Hi Andrea, Yes, I have deployed it on a single machine (just for testing our application); I am using the standalone version on Tomcat 9. Yes, after a restart it works.

How is it possible that you're using Tomcat 9? The newest standalone (available at [1]) is a zipped file with embedded Tomcat 8 (refer to [2]).

Do you think this issue is related to memory (no space)?

It could be. If you can try with a larger size it could be better, for example 4GB (more important than CPU) and 2-4 cores. First of all because the default db used by the standalone distribution is an in-memory H2 instance, as described here [3].

Our machine configuration is t2.medium in AWS (2 core, 2 GB RAM). Syncope version: 2.0 (Debian release). We are limiting the "soft limit" to 300 MB (while configuring the instance). We observed CPU and memory usage (reported by AWS) and it is 22 % memory and CPU is less than 2 %. Thanks for your support.

Regards,
Mohit

Best regards,
Andrea

[1] http://www.apache.org/dyn/closer.lua/syncope/2.0.2/syncope-standalone-2.0.2-distribution.zip
[2] https://syncope.apache.org/docs/getting-started.html#standalone
[3] https://syncope.apache.org/docs/getting-started.html#standalone-components

On Thu, Mar 9, 2017 at 1:38 PM, Andrea Patricelli <andreapatrice...@apache.org> wrote:

Hi Mohit, I guess that you have deployed the Syncope application on a single machine. What version of Syncope are you using? On which application server? After a restart does it come back to work? Are you sure that the machine hardware is good enough to host a Syncope application?

Best regards,
Andrea

On 09/03/2017 08:04, Mohit Agrawal wrote:

Hi, We are seeing Syncope frequently getting stuck (say after 2 days) in our testing. When we try to use the authenticate API ( /users/self ), we are seeing an exception in the Syncope logs. Could you please help us to identify what the issue could be? I have attached the Syncope log with this email. I have attached the logs.

Regards,
Mohit

--
Andrea Patricelli
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope