Re: Any tutorials?
Hi Sergio,
sorry, my bad. You need to:

1. declare the JDBC driver dependency in enduser/pom.xml (not core/pom.xml as said initially), as follows:

     <dependency>
       <groupId>mysql</groupId>
       <artifactId>mysql-connector-java</artifactId>
       <version>5.1.42</version>
       <scope>test</scope>
     </dependency>

   right after

     <dependency>
       <groupId>com.h2database</groupId>
       <artifactId>h2</artifactId>
       <scope>test</scope>
     </dependency>

2. add the JDBC driver as Tomcat dependency, via cargo:

     <dependency>
       <groupId>mysql</groupId>
       <artifactId>mysql-connector-java</artifactId>
     </dependency>

   right after

     <dependency>
       <groupId>com.h2database</groupId>
       <artifactId>h2</artifactId>
     </dependency>

I have just tried to be sure, and it worked in embedded mode.

In case of deployment onto an external container (rather than in embedded mode), you'll have to copy the JDBC Driver JAR onto the container's classpath ($CATALINA_HOME/lib for Tomcat).

HTH
Regards.

On 21/08/2017 23:42, Sergio Muriel wrote:
> com.mysql.jdbc.Driver for MySQL
> com.microsoft.sqlserver.jdbc.SQLServerDriver for SQL Server
>
> Yes, I'm trying to configure a DBTable Connector Bundle?
>
> From: Francesco Chicchiriccò <ilgro...@apache.org>
> Sent: Sunday, August 20, 2017 1:02 AM
> To: user@syncope.apache.org
> Subject: Re: Any tutorials?
>
> On 2017-08-20 01:20 Sergio Muriel wrote:
>> Although I can see now the drivers in:
>>
>> core/target/syncope/WEB-INF/lib/mssql-jdbc-6.1.0.jre8.jar
>> core/target/syncope/WEB-INF/lib/mysql-connector-java-5.1.42.jar
>>
>> I still get the same error "InvalidExternalResource [JDBC Driver is not found on classpath.]" when I try to create a new resource.
>>
>> I did as you suggest:
>>
>> * Added the dependency to core/pom.xml
>> * Rebuilt everything from the root directory via "mvn -Pall clean install".
>> * Ran it from enduser via "mvn -P embedded,all"
>>
>> I don't know what is wrong.
>
> Which value did you provide for the "JDBC Driver" property? Are you attempting to configure the DBTable Connector Bundle?
>
> https://connid.atlassian.net/wiki/spaces/BASE/pages/360497/Database+Table#DatabaseTable-ConfigurationProperties
>
> Regards.
>
>> From: Francesco Chicchiriccò <ilgro...@apache.org>
>> Sent: Saturday, August 19, 2017 7:39 AM
>> To: user@syncope.apache.org
>> Subject: Re: Any tutorials?
>>
>> Hi Sergio,
>> about some points below:
>>
>>> First point about AnyTypeClasses worked flawlessly. (Although I'm still trying to figure out why I cannot reuse those schemata pre-loaded there).
>>
>> The pre-loaded Schemas are already assigned to some AnyTypeClass - and each Schema might be assigned to an AnyTypeClass instance at most.
>>
>>> I take back part of what I said on the second point. The dependency addition actually works and downloads the drivers, but I did it on enduser/pom.xml instead of core/pom.xml because the Getting Started page [1] suggests to run it from there:
>>>
>>> " .. then, from the enduser subdirectory, execute:
>>> mvn -P embedded,all"
>>
>> Logically, the MySQL JDBC driver is used by the Core, not by the Enduser UI, so the correct procedure is to add the dependency to core/pom.xml, rebuild everything from the root directory via "mvn clean install" or "mvn -Pall clean install", then move back to the enduser subdirectory and start as reported by the Getting Started guide.
>>
>> Regards.
>>
>> On 19 Aug 2017, at 2:37, Sergio Muriel <sergio...@hotmail.com> wrote:
>>
>>> Hi again Francesco,
>>>
>>> I take back part of what I said on the second point. The dependency addition actually works and downloads the drivers, but I did it on enduser/pom.xml instead of core/pom.xml because the Getting Started page [1] suggests to run it from there:
>>>
>>> " .. then, from the enduser subdirectory, execute:
>>> mvn -P embedded,all"
>>>
>>> Is it okay?
>>>
>>> [1] https://syncope.apache.org/docs/getting-started.html
>>>
>>> From: Sergio Muriel <sergio...@hotmail.com>
>>> Sent: Friday, August 18, 2017 3:06 PM
>>> To: user@syncope.apache.org
>>> Subject: R
Re: Syncope on AWS
On 20/08/2017 14:43, John Stegeman wrote:
> Hello All,

Hi John,
welcome to Apache Syncope :-)

> We have installed Syncope into AWS's CodePipeline (commit/build/deploy) and are using AWS's Elastic Beanstalk environment. We pretty much have the entire process documented and working, however we are running into an error with Console.
>
> Essentially, when trying to access the Users and Groups administration area, Console kicks you out and returns to the login screen. We have tracked down where the return code is being processed. Also, we have checked the API via swagger. We also tried with the distribution WAR's using the built-in H2 database with the same result. The rest of console seems to function properly.
>
> In the console.log this error appears at the top of the log:
>
> 11:38:28.163 ERROR org.apache.cxf.jaxrs.utils.JAXRSUtils - No message body reader has been found for class org.apache.syncope.common.lib.to.ErrorTO, ContentType: text/html;charset=iso-8859-1
> 11:38:28.175 ERROR org.apache.cxf.jaxrs.utils.JAXRSUtils - No message body reader has been found for class java.util.List, ContentType: text/html;charset=iso-8859-1
> 11:38:28.177 ERROR org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener - Exception found
> org.apache.wicket.WicketRuntimeException: Error attaching this container for rendering: [WebMarkupContainer [Component id = body]]
>
> And the subsequent REST call produces this error:
>
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:8.0.45]
> at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]
> Caused by: javax.xml.ws.WebServiceException: Remote exception with status code: NOT_FOUND
> at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:76) ~[syncope-client-lib-2.0.4.jar:2.0.4]
> at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42) ~[syncope-client-lib-2.0.4.jar:2.0.4]
>
> Using swagger on GET /groups/own a 500 error is returned and GET /users returns a 404 error code.
>
> We have actually made great progress and will share with the community. Any insight or suggestions are greatly appreciated.

With which user are you logging into the Admin Console (or are you using Swagger)? admin or other?

In order to understand what is happening, you should share the relevant snippets from your log files (core-* and console); in particular, please clear up all log files' content after logging into Admin Console, then attempt to access the Realms page and see what messages are added there.

Regards.

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Multi-factor authentication in Syncope?
Hi Nicolas,
and glad of your interest in Apache Syncope.

See my replies embedded below.
Regards.

On 2017-08-19 20:41 Nicholas Folse wrote:
> Greetings,
>
> I'm researching digital identity management frameworks and found Apache Syncope. I have two main questions. The first is about implementing support for new authenticators (e.g. U2F, hardware tokens, etc.). The second question is about using Syncope for IoT applications.
>
> FIRST: Does Syncope support multi-factor authentication? The documentation references OAuth, but I can't seem to find any details about how this is done.

AFAICT the only place where OAuth is referenced in the documentation is when it introduces the Access Management technology:

https://syncope.apache.org/docs/reference-guide.html#access-managers

but this does not apply to Syncope, being mainly - at least in the current version - rather a Provisioning Engine:

https://syncope.apache.org/docs/reference-guide.html#provisioning-engines

> How could I implement support for new authenticators? For example, would it be possible to implement a U2F module? The NIST digital identity guidelines (https://pages.nist.gov/800-63-3/sp800-63b.html) detail a number of different authenticators and I'm curious how these could be integrated into Syncope. Other libraries like pac4j also include support for a variety of different authenticators. Could Syncope be adapted to support pac4j?

The authentication and authorization process in Syncope is based on Spring Security, and features JWT:

https://syncope.apache.org/docs/reference-guide.html#rest-authentication-and-authorization

The current authentication methods include only username / password and SAML 2.0 SSO, but the service design built for the latter can definitely be replicated for other mechanisms, including OAuth 2.0:

https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature

FYI, the SAML 2.0 SP feature

https://syncope.apache.org/docs/reference-guide.html#saml-2-0-service-provider

was built on the support provided by Apache CXF, and there are already plans for OAuth 2.0:

https://issues.apache.org/jira/browse/SYNCOPE-534
https://issues.apache.org/jira/browse/SYNCOPE-1018

I'd say that integration with pac4j is definitely possible, but requires some integration work.

On a side note, my company has some experience in integration with CAS:

http://blog.tirasa.net/cas-rest-authentication.html

> SECOND: A recent post on opensource forum mentions Syncope's potential regarding IoT, but I couldn't find any mention of this in the reference guide. Can you point me to some documentation regarding IoT use-cases and scenarios?

The only aspect that could bind Syncope and IoT is ATM its native support for Any Objects, e.g. for modeling new identity types, their attributes and relationships.

Please bear in mind that anything regarding Syncope is currently bound to the provisioning domain.

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Any tutorials?
On 2017-08-20 01:20 Sergio Muriel wrote:
> Although I can see now the drivers in:
>
> core/target/syncope/WEB-INF/lib/mssql-jdbc-6.1.0.jre8.jar
> core/target/syncope/WEB-INF/lib/mysql-connector-java-5.1.42.jar
>
> I still get the same error "InvalidExternalResource [JDBC Driver is not found on classpath.]" when I try to create a new resource.
>
> I did as you suggest:
>
> * Added the dependency to core/pom.xml
> * Rebuilt everything from the root directory via "mvn -Pall clean install".
> * Ran it from enduser via "mvn -P embedded,all"
>
> I don't know what is wrong.

Which value did you provide for the "JDBC Driver" property? Are you attempting to configure the DBTable Connector Bundle?

https://connid.atlassian.net/wiki/spaces/BASE/pages/360497/Database+Table#DatabaseTable-ConfigurationProperties

Regards.

> From: Francesco Chicchiriccò <ilgro...@apache.org>
> Sent: Saturday, August 19, 2017 7:39 AM
> To: user@syncope.apache.org
> Subject: Re: Any tutorials?
>
> Hi Sergio,
> about some points below:
>
>> First point about AnyTypeClasses worked flawlessly. (Although I'm still trying to figure out why I cannot reuse those schemata pre-loaded there).
>
> The pre-loaded Schemas are already assigned to some AnyTypeClass - and each Schema might be assigned to an AnyTypeClass instance at most.
>
>> I take back part of what I said on the second point. The dependency addition actually works and downloads the drivers, but I did it on enduser/pom.xml instead of core/pom.xml because the Getting Started page [1] suggests to run it from there:
>>
>> " .. then, from the enduser subdirectory, execute:
>> mvn -P embedded,all"
>
> Logically, the MySQL JDBC driver is used by the Core, not by the Enduser UI, so the correct procedure is to add the dependency to core/pom.xml, rebuild everything from the root directory via "mvn clean install" or "mvn -Pall clean install", then move back to the enduser subdirectory and start as reported by the Getting Started guide.
>
> Regards.
>
> On 19 Aug 2017, at 2:37, Sergio Muriel <sergio...@hotmail.com> wrote:
>
>> Hi again Francesco,
>>
>> I take back part of what I said on the second point. The dependency addition actually works and downloads the drivers, but I did it on enduser/pom.xml instead of core/pom.xml because the Getting Started page [1] suggests to run it from there:
>>
>> " .. then, from the enduser subdirectory, execute:
>> mvn -P embedded,all"
>>
>> Is it okay?
>>
>> [1] https://syncope.apache.org/docs/getting-started.html
>>
>> From: Sergio Muriel <sergio...@hotmail.com>
>> Sent: Friday, August 18, 2017 3:06 PM
>> To: user@syncope.apache.org
>> Subject: Re: Any tutorials?
>>
>> Hi Francesco,
>>
>> First point about AnyTypeClasses worked flawlessly. (Although I'm still trying to figure out why I cannot reuse those schemata pre-loaded there).
>>
>> Second point about dependency still throws same error: "InvalidExternalResource. JDBC Driver is not found on classpath."
>>
>> This is what I added (right before the first occurrence in core/pom.xml):
>>
>>     <dependency>
>>       <groupId>mysql</groupId>
>>       <artifactId>mysql-connector-java</artifactId>
>>       <version>5.1.42</version>
>>     </dependency>
>>     <dependency>
>>       <groupId>com.microsoft.sqlserver</groupId>
>>       <artifactId>sqljdbc4</artifactId>
>>       <version>4.0</version>
>>     </dependency>
>>
>> Since I'm trying to connect to sqlserver as well.
>>
>> Suggestions will be greatly appreciated.
>> Thank you!
>>
>> Best Regards,
>> Sergio
>>
>> From: Francesco Chicchiriccò <ilgro...@apache.org>
>> Sent: Friday, August 18, 2017 1:32 AM
>> To: user@syncope.apache.org
>> Subject: Re: Any tutorials?
>>
>> Hi Sergio,
>> see my replies embedded below.
>> Regards.
>>
>> On 17/08/2017 23:28, Sergio Muriel wrote:
>>> Thank you Francesco.
>>>
>>> I'm trying to accomplish what you say, however I'm having two issues at the moment:
>>>
>>> 1. I log in to syncope-console/ as admin, click on Types -> AnyTypeClasses -> New AnyTypeClass but I find no schema to add because all lists are empty.
>>
>> Of course, you need first to create new schemas that are not assigned yet to any AnyTypeClass.
>>
>>> 2. I was able to create a connector in Topology -> connid -> Add New Connector, but when I try to create a resource for that connector it shows this error message: InvalidExternalResource. JDBC Driver is not found on classpath.
>>
>> This happens because you are likely attempting to create a DBTable or ScriptedSQL connector for a DBMS (MySQL / MariaDB? PostgreSQL? other?), for which you'll need to include the related JDBC driver.
>>
>> Since it seems you're running the Maven project, just add the related dependency to core/pom.xml (right before the first occurrence):
>>
>>     <dependency>
>>       <groupId>mysql</groupId>
>>       <artifactId>mysql-connector-java</artifactId>
>>       <version>5.1.42</version>
>>     </dependency>
>>
>> for MySQL, or
>>
>>     <dependency>
>>       <groupId>org.mariadb.jdbc</groupId>
>>       <artifactId>mariadb-java-client</artifactId>
>>       <version>1.6.1</version>
>>     </dependency>
>>
>> for MariaDB, and so on.
>>
>>> I created my project with maven archetype and run it with mvn -P embedded,all
>>>
>>> Any clue of what I'm doing wrong here?
Re: Any tutorials?
Hi Sergio,
about some points below:

> First point about AnyTypeClasses worked flawlessly. (Although I'm still trying to figure out why I cannot reuse those schemata pre-loaded there).

The pre-loaded Schemas are already assigned to some AnyTypeClass - and each Schema might be assigned to an AnyTypeClass instance at most.

> I take back part of what I said on the second point. The dependency addition actually works and downloads the drivers, but I did it on enduser/pom.xml instead of core/pom.xml because the Getting Started page [1] suggests to run it from there:
>
> " .. then, from the enduser subdirectory, execute:
> mvn -P embedded,all"

Logically, the MySQL JDBC driver is used by the Core, not by the Enduser UI, so the correct procedure is to add the dependency to core/pom.xml, rebuild everything from the root directory via "mvn clean install" or "mvn -Pall clean install", then move back to the enduser subdirectory and start as reported by the Getting Started guide.

Regards.

On 19 Aug 2017, at 2:37, Sergio Muriel <sergio...@hotmail.com> wrote:

> Hi again Francesco,
>
> I take back part of what I said on the second point. The dependency addition actually works and downloads the drivers, but I did it on enduser/pom.xml instead of core/pom.xml because the Getting Started page [1] suggests to run it from there:
>
> " .. then, from the enduser subdirectory, execute:
> mvn -P embedded,all"
>
> Is it okay?
>
> [1] https://syncope.apache.org/docs/getting-started.html
>
> From: Sergio Muriel <sergio...@hotmail.com>
> Sent: Friday, August 18, 2017 3:06 PM
> To: user@syncope.apache.org
> Subject: Re: Any tutorials?
>
> Hi Francesco,
>
> First point about AnyTypeClasses worked flawlessly. (Although I'm still trying to figure out why I cannot reuse those schemata pre-loaded there).
>
> Second point about dependency still throws same error: "InvalidExternalResource. JDBC Driver is not found on classpath."
>
> This is what I added (right before the first occurrence in core/pom.xml):
>
>     <dependency>
>       <groupId>mysql</groupId>
>       <artifactId>mysql-connector-java</artifactId>
>       <version>5.1.42</version>
>     </dependency>
>     <dependency>
>       <groupId>com.microsoft.sqlserver</groupId>
>       <artifactId>sqljdbc4</artifactId>
>       <version>4.0</version>
>     </dependency>
>
> Since I'm trying to connect to sqlserver as well.
>
> Suggestions will be greatly appreciated.
> Thank you!
>
> Best Regards,
> Sergio
>
> From: Francesco Chicchiriccò <ilgro...@apache.org>
> Sent: Friday, August 18, 2017 1:32 AM
> To: user@syncope.apache.org
> Subject: Re: Any tutorials?
>
> Hi Sergio,
> see my replies embedded below.
> Regards.
>
> On 17/08/2017 23:28, Sergio Muriel wrote:
>> Thank you Francesco.
>>
>> I'm trying to accomplish what you say, however I'm having two issues at the moment:
>>
>> 1. I log in to syncope-console/ as admin, click on Types -> AnyTypeClasses -> New AnyTypeClass but I find no schema to add because all lists are empty.
>
> Of course, you need first to create new schemas that are not assigned yet to any AnyTypeClass.
>
>> 2. I was able to create a connector in Topology -> connid -> Add New Connector, but when I try to create a resource for that connector it shows this error message: InvalidExternalResource. JDBC Driver is not found on classpath.
>
> This happens because you are likely attempting to create a DBTable or ScriptedSQL connector for a DBMS (MySQL / MariaDB? PostgreSQL? other?), for which you'll need to include the related JDBC driver.
>
> Since it seems you're running the Maven project, just add the related dependency to core/pom.xml (right before the first occurrence):
>
>     <dependency>
>       <groupId>mysql</groupId>
>       <artifactId>mysql-connector-java</artifactId>
>       <version>5.1.42</version>
>     </dependency>
>
> for MySQL, or
>
>     <dependency>
>       <groupId>org.mariadb.jdbc</groupId>
>       <artifactId>mariadb-java-client</artifactId>
>       <version>1.6.1</version>
>     </dependency>
>
> for MariaDB, and so on.
>
>> I created my project with maven archetype and run it with mvn -P embedded,all
>>
>> Any clue of what I'm doing wrong here?
>>
>> Your help is very appreciated.
>> Sergio
>>
>> From: Francesco Chicchiriccò <ilgro...@apache.org>
>> Sent: Friday, August 11, 2017 5:14 AM
>> To: user@syncope.apache.org
>> Subject: Re: Any tutorials?
>>
>> On 10/08/2017 19:16, Sergio Muriel wrote:
>>> Hi,
>>> does anyone know about any easy to follow Syncope tutorials or documentation?
>>> I have been reading the reference guide but I find it hard to follow.
>>> This is what I need to do: Synchronize db2db fields, web service to web service and database fields to web service and vice versa.
>>
>> Hi Sergio, and welcome to Apache Syncope!
>>
>> We don't have much "from 0 to ready" tutorials
Re: Any tutorials?
Hi Sergio,
see my replies embedded below.
Regards.

On 17/08/2017 23:28, Sergio Muriel wrote:
> Thank you Francesco.
>
> I'm trying to accomplish what you say, however I'm having two issues at the moment:
>
> 1. I log in to syncope-console/ as admin, click on Types -> AnyTypeClasses -> New AnyTypeClass but I find no schema to add because all lists are empty.

Of course, you need first to create new schemas that are not assigned yet to any AnyTypeClass.

> 2. I was able to create a connector in Topology -> connid -> Add New Connector, but when I try to create a resource for that connector it shows this error message: InvalidExternalResource. JDBC Driver is not found on classpath.

This happens because you are likely attempting to create a DBTable or ScriptedSQL connector for a DBMS (MySQL / MariaDB? PostgreSQL? other?), for which you'll need to include the related JDBC driver.

Since it seems you're running the Maven project, just add the related dependency to core/pom.xml (right before the first occurrence):

    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>5.1.42</version>
    </dependency>

for MySQL, or

    <dependency>
      <groupId>org.mariadb.jdbc</groupId>
      <artifactId>mariadb-java-client</artifactId>
      <version>1.6.1</version>
    </dependency>

for MariaDB, and so on.

> I created my project with maven archetype and run it with mvn -P embedded,all
>
> Any clue of what I'm doing wrong here?
>
> Your help is very appreciated.
> Sergio
>
> ----
> From: Francesco Chicchiriccò <ilgro...@apache.org>
> Sent: Friday, August 11, 2017 5:14 AM
> To: user@syncope.apache.org
> Subject: Re: Any tutorials?
>
> On 10/08/2017 19:16, Sergio Muriel wrote:
>> Hi,
>> does anyone know about any easy to follow Syncope tutorials or documentation?
>> I have been reading the reference guide <http://syncope.apache.org/docs/reference-guide.html> but I find it hard to follow.
>> This is what I need to do: Synchronize db2db fields, web service to web service and database fields to web service and vice versa.
>
> Hi Sergio, and welcome to Apache Syncope!
>
> We don't have much "from 0 to ready" tutorials out there; you might want to read this post by Colm about pulling users from LDAP:
>
> http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html
>
> Also, someone started a primer a while ago
>
> https://cwiki.apache.org/confluence/display/SYNCOPE/Apache+Syncope+2.0+Primer
>
> but it's in the very early stages.
>
> At a high level, for your own use case you'll need to:
>
> 1. define all the plain schemas you want to model for the Internal Storage
> 2. create one or more Connectors
> 3. for each Connector, create one or more External Resource where you define the mapping between Internal Storage's schemas and External Resource's attributes
> 4. for each Resource you want to pull users from, create a Pull Task
>
> I'd suggest to start with one Connector / Resource (maybe for the DB you want to pull users from) and then proceed incrementally.
>
> If the users you want to pull from the external DB fit in a single table, you can use the DBTable connector, otherwise you'll need the ScriptedSQL, which also requires coding / adjusting some Groovy scripts to work.
>
> Maybe it's also an idea for you to start with the Standalone Distribution, which is full of test data, and look at how things are configured there.
>
> HTH
> Regards.

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Any tutorials?
On 10/08/2017 19:16, Sergio Muriel wrote:
> Hi,
> does anyone know about any easy to follow Syncope tutorials or documentation?
> I have been reading the reference guide <http://syncope.apache.org/docs/reference-guide.html> but I find it hard to follow.
> This is what I need to do: Synchronize db2db fields, web service to web service and database fields to web service and vice versa.

Hi Sergio, and welcome to Apache Syncope!

We don't have much "from 0 to ready" tutorials out there; you might want to read this post by Colm about pulling users from LDAP:

http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Also, someone started a primer a while ago

https://cwiki.apache.org/confluence/display/SYNCOPE/Apache+Syncope+2.0+Primer

but it's in the very early stages.

At a high level, for your own use case you'll need to:

1. define all the plain schemas you want to model for the Internal Storage
2. create one or more Connectors
3. for each Connector, create one or more External Resource where you define the mapping between Internal Storage's schemas and External Resource's attributes
4. for each Resource you want to pull users from, create a Pull Task

I'd suggest to start with one Connector / Resource (maybe for the DB you want to pull users from) and then proceed incrementally.

If the users you want to pull from the external DB fit in a single table, you can use the DBTable connector, otherwise you'll need the ScriptedSQL, which also requires coding / adjusting some Groovy scripts to work.

Maybe it's also an idea for you to start with the Standalone Distribution, which is full of test data, and look at how things are configured there.

HTH
Regards.

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Configuration of LDAP Identity Store
On 01/08/2017 18:27, Böhmer, Martin wrote:
> Hi Francesco,
>
> Thanks for the update. I'm excited to try out 2.0.5-SNAPSHOT.

You can start right away, actually: could you please remind me which distribution you are using? Standalone, deb, Maven project...

> Just to make sure I understood your approach correctly: You said earlier, using the 1.5.2-SNAPSHOT version of the ConnID LDAP Bundle might be a workaround too (see below). But as far as I understood your solution to SYNCOPE-1182, it is going to work with the ConnID LDAP Bundle 1.5.1 release currently referenced by the pom.xml in the 2_0_X branch!? So no need to worry about the ConnID version, am I right?

Correct.

Regards.

> From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
> Sent: Tuesday, 1 August 2017 15:45
> To: user@syncope.apache.org
> Subject: Re: Configuration of LDAP Identity Store
>
> On 28/07/2017 09:15, Böhmer, Martin wrote:
>> Hi Francesco,
>>
>> What you propose sounds good to me from my external view not being able to follow all the technical details. Looking forward to the implemented solution.
>
> FYI: https://issues.apache.org/jira/browse/SYNCOPE-1182
>
> The implementation is now available with latest 2.0.5-SNAPSHOT (which should be available within hours).
>
> Regards.
>
>> From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
>> Sent: Thursday, 27 July 2017 12:34
>> To: user@syncope.apache.org
>> Subject: Re: Configuration of LDAP Identity Store
>>
>> Hi Martin and Andrea,
>> sorry if I come late to the party.
>>
>> First of all, I confirm that Andrea's approach is the correct one, at this moment: the way LDAPMembershipsPropagationActions is architected requires that the same Resource is used for both Users and Groups, and the configuration available in the test data for ApacheDS works as long as uid and cn contain exactly the same value.
>>
>> Hence, the suggestion to try out the LDAP connector 1.5.2-SNAPSHOT (which can be downloaded from [0]) is the most logical, currently.
>>
>> The issue originally described below is somehow related to some thoughts I am elaborating about the usage that Syncope makes of ConnId APIs, and I believe there is room for improvement. I plan to write down a full proposal, but here's the raw idea.
>>
>> For several operations, but in particular *before* and *after* executing a Propagation Task, Syncope queries the External Resource to see if a matching item is found, and it does that via ConnId's GetApiOp [1]. Such operation is implemented at Framework level, e.g. before reaching out to any effective Connector, via a plain search [2] where the key is the special __UID__ attribute and the value is the one passed as argument, along with ObjectClass.
>>
>> Using GetApiOp used to make complete sense in the old days of ConnId 1.3 and Syncope 1.1, when the Mapping Item identified as "AccountId" (now Remote Key) was forced to blank the external attribute name (see [3]): in such cases, in fact, __UID__ was used as external attribute.
>>
>> ConnId 1.4 slightly changed the way the __UID__ attribute is managed: as a result, since Syncope 1.2, it is mandatory to specify an external attribute name for the Remote Key (see [4] in Syncope 2.0).
>>
>> To give an idea, the sample from [3] would result in querying the External Resource for "__UID__ == 'ilgrosso'", while the sample from [4] *should* result in "uid == 'ilgrosso'" but will instead produce the same query as in the past.
>>
>> The problem here is that what __UID__ actually means is left to each Connector's implementation: LDAP configures that via the UidAttribute property (and GidAttribute in 1.5.2-SNAPSHOT), AD does something similar, others do differently.
>>
>> What I see here is that on one side the Remote Key is defined in Syncope at high level (e.g. as part of the Resource configuration, in the Mapping), while the raw __UID__ is still used under the hood in some cases (before executing a Propagation Task, as said above, for example), hence it is the low-level configuration (not the Resource's but the Connector's) that comes into play.
>>
>> My proposal is to simply get rid of GetApiOp and replace its usage in Syncope with search, using as key the External attribute name defined in the mapping, rather than __UID__.
>>
>> This should solve your issue (and others) at a glance, as Users will be looked up by uid, Groups by cn and Realms by ou (if your Mappings were set in these ways).
>>
>> Not sure if this clarifies, but I will make some work around such concepts hopefully soon.
>>
>> Regards.
>>
>> [0] https://oss.sonatype.org/content/repositories/snapshots/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ldap/1.5.2-SNAPSHOT/net.tirasa.connid.bundles.ldap-1.5.2-20170607.094522-5.jar
>> [1] h
Re: DefaultLogicActions and pull
On 01/08/2017 16:07, Mikael Ekblom wrote:
> Hi,
>
> I have tried to move some related logic for the whole realm to the DefaultLogicActions implementation within our Syncope. Now though I can see that during the pull and the subsequent creation of the users, the DefaultLogicActions beforeCreate, afterCreate etc. will never be triggered during the actual pull and the subsequent creation. Updates after the pull (if a field changes) do trigger the suitable functions (beforeUpdate, afterUpdate etc.). The action is specified for the realm where I put the users during the pull. No error messages or anything indicating a serious problem.
>
> Am I missing something or should it just not be possible to do? I think the sync process should generate a create request towards the core at some point even if you pull the information from an external source?

Hi Mikael,
LogicActions are triggered when the Logic layer is involved, e.g. during REST calls.

https://syncope.apache.org/docs/reference-guide.html#overview

If you need to perform custom tasks during pull, use PullActions.

HTH
Regards.

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Syncope to Database
On 01/08/2017 15:59, Dino Mifsud wrote:

Thanks for your reply, but does the Search script need to return all records at once, or is the SearchScript executed every time for each entry in the Syncope users?

Of course not: the search script should return only the records matching the passed query; see https://github.com/apache/syncope/blob/2_0_X/fit/core-reference/src/test/resources/rest/SearchScript.groovy#L76-L93 for example: it's Scripted REST (not Scripted SQL), but the concept is the same.

Regards.

On 01 Aug 2017, at 1:57 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 01/08/2017 13:42, Dino Mifsud wrote:

Hi, I am trying to sync users from Syncope to a backend DB using the scriptedsql connector. The users are being created (in the tables), but a subsequent call creates the users again, duplicating them. Also I am getting this error in the Search script which I cannot solve. See stack trace below. Can you help me please? Much appreciated.

Hi Dino, glad to see that you are progressing.

The error below (and also the duplication of entries that you observe) derives from an incomplete / erroneous implementation of the search script: you must ensure that:

1. the search script effectively finds the item it was requested to find (if such an item effectively exists in the external database): look in core-connid.log right before the second, unwanted, create()
2. the search script returns all the attributes it was asked for by Syncope: you should find, prior to the error message below, in core-connid.log something like

13:41:25.136 DEBUG Enter: search(ObjectClass: __ACCOUNT__, EQUALS: Attribute: {Name=fullname, Value=[17b7da3asyncope...@apache.org]}, org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy$2@6afd8683, OperationOptions: {ATTRS_TO_GET:[__NAME__,fullname,__UID__,__ENABLE__]})Method: search

In this case, Syncope is asking for [__NAME__,fullname,__UID__,__ENABLE__] to be available in the results: if not all attributes are included, you receive the "XXX was returned by the connector but failed to pass the framework filter. This seems like wrong implementation of the filter in the connector" error message.

HTH
Regards.

12:04:41.720 DEBUG Search script loadedMethod: executeQuery
12:04:41.720 DEBUG ObjectClass: __ACCOUNT__Method: executeQuery
12:04:41.720 INFO Entering SEARCH Script**Method: run
12:04:41.722 INFO GGOO SEARCH SCRIPT..Method: run
12:04:41.722 DEBUG Search okMethod: executeQuery
12:04:41.722 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[17e4c35c-383f-1035-9abe-d7b00eb73b03]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=uid, Value=[administrator]}, Attribute: {Name=__NAME__, Value=[administrator]}, Attribute: {Name=cn, Value=[administrator]}, Attribute: {Name=__UID__, Value=[17e4c35c-383f-1035-9abe-d7b00eb73b03]}], Name=Attribute: {Name=__NAME__, Value=[administrator]}}Method: handle
12:04:41.722 DEBUG Exception:Method: handle
java.lang.IllegalStateException: Object {Uid=Attribute: {Name=__UID__, Value=[17e4c35c-383f-1035-9abe-d7b00eb73b03]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=__NAME__, Value=[administrator]}, Attribute: {Name=__UID__, Value=[17e4c35c-383f-1035-9abe-d7b00eb73b03]}], Name=Attribute: {Name=__NAME__, Value=[administrator]}} was returned by the connector but failed to pass the framework filter. This seems like wrong implementation of the filter in the connector.
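An added example, written for this thread and not taken from the original post or from the connector's bundled template: a Scripted SQL SearchScript.groovy that does the two things the reply above asks for. It maps the filter Syncope passes in (the query map) to a parameterised WHERE clause, so only matching rows come back, and it returns __UID__, __NAME__ and every mapped column so that nothing listed in ATTRS_TO_GET is missing. It assumes the bindings the Scripted SQL connector hands to its scripts (connection, objectClass, action, log, options, query) and a hypothetical Users table with columns id, username, fullname and enabled.

```groovy
// Added example (not the original thread's code nor the connector's bundled
// template): a SearchScript.groovy for the ConnId Scripted SQL connector.
// Assumed script bindings, as the bundle's sample scripts document them:
//   connection  java.sql.Connection to the external database
//   objectClass String ("__ACCOUNT__", "__GROUP__", ...)
//   action      String, "SEARCH" here
//   log         ConnId Log facility
//   options     Map of OperationOptions (e.g. ATTRS_TO_GET)
//   query       Map describing the filter, or null for "fetch everything"
// Assumed (hypothetical) schema: table Users(id, username, fullname, enabled).
import groovy.sql.Sql
import groovy.transform.Field

// ConnId attribute name -> column. __UID__ and __NAME__ are mandatory in every
// returned row; the other keys follow the Syncope resource mapping.
@Field Map<String, String> columns = [
    "__UID__"   : "id",
    "__NAME__"  : "username",
    "username"  : "username",
    "fullname"  : "fullname",
    "__ENABLE__": "enabled"
]

// Turn the query map into a WHERE clause. Values go into bind parameters, never
// into the SQL string, so a filter value cannot change the statement.
String toSql(Map q, List params) {
    if (q == null) {
        return "1=1"                       // no filter: return every row
    }
    switch (q.operation) {
        case "AND":
        case "OR":
            return "(" + toSql(q.left, params) + " " + q.operation + " " + toSql(q.right, params) + ")"
        case "ANDNOT":
            return "(" + toSql(q.left, params) + " AND NOT " + toSql(q.right, params) + ")"
        case "ORNOT":
            return "(" + toSql(q.left, params) + " OR NOT " + toSql(q.right, params) + ")"
    }
    // Leaf comparison: the column name comes from the whitelist above, never
    // from the filter itself.
    String col = columns[q.left]
    if (col == null) {
        throw new IllegalArgumentException("Attribute not searchable: " + q.left)
    }
    String clause
    switch (q.operation) {
        case "EQUALS":      clause = col + " = ?";    params << q.right;             break
        case "CONTAINS":    clause = col + " LIKE ?"; params << "%" + q.right + "%"; break
        case "STARTSWITH":  clause = col + " LIKE ?"; params << q.right + "%";       break
        case "ENDSWITH":    clause = col + " LIKE ?"; params << "%" + q.right;       break
        case "GREATERTHAN": clause = col + " > ?";    params << q.right;             break
        case "LESSTHAN":    clause = col + " < ?";    params << q.right;             break
        default:
            throw new IllegalArgumentException("Unsupported operation: " + q.operation)
    }
    return q.not ? "NOT (" + clause + ")" : clause
}

log.info("Entering " + action + " Script for " + objectClass)

def result = []
def sql = new Sql(connection)

switch (objectClass) {
    case "__ACCOUNT__":
        def params = []
        String where = toSql(query, params)
        // Select every mapped column: the framework discards a row that lacks an
        // attribute listed in ATTRS_TO_GET ("failed to pass the framework filter"),
        // and Syncope then treats the user as missing and creates it again.
        sql.eachRow("SELECT id, username, fullname, enabled FROM Users WHERE " + where, params) { row ->
            result.add([
                __UID__   : row.id.toString(),
                __NAME__  : row.username,
                username  : row.username,
                fullname  : row.fullname,
                __ENABLE__: (row.enabled as Boolean)
            ])
        }
        break
    default:
        throw new UnsupportedOperationException("Object class not handled: " + objectClass)
}

log.info("Returning " + result.size() + " row(s)")
return result
```

With this hypothetical mapping, the search logged in the reply (EQUALS on fullname with ATTRS_TO_GET [__NAME__,fullname,__UID__,__ENABLE__]) becomes SELECT ... WHERE fullname = ? with the value bound as a parameter, and every returned row carries all four attributes.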
Re: Configuration of LDAP Identity Store
On 28/07/2017 09:15, Böhmer, Martin wrote:

Hi Francesco, what you propose sounds good to me from my external view, not being able to follow all the technical details. Looking forward to the implemented solution.

FYI: https://issues.apache.org/jira/browse/SYNCOPE-1182

The implementation is now available with the latest 2.0.5-SNAPSHOT (which should be available within hours).

Regards.

*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Thursday, 27 July 2017 12:34
*To:* user@syncope.apache.org
*Subject:* Re: Configuration of LDAP Identity Store

Hi Martin and Andrea, sorry if I come late to the party.

First of all, I confirm that Andrea's approach is the correct one, at this moment: the way LDAPMembershipsPropagationActions is architected requires that the same Resource is used for both Users and Groups, and the configuration available in the test data for ApacheDS works as long as uid and cn contain exactly the same value. Hence, the suggestion to try out the LDAP connector 1.5.2-SNAPSHOT (which can be downloaded from [0]) is the most logical, currently.

The issue originally described below is somehow related to some thoughts I am elaborating about the usage that Syncope makes of ConnId APIs, and I believe there is room for improvement. I plan to write down a full proposal, but here's the raw idea.

For several operations, but in particular *before* and *after* executing a Propagation Task, Syncope queries the External Resource to see if a matching item is found, and it does that via ConnId's GetApiOp [1]. Such an operation is implemented at Framework level, e.g. before reaching out to any effective Connector, via a plain search [2] where the key is the special __UID__ attribute and the value is the one passed as argument, along with ObjectClass.

Using GetApiOp used to make complete sense in the old days of ConnId 1.3 and Syncope 1.1, when the Mapping Item identified as "AccountId" (now Remote Key) was forced to blank the external attribute name (see [3]): in such cases, in fact, __UID__ was used as the external attribute.

ConnId 1.4 slightly changed the way the __UID__ attribute is managed: as a result, since Syncope 1.2, it is mandatory to specify an external attribute name for the Remote Key (see [4] in Syncope 2.0).

To give an idea, the sample from [3] would result in querying the External Resource for "__UID__ == 'ilgrosso'", while the sample from [4] *should* result in "uid == 'ilgrosso'" but will instead produce the same query as in the past.

The problem here is that what __UID__ actually means is left to any Connector's implementation: LDAP configures that via the UidAttribute property (and GidAttribute in 1.5.2-SNAPSHOT), AD does something similar, others do differently.

What I see here is that on one side the Remote Key is defined in Syncope at high level (e.g. as part of the Resource configuration, in the Mapping), while the raw __UID__ is still used under the hood in some cases (before executing a Propagation Task, as said above, for example), hence it is the low-level configuration (not the Resource's but the Connector's) that comes into play.

My proposal is to simply get rid of GetApiOp and replace its usage in Syncope with search, using as key the External attribute name defined in the mapping, rather than __UID__. This should solve your issue (and others) at a glance, as Users will be looked up by uid, Groups by cn and Realms by ou (if your Mappings were set in these ways).

Not sure if this clarifies, but I will make some work around such concepts hopefully soon.

Regards.

[0] https://oss.sonatype.org/content/repositories/snapshots/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ldap/1.5.2-SNAPSHOT/net.tirasa.connid.bundles.ldap-1.5.2-20170607.094522-5.jar
[1] https://github.com/Tirasa/ConnId/blob/master/java/connector-framework/src/main/java/org/identityconnectors/framework/api/operations/GetApiOp.java
[2] https://github.com/Tirasa/ConnId/blob/master/java/connector-framework-internal/src/main/java/org/identityconnectors/framework/impl/api/local/operations/GetImpl.java
[3] https://pasteboard.co/GCRf497.png
[4] https://pasteboard.co/GCRixXp.png

On 25/07/2017 14:12, Böhmer, Martin wrote:

Hi Andrea, your proposed solutions are greatly appreciated. Here are my comments:

1. I created a JIRA account to file an improvement request. Unfortunately, I seem to lack the right to create an improvement for the "LDAP bundle" component. The only components I can create issues for are COMMONS, REST & OFFICE365. Am I doing something wrong?
2. I'm not sure if I understood you correctly. Are you saying there is no chance LDAPMembershipPropagationAction will work out of the box? Or that you aren't sure if it will work and it would be worth setting this up and trying it out? If it's the second case, I would try it out.

Regards, M
Re: Syncope to Database
Re: Notification page crashes in Console UI after e-mail config
Hi Martin, FYI the mail debugging feature is now fully enabled in 2.0.5-SNAPSHOT, and the upgraded documentation https://ci.apache.org/projects/syncope/2_0_X/reference-guide.html#e-mail-configuration now features a couple of working samples.

Please note that with 2.0.4, while making STARTTLS work is possible (but not trivial), mail debugging is not.

Regards.

On 28/07/2017 15:12, Böhmer, Martin wrote:

Hi Francesco, thanks for your feedback. I created an issue as requested: https://issues.apache.org/jira/browse/SYNCOPE-1180

Regarding the documentation, I am still missing the information that I would like to see in there. So I am kinda unable to contribute.

Regards, Martin

*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Thursday, 27 July 2017 11:16
*To:* user@syncope.apache.org
*Subject:* Re: AW: Notification page crashes in Console UI after e-mail config

On 21/07/2017 11:23, Böhmer, Martin wrote:

Hi Francesco, I finally had the chance to give Syncope 2.0.4 a try on a fresh machine as you suggested. Good news: I do not have any issues with the notification page any more.

That's great to hear :-)

However, notifications are not working due to the email configuration. I found the documentation in the reference guide lacks important details. https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration

1. The reference guide only names the properties. This is fine for user, host, etc., but the protocol needs some explanation. If you have never worked with JavaMail, you're lost. It would be really helpful to have a link from the Syncope mail properties to the JavaMail properties (if this link exists). Or just give examples for SMTP with STARTSSL (there is no flag for enabling StartSSL!?) and SMTPS scenarios.

Feel free to open a PR for improving the docs; in particular https://github.com/apache/syncope/blob/2_0_X/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/emailconfiguration.adoc

If you would like to go along this way, please first take a look at http://syncope.apache.org/contributing.html and send an ICLA as specified, thanks!

2. Where to find the promised debug output when mailDebug is set to true? I restarted Tomcat and created a notification task. There is no info on "handshake, authentication, delivery and disconnection" in catalina.out or core.log or console.log

This would need some investigation: would you mind opening an issue on JIRA? Thanks.

Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Syncing to database
On 28/07/2017 10:26, Dino Mifsud wrote:

Hi, I have a scenario where I need to sync users from Syncope to a database. The users in the database are not stored in one table, so the mapping is not that straightforward. Is there a way in Syncope to use custom SQL scripts (not Groovy) to meet such requirements please?

If the users in the external database are not stored in a single table, you cannot unfortunately use the DatabaseTable connector, which is simpler and does not require any script.

The only option left is the Scripted SQL connector; template Groovy scripts are provided in https://github.com/apache/syncope/tree/2_0_X/fit/core-reference/src/test/resources/scriptedsql

...or you might want to write your own connector but, believe me, it is way harder than customizing some Groovy scripts.

HTH
Regards.
Re: Configuration of LDAP Identity Store
strange when creating a user in Syncope. On the result screen of the user creation, the remote key is correctly displayed. When I close that screen and open the "Manage resources" dialog for that user, the remote key is gone and thus propagation of updates to LDAP fails.

Any hints would be greatly appreciated!

Regards, Martin

I'm using *_OpenLDAP_*. The tree looks like this:

dc=example,dc=com
  ou=people
    uid=johndoe
    …
  ou=groups
    cn=testgroup

Here is the configuration of the *_LDAP connector_* (properties not listed were not touched = default value):

Bundle: *net.tirasa.connid.bundles.ldap*
Host: *localhost*
TCP Port: 389
Principal: *cn=syncope,dc=exmaple,dc=com*
Password: */**/*
Base Contexts: *dc=exmaple,dc=com*
Password Attribute: userPassword
Account Object Classes: top, person, organizationalPerson, inetOrgPerson
Account User Name Attributes: uid, cn
Group Object Classes: top, groupOfuniqueNames
Group Name Attributes: cn
Group Member Attribute: uniqueMember
Maintain LDAP Group Membership: (check mark)
Password Hash Algorithm: *SSHA*
VLV Sort Attribute: *uid*
Uid Attribute: *entryUUID*
Read Schema: (check mark)
Base Contexts to Synchronize: (empty)
Object Classes to Synchronize: *inetOrgPerson, groupOfUniqueNames*
Attributes to Synchronize: (empty)
Remove Log Entry Object Class from Filter: (check mark)
Enable Password Synchronization: (cross mark)
Status management class: *net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement*
Capabilities: */(all selected)/*

And this is the configuration of my *_LDAP resource_*:

Propagation Actions: *LDAPPAsswordPropagationAction*, *LDAPMembershipPropagationAction*
Override Capabilities?: (cross mark)
Account Policy: /(none)/
Password Policy: /(none)/
Pull Policy: /(none)/

Finally, the *_mapping configuration_*:

Type: /User/
Object Class: /__ACCOUNT__/
Mapping username: /Int: username Ext: uid Remote key: yes/
Mapping email: /Int: email Ext: mail/
Mapping password: /Int: password Ext: userPassword Password: yes/
Object Link: /'uid=' + username + ',ou=people,dc=example,dc=com'/
Re: Pull users from LDAP
On 25/07/2017 00:48, justin.isenhour wrote:

Sasha, I'm curious, were you able to resolve this issue? I am facing a similar issue myself. For me, the first time I run a pull task it works fine but then fails because I have a mapping issue (not really related to this), but then after that, every time I try to run the pull task again I get this message: "org.identityconnectors.framework.common.exceptions.ConnectorException: Operation Not Supported. Bad cookie". If I recycle the JVM I can run it again. Can you provide any direction or insight into this?

Hi Justin, it seems you are experiencing problems with the ConnId pagination APIs, introduced by https://connid.atlassian.net/browse/BASE-14 and supported by the LDAP Connector Bundle with https://connid.atlassian.net/browse/LDAP-16

Which LDAP server implementation are you using? Would you mind sharing your Connector and Resource configurations?

Regards.
Re: AW: Password Reset Token Generation Not Working After Upgrading to 2.0.4
Hi Martin and Justin, would any of you open an issue for such a problem? Thanks.

Regards.

On 22/07/2017 00:15, Böhmer, Martin wrote:

I can confirm that something seems to go wrong when generating the token, as it contains Asian characters and is way longer than expected. I submitted a "forgot password" request via the enduser UI. This is the link it wants me to open to reset the password:

Regards, Martin

-Original Message-
From: justin.isenhour [mailto:justin.isenh...@compass-usa.com]
Sent: Friday, 21 July 2017 22:27
To: user@syncope.apache.org
Subject: Password Reset Token Generation Not Working After Upgrading to 2.0.4

When I make a REST call to the User Self confirmPasswordReset API for a user I am getting a JPA persistence error. It seems that it is not able to save the User object because of the token value; see value below. I just recently upgraded to 2.0.4; prior to the upgrade this was working. Anyone have any ideas on the issue and what we need to do to resolve it?

*JPA Exception:*

Caused by: org.apache.openjpa.persistence.PersistenceException: Incorrect string value: '\xF0\xA2\xA8\xAC\xEA\x92...' for column 'token' at row 1 {prepstmnt 1197754412 UPDATE SyncopeUser SET lastChangeDate = ?, lastModifier = ?, token = ?, tokenExpireTime = ? WHERE id = ?} [code=1366, state=HY000]

*Generated Token Value:*

Thanks, Justin Isenhour
Re: [ANN] Apache Syncope 2.0.4
referenced library: refer to attachment

On 2017-07-14 at 8:44 PM, "Changseok Keum" <keum...@gmail.com> wrote:

Of course, I will send codes and logs after the weekend. Thanks a lot.

On 2017-07-14 at 8:31 PM, "Francesco Chicchiriccò" <ilgro...@apache.org> wrote:

On 14/07/2017 13:23, Changseok Keum wrote:

Hi, I recently updated the Syncope version to 2.0.4, released with views.xml and indexes.xml referenced by the guide.

When testing, EntityManager.merge() is not doing anything, and there is no error log, when userDAO.save() is called with a parameterized user with some plainAttributes added. (Without plainAttributes, there is no problem.) The same code works well before version 2.0.3.

I think I did something wrong with the update, but I cannot proceed with debugging inside the EntityManager merge function, so it is hard to find the reason. Could you please give me some advice to solve this situation?

Hi, can you share your code? Or some logs?

Regards.
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
On 14/07/2017 16:17, justin.isenhour wrote:

Francesco, I was finally able to upgrade Syncope to v2.0.4 and now the synchronization of mustChangePassword is working as expected. Thanks for your help with this issue.

Glad to hear that :-)

Regards.
[ANN] Apache Syncope 2.0.4
The Apache Syncope team is pleased to announce the release of Syncope 2.0.4.

Apache Syncope is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology.

The release will be available within 24h from: http://syncope.apache.org/downloads.html

The full change log is available here: https://s.apache.org/syncope204

We welcome your help and feedback. For more information on how to report problems, and to get involved, visit the project website at http://syncope.apache.org/

The Apache Syncope Team
Re: Notification page crashes in Console UI after e-mail config
Hi Martin,
thanks for your willingness to contribute.

PostgreSQL is my personal (and my company's) preferred choice for our customers, when deploying Apache Syncope. With such configuration, we are running Syncope in production in several environments (most of them are Debian / Ubuntu, but also RedHat / CentOS).
Moreover, there is a work-in-progress about Syncope on Docker, currently based on DEB distribution and Syncope 2.0.2 at
https://github.com/andrea-patricelli/syncope-docker/tree/2_0_X

All that to say that the problem you are experiencing is definitely not something that should depend on the product itself but rather somehow on your environment / configuration.

I have only found the following reference in Syncope:
https://issues.apache.org/jira/browse/SYNCOPE-606
where the problem was that the DataSource was manually enabled in /etc/tomcat7/Catalina/localhost/syncope.xml (/etc/tomcat8/Catalina/localhost/syncope.xml in your case).

Would you mind trying again in a fresh Debian / Ubuntu box (VM or Docker image is just fine) by following the steps in
http://syncope.apache.org/docs/getting-started.html#debian-packages
and nothing more? I've just been through it and everything worked flawlessly.

Regards.

On 04/07/2017 22:19, Böhmer, Martin wrote:
Hi Francesco,

I downloaded & installed the latest JDBC 4.2 driver (as I am running Oracle Java 8). Unfortunately the problem stays exactly the same.

Here are some ideas from my side. They are just educated guesses and may lead the wrong way as I am unable to further validate them due to my lack of knowledge about Syncope's implementation.

1. Quartz Scheduler configuration issue (org.quartz.jobStore.dontSetAutoCommitFalse)
http://www.quartz-scheduler.org/documentation/quartz-2.2.x/configuration/ConfigJobStoreTX.html
2. Issue with Spring Batch and Postgres transactions
https://stackoverflow.com/questions/32113132/jdbc-auto-commit-not-working-with-postgresql-9-driver

Best regards,
Martin

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Tuesday, 4 July 2017 12:01
To: user@syncope.apache.org
Subject: Re: Notification page crashes in Console UI after e-mail config

On 04/07/2017 10:33, Böhmer, Martin wrote:
Hi Francesco,
sorry to hear that.

PostgreSQL (provided by Ubuntu repos): 9.5+173
JDBC (shipped with PostgreSQL): postgresql-jdbc4-9.2.jar

This JDBC Driver is way too old for PostgreSQL 9.5; please download the latest 42.1.1 for JDBC 4.1 (if using JDK 7) or for JDBC 4.2 (if using JDK 8) from
https://jdbc.postgresql.org/download.html

Regards.

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Friday, 30 June 2017 16:50
To: user@syncope.apache.org
Subject: Re: AW: Notification page crashes in Console UI after e-mail config

Hi Martin,
I went through your logs and cannot guess much. Only questions coming to my mind are:
* PostgreSQL DB version?
* PostgreSQL JDBC JAR version?

Regards.

On 29/06/2017 11:17, Böhmer, Martin wrote:
clearing the logs was exactly what I did to provide the core and console log attached to my previous email. Anyway, I did as you suggested and included all the logs from Tomcat and Syncope. Please find them attached (access to Pastebin from our company network is blocked).

Best regards,
Martin

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Thursday, 29 June 2017 09:10
To: user@syncope.apache.org
Subject: Re: Notification page crashes in Console UI after e-mail config

Hi Martin,
see my replies below.

Regards.

On 28/06/2017 16:44, Böhmer, Martin wrote:
Hi,

I tried to activate the notification feature, but ran into an error I am unable to tackle. Here is what I did:
1. Adjusted mail.properties file according to our local setup (i.e. changed the server name)
2. Via the Console UI I changed the parameter "notificationjob.cronExpression" from empty string to: * 0/5 * * * ? *
3. Restarted Tomcat
4. Opened Notifications page in Console UI: Configuration -> Notifications (in order to create a notification task to check e-mail config)

At step 4 I was redirected to the login screen showing the message "Error while contacting Syncope core". I attached the Core and Console log files.

Root cause seems to be:
org.apache.syncope.common.lib.SyncopeClientException: DataIntegrityViolation [Cannot commit when autoCommit is enabled.]

Did I do something wrong?

No, you didn't. The Admin Co
Re: Notification page crashes in Console UI after e-mail config
On 04/07/2017 10:33, Böhmer, Martin wrote:
Hi Francesco,
sorry to hear that.

PostgreSQL (provided by Ubuntu repos): 9.5+173
JDBC (shipped with PostgreSQL): postgresql-jdbc4-9.2.jar

This JDBC Driver is way too old for PostgreSQL 9.5; please download the latest 42.1.1 for JDBC 4.1 (if using JDK 7) or for JDBC 4.2 (if using JDK 8) from
https://jdbc.postgresql.org/download.html

Regards.

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Friday, 30 June 2017 16:50
To: user@syncope.apache.org
Subject: Re: AW: Notification page crashes in Console UI after e-mail config

Hi Martin,
I went through your logs and cannot guess much. Only questions coming to my mind are:
* PostgreSQL DB version?
* PostgreSQL JDBC JAR version?

Regards.

On 29/06/2017 11:17, Böhmer, Martin wrote:
clearing the logs was exactly what I did to provide the core and console log attached to my previous email. Anyway, I did as you suggested and included all the logs from Tomcat and Syncope. Please find them attached (access to Pastebin from our company network is blocked).

Best regards,
Martin

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Thursday, 29 June 2017 09:10
To: user@syncope.apache.org
Subject: Re: Notification page crashes in Console UI after e-mail config

Hi Martin,
see my replies below.

Regards.

On 28/06/2017 16:44, Böhmer, Martin wrote:
Hi,

I tried to activate the notification feature, but ran into an error I am unable to tackle. Here is what I did:
1. Adjusted mail.properties file according to our local setup (i.e. changed the server name)
2. Via the Console UI I changed the parameter "notificationjob.cronExpression" from empty string to: * 0/5 * * * ? *
3. Restarted Tomcat
4. Opened Notifications page in Console UI: Configuration -> Notifications (in order to create a notification task to check e-mail config)

At step 4 I was redirected to the login screen showing the message "Error while contacting Syncope core". I attached the Core and Console log files.

Root cause seems to be:
org.apache.syncope.common.lib.SyncopeClientException: DataIntegrityViolation [Cannot commit when autoCommit is enabled.]

Did I do something wrong?

No, you didn't. The Admin Console's behavior is due to an unhandled exception raised by the Core. Unfortunately, the message above does not help in recognizing what could have happened.

Can you please stop Tomcat, clear all logs, replicate the problem and paste all of your logs via pastebin or similar?

My setup is: Apache Syncope 2.0.3 Redhat distribution, JDK 1.8.0_131-b11 from Oracle, Tomcat 8.0.32-1ubuntu1, Ubuntu 16.04 LTS.

You might want to give a try to the latest 2.0.4-SNAPSHOT from:
* https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-core/2.0.4-SNAPSHOT/
* https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-console/2.0.4-SNAPSHOT/
* https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-enduser/2.0.4-SNAPSHOT/

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: AW: Notification page crashes in Console UI after e-mail config
Hi Martin,
I went through your logs and cannot guess much. Only questions coming to my mind are:
* PostgreSQL DB version?
* PostgreSQL JDBC JAR version?

Regards.

On 29/06/2017 11:17, Böhmer, Martin wrote:
Hi Francesco,

clearing the logs was exactly what I did to provide the core and console log attached to my previous email. Anyway, I did as you suggested and included all the logs from Tomcat and Syncope. Please find them attached (access to Pastebin from our company network is blocked).

Best regards,
Martin

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Thursday, 29 June 2017 09:10
To: user@syncope.apache.org
Subject: Re: Notification page crashes in Console UI after e-mail config

Hi Martin,
see my replies below.

Regards.

On 28/06/2017 16:44, Böhmer, Martin wrote:
Hi,

I tried to activate the notification feature, but ran into an error I am unable to tackle. Here is what I did:
1. Adjusted mail.properties file according to our local setup (i.e. changed the server name)
2. Via the Console UI I changed the parameter "notificationjob.cronExpression" from empty string to: * 0/5 * * * ? *
3. Restarted Tomcat
4. Opened Notifications page in Console UI: Configuration -> Notifications (in order to create a notification task to check e-mail config)

At step 4 I was redirected to the login screen showing the message "Error while contacting Syncope core". I attached the Core and Console log files.

Root cause seems to be:
org.apache.syncope.common.lib.SyncopeClientException: DataIntegrityViolation [Cannot commit when autoCommit is enabled.]

Did I do something wrong?

No, you didn't. The Admin Console's behavior is due to an unhandled exception raised by the Core. Unfortunately, the message above does not help in recognizing what could have happened.

Can you please stop Tomcat, clear all logs, replicate the problem and paste all of your logs via pastebin or similar?

My setup is: Apache Syncope 2.0.3 Redhat distribution, JDK 1.8.0_131-b11 from Oracle, Tomcat 8.0.32-1ubuntu1, Ubuntu 16.04 LTS.

You might want to give a try to the latest 2.0.4-SNAPSHOT from:
* https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-core/2.0.4-SNAPSHOT/
* https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-console/2.0.4-SNAPSHOT/
* https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-enduser/2.0.4-SNAPSHOT/

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Notification page crashes in Console UI after e-mail config
Hi Martin,
see my replies below.

Regards.

On 28/06/2017 16:44, Böhmer, Martin wrote:
Hi,

I tried to activate the notification feature, but ran into an error I am unable to tackle. Here is what I did:
1. Adjusted mail.properties file according to our local setup (i.e. changed the server name)
2. Via the Console UI I changed the parameter "notificationjob.cronExpression" from empty string to: * 0/5 * * * ? *
3. Restarted Tomcat
4. Opened Notifications page in Console UI: Configuration -> Notifications (in order to create a notification task to check e-mail config)

At step 4 I was redirected to the login screen showing the message "Error while contacting Syncope core". I attached the Core and Console log files.

Root cause seems to be:
org.apache.syncope.common.lib.SyncopeClientException: DataIntegrityViolation [Cannot commit when autoCommit is enabled.]

Did I do something wrong?

No, you didn't. The Admin Console's behavior is due to an unhandled exception raised by the Core. Unfortunately, the message above does not help in recognizing what could have happened.

Can you please stop Tomcat, clear all logs, replicate the problem and paste all of your logs via pastebin or similar?

My setup is: Apache Syncope 2.0.3 Redhat distribution, JDK 1.8.0_131-b11 from Oracle, Tomcat 8.0.32-1ubuntu1, Ubuntu 16.04 LTS.

You might want to give a try to the latest 2.0.4-SNAPSHOT from:
* https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-core/2.0.4-SNAPSHOT/
* https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-console/2.0.4-SNAPSHOT/
* https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-enduser/2.0.4-SNAPSHOT/

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: AW: Password not propagated when changed via enduser UI
On 27/06/2017 09:19, Böhmer, Martin wrote:
Hi Francesco,

Thanks for your quick reply. Your remarks were very helpful to better understand Syncope.

Glad to hear that :-)

I am running the 2.0.3 release of the Syncope Debian distribution. OpenLDAP version is 2.4.42+dfsg-2ubuntu3.

Can you estimate when release 2.0.4 will be available? There was no date set in JIRA.

Syncope 2.0.4 is already full of fixes, improvements and new features:
https://issues.apache.org/jira/projects/SYNCOPE/versions/12340328

Still a few are standing (mainly bugfixes, others can be moved to 2.0.5); moreover, CXF 3.1.12 (which we use as foundation of Syncope REST layer, and more) is currently under vote.
Given such elements, I would estimate next release 2.0.4 to be available in 2-3 weeks time.

Regards.

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, 26 June 2017 17:42
To: user@syncope.apache.org
Subject: Re: Password not propagated when changed via enduser UI

Hi Martin,
welcome to Apache Syncope.

Which version / distribution are you running?

See my replies embedded below.
Regards.

On 25/06/2017 18:48, Böhmer, Martin wrote:
Hi,

I have set up an LDAP connector and LDAP resource that successfully propagates changes to users and groups when changes are performed via the console UI. So, I am able to consistently create, update and delete users and groups in Syncope and LDAP.

When I set/change a user's password via the console UI, it gets propagated to LDAP as expected by an UPDATE propagation task. However, when I log into the enduser interface and change the password, it gets updated in Syncope's internal database, but not in LDAP. Inspecting the propagation tasks afterwards reveals that the change in the enduser UI has created a DELETE action for some strange reason.

I have replicated your case with 2.0.4-SNAPSHOT (by using the sample ApacheDS LDAP resource available) and opened
https://issues.apache.org/jira/browse/SYNCOPE-1125

As mentioned in the reference guide and earlier posts, I already made sure Syncope's property 'password.cipher.algorithm' is set to the same algorithm as specified in the LDAP connector. Both are set to 'SSHA'. Console log and core log do not show any errors.

Aligning the cipher algorithms is only needed when pulling or pushing password values as binary objects, and this only occurs during pull or push task execution. Setting password via Admin Console or Enduser UI instead does not require such alignment, as the cleartext value is passed along with the REST invocation.

What am I doing wrong? What configuration may be wrong or missing? I would greatly appreciate any hints on what configuration is required to propagate the password change from the enduser interface to LDAP!

My LDAP server is OpenLDAP on Ubuntu 16.04 LTS.

Best regards,
Martin

PS: The result of the password not being propagated is that I am now able to log into the enduser interface using both the password stored in Syncope's internal DB and the (old) password still present in LDAP...

This is not possible unless you have defined an Account Policy [1] with LDAP for pass-through authentication [2].

[1] https://syncope.apache.org/docs/reference-guide.html#policies-account
[2] https://syncope.apache.org/docs/reference-guide.html#pass-through-authentication

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Password not propagated when changed via enduser UI
Hi Martin,
welcome to Apache Syncope.

Which version / distribution are you running?

See my replies embedded below.
Regards.

On 25/06/2017 18:48, Böhmer, Martin wrote:
Hi,

I have set up an LDAP connector and LDAP resource that successfully propagates changes to users and groups when changes are performed via the console UI. So, I am able to consistently create, update and delete users and groups in Syncope and LDAP.

When I set/change a user's password via the console UI, it gets propagated to LDAP as expected by an UPDATE propagation task. However, when I log into the enduser interface and change the password, it gets updated in Syncope's internal database, but not in LDAP. Inspecting the propagation tasks afterwards reveals that the change in the enduser UI has created a DELETE action for some strange reason.

I have replicated your case with 2.0.4-SNAPSHOT (by using the sample ApacheDS LDAP resource available) and opened
https://issues.apache.org/jira/browse/SYNCOPE-1125

As mentioned in the reference guide and earlier posts, I already made sure Syncope's property 'password.cipher.algorithm' is set to the same algorithm as specified in the LDAP connector. Both are set to 'SSHA'. Console log and core log do not show any errors.

Aligning the cipher algorithms is only needed when pulling or pushing password values as binary objects, and this only occurs during pull or push task execution. Setting password via Admin Console or Enduser UI instead does not require such alignment, as the cleartext value is passed along with the REST invocation.

What am I doing wrong? What configuration may be wrong or missing? I would greatly appreciate any hints on what configuration is required to propagate the password change from the enduser interface to LDAP!

My LDAP server is OpenLDAP on Ubuntu 16.04 LTS.

Best regards,
Martin

PS: The result of the password not being propagated is that I am now able to log into the enduser interface using both the password stored in Syncope's internal DB and the (old) password still present in LDAP...

This is not possible unless you have defined an Account Policy [1] with LDAP for pass-through authentication [2].

[1] https://syncope.apache.org/docs/reference-guide.html#policies-account
[2] https://syncope.apache.org/docs/reference-guide.html#pass-through-authentication

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
On 14/06/2017 19:40, justin.isenhour wrote:
Francesco,

Thanks for your reply. I have followed the steps you described but am not getting the same result as you.

If in ApacheDS password policy section I have Allow Must Change flagged then when I try to create a new user the sync with ApacheDS fails, it complains that there are 2 values being set for attribute pwdReset.

If I uncheck Allow Must Change flag then the create/sync is successful, however, after that any attempt I make to toggle Must Change Password on/off does not sync with ApacheDS. I tried toggling this from the console as well as using the user self Patch API. In both of these cases there is no propagation task being created. The only propagation task I see is the initial create. (Making other updates does initiate a propagation task and LDAP is updated as expected.)

Any thoughts as to why changes to Must Change Password are not triggering a propagation task?

Which Syncope version and distribution are you using?

You might want to download the latest 2.0.4-SNAPSHOT standalone distribution [1] (instructions [2]) and try to perform the steps reported previously with the embedded ApacheDS 2.0 M24 (which is exactly what I did).

Regards.

[1] https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/2.0.4-SNAPSHOT/syncope-standalone-2.0.4-20170614.162350-94-distribution.zip
[2] https://ci.apache.org/projects/syncope/getting-started.html#standalone

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Error with openJPA multithreading
On 2017-06-14 18:43 justin.isenhour wrote:
Is anyone able to provide any insight into this issue as I am getting this quite often during testing both from the syncope console and from direct API calls.

Hi,
this error seldom appears to me as well, but it is so rare that I could not find a way to reproduce it.

Please, send more details about your environment, Syncope version and distribution, and operations that lead to such error.

Anyway, I made some fixes in the current 2.0.4-SNAPSHOT which should prevent such errors from occurring, maybe you'd want to give it a try.

Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: error importing by Mastecontent.xml and postgres database dump
questListenerInterface.java:241) ~[wicket-core-7.6.0.jar:7.6.0]
at org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.invokeListener(ListenerInterfaceRequestHandler.java:248) ~[wicket-core-7.6.0.jar:7.6.0]
at org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.respond(ListenerInterfaceRequestHandler.java:234) ~[wicket-core-7.6.0.jar:7.6.0]
at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:895) ~[wicket-core-7.6.0.jar:7.6.0]
at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64) ~[wicket-request-7.4.0.jar:7.4.0]
at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:265) ~[wicket-core-7.6.0.jar:7.6.0]
at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:222) ~[wicket-core-7.6.0.jar:7.6.0]
at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293) ~[wicket-core-7.6.0.jar:7.6.0]
at org.apache.wicket.protocol.ws.AbstractUpgradeFilter.processRequestCycle(AbstractUpgradeFilter.java:70) ~[wicket-native-websocket-core-7.6.0.jar:7.6.0]
at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203) ~[wicket-core-7.6.0.jar:7.6.0]
at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) ~[wicket-core-7.6.0.jar:7.6.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) ~[tomcat8-catalina-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[tomcat8-catalina-8.0.32.jar:8.0.32]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) ~[tomcat8-catalina-8.0.32.jar:8.0.32]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) ~[tomcat8-catalina-8.0.32.jar:8.0.32]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) ~[tomcat8-catalina-8.0.32.jar:8.0.32]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) ~[tomcat8-catalina-8.0.32.jar:8.0.32]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) ~[tomcat8-catalina-8.0.32.jar:8.0.32]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) ~[tomcat8-catalina-8.0.32.jar:8.0.32]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) ~[tomcat8-catalina-8.0.32.jar:8.0.32]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522) ~[tomcat8-catalina-8.0.32.jar:8.0.32]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095) ~[tomcat8-coyote-8.0.32.jar:8.0.32]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672) ~[tomcat8-coyote-8.0.32.jar:8.0.32]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1504) ~[tomcat8-coyote-8.0.32.jar:8.0.32]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1460) ~[tomcat8-coyote-8.0.32.jar:8.0.32]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat8-util-8.0.32.jar:8.0.32]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

[1] https://syncope.apache.org/docs/reference-guide.html#deal-with-internal-storage-export-import

--
View this message in context: http://syncope-user.1051894.n5.nabble.com/error-importing-by-Mastecontent-xml-e-postgres-database-dump-tp5709259.html
Sent from the syncope-user mailing list archive at Nabble.com.
-- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
Hi,
here's what I did (after creating new Maven project, in embedded mode - it should be exactly the same with standalone distribution):

1. from Admin Console, I went to Topology > resource-ldap > edit provision rules
2. added a mapping item to USER / __ACCOUNT__, with
   * 'mustChangePassword' as internal attribute
   * 'pwdReset' as external attribute
   * JEXL transformer 'mustChangePassword == 1'
3. saved

After that, I have created a new user, and assigned 'resource-ldap': the user got created as expected on the embedded ApacheDS instance (e.g. the one behind 'resource-ldap' above), with 'pwdReset: false'.

Then, on the user row, I have clicked on the "set must change password" menu entry: an update was sent to ApacheDS and 'pwdReset' became true.

I clicked again on the same menu entry (which I have now changed to "toggle must change password"): another update to ApacheDS and 'pwdReset' became false.

Is there anything different that you were expecting?

Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: cmd bundle framework filter bundle
On 31/05/2017 10:16, Mikael Ekblom wrote:
Hi,

I need to ask you at Tirasa too: have you seen this error regarding the cmd bundle and powershell?

java.lang.IllegalStateException: Object {Uid=Attribute: {Name=__UID__, Value=[backsee1]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=uid, Value=[x]}, Attribute: {Name=personnr, Value=[1029]}, Attribute: {Name=__NAME__, Value=[1029]}, Attribute: {Name=__UID__, Value=[]}, Attribute: {Name=__ENABLE__, Value=[true]}], Name=Attribute: {Name=__NAME__, Value=[1029]}} was returned by by the connector but failed to pass the framework filter. This seems like wrong implementation of the filter in the connector.

I guess syncope sees these as regular strings. Searching goes fine, no problem there. All attributes can be viewed. But when you try to create, then s-t hits the fan.

I have tested both the 0.2 version of the cmd bundle and I'm testing the 0.3-snapshot version also and I'm modifying the 0.3-version for troubleshooting purposes. Both the 0.2-version and the 0.3-snapshot version give the same result.

Maybe I need to make my own version of execute sequence... :-)

Hi Mikael,
the exception above comes from [1], e.g. from the ConnId framework rather than the ConnId CMD bundle.

You need to provide more details about the error (e.g. longer stacktraces) in order to understand exactly which ConnId filter - which is set by Syncope code - is not allowing some search results to pass.

Regards.

[1] https://github.com/Tirasa/ConnId/blob/master/java/connector-framework-internal/src/main/java/org/identityconnectors/framework/impl/api/local/operations/FilteredResultsHandler.java#L82-L84

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
On 01/06/2017 19:40, justin.isenhour wrote:
Hi All,

I am using Syncope 2.0.3 with ApacheDS 2.0.0-M23 for identity store. In ApacheDS I have Must Change Password enabled for the password policy. When a new user is created the pwdReset flag is true. How can I get Syncope to change the flag to False? Changing the Must Change Password attribute for the UserTO doesn't impact this, nor does resetting the user's password. So far I have found no way to change this flag.

I tried adding a mapping between mustChangePassword and pwdReset with a JEXL transformer to convert Syncope's 0|1 value to ApacheDS's expected true|false. With this in place, when I create a user with must change password as true the provisioning is successful, but when I try to create/update a user with value false the sync fails. ApacheDS complains that I am trying to set more than one value to the pwdReset attribute that only accepts a single value.

Anyone have any thoughts or recommendations?

Hi Justin,
thanks for your interest in Apache Syncope.

It seems you have come quite far with Syncope LDAP configuration, nice :-)

I am not very familiar with ApacheDS' pwdReset attribute: could you please point out to me in which LDAP ObjectClass that is available? I would like to replicate your setup.

Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Bulk Deletion of Users using APIs
On 29/05/2017 13:05, rajkumar wrote:
Hi,

Really thanks for your quick reply, but the URL you have shared gives the Java coding and I want to do this bulk deletion using any API client.

I see, ok.

Below are the values I am using to achieve the same; let me know if I am making any mistake here.

URL: http://52.58.169.64:8080/syncope/rest/users
Type: Delete
Payload:
{
  "operation": "DELETE",
  "targets": [ "{id}" ]
}
content-type - application/json

This cannot work.

But deleting a single user is working fine with the below details:

URL: http://52.58.169.64:8080/syncope/rest/users/{userId}
Type: Delete

This is fine, of course.

Also please let me know, is there a way to run multiple HTTP requests at the same time in postman.

I would suggest to enable Swagger UI in your deployment and look at POST /user/bulk under _users; it should be something like

URL: http://52.58.169.64:8080/syncope/rest/users/bulk
Type: POST
Payload:
{
  "type": "DELETE",
  "targets": [ "{key}" ]
}

Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Syncope .deb installation, no resources tab
On 18/05/2017 17:32, Thomas Maerz wrote:
Question though, in order to use the AD ConnID, should I deploy using Maven or will .deb work fine?

If you are using .deb, just check the content of the directory /var/lib/apache-syncope/bundles to see if the AD connector bundle is already there.

Regards.

On May 18, 2017, at 10:30 AM, Thomas Maerz <thomasma...@kmnr.org> wrote:
Yes, sorry about that. I started on this in preparation for a migration project and we proceeded without it. For now we have been manually synchronizing the directories but it appears it will go on longer than anticipated so I'd like to get something set up to eliminate human error. Thank you for the response.

Thomas

On May 18, 2017, at 10:28 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
Wow, a timebomb from 6 months ago :-)

There is no step-by-step tutorial (yet) for Syncope and AD available, but:
1. several other people seemed to succeed at it - see the recent [1] for example - so I guess it shouldn't be hard for them to support you here
2. there is absolutely no point in starting a project with Syncope 1.2 today

Regards

[1] https://lists.apache.org/thread.html/bc0a61c40790a4f7e13076b8b9d2a6073a76fffc29d9773bac7e265e@%3Cuser.syncope.apache.org%3E

On 18/05/2017 17:24, Thomas Maerz wrote:
So there is no documentation still for Syncope 2.0 working with AD? If this is the case, would it be better for me to just use Syncope 1.x?

Thomas

On Nov 4, 2016, at 9:48 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
On 04/11/2016 15:44, Thomas Maerz wrote:
Hi,

I've just installed Syncope on Ubuntu Server 16.04 using the .deb packages. I am looking to create an Active Directory Connector. The connector bundle is in the bundles directory out of the box, but my installation does not have a resources tab in the syncope-console. I've read the documentation and I don't know what I am doing wrong. Can the .deb installation not utilize resource connectors or am I doing something wrong?

Hi Thomas,
which version are you running?

It looks like you are looking at the wiki pages, which are working for Syncope prior to 2.0 (e.g. 1.2, 1.1, ...), not for 2.0 and above.

I would suggest to take a look at the official docs:
https://syncope.apache.org/docs/getting-started.html
https://syncope.apache.org/docs/reference-guide.html

This tutorial might also be useful for your use case:
http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

HTH
Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Syncope Rest AccessToken 404
On 2017-05-12 18:42 Hugo Cerdeira wrote:
> Hi, so I'm trying to log in to syncope via webservices, /syncope/rest/accessToken, but I get 404 error; also the accessTokens tab doesn't show when I navigate on my browser to /syncope

I guess you mean /syncope-console here.

> any ideas on what's going on?

Yes, you are not running Syncope 2.0.3 (access tokens were added in that version, which is the current stable).

Regards.
Re: No password propagation after User creation.
This mapping item is wrong:

  {
    "key": "d721e6e2-c9dd-4966-a1e6-e2c9dd0966ef",
    "intAttrName": "password",
    "extAttrName": "password",
    "connObjectKey": false,
    "password": false,
    "mandatoryCondition": "true",
    "purpose": "PROPAGATION",
    "propagationJEXLTransformer": null,
    "pullJEXLTransformer": null,
    "mappingItemTransformerClassNames": []
  }

It should have been instead something like:

  {
    "key": "d721e6e2-c9dd-4966-a1e6-e2c9dd0966ef",
    "intAttrName": "password",
    "extAttrName": "__PASSWORD__",
    "connObjectKey": false,
    "password": true,
    "mandatoryCondition": "true",
    "purpose": "PROPAGATION",
    "propagationJEXLTransformer": null,
    "pullJEXLTransformer": null,
    "mappingItemTransformerClassNames": []
  }

Note the difference in the extAttrName and password fields. This kind of mapping item is generated via Admin Console when you flag 'Password'.

Regards.
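As an added example (not code from this thread or from Syncope itself), the following audit reads a resource through the Syncope 2.0 Java client and reports exactly the defect above: a mapping item carrying the internal "password" attribute without the password flag, or flagged as password but not mapped to the ConnId __PASSWORD__ attribute. The Core address, admin credentials and the default resource key "ofbizUsersPropagation" (from the earlier message in this thread) are assumptions.

```java
// Added example, not code from the thread or from Syncope itself.
// Assumed: Syncope 2.0.x Java client API, Core at http://localhost:8080/syncope/rest,
// admin credentials "admin"/"password", resource key "ofbizUsersPropagation".
import java.util.ArrayList;
import java.util.List;

import org.apache.syncope.client.lib.SyncopeClient;
import org.apache.syncope.client.lib.SyncopeClientFactoryBean;
import org.apache.syncope.common.lib.to.MappingItemTO;
import org.apache.syncope.common.lib.to.ProvisionTO;
import org.apache.syncope.common.lib.to.ResourceTO;
import org.apache.syncope.common.rest.api.service.ResourceService;

public class PasswordMappingAudit {

    /** ConnId's well-known name for the password attribute. */
    static final String CONNID_PASSWORD = "__PASSWORD__";

    /**
     * One finding per suspicious mapping item; an empty list means every
     * password item is flagged and mapped to __PASSWORD__.
     */
    static List<String> audit(final ResourceTO resource) {
        List<String> findings = new ArrayList<>();
        for (ProvisionTO provision : resource.getProvisions()) {
            if (provision.getMapping() == null) {
                continue;
            }
            for (MappingItemTO item : provision.getMapping().getItems()) {
                String where = provision.getAnyType() + "/" + item.getIntAttrName();
                if ("password".equals(item.getIntAttrName()) && !item.isPassword()) {
                    // the case from this thread: propagation is "not attempted because
                    // there are mandatory attributes without value(s): [password]"
                    findings.add(where + ": internal 'password' mapped to '" + item.getExtAttrName()
                            + "' but not flagged as password item");
                }
                if (item.isPassword() && !CONNID_PASSWORD.equals(item.getExtAttrName())) {
                    findings.add(where + ": flagged as password but extAttrName is '"
                            + item.getExtAttrName() + "' instead of " + CONNID_PASSWORD);
                }
            }
        }
        return findings;
    }

    public static void main(final String[] args) {
        String resourceKey = args.length > 0 ? args[0] : "ofbizUsersPropagation";
        SyncopeClient client = new SyncopeClientFactoryBean().
                setAddress("http://localhost:8080/syncope/rest").
                setDomain("Master").
                create("admin", "password");
        ResourceTO resource = client.getService(ResourceService.class).read(resourceKey);
        List<String> findings = audit(resource);
        if (findings.isEmpty()) {
            System.out.println("Password mapping of " + resourceKey + " looks fine");
        } else {
            findings.forEach(f -> System.out.println("FINDING " + f));
        }
    }
}
```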
Re: No password propagation after User creation.
On 12/05/2017 11:49, HugoCerdeira wrote:
> yes, it does include the password:
> internal attribute=password; external attribute=password; mandatory = true

Please provide more details about this mapping item: just read it via REST and paste the JSON content (or a screenshot from Admin Console).

Regards.

> ilgrosso wrote
>> On 12/05/2017 11:31, Hugo Cerdeira wrote:
>>> Hi, I'm trying to propagate a User when creating it via rest services of the syncope-core, I'm able to create him successfully but I get this propagation error:
>>>
>>>   "propagationStatuses": [
>>>     {
>>>       "beforeObj": null,
>>>       "afterObj": null,
>>>       "resource": "ofbizUsersPropagation",
>>>       "status": "FAILURE",
>>>       "failureReason": "Not attempted because there are mandatory attributes without value(s): [password]"
>>>     }
>>>
>>> I'm sending the password on the rest services and the User is correctly created since I can log in using it. I've tried turning return.password.value true/false but didn't make any difference, any tips?
>>
>> What is the user mapping for that resource? Does it include password?
Re: Storing Custom User variables and Unique Email constraint
On 06/05/2017 00:23, Ravindra Singareddy wrote:
> Hi All,
> I need to store User Custom variables like firstName, MiddleName, and Last Name and using following code:
>
>   import java.util.Date;
>   import java.util.Map;
>   import java.util.Set;
>   import javax.ws.rs.core.Response;
>   import org.apache.commons.lang3.tuple.Pair;
>   import org.apache.syncope.client.lib.SyncopeClient;
>   import org.apache.syncope.client.lib.SyncopeClientFactoryBean;
>   import org.apache.syncope.common.lib.to.AttrTO;
>   import org.apache.syncope.common.lib.to.UserTO;
>   import org.apache.syncope.common.rest.api.service.UserService;
>
>   SyncopeClientFactoryBean clientFactory = new SyncopeClientFactoryBean().
>           setAddress("http://localhost:8080/syncope/rest").
>           setDomain("Master").
>           setContentType(SyncopeClientFactoryBean.ContentType.XML).
>           setUseCompression(true);
>   SyncopeClient client = clientFactory.create("admin", "password");
>   UserService userService = client.getService(UserService.class);
>
>   UserTO userTo = new UserTO();
>   userTo.setUsername(username);
>   userTo.setPassword(password);
>   userTo.setCreationDate(new Date());
>   userTo.setCreator("admin");
>   userTo.setRealm("/");
>   userTo.getPlainAttrs().add(new AttrTO.Builder().schema("email").value(email).build());
>   userTo.getPlainAttrs().add(new AttrTO.Builder().schema("firstName").value(firstName).build());
>   userTo.getPlainAttrs().add(new AttrTO.Builder().schema("middleName").value(middleName).build());
>   userTo.getPlainAttrs().add(new AttrTO.Builder().schema("lastName").value(lastName).build());
>
>   // second argument: store the password in the internal storage
>   Response userResponse = userService.create(userTo, true);
>   System.out.println(userResponse.getStatus());
>
> After Successful creation of user, authenticated using email, with following code:
>
>   client = clientFactory.setDomain("Master").create(email, password);
>   // left: entitlements with the realms they apply to; right: the authenticated user
>   Pair<Map<String, Set<String>>, UserTO> self = client.self();
>   Object auth = self.getKey();
>   UserTO selfUserTO = self.getValue();
>   System.out.println(selfUserTO);
>
> First Question:
> selfUserTO is not retrieving firstName, middleName, and LastName from Plain Attributes. What are changes needed to be done for storing these plain attributes values?

You need to create the related schemas (if you haven't done that yet) and then to assign such schemas to the AnyTypeClass for users.

More information:
https://cwiki.apache.org/confluence/display/SYNCOPE/Apache+Syncope+2.0+Primer
https://syncope.apache.org/docs/reference-guide.html#type-management

> Second Question:
> I am able to save email address and also able to retrieve (authenticate) using the email address. If I have created two users with the same email address, the system is not able to log in using this email address. Because the email address is not unique across all users. How to make email address unique across all users.

You need to change the email schema definition and flag uniqueConstraint to true; you can do that either via Admin Console or REST.

Please be aware that, if there are users with the 'email' attribute set, such update is not possible: you'll need either to create another schema or to remove all the existing email values.

HTH
Regards.
Re: Scripted SQL resource
On 08/05/2017 09:37, Mikael Ekblom wrote:
> Hi,
> Never mind, I found it. The groovy-script did not like the fact that the columns within the external db resource had different names than the attributes internally defined to be mapped for the user class itself. I solved it by aliasing the columns from the external db within the query itself to match the provisioning rule.

Glad that you solved! :-)

Regards.

> From: Mikael Ekblom [mailto:mikael.ekb...@arcada.fi]
> Sent: Thursday, 4 May 2017 16:51
> To: user@syncope.apache.org
> Subject: Scripted SQL resource
>
> Hi,
> We have a scripted sql resource set up to fetch data from our HR system. SEARCH and SYNC capabilities set. Now, as the lines tell us below, the search is returning values to the it-parameter set within the groovy sql eachRow command and its closure. The result array seems to be populated.
>
>   16:17:02.952 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[4377]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=Efternamn, Value=[Caspar Klaus Sönvis]}, Attribute: {Name=Fornamn, Value=[Berntzen]}, Attribute: {Name=__NAME__, Value=[4377]}, Attribute: {Name=__UID__, Value=[4377]}, Attribute: {Name=__ENABLE__, Value=[true]}], Name=Attribute: {Name=__NAME__, Value=[4377]}}Method: handle
>   16:17:02.952 DEBUG Return: false Method: handle
>
> But, this is not the case when we try to search and sync from this resource. When we do an "Explore" through the resource and try to view the contents for this particular connector, only the pre-defined attributes __UID__, __NAME__ and __ENABLE__ are visible. The rest of the attributes we set to provision are not visible for some reason. I attached an example of this as a .png. The attributes Efternamn and Fornamn should also be visible but no. As the log states, it seems to state that Return: false. Any pullactionhandler that we have created will confirm that this operation will not return anything but the __UID__, __NAME__ and __ENABLE__.
>
> As such we cannot build the usernames accordingly only via this information. When we connect to this same resource with a dbtable-configuration everything is mapping fine… This will not work in this case though. I first thought that do I now have some ISO-8859-1 conversion issue, but this seems not to be the case. Not for the Dbtable-resource at least.
>
> Another scripted SQL groovy resource towards the same SQL-server and thus we use the same scripted sql bundle version. I set the fetched __UID__ values a bit differently:
>
>   16:21:01.956 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[170776-]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=Ort, Value=[Sibbo]}, Attribute: {Name=efternamn, Value=[Ekblom]}, Attribute: {Name=fornamn, Value=[Mikael]}, Attribute: {Name=Adress, Value=[xx]}, Attribute: {Name=__NAME__, Value=[170776-xxx]}, Attribute: {Name=__UID__, Value=[170776-]}, Attribute: {Name=__ENABLE__, Value=[true]}, Attribute: {Name=personbeteckning, Value=[170776-]}], Name=Attribute: {Name=__NAME__, Value=[170776-xxx]}}Method: handle
>   16:21:01.956 DEBUG Return: true Method: handle
>
> With a similar scripted sql-resource through groovy, everything is visible from the built in variables to the other variables stated through the mapping rules. Column formats are the same.
>
> The big question is: why is the example above stating Return false and the other, similar one, not? Has anyone seen this before? What makes a scripted groovy sql resource return false except for the built in values that must be there?
>
> At times like these, you wish that you could pay for support… :-)
>
> Regards,
> Mikael
Re: Delegate admin for realms
On 05/05/2017 06:06, Kwong,Vincent wrote:
> Hi Francesco,
> Tried with positive result, thanks a lot.

That's good to hear.

> But the display is confusing, the add user button is available in all realms, and only display error when I am at the last step on create user.

I have now created
https://issues.apache.org/jira/browse/SYNCOPE-1072
https://issues.apache.org/jira/browse/SYNCOPE-1073

> Here is my comments:
> 1. Better to display the realms where the user have access only, in some situation I may not want the non-delegated sub-group visible especially they are individual companies

I have also created
https://issues.apache.org/jira/browse/SYNCOPE-1074

> 2. Some console display should reflect user access to avoid confusion

Please give more details, this is not clear.

Regards.

> From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
> Sent: Thursday, May 04, 2017 4:57 PM
> To: user@syncope.apache.org
> Subject: Re: Delegate admin for realms
>
> On 04/05/2017 04:59, Kwong,Vincent wrote:
>> Hi All,
>> I am new to syncope and going to evaluate the syncope functionality for my coming project. I am trying to setup a organization like this, but I cannot figure out how I can achieve the delegated administration.
>>
>> Sample Structure:
>> Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) -> Multiple Teams (e.g. /Group1/Team1)
>>
>> 1. Each team will have an admin to manage the user under that realm
>> 2. Each sub-group will have another admin to look after all teams
>> 3. Each admin have the control for their own sub-group / team only
>>
>> I tried to create a role with some user/realm related access under particular realm, but after I tried to login with the account with that role, I can see/update the parent realm or other sub realm.
>>
>> Is it possible for syncope to achieve what I want? Or anyone have similar experience?
>
> Hi Vincent,
> glad of your interest in Apache Syncope.
>
> To be sure, I have created some sample data in an attempt to replicate your use case.
>
> First, the realms: [1] where g1 and g2 are 'sub-groups' as you name them above (please beware that groups are a different concept in Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.
>
> Then I have created some roles: [2], one for each of the realms above, with full entitlements about users, and REALM_LIST which is only required if you are planning to operate via Admin Console (as it seems).
>
> Finally I have created some users in several realms, /g1/t11 [3], /g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you can see, there are plain users and admin users, where the username of the latter is given to show which realm they are actually managing, e.g.
>
> * admi...@syncope.apache.org which is granted the role 'Managing g1' and thus is allowed to manage users in /g1 [5]
> * admin...@syncope.apache.org which is granted the role 'Managing t11' and thus is allowed to manage users in /g1/t11 [3]
> * admin...@syncope.apache.org which is granted the role 'Managing t12' and thus is allowed to manage users in /g1/t12 [4]
> * admi...@syncope.apache.org which is granted the role 'Managing g2' and thus is allowed to manage users in /g2 [6]
>
> Given such setup, everything is working as expected and every admin user can only see and manage the users contained by the realms he / she is granted by role.
>
> The only quirk I could find is that the realms view always starts from /, but even in this case the only users shown are the expected.
>
> HTH
> Regards.
>
> [1] http://pasteboard.co/29sHsujiu.png
> [2] http://pasteboard.co/29sWCF785.png
> [3] http://pasteboard.co/29tBRMtxQ.png
> [4] http://pasteboard.co/29tMu5CWi.png
> [5] http://pasteboard.co/dlwgYicg.png
> [6] http://pasteboard.co/29tnvwPlb.png
Re: AdminPasswordAlgorithm
[Please do not cross-post: user@ is enough]

On 2017-05-01 11:37 Ravindra Singareddy wrote:
> Hi All,
> Using BCRYPT as adminPasswordAlgorithm in security.properties as follows:
>
>   adminPassword=$2y$10$g.5bFpWp4j6SxSB6iGokT.Sq01SpgSSyBexppJtc9T4TlNfLWVp0q
>   adminPasswordAlgorithm=BCRYPT
>
> But not able to login into syncope-console. Is the BCRYPT password algorithm supported for admin user?

When setting

  adminPassword=$2a$06$/LWhVDsRs7v3ldMdDzuAguJM5yli9AaSbUJYXC2DboPUwslJUrr/y
  adminPasswordAlgorithm=BCRYPT

with hash generated via [1] for 'password123', everything works as expected.

Regards.

[1] http://bcrypthashgenerator.apphb.com/?PlainText=password123
Re: Adding new fields over a MariaDB
On 26/04/2017 19:16, Tech wrote:
> Hello,
> using the Syncope 203, when we try to add a new type, we get this error at the moment of saving the change.
> Here we just try to add an additional email with an EmailValidator, but this happens with any new field that we try to add.
>
> Regards
>
> [...]
>
>   Caused by: org.apache.openjpa.lib.jdbc.ReportingSQLException: (conn:34) Incorrect arguments to mysqld_stmt_execute Query is: INSERT INTO PlainSchema (id, cipherAlgorithm, conversionPattern, enumerationKeys, enumerationValues, mandatoryCondition, mimeType, multivalue, readonly, secretKey, type, uniqueConstraint, validatorClass, ANYTYPECLASS_ID) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?), parameters ['psy_p_emailWork',,,<Buffer:''>,<Buffer:''>,'false',,0,0,,'String',0,'org.apache.syncope.core.persistence.jpa.attrvalue.validation.EmailAddressValidator',] {prepstmnt 894668994 INSERT INTO PlainSchema (id, cipherAlgorithm, conversionPattern, enumerationKeys, enumerationValues, mandatoryCondition, mimeType, multivalue, readonly, secretKey, type, uniqueConstraint, validatorClass, ANYTYPECLASS_ID) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)} [code=1210, state=HY000]

Just google a bit and you will find that such error is often caused by some versions of the MySQL JDBC driver (I assume that is applicable to MariaDB) as well.

More generally, I do believe that most of the troubles you are experiencing lately are due to bad MySQL / MariaDB versions, tuning and configuration, as your errors are hardly reproducible with recent versions of MySQL, MariaDB or their respective JDBC drivers.

Regards.
[ANN] Apache Syncope 2.0.3
The Apache Syncope team is pleased to announce the release of Syncope 2.0.3.

Apache Syncope is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
http://syncope.apache.org/downloads.html

Despite being a minor release, and besides the high number of fixes provided, this new release brings several new features and improvements. The full change log is available here:
https://s.apache.org/syncope203

We welcome your help and feedback. For more information on how to report problems, and to get involved, visit the project website at
http://syncope.apache.org/

The Apache Syncope Team
Re: Windows server scripted sql + groovy
Hi Mikael,
see my replies in-line.

Regards.

On 04/04/2017 09:35, Mikael Ekblom wrote:
> Hi,
> Ah, ok. The groovy-all.jar had to be moved into the syncope web-inf lib directory. So now we have two options: local file bundle and through the connid-server.

Very well!

> Another question by the way. We have our HR-system as a cloud solution. It will be configured as an external resource of course. The thing now is that we are used to generate usernames according to an automated solution. We do not use firstname.lastname as the uid or samaccountname format. A recursive function so to speak based on the firstname lastname combination that we get from HR and other duplication checks etc. I cannot see that syncope will manage automated creation of username as for now from an external resource on the fly? Not even through transformations?

I'd say you need to code a PullActions class
https://syncope.apache.org/docs/reference-guide.html#pullactions
e.g. something that is invoked around your pull task execution, with option to mangle its input / output data.

Please be aware that PullActions (as all other customizations) require to start with a Maven project:
https://syncope.apache.org/docs/reference-guide.html#customization

> I think I will need to extend a connector for this task… and then the famous Office365 license thing that I think you had on the table too.

Exactly, my personal TODO list keeps growing, though... :-/

> From: Marco Di Sabatino Di Diodoro [mailto:marco.disabat...@tirasa.net]
> Sent: Monday, 3 April 2017 14:31
> To: user@syncope.apache.org
> Subject: Re: Windows server scripted sql + groovy
>
> Hi
>
> On 03/04/2017 12:44, Mikael Ekblom wrote:
>> Hi,
>> We or I have been playing around with syncope for a while. I have a question now regarding a scripted sql resource and groovy. What we are trying to achieve here, is to get the student accounts over from our home grown student administration system.
>>
>> The scripted sql connector bundle is available as per definition in the connid.properties file and is also available through the administrative panel. But, the log is complaining about the following: "java.lang.IlegalArgumentException: Language not supported: GROOVY" when the script language is defined.
>
> Check if in your connector server instance the groovy-all jar is present. If not, try to copy it from Syncope in the connector server.
>
> Regards
> M
>
>> Some definition missing? I cannot pinpoint anything based on the documentation. I even tried to install groovy separately on the server itself, but it did not solve the problem. It would help a lot to get this done natively. Otherwise I need to implement another proxy repository for this task.
>>
>> Regards,
>> Mikael
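The PullActions approach suggested above, as an added example that is not part of the thread or of Syncope's own code: a class that derives the username from the pulled first and last name and appends a counter while the candidate is already taken in the internal storage. It assumes the Syncope 2.0.x core API (DefaultPullActions.beforeProvision, UserDAO.findByUsername) and that the HR columns are mapped to plain attributes named "firstname" and "lastname"; it has to be built inside the Maven project's core module and then selected on the pull task.

```java
// Added example, not code from the thread or from Syncope itself.
// Assumed: Syncope 2.0.x core API (DefaultPullActions, ProvisioningProfile,
// UserDAO.findByUsername), plain attributes "firstname" and "lastname".
import java.text.Normalizer;
import java.util.Locale;
import java.util.function.Predicate;

import org.apache.syncope.common.lib.to.AnyTO;
import org.apache.syncope.common.lib.to.AttrTO;
import org.apache.syncope.common.lib.to.UserTO;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.provisioning.api.pushpull.ProvisioningProfile;
import org.apache.syncope.core.provisioning.java.pushpull.DefaultPullActions;
import org.identityconnectors.framework.common.objects.SyncDelta;
import org.quartz.JobExecutionException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.transaction.annotation.Transactional;

public class GeneratedUsernamePullActions extends DefaultPullActions {

    @Autowired
    private UserDAO userDAO;

    /** Strips accents and keeps lower-case ASCII letters only: "Sönvis" becomes "sonvis". */
    static String normalize(final String value) {
        String ascii = Normalizer.normalize(value, Normalizer.Form.NFD).replaceAll("[^\\p{ASCII}]", "");
        return ascii.toLowerCase(Locale.ROOT).replaceAll("[^a-z]", "");
    }

    /** Tries base, base2, base3, ... and returns the first candidate not already taken. */
    static String firstFree(final String base, final Predicate<String> taken) {
        String candidate = base;
        for (int n = 2; taken.test(candidate); n++) {
            candidate = base + n;
        }
        return candidate;
    }

    /** First value of the given plain attribute, or null when absent. */
    private static String plainValue(final UserTO user, final String schema) {
        AttrTO attr = user.getPlainAttrMap().get(schema);
        return attr == null || attr.getValues().isEmpty() ? null : attr.getValues().get(0);
    }

    @Transactional(readOnly = true)
    @Override
    public <A extends AnyTO> SyncDelta beforeProvision(
            final ProvisioningProfile<?, ?> profile, final SyncDelta delta, final A any)
            throws JobExecutionException {

        if (any instanceof UserTO) {
            UserTO user = (UserTO) any;
            String first = plainValue(user, "firstname");
            String last = plainValue(user, "lastname");
            if (first != null && last != null) {
                String base = normalize(first) + "." + normalize(last);
                // duplication check against Syncope's internal storage, not against the HR source
                user.setUsername(firstFree(base, candidate -> userDAO.findByUsername(candidate) != null));
            }
        }
        return super.beforeProvision(profile, delta, any);
    }
}
```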
Re: REST Web Service
On 20/03/2017 15:45, Tech wrote:
> Dear experts,
> we are trying to configure a REST Web Service, but we don't know how it should be deployed.
> We found in the /test directory some groovy script to Create/Update/etc, but we don't understand in a real environment where these scripts should be copied before compiling.

Hi,
both the Scripted REST [1] and the Scripted SQL [2] connector bundles share the same approach: the actual implementation of the ConnId operations (e.g. the child classes of [3], as CREATE, UPDATE, DELETE, SEARCH, SYNC, AUTHENTICATE, ...) is delegated to individual Groovy scripts.

The immediate benefit of this approach is that you can adapt the actual logic for dealing with a specific REST service or a given database, thus achieving the maximum flexibility; the downside is that you need to code the scripts, and this requires some skills.

You can find some samples of scripts for the REST connector in the folder core/src/test/resources/rest of your generated Maven project, or at [4], and scripts for the Scripted SQL connector in the folder core/src/test/resources/scriptedsql of your generated Maven project, or at [5].

As you can easily figure out, the actual script content only makes sense when dealing with the specific REST service / database they were designed for, e.g. [6] and [7] respectively.

An important feature for speeding up the development of these scripts is the 'Reload Script On Execution' connector property: when set to true, each script is reloaded and recompiled every time it is called, e.g. every time that the corresponding ConnId operation is invoked by Syncope. In this way one can immediately check if the script is running fine or find out errors. Please do not forget to disable this property once running in production!

Finally, consider that each script can be passed - in the connector configuration - either as actual content or as absolute file path: this is the reason why there are "Create Script" and "Create Script Filename", "Update Script" and "Update Script Filename", etc.

Hope this clarifies.
Regards.

[1] https://connid.atlassian.net/wiki/display/BASE/REST
[2] https://connid.atlassian.net/wiki/display/BASE/Scripted+SQL
[3] http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/spi/operations/SPIOperation.html
[4] https://github.com/apache/syncope/tree/2_0_X/fit/core-reference/src/test/resources/rest
[5] https://github.com/apache/syncope/tree/2_0_X/fit/core-reference/src/test/resources/scriptedsql
[6] https://github.com/apache/syncope/blob/2_0_X/fit/build-tools/src/main/java/org/apache/syncope/fit/buildtools/cxf/UserService.java
[7] https://github.com/apache/syncope/blob/2_0_X/fit/build-tools/src/main/resources/testdb.sql#L46-L51
Re: Custom Attributes
On 20/03/2017 16:57, Vlad Zelenko wrote:
> I can see the link. It shows Viewing Restriction to You and Me, No EDIT restrictions. I can add comments, and see no way to add/change page content. :)

Please try again...

> On Mon, Mar 20, 2017 at 11:53 AM Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>
>> Hi,
>> you should now be able to edit
>> https://cwiki.apache.org/confluence/display/SYNCOPE/Apache+Syncope+2.0+Primer
>>
>> Please let me know if it works.
>>
>> Regards.
>>
>> On 20/03/2017 15:23, Francesco Chicchiriccò wrote:
>>> On 20/03/2017 15:17, vladz wrote:
>>>> [...]
>>>> I'll say, an illustrated how-to document for most common tasks involving both the configuration and UI would eliminate questions like mine. And to put my "money" where my "mouth" is - I'd be happy to help with that. :)
>>>
>>> That's great to hear, Vlad!
>>>
>>> Please first review [1], then send an ICLA [2] and create an account on Confluence [3]; once done, please communicate your username so that I can grant you with editing rights.
>>>
>>> FYI, the only resource available online providing some kind of HOWTO for Syncope 2.0 is [4], maybe it could be useful for you too.
>>>
>>> Regards.
>>>
>>> [1] http://syncope.apache.org/contributing.html
>>> [2] http://www.apache.org/licenses/#clas
>>> [3] https://cwiki.apache.org/confluence/signup.action
>>> [4] http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html
Re: Custom Attributes
On 19/03/2017 20:49, vladz wrote:
> While registering the new user, I'd like to be able to save additional data. In the default installation, there was a 'plainAttrs' schema entry for 'email', which I replaced by lastname and firstname, both defined as String types, not required, no validation, no integrity checks.
>
> When I try to add user with these values set as "plainAttrs": [], the user saves just fine. When I add data there, as:
>
>   "plainAttrs": [
>     { "schema": "firstname", "values": ["Test"] },
>     { "schema": "lastname", "values": ["Last"] }
>   ]
>
> it fails to save, the following error found in core-persistence.log:
>
>   14:16:39.348 WARN org.apache.syncope.core.persistence.jpa.validation.entity.EntityValidationListener - Bean validation errors found: [ConstraintViolationImpl{rootBean=JPAUser[null], propertyPath='plainAttrs', message='InvalidPlainAttr;lastname not allowed for this instance', leafBean=JPAUser[null], value=JPAUser[null]}]
>
> and core-rest.log contains more details:
>
>   15:35:35.729 ERROR org.apache.syncope.core.rest.cxf.RestServiceExceptionMapper - Exception thrown
>   org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException: JPAUser [InvalidPlainAttr]
>     at org.apache.syncope.core.persistence.jpa.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:71) ~[syncope-core-persistence-jpa-2.0.2.jar:2.0.2]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_66]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_66]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_66]
>     at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_66]
>     at org.apache.openjpa.event.BeanLifecycleCallbacks.makeCallback(BeanLifecycleCallbacks.java:85) ~[openjpa-kernel-2.4.2.jar:2.4.2]
>
> Then configuration for Plain Attrs looks like this:
>
>   select id, `mandatoryCondition`, multivalue, readonly, type, uniqueConstraint, validatorClass from PlainSchema where id like '%name'
>
>   id         mandatoryCondition  multivalue  readonly  type    uniqueConstraint  validatorClass
>   firstname  false               0           0         String  0                 NULL
>   lastname   false               0           0         String  0                 NULL
>
> Why am I not able to save these 2 attributes during self-registration?

Hi,
short answer: from Admin Console, go to Configuration > Types > AnyTypesClasses, edit 'BaseUser' and add 'firstname' and 'lastname' there.

Long answer: invest some time in understanding how the type management works in Syncope:
https://syncope.apache.org/docs/reference-guide.html#type-management

HTH
Regards.
Re: Login Logic
On 2017-03-17 23:06 vladz wrote:
> I hope I am not getting on the wrong track... But here goes.
>
> Now that I've worked out the logic for Self-Registration, I am wondering if and how I could manage the login process via Syncope. I have not found any REST methods for "authenticating" the user. That is, sending in a combination of user name and password, receiving back an identity key or user object.
>
> How can the client app resolve the user stored in Syncope via self-registration where the app itself does not keep a separate user store?

Up to Syncope 2.0.2 (i.e. the current stable version), the only authentication method supported (at least, by default) is HTTP Basic Authentication: this means that each and every REST method invocation requires an 'Authentication' HTTP header to be sent.
On the Syncope Core, such Authentication header is processed by the Spring Security components, which verify the passed credentials against the internal storage.

Starting with Syncope 2.0.3, however, the authentication process is reviewed, and support for JSON Web Tokens is introduced: the new process is described at [1].
Syncope 2.0.3 is expected to be released in some time - say about one month from now.

FYI, the current REST features are described in [2].

Regards.

[1] https://ci.apache.org/projects/syncope/reference-guide.html#rest-authentication-and-authorization
[2] https://syncope.apache.org/docs/reference-guide.html#restful-services

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: Self Registration help
On 16/03/2017 22:27, Vlad Zelenko wrote:
> Hey all. I am evaluating syncope as IMS, and want to test the REST API. For starters, I am using Swagger UI to test self-registration.

Hi Vlad,
glad of your interest in Apache Syncope.

> 1. (POST /users/self) When I execute it from the browser, I invariably receive CODE 403 with message "Access to the specified resource has been forbidden."

Question: what is the value of the 'selfRegistration.allowed' configuration parameter [1] in your Syncope deployment? (You can find it out from Admin Console under Configuration > Parameters). E.g. was self-registration enabled at all?

When enabled, the "POST /users/self" endpoint requires to be invoked anonymously, e.g. without any 'Authorization' HTTP header. Are you sure that you did not populate the username / password fields in the Swagger UI when attempting the "POST /users/self" invocation?

> 2. When I use the suggested 'curl' line (http://localhost:8080/syncope/rest/users/self?storePassword=true, etc.), 'Access Denied' is seen in 'core-rest.log' of the application, but nothing comes back to the STDOUT of cURL.

Use "curl -v" and you will get all the response headers, including X-Application-Error-Code and X-Application-Error-Info. More on available REST headers at [2].

> 3. When I use regular create user in Swagger UI (POST /users) with the same UserTO payload (see below), the user is created in syncope, code 201 is returned with a Generated Key.
>
> PAYLOAD:
>
>   {"username":"test","password":"12SomeComplex!!!Pwd","realm":"/","securityQuestion":"","securityAnswer":"","plainAttrs":[{"schema":"email","values":[]}],"derAttrs":[],"virAttrs":[],"resources":[],"auxClasses":[],"memberships":[],"@class":"org.apache.syncope.common.lib.to.UserTO"}
>
> My question is, what is the correct way of performing Self-registration using REST API (I need this for our web application)? Losing my mind over this...

It seems - for very valid reasons, I presume - that you are not interested in the Enduser application [3] nor in using the Java client library [4] for communicating via REST with Core (architectural reference available at [5]).
I would invite you anyway to carefully consider all the related security aspects: you can read from [6] how we did tackle them in the Enduser application.

Regards.

[1] https://syncope.apache.org/docs/reference-guide.html#configuration-parameters
[2] https://syncope.apache.org/docs/reference-guide.html#rest-headers
[3] https://syncope.apache.org/docs/reference-guide.html#customization-enduser
[4] https://syncope.apache.org/docs/reference-guide.html#client-library
[5] https://syncope.apache.org/docs/reference-guide.html#architecture
[6] http://blog.tirasa.net/syncope-enduser-security-features.html

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
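The three messages of this thread above (the InvalidPlainAttr rejection reported by vladz, the Login Logic question about HTTP Basic, and Vlad's 403 on POST /users/self) describe checks a client can run before it ever talks to Core. The script below is an added example written for this archive page; it is neither Syncope code nor the Java client library. It mirrors the AnyTypeClass assignment rule (a plainAttrs schema is accepted only if some AnyTypeClass applying to the user carries it; here the classes bound to the USER type plus the payload's auxClasses, leaving aside the group-based type extensions of the reference guide), builds the anonymous self-registration request and the Basic-authenticated administrative one, and decodes the X-Application-Error-Code / X-Application-Error-Info headers that 'curl -v' would show. The AnyTypeClass dictionaries, the UserTO payload and the SYNCOPE_REST_URL environment variable are constructed for the example.

```python
"""Client-side pre-flight for Syncope 2.0.x user creation over REST (added
example, not Syncope code). It catches two failures before sending anything:

* POST /users/self must be invoked anonymously (no Authorization header) and
  needs selfRegistration.allowed=true, otherwise Core answers 403; the
  administrative POST /users instead carries HTTP Basic credentials on every
  call, the only authentication supported up to 2.0.2.
* every plainAttrs schema must belong to an AnyTypeClass that applies to the
  user, or Core answers 'InvalidPlainAttr;<schema> not allowed for this instance'.

Assumption: applicable classes = the ones bound to the USER AnyType plus the
payload's auxClasses (group type extensions are not modelled here).
"""
import base64
import json
import os
import urllib.error
import urllib.request

USER_TO_CLASS = "org.apache.syncope.common.lib.to.UserTO"

# Constructed configuration: 'before' is what vladz reports (schemas exist but
# are not assigned to BaseUser), 'after' is the fix suggested in the reply.
USER_TYPE_CLASSES = ["BaseUser"]
ANY_TYPE_CLASSES_BEFORE = {"BaseUser": {"plain": ["email"]}}
ANY_TYPE_CLASSES_AFTER = {"BaseUser": {"plain": ["email", "firstname", "lastname"]}}

# Constructed payload in the shape of the UserTO posted in this thread.
USER_TO = {
    "@class": USER_TO_CLASS,
    "username": "test",
    "password": "12SomeComplex!!!Pwd",
    "realm": "/",
    "plainAttrs": [
        {"schema": "firstname", "values": ["Test"]},
        {"schema": "lastname", "values": ["Last"]},
    ],
    "derAttrs": [], "virAttrs": [], "resources": [],
    "auxClasses": [], "memberships": [],
}


def disallowed_plain_attrs(user_to, any_type_classes, type_classes=USER_TYPE_CLASSES):
    """Return the plainAttrs schemas that no applicable AnyTypeClass provides."""
    applicable = list(type_classes) + list(user_to.get("auxClasses", []))
    allowed = set()
    for name in applicable:
        allowed.update(any_type_classes.get(name, {}).get("plain", []))
    return [a["schema"] for a in user_to.get("plainAttrs", []) if a["schema"] not in allowed]


def _post(url, user_to, extra_headers):
    if user_to.get("@class") != USER_TO_CLASS:
        raise ValueError("UserTO payload must carry '@class': " + USER_TO_CLASS)
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    headers.update(extra_headers)
    body = json.dumps(user_to).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def self_registration_request(base_url, user_to, store_password=True):
    """POST /users/self: deliberately built without any Authorization header."""
    url = "%s/users/self?storePassword=%s" % (
        base_url.rstrip("/"), "true" if store_password else "false")
    return _post(url, user_to, {})


def admin_create_request(base_url, user_to, username, password):
    """POST /users: HTTP Basic credentials must accompany every REST call."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return _post(base_url.rstrip("/") + "/users", user_to, {"Authorization": "Basic " + token})


def explain_failure(status, headers):
    """Summarise a failed response from the headers that 'curl -v' reveals."""
    code = headers.get("X-Application-Error-Code")
    info = headers.get("X-Application-Error-Info")
    if code is None:
        return "HTTP %d without Syncope error headers (wrong URL or container-level denial?)" % status
    return "HTTP %d %s: %s" % (status, code, info or "")


def send(req):
    """Perform the request; return (status, headers) instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


if __name__ == "__main__":
    for label, classes in (("before fix", ANY_TYPE_CLASSES_BEFORE), ("after fix", ANY_TYPE_CLASSES_AFTER)):
        print(label, "-> schemas Core would reject:", disallowed_plain_attrs(USER_TO, classes))
    base = os.environ.get("SYNCOPE_REST_URL")  # e.g. http://localhost:8080/syncope/rest
    if base:
        status, hdrs = send(self_registration_request(base, USER_TO))
        print(status if status == 201 else explain_failure(status, hdrs))
```

Run offline, the script shows firstname and lastname as the schemas that would be rejected until they are added to BaseUser; with SYNCOPE_REST_URL set it performs the anonymous self-registration and, on anything but 201, prints the Syncope error headers rather than a bare status line.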
Re: Hosted syncope provider
On 14/03/2017 18:54, Amish Munshi wrote:
> Hello All,
> I wanted to introduce myself and had a couple of questions on syncope. I have been using multiple identity management products and have done several IDM deployments ranging up to 100 million users with 100 authentications/second and 1000 authorizations/second.

Hi Amish,
well, your numbers look impressive, congratulations.

> Syncope seems very interesting and I wanted to check whether it's possible to provide a hosted syncope solution to my clients.

Glad to hear this!

> Is there already a hosted syncope provider that we can subscribe to?

Not that I am aware of, at least none that declares that publicly.
If you want to taste Apache Syncope - only for evaluation - you could download the standalone distribution from
http://www.apache.org/dyn/closer.lua/syncope/2.0.2/syncope-standalone-2.0.2-distribution.zip
and read how to run it at
http://syncope.apache.org/docs/getting-started.html#standalone

> Is it possible to host a single syncope implementation as multi tenant implementation?

Yes it is: since 2.0, Apache Syncope supports multi-tenancy via domains: more at
https://syncope.apache.org/docs/reference-guide.html#domains

Regards.

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: Creating a virtual schema type ->empty type list
On 03/03/2017 08:49, Mikael Ekblom wrote:
> Hi,
>
> > Sorry, I don't get this last point: FYI, Syncope can be deployed and run in Windows environments too.
>
> I was referring to the fact that it might be that we will jump over to deploy Syncope on some Linux distribution. But as you said, it is deployed already on a Windows server and works fine. What we need to check is how to connect to Office365 PowerShell and automatically assign licenses through the IDM if possible. Synchronization with Azure AD should work out of the box through sync with AD -> Azure AD Connect, but assigning licenses is something else. This should also be role based. I must see what I can find for that or maybe write my own bundle.

Now I understand, interesting.
FYI, verifying the connection with Office365 is on my (quite long ATM) TODO list, too :-)

Regards.

> *From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
> *Sent:* Wednesday, 1 March 2017 16:30
> *To:* user@syncope.apache.org
> *Subject:* Re: Creating a virtual schema type ->empty type list
>
> On 01/03/2017 08:29, Mikael Ekblom wrote:
> > Hi,
> > OK, so that was the logic behind it! Now I start to have all the dependencies clear. Tested it and now everything makes sense.
>
> That's great to hear.
>
> > Our deployment is pretty small though. Only 200+ personnel + some 2000 students. But I'll check the Postgres option. The core seems to be configured by default towards the Postgres option.
>
> Yes, it is :-)
>
> > I like the way you can augment Syncope if needed in a strongly typed language. Maybe we'll even be able to remove the existing PHP-based "IDM", which is more of a plain sync engine with no editable business logic capabilities whatsoever. Not my production though... It might be that we will end up with a *nix environment in the end.
>
> Sorry, I don't get this last point: FYI, Syncope can be deployed and run in Windows environments too.
>
> Regards.
>
> > *From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
> > *Sent:* Tuesday, 28 February 2017 17:54
> > *To:* user@syncope.apache.org
> > *Subject:* Re: Creating a virtual schema type ->empty type list
> >
> > On 28/02/2017 16:26, Mikael Ekblom wrote:
> > > Hi,
> > > We are currently evaluating Syncope as a candidate for our future IDM.
> >
> > Hi,
> > glad to hear that :-)
> >
> > > We have some choices on the table and we are even considering writing our own IDM from scratch, but that is something I would like to avoid for practical reasons :-) I think that would be inventing the wheel again nowadays. Our neighbor Helsinki University is implementing the same solution, so I thought that I will join the community regarding this one.
> > >
> > > Anyhow, I have a working Syncope 2.0.2 running on a Windows Server 2012 R2 with MySQL as the backbone. It is set up and configured via Apache Maven and is running with Tomcat 8.5 as the container. Everything seems to be working. I have managed to create the connector to our AD with the built-in/shipped connector. I have also assigned a resource to that connector. Via that resource, we will pull information from our AD as an initial test. The connector reports that it works.
> >
> > Very nice, indeed.
> > One note: while it is perfectly fine for evaluation, I would personally prefer PostgreSQL over MySQL / MariaDB, as some of my customers have been reporting complaints about search performances. We have been constantly providing enhancements and fixes about that, but there have been simply no issues in all the PostgreSQL-based deployments - some of them being very large in numbers.
> >
> > > One problem though. I have been able to create all schema types but the virtual one. When I'm supposed to create a virtual schema type for attributes that Syncope will not own and set the AD resource as the de facto resource, the type drop-down list for the virtual schema is empty and just states "Choose one". What am I missing here? Some schema definition topic missed somewhere?
> > >
> > > This is not a panic question, as we are just evaluating, but I figure that I might save some time to ask via the mailing list first. I do have my own abstractions to do for our own maybe-to-come IDM :-)
> >
> > I am assuming you are using the Admin UI here. If so, you need first to select a Resource (among the ones available) and then the Type combo will be populated with all the provision rules defined for that Resource. Finally, you will need to provide the external attribute to which the new Virtual Schema's attributes will be linked.
> >
> > More details available at:
> > https://syncope.apache.org/docs/reference-guide.html#virtual
> >
> > HTH
> > Regards.

-- 
Francesco Chicchiriccò
Re: Users Can't Save Answers to Security Questions
Hi,
welcome to Syncope.
You'll find my comments embedded below.

Regards.

On 03/03/2017 01:20, Terrance A. Crow wrote:
> I'm having an issue with both Syncope 2.0.1 and Syncope 2.0.2 where the end-users can't save their answers to security questions.
>
> Steps to recreate:
>
> 1. Using syncope-console as admin, create a security question.
> 2. Log in to syncope-enduser as a normal (non-admin) user. Select the new security question, specify an answer, click on Finish, click on Save, and enter the correct captcha information.
> 3. Log back on using the same ID to syncope-enduser and observe that the answer to the security question is blank.
> 4. Log into syncope-console as admin, add the security answer to the USER Search screen, and observe a blank answer for the user in question.

Once set, the security answer is *never* reported, neither in Admin Console nor in Enduser UI, to avoid potential security issues.
I have just added a note to the SNAPSHOT reference guide [1]: this version will replace [2] once next release (2.0.3) will be out. Thanks for reporting!

The password reset process, however, is not working properly until the latest fixes already available in 2.0.3-SNAPSHOT, that will be publicly available (alongside with others) with Syncope 2.0.3.

> The ID's the result of a self-registration. Syncope's running on CentOS 7 (patched to current) under Oracle Java JDK 1.8.0_121. The Tomcat version is 8.0.41.
>
> I found a similar condition in Jira (SYNCOPE-942), but it's not an exact match and that issue's closed.
>
> Am I missing something obvious?

[1] https://ci.apache.org/projects/syncope/reference-guide.html#password-reset-no-security-answer
[2] https://syncope.apache.org/docs/reference-guide.html#password-reset

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: Creating a virtual schema type ->empty type list
On 01/03/2017 08:29, Mikael Ekblom wrote:
> Hi,
> OK, so that was the logic behind it! Now I start to have all the dependencies clear. Tested it and now everything makes sense.

That's great to hear.

> Our deployment is pretty small though. Only 200+ personnel + some 2000 students. But I'll check the Postgres option. The core seems to be configured by default towards the Postgres option.

Yes, it is :-)

> I like the way you can augment Syncope if needed in a strongly typed language. Maybe we'll even be able to remove the existing PHP-based "IDM", which is more of a plain sync engine with no editable business logic capabilities whatsoever. Not my production though... It might be that we will end up with a *nix environment in the end.

Sorry, I don't get this last point: FYI, Syncope can be deployed and run in Windows environments too.

Regards.

> *From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
> *Sent:* Tuesday, 28 February 2017 17:54
> *To:* user@syncope.apache.org
> *Subject:* Re: Creating a virtual schema type ->empty type list
>
> On 28/02/2017 16:26, Mikael Ekblom wrote:
> > Hi,
> > We are currently evaluating Syncope as a candidate for our future IDM.
>
> Hi,
> glad to hear that :-)
>
> > We have some choices on the table and we are even considering writing our own IDM from scratch, but that is something I would like to avoid for practical reasons :-) I think that would be inventing the wheel again nowadays. Our neighbor Helsinki University is implementing the same solution, so I thought that I will join the community regarding this one.
> >
> > Anyhow, I have a working Syncope 2.0.2 running on a Windows Server 2012 R2 with MySQL as the backbone. It is set up and configured via Apache Maven and is running with Tomcat 8.5 as the container. Everything seems to be working. I have managed to create the connector to our AD with the built-in/shipped connector. I have also assigned a resource to that connector. Via that resource, we will pull information from our AD as an initial test. The connector reports that it works.
>
> Very nice, indeed.
> One note: while it is perfectly fine for evaluation, I would personally prefer PostgreSQL over MySQL / MariaDB, as some of my customers have been reporting complaints about search performances. We have been constantly providing enhancements and fixes about that, but there have been simply no issues in all the PostgreSQL-based deployments - some of them being very large in numbers.
>
> > One problem though. I have been able to create all schema types but the virtual one. When I'm supposed to create a virtual schema type for attributes that Syncope will not own and set the AD resource as the de facto resource, the type drop-down list for the virtual schema is empty and just states "Choose one". What am I missing here? Some schema definition topic missed somewhere?
> >
> > This is not a panic question, as we are just evaluating, but I figure that I might save some time to ask via the mailing list first. I do have my own abstractions to do for our own maybe-to-come IDM :-)
>
> I am assuming you are using the Admin UI here. If so, you need first to select a Resource (among the ones available) and then the Type combo will be populated with all the provision rules defined for that Resource. Finally, you will need to provide the external attribute to which the new Virtual Schema's attributes will be linked.
>
> More details available at:
> https://syncope.apache.org/docs/reference-guide.html#virtual
>
> HTH
> Regards.

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: Dynamic role - the task remains blocked
On 01/03/2017 15:08, Tech wrote:
> Hello,
> thank you for your feedback.
>
> As described, we stopped already the AS and we restarted, but the process was continuing to turn.

And did you check if there was any zombie java process around, after stopping and *before* starting again?

> The only solution it was to restore the database, but we know that this situation it will repeat for sure, that's why we would like to find a solution

As usual, you need to investigate in the logs what is the actual source for the error, possibly trying to isolate as much as possible what makes the system unstable.

Regards.

> On 01/03/17 14:57, Francesco Chicchiriccò wrote:
> > Hi,
> > I am assuming that this e-mail is a duplicate of [1]: correct?
> > See my replies below.
> >
> > Regards.
> >
> > On 01/03/2017 10:35, Tech wrote:
> > > Dear experts,
> > > we want to report you something we detected in the Syncope-Console.
> > >
> > > We are importing some information from a database where a column is called "MYGROUP" and the content is "Employee". We created a group into Syncope called MYGROUP and in the group we defined a Dynamic group where the attribute.myrole == Employee, the user is automatically assigned to the group.
> > >
> > > When we check the users, we can validate that they are correctly assigned to the group MYGROUP.
> > >
> > > We perform some modification on the Database, we run again the pull, but this time we see that from the Dashboard/Control/Available, we see the pull still running, and also pushing on the Stop, the popup will confirm us that the task has been performed correctly,
> >
> > It seems that the pull task has entered into some kind of error condition that cannot be stopped by the Quartz engine (an example could be some kind of blocking I/O operation).
> >
> > > but also restarting Syncope, the task will be still running.
> >
> > This is really odd: please try to
> >
> > 1. stop the Java EE container
> > 2. check with ps if there is any hanging java process and kill -9 if so
> > 3. start again the Java EE container
> >
> > I think the actual problem is, as said above, something that prevents the Java EE container to exit properly.
> >
> > > We are not able to run anymore any Pull, and we were forced to run a restore of the database.
> > >
> > > What should be done to avoid this?
> >
> > [1] https://lists.apache.org/thread.html/6bef9e8a38a3635fe5144935e92f188a8b5b7032f8b3814de6f94e35@%3Cuser.syncope.apache.org%3E

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: Dynamic role - the task remains blocked
Hi,
I am assuming that this e-mail is a duplicate of [1]: correct?
See my replies below.

Regards.

On 01/03/2017 10:35, Tech wrote:
> Dear experts,
> we want to report you something we detected in the Syncope-Console.
>
> We are importing some information from a database where a column is called "MYGROUP" and the content is "Employee". We created a group into Syncope called MYGROUP and in the group we defined a Dynamic group where the attribute.myrole == Employee, the user is automatically assigned to the group.
>
> When we check the users, we can validate that they are correctly assigned to the group MYGROUP.
>
> We perform some modification on the Database, we run again the pull, but this time we see that from the Dashboard/Control/Available, we see the pull still running, and also pushing on the Stop, the popup will confirm us that the task has been performed correctly,

It seems that the pull task has entered into some kind of error condition that cannot be stopped by the Quartz engine (an example could be some kind of blocking I/O operation).

> but also restarting Syncope, the task will be still running.

This is really odd: please try to

1. stop the Java EE container
2. check with ps if there is any hanging java process and kill -9 if so
3. start again the Java EE container

I think the actual problem is, as said above, something that prevents the Java EE container to exit properly.

> We are not able to run anymore any Pull, and we were forced to run a restore of the database.
>
> What should be done to avoid this?

[1] https://lists.apache.org/thread.html/6bef9e8a38a3635fe5144935e92f188a8b5b7032f8b3814de6f94e35@%3Cuser.syncope.apache.org%3E

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: Assign group to user from DB
Hi,
are you sure that you are using the Scripted SQL connector? The Database Table connector, in fact, only provides support for the __ACCOUNT__ ObjectClass, e.g. only for users, as suggested by the error below.

In order to use the Scripted SQL connector, you must also provide the adequate Groovy scripts matching your own database schema; some samples can be found under the core/src/test/resources/scriptedsql directory of your generated Maven project.

HTH
Regards.

On 27/02/2017 17:47, Tech wrote:
> Hello,
> coming back to this point: we prepared the code to integrate the group propagation from a DB to Syncope but we encountered some problems.
>
> Before integrating the code that we developed, we started to add the concept of Group into our system.
>
> * Our database has a column called "role", where the only content is "GroupTest".
> * We created the group "GroupTest" also in Syncope to have a 1:1 relation.
> * We created the type "role" and we put it into the "BaseGroup" schema.
> * We go back to the resources and we Edit provision rules, we add a Group that we map with name:role.
>
> Since now on, every Pull, also the one for the Users, will terminate in a FAILURE with the error:
>
>   org.quartz.JobExecutionException: While pulling from connector [See nested exception: java.lang.IllegalArgumentException: Operation requires an Account ObjectClass.]
>     at org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:284)
>     at org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:60)
>     at org.apache.syncope.core.provisioning.java.pushpull.AbstractProvisioningJobDelegate.doExecute(AbstractProvisioningJobDelegate.java:558)
>     at org.apache.syncope.core.provisioning.java.job.AbstractSchedTaskJobDelegate.execute(AbstractSchedTaskJobDelegate.java:96)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>
> Removing the mapping of the group, everything will turn back to normality.
>
> Any idea why this could happen?
>
> Thanks!
>
> On 06/02/17 17:58, Marco Di Sabatino Di Diodoro wrote:
> > On 06/02/2017 17:41, Marco Di Sabatino Di Diodoro wrote:
> > > Hi,
> > >
> > > On 06/02/2017 17:11, Tech wrote:
> > > > Dear experts,
> > > > we're pulling information from a database. We want to assign automatically a group to a user.
> > > >
> > > > The original table has a format like
> > > >
> > > >   -- "USERNAME" : "user01"
> > > >   -- "ROLE": "employee"
> > >
> > > In a pull task it is possible to add a template. The template can be used for setting default values on entities during a pull task. To configure a template go to Topology --> select the external resource to pull --> Pull Task and click the Template icon [1 Pull Templates].
> > >
> > > [1] https://syncope.apache.org/docs/reference-guide.html#provisioning-pull
> >
> > If a User is associated to a Group in your Database, and you would like to assign the corresponding User as a member of the corresponding Group in Syncope, you must implement a Pull Action [1]. ConnId doesn't implement the assignment of a membership, so to work around this we can use a pull action.
> >
> > [1] https://syncope.apache.org/docs/reference-guide.html#pullactions
> >
> > > > We want the user being created into Syncope associated to the already existing group "employee", but we don't see how to create this association.
> > > >
> > > > Is there any reference that we should check?
> > > >
> > > > Thanks

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: AD-sync errors
On 01/03/2017 10:52, g2hari wrote:
> In between, is there any detailed Active Directory sync document available? I followed the below documentation which was created on 5th June (outdated),
> https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+Active+Directory+resource

There is a pretty clear statement on top of the page that says:

  Version Warning
  The content below is for Apache Syncope <= 1.2 - for later versions the Reference Guide is available.

I suppose you are using Apache Syncope 2.0, no?

> Many of them are not covered with the new interface, clarity missing on Internal and external mapping for Active Directory attributes.

There is no similar documentation yet for 2.0; the only related content (but for LDAP) can be found in
http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Regards.

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: Creating a virtual schema type ->empty type list
On 28/02/2017 16:26, Mikael Ekblom wrote:
> Hi,
> We are currently evaluating Syncope as a candidate for our future IDM.

Hi,
glad to hear that :-)

> We have some choices on the table and we are even considering writing our own IDM from scratch, but that is something I would like to avoid for practical reasons :-) I think that would be inventing the wheel again nowadays. Our neighbor Helsinki University is implementing the same solution, so I thought that I will join the community regarding this one.
>
> Anyhow, I have a working Syncope 2.0.2 running on a Windows Server 2012 R2 with MySQL as the backbone. It is set up and configured via Apache Maven and is running with Tomcat 8.5 as the container. Everything seems to be working. I have managed to create the connector to our AD with the built-in/shipped connector. I have also assigned a resource to that connector. Via that resource, we will pull information from our AD as an initial test. The connector reports that it works.

Very nice, indeed.
One note: while it is perfectly fine for evaluation, I would personally prefer PostgreSQL over MySQL / MariaDB, as some of my customers have been reporting complaints about search performances. We have been constantly providing enhancements and fixes about that, but there have been simply no issues in all the PostgreSQL-based deployments - some of them being very large in numbers.

> One problem though. I have been able to create all schema types but the virtual one. When I'm supposed to create a virtual schema type for attributes that Syncope will not own and set the AD resource as the de facto resource, the type drop-down list for the virtual schema is empty and just states "Choose one". What am I missing here? Some schema definition topic missed somewhere?
>
> This is not a panic question, as we are just evaluating, but I figure that I might save some time to ask via the mailing list first. I do have my own abstractions to do for our own maybe-to-come IDM :-)

I am assuming you are using the Admin UI here. If so, you need first to select a Resource (among the ones available) and then the Type combo will be populated with all the provision rules defined for that Resource. Finally, you will need to provide the external attribute to which the new Virtual Schema's attributes will be linked.

More details available at:
https://syncope.apache.org/docs/reference-guide.html#virtual

HTH
Regards.

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: Understanding connector agent in remote system
Hi,
a ConnId Connector Server [1] can be essentially seen as a remote container for connector bundles.

Normally, Syncope is configured to look up connector bundles from a local directory, but there are more options [2], including referencing connector servers.
Once a (Java or .Net) connector server is set up and running, Syncope will be able to use the connector bundles deployed there as if they were instead deployed in a local directory.

As you can imagine, this is especially useful when, for example, you are running Syncope on Linux but need to provision by using PowerShell scripts, which require to be run on Windows. In this case, all you need is to

1. deploy a Java connector server on Windows
2. deploy the ConnId CMD bundle [3] onto such connector server
3. write the PowerShell scripts
4. configure Syncope (as explained in [2]) for using such connector server
5. use the Admin Console to configure the CMD bundle as if it was deployed locally

The communication between Syncope and ConnId connector servers is based on a TCP protocol defined by ConnId, which can also use SSL (as explained in [2]).

HTH
Regards.

On 22/02/2017 14:22, Tech wrote:
> Dear experts,
> we checked from the documentation that the conn bundles could be also deployed on the target system instead of that in Syncope.
>
> We want to understand with you if it would be possible to configure a similar scenario and to validate if our understanding is correct:
>
> * Syncope is deployed on Server1 and the target system on Server2.
> * Syncope calls the remote connector deployed on Server2 (using REST?)
> * The remote connector deployed on Server2 extracts the data (SELECT FIRSTNAME, LASTNAME FROM USER;)
> * The remote connector caches the result of the query
> * Syncope extracts the information from the remote connector and takes it to Server1.
>
> Is that correct?
>
> Thanks

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: Bug to JEXL script using custom field with "-" propagating a "0"
On 15/02/2017 16:18, Tech wrote:
> Dear Experts,
> we want to bring to your attention a bug that we detected in the admin console.
>
> If you create a custom field containing a dash "-" like "first-name", we detected that in the case we would like to apply some JEXL in the push (but maybe this might apply also in other cases), for example if we want to push our internal field "first-name" to Active Directory "email", the provisioning will just propagate "0".
>
> For example:
>
> * first-name + '@mydomain.local' will return
> * "0@mydomain.local"
>
> This error will disappear if the field is named "first_name" or "firstname".
>
> Let us know if we should open a bug in Jira.

This limitation actually comes from the fact that you are using a schema in a JEXL expression, and variables in JEXL (similarly as in Java) do not admit the minus character in their name; see
https://commons.apache.org/proper/commons-jexl/reference/syntax.html
for reference, under 'Identifiers / variables'.

Regards.

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
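The "first-name" report above is a naming problem that can be caught when the schema is defined rather than when a push silently propagates "0". The linter below is an added example for this archive page, not Syncope code: it applies the JEXL identifier rule linked in the reply (start with a letter, '_' or '$', continue with letters, digits, '_' or '$') and rejects a short, admittedly non-exhaustive set of JEXL keywords that would otherwise pass as identifiers. My reading of the symptom, stated here as an interpretation and not as something the thread confirms, is that JEXL tokenises 'first-name' as the subtraction of two undefined variables, which is consistent with the observed "0@mydomain.local". The suggested replacements (dash to underscore, leading underscore for names starting with a digit) are the example's own convention.

```python
"""Lint Syncope schema keys for safe use as bare variables in JEXL expressions.

Added example, not Syncope code. A schema named 'first-name' cannot be
referenced in a JEXL mapping expression because '-' is the subtraction
operator, so the expression silently becomes `first - name`.
"""
import re

# JEXL identifier rule from the syntax reference: first char a letter, '_' or
# '$'; following chars letters, digits, '_' or '$'.
_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")

# Non-exhaustive set of JEXL keywords / operator words that match the identifier
# grammar but cannot be used as variable names.
_RESERVED = {
    "or", "and", "not", "eq", "ne", "lt", "gt", "le", "ge",
    "size", "empty", "null", "true", "false", "new", "var",
    "if", "else", "for", "while", "return",
}


def jexl_safe(name):
    """True if `name` can be referenced as a bare variable in a JEXL expression."""
    return bool(_IDENT.match(name)) and name not in _RESERVED


def suggest(name):
    """Propose a JEXL-safe replacement: illegal characters become '_',
    a leading digit gets a '_' prefix, reserved words get a '_' suffix."""
    fixed = re.sub(r"[^A-Za-z0-9_$]", "_", name)
    if not fixed or not re.match(r"[A-Za-z_$]", fixed[0]):
        fixed = "_" + fixed
    if fixed in _RESERVED:
        fixed += "_"
    return fixed


def lint_schema_names(names):
    """Return {unsafe_name: suggestion} for every schema key JEXL would mis-parse."""
    return {n: suggest(n) for n in names if not jexl_safe(n)}


if __name__ == "__main__":
    # Constructed sample: the key from the thread plus a few more edge cases.
    for bad, good in lint_schema_names(["first-name", "firstname", "1st", "size"]).items():
        print("%-12s -> rename to %s" % (bad, good))
```

Run against the keys you plan to use in mapping expressions before creating the schemas; anything the linter reports will not work as a bare JEXL variable.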
Re: Active Directory password propagation
On 15/02/2017 13:56, Tech wrote:
Hello,
actually that field at that stage was not flagged. Checking them it's now working, but what generated confusion is that without checking them, the other information such as FirstName, LastName etc. are propagated.
Is there a way to keep the check [v] active by default?

No, but that panel will disappear once 2.0.3 is out (see [1]), and the default behaviour will be as if every check was active.

Regards.

[1] https://issues.apache.org/jira/browse/SYNCOPE-991

On 15/02/2017 12:07, Andrea Patricelli wrote:
Good morning,
we made a double check and password propagation on Active Directory was successful.
In the user edit form (first tab of the wizard), beneath password and confirm password text areas, there are two (or more) checkboxes (depending on the number of resources associated to the user); have you flagged the AD checkbox? Please see image at [1].
HTH,
Andrea
[1] https://ibin.co/3CTCYNjuyWT7.png

On 13/02/2017 14:52, Tech wrote:
Dear experts,
We guess that there is a bug in the AD connector.
1. We are able to set the connection in SSL
2. we can create a user with a chosen password
3. we login with success to the system using the chosen password
4. we try to change any value from the user interface and these changes are immediately reflected to the AD
5. we change the password, but it is not propagated
6. we change the first name and it's correctly propagated, but the password is not
7. we try to manually run the PushTask, and only in this case the password is correctly propagated
We are able to automatically propagate all fields except the password (that requires a manual propagation), could you please double check?
Thanks

On 30/01/2017 16:02, Tech wrote:
The value in 'password.cipher.algorithm' was SHA1.
We updated to AES, we changed again the password for the user and we tried to login again to the enduser portal. It's working, we tried to connect to AD but without success.
We realized after that the password, unlike the other fields, is not immediately propagated when changed, but it's only propagated by the scheduler.
Can this be changed?
Thanks for your support

On 30/01/2017 15:24, Francesco Chicchiriccò wrote:
On 30/01/2017 15:18, Tech wrote:
Yes, I can confirm, right in this moment we are only performing manual provisioning. This is of course not the goal, but before moving to an automatic provision of accounts we want the manual one working

What is your value for the 'password.cipher.algorithm' general configuration parameter? If not 'AES', pushing password values (as any other encrypted value) will not work anyway.
The point is that Active Directory requires cleartext password values (encrypted via ConnId's GuardedString), which are normally available only during user update, not later. This unless AES (e.g. reversible encryption) is set for internal password values.
Provisioning - via resource assignment - is part of user update, push occurs after user update.

Regards.

On 30/01/2017 15:14, Francesco Chicchiriccò wrote:
On 30/01/2017 15:11, Tech wrote:
We are associating using a manual provisioning

Do you mean that you are only relying on a push task for provisioning to AD? Could you confirm that you are *not* assigning the AD resource directly to the users, neither via group membership or template?

Here the main information:

Connector version 1.3.2
- SSL enabled
- Retrieve deleted users enabled
- Retrieve deleted groups enabled
- Trust all certs enabled
Entry object classes:
- Top
- person
- organizationalPerson
- inetOrgPerson
- user
Custom user search filter: cn=*
Root suffixes + base contexts + default people container: ou=myad,dc=test,dc=local
uidAttribute: cn
Object classes to synchronize: user

Resource:
username -> cn (remote key)
password -> __PASSWORD__ (Password)
email -> mail
fn -> givenName
ln -> sn
username -> sAMAccountName
Object link: 'CN='+username+',OU=myad,dc=test,dc=local'

Push tasks:
Active
Matching rule: Update
Unmatching rule: provision
Allow Create, update, delete, sync status

On 30/01/2017 15:01, Francesco Chicchiriccò wrote:
On 30/01/2017 14:53, Tech wrote:
This is what happens when I open the Password Manager, while when I update the password no log is generated.

This is what I suspected: you could definitely find a confirmation if you are able to verify that the user on Active Directory still has the password set during create (while on Syncope the password value was changed).
How are you associating the users to the AD resource? Directly or via group?
Could you please enlist your full connector configuration (with *all* options) an
Re: Password reset procedure from enduser interface
On 13/02/2017 18:59, Tech wrote:
Hello Francesco,
Thanks for your update, we created the notification in the parameters and the template, but we get stuck before the point you were describing:
We went through the procedure, the user creates his own account, with an email and a password. For simplicity, we created only one security question.
Once he forgets the password, he comes back to the EndUser interface and he requests to insert the challenge answer. Even if the challenge answer is correct (and I can check that it's correctly stored into the database), we receive an error saying:

18:44:20.883 ERROR org.apache.syncope.client.enduser.resources.UserSelfPasswordReset - Error while updating user
java.lang.Exception: A correct security answer should be provided
at org.apache.syncope.client.enduser.resources.UserSelfPasswordReset.newResourceResponse(UserSelfPasswordReset.java:76) ~[syncope-client-enduser-2.0.2.jar:2.0.2]
[...]

But we know that the challenge answer is correct and all in lowercase like in the database, I can't understand why it doesn't find the correct value.

Yes, there are a couple of bugs, already fixed with 2.0.3-SNAPSHOT:
https://issues.apache.org/jira/browse/SYNCOPE-1012
https://issues.apache.org/jira/browse/SYNCOPE-1013
I think you'd better move to 2.0.3-SNAPSHOT for your tests.

Regards.

On 19/01/2017 11:22, Francesco Chicchiriccò wrote:
On 18/01/2017 14:13, Francesco Chicchiriccò wrote:
On 18/01/2017 11:59, Francesco Chicchiriccò wrote:
On 18/01/2017 11:38, Tech wrote:
Hello,
we faced something that could be a bug in version 2.0.1 and version 2.0.2.
We created a SecurityQuestion from the Admin interface and the user is prompted to enter one during the creation of his account. The SecurityQuestion is correctly stored into the DB.
We "forget" the password and we try to recover it using the interface, but we cannot reset it. This is happening both for existing and new users.
Could you please double-check?

I assume you have already checked
https://syncope.apache.org/docs/reference-guide.html#password-reset
to understand how the password reset process is expected to work.

A fundamental part for the outlined procedure to be effective is to have the notifications in place; see
https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration
for details.
After the user has provided the correct answer to the security question via EndUser UI, a notification e-mail based on the 'requestPasswordReset' template is sent; as you can see from the template, a URL for accessing the EndUser UI (containing the unique token generated for such request) is contained in the e-mail. Once clicked there, the process can continue with input of the new password value.
Finally, another notification e-mail based on the 'confirmPasswordReset' template is sent out.

FYI I have updated the password reset information with the further comments above; see
https://ci.apache.org/projects/syncope/reference-guide.html#password-reset

Regards.
Re: AnyType Role assignment to Groups
On 07/02/2017 11:55, Colm O hEigeartaigh wrote:
Hi Francesco,

On Mon, Feb 6, 2017 at 10:31 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
- OR create a condition "User U is dynamically assigned CustomRole R because he is member of Group G". I don't find the way how to define this condition in Syncope.

Only group memberships and role assignments can be static or dynamic.

Would it be possible to make this more flexible without changing a lot of code? If a user can have a UserCustomRole relationship to a CustomRole, then if the user is a member of group G then the relationship is dynamically defined between the user and CustomRole. It seems like a useful thing to be able to do to me, or is there a technical reason why it can't be done?

So, you're essentially proposing to add the possibility to specify relationships between Groups and Any Objects (at the moment, only Users / Any Objects and Any Objects / Any Objects).
The semantic should be that if group G has relationship R with Any Object A, all users and any objects in G will have such relationship with A.

It is indeed feasible, but it will require some modifications in the data model, JPA implementation, data binder and finally admin console. Something not trivial but definitely doable.
Moreover, since it involves modifications in the database structure, I would see it for 2.1.0 at earliest.

Regards.
Re: syncope-standalone maven artifact not available
On 06/02/2017 19:56, Adrian Gonzalez wrote:
Hello,
I've the impression that the syncope-standalone artifact is available only in the SNAPSHOT repo.
It's available from here: https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/
But not from here: https://repo.maven.apache.org/maven2/org/apache/syncope/syncope-standalone/
Am I missing a repo?

The release process [1] deploys to the central Maven repository only the artifacts that can be effectively used via Maven.
The standalone distribution, the Eclipse IDE Plugin, the CLI, the DEB packages and the GUI installer are instead downloadable via the ASF dist area [2], and links to ASF mirror infrastructure are provided in [3].
The SNAPSHOT repository is instead populated by our Jenkins jobs [4].

Hope this clarifies.
Regards.

[1] http://syncope.apache.org/release-process.html
[2] https://www.apache.org/dist/syncope/
[3] http://syncope.apache.org/downloads.html
[4] https://builds.apache.org/view/S-Z/view/Syncope/
Re: AnyType Role assignment to Groups
Hi Sabina,
my replies below.

Regards.

On 05/02/2017 22:29, Sabina Mirauta wrote:
Hi Syncope users,
We need to store in Syncope roles for users and groups. Since the Syncope roles are meant only for internal usage, I created an own AnyType CustomRole. I have also defined a relationship UserCustomRole and for users I am able to create UserCustomRole relationships to CustomRoles.
For usability reasons we need to assign roles to groups, so that all users from a group have a role. I don't find another way to assign the CustomRole to a Group than making the CustomRole a (static or dynamic) member of the group. I don't like the role to be member of the group; members should be only the users.

AnyType instances are given the possibility to be member of groups, as much as users.

Can someone tell me a simple and more natural way to
- assign an AnyType CustomRole to a Group without making the CustomRole member of the group

No, at least without creating any extension to the data model.

- OR create a condition "User U is dynamically assigned CustomRole R because he is member of Group G". I don't find the way how to define this condition in Syncope.

Only group memberships and role assignments can be static or dynamic.

Or maybe I can create and assign CustomRoles in Syncope in another way? Like without AnyTypes?
Detailed instructions would help me very much.
Thank you!
Sabina Mirauta
Re: Deploy MVN Syncope with Workflow
On 02/02/2017 14:27, Tech wrote:
The point is that we create a brand new database (empty), we deploy using "-P all" and for some reason the database is already filled with some test data.
We see that there are already some connectors configured, some roles and moreover some users like "Verdi", "Rossini" and "Vivaldi" that we don't understand where they are coming from.

This is the test content coming from core/src/test/resources/domains/MasterContent.xml which is normally only loaded when starting in embedded mode; in production mode (e.g. with plain build) the content from core/src/main/resources/domains/MasterContent.xml is loaded instead.
You should identify which MasterContent.xml is actually loaded when starting with an empty database, and possibly why. Normally, the test content is expected to be loaded exclusively in the in-memory H2 instance used by embedded mode.

Regards.

On 02/02/2017 12:25, Francesco Chicchiriccò wrote:
On 02/02/2017 12:21, Tech wrote:
Dear experts,
we would like to deploy syncope 2.0.2 using the workflows.
We are using this command:
* mvn -P all clean verify -Dconf.directory=/opt/syncope/conf -Dbundles.directory=/opt/syncope/bundles -Dlog.directory=/opt/syncope/log
In the
* core/src/main/resources/all/provisioning.properties
and
* core/src/main/resources/provisioning.properties
we configured
* quartz.sql=tables_mariadb.sql
and in the
* core/src/main/resources/domain/Master.properties
we configured our MariaDB, but we are still pointing to the H2, while deploying without the option "-P all" we can correctly point to our MariaDB.
Is there any other parameter that we should configure?

If you want to use, in the application deployed into the external Java EE container (for example)
core/src/main/resources/all/provisioning.properties
core/src/main/resources/all/workflow.properties
instead of
core/src/main/resources/provisioning.properties
core/src/main/resources/workflow.properties
you will need to copy
core/src/main/resources/all/provisioning.properties
core/src/main/resources/all/workflow.properties
to /opt/syncope/conf, as you have configured such directory to be the source for configuration.

HTH
Regards.
Re: Deploy MVN Syncope with Workflow
On 02/02/2017 12:21, Tech wrote:
Dear experts,
we would like to deploy syncope 2.0.2 using the workflows.
We are using this command:
* mvn -P all clean verify -Dconf.directory=/opt/syncope/conf -Dbundles.directory=/opt/syncope/bundles -Dlog.directory=/opt/syncope/log
In the
* core/src/main/resources/all/provisioning.properties
and
* core/src/main/resources/provisioning.properties
we configured
* quartz.sql=tables_mariadb.sql
and in the
* core/src/main/resources/domain/Master.properties
we configured our MariaDB, but we are still pointing to the H2, while deploying without the option "-P all" we can correctly point to our MariaDB.
Is there any other parameter that we should configure?

If you want to use, in the application deployed into the external Java EE container (for example)
core/src/main/resources/all/provisioning.properties
core/src/main/resources/all/workflow.properties
instead of
core/src/main/resources/provisioning.properties
core/src/main/resources/workflow.properties
you will need to copy
core/src/main/resources/all/provisioning.properties
core/src/main/resources/all/workflow.properties
to /opt/syncope/conf, as you have configured such directory to be the source for configuration.

HTH
Regards.
Re: Active Directory password propagation
On 30/01/2017 16:02, Tech wrote:
The value in 'password.cipher.algorithm' was SHA1.
We updated to AES, we changed again the password for the user and we tried to login again to the enduser portal. It's working, we tried to connect to AD but without success.
We realized after that the password, unlike the other fields, is not immediately propagated when changed, but it's only propagated by the scheduler.

No, this is not correct.
The password is always sent along with all other attributes, both during propagation (automated provisioning) or push (manual provisioning).
The only difference is that, since the password values are never stored as cleartext into the internal storage, the actual value is available during propagation but must be retrieved from the internal storage during push. When using AES, the encrypted value from the internal storage can be decrypted and sent to AD.

Now, there could always be some bug that prevents the push flow from correctly retrieving and sending password values: as soon as I have some available slots, I could take a look at this.

Regards.

On 30/01/2017 15:24, Francesco Chicchiriccò wrote:
On 30/01/2017 15:18, Tech wrote:
Yes, I can confirm, right in this moment we are only performing manual provisioning. This is of course not the goal, but before moving to an automatic provision of accounts we want the manual one working

What is your value for the 'password.cipher.algorithm' general configuration parameter? If not 'AES', pushing password values (as any other encrypted value) will not work anyway.
The point is that Active Directory requires cleartext password values (encrypted via ConnId's GuardedString), which are normally available only during user update, not later. This unless AES (e.g. reversible encryption) is set for internal password values.
Provisioning - via resource assignment - is part of user update, push occurs after user update.

Regards.

On 30/01/2017 15:14, Francesco Chicchiriccò wrote:
On 30/01/2017 15:11, Tech wrote:
We are associating using a manual provisioning

Do you mean that you are only relying on a push task for provisioning to AD? Could you confirm that you are *not* assigning the AD resource directly to the users, neither via group membership or template?

Here the main information:

Connector version 1.3.2
- SSL enabled
- Retrieve deleted users enabled
- Retrieve deleted groups enabled
- Trust all certs enabled
Entry object classes:
- Top
- person
- organizationalPerson
- inetOrgPerson
- user
Custom user search filter: cn=*
Root suffixes + base contexts + default people container: ou=myad,dc=test,dc=local
uidAttribute: cn
Object classes to synchronize: user

Resource:
username -> cn (remote key)
password -> __PASSWORD__ (Password)
email -> mail
fn -> givenName
ln -> sn
username -> sAMAccountName
Object link: 'CN='+username+',OU=myad,dc=test,dc=local'

Push tasks:
Active
Matching rule: Update
Unmatching rule: provision
Allow Create, update, delete, sync status

On 30/01/2017 15:01, Francesco Chicchiriccò wrote:
On 30/01/2017 14:53, Tech wrote:
This is what happens when I open the Password Manager, while when I update the password no log is generated.

This is what I suspected: you could definitely find a confirmation if you are able to verify that the user on Active Directory still has the password set during create (while on Syncope the password value was changed).
How are you associating the users to the AD resource? Directly or via group?
Could you please enlist your full connector configuration (with *all* options) and resource mapping? Screenshots will also work via http://pasteboard.co/, for example.

Regards.

13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, Attribute: {Name=__UID__, Value=[user07]}, OperationOptions: {ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) Method: getObject
13:43:57.477 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__, LdapFilter[nativeFilter: (cn=user07); entryDN: null], org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@3c72ca1f, OperationOptions: {ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) Method: executeQuery
13:43:57.478 WARN Reading passwords not supported Method: getAttributesToGet
13:43:57.478 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an LDAP attribute Method: getLdapAttribute
13:43:57.478 DEBUG Options filter: {0} null Method: getInternalSearch
13:43:57.478 DEBUG Search filter: {0} cn=* Method: getInternalSearch
13:43:57.478 DEBUG Native filter: {0} (cn=user07) Method: getInternalSearch
13:43:57.478 DEBUG Membership filter: {0} Method: getInternalSearch
13:43:57.478 DEBUG Searching in [OU=myad,DC=test,DC=local] with filter (&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(object
Re: Install Syncope
On 31/01/2017 11:39, Anas Asharat wrote:
Dear,
Kindly note I faced an error in syncope installation "core deploy failed", please check attached files for more information.

Have you verified to meet all the prerequisites?
https://syncope.apache.org/docs/getting-started.html#installer-prerequisites
In particular, about the Tomcat users under $CATALINA_HOME/conf/tomcat-users.xml

Regards.

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Tuesday, January 31, 2017 11:22 AM
To: user@syncope.apache.org
Subject: Re: Install Syncope

On 31/01/2017 10:10, Anas Asharat wrote:
Dears,
Also I have one question, can you send me the certificate sheet for syncope with OS, oracle database release, etc..

Hi,
there is no "certificate sheet"; about DBMS, you need to trust the community documentation:
http://syncope.apache.org/docs/getting-started.html#internal-storage
About OS, anything modern enough to satisfy Java / Java EE container requirements:
http://syncope.apache.org/docs/getting-started.html#java
will work.

Regards.
Re: Install Syncope
On 31/01/2017 11:09, Anas Asharat wrote:
Thank you dear,
Ok I see the document but I have a question here,
The below steps should be done before or after installation? Since there is no such file now, but I think I can find them after installation.

The steps below are due when using the Maven project (another installation method), and are automatically performed on your behalf by the GUI installer.

Oracle

jpa.driverClassName=oracle.jdbc.OracleDriver
jpa.url=jdbc:oracle:thin:@localhost:1521:orcl
jpa.username=syncope
jpa.password=syncope
jpa.dialect=org.apache.openjpa.jdbc.sql.OracleDictionary
jpa.pool.validationQuery=SELECT 1 FROM DUAL
#note: other connection pool settings can also be configured here, see persistenceContext.xml
quartz.jobstore=org.quartz.impl.jdbcjobstore.oracle.OracleDelegate
quartz.sql=tables_oracle.sql
audit.sql=audit_oracle.sql
database.schema=SYNCOPE

This assumes that you have an Oracle instance running on localhost, listening on its default port 1521 with a database syncope under tablespace SYNCOPE fully accessible by user syncope with password syncope.

You will also need to
1. create directory core/src/main/resources/META-INF
2. download the Oracle mapping file for the version you are building (1_2_X <https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob_plain;f=core/src/main/resources/META-INF/orm.xml.oracle;hb=1_2_X>, 1.1.X <https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob_plain;f=core/src/main/resources/META-INF/orm.xml.oracle;hb=refs/heads/1_1_X>, 1.0.X <https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob_plain;f=core/src/main/resources/META-INF/orm.xml.oracle;hb=refs/heads/1_0_X>)
3. rename it to orm.xml
4. and copy it under the directory created above

also what does the document mean with oracle tablespace? Does it mean the default tablespace for the user?

The tablespace in which you have created the database that Syncope will use, possibly the default for the user.

Regards.
From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Tuesday, January 31, 2017 11:22 AM
To: user@syncope.apache.org
Subject: Re: Install Syncope

On 31/01/2017 10:10, Anas Asharat wrote:
Dears,
Also I have one question, can you send me the certificate sheet for syncope with OS, oracle database release, etc..

Hi,
there is no "certificate sheet"; about DBMS, you need to trust the community documentation:
http://syncope.apache.org/docs/getting-started.html#internal-storage
About OS, anything modern enough to satisfy Java / Java EE container requirements:
http://syncope.apache.org/docs/getting-started.html#java
will work.

Regards
Re: Install Syncope
On 31/01/2017 10:10, Anas Asharat wrote:
Dears,
Also I have one question, can you send me the certificate sheet for syncope with OS, oracle database release, etc..

Hi,
there is no "certificate sheet"; about DBMS, you need to trust the community documentation:
http://syncope.apache.org/docs/getting-started.html#internal-storage
About OS, anything modern enough to satisfy Java / Java EE container requirements:
http://syncope.apache.org/docs/getting-started.html#java
will work.

Regards.
Re: Install Syncope
On 31/01/2017 10:02, Anas Asharat wrote:
Dears,
Thanks for your reply, but really it is still not working.
In the installation document I see 3 approaches for installation:

1- Stand alone
http://syncope.apache.org/docs/getting-started.html#standalone

As the doc says, "Not meant for any production environment."

2- Debian packages
http://syncope.apache.org/docs/getting-started.html#debian-packages

This is bound to Debian / Ubuntu and PostgreSQL, no Oracle.

3- GUI Installer
http://syncope.apache.org/docs/getting-started.html#gui-installer

As the doc says, "Getting up and running quickly on any supported DBMS and Java EE container, independently from the underlying operating system." So, this supports Oracle.

Which one can be configured with oracle database, and which one can be used for production environment?

Out of the 3 above, the last one (GUI Installer).

I need one clear document for all installation steps, am still confused with installation.

I hope that the indications above make things a bit more clear.

Regards.

From: Marco Di Sabatino Di Diodoro [mailto:marco.disabat...@tirasa.net]
Sent: Monday, January 30, 2017 6:24 PM
To: user@syncope.apache.org
Subject: Re: Install Syncope

Hi,

On 30/01/2017 16:45, Anas Asharat wrote:
Dears,
I hope my email finds you well.
Am new with Syncope, I tried to install Syncope 2.0.1 with oracle database, I face installation failure every time I tried to install the application.
Can you help me or give a document with installing syncope with oracle database?

You're looking at the old guide (Syncope 1.2). If you're using Apache Syncope 2.0.1 you can find the documentation here [1]
To install Syncope with Oracle take a look at the reference guide [2].

Regards
M

[1] https://syncope.apache.org/docs/
[2] https://syncope.apache.org/docs/reference-guide.html#oracle-database

I used the below document:
https://syncope.apache.org/downloads.html
https://cwiki.apache.org/confluence/display/SYNCOPE/Install+Syncope+from+installer
[ANN] Apache Syncope 2.0.2 released
The Apache Syncope team is pleased to announce the release of Syncope 2.0.2.

Apache Syncope is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
http://syncope.apache.org/downloads.html

The full change log is available here:
https://s.apache.org/syncope202

We welcome your help and feedback. For more information on how to report problems, and to get involved, visit the project website at
http://syncope.apache.org/

The Apache Syncope Team
Re: Active Directory password propagation
On 30/01/2017 15:18, Tech wrote:
Yes, I can confirm, right in this moment we are only performing manual provisioning. This is of course not the goal, but before moving to an automatic provision of accounts we want the manual one working

What is your value for the 'password.cipher.algorithm' general configuration parameter? If not 'AES', pushing password values (as any other encrypted value) will not work anyway.
The point is that Active Directory requires cleartext password values (encrypted via ConnId's GuardedString), which are normally available only during user update, not later. This unless AES (e.g. reversible encryption) is set for internal password values.
Provisioning - via resource assignment - is part of user update, push occurs after user update.

Regards.

On 30/01/2017 15:14, Francesco Chicchiriccò wrote:
On 30/01/2017 15:11, Tech wrote:
We are associating using a manual provisioning

Do you mean that you are only relying on a push task for provisioning to AD? Could you confirm that you are *not* assigning the AD resource directly to the users, neither via group membership or template?

Here the main information:

Connector version 1.3.2
- SSL enabled
- Retrieve deleted users enabled
- Retrieve deleted groups enabled
- Trust all certs enabled
Entry object classes:
- Top
- person
- organizationalPerson
- inetOrgPerson
- user
Custom user search filter: cn=*
Root suffixes + base contexts + default people container: ou=myad,dc=test,dc=local
uidAttribute: cn
Object classes to synchronize: user

Resource:
username -> cn (remote key)
password -> __PASSWORD__ (Password)
email -> mail
fn -> givenName
ln -> sn
username -> sAMAccountName
Object link: 'CN='+username+',OU=myad,dc=test,dc=local'

Push tasks:
Active
Matching rule: Update
Unmatching rule: provision
Allow Create, update, delete, sync status

On 30/01/2017 15:01, Francesco Chicchiriccò wrote:
On 30/01/2017 14:53, Tech wrote:
This is what happens when I open the Password Manager, while when I update the password no log is generated.

This is what I suspected: you could definitely find a confirmation if you are able to verify that the user on Active Directory still has the password set during create (while on Syncope the password value was changed).
How are you associating the users to the AD resource? Directly or via group?
Could you please enlist your full connector configuration (with *all* options) and resource mapping? Screenshots will also work via http://pasteboard.co/, for example.

Regards.

13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, Attribute: {Name=__UID__, Value=[user07]}, OperationOptions: {ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) Method: getObject
13:43:57.477 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__, LdapFilter[nativeFilter: (cn=user07); entryDN: null], org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@3c72ca1f, OperationOptions: {ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) Method: executeQuery
13:43:57.478 WARN Reading passwords not supported Method: getAttributesToGet
13:43:57.478 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an LDAP attribute Method: getLdapAttribute
13:43:57.478 DEBUG Options filter: {0} null Method: getInternalSearch
13:43:57.478 DEBUG Search filter: {0} cn=* Method: getInternalSearch
13:43:57.478 DEBUG Native filter: {0} (cn=user07) Method: getInternalSearch
13:43:57.478 DEBUG Membership filter: {0} Method: getInternalSearch
13:43:57.478 DEBUG Searching in [OU=myad,DC=test,DC=local] with filter (&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))(cn=user07)(cn=*)) and SearchControls: {returningAttributes=[cn, entryDN, givenName, mail, sAMAccountName, sn, unicodePwd, userAccountControl], scope=SUBTREE} Method: doSearch
13:43:57.479 DEBUG User Account Control: 512 Method: createConnectorObject
13:43:57.479 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=__PASSWORD__, Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, Attribute: {Name=userAccountControl, Value=[512]}, Attribute: {Name=sAMAccountName, Value=[user07]}, Attribute: {Name=mail, Value=[user07@test.local]}, Attribute: {Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn, Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, Attribute: {Name=__UID__, Value=[user07]}, Attribute: {Name=__ENABLE__, Value=[true]}, Attribute: {Name=givenName, Value=[ofn07updated]}], Name=Attribute: {Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}} Method: handle
13:43:57.479 DEBUG Return: false Method: handle
13:43:57.479 DEBUG Return Method: executeQuery
13:43
Re: Active Directory password propagation
On 30/01/2017 15:11, Tech wrote:
> We are associating using a manual provisioning

Do you mean that you are only relying on a push task for provisioning to AD?
Could you confirm that you are *not* assigning the AD resource directly to the users, nor via group membership or template?

> Here the main information:
>
> Connector version 1.3.2
> - SSL enabled
> - Retrieve deleted users enabled
> - Retrieve deleted groups enabled
> - Trust all certs enabled
>
> Entry object classes:
> - Top
> - person
> - organizationalPerson
> - inetOrgPerson
> - user
>
> Custom user search filter: cn=*
> Root suffixes + base contexts + default people container: ou=myad,dc=test,dc=local
> uidAttribute: cn
> Object classes to synchronize: user
>
> Resource:
> username -> cn (remote key)
> password -> __PASSWORD__ (Password)
> email -> mail
> fn -> givenName
> ln -> sn
> username -> sAMAccountName
> Object link: 'CN='+username+',OU=myad,dc=test,dc=local'
>
> Push tasks: Active
> Matching rule: Update
> Unmatching rule: provision
> Allow Create, update, delete, sync status
>
> On 30/01/2017 15:01, Francesco Chicchiriccò wrote:
>> On 30/01/2017 14:53, Tech wrote:
>>> This is what happens when I open the Password Manager, while when I update the password no log is generated.
>>
>> This is what I suspected: you could definitely find a confirmation if you are able to verify that the user on Active Directory still has the password set during create (while on Syncope the password value was changed).
>>
>> How are you associating the users to the AD resource? Directly or via group?
>>
>> Could you please enlist your full connector configuration (with *all* options) and resource mapping? Screenshots will also work via http://pasteboard.co/, for example.
>>
>> Regards.
>>
>>> 13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, Attribute: {Name=__UID__, Value=[user07]}, OperationOptions: {ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) Method: getObject
>>> 13:43:57.477 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__, LdapFilter[nativeFilter: (cn=user07); entryDN: null], org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@3c72ca1f, OperationOptions: {ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) Method: executeQuery
>>> 13:43:57.478 WARN Reading passwords not supported Method: getAttributesToGet
>>> 13:43:57.478 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an LDAP attribute Method: getLdapAttribute
>>> 13:43:57.478 DEBUG Options filter: {0} null Method: getInternalSearch
>>> 13:43:57.478 DEBUG Search filter: {0} cn=* Method: getInternalSearch
>>> 13:43:57.478 DEBUG Native filter: {0} (cn=user07) Method: getInternalSearch
>>> 13:43:57.478 DEBUG Membership filter: {0} Method: getInternalSearch
>>> 13:43:57.478 DEBUG Searching in [OU=myad,DC=test,DC=local] with filter (&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))(cn=user07)(cn=*)) and SearchControls: {returningAttributes=[cn, entryDN, givenName, mail, sAMAccountName, sn, unicodePwd, userAccountControl], scope=SUBTREE} Method: doSearch
>>> 13:43:57.479 DEBUG User Account Control: 512 Method: createConnectorObject
>>> 13:43:57.479 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=__PASSWORD__, Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, Attribute: {Name=userAccountControl, Value=[512]}, Attribute: {Name=sAMAccountName, Value=[user07]}, Attribute: {Name=mail, Value=[user07@test.local]}, Attribute: {Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn, Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, Attribute: {Name=__UID__, Value=[user07]}, Attribute: {Name=__ENABLE__, Value=[true]}, Attribute: {Name=givenName, Value=[ofn07updated]}], Name=Attribute: {Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}} Method: handle
>>> 13:43:57.479 DEBUG Return: false Method: handle
>>> 13:43:57.479 DEBUG Return Method: executeQuery
>>> 13:43:57.480 DEBUG Return: {Uid=Attribute: {Name=__UID__, Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=__PASSWORD__, Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, Attribute: {Name=sAMAccountName, Value=[user07]}, Attribute: {Name=mail, Value=[user07@test.local]}, Attribute: {Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn, Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, Attribute: {Name=__UID__, Value=[user07]}, Attribute: {Name=__ENABLE__, Value=[true]}, Attribute: {Name=givenName, Value=[ofn07updated]}], Name=Attribute: {Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}} Method: getObject
>>>
>>> On 30/01/2017 14:36, Francesco Chicchiriccò wrote:
>>>> On 30/01/2017 12:34, Tech wrote:
>>>>> When we create the user we are able
Re: Active Directory password propagation
On 30/01/2017 14:53, Tech wrote:
> This is what happens when I open the Password Manager, while when I update the password no log is generated.

This is what I suspected: you could definitely find a confirmation if you are able to verify that the user on Active Directory still has the password set during create (while on Syncope the password value was changed).

How are you associating the users to the AD resource? Directly or via group?

Could you please enlist your full connector configuration (with *all* options) and resource mapping? Screenshots will also work via http://pasteboard.co/, for example.

Regards.

> 13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, Attribute: {Name=__UID__, Value=[user07]}, OperationOptions: {ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) Method: getObject
> 13:43:57.477 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__, LdapFilter[nativeFilter: (cn=user07); entryDN: null], org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@3c72ca1f, OperationOptions: {ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) Method: executeQuery
> 13:43:57.478 WARN Reading passwords not supported Method: getAttributesToGet
> 13:43:57.478 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an LDAP attribute Method: getLdapAttribute
> 13:43:57.478 DEBUG Options filter: {0} null Method: getInternalSearch
> 13:43:57.478 DEBUG Search filter: {0} cn=* Method: getInternalSearch
> 13:43:57.478 DEBUG Native filter: {0} (cn=user07) Method: getInternalSearch
> 13:43:57.478 DEBUG Membership filter: {0} Method: getInternalSearch
> 13:43:57.478 DEBUG Searching in [OU=myad,DC=test,DC=local] with filter (&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))(cn=user07)(cn=*)) and SearchControls: {returningAttributes=[cn, entryDN, givenName, mail, sAMAccountName, sn, unicodePwd, userAccountControl], scope=SUBTREE} Method: doSearch
> 13:43:57.479 DEBUG User Account Control: 512 Method: createConnectorObject
> 13:43:57.479 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=__PASSWORD__, Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, Attribute: {Name=userAccountControl, Value=[512]}, Attribute: {Name=sAMAccountName, Value=[user07]}, Attribute: {Name=mail, Value=[user07@test.local]}, Attribute: {Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn, Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, Attribute: {Name=__UID__, Value=[user07]}, Attribute: {Name=__ENABLE__, Value=[true]}, Attribute: {Name=givenName, Value=[ofn07updated]}], Name=Attribute: {Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}} Method: handle
> 13:43:57.479 DEBUG Return: false Method: handle
> 13:43:57.479 DEBUG Return Method: executeQuery
> 13:43:57.480 DEBUG Return: {Uid=Attribute: {Name=__UID__, Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=__PASSWORD__, Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, Attribute: {Name=sAMAccountName, Value=[user07]}, Attribute: {Name=mail, Value=[user07@test.local]}, Attribute: {Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn, Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, Attribute: {Name=__UID__, Value=[user07]}, Attribute: {Name=__ENABLE__, Value=[true]}, Attribute: {Name=givenName, Value=[ofn07updated]}], Name=Attribute: {Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}} Method: getObject
>
> On 30/01/2017 14:36, Francesco Chicchiriccò wrote:
>> On 30/01/2017 12:34, Tech wrote:
>>> When we create the user we are able to initialize the correct password; connecting to the target system we can verify that Syncope did its job.
>>>
>>> If the Admin tries to reset the password from the console, or if the user tries to change his password from the enduser interface, the password is still correctly updated into Syncope, but it's not propagated to AD, therefore the user will be able to login only using the old password.
>>
>> Hi,
>> I am not completely familiar with AD password management internals, but I would examine what Syncope is actually sending to AD by watching the core-connid.log file both when creating a new user and when updating an existing user, to determine if Syncope is effectively sending the updated password to AD during the latter phase.
>>
>> Regards.
>>
>>> On 30/01/2017 12:28, Tech wrote:
>>>> I'm not sure about this step. As mentioned we can already propagate changes as "email", "first name" and "last name". The AD user that we are using is able to change the passwords of other AD users, create, update and delete other users. I think that there is an additional step t
Re: Active Directory password propagation
On 30/01/2017 12:34, Tech wrote:
> When we create the user we are able to initialize the correct password; connecting to the target system we can verify that Syncope did its job.
>
> If the Admin tries to reset the password from the console, or if the user tries to change his password from the enduser interface, the password is still correctly updated into Syncope, but it's not propagated to AD, therefore the user will be able to login only using the old password.

Hi,
I am not completely familiar with AD password management internals, but I would examine what Syncope is actually sending to AD by watching the core-connid.log file both when creating a new user and when updating an existing user, to determine if Syncope is effectively sending the updated password to AD during the latter phase.

Regards.

> On 30/01/2017 12:28, Tech wrote:
>> I'm not sure about this step. As mentioned we can already propagate changes as "email", "first name" and "last name". The AD user that we are using is able to change the passwords of other AD users, create, update and delete other users. I think that there is an additional step that was not performed in Syncope.
>>
>> On 27/01/2017 16:32, Fabio Martelli wrote:
>>> On 27/01/2017 15:53, Tech wrote:
>>>> Yes, we are connecting via SSL. We know that the connection is working because we are still able to propagate user modifications like firstname and lastname. We can change the password and internally it is working, but it's not propagated to AD.
>>>
>>> When you performed the change password by using the administration console, did you select the AD resource in the list provided after the password fields?
>>> Are you sure that the user principal configured to perform updates into AD owns all the needed entitlements?
>>>
>>>> On 27/01/2017 15:42, Fabio Martelli wrote:
>>>>> Hi, find my comment in-line.
>>>>> Regards,
>>>>> F.
>>>>>
>>>>> On 27/01/2017 12:12, Tech wrote:
>>>>>> Hello,
>>>>>> we are working on the password propagation using the AD connector.
>>>>>> We are able to check the connectivity both using plain and SSL, we are able to create new users and to update information like email, first name and last name.
>>>>>> We edit the connector:
>>>>>> * We check SSL
>>>>>> * we change the Server port to 636
>>>>>> * We enable Trust all certs
>>>>>> We run again some modifications and the first name and last name are still updated.
>>>>>> We try now to change the password, both from user and admin interface. The user can correctly access Syncope using the new credentials, while we detect that the password is not correctly propagated to the target system.
>>>>>
>>>>> Do you mean that you can still access with the previous one?
>>>>> Please note that you can change password by working in SSL only [1].
>>>>>
>>>>> Regards,
>>>>> F.
>>>>>
>>>>> [1] https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482#ActiveDirectory(JNDI)-Configuration

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
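The advice in this thread is to read core-connid.log and check whether the propagation towards AD actually carries the updated password. The script below is an added example, not code from the thread, from Syncope or from ConnId: it parses records in the layout of the excerpt Tech posted (the sample is constructed from that excerpt, with an assumed update() record appended so there is a propagation to inspect), lists the connector warnings, reports whether any update() carried __PASSWORD__, and flags any record where a password value is not a GuardedString reference, which would mean a cleartext password reached the log file.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the core-connid.log excerpt quoted in this thread.
# The getObject/WARN/Return records mirror the excerpt; the trailing update()
# record is an assumption added for the example (it carries sn and givenName
# but no __PASSWORD__, i.e. the symptom discussed in the thread).
SAMPLE_LOG = """\
13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, Attribute: {Name=__UID__, Value=[user07]}, OperationOptions: {ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) Method: getObject
13:43:57.478 WARN Reading passwords not supported Method: getAttributesToGet
13:43:57.478 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an LDAP attribute Method: getLdapAttribute
13:43:57.480 DEBUG Return: {Uid=Attribute: {Name=__UID__, Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=__PASSWORD__, Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, Attribute: {Name=sn, Value=[oln07updated]}]} Method: getObject
13:44:02.101 DEBUG Enter: update(ObjectClass: __ACCOUNT__, Attribute: {Name=__UID__, Value=[user07]}, [Attribute: {Name=sn, Value=[oln07updated]}, Attribute: {Name=givenName, Value=[ofn07updated]}], OperationOptions: {}) Method: update
"""

# Constructed record for the failure mode the leak check looks for: a
# connector writing the password value itself instead of a GuardedString.
LEAKY_RECORD = (
    "13:45:00.000 DEBUG Enter: update(ObjectClass: __ACCOUNT__, "
    "Attribute: {Name=__UID__, Value=[user07]}, "
    "[Attribute: {Name=__PASSWORD__, Value=[hunter2]}], OperationOptions: {}) Method: update"
)

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>[A-Z]+) (?P<msg>.*?)"
    r"(?: ?Method: (?P<method>\w+))?$"
)
ENTER_RE = re.compile(r"^Enter: (?P<op>\w+)\(")
ATTR_RE = re.compile(r"Name=(?P<name>\w+), Value=\[(?P<value>[^\]]*)\]")
GUARDED_PREFIX = "org.identityconnectors.common.security.GuardedString@"


@dataclass
class LogRecord:
    time: str
    level: str
    msg: str
    method: Optional[str]

    def operation(self) -> Optional[str]:
        """ConnId operation name for an 'Enter: op(...)' record, else None."""
        m = ENTER_RE.match(self.msg)
        return m.group("op") if m else None

    def attributes(self) -> Dict[str, str]:
        """Attribute name -> logged value for every 'Name=..., Value=[...]' pair."""
        return {m.group("name"): m.group("value") for m in ATTR_RE.finditer(self.msg)}


def parse_connid_log(text: str) -> List[LogRecord]:
    """Split a core-connid.log excerpt into records; lines that do not start
    with a timestamp (wrapped continuation lines) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(LogRecord(m["time"], m["level"], m["msg"], m["method"]))
    return records


def diagnose(text: str) -> Dict[str, object]:
    """Answer the questions raised in the thread: what did the connector warn
    about, did any update() towards the resource carry __PASSWORD__, and did a
    password value ever reach the log unguarded."""
    records = parse_connid_log(text)
    updates = [r for r in records if r.operation() == "update"]
    return {
        "warnings": [r.msg for r in records if r.level == "WARN"],
        "update_ops": len(updates),
        "password_sent_on_update": any("__PASSWORD__" in r.attributes() for r in updates),
        "cleartext_password_records": [
            r.time for r in records
            if "__PASSWORD__" in r.attributes()
            and not r.attributes()["__PASSWORD__"].startswith(GUARDED_PREFIX)
        ],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real file, a `password_sent_on_update` of False for an update that followed a password change is the confirmation Francesco asks for; the "Reading passwords not supported" warning on getObject is expected, since AD never returns unicodePwd, and is not by itself evidence either way.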
Re: CSVDir pull connector challenge
On 24/01/2017 10:56, Martin van Es wrote:
> On Tue, Jan 24, 2017 at 10:03 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>> So, you suggest I turn to Connid now for my functional issues with CSVDir?
>>
>> I would first clarify if there is something wrong ongoing (as suggested above), then possibly report to ConnId.
>
> I was referring to the required explicit __NAME__ or __UID__ remote key mapping to make CSVDir actually work in Syncope and/or the absence of a selectable key attribute when configuring the mapping.

Ah ok, sure, why not.

Regards.
Re: CSVDir pull connector challenge
On 23/01/2017 17:46, Martin van Es wrote:
> On Mon, Jan 23, 2017 at 4:36 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>> but essentially, the "mandatory condition" can be specified both at Schema level (hence value(s) must be provided globally) or at mapping level (hence value(s) must be provided when provisioning to / from that external resource).
>
> Ok, that's clear. But that doesn't explain why email wouldn't propagate from my CSVDir source into Syncope when the mandatory flag was false?

You need to look at core-connid.log and the propagation task(s) generated for the given user(s) in order to have a better view of what is actually happening.

>> Anyway, as commented there, the real issue is only about the failure to report the error message to Admin UI; the rest is about the way the ConnId CSVDir bundle works, so not any Syncope issue.
>
> So, you suggest I turn to Connid now for my functional issues with CSVDir?

I would first clarify if there is something wrong ongoing (as suggested above), then possibly report to ConnId.

Regards.
Re: CSVDir pull connector challenge
On 23/01/2017 15:35, Martin van Es wrote:
> On Mon, Jan 23, 2017 at 1:47 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>> I can't select target columns that are designated for key, status and delete by the connector. Is this by-design?
>>
>> I think it is somewhat by design, but I am not sure it is for good; for the moment, please use:
>> * __NAME__ as value for key column
>> * __ENABLE__ as value for status column (you should not need to provide a mapping for this, though, as it is done automatically)
>
> Well that's contradictory to the error I reported (Unable to find property: 'connObjectKeyValidation') but using your hint I am now able to harvest accounts from the csv file, thx.
>
> Another thing I noticed: I need to make the email attribute mandatory for it to appear in the provisioned user, while my assumption was that it would provision email when available, but not break on absence? The status attribute behaves differently (status false is correctly updated to suspended and vice versa) while the status -> __ENABLE__ mandatory field is set to false.

I invite you to read the details from https://syncope.apache.org/docs/reference-guide.html#mapping but essentially, the "mandatory condition" can be specified both at Schema level (hence value(s) must be provided globally) or at mapping level (hence value(s) must be provided when provisioning to / from that external resource).

As an example, this simply means that Syncope refuses to send out propagations to the CSVDir connector if email is not provided and the mapping mandatory condition is set to 'true'.
When the mapping mandatory condition is set to 'false', instead, Syncope won't raise any error before propagating to the CSVDir connector if email is not provided. What happens in the connector, in such case, depends on the connector bundle implementation.

>> I am able to replicate your error, please file an issue for this.
>
> https://issues.apache.org/jira/browse/SYNCOPE-1000 (HA! 1000 is mine ;)

Nice catch :-)

Anyway, as commented there, the real issue is only about the failure to report the error message to Admin UI; the rest is about the way the ConnId CSVDir bundle works, so not any Syncope issue.

Regards.
Re: CSVDir pull connector challenge
On 23/01/2017 13:30, Martin van Es wrote:
> Hi,
>
> Finally, I've taken the time and went ahead (re)installing Syncope to try and play with 2.0. First: it's a nice improvement (on the admin interface). Well done!

Thanks! :-)
Also glad for your enduring interest in Apache Syncope.

> I've (re)created my test LDAP connector and am able to provision/activate/enable/disable users and groups/groupMembership from the admin console.
>
> Now I'd like to emulate an authoritative source connector (e.g. HR) from the CSVDir connector. I supply five columns in this file called id, email, sn, status and delete. I inserted a header line designating these columns and exactly one test account as 2nd line. Values are separated by commas.
>
> I created the connector and resource to follow the column names/order in my file, but when I try to set up user provision rules, two things surprise me:
>
> I can't select target columns that are designated for key, status and delete by the connector. Is this by-design?

As far as I can read from the class implementing the ConnId SCHEMA operation (e.g. the one that is used to populate the Admin UI autocomplete text fields):

https://github.com/Tirasa/ConnIdCSVDirBundle/blob/master/src/main/java/net/tirasa/connid/bundles/csvdir/methods/CSVDirSchema.java#L65

I think it is somewhat by design, but I am not sure it is for good; for the moment, please use:

* __NAME__ as value for key column
* __ENABLE__ as value for status column (you should not need to provide a mapping for this, though, as it is done automatically)

The delete column seems to be reserved for internal usage.

> Second, when I finish the provisioning rules (mapping surname to sn and email to email, because that's all that's available on target) by clicking "Save" in the last dialog, Syncope fails with error:
>
> "Unable to find property: 'connObjectKeyValidation'. Locale: null, style: null"

The message you should get is "There must be exactly one AccountId", which is anyway bad as 'AccountId' (up to 1_2_X) is now (from 2_0_X) ConnObjectKey instead. It complains that there must be exactly one mapping flagged as 'Remote key'.

I am able to replicate your error, please file an issue for this.

Regards.
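To make the mandatory-condition semantics from the two replies above concrete (a non-mandatory mapping item is simply left out when the source row has no value; a mandatory one stops the row with an error), here is an added toy pull over a CSV in the layout Martin describes. This is illustrative code written for this page, not the ConnId CSVDir bundle and not Syncope's mapping engine: the column roles (key, status, delete), the MappingItem model and the sample rows are all constructed for the example.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout described in the thread: a header line with
# the columns id,email,sn,status,delete, comma separated, then one row per account.
# user02 has no email, user03 is flagged for deletion.
SAMPLE_CSV = """\
id,email,sn,status,delete
user01,user01@example.test,Smith,true,false
user02,,Jones,false,false
user03,user03@example.test,Brown,true,true
"""


@dataclass(frozen=True)
class MappingItem:
    """One line of a resource mapping (hypothetical model for this example)."""
    ext_attr: str            # column on the CSVDir resource
    int_attr: str            # attribute on the Syncope side
    mandatory: bool = False  # the mapping-level "mandatory condition"


class MandatoryConditionError(ValueError):
    """Raised when a mandatory mapping item has no value for a row."""


def pull_csvdir(text: str, key_column: str, status_column: str,
                delete_column: str, mapping: List[MappingItem]) -> List[Dict[str, object]]:
    """Toy pull: the key column becomes __NAME__, the status column __ENABLE__,
    rows whose delete column is true are skipped, and every other column goes
    through the mapping, honouring each item's mandatory condition."""
    objects: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(text)):
        if row[delete_column].strip().lower() == "true":
            continue
        obj: Dict[str, object] = {
            "__NAME__": row[key_column].strip(),
            "__ENABLE__": row[status_column].strip().lower() == "true",
        }
        for item in mapping:
            value = (row.get(item.ext_attr) or "").strip()
            if value:
                obj[item.int_attr] = value
            elif item.mandatory:
                raise MandatoryConditionError(
                    f"{item.int_attr} is mandatory but row {obj['__NAME__']} has no {item.ext_attr}")
            # non-mandatory and absent: the attribute is simply not set
        objects.append(obj)
    return objects


# Two mappings differing only in the mandatory condition on email.
OPTIONAL_EMAIL = [MappingItem("email", "email"), MappingItem("sn", "surname")]
MANDATORY_EMAIL = [MappingItem("email", "email", mandatory=True), MappingItem("sn", "surname")]

if __name__ == "__main__":
    for obj in pull_csvdir(SAMPLE_CSV, "id", "status", "delete", OPTIONAL_EMAIL):
        print(obj)
    try:
        pull_csvdir(SAMPLE_CSV, "id", "status", "delete", MANDATORY_EMAIL)
    except MandatoryConditionError as err:
        print("refused:", err)
```

With the optional mapping user02 is pulled without an email attribute and with __ENABLE__ false (the suspended state Martin observed); with the mandatory mapping the same row is refused outright, which is the behaviour the "mandatory condition" is for.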
Re: Password reset procedure from enduser interface
On 18/01/2017 14:13, Francesco Chicchiriccò wrote:
> On 18/01/2017 11:59, Francesco Chicchiriccò wrote:
>> On 18/01/2017 11:38, Tech wrote:
>>> Hello,
>>> we faced something that could be a bug in version 2.0.1 and version 2.0.2.
>>> We created a SecurityQuestion from the Admin interface and the user is prompted to enter one during the creation of his account. The SecurityQuestion is correctly stored into the DB.
>>> We "forget" the password and we try to recover it using the interface, but we cannot reset it. This is happening both for existing and new users.
>>> Could you please double-check?
>>
>> I assume you have already checked https://syncope.apache.org/docs/reference-guide.html#password-reset to understand how the password reset process is expected to work.
>
> A fundamental part for the outlined procedure to be effective is to have the notifications in place; see https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration for details.
>
> After the user has provided the correct answer to the security question via the EndUser UI, a notification e-mail based on the 'requestPasswordReset' template is sent; as you can see from the template, a URL for accessing the EndUser UI (containing the unique token generated for such request) is contained in the e-mail.
> Once clicked there, the process can continue with input of the new password value.
> Finally, another notification e-mail based on the 'confirmPasswordReset' template is sent out.

FYI I have updated the password reset information with the further comments above; see https://ci.apache.org/projects/syncope/reference-guide.html#password-reset

Regards.
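The flow described above (answer to the security question, a unique token mailed as a URL to the EndUser UI, then the new password) can be sketched as a small service. This is an added illustration of the security properties such a flow needs, not Syncope's implementation: the reset URL, the token lifetime, the hashing parameters and the in-memory storage are assumptions, and the `outbox` list stands in for the 'requestPasswordReset' and 'confirmPasswordReset' notifications.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumptions for this illustration; none of these values come from Syncope.
ENDUSER_RESET_URL = "https://enduser.example.test/app/#!/reset?token="  # placeholder
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def _derive(secret: str, salt: str) -> str:
    """Salted PBKDF2-SHA256, used for both passwords and security answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), PBKDF2_ROUNDS).hex()


def _normalise_answer(answer: str) -> str:
    # answers are compared case-insensitively and with whitespace collapsed
    return " ".join(answer.split()).lower()


def _token_key(token: str) -> str:
    # only a hash of the token is stored, so a leaked table cannot be replayed
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class User:
    username: str
    salt: str
    password_hash: str
    answer_hash: str  # hash of the security-question answer, never the answer itself


def make_user(username: str, password: str, answer: str) -> User:
    salt = secrets.token_hex(16)
    return User(username, salt, _derive(password, salt), _derive(_normalise_answer(answer), salt))


@dataclass
class ResetRequest:
    username: str
    expires_at: float


class PasswordResetService:
    """Security question -> single-use, expiring token mailed as a URL -> new password."""

    def __init__(self, users: List[User], now: Callable[[], float] = time.time) -> None:
        self.users = {u.username: u for u in users}
        self.now = now
        self.pending: Dict[str, ResetRequest] = {}  # keyed by hash of the token
        self.outbox: List[str] = []                  # stands in for the notification e-mails
        self._dummy_salt = secrets.token_hex(16)

    def request_reset(self, username: str, answer: str) -> bool:
        """Step 1: check the answer and, on success, mail a token URL. Unknown user
        and wrong answer give the same result and cost, so usernames are not enumerable."""
        user = self.users.get(username)
        if user is None:
            _derive(_normalise_answer(answer), self._dummy_salt)  # same work as a real check
            return False
        if not hmac.compare_digest(user.answer_hash, _derive(_normalise_answer(answer), user.salt)):
            return False
        token = secrets.token_urlsafe(32)
        self.pending[_token_key(token)] = ResetRequest(username, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append(f"requestPasswordReset to {username}: {ENDUSER_RESET_URL}{token}")
        return True

    def confirm_reset(self, token: str, new_password: str) -> bool:
        """Step 2: redeem the token from the mailed URL exactly once, before it expires."""
        request = self.pending.pop(_token_key(token), None)  # pop: a token is single-use
        if request is None or request.expires_at < self.now():
            return False
        user = self.users[request.username]
        user.password_hash = _derive(new_password, user.salt)
        self.outbox.append(f"confirmPasswordReset to {user.username}")
        return True

    def verify_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(user.password_hash, _derive(password, user.salt))
```

The point Francesco makes is visible in the shape of the code: the token never leaves the service except inside the notification, so if e-mail is not configured the user can answer the question correctly and still never reach step 2, which is exactly the symptom Tech reported.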
Re: Date format on user self-registration
On 18/01/2017 12:01, Francesco Chicchiriccò wrote:
> On 18/01/2017 11:34, Tech wrote:
>> Hello,
>> thanks, in the version 2.0.2 the Date is working correctly.
>
> Please be aware that there is no 2.0.2 yet, only 2.0.2-SNAPSHOT, which is the ongoing work that will eventually bring the official 2.0.2.
>
> The instructions I gave you below are for backporting the fix in 2.0.2-SNAPSHOT into your local project based on 2.0.1.
> I assume something went wrong in this process; I will update my reference project at https://github.com/Tirasa/syncopeOnJBoss with such backport as soon as I get some spare time, maybe this could help you.

FYI, I have just upgraded the reference project above (all the 2.0 branches, e.g. master, MariaDB_ContainerDataSource and MariaDB_ApplicationDataSource) with the fix for SYNCOPE-992.

After building and new deployment to Wildfly, I have created two plain schemas and added them to the BaseUser class (via Admin Console):

1. 'sample date' with conversion pattern '-MM-dd'
2. 'sample date and time' with conversion pattern '-MM-dd'T'HH:mm:ss.SSSZ'

Then I performed a self registration via EndUser and provided values for the two date attributes just created.
As expected, the values were correctly reported both by the Admin Console and by the EndUser UI.

HTH
Regards.

> On 18/01/2017 10:31, Francesco Chicchiriccò wrote:
>> On 18/01/2017 10:23, Tech wrote:
>>> Hello,
>>> we created the new java files as requested, we modified the dynamicPlainAttribute.js, but we didn't resolve the situation yet.
>>> We tried two scenarios: the first with an existing user that needs to enter the date field where before it was empty, the second with a brand new user who enters the information for the first time, but also in this case the date is not saved into the system.
>>> Could you please double check?
>>
>> Hi,
>> I have just tried locally and it worked as expected; you could also try yourself with our public demo at
>>
>> http://syncope-vm.apache.org:9080/syncope-console/
>> http://syncope-vm.apache.org:9080/syncope-enduser/
>>
>> The version deployed there is the latest 2.0.2-SNAPSHOT.
>>
>> Regards.
>>
>> On 13/01/2017 11:58, Francesco Chicchiriccò wrote:
>>> On 2017-01-12 14:50 (+0100), Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>>> On 12/01/2017 14:27, Tech wrote:
>>>>> Dear experts,
>>>>> We added the date as custom field, we added it to the BaseUser class and afterwards we added it to the USER schema.
>>>>> During the self registration we are able to display the field, which is correctly displayed as Date (we can also see the calendar button). We can complete the registration procedure, but the information is not stored into the Database.
>>>>> We modified the Conversion-Pattern using -MM-dd, but this changes only the way the data is displayed in the interface; we still can't store the information into the database.
>>>>
>>>> Hi,
>>>> it seems you've spotted a bug in the Enduser UI; I have just performed the following steps:
>>>>
>>>> 1. from Admin UI, create new Date schema with conversion pattern '-MM-dd' and added to the base type for USER
>>>> 2. perform self-registration via Enduser UI, provided a value for the new Date attribute
>>>> 3. open the new user from Admin UI, no value found for the new Date attribute
>>>>
>>>> So, the bug is confirmed. Moreover, I also did:
>>>>
>>>> 4. from Admin UI, set a value for the new Date attribute on the new user
>>>> 5. log into the Enduser UI as the new user, see the value set from Admin UI, then update the Date schema with a new value
>>>> 6. from Admin UI, see the new value as provided via Enduser UI
>>>>
>>>> Hence the bug seems to occur only during self-registration.
>>>>
>>>> Would you mind opening an issue on https://issues.apache.org/jira/browse/SYNCOPE/ ?
>>>
>>> Hi,
>>> I have just committed a fix for SYNCOPE-992 (the issue you've opened as requested above, thx).
>>>
>>> Such fix will be available with the release of Apache Syncope 2.0.2; should you want to backport the fix on your local project, you will have to
>>>
>>> 1. create the directory enduser/src/main/java/org/apache/syncope/client/enduser/resources/ then download the class https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfCreateResource.java into the newly created directory
>>> 2. replace the file content of enduser/src/main/webapp/app/js/directives/dynamicPlainAttribute.js with the content from https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/resources/META-INF/resources/app/js/directives/dynamicPlainAttribute.js
>>>
>>> Afterwards, naturally, you'll have to rebuild & redeploy.
>>>
>>> Regards.
Re: Label on custom attributes
On 18/01/2017 13:40, Tech wrote:
> Dear all,
> we need to create custom attributes in Syncope, but we realized the correspondence 1:1 with Key/Column/Label.
> For example we might need to display some attributes that should not necessarily be read in English and that could contain accents. For example we imagine something like this:
>
> firstname: {
>   "lang":"en" { "value":"Name" },
>   "lang":"fr": { "value":"Prénom" }
> }
>
> In this case we could keep a stick reference for the name, in our case "firstname", but then display it in a different way (and language) and be able to implement also accents: is there a way to do it?

The EndUser UI already provides translation features: take a look at the JSON files available under enduser/src/main/webapp/app/languages/

You have a directory for each language available, and two files in each directory: 'static.json' for application messages and 'dynamic.json' for labels (including attributes).

HTH
Regards.
Re: Date format on user self-registration
On 18/01/2017 11:34, Tech wrote:
> Hello,
> thanks, in the version 2.0.2 the Date is working correctly.

Please be aware that there is no 2.0.2 yet, only 2.0.2-SNAPSHOT, which is the ongoing work that will eventually bring the official 2.0.2.

The instructions I gave you below are for backporting the fix in 2.0.2-SNAPSHOT into your local project based on 2.0.1.
I assume something went wrong in this process; I will update my reference project at https://github.com/Tirasa/syncopeOnJBoss with such backport as soon as I get some spare time, maybe this could help you.

Regards.

> On 18/01/2017 10:31, Francesco Chicchiriccò wrote:
>> On 18/01/2017 10:23, Tech wrote:
>>> Hello,
>>> we created the new java files as requested, we modified the dynamicPlainAttribute.js, but we didn't resolve the situation yet.
>>> We tried two scenarios: the first with an existing user that needs to enter the date field where before it was empty, the second with a brand new user who enters the information for the first time, but also in this case the date is not saved into the system.
>>> Could you please double check?
>>
>> Hi,
>> I have just tried locally and it worked as expected; you could also try yourself with our public demo at
>>
>> http://syncope-vm.apache.org:9080/syncope-console/
>> http://syncope-vm.apache.org:9080/syncope-enduser/
>>
>> The version deployed there is the latest 2.0.2-SNAPSHOT.
>>
>> Regards.
>>
>> On 13/01/2017 11:58, Francesco Chicchiriccò wrote:
>>> On 2017-01-12 14:50 (+0100), Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>>> On 12/01/2017 14:27, Tech wrote:
>>>>> Dear experts,
>>>>> We added the date as custom field, we added it to the BaseUser class and afterwards we added it to the USER schema.
>>>>> During the self registration we are able to display the field, which is correctly displayed as Date (we can also see the calendar button). We can complete the registration procedure, but the information is not stored into the Database.
>>>>> We modified the Conversion-Pattern using -MM-dd, but this changes only the way the data is displayed in the interface; we still can't store the information into the database.
>>>>
>>>> Hi,
>>>> it seems you've spotted a bug in the Enduser UI; I have just performed the following steps:
>>>>
>>>> 1. from Admin UI, create new Date schema with conversion pattern '-MM-dd' and added to the base type for USER
>>>> 2. perform self-registration via Enduser UI, provided a value for the new Date attribute
>>>> 3. open the new user from Admin UI, no value found for the new Date attribute
>>>>
>>>> So, the bug is confirmed. Moreover, I also did:
>>>>
>>>> 4. from Admin UI, set a value for the new Date attribute on the new user
>>>> 5. log into the Enduser UI as the new user, see the value set from Admin UI, then update the Date schema with a new value
>>>> 6. from Admin UI, see the new value as provided via Enduser UI
>>>>
>>>> Hence the bug seems to occur only during self-registration.
>>>>
>>>> Would you mind opening an issue on https://issues.apache.org/jira/browse/SYNCOPE/ ?
>>>
>>> Hi,
>>> I have just committed a fix for SYNCOPE-992 (the issue you've opened as requested above, thx).
>>>
>>> Such fix will be available with the release of Apache Syncope 2.0.2; should you want to backport the fix on your local project, you will have to
>>>
>>> 1. create the directory enduser/src/main/java/org/apache/syncope/client/enduser/resources/ then download the class https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfCreateResource.java into the newly created directory
>>> 2. replace the file content of enduser/src/main/webapp/app/js/directives/dynamicPlainAttribute.js with the content from https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/resources/META-INF/resources/app/js/directives/dynamicPlainAttribute.js
>>>
>>> Afterwards, naturally, you'll have to rebuild & redeploy.
>>>
>>> Regards.
Re: Password reset procedure from enduser interface
On 18/01/2017 11:38, Tech wrote:
> Hello,
> we faced something that could be a bug in version 2.0.1 and version 2.0.2.
> We created a SecurityQuestion from the Admin interface and the user is prompted to enter one during the creation of his account. The SecurityQuestion is correctly stored into the DB.
> We "forget" the password and we try to recover it using the interface, but we cannot reset it. This is happening both for existing and new users.
> Could you please double-check?

I assume you have already checked https://syncope.apache.org/docs/reference-guide.html#password-reset to understand how the password reset process is expected to work.

Regards.
Re: Date format on user self-registration
On 18/01/2017 10:23, Tech wrote:

Hello, we created the new java files as requested, we modified the dynamicPlainAttribute.js, but we didn't resolve the situation yet. We tried two scenarios: the first with an existing user that needs to enter the date field where before it was empty, the second with a brand new user who enters the information for the first time, but also in this case the date is not saved into the system. Could you please double check?

Hi, I have just tried locally and it worked as expected; you could also try yourself with our public demo at

http://syncope-vm.apache.org:9080/syncope-console/
http://syncope-vm.apache.org:9080/syncope-enduser/

The version deployed there is the latest 2.0.2-SNAPSHOT.

Regards.

On 13/01/2017 11:58, Francesco Chicchiriccò wrote:

On 2017-01-12 14:50 (+0100), Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 12/01/2017 14:27, Tech wrote:

Dear experts, we added the date as a custom field, we added it to the BaseUser class and afterwards we added it to the USER schema. During the self registration we are able to display the field, which is correctly displayed as Date (we can also see the calendar button). We can complete the registration procedure, but the information is not stored into the Database. We modified the Conversion-Pattern using -MM-dd, but this changes only the way the data is displayed in the interface, but we still can't store the information into the database.

Hi, it seems you've spotted a bug in the Enduser UI; I have just performed the following steps:

1. from Admin UI, create new Date schema with conversion pattern '-MM-dd' and add it to the base type for USER
2. perform self-registration via Enduser UI, providing a value for the new Date attribute
3. open the new user from Admin UI: no value found for the new Date attribute

So, the bug is confirmed. Moreover, I also did:

4. from Admin UI, set a value for the new Date attribute on the new user
5. log into the Enduser UI as the new user, see the value set from Admin UI, then update the Date attribute with a new value
6. from Admin UI, see the new value as provided via Enduser UI

Hence the bug seems to occur only during self-registration. Would you mind opening an issue on https://issues.apache.org/jira/browse/SYNCOPE/ ?

Hi, I have just committed a fix for SYNCOPE-992 (the issue you've opened as requested above, thx). Such fix will be available with the release of Apache Syncope 2.0.2; should you want to backport the fix on your local project, you will have to

1. create the directory enduser/src/main/java/org/apache/syncope/client/enduser/resources/ then download the class https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfCreateResource.java into the newly created directory
2. replace the file content of enduser/src/main/webapp/app/js/directives/dynamicPlainAttribute.js with the content from https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/resources/META-INF/resources/app/js/directives/dynamicPlainAttribute.js

Afterwards, naturally, you'll have to rebuild & redeploy.

Regards.
Re: How to distinguish Syncope 1.2.x and 2.x
On 12/01/2017 09:10, XiLai Dai wrote:

Thanks Francesco! Yes, I saw this /rest/platform API in the Swagger doc of Syncope 2.0.1, but it only exists from Syncope 2.x on; Syncope 1.2.x doesn't provide this API and no response is returned when GETting it.

True, Syncope 1.2 does not provide anything similar. I got the impression from your text below that you were not even aware of the REST endpoint in 2.0, as you only mentioned the WADL content, hence I provided the related info.

About 1.2, you might want to either add something similar to your own overlay or backport the 2.0 feature (possibly trimmed down) in the 1.2.10-SNAPSHOT. The former option has the advantage for you of being immediately available without waiting for the 1.2.10 release.

Regards.

*From:* Francesco Chicchiriccò <ilgro...@apache.org>
*Sent:* Thursday, January 12, 2017 3:45:12 PM
*To:* user@syncope.apache.org
*Subject:* Re: How to distinguish Syncope 1.2.x and 2.x

On 12/01/2017 08:35, XiLai Dai wrote:

Hi there, in our product we want to let it support both Syncope 1.2.x and the new 2.x, but it seems there is no REST API, e.g. "/rest/version", to get the version info. The only way I could find is to get the version from the WADL response XML of http://localhost:9080/syncope/rest/?_wadl

Is there another, more convenient way to get the version info? Thanks!

Hi, you can look at GET /syncope/rest/platform: the returned object has a 'version' field.

You can check the REST reference [1][2] or exploit the Swagger extension [3] to get details about the available endpoints. Please consider that such a call requires authentication (as it discloses several data about the given deployment); you can however empower the anonymousUser / anonymousKey values as specified in the security.properties file.

HTH
Regards.

[1] http://syncope.apache.org/rest/2.0/index.html
[2] http://localhost:9080/syncope/rest/
[3] https://syncope.apache.org/docs/reference-guide.html#swagger
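As an added illustration of the approach discussed above (this is example code, not part of the thread or of Apache Syncope): a small Python probe that calls GET /syncope/rest/platform with HTTP Basic credentials and classifies the answer. It assumes, as the thread states, that 2.x returns a JSON object with a 'version' field and that 1.2.x answers 404 or an empty body for that path; the base URL and the credential placeholders are assumptions too.

```python
"""Added example: tell Syncope 2.x from 1.2.x via GET /syncope/rest/platform.

Not part of the original thread or of Apache Syncope. Assumptions: a 2.x
deployment answers 200 with a JSON object carrying a 'version' field (as
stated in the thread), a 1.2.x deployment answers 404 or an empty body for
that path, and HTTP Basic credentials are accepted by the endpoint.
"""
import base64
import json
import os
import urllib.error
import urllib.request

PLATFORM_PATH = "/syncope/rest/platform"


def classify_platform_response(status, body):
    """Map an HTTP status plus body to a verdict; kept free of I/O for testing."""
    text = body.strip()
    if status == 200 and text:
        try:
            info = json.loads(text)
        except ValueError:
            return {"family": "unknown", "version": None, "reason": "non-JSON body"}
        version = info.get("version") if isinstance(info, dict) else None
        if version:
            return {"family": "2.x", "version": version, "reason": "platform endpoint present"}
        return {"family": "unknown", "version": None, "reason": "no 'version' field"}
    if status in (401, 403):
        # The endpoint discloses deployment details, so it demands authentication.
        return {"family": "unknown", "version": None, "reason": "credentials rejected"}
    if status == 404 or status == 200:
        # Reached only with 404 or an empty 200 body: Syncope 1.2 has no platform endpoint.
        return {"family": "1.2.x", "version": None, "reason": "no platform endpoint"}
    return {"family": "unknown", "version": None, "reason": "HTTP %d" % status}


def probe_syncope(base_url, username, password, timeout=10):
    """GET <base_url>/syncope/rest/platform with HTTP Basic credentials."""
    req = urllib.request.Request(base_url.rstrip("/") + PLATFORM_PATH,
                                 headers={"Accept": "application/json"})
    token = base64.b64encode("{}:{}".format(username, password).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_platform_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_platform_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Base URL as used in the thread; credentials are placeholders read from the environment.
    print(probe_syncope("http://localhost:9080",
                        os.environ.get("SYNCOPE_USER", "admin"),
                        os.environ.get("SYNCOPE_PASSWORD", "CHANGE_ME")))
```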
Re: CSV resource
On 11/01/2017 11:01, Aniket Rohra wrote:

Hello, we have downloaded the standalone version of Apache Syncope 2.0.1 for evaluation purposes.

Issue: when we are running the Pull task (CSV Task: update matching; provision unmatching) we can see the list of users in the CSV getting created in Syncope. At the same time we can also see the users are pushed to resource-testdb. Can someone help where we can change this setting, as we want it to be pushed to another resource?

Hi, users pulled from CSV via the pull task referenced above are also propagated to resource-testdb because such pull task has a user template defined, which states so.

If you haven't done that yet, I strongly suggest reading the chapter about the provisioning process in our reference guide [2].

HTH
Regards.

[1] https://syncope.apache.org/docs/reference-guide.html#pull-templates
[2] https://syncope.apache.org/docs/reference-guide.html#provisioning
Re: Update user from LDAP
On 04/01/2017 15:32, PSYND wrote:

Dear Francesco, thank you for your support, we've actually been able to update users using the AD connector instead of the generic LDAP one.

Good news, then: the ConnId Active Directory connector in fact fully supports SYNC [5].

Regards.

On 2017-01-04 08:33, Francesco Chicchiriccò wrote:

On 03/01/2017 19:39, PSYND wrote:

Dear Experts, we connected our Syncope to an OpenLDAP. We are able to create users from OpenLDAP to Syncope, and we are able to list them from the dashboard. We update the user in the LDAP, we check using the Explore Resource and we can correctly display the change we made.

That's good to hear.

So we run the change as Incremental, but the logs say:

    JobExecutionException: While pulling from connector
    org.quartz.JobExecutionException: While pulling from connector [See nested exception: org.identityconnectors.framework.common.exceptions.ConnectorException: Unable to locate the replication change log. From the admin console please verify that the change log is enabled under Configuration: Replication: Supplier Settings and that the Retro Change Log Plugin is enabled under Configuration: Plug-ins: Retro Change Log Plugin]
        at org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:284)
        at org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:60)
        at org.apache.syncope.core.provisioning.java.pushpull.AbstractProvisioningJobDelegate.doExecute(AbstractProvisioningJobDelegate.java:558)

As I was saying recently [1], and as reported by the reference guide [2], the incremental pull mode requires the SYNC operation to be implemented on the related connector bundle, and the LDAP connector bundle implements that "only with Sun / Oracle DSEE, RedHat 389 and OpenDS / OpenDJ" [3].

If you are using other implementations, say OpenLDAP, only full and filtered pull modes are effective.

If we try this time with a Full Reconciliation, the event will be SUCCESS, but the log will display:

    Users [created/failures]: 0/0 [updated/failures]: 0/0 [deleted/failures]: 0/0 [no operation/ignored]: 1/0
    Users no operation:
    NONE SUCCESS (key/name): acff92f7-00f9-4f9a-bf92-f700f9ff9a34/cros

Any idea?

The execution of the full reconciliation is SUCCESS because it succeeded without breaking errors. The result summary above states that the pull task execution has found a single user, and that the internal logic decided not to perform any operation on it. This happens, for example, when you have set the unmatching rule [4] to IGNORE on the pull task.

HTH
Regards.

[1] https://lists.apache.org/thread.html/19ff0c439a68eebac36be2c19a3cf2d9e4bf5aab6a32fcd5aa356e5d@%3Cuser.syncope.apache.org%3E
[2] https://syncope.apache.org/docs/reference-guide.html#pull-mode
[3] https://connid.atlassian.net/wiki/display/BASE/LDAP#LDAP-SupportedOperations
[4] https://syncope.apache.org/docs/reference-guide.html#provisioning-pull
[5] https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482#ActiveDirectory(JNDI)-SupportedOperations
Re: LDAP group membership sync
On 27/12/2016 18:25, [TheResolvers] - Alex wrote:

Hi, I think I haven’t exposed the problem in a clear way. The idea isn’t to pull the group membership from ldap, but instead to push the syncope group membership information into ldap. So the tutorial is exactly the opposite of what I need. The funny thing is that apart from group sync, the rest of the setup is working out of the box without any problem.

Some background: memberships are not managed by ConnId at framework level (ConnId has only the concept of objectClass [1]). For this reason Syncope provides some utility classes (as propagation actions [2] and pull actions [3]) which can be put at work to overcome this limitation.

In your specific case, you'd need to include org.apache.syncope.core.provisioning.java.propagation.LDAPMembershipPropagationActions in the LDAP external resource. This will extend the attributes passed from Syncope to LDAP with a special 'ldapGroups' attribute containing the list of DNs of the LDAP groups matching the Syncope groups each user is member of. Then the LDAP connector code will take care of it.

Moreover, you'll also need to configure the underlying connector with POSIX group support (see available options at [4]).

I'd suggest anyway to watch the core-connid.log file during propagations to see what is actually happening.

HTH
Regards.

[1] http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/common/objects/ObjectClass.html
[2] https://syncope.apache.org/docs/reference-guide.html#propagationactions
[3] https://syncope.apache.org/docs/reference-guide.html#pullactions
[4] https://connid.atlassian.net/wiki/display/BASE/LDAP

On 27 Dec 2016, at 11:04, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 23/12/2016 21:38, [TheResolvers] - Alex wrote:

Hello to everyone, I’m trying to deploy Syncope as IDM to provision users on an OpenLDAP directory server. The push of users and groups to the directory works without any problem, but I haven’t yet found the correct configuration to maintain user memberships. So I think I made some mistakes in the ConnId LDAP connector. Can anyone send me a base config to provision user membership for posixGroup (RFC2307)? I’m using Syncope 2.0.1 with MySQL backend.

Hi, you might want to take a look at Colm's post about pulling users and groups from LDAP:
http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Regards.