Re: Any tutorials?

2017-08-22 Thread Francesco Chicchiriccò

Hi Sergio,
sorry, my bad.

You need to:

1. declare the JDBC driver dependency in enduser/pom.xml (not 
core/pom.xml as said initially), as follows:



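<dependency>
  <groupId>mysql</groupId>
  <artifactId>mysql-connector-java</artifactId>
  <version>5.1.42</version>
  <scope>test</scope>
</dependency>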


right after


<dependency>
  <groupId>com.h2database</groupId>
  <artifactId>h2</artifactId>
  <scope>test</scope>
</dependency>


2. add the JDBC driver as Tomcat dependency, via cargo:

  
  <dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
  </dependency>
  

right after

  
  <dependency>
    <groupId>com.h2database</groupId>
    <artifactId>h2</artifactId>
  </dependency>
  

I have just tried to be sure, and it worked in embedded mode.

In case of deployment onto an external container (rather than in 
embedded mode), you'll have to copy the JDBC Driver JAR onto the 
container's classpath ($CATALINA_HOME/lib for Tomcat).


HTH
Regards.

On 21/08/2017 23:42, Sergio Muriel wrote:


com.mysql.jdbc.Driver for MySQL

com.microsoft.sqlserver.jdbc.SQLServerDriver for SQL Server


Yes, I'm trying to configure a DBTable Connector Bundle?




*From:* Francesco Chicchiriccò <ilgro...@apache.org>
*Sent:* Sunday, August 20, 2017 1:02 AM
*To:* user@syncope.apache.org
*Subject:* Re: Any tutorials?
On 2017-08-20 01:20 Sergio Muriel wrote:

> Although I can see now the drivers in:
>
> core/target/syncope/WEB-INF/lib/mssql-jdbc-6.1.0.jre8.jar
>
> core/target/syncope/WEB-INF/lib/mysql-connector-java-5.1.42.jar
>
> I still get the same error "InvalidExternalResource [JDBC Driver is not
> found on classpath.]" when I try to create a new resource.
>
> I did as you suggest:
>
> * Added the dependency to core/pom.xml
> * Rebuilt everything from the root directory via "mvn -Pall clean
> install".
> * Ran it from enduser via "mvn -P embedded,all"
>
> I don't know what is wrong.

Which value did you provide for the "JDBC Driver" property? Are you
attempting to configure the DBTable Connector Bundle?

https://connid.atlassian.net/wiki/spaces/BASE/pages/360497/Database+Table#DatabaseTable-ConfigurationProperties

Regards.

> FROM: Francesco Chicchiriccò <ilgro...@apache.org>
> SENT: Saturday, August 19, 2017 7:39 AM
> TO: user@syncope.apache.org
> SUBJECT: Re: Any tutorials?
>
> Hi Sergio,
> about some points below:
>
>> First point about AnyTypeClasses worked flawlessly. (Although I'm
>> still trying
>> to figure out why I cannot reuse those schemata pre-loaded there).
>
> The pre-loaded Schemas are already assigned to some AnyTypeClass - and
> each Schema might be assigned to an AnyTypeClass instance at most.
>
>> I take back part of what I said on the second point. The dependency
>> addition
>> actually works and downloads the drivers, but I did it on
>> enduser/pom.xml
>> instead of core/pom.xml because the Getting Started page [1] suggests
>> to run it
>> from there:
>>
>> " .. then, from the enduser subdirectory, execute:
>> mvn -P embedded,all"
>
> Logically, the MySQL JDBC driver is used by the Core, not by the
> Enduser UI, so the correct procedure is to add the dependency to
> core/pom.xml, rebuild everything from the root directory via "mvn clean
> install" or "mvn -Pall clean install", then move back to the enduser
> subdirectory and start as reported by the Getting Started guide.
>
> Regards.
>
> On 19-Aug-17, at 2:37, Sergio Muriel <sergio...@hotmail.com> wrote:
>
>> Hi again Francesco,
>
>> I take back part of what I said on the second point. The dependency
>> addition
>> actually works and downloads the drivers, but I did it on
>> enduser/pom.xml
>> instead of core/pom.xml because the Getting Started page [1] suggests
>> to run it
>> from there:
>
>> " .. then, from the enduser subdirectory, execute:
>> mvn -P embedded,all"
>
>> Is it okay?
>
>> [1] https://syncope.apache.org/docs/getting-started.html 
>
>> From: Sergio Muriel <sergio...@hotmail.com>
>> Sent: Friday, August 18, 2017 3:06 PM
>> To: user@syncope.apache.org
>> Subject: R

Re: Syncope on AWS

2017-08-21 Thread Francesco Chicchiriccò

On 20/08/2017 14:43, John Stegeman wrote:

Hello All,


Hi John,
welcome to Apache Syncope :-)


We have installed Syncope into AWS’s CodePipeline (commit/build/deploy) and are 
using AWS’s Elastic Beanstalk environment.  We pretty much have the entire 
process documented and working, however we are running into an error with 
Console.  Essentially, when trying to access the Users and Groups 
administration area, Console kicks you out and returns to the login screen.  We 
have tracked down where the return code is being processed.  Also, we have 
checked the API via swagger.  We also tried with the distribution WAR’s using 
the built-in H2 database with the same result.  The rest of console seems to 
function properly.


In the console.log this error appears at the top of the log:

11:38:28.163 ERROR org.apache.cxf.jaxrs.utils.JAXRSUtils - No message body 
reader has been found for class org.apache.syncope.common.lib.to.ErrorTO, 
ContentType: text/html;charset=iso-8859-1
11:38:28.175 ERROR org.apache.cxf.jaxrs.utils.JAXRSUtils - No message body 
reader has been found for class java.util.List, ContentType: 
text/html;charset=iso-8859-1
11:38:28.177 ERROR 
org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener - 
Exception found
org.apache.wicket.WicketRuntimeException: Error attaching this container for 
rendering: [WebMarkupContainer [Component id = body]]


And the subsequent REST call produces this error:

at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
 ~[tomcat-util.jar:8.0.45]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]
Caused by: javax.xml.ws.WebServiceException: Remote exception with status code: 
NOT_FOUND
at 
org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:76)
 ~[syncope-client-lib-2.0.4.jar:2.0.4]
at 
org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
 ~[syncope-client-lib-2.0.4.jar:2.0.4]

Using swagger on GET/groups/own a 500 error is returned and GET/users returns a 
404 error code.

We have actually made great progress and will share with the community

Any insight or suggestions are greatly appreciated.


With which user are you logging into the Admin Console (or are you using 
with Swagger)? admin or other?


In order to understand what is happening, you should share the relevant 
snippets from your log files (core-* and console); in particular, please 
clear up all log files' content after logging into Admin Console, then 
attempt to access the Realms page and see what messages are added there.


Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Multi-factor authentication in Syncope?

2017-08-20 Thread Francesco Chicchiriccò

Hi Nicholas,
and glad of your interest in Apache Syncope.

See my replies embedded below.

Regards.

On 2017-08-19 20:41 Nicholas Folse wrote:


Greetings,

I'm researching digital identity management frameworks and found Apache 
Syncope.


I have two main questions. The first is about implementing support for 
new authenticators (e.g. U2F, hardware tokens, etc.). The second 
question is about using Syncope for IoT applications.


FIRST: Does Syncope support multi-factor authentication? The 
documentation references OAuth, but I can't seem to find any details 
about how this is done.


AFAICT the only place where OAuth is referenced in the documentation is 
when it introduces the Access Management technology:


https://syncope.apache.org/docs/reference-guide.html#access-managers

but this does not apply to Syncope, being mainly - at least in the 
current version - rather a Provisioning Engine:


https://syncope.apache.org/docs/reference-guide.html#provisioning-engines

How could I implement support for new authenticators? For example, 
would it be possible to implement a U2F module?


The NIST digital identity guidelines 
(https://pages.nist.gov/800-63-3/sp800-63b.html) detail a number of 
different authenticators and I'm curious how these could be integrated 
into Syncope.


Other libraries like pac4j also include support for a variety of 
different authenticators. Could Syncope be adapted to support pac4j?


The authentication and authorization process in Syncope is based on 
Spring Security, and features JWT:


https://syncope.apache.org/docs/reference-guide.html#rest-authentication-and-authorization

The current authentication methods include only username / password and 
SAML 2.0 SSO, but the service design built for the latter can be 
definitely replicated for other mechanisms, including OAuth 2.0:


https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature

FYI, the SAML 2.0 SP feature

https://syncope.apache.org/docs/reference-guide.html#saml-2-0-service-provider

was built on the support provided by Apache CXF, and there are already 
plans for OAuth 2.0:


https://issues.apache.org/jira/browse/SYNCOPE-534
https://issues.apache.org/jira/browse/SYNCOPE-1018

I'd say that integration with pac4j is definitely possible, but requires 
some integration work.


On a side note, my company has some experience in integration with CAS:

http://blog.tirasa.net/cas-rest-authentication.html

SECOND: A recent post on opensource forum mentions Syncope's potential 
regarding IoT, but I couldn't find any mention of this in the reference 
guide. Can you point me to some documentation regarding IoT use-cases 
and scenarios?


The only aspect that could bind Syncope and IoT is ATM its native support 
for Any Objects, e.g. for modeling new identity types, their attributes 
and relationships. Please bear in mind that anything regarding Syncope 
is currently bound to the provisioning domain.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Any tutorials?

2017-08-20 Thread Francesco Chicchiriccò

On 2017-08-20 01:20 Sergio Muriel wrote:


Although I can see now the drivers in:

core/target/syncope/WEB-INF/lib/mssql-jdbc-6.1.0.jre8.jar

core/target/syncope/WEB-INF/lib/mysql-connector-java-5.1.42.jar

I still get the same error "InvalidExternalResource [JDBC Driver is not 
found on classpath.]" when I try to create a new resource.


I did as you suggest:

* Added the dependency to core/pom.xml
* Rebuilt everything from the root directory via "mvn -Pall clean 
install".

* Ran it from enduser via "mvn -P embedded,all"

I don't know what is wrong.


Which value did you provide for the "JDBC Driver" property? Are you 
attempting to configure the DBTable Connector Bundle?


https://connid.atlassian.net/wiki/spaces/BASE/pages/360497/Database+Table#DatabaseTable-ConfigurationProperties

Regards.


FROM: Francesco Chicchiriccò <ilgro...@apache.org>
SENT: Saturday, August 19, 2017 7:39 AM
TO: user@syncope.apache.org
SUBJECT: Re: Any tutorials?

Hi Sergio,
about some points below:

First point about AnyTypeClasses worked flawlessly. (Although I'm 
still trying

to figure out why I cannot reuse those schemata pre-loaded there).


The pre-loaded Schemas are already assigned to some AnyTypeClass - and 
each Schema might be assigned to an AnyTypeClass instance at most.


I take back part of what I said on the second point. The dependency 
addition
actually works and downloads the drivers, but I did it on 
enduser/pom.xml
instead of core/pom.xml because the Getting Started page [1] suggests 
to run it

from there:

" .. then, from the enduser subdirectory, execute:
mvn -P embedded,all"


Logically, the MySQL JDBC driver is used by the Core, not by the 
Enduser UI, so the correct procedure is to add the dependency to 
core/pom.xml, rebuild everything from the root directory via "mvn clean 
install" or "mvn -Pall clean install", then move back to the enduser 
subdirectory and start as reported by the Getting Started guide.


Regards.

On 19-Aug-17, at 2:37, Sergio Muriel <sergio...@hotmail.com> wrote:


Hi again Francesco,


I take back part of what I said on the second point. The dependency 
addition
actually works and downloads the drivers, but I did it on 
enduser/pom.xml
instead of core/pom.xml because the Getting Started page [1] suggests 
to run it

from there:



" .. then, from the enduser subdirectory, execute:
mvn -P embedded,all"



Is it okay?



[1] https://syncope.apache.org/docs/getting-started.html





From: Sergio Muriel <sergio...@hotmail.com>
Sent: Friday, August 18, 2017 3:06 PM
To: user@syncope.apache.org
Subject: Re: Any tutorials?



Hi Francesco,


First point about AnyTypeClasses worked flawlessly. (Although I'm 
still trying

to figure out why I cannot reuse those schemata pre-loaded there).



Second point about dependency still throws same error: "
InvalidExternalResource. JDBC Driver is not found on classpath." This 
is what I
added (right before the first  occurrence in 
core/pom.xml ) :








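<dependency>
  <groupId>mysql</groupId>
  <artifactId>mysql-connector-java</artifactId>
  <version>5.1.42</version>
</dependency>
<dependency>
  <groupId>com.microsoft.sqlserver</groupId>
  <artifactId>sqljdbc4</artifactId>
  <version>4.0</version>
</dependency>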





Since I'm trying to connect to sqlserver as well.
Suggestions will be greatly appreciated.



Thank you!



Best Regards,
Sergio



From: Francesco Chicchiriccò <ilgro...@apache.org>
Sent: Friday, August 18, 2017 1:32 AM
To: user@syncope.apache.org
Subject: Re: Any tutorials?
Hi Sergio,
see my replies embedded below.



Regards.



On 17/08/2017 23:28, Sergio Muriel wrote:



Thank you Francesco.


I'm trying to accomplish what you say, however I'm having two issues 
at the

moment:


1. I log in to syncope-console/ as admin, click on Types -> 
AnyTypeClasses ->
New AnyTypeClass but I find no schema to add because all lists are 
empty.


Of course, you need first to create new schemas that are not assigned 
yet to any

AnyTypeClass.


1. I was able to create a connector in Topology -> connid -> Add New 
Connector,
but when I try to create a resource for that connector it shows this 
error
message: InvalidExternalResource. JDBC Driver is not found on 
classpath.



This happens because you are likely attempting to create a DBTable or
ScriptedSQL connector for a DBMS (MySQL / MariaDB? PostgreSQL? 
other?), for

which you'll need to include the related JDBC driver.


Since it seems you're running the Maven project, just add the related 
dependency

to core/pom.xml (right before the first  occurrence):




<dependency>
  <groupId>mysql</groupId>
  <artifactId>mysql-connector-java</artifactId>
  <version>5.1.42</version>
</dependency>




for MySQL, or




<dependency>
  <groupId>org.mariadb.jdbc</groupId>
  <artifactId>mariadb-java-client</artifactId>
  <version>1.6.1</version>
</dependency>




for MariaDB, and so on.



I created my project with maven archetype and run it with



mvn -P embedded,all



Any clue of what I'm doing wrong here?




Re: Any tutorials?

2017-08-19 Thread Francesco Chicchiriccò
Hi Sergio,
about some points below:

> First point about AnyTypeClasses worked flawlessly. (Although I'm still trying
> to figure out why I cannot reuse those schemata pre-loaded there).

The pre-loaded Schemas are already assigned to some AnyTypeClass - and each 
Schema might be assigned to an AnyTypeClass instance at most.

> I take back part of what I said on the second point. The dependency addition
> actually works and downloads the drivers, but I did it on enduser/pom.xml
> instead of core/pom.xml because the Getting Started page [1] suggests to run 
> it
> from there:
>
> " .. then, from the enduser subdirectory, execute:
> mvn -P embedded,all"

Logically, the MySQL JDBC driver is used by the Core, not by the Enduser UI, so 
the correct procedure is to add the dependency to core/pom.xml, rebuild 
everything from the root directory via "mvn clean install" or "mvn -Pall clean 
install", then move back to the enduser subdirectory and start as reported by 
the Getting Started guide.

Regards.

On 19-Aug-17, at 2:37, Sergio Muriel <sergio...@hotmail.com> wrote:

> Hi again Francesco,

> I take back part of what I said on the second point. The dependency addition
> actually works and downloads the drivers, but I did it on enduser/pom.xml
> instead of core/pom.xml because the Getting Started page [1] suggests to run 
> it
> from there:

> " .. then, from the enduser subdirectory, execute:
> mvn -P embedded,all"

> Is it okay?

> [1] https://syncope.apache.org/docs/getting-started.html

> From: Sergio Muriel <sergio...@hotmail.com>
> Sent: Friday, August 18, 2017 3:06 PM
> To: user@syncope.apache.org
> Subject: Re: Any tutorials?

> Hi Francesco,

> First point about AnyTypeClasses worked flawlessly. (Although I'm still trying
> to figure out why I cannot reuse those schemata pre-loaded there).

> Second point about dependency still throws same error: "
> InvalidExternalResource. JDBC Driver is not found on classpath." This is what 
> I
> added (right before the first  occurrence in core/pom.xml ) :

> 

> 
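> <dependency>
>   <groupId>mysql</groupId>
>   <artifactId>mysql-connector-java</artifactId>
>   <version>5.1.42</version>
> </dependency>
> <dependency>
>   <groupId>com.microsoft.sqlserver</groupId>
>   <artifactId>sqljdbc4</artifactId>
>   <version>4.0</version>
> </dependency>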
> 
> 

> Since I'm trying to connect to sqlserver as well.
> Suggestions will be greatly appreciated.

> Thank you!

> Best Regards,
> Sergio

> From: Francesco Chicchiriccò <ilgro...@apache.org>
> Sent: Friday, August 18, 2017 1:32 AM
> To: user@syncope.apache.org
> Subject: Re: Any tutorials?
> Hi Sergio,
> see my replies embedded below.

> Regards.

> On 17/08/2017 23:28, Sergio Muriel wrote:

>> Thank you Francesco.

>> I'm trying to accomplish what you say, however I'm having two issues at the
>> moment:

>>1. I log in to syncope-console/ as admin, click on Types -> 
>> AnyTypeClasses ->
>> New AnyTypeClass but I find no schema to add because all lists are empty.

> Of course, you need first to create new schemas that are not assigned yet to 
> any
> AnyTypeClass.

>>1. I was able to create a connector in Topology -> connid -> Add New 
>> Connector,
>>but when I try to create a resource for that connector it shows this error
>> message: InvalidExternalResource. JDBC Driver is not found on classpath.

> This happens because you are likely attempting to create a DBTable or
> ScriptedSQL connector for a DBMS (MySQL / MariaDB? PostgreSQL? other?), for
> which you'll need to include the related JDBC driver.

> Since it seems you're running the Maven project, just add the related 
> dependency
> to core/pom.xml (right before the first  occurrence):

> 
> <dependency>
>   <groupId>mysql</groupId>
>   <artifactId>mysql-connector-java</artifactId>
>   <version>5.1.42</version>
> </dependency>
> 

> for MySQL, or

> 
> <dependency>
>   <groupId>org.mariadb.jdbc</groupId>
>   <artifactId>mariadb-java-client</artifactId>
>   <version>1.6.1</version>
> </dependency>
> 

> for MariaDB, and so on.

>> I created my project with maven archetype and run it with

>> mvn -P embedded,all

>> Any clue of what I'm doing wrong here?

>> Your help is very appreciated.

>> Sergio

>> From: Francesco Chicchiriccò <ilgro...@apache.org>
>> Sent: Friday, August 11, 2017 5:14 AM
>> To: user@syncope.apache.org
>> Subject: Re: Any tutorials?
>> On 10/08/2017 19:16, Sergio Muriel wrote:

>>> Hi,

>>> does anyone know about any easy to follow Syncope tutorials or 
>>> documentation?

>>> I have been reading the reference guide but I find it hard to follow.

>>> This is what I need to do: Synchronize db2db fields , web service to web 
>>> service
>>> and database fields to web service and vice versa.

>> Hi Sergio, and welcome to Apache Syncope!

>> We don't have much "from 0 to ready" tutorials

Re: Any tutorials?

2017-08-18 Thread Francesco Chicchiriccò

Hi Sergio,
see my replies embedded below.

Regards.

On 17/08/2017 23:28, Sergio Muriel wrote:


Thank you Francesco.


I'm trying to accomplish what you say, however I'm having two issues 
at the moment:



 1. I log in to syncope-console/ as admin, click on Types ->
AnyTypeClasses -> New AnyTypeClass but I find no schema to add
because all lists are empty.



Of course, you need first to create new schemas that are not assigned 
yet to any AnyTypeClass.



 1. I was able to create a connector in Topology -> connid -> Add New
Connector, but when I try to create a resource for that connector
it shows this error message: InvalidExternalResource. JDBC Driver
is not found on classpath.



This happens because you are likely attempting to create a DBTable or 
ScriptedSQL connector for a DBMS (MySQL / MariaDB? PostgreSQL? other?), 
for which you'll need to include the related JDBC driver.


Since it seems you're running the Maven project, just add the related 
dependency to core/pom.xml (right before the first  
occurrence):



<dependency>
  <groupId>mysql</groupId>
  <artifactId>mysql-connector-java</artifactId>
  <version>5.1.42</version>
</dependency>


for MySQL, or


<dependency>
  <groupId>org.mariadb.jdbc</groupId>
  <artifactId>mariadb-java-client</artifactId>
  <version>1.6.1</version>
</dependency>


for MariaDB, and so on.


I created my project with maven archetype and run it with

mvn -P embedded,all


Any clue of what I'm doing wrong here?

Your help is very appreciated.


Sergio

----
*From:* Francesco Chicchiriccò <ilgro...@apache.org>
*Sent:* Friday, August 11, 2017 5:14 AM
*To:* user@syncope.apache.org
*Subject:* Re: Any tutorials?
On 10/08/2017 19:16, Sergio Muriel wrote:


Hi,

does anyone know about any easy to follow Syncope tutorials or 
documentation?


I have been reading the reference guide 
<http://syncope.apache.org/docs/reference-guide.html> but I find it 
hard to follow.



This is what I need to do: Synchronize db2db fields, web service to 
web service and database fields to web service and vice versa.




Hi Sergio, and welcome to Apache Syncope!

We don't have much "from 0 to ready" tutorials out there; you might 
want to read this post by Colm about pulling users from LDAP:


http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Also, someone started a primer a while ago

https://cwiki.apache.org/confluence/display/SYNCOPE/Apache+Syncope+2.0+Primer

but it's in the very early stages.

At a high level, for your own use case you'll need to:

1. define all the plain schemas you want to model for the Internal Storage
2. create one or more Connectors
3. for each Connector, create one or more External Resource where you 
define the mapping between Internal Storage's schemas and External 
Resource's attributes

4. for each Resource you want to pull users from, create a Pull Task

I'd suggest to start with one Connector / Resource (maybe for the DB 
you want to pull users from) and then proceed incrementally.


If the users you want to pull from the external DB fit in a single 
table, you can use the DBTable connector, otherwise you'll need the 
ScriptedSQL, which also requires to code / adjust some Groovy scripts 
to work.


Maybe it's also an idea for you to start with the Standalone 
Distribution, which is full of test data, and look at how things are 
configured there.


HTH
Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Any tutorials?

2017-08-11 Thread Francesco Chicchiriccò

On 10/08/2017 19:16, Sergio Muriel wrote:


Hi,

does anyone know about any easy to follow Syncope tutorials or 
documentation?


I have been reading the reference guide 
<http://syncope.apache.org/docs/reference-guide.html> but I find it 
hard to follow.



This is what I need to do: Synchronize db2db fields, web service to 
web service and database fields to web service and vice versa.




Hi Sergio, and welcome to Apache Syncope!

We don't have much "from 0 to ready" tutorials out there; you might want 
to read this post by Colm about pulling users from LDAP:


http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Also, someone started a primer a while ago

https://cwiki.apache.org/confluence/display/SYNCOPE/Apache+Syncope+2.0+Primer

but it's in the very early stages.

At a high level, for your own use case you'll need to:

1. define all the plain schemas you want to model for the Internal Storage
2. create one or more Connectors
3. for each Connector, create one or more External Resource where you 
define the mapping between Internal Storage's schemas and External 
Resource's attributes

4. for each Resource you want to pull users from, create a Pull Task

I'd suggest to start with one Connector / Resource (maybe for the DB you 
want to pull users from) and then proceed incrementally.


If the users you want to pull from the external DB fit in a single 
table, you can use the DBTable connector, otherwise you'll need the 
ScriptedSQL, which also requires to code / adjust some Groovy scripts to 
work.


Maybe it's also an idea for you to start with the Standalone 
Distribution, which is full of test data, and look at how things are 
configured there.


HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Configuration of LDAP Identity Store

2017-08-02 Thread Francesco Chicchiriccò

On 01/08/2017 18:27, Böhmer, Martin wrote:


Hi Francesco,

Thanks for the update. I’m excited to try out 2.0.5-SNAPSHOT.



You can start right away, actually: could you please remind me which 
distribution you are using? Standalone, deb, Maven project...


Just to make sure I understood your approach correctly: You said 
earlier, using the 1.5.2-SNAPSHOT version of the ConnID LDAP Bundle 
might be a workaround too (see below). But as far as I understood your 
solution to SYNCOPE-1182, it is going to work with the ConnID LDAP Bundle 
1.5.1 release currently referenced by the pom.xml in the 2_0_X 
branch!? So no need to worry about the ConnID version, am I right?




Correct.

Regards.


*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Tuesday, August 1, 2017 15:45
*To:* user@syncope.apache.org
*Subject:* Re: Configuration of LDAP Identity Store

On 28/07/2017 09:15, Böhmer, Martin wrote:

Hi Francesco,

What you propose sounds good to me from my external view not being
able to follow all the technical details.

Looking forward to the implemented solution.


FYI: https://issues.apache.org/jira/browse/SYNCOPE-1182

The implementation is now available with latest 2.0.5-SNAPSHOT (which 
should be available within hours).


Regards.


*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Thursday, July 27, 2017 12:34
*To:* user@syncope.apache.org
*Subject:* Re: Configuration of LDAP Identity Store

Hi Martin and Andrea,
sorry if I come late to the party.

First of all, I confirm that Andrea's approach is the correct one,
at this moment: the way how LDAPMembershipsPropagationActions is
architected requires that the same Resource is used for both Users
and Groups, and the configuration available in the test data for
ApacheDS works as long as uid and cn contain exactly the same value.
Hence, the suggestion to try out the LDAP connector 1.5.2-SNAPSHOT
(which can be downloaded from [0]) is the most logical, currently.

The issue originally described below is somehow related to some
thoughts I am elaborating about the usage that Syncope makes of
ConnId APIs, and I believe there is room for improvement.
I plan to write down a full proposal, but here's the raw idea.

For several operations, but in particular *before* and *after*
executing a Propagation Task, Syncope queries the External
Resource to see if a matching item is found, and it does that via
ConnId's GetApiOp [1].
Such operation is implemented at Framework level, e.g. before
reaching out any effective Connector, via a plain search [2] where
the key is the special __UID__ attribute and the value is the one
passed as argument, alongside with ObjectClass.

Using GetApiOp used to make entirely sense in the old days of
ConnId 1.3 and Syncope 1.1, when the Mapping Item identified as
"AccountId" (now Remote Key) was forced to blank the external
attribute name (see [3]): in such cases, in fact, __UID__ was used
as external attribute.

ConnId 1.4 slightly changed the way how the __UID__ attribute is
managed: as a result, since Syncope 1.2, it is mandatory to
specify an external attribute name for the Remote Key (see [4] in
Syncope 2.0).

To give an idea, the sample from [3] would result in querying the
External Resource for "__UID__ == 'ilgrosso'", while the sample
from [4] *should* result in "uid == 'ilgrosso'" but will instead
produce the same query as in the past.

The problem here is that what actually __UID__ means is left to
any Connector's implementation: LDAP configures that via the
UidAttribute property (and GidAttribute in 1.5.2-SNAPSHOT), AD
does something similar, others do differently.

What I see here is that from one side the Remote Key is defined in
Syncope at high level (e.g. as part of the Resource configuration,
in the Mapping), while the raw __UID__ is still used under the
hoods in some cases (before executing a Propagation Task, as said
above, for example), hence it is the low level configuration (not
Resource's but Connector's) that comes into play.

My proposal is to simply get rid of GetApiOp and replace its usage
in Syncope with search, using as key the External attribute name
defined in the mapping, rather than __UID__.

This should solve your issue (and others) at a glance, as Users
will be looked up by uid, Groups by cn and Realms by ou (if your
Mappings were set in these ways).

Not sure if this clarifies, but I will make some work around such
concepts hopefully soon.
Regards.

[0]

https://oss.sonatype.org/content/repositories/snapshots/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ldap/1.5.2-SNAPSHOT/net.tirasa.connid.bundles.ldap-1.5.2-20170607.094522-5.jar
[1]

h

Re: DefaultLogicActions and pull

2017-08-01 Thread Francesco Chicchiriccò

On 01/08/2017 16:07, Mikael Ekblom wrote:


Hi,

I have tried to move some related logic for the whole realm to the 
DefaultLogicActions-implementation within our Syncope. Now though I 
can see that during the pull and the subsequent creation of the users, 
the defaultlogicaction beforeCreate, afterCreate etc. will never be 
triggered during actual pull and the subsequent creation. Updates 
after the pull (if a field changes) do trigger the suitable functions 
(beforeUpdate, afterupdate etc. ).


The action is specified for the realm, where I put the users during 
the pull. No error messages or anything indicating a serious problem.


Am I missing something or should it just not be possible to do? I 
think the sync process should generate a create request towards the 
core at some point even if you pull the information from an external 
source?




Hi Mikael,
LogicActions are triggered when the Logic layer is involved, e.g. during 
REST calls.


https://syncope.apache.org/docs/reference-guide.html#overview

If you need to perform custom tasks during pull, use PullActions.

HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Syncope to Database

2017-08-01 Thread Francesco Chicchiriccò

On 01/08/2017 15:59, Dino Mifsud wrote:
Thanks for your reply..but does the Search script need to return all 
records at once or the SearchScript is executed every time for each 
entry in the Syncope users?


Of course not: the search script should return only the records matching 
the passed query: see


https://github.com/apache/syncope/blob/2_0_X/fit/core-reference/src/test/resources/rest/SearchScript.groovy#L76-L93

for example: it's Scripted REST (not Scripted SQL), but the concept is 
the same.


Regards.

On 01 Aug 2017, at 1:57 PM, Francesco Chicchiriccò 
<ilgro...@apache.org> wrote:


On 01/08/2017 13:42, Dino Mifsud wrote:

Hi
I am trying to sync users from Syncope to a backend DB using 
scriptedsql connector.
The users are being created (in the tables) but a subsequent call 
creates again the users duplicating them. Also I am getting this 
error in the Search script which I cannot solve. See stack trace below.

Can you help me please? Much appreciated.


Hi Dino,
glad to see that you are progressing.

The error below (and also the duplication of entries that you 
observe) derives from an incomplete / erroneous implementation of the 
search script: you must ensure that:


1. the search script effectively finds the item it was requested to 
(if such an item effectively exists in the external database): look 
in the core-connid.log right before the second, unwanted, create()


2. the search script returns all the attributes it was asked for by 
Syncope: you should find, prior to the error message below, in 
core-connid.log something like


13:41:25.136 DEBUG Enter: search(ObjectClass: __ACCOUNT__, EQUALS: 
Attribute: {Name=fullname, Value=[17b7da3asyncope...@apache.org]}, 
org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy$2@6afd8683, 
OperationOptions: 
{ATTRS_TO_GET:[__NAME__,fullname,__UID__,__ENABLE__]})Method: search


in this case, Syncope is asking for 
[__NAME__,fullname,__UID__,__ENABLE__] to be available in the 
results: if not all attributes are included, you receive the "XXX was 
returned by the connector but failed to pass the framework filter. 
This seems like wrong implementation of the filter in the connector" 
error message.


HTH
Regards.


12:04:41.720 DEBUG Search script loadedMethod: executeQuery
12:04:41.720 DEBUG ObjectClass: __ACCOUNT__Method: executeQuery
12:04:41.720 INFO  Entering SEARCH Script**Method: run
12:04:41.722 INFO  GGOO SEARCH SCRIPT..Method: run
12:04:41.722 DEBUG Search okMethod: executeQuery
12:04:41.722 DEBUG Enter: {Uid=Attribute: {Name=__UID__, 
Value=[17e4c35c-383f-1035-9abe-d7b00eb73b03]}, 
ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: 
{Name=uid, Value=[administrator]}, Attribute: {Name=__NAME__, 
Value=[administrator]}, Attribute: {Name=cn, Value=[administrator]}, 
Attribute: {Name=__UID__, 
Value=[17e4c35c-383f-1035-9abe-d7b00eb73b03]}], Name=Attribute: 
{Name=__NAME__, Value=[administrator]}}Method: handle

12:04:41.722 DEBUG Exception:Method: handle
java.lang.IllegalStateException: Object {Uid=Attribute: 
{Name=__UID__, Value=[17e4c35c-383f-1035-9abe-d7b00eb73b03]}, 
ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: 
{Name=__NAME__, Value=[administrator]}, Attribute: {Name=__UID__, 
Value=[17e4c35c-383f-1035-9abe-d7b00eb73b03]}], Name=Attribute: 
{Name=__NAME__, Value=[administrator]}} was returned by the 
connector but failed to pass the framework filter. This seems like 
wrong implementation of the filter in the connector.
at 
org.identityconnectors.framework.impl.api.local.operations.FilteredResultsHandler.handle(FilteredResultsHandler.java:82) 
~[connector-framework-internal-1.4.2.0.jar:?]
at 
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$AttributesToGetSearchResultsHandler.handle(SearchImpl.java:278) 
~[connector-framework-internal-1.4.2.0.jar:?]
at 
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1.handle(SearchImpl.java:142) 
~[connector-framework-internal-1.4.2.0.jar:?]
at 
org.identityconnectors.framework.impl.api.SearchResultsHandlerLoggingProxy.handle(SearchResultsHandlerLoggingProxy.java:64) 
~[connector-framework-internal-1.4.2.0.jar:?]
at 
net.tirasa.connid.bundles.db.scriptedsql.ScriptedSQLConnector.processResults(ScriptedSQLConnector.java:586) 
~[?:?]
at 
net.tirasa.connid.bundles.db.scriptedsql.ScriptedSQLConnector.executeQuery(ScriptedSQLConnector.java:403) 
~[?:?]
at 
net.tirasa.connid.bundles.db.scriptedsql.ScriptedSQLConnector.executeQuery(ScriptedSQLConnector.java:61) 
~[?:?]
at 
org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:193) 
~[connector-framework-internal-1.4.2.0.jar:?]
at 
org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:130) 
~[connector-framework-internal-1.4.2.0.jar:?]

at sun.reflect.GeneratedMethodAcces
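
An added diagnostic sketch (not part of the original messages, and not ConnId or Syncope code): it parses a core-connid.log search() entry and a returned-object line in the format quoted above, then reports which requested attributes the search script left out and whether the object satisfies the EQUALS filter. The sample log lines are constructed, the function names are hypothetical, and the check is a simplified model of the two conditions listed in the reply, not the framework's actual filter implementation.

```python
import re

# One "Attribute: {Name=..., Value=[...]}" item as printed in core-connid.log.
ATTR_RE = re.compile(r"Attribute: \{Name=([^,]+), Value=\[([^\]]*)\]\}")

# Constructed sample lines in the log format quoted in the thread (values made up).
SEARCH_LINE = (
    "13:41:25.136 DEBUG Enter: search(ObjectClass: __ACCOUNT__, EQUALS: "
    "Attribute: {Name=fullname, Value=[jdoe@example.org]}, "
    "org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy$2@6afd8683, "
    "OperationOptions: {ATTRS_TO_GET:[__NAME__,fullname,__UID__,__ENABLE__]})"
    "Method: search"
)
INCOMPLETE_RESULT = (
    "13:41:25.140 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[42]}, "
    "ObjectClass=ObjectClass: __ACCOUNT__, Attributes=["
    "Attribute: {Name=uid, Value=[jdoe]}, Attribute: {Name=__NAME__, Value=[jdoe]}, "
    "Attribute: {Name=cn, Value=[jdoe]}, Attribute: {Name=__UID__, Value=[42]}], "
    "Name=Attribute: {Name=__NAME__, Value=[jdoe]}}Method: handle"
)
COMPLETE_RESULT = (
    "13:41:25.140 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[42]}, "
    "ObjectClass=ObjectClass: __ACCOUNT__, Attributes=["
    "Attribute: {Name=__NAME__, Value=[jdoe]}, "
    "Attribute: {Name=fullname, Value=[jdoe@example.org]}, "
    "Attribute: {Name=__ENABLE__, Value=[true]}, "
    "Attribute: {Name=__UID__, Value=[42]}], "
    "Name=Attribute: {Name=__NAME__, Value=[jdoe]}}Method: handle"
)


def parse_search_request(line):
    """Extract the EQUALS filter and ATTRS_TO_GET from a search() entry line."""
    flt = re.search(r"EQUALS: " + ATTR_RE.pattern, line)
    attrs = re.search(r"ATTRS_TO_GET:\[([^\]]*)\]", line)
    if not flt or not attrs:
        raise ValueError("not a search() entry with an EQUALS filter and ATTRS_TO_GET")
    return {
        "filter_name": flt.group(1).strip(),
        "filter_value": flt.group(2).strip(),
        "attrs_to_get": [a.strip() for a in attrs.group(1).split(",") if a.strip()],
    }


def parse_returned_object(line):
    """Return {lower-cased attribute name: [values]} for a logged connector object."""
    block = re.search(r"Attributes=\[(.*)\], Name=Attribute:", line)
    if not block:
        raise ValueError("not a returned-object line")
    return {
        name.strip().lower(): [v.strip() for v in value.split(",")]
        for name, value in ATTR_RE.findall(block.group(1))
    }


def diagnose(search_line, result_line):
    """Compare what Syncope asked for with what the search script returned."""
    request = parse_search_request(search_line)
    returned = parse_returned_object(result_line)
    # Attribute names are compared case-insensitively (assumption of this sketch).
    missing = [a for a in request["attrs_to_get"] if a.lower() not in returned]
    filter_values = returned.get(request["filter_name"].lower(), [])
    return {
        "missing": missing,
        "filter_matches": request["filter_value"] in filter_values,
    }


if __name__ == "__main__":
    for label, line in (("incomplete", INCOMPLETE_RESULT), ("complete", COMPLETE_RESULT)):
        report = diagnose(SEARCH_LINE, line)
        print(label, "missing:", report["missing"],
              "filter matches:", report["filter_matches"])
```
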

Re: Configuration of LDAP Identity Store

2017-08-01 Thread Francesco Chicchiriccò

On 28/07/2017 09:15, Böhmer, Martin wrote:


Hi Francesco,

What you propose sounds good to me from my external view not being 
able to follow all the technical details.


Looking forward to the implemented solution.



FYI: https://issues.apache.org/jira/browse/SYNCOPE-1182

The implementation is now available with latest 2.0.5-SNAPSHOT (which 
should be available within hours).


Regards.


*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Thursday, 27 July 2017 12:34
*To:* user@syncope.apache.org
*Subject:* Re: Configuration of LDAP Identity Store

Hi Martin and Andrea,
sorry if I come late to the party.

First of all, I confirm that Andrea's approach is the correct one, at 
this moment: the way LDAPMembershipsPropagationActions is 
architected requires that the same Resource is used for both Users and 
Groups, and the configuration available in the test data for ApacheDS 
works as long as uid and cn contain exactly the same value.
Hence, the suggestion to try out the LDAP connector 1.5.2-SNAPSHOT 
(which can be downloaded from [0]) is the most logical, currently.


The issue originally described below is somehow related to some 
thoughts I am elaborating about the usage that Syncope makes of ConnId 
APIs, and I believe there is room for improvement.

I plan to write down a full proposal, but here's the raw idea.

For several operations, but in particular *before* and *after* 
executing a Propagation Task, Syncope queries the External Resource to 
see if a matching item is found, and it does that via ConnId's 
GetApiOp [1].
Such operation is implemented at Framework level, e.g. before reaching 
out to any effective Connector, via a plain search [2] where the key is 
the special __UID__ attribute and the value is the one passed as 
argument, along with ObjectClass.


Using GetApiOp used to make complete sense in the old days of ConnId 
1.3 and Syncope 1.1, when the Mapping Item identified as "AccountId" 
(now Remote Key) was forced to blank the external attribute name (see 
[3]): in such cases, in fact, __UID__ was used as external attribute.


ConnId 1.4 slightly changed the way the __UID__ attribute is 
managed: as a result, since Syncope 1.2, it is mandatory to specify an 
external attribute name for the Remote Key (see [4] in Syncope 2.0).


To give an idea, the sample from [3] would result in querying the 
External Resource for "__UID__ == 'ilgrosso'", while the sample from 
[4] *should* result in "uid == 'ilgrosso'" but will instead produce 
the same query as in the past.


The problem here is that what __UID__ actually means is left to any 
Connector's implementation: LDAP configures that via the UidAttribute 
property (and GidAttribute in 1.5.2-SNAPSHOT), AD does something 
similar, others do differently.


What I see here is that on one side the Remote Key is defined in 
Syncope at high level (e.g. as part of the Resource configuration, in 
the Mapping), while the raw __UID__ is still used under the hood in 
some cases (before executing a Propagation Task, as said above, for 
example), hence it is the low level configuration (not Resource's but 
Connector's) that comes into play.


My proposal is to simply get rid of GetApiOp and replace its usage in 
Syncope with search, using as key the External attribute name defined 
in the mapping, rather than __UID__.


This should solve your issue (and others) at a glance, as Users will 
be looked up by uid, Groups by cn and Realms by ou (if your Mappings 
were set in these ways).


Not sure if this clarifies, but I will make some work around such 
concepts hopefully soon.

Regards.

[0] 
https://oss.sonatype.org/content/repositories/snapshots/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ldap/1.5.2-SNAPSHOT/net.tirasa.connid.bundles.ldap-1.5.2-20170607.094522-5.jar
[1] 
https://github.com/Tirasa/ConnId/blob/master/java/connector-framework/src/main/java/org/identityconnectors/framework/api/operations/GetApiOp.java
[2] 
https://github.com/Tirasa/ConnId/blob/master/java/connector-framework-internal/src/main/java/org/identityconnectors/framework/impl/api/local/operations/GetImpl.java

[3] https://pasteboard.co/GCRf497.png
[4] https://pasteboard.co/GCRixXp.png

On 25/07/2017 14:12, Böhmer, Martin wrote:

Hi Andrea,

Your proposed solutions are greatly appreciated. Here are my comments:

1. I created a JIRA account to file an improvement request.
Unfortunately, I seem to lack the right to create an improvement
for the “LDAP bundle” component. The only components I can create
issues for are COMMONS, REST & OFFICE365. Am I doing something wrong?

2. I am not sure if I understood you correctly. Are you saying there
is no chance LDAPMembershipPropagationAction will work out of the
box? Or that you aren’t sure if it will work and it would be
worth setting this up and trying it out? If it’s the second case, I
would try it you.

Regards,

M

Re: Syncope to Database

2017-08-01 Thread Francesco Chicchiriccò
?:1.8.0_91]
at 
org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
 ~[connector-framework-internal-1.4.2.0.jar:?]
at com.sun.proxy.$Proxy256.search(Unknown Source) ~[?:?]
at 
org.identityconnectors.framework.impl.api.local.operations.GetImpl.getObject(GetImpl.java:67)
 ~[connector-framework-internal-1.4.2.0.jar:?]
at sun.reflect.GeneratedMethodAccessor199.invoke(Unknown Source) ~[?:?]
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 ~[?:1.8.0_91]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_91]
at 
org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
 ~[connector-framework-internal-1.4.2.0.jar:?]
at com.sun.proxy.$Proxy263.getObject(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor199.invoke(Unknown Source) ~[?:?]
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 ~[?:1.8.0_91]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_91]
at 
org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99)
 ~[connector-framework-internal-1.4.2.0.jar:?]
at com.sun.proxy.$Proxy263.getObject(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor199.invoke(Unknown Source) ~[?:?]
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 ~[?:1.8.0_91]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_91]
at 
org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:83)
 ~[connector-framework-internal-1.4.2.0.jar:?]
at com.sun.proxy.$Proxy263.getObject(Unknown Source) ~[?:?]
at 
org.identityconnectors.framework.impl.api.AbstractConnectorFacade.getObject(AbstractConnectorFacade.java:261)
 ~[connector-framework-internal-1.4.2.0.jar:?]
at 
org.apache.syncope.core.provisioning.java.AsyncConnectorFacade.getObject(AsyncConnectorFacade.java:104)
 ~[syncope-core-provisioning-java-2.0.4.jar:2.0.4]
at 
org.apache.syncope.core.provisioning.java.AsyncConnectorFacade$$FastClassBySpringCGLIB$$886ae36a.invoke()
 ~[syncope-core-provisioning-java-2.0.4.jar:2.0.4]
at 
org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) 
~[spring-core-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738)
 ~[spring-aop-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
 ~[spring-aop-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at 
org.springframework.aop.interceptor.AsyncExecutionInterceptor$1.call(AsyncExecutionInterceptor.java:115)
 ~[spring-aop-4.3.9.RELEASE.jar:4.3.9.RELEASE]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) 
~[?:1.8.0_91]
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 
[?:1.8.0_91]
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 
[?:1.8.0_91]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_91]
Caused by: java.lang.IllegalStateException: Object {Uid=Attribute: 
{Name=__UID__, Value=[17e4c35c-383f-1035-9abe-d7b00eb73b03]}, 
ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=__NAME__, 
Value=[administrator]}, Attribute: {Name=__UID__, 
Value=[17e4c35c-383f-1035-9abe-d7b00eb73b03]}], Name=Attribute: {Name=__NAME__, 
Value=[administrator]}} was returned by the connector but failed to pass the 
framework filter. This seems like wrong implementation of the filter in the 
connector.
at 
org.identityconnectors.framework.impl.api.local.operations.FilteredResultsHandler.handle(FilteredResultsHandler.java:82)
 ~[connector-framework-internal-1.4.2.0.jar:?]
at 
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$AttributesToGetSearchResultsHandler.handle(SearchImpl.java:278)
 ~[connector-framework-internal-1.4.2.0.jar:?]
at 
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1.handle(SearchImpl.java:142)
 ~[connector-framework-internal-1.4.2.0.jar:?]
at 
org.identityconnectors.framework.impl.api.SearchResultsHandlerLoggingProxy.handle(SearchResultsHandlerLoggingProxy.java:64)
 ~[connector-framework-internal-1.4.2.0.jar:?]
at 
net.tirasa.connid.bundles.db.scriptedsql.ScriptedSQLConnector.processResults(ScriptedSQLConnector.java:586)
 ~[?:?]
at 
net.tirasa.connid.bundles.db.scriptedsql.ScriptedSQLConnector.executeQuery(ScriptedSQLConnector.java:403)
 ~[?:?]
... 35 more


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, Pon

Re: Notification page crashes in Console UI after e-mail config

2017-07-31 Thread Francesco Chicchiriccò

Hi Martin,
FYI the mail debugging feature is now fully enabled in 2.0.5-SNAPSHOT, 
and the upgraded documentation


https://ci.apache.org/projects/syncope/2_0_X/reference-guide.html#e-mail-configuration

now features a couple of working samples.

Please note that with 2.0.4, while making STARTTLS work is possible (but 
not trivial), mail debugging is not.


Regards.

On 28/07/2017 15:12, Böhmer, Martin wrote:


Hi Francesco,

Thanks for your feedback. I created an issue as requested:

https://issues.apache.org/jira/browse/SYNCOPE-1180

Regarding the documentation, I am still missing the information that I 
would like to see in there. So I am kinda unable to contribute.


Regards,

Martin

*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Thursday, 27 July 2017 11:16
*To:* user@syncope.apache.org
*Subject:* Re: AW: Notification page crashes in Console UI after 
e-mail config


On 21/07/2017 11:23, Böhmer, Martin wrote:

Hi Francesco,

I finally had the chance to give Syncope 2.0.4 a try on a fresh
machine as you suggested. Good news: I do not have any issues with
the notification page any more.


That's great to hear :-)


However, notifications are not working due to the email
configuration. I found the documentation in the reference guide
lacks important details.

https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration

1. The reference guide only names the properties. This is fine for
user, host, etc., but the protocol needs some explanation. If you
have never worked with JavaMail, you’re lost. It would be really
helpful to have a link from the Syncope mail properties to the
JavaMail properties (if this link exists). Or just give examples
for SMTP with STARTSSL (there is no flag for enabling StartSSL!?)
and SMTPS scenarios.


Feel free to open a PR for improving the docs; in particular

https://github.com/apache/syncope/blob/2_0_X/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/emailconfiguration.adoc

If you would like to go along this way, please first take a look at

http://syncope.apache.org/contributing.html

and send an ICLA as specified, thanks!


2. Where to find the promised debug output when mailDebug is set to
true? I restarted tomcat and created a notification task. There is
no info on “handshake, authentication, delivery and disconnection”
in catalina.out or core.log or console.log


This would need some investigation: would you mind opening an issue on 
JIRA? Thanks.


Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Syncing to database

2017-07-28 Thread Francesco Chicchiriccò

On 28/07/2017 10:26, Dino Mifsud wrote:

Hi
I have a scenario where I need to sync users from Syncope to database. The 
users in the database are not stored in one table so the mapping is not that 
straightforward. Is there a way in Syncope to use custom SQL scripts (not 
Groovy) to meet such requirements please?


If the users in the external database are not stored in a single table, 
you cannot unfortunately use the DatabaseTable connector, which is 
simpler and does not require any script.


The only option left is the Scripted SQL connector; template Groovy 
scripts are provided in


https://github.com/apache/syncope/tree/2_0_X/fit/core-reference/src/test/resources/scriptedsql

...or you might want to write down your own connector but, believe me, 
it is way harder than customizing some Groovy scripts.


HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Configuration of LDAP Identity Store

2017-07-27 Thread Francesco Chicchiriccò
strange when creating a user in Syncope. On the result
screen of the user creation, the remote key is correctly
displayed. When I close that screen and open the “Manage
resources” dialog for that user, the remote key is gone
and thus propagation of updates to LDAP fails.

Any hints would be greatly appreciated!

Regards,

Martin

I’m using *_OpenLDAP_*. The tree looks like this

dc=example,dc=com
  - ou=people
      - uid=johndoe
      - …
  - ou=groups
      - cn=testgroup

Here is the configuration of the *_LDAP connector_*
(properties not listed were not touched = default value)

Bundle: *net.tirasa.connid.bundles.ldap*
Host: *localhost*
TCP Port: 389
Principal: *cn=syncope,dc=exmaple,dc=com*
Password: */**/*
Base Contexts: *dc=exmaple,dc=com*
Password Attribute: userPassword
Account Object Classes: top, person, organizationalPerson, inetOrgPerson
Account User Name Attributes: uid, cn
Group Object Classes: top, groupOfuniqueNames
Group Name Attributes: cn
Group Member Attribute: uniqueMember
Maintain LDAP Group Membership: (check mark)
Password Hash Algorithm: *SSHA*
VLV Sort Attribute: *uid*
Uid Attribute: *entryUUID*
Read Schema: (check mark)
Base Contexts to Synchronize: (empty)
Object Classes to Synchronize: *inetOrgPerson, groupOfUniqueNames*
Attributes to Synchronize: (empty)
Remove Log Entry Object Class from Filter: (check mark)
Enable Password Synchronization: (error)
Status management class: *net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement*
Capabilities: */(all selected)/*

And this is the configuration of my *_LDAP resource_*:

Propagation Actions: *LDAPPAsswordPropagationAction*, *LDAPMembershipPropagationAction*
Override Capabilities?: (error)
Account Policy: /(none)/
Password Policy: /(none)/
Pull Policy: /(none)/

Finally, the *_mapping configuration_*

Type: /User/
Object Class: /__ACCOUNT__/
Mapping username: /Int: username, ext: uid, Remote key: yes/
Mapping email: /Int: email, Ext: mail/
Mapping password: /Int: password, Ext: userPassword, Password: yes/
Object Link: /‘uid=’ + username + ‘,ou=people,dc=example,dc=com’/


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Pull users from LDAP

2017-07-27 Thread Francesco Chicchiriccò

On 25/07/2017 00:48, justin.isenhour wrote:

Sasha,

I'm curious, were you able to resolve this issue?  I am facing a similar
issue myself.  For me the first time I run a pull task it works fine but then
fails because I have a mapping issue (not really related to this) but then
after that every time I try to run the pull task again I get this message
"org.identityconnectors.framework.common.exceptions.ConnectorException:
Operation Not Supported. Bad cookie".  If I recycle the JVM I can run it
again.  Can you provide any direction or insight into this?


Hi Justin,
it seems you are experiencing problems with the ConnId pagination APIs, 
introduced by


https://connid.atlassian.net/browse/BASE-14

and supported by the LDAP Connector Bundle with

https://connid.atlassian.net/browse/LDAP-16

Which LDAP server implementation are you using? Would you mind sharing 
your Connector and Resource configurations?


Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: AW: Password Reset Token Generation Not Working After Upgrading to 2.0.4

2017-07-27 Thread Francesco Chicchiriccò

Hi Martin and Justin,
would any of you open an issue for such a problem? Thanks.

Regards.

On 22/07/2017 00:15, Böhmer, Martin wrote:

I can confirm that something seems to go wrong when generating the token as it 
contains Asian characters and is way longer than expected.

I submitted a "forgot password" request via the enduser UI. This is the link it 
wants me to open to reset the password:


Regards,

Martin

-Original Message-
From: justin.isenhour [mailto:justin.isenh...@compass-usa.com]
Sent: Friday, 21 July 2017 22:27
To: user@syncope.apache.org
Subject: Password Reset Token Generation Not Working After Upgrading to 2.0.4

When I make a REST call to the User Self confirmPasswordReset API for a user I 
am getting a JPA persistence error.  It seems that it is not able to save the 
User object because of the token value, see value below.  I just recently 
upgraded to 2.0.4, prior to the upgrade this was working.  Anyone have any ideas 
on the issue and what we need to do to resolve it?


*JPA Exception:*
Caused by: org.apache.openjpa.persistence.PersistenceException: Incorrect 
string value: '\xF0\xA2\xA8\xAC\xEA\x92...' for column 'token' at row 1 
{prepstmnt 1197754412 UPDATE SyncopeUser SET lastChangeDate = ?, lastModifier = 
?, token = ?, tokenExpireTime = ? WHERE id = ?} [code=1366, state=HY000]

*Generate Token Value:*


Thanks,
Justin Isenhour


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: AW: Notification page crashes in Console UI after e-mail config

2017-07-27 Thread Francesco Chicchiriccò

On 21/07/2017 11:23, Böhmer, Martin wrote:


Hi Francesco,

I finally had the chance to give Syncope 2.0.4 a try on a fresh 
machine as you suggested. Good news: I do not have any issues with the 
notification page any more.




That's great to hear :-)

However, notifications are not working due to the email configuration. 
I found the documentation in the reference guide lacks important 
details.


https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration

1. The reference guide only names the properties. This is fine for 
user, host, etc., but the protocol needs some explanation. If you have 
never worked with JavaMail, you’re lost. It would be really helpful to 
have a link from the Syncope mail properties to the JavaMail 
properties (if this link exists). Or just give examples for SMTP with 
STARTSSL (there is no flag for enabling StartSSL!?) and SMTPS scenarios.




Feel free to open a PR for improving the docs; in particular

https://github.com/apache/syncope/blob/2_0_X/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/emailconfiguration.adoc

If you would like to go along this way, please first take a look at

http://syncope.apache.org/contributing.html

and send an ICLA as specified, thanks!

2. Where to find the promised debug output when mailDebug is set to 
true? I restarted tomcat and created a notification task. There is no 
info on “handshake, authentication, delivery and disconnection” in 
catalina.out or core.log or console.log




This would need some investigation: would you mind opening an issue on 
JIRA? Thanks.


Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: [ANN] Apache Syncope 2.0.4

2017-07-17 Thread Francesco Chicchiriccò
ser_id LEFT OUTER
JOIN AccountPolicy t2 ON t1.ACCOUNTPOLICY_ID = t2.id LEFT OUTER JOIN
Realm t3 ON t1.PARENT_ID = t3.id LEFT OUTER JOIN PasswordPolicy t4 ON
t1.PASSWORDPOLICY_ID = t4.id LEFT OUTER JOIN ExternalResource t7 ON
t6.resource_id = t7.id LEFT OUTER JOIN AccountPolicy t8 ON
t7.ACCOUNTPOLICY_ID = t8.id LEFT OUTER JOIN ConnInstance t9 ON
t7.CONNECTOR_ID = t9.id LEFT OUTER JOIN PasswordPolicy t10 ON
t7.PASSWORDPOLICY_ID = t10.id LEFT OUTER JOIN PullPolicy t11 ON
t7.PULLPOLICY_ID = t11.id
WHERE t0.id = ?
ORDER BY t6.user_id ASC
[params=(String) ]
39291  Master  TRACE  [main] openjpa.jdbc.SQL - 980801953> [5 ms] spent
39382  Master  TRACE  [main] openjpa.Runtime - Found datasource1: 
datasource 41260873 from configuration. StoreContext: 
org.apache.openjpa.kernel.BrokerImpl@261c5d1f
39382  Master  TRACE  [main] openjpa.Runtime - 
org.apache.openjpa.persistence.EntityManagerFactoryImpl@fbe70d8 created 
EntityManager 
org.apache.openjpa.persistence.EntityManagerImpl@261c5d1f.
39382  Master  TRACE  [main] openjpa.DataCache - Cache hit while 
looking up key "USER".
39382  Master  TRACE  [main] openjpa.DataCache - Cache hit while 
looking up key "BaseUser".
39382  Master  TRACE  [main] openjpa.DataCache - Cache hit while 
looking up key "email".
39382  Master  TRACE  [main] openjpa.DataCache - Cache hit while 
looking up key "USER".
39382  Master  TRACE  [main] openjpa.jdbc.SQLDiag - load: class 
org.apache.syncope.core.persistence.jpa.entity.JPAAnyType oid: USER
39382  Master  TRACE  [main] openjpa.jdbc.SQLDiag - Eager relations: 
[org.apache.syncope.core.persistence.jpa.entity.JPAAnyType.classes]
39382  Master  TRACE  [main] openjpa.jdbc.SQL - 716294057> executing prepstmnt 1084093309

SELECT t0.kind, t1.anyType_id, t2.id
FROM AnyType t0 LEFT OUTER JOIN AnyType_AnyTypeClass t1 ON t0.id =
t1.anyType_id LEFT OUTER JOIN AnyTypeClass t2 ON t1.anyTypeClass_id =
t2.id
WHERE t0.id = ?
ORDER BY t1.anyType_id ASC
[params=(String) USER]
39382  Master  TRACE  [main] openjpa.jdbc.SQL - 716294057> [0 ms] spent
39382  Master  TRACE  [main] openjpa.jdbc.SQLDiag - Loading eager 
toMany: classes for 
org.apache.syncope.core.persistence.jpa.entity.JPAAnyType
39382  Master  TRACE  [main] openjpa.jdbc.JDBC - 716294057> [0 ms] close
39382  Master  TRACE  [main] openjpa.DataCache - Cache hit while 
looking up key "USER".
39382  Master  TRACE  [main] openjpa.Runtime - 
org.apache.openjpa.persistence.EntityManagerImpl@261c5d1f.close() 
invoked.
11:41:26.337 [HikariPool-1 housekeeper] DEBUG 
com.zaxxer.hikari.pool.HikariPool - HikariPool-1 - Pool stats 
(total=11, active=1, idle=10, waiting=0)
11:41:56.339 [HikariPool-1 housekeeper] DEBUG 
com.zaxxer.hikari.pool.HikariPool - HikariPool-1 - Pool stats 
(total=11, active=1, idle=10, waiting=0)



referenced library :

refer attachment



On 14 Jul 2017 at 8:44 PM, "Changseok Keum" <keum...@gmail.com> wrote:


Of course, I will send codes and logs after weekend.

Thanks a lot.

On 14 Jul 2017 at 8:31 PM, "Francesco Chicchiriccò" <ilgro...@apache.org> wrote:

On 14/07/2017 13:23, Changseok Keum wrote:

Hi,

I recently updated the syncope version to 2.0.4 released
with views.xml and indexes.xml referenced by guide.


As testing, EntityManager.merge() not doing anything, no
error log when userDAO.save() called with parameterized
user added with some plainAttributes. (without
plainAttributes, there is no problem.)

The same codes works well before the version 2.0.3.
I think I did something wrong with updating, but I can not
proceed with debugging inside EntityManager merge function
so it is hard to find the reason.

Could you please give me some advice to solve this situations?


Hi,
can you share your code? Or some logs?

Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

2017-07-14 Thread Francesco Chicchiriccò

On 14/07/2017 16:17, justin.isenhour wrote:

Francesco,

I was finally able to upgrade Syncope to v2.0.4 and now the synchronization
of mustChangePassword is working as expected.  Thanks for your help with
this issue.


Glad to hear that :-)
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: [ANN] Apache Syncope 2.0.4

2017-07-14 Thread Francesco Chicchiriccò

On 14/07/2017 13:23, Changseok Keum wrote:

Hi,

I recently updated the syncope version to 2.0.4 released with 
views.xml and indexes.xml referenced by guide.



As testing, EntityManager.merge() not doing anything, no error log 
when userDAO.save() called with parameterized user added with some 
plainAttributes. (without plainAttributes, there is no problem.)


The same codes works well before the version 2.0.3.
I think I did something wrong with updating, but I can not proceed 
with debugging inside EntityManager merge function so it is hard to 
find the reason.


Could you please give me some advice to solve this situations?


Hi,
can you share your code? Or some logs?

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 2.0.4

2017-07-06 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.0.4.

Apache Syncope is an Open Source system for managing digital identities
in enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
http://syncope.apache.org/downloads.html

The full change log is available here:
https://s.apache.org/syncope204

We welcome your help and feedback. For more information on how to report
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: Notification page crashes in Console UI after e-mail config

2017-07-05 Thread Francesco Chicchiriccò

Hi Martin,
thanks for your willingness to contribute.

PostgreSQL is my personal (and my company's) preferred choice for our 
customers, when deploying Apache Syncope.
With such configuration, we are running Syncope in production in several 
environments (most of them are Debian / Ubuntu, but also RedHat / CentOS).


Moreover, there is a work-in-progress about Syncope on Docker, currently 
based on DEB distribution and Syncope 2.0.2 at


https://github.com/andrea-patricelli/syncope-docker/tree/2_0_X

All that to say that the problem you are experiencing is definitely not 
something that should depend on the product itself but rather somehow on 
your environment / configuration.


I have only found the following reference in Syncope:

https://issues.apache.org/jira/browse/SYNCOPE-606

where the problem was that the DataSource was manually enabled in 
/etc/tomcat7/Catalina/localhost/syncope.xml 
(/etc/tomcat8/Catalina/localhost/syncope.xml in your case).


Would you mind to try again in a fresh Debian / Ubuntu box (VM or Docker 
image is just fine) by following the steps in


http://syncope.apache.org/docs/getting-started.html#debian-packages

and nothing more? I've just been through it and everything worked 
flawlessly.


Regards.

On 04/07/2017 22:19, Böhmer, Martin wrote:


Hi Francesco,

I downloaded & installed the latest JDBC 4.2 driver (as I am running 
Oracle Java 8). Unfortunately the problem stays exactly the same.


Here are some ideas from my side. They are just educated guesses and 
may lead the wrong way as I am unable to further validate them due to 
my lack of knowledge about Syncope’s implementation.


1. Quartz Scheduler configuration issue 
(org.quartz.jobStore.dontSetAutoCommitFalse)

http://www.quartz-scheduler.org/documentation/quartz-2.2.x/configuration/ConfigJobStoreTX.html

2. Issue with Spring Batch and Postgres transactions
https://stackoverflow.com/questions/32113132/jdbc-auto-commit-not-working-with-postgresql-9-driver

Best regards,

Martin

*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Tuesday, 4 July 2017 12:01
*To:* user@syncope.apache.org
*Subject:* Re: Notification page crashes in Console UI after e-mail config

On 04/07/2017 10:33, Böhmer, Martin wrote:

Hi Francesco,

sorry to hear that.

PostgreSQL (provided by Ubuntu repos): 9.5+173

JDBC (shipped with PostgreSQL): postgresql-jdbc4-9.2.jar


This JDBC Driver is way too old for PostgreSQL 9.5; please download 
the latest 42.1.1 for JDBC 4.1 (if using JDK 7) or for JDBC 4.2 (if 
using JDK 8) from


https://jdbc.postgresql.org/download.html

Regards.


*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Friday, 30 June 2017 16:50
*To:* user@syncope.apache.org
*Subject:* Re: AW: Notification page crashes in Console UI after
e-mail config

Hi Martin,
I went through your logs and cannot guess much.

Only questions coming to my mind are:

* PostgreSQL DB version?
* PostgreSQL JDBC JAR version?

Regards.

On 29/06/2017 11:17, Böhmer, Martin wrote:

clearing the logs was exactly what I did to provide the core
and console log attached to my previous email.

Anyway, I did as you suggested and included all the logs from
Tomcat and Syncope. Please find them attached (access to
Pastebin from our company network is blocked).

Best regards,

Martin

*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Thursday, 29 June 2017 09:10
*To:* user@syncope.apache.org
*Subject:* Re: Notification page crashes in Console UI after
e-mail config

Hi Martin,
see my replies below.

Regards.

On 28/06/2017 16:44, Böhmer, Martin wrote:

Hi,

I tried to activate the notification feature, but ran into
an error I am unable to tackle.

Here is what I did:

1. Adjusted mail.properties file according to our local
setup (i.e. changed the server name)

2. Via the Console UI I changed the parameter
“notificationjob.cronExpression” from empty string to: *
0/5 * * * ? *

3. Restarted Tomcat

4. Opened Notifications page in Console UI: Configuration
→ Notifications (in order to create a notification task to
check e-mail config)

At step 4 I was redirected to the login screen showing the
message “Error while contacting Syncope core”.

I attached the Core and Console log files. Root cause
seems to be:

org.apache.syncope.common.lib.SyncopeClientException:
DataIntegrityViolation [Cannot commit when autoCommit is
enabled.]

Did I do something wrong?


No, you didn't.
The Admin Co

Re: Notification page crashes in Console UI after e-mail config

2017-07-04 Thread Francesco Chicchiriccò

On 04/07/2017 10:33, Böhmer, Martin wrote:


Hi Francesco,

sorry to hear that.

PostgreSQL (provided by Ubuntu repos): 9.5+173

JDBC (shipped with PostgreSQL): postgresql-jdbc4-9.2.jar



This JDBC Driver is way too old for PostgreSQL 9.5; please download the 
latest 42.1.1 for JDBC 4.1 (if using JDK 7) or for JDBC 4.2 (if using 
JDK 8) from


https://jdbc.postgresql.org/download.html

Regards.


*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Friday, 30 June 2017 16:50
*To:* user@syncope.apache.org
*Subject:* Re: AW: Notification page crashes in Console UI after 
e-mail config


Hi Martin,
I went through your logs and cannot guess much.

Only questions coming to my mind are:

* PostgreSQL DB version?
* PostgreSQL JDBC JAR version?

Regards.

On 29/06/2017 11:17, Böhmer, Martin wrote:

clearing the logs was exactly what I did to provide the core and
console log attached to my previous email.

Anyway, I did as you suggested and included all the logs from
Tomcat and Syncope. Please find them attached (access to Pastebin
from our company network is blocked).

Best regards,

Martin

*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Thursday, 29 June 2017 09:10
*To:* user@syncope.apache.org
*Subject:* Re: Notification page crashes in Console UI after
e-mail config

Hi Martin,
see my replies below.

Regards.

On 28/06/2017 16:44, Böhmer, Martin wrote:

Hi,

I tried to activate the notification feature, but ran into an
error I am unable to tackle.

Here is what I did:

1. Adjusted mail.properties file according to our local setup
(i.e. changed the server name)

2. Via the Console UI I changed the parameter
“notificationjob.cronExpression” from empty string to: * 0/5 *
* * ? *

3. Restarted Tomcat

4. Opened Notifications page in Console UI: Configuration
→ Notifications (in order to create a notification task to
check e-mail config)

At step 4 I was redirected to the login screen showing the
message “Error while contacting Syncope core”.

I attached the Core and Console log files. Root cause seems to be:

org.apache.syncope.common.lib.SyncopeClientException:
DataIntegrityViolation [Cannot commit when autoCommit is enabled.]

Did I do something wrong?


No, you didn't.
The Admin Console's behavior is due to an unhandled exception
raised by the Core. Unfortunately, the message above does not help
in recognizing what could have happened.

Can you please stop Tomcat, clear all logs, replicate the problem
and paste all of your logs via pastebin or similar?



My setup is: Apache Syncope 2.0.3 Redhat distribution, JDK
1.8.0_131-b11 from Oracle, Tomcat  8.0.32-1ubuntu1, Ubuntu
16.04 LTS.


You might want to give a try to the latest 2.0.4-SNAPSHOT from:

*

https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-core/2.0.4-SNAPSHOT/
*

https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-console/2.0.4-SNAPSHOT/
*

https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-enduser/2.0.4-SNAPSHOT/


--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: AW: Notification page crashes in Console UI after e-mail config

2017-06-30 Thread Francesco Chicchiriccò

Hi Martin,
I went through your logs and cannot guess much.

Only questions coming to my mind are:

* PostgreSQL DB version?
* PostgreSQL JDBC JAR version?

Regards.

On 29/06/2017 11:17, Böhmer, Martin wrote:

Hi Francesco,

clearing the logs was exactly what I did to provide the core and 
console log attached to my previous email.


Anyway, I did as you suggested and included all the logs from Tomcat 
and Syncope. Please find them attached (access to Pastebin from our 
company network is blocked).


Best regards,

Martin

*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Thursday, 29 June 2017 09:10
*To:* user@syncope.apache.org
*Subject:* Re: Notification page crashes in Console UI after e-mail config

Hi Martin,
see my replies below.

Regards.

On 28/06/2017 16:44, Böhmer, Martin wrote:

Hi,

I tried to activate the notification feature, but ran into an
error I am unable to tackle.

Here is what I did:

1. Adjusted mail.properties file according to our local setup (i.e.
changed the server name)

2. Via the Console UI I changed the parameter
“notificationjob.cronExpression” from empty string to: * 0/5 * * * ? *

3. Restarted Tomcat

4. Opened Notifications page in Console UI: Configuration
→ Notifications (in order to create a notification task to check
e-mail config)

At step 4 I was redirected to the login screen showing the message
“Error while contacting Syncope core”.

I attached the Core and Console log files. Root cause seems to be:

org.apache.syncope.common.lib.SyncopeClientException:
DataIntegrityViolation [Cannot commit when autoCommit is enabled.]

Did I do something wrong?


No, you didn't.
The Admin Console's behavior is due to an unhandled exception raised by 
the Core. Unfortunately, the message above does not help in 
recognizing what could have happened.


Can you please stop Tomcat, clear all logs, replicate the problem and 
paste all of your logs via pastebin or similar?



My setup is: Apache Syncope 2.0.3 Redhat distribution, JDK
1.8.0_131-b11 from Oracle, Tomcat  8.0.32-1ubuntu1, Ubuntu 16.04 LTS.


You might want to give a try to the latest 2.0.4-SNAPSHOT from:

* 
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-core/2.0.4-SNAPSHOT/
* 
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-console/2.0.4-SNAPSHOT/
* 
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-enduser/2.0.4-SNAPSHOT/



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Notification page crashes in Console UI after e-mail config

2017-06-29 Thread Francesco Chicchiriccò

Hi Martin,
see my replies below.

Regards.

On 28/06/2017 16:44, Böhmer, Martin wrote:


Hi,

I tried to activate the notification feature, but ran into an error I 
am unable to tackle.


Here is what I did:

1. Adjusted mail.properties file according to our local setup (i.e. 
changed the server name)


2. Via the Console UI I changed the parameter 
“notificationjob.cronExpression” from empty string to: * 0/5 * * * ? *


3. Restarted Tomcat

4. Opened Notifications page in Console UI: Configuration 
→ Notifications (in order to create a notification task to check e-mail 
config)


At step 4 I was redirected to the login screen showing the message 
“Error while contacting Syncope core”.


I attached the Core and Console log files. Root cause seems to be:

org.apache.syncope.common.lib.SyncopeClientException: 
DataIntegrityViolation [Cannot commit when autoCommit is enabled.]


Did I do something wrong?



No, you didn't.
The Admin Console's behavior is due to an unhandled exception raised by 
the Core. Unfortunately, the message above does not help in recognizing 
what could have happened.


Can you please stop Tomcat, clear all logs, replicate the problem and 
paste all of your logs via pastebin or similar?


My setup is: Apache Syncope 2.0.3 Redhat distribution, JDK 
1.8.0_131-b11 from Oracle, Tomcat  8.0.32-1ubuntu1, Ubuntu 16.04 LTS.




You might want to give a try to the latest 2.0.4-SNAPSHOT from:

* 
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-core/2.0.4-SNAPSHOT/
* 
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-console/2.0.4-SNAPSHOT/
* 
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-deb-enduser/2.0.4-SNAPSHOT/


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: AW: Password not propagated when changed via enduser UI

2017-06-27 Thread Francesco Chicchiriccò

On 27/06/2017 09:19, Böhmer, Martin wrote:


Hi Francesco,

Thanks for your quick reply. Your remarks were very helpful to better 
understand Syncope.




Glad to hear that :-)

I am running the 2.0.3 release of the Syncope Debian distribution. 
OpenLDAP version is 2.4.42+dfsg-2ubuntu3.


Can you estimate when release 2.0.4 will be available? There was no 
date set in JIRA.




Syncope 2.0.4 is already full of fixes, improvements and new features:

https://issues.apache.org/jira/projects/SYNCOPE/versions/12340328

Still a few are standing (mainly bugfixes, others can be moved to 
2.0.5); moreover, CXF 3.1.12 (which we use as foundation of Syncope REST 
layer, and more) is currently under vote.


Given such elements, I would estimate next release 2.0.4 to be available 
in 2-3 weeks time.


Regards.


*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Monday, 26 June 2017 17:42
*To:* user@syncope.apache.org
*Subject:* Re: Password not propagated when changed via enduser UI

Hi Martin,
welcome to Apache Syncope.

Which version / distribution are you running?

See my replies embedded below.

Regards.

On 25/06/2017 18:48, Böhmer, Martin wrote:

Hi,

I have setup an LDAP connector and LDAP resource that successfully
propagates changes to users and groups when changes are performed
via the console UI. So, I am able to consistently create, update
and delete users and groups in Syncope and LDAP. When I set/change
a user’s password via the console UI, it gets propagated to LDAP
as expected by an UPDATE propagation task.

However, when I log into the enduser interface and change the
password, it gets updated in Syncope's internal database, but not
in LDAP. Inspecting the propagation tasks afterwards reveals that
the change in the enduser UI has created a DELETE action for some
strange reason.


I have replicated your case with 2.0.4-SNAPSHOT (by using the sample 
ApacheDS LDAP resource available) and opened


https://issues.apache.org/jira/browse/SYNCOPE-1125


As mentioned in the reference guide and earlier posts, I already
made sure Syncope’s property ‘password.cipher.algorithm’ is set to
the same algorithm as specified in the LDAP connector. Both are
set to ‘SSHA’. Console log and core log do not show any errors.


Aligning the cipher algorithms is only needed when pulling or pushing 
password values as binary objects, and this only occurs during pull or 
push task execution.


Setting password via Admin Console or Enduser UI instead does not 
require such alignment, as the cleartext value is passed along with 
the REST invocation.



What am I doing wrong? What configuration may be wrong or missing?

I would greatly appreciate any hints on what configuration is
required to propagate the password change from the enduser
interface to LDAP! My LDAP server is OpenLDAP on Ubuntu 16.04 LTS.

Best regards,

Martin

PS: The result of the password not being propagated is that I am
now able to log into the enduser interface using both the password
stored in Syncope's internal DB and the (old) password still
present in LDAP…


This is not possible unless you have defined an Account Policy [1] 
with LDAP for pass-through authentication [2].


[1] https://syncope.apache.org/docs/reference-guide.html#policies-account
[2] 
https://syncope.apache.org/docs/reference-guide.html#pass-through-authentication



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Password not propagated when changed via enduser UI

2017-06-26 Thread Francesco Chicchiriccò

Hi Martin,
welcome to Apache Syncope.

Which version / distribution are you running?

See my replies embedded below.

Regards.

On 25/06/2017 18:48, Böhmer, Martin wrote:


Hi,

I have setup an LDAP connector and LDAP resource that successfully 
propagates changes to users and groups when changes are performed via 
the console UI. So, I am able to consistently create, update and 
delete users and groups in Syncope and LDAP. When I set/change a 
user’s password via the console UI, it gets propagated to LDAP as 
expected by an UPDATE propagation task.


However, when I log into the enduser interface and change the 
password, it gets updated in Syncope's internal database, but not in 
LDAP. Inspecting the propagation tasks afterwards reveals that the 
change in the enduser UI has created a DELETE action for some strange 
reason.




I have replicated your case with 2.0.4-SNAPSHOT (by using the sample 
ApacheDS LDAP resource available) and opened


https://issues.apache.org/jira/browse/SYNCOPE-1125

As mentioned in the reference guide and earlier posts, I already made 
sure Syncope’s property ‘password.cipher.algorithm’ is set to the same 
algorithm as specified in the LDAP connector. Both are set to ‘SSHA’. 
Console log and core log do not show any errors.




Aligning the cipher algorithms is only needed when pulling or pushing 
password values as binary objects, and this only occurs during pull or 
push task execution.


Setting password via Admin Console or Enduser UI instead does not 
require such alignment, as the cleartext value is passed along with the 
REST invocation.



What am I doing wrong? What configuration may be wrong or missing?

I would greatly appreciate any hints on what configuration is required 
to propagate the password change from the enduser interface to LDAP! 
My LDAP server is OpenLDAP on Ubuntu 16.04 LTS.


Best regards,

Martin

PS: The result of the password not being propagated is that I am now 
able to log into the enduser interface using both the password stored 
in Syncope's internal DB and the (old) password still present in LDAP…




This is not possible unless you have defined an Account Policy [1] with 
LDAP for pass-through authentication [2].


[1] https://syncope.apache.org/docs/reference-guide.html#policies-account
[2] 
https://syncope.apache.org/docs/reference-guide.html#pass-through-authentication


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
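
Added example, not part of the thread and not Syncope or ConnId code: why the cipher algorithms only have to match on the pull/push path described in the reply above, while the cleartext path does not care. It assumes the common LDAP salted layout `digest(password || salt) || salt`; the scheme table, function names, sample password and salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed scheme table for this example: name -> (hash constructor, digest length).
SCHEMES = {
    "SSHA": (hashlib.sha1, 20),
    "SSHA256": (hashlib.sha256, 32),
}

SAMPLE_PASSWORD = "Password123"               # constructed sample value
SAMPLE_SALT = bytes.fromhex("0011223344556677")  # constructed, fixed for repeatability


def hash_password(password: str, scheme: str, salt: bytes) -> bytes:
    """Return digest(password || salt) || salt, the binary value a salted scheme stores."""
    hasher, _ = SCHEMES[scheme]
    return hasher(password.encode("utf-8") + salt).digest() + salt


def to_ldap_value(raw: bytes, scheme: str) -> str:
    """Render the binary value the way it appears in an LDAP userPassword attribute."""
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def verify(raw: bytes, scheme: str, candidate: str) -> bool:
    """Check a candidate password against raw, interpreting raw under the given scheme."""
    hasher, digest_len = SCHEMES[scheme]
    if len(raw) <= digest_len:
        return False  # too short to hold digest plus salt for this scheme
    digest, salt = raw[:digest_len], raw[digest_len:]
    expected = hasher(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def push_hashed(password: str, source_scheme: str, target_scheme: str, salt: bytes) -> bool:
    """Pull/push path: the already-hashed binary value travels as-is.

    The source hashed with source_scheme; the target interprets the bytes with
    target_scheme. Returns whether the user's real password still verifies there.
    """
    raw = hash_password(password, source_scheme, salt)
    return verify(raw, target_scheme, password)


def propagate_cleartext(password: str, target_scheme: str, salt: bytes) -> bool:
    """Console / Enduser path: cleartext arrives and the target hashes it itself."""
    raw = hash_password(password, target_scheme, salt)
    return verify(raw, target_scheme, password)


if __name__ == "__main__":
    raw = hash_password(SAMPLE_PASSWORD, "SSHA", SAMPLE_SALT)
    print("stored value:", to_ldap_value(raw, "SSHA"))
    print("hashed push, SSHA -> SSHA:   ",
          push_hashed(SAMPLE_PASSWORD, "SSHA", "SSHA", SAMPLE_SALT))
    print("hashed push, SSHA256 -> SSHA:",
          push_hashed(SAMPLE_PASSWORD, "SSHA256", "SSHA", SAMPLE_SALT))
    print("cleartext propagation:       ",
          propagate_cleartext(SAMPLE_PASSWORD, "SSHA", SAMPLE_SALT))
```

A mismatched hashed push leaves the account with a stored value that no password will verify against, which is why the alignment matters for pull and push tasks only.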



Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

2017-06-15 Thread Francesco Chicchiriccò

On 14/06/2017 19:40, justin.isenhour wrote:

Francesco,

Thanks for your reply.  I have followed the steps you described but am not
getting the same result as you.  If in ApacheDS password policy section I
have Allow Must Change flagged then when I try to create a new user the sync
with ApacheDS fails, it complains that there are 2 values being set for
attribute pwdReset.  If I uncheck Allow Must Change flag then the
create/sync is successful, however, after that any attempt I make to toggle
Must Change Password on/off does not sync with ApacheDS.  I tried toggling
this from the console as well as using the user self Patch API.  In both of
these case there is no propagation task being created.  The only propagation
task I see is the initial create. (making other updates does initiate a
propagation task and LDAP is updated as expected).

Any thoughts as to why changes to Must Change Password are not triggering a
propagation task?


Which Syncope version and distribution are you using?

You might want to download the latest 2.0.4-SNAPSHOT standalone 
distribution [1] (instructions [2]) and try to perform the steps 
reported previously with the embedded ApacheDS 2.0 M24 (which is exactly 
what I did).


Regards.

[1] 
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/2.0.4-SNAPSHOT/syncope-standalone-2.0.4-20170614.162350-94-distribution.zip

[2] https://ci.apache.org/projects/syncope/getting-started.html#standalone

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Error with openJPA multithreading

2017-06-14 Thread Francesco Chicchiriccò

On 2017-06-14 18:43 justin.isenhour wrote:
Is anyone able to provide any insight into this issue as I am getting this
quite often during testing both from the syncope console and from direct API
calls.


Hi,
this error seldom appears to me as well, but it is so rare that I could 
not find a way to reproduce it.


Please, send more details about your environment, Syncope version and 
distribution, and operations that lead to such error.


Anyway, I made some fixes in the current 2.0.4-SNAPSHOT which should 
prevent such errors from occurring, maybe you'd want to give it a try.


Regards.
--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: error importing by Mastecontent.xml e postgres database dump

2017-06-07 Thread Francesco Chicchiriccò
questListenerInterface.java:241)
~[wicket-core-7.6.0.jar:7.6.0]
 at
org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.invokeListener(ListenerInterfaceRequestHandler.java:248)
~[wicket-core-7.6.0.jar:7.6.0]
 at
org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.respond(ListenerInterfaceRequestHandler.java:234)
~[wicket-core-7.6.0.jar:7.6.0]
 at
org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:895)
~[wicket-core-7.6.0.jar:7.6.0]
 at
org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)
~[wicket-request-7.4.0.jar:7.4.0]
 at
org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:265)
~[wicket-core-7.6.0.jar:7.6.0]
 at
org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:222)
~[wicket-core-7.6.0.jar:7.6.0]
 at
org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293)
~[wicket-core-7.6.0.jar:7.6.0]
 at
org.apache.wicket.protocol.ws.AbstractUpgradeFilter.processRequestCycle(AbstractUpgradeFilter.java:70)
~[wicket-native-websocket-core-7.6.0.jar:7.6.0]
 at
org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203)
~[wicket-core-7.6.0.jar:7.6.0]
 at
org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284)
~[wicket-core-7.6.0.jar:7.6.0]
 at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
~[tomcat8-catalina-8.0.32.jar:8.0.32]
 at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
~[tomcat8-catalina-8.0.32.jar:8.0.32]
 at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
~[tomcat8-catalina-8.0.32.jar:8.0.32]
 at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
~[tomcat8-catalina-8.0.32.jar:8.0.32]
 at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
~[tomcat8-catalina-8.0.32.jar:8.0.32]
 at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
~[tomcat8-catalina-8.0.32.jar:8.0.32]
 at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
~[tomcat8-catalina-8.0.32.jar:8.0.32]
 at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
~[tomcat8-catalina-8.0.32.jar:8.0.32]
 at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
~[tomcat8-catalina-8.0.32.jar:8.0.32]
 at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
~[tomcat8-catalina-8.0.32.jar:8.0.32]
 at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
~[tomcat8-coyote-8.0.32.jar:8.0.32]
 at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
~[tomcat8-coyote-8.0.32.jar:8.0.32]
 at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1504)
~[tomcat8-coyote-8.0.32.jar:8.0.32]
 at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1460)
~[tomcat8-coyote-8.0.32.jar:8.0.32]
 at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[?:1.8.0_131]
 at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[?:1.8.0_131]
 at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
~[tomcat8-util-8.0.32.jar:8.0.32]
 at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]


[1]
https://syncope.apache.org/docs/reference-guide.html#deal-with-internal-storage-export-import





--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

2017-06-06 Thread Francesco Chicchiriccò

Hi,
here's what I did (after creating new Maven project, in embedded mode - 
it should be exactly the same with standalone distribution):


1. from Admin Console, I went to Topology > resource-ldap > edit 
provision rules

2. added a mapping item to USER / __ACCOUNT__, with
  * 'mustChangePassword' as internal attribute
  * 'pwdReset' as external attribute
  * JEXL transformer 'mustChangePassword == 1'
3. saved

After that, I have created a new user, and assigned 'resource-ldap': the 
user got created as expected on the embedded ApacheDS instance (e.g. the 
one behind 'resource-ldap' above), with 'pwdReset: false'.


Then, on the user row, I have clicked on the "set must change password" 
menu entry: an update was sent to ApacheDS and 'pwdReset' became true.
I clicked again on the same menu entry (which I have now changed to 
"toggle must change password"): another update to ApacheDS and 
'pwdReset' became false.


Is there anything different that  you were expecting?
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: cmd bundle framework filter bundle

2017-06-05 Thread Francesco Chicchiriccò

On 31/05/2017 10:16, Mikael Ekblom wrote:


Hi,

I need to ask you at Tirasa too, that have you seen this error 
regarding the cmd bundle and powershell?


java.lang.IllegalStateException: Object {Uid=Attribute: {Name=__UID__, 
Value=[backsee1]}, ObjectClass=ObjectClass: __ACCOUNT__, 
Attributes=[Attribute: {Name=uid, Value=[x]}, Attribute: 
{Name=personnr, Value=[1029]}, Attribute: {Name=__NAME__, 
Value=[1029]}, Attribute: {Name=__UID__, Value=[]}, Attribute: 
{Name=__ENABLE__, Value=[true]}], Name=Attribute: {Name=__NAME__, 
Value=[1029]}} was returned by  by the connector but failed to pass 
the framework filter. This seems like wrong implementation of the 
filter in the connector.


I guess syncope sees these as regular strings. Searching goes fine, no 
problem there. All attributes can be viewed. But when you try to 
create, then s-t hits the fan. I have tested both the 0.2 version of 
the cmd bundle and I’m testing the 0.3-snapshot version also and I’m 
modifying the 0.3-version for troubleshooting purposes.


Both the 0.2-version and the 0.3-snapshot version give the same 
result. Maybe I need to make my own version of execute sequence… :-)




Hi Mikael,
the exception above comes from [1], e.g. from the ConnId framework 
rather than the ConnId CMD bundle.


You need to provide more details about the error (e.g. longer 
stacktraces) in order to understand exactly which ConnId filter - which 
is set by Syncope code - is not allowing some search results to pass.


Regards.

[1] 
https://github.com/Tirasa/ConnId/blob/master/java/connector-framework-internal/src/main/java/org/identityconnectors/framework/impl/api/local/operations/FilteredResultsHandler.java#L82-L84


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

2017-06-05 Thread Francesco Chicchiriccò

On 01/06/2017 19:40, justin.isenhour wrote:

Hi All,

I am using the Syncope 2.0.3 with ApacheDS 2.0.0-M23 for identity store.  In
ApacheDS I have Must Change Password enabled for the password policy.  When
a new user is created the pwdReset flag is true.  How can I get Syncope to
change the flag to False?  Changing the Must Change Password attribute for
the UserTo doesn't impact this, neither does reset the users password.  So
far I have found no way to change this flag.  I tried adding a mapping
between mustChangePassword and pwdReset with a JEXL transformer to convert
Syncope's 0|1 value to ApacheDS's expected true|false.  With this in place
when I create a user with must change password as true the provisioning is
successful but when I try to create/update a user with value false the sync
fails.  ApacheDS complains that I am trying to set more than one value to
the pwdReset attribute that only accepts a single value.  Anyone have any
thoughts or recommendations?


Hi Justin,
thanks for your interest in Apache Syncope.

It seems you have come quite far with Syncope LDAP configuration, nice :-)

I am not very familiar with ApacheDS' pwdReset attribute: could you 
please point to me in which LDAP ObjectClass is that available? I would 
like to replicate your setup.


Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Bulk Deletion of Users using APIs

2017-05-29 Thread Francesco Chicchiriccò

On 29/05/2017 13:05, rajkumar wrote:

Hi,

Many thanks for your quick reply, but the URL you have shared gives the
Java code, and I want to do this bulk deletion using any API client.


I see, ok.


Below are the values I am using to achieve the same; let me know if I am
making any mistake here.

*URL *: http://52.58.169.64:8080/syncope/rest/users
*Type* : Delete
*Payload*: {
  "operation": "DELETE",
  "targets": [
    "{id}"
  ]
}
*content-type* - application/json


This cannot work.


But deleting single user is working fine with below details:

*URL *: http://52.58.169.64:8080/syncope/rest/users/{userId}
*Type* : Delete


This is fine, of course.


*Also please let me know, is there a way to run multiple HTTP request at
same time in postman.*


I would suggest enabling Swagger UI in your deployment and looking at POST 
/user/bulk under _users; it should be something like:


*URL *: http://52.58.169.64:8080/syncope/rest/users/bulk
*Type* : POST
*Payload*: {
  "type": "DELETE",
  "targets": [
    "{key}"
  ]
}

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Syncope .deb installation, no resources tab

2017-05-18 Thread Francesco Chicchiriccò

On 18/05/2017 17:32, Thomas Maerz wrote:

Question though,

In order to use the AD ConnID, should I deploy using Maven or will .deb work 
fine?


If you are using .deb, just check the content of the directory

/var/lib/apache-syncope/bundles

to see if the AD connector bundle is already there.

Regards.


On May 18, 2017, at 10:30 AM, Thomas Maerz <thomasma...@kmnr.org> wrote:

Yes, sorry about that. I started on this in preparation for a migration project 
and we proceeded without it. For now we have been manually synchronizing the 
directories but it appears it will go on longer than anticipated so I’d like to 
get something set up to eliminate human error.

Thank you for the response.

Thomas


On May 18, 2017, at 10:28 AM, Francesco Chicchiriccò <ilgro...@apache.org> 
wrote:

Wow, a timebomb from 6 months ago :-)

There is no (yet) step-by-step tutorial for Syncope and AD available, but:

1. several other people seemed to succeed at it - see the recent [1] for 
example - so I guess it shouldn't be hard for them to support you here
2. there is absolutely no point in starting a project with Syncope 1.2 today

Regards

[1] 
https://lists.apache.org/thread.html/bc0a61c40790a4f7e13076b8b9d2a6073a76fffc29d9773bac7e265e@%3Cuser.syncope.apache.org%3E

On 18/05/2017 17:24, Thomas Maerz wrote:

So there is no documentation still for Syncope 2.0 working with AD?

If this is the case, would it be better for me to just use Syncope 1.x?

Thomas


On Nov 4, 2016, at 9:48 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 04/11/2016 15:44, Thomas Maerz wrote:

Hi,

I’ve just installed Syncope on Ubuntu Server 16.04 using the .deb packages. I 
am looking to create an Active Directory Connector. The connector bundle is in 
the bundles directory out of the box, but my installation does not have a 
resources tab in the syncope-console. I’ve read the documentation and I don’t 
know what I am doing wrong. Can the .deb installation not utilize resource 
connectors or am I doing something wrong?

Hi Thomas,
which version are you running? It looks like you are looking at the wiki pages, 
which are working for Syncope prior to 2.0 (e.g. 1.2, 1.1, ...), not for 2.0 
and above.

I would suggest to take a look at the official docs:

https://syncope.apache.org/docs/getting-started.html
https://syncope.apache.org/docs/reference-guide.html

This tutorial might also be useful for your use case:

http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

HTH
Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Syncope Rest AccessToken 404

2017-05-13 Thread Francesco Chicchiriccò

On 2017-05-12 18:42 Hugo Cerdeira wrote:


Hi,

so I'm trying to log in to syncope via webservices, 
/syncope/rest/accessToken, but i get 404 error;
also the accessTokens tab doesn't show when I navigate on my browser to 
/syncope


guess you mean /syncope-console here


any ideas on what's going on?


Yes, you are not running Syncope 2.0.3 (access tokens were added in that 
version, which is the current stable).

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: No password propagation after User creation.

2017-05-12 Thread Francesco Chicchiriccò

This mapping item is wrong:


  {
    "key": "d721e6e2-c9dd-4966-a1e6-e2c9dd0966ef",
    "intAttrName": "password",
    "extAttrName": "password",
    "connObjectKey": false,
    "password": false,
    "mandatoryCondition": "true",
    "purpose": "PROPAGATION",
    "propagationJEXLTransformer": null,
    "pullJEXLTransformer": null,
    "mappingItemTransformerClassNames": []
  },


It should instead have been something like:

  {
    "key": "d721e6e2-c9dd-4966-a1e6-e2c9dd0966ef",
    "intAttrName": "password",
    "extAttrName": "__PASSWORD__",
    "connObjectKey": false,
    "password": true,
    "mandatoryCondition": "true",
    "purpose": "PROPAGATION",
    "propagationJEXLTransformer": null,
    "pullJEXLTransformer": null,
    "mappingItemTransformerClassNames": []
  },

Note the difference in extAttrName and password fields.

This kind of mapping item is generated via Admin Console when you flag 
'Password'.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
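
The rule from the reply above (an internal 'password' needs extAttrName `__PASSWORD__` and the password flag set), written as a check that can be run over mapping items read via REST. This is an added example, not Syncope code and not part of the thread; the function names are hypothetical, the sample items are the two quoted above reduced to the fields the check reads, and counting purpose BOTH alongside PROPAGATION is an assumption.

```python
import json

# Constructed input: the two mapping items quoted in the reply, reduced to the
# fields this check reads.
WRONG_ITEM = json.loads("""{
  "intAttrName": "password", "extAttrName": "password",
  "password": false, "mandatoryCondition": "true", "purpose": "PROPAGATION"
}""")
FIXED_ITEM = json.loads("""{
  "intAttrName": "password", "extAttrName": "__PASSWORD__",
  "password": true, "mandatoryCondition": "true", "purpose": "PROPAGATION"
}""")

PASSWORD_EXT_ATTR = "__PASSWORD__"


def check_item(item):
    """Return the problems found in one mapping item (empty list if none)."""
    problems = []
    maps_password = item.get("intAttrName") == "password"
    flagged = item.get("password") is True
    if maps_password and not flagged:
        problems.append("internal 'password' is mapped without the password flag")
    if (maps_password or flagged) and item.get("extAttrName") != PASSWORD_EXT_ATTR:
        problems.append("extAttrName is %r, expected %r"
                        % (item.get("extAttrName"), PASSWORD_EXT_ATTR))
    return problems


def check_mapping(items):
    """Check the items used for propagation and report a mapping that has no
    correctly declared password item at all."""
    findings = []
    usable = False
    for index, item in enumerate(items):
        # Assumption: items with purpose BOTH take part in propagation as well.
        if item.get("purpose") not in ("PROPAGATION", "BOTH"):
            continue
        problems = check_item(item)
        findings.extend("item %d: %s" % (index, p) for p in problems)
        if item.get("password") is True and not problems:
            usable = True
    if not usable:
        findings.append("no mapping item delivers the password to the resource")
    return findings


if __name__ == "__main__":
    for name, items in (("as posted", [WRONG_ITEM]), ("as corrected", [FIXED_ITEM])):
        print(name, check_mapping(items) or "ok")
```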



Re: No password propagation after User creation.

2017-05-12 Thread Francesco Chicchiriccò

On 12/05/2017 11:49, HugoCerdeira wrote:

yes, it does include the password: internal attribute=password; external
attribute=password; mandatory = true


Please provide more details about this mapping item: just read it via 
REST and paste the JSON content (or a screenshot from Admin Console).

Regards.


ilgrosso wrote

On 12/05/2017 11:31, Hugo Cerdeira wrote:

Hi,

I'm trying to propagate a User when creating it via rest services of
the syncope-core, I'm able to create him successfully but I get this
propagation error:

"propagationStatuses": [
   {
  "beforeObj": null,
  "afterObj": null,
  "resource": "ofbizUsersPropagation",
  "status": "FAILURE",
  "failureReason": "Not attempted because there are mandatory
attributes without value(s): [password]"
}

I'm sending the password on the rest services and the User is
correctly created since I can log in using it.
I've tried turning return.password.value true/false but didn't make
any difference, any tips?

What is the user mapping for that resource? Does it include password?


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: No password propagation after User creation.

2017-05-12 Thread Francesco Chicchiriccò

On 12/05/2017 11:31, Hugo Cerdeira wrote:

Hi,

I'm trying to propagate a User when creating it via rest services of 
the syncope-core, I'm able to create him successfully but I get this 
propagation error:


"propagationStatuses": [
  {
 "beforeObj": null,
 "afterObj": null,
 "resource": "ofbizUsersPropagation",
 "status": "FAILURE",
 "failureReason": "Not attempted because there are mandatory 
attributes without value(s): [password]"

}

I'm sending the password on the rest services and the User is 
correctly created since I can log in using it.
I've tried turning return.password.value true/false but didn't make 
any difference, any tips?


What is the user mapping for that resource? Does it include password?

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Storing Custom User variables and Unique Email constraint

2017-05-08 Thread Francesco Chicchiriccò

On 06/05/2017 00:23, Ravindra Singareddy wrote:


Hi All,

I need to store User Custom variables like firstName, MiddleName, and 
Last Name and am using the following code:



// Build a client for the Master domain, authenticated as admin
SyncopeClientFactoryBean clientFactory = new SyncopeClientFactoryBean().
        setAddress("http://localhost:8080/syncope/rest").
        setDomain("Master").
        setContentType(SyncopeClientFactoryBean.ContentType.XML).
        setUseCompression(true);
SyncopeClient client = clientFactory.create("admin", "password");
UserService userService = client.getService(UserService.class);

// New user in the root realm, carrying four plain attributes
UserTO userTo = new UserTO();
userTo.setUsername(username);
userTo.setPassword(password);
userTo.setCreationDate(new Date());
userTo.setCreator("admin");
userTo.setRealm("/");
userTo.getPlainAttrs().add(
        new AttrTO.Builder().schema("email").value(email).build());
userTo.getPlainAttrs().add(
        new AttrTO.Builder().schema("firstName").value(firstName).build());
userTo.getPlainAttrs().add(
        new AttrTO.Builder().schema("middleName").value(middleName).build());
userTo.getPlainAttrs().add(
        new AttrTO.Builder().schema("lastName").value(lastName).build());

Response userResponse = userService.create(userTo, true);
System.out.println(userResponse.getStatus());

After successful creation of the user, authenticated using email, with 
the following code:


// Log in with the email as username and read back the user's own profile
client = clientFactory.
        setDomain("Master").create(email, password);
Pair<Map<String, Set<String>>, UserTO> self = client.self();
Object auth = self.getKey();
UserTO selfUserTO = (UserTO) self.getValue();
System.out.println(selfUserTO);

First Question: selfUserTO is not retrieving firstName, middleName, 
and LastName from Plain Attributes.  What are changes needed to be 
done for storing these plain attributes values?


You need to create the related schemas (if you haven't done that yet) 
and then to assign such schemas to the AnyTypeClass for users.


More information:

https://cwiki.apache.org/confluence/display/SYNCOPE/Apache+Syncope+2.0+Primer
https://syncope.apache.org/docs/reference-guide.html#type-management

Second Question: I am able to save email address and also able to 
retrieve (authenticate) using the email address. If I have created two 
users with the same email address, the system is not able to log in 
using this email address. Because the email address is not unique 
across all users.  How to make email address unique across all users.


You need to change the email schema definition and flag uniqueConstraint 
to true; you can do that either via Admin Console or REST.


Please be aware that, if there are users with the 'email' attribute set, 
such update is not possible: you'll need either to create another schema 
or to remove all the existing email values.


HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Scripted SQL resource

2017-05-08 Thread Francesco Chicchiriccò

On 08/05/2017 09:37, Mikael Ekblom wrote:


Hi,

Never mind, I found it. The groovy-script did not like the fact that 
the columns within the external db resource had different names than 
the attributes internally defined to be mapped for the user class itself.


I solved it by aliasing the columns from the external db within the 
query itself to match the provisioning rule.




Glad that you solved! :-)
Regards.


*From:* Mikael Ekblom [mailto:mikael.ekb...@arcada.fi]
*Sent:* torstai 4. toukokuuta 2017 16.51
*To:* user@syncope.apache.org
*Subject:* Scripted SQL resource

Hi,

We have a scripted sql resource set up to fetch data from our HR 
system. SEARCH and SYNC capabilities set. Now, as the lines tells us 
below, the search is returning values to the it-parameter set within 
the groovy sql eachRow command and its closure. The result array seems 
to be populated.


16:17:02.952 DEBUG Enter: {Uid=Attribute: {Name=__UID__, 
Value=[4377]}, ObjectClass=ObjectClass: __ACCOUNT__, 
Attributes=[Attribute: {Name=Efternamn, Value=[Caspar Klaus Sönvis]}, 
Attribute: {Name=Fornamn, Value=[Berntzen]}, Attribute: 
{Name=__NAME__, Value=[4377]}, Attribute: {Name=__UID__, 
Value=[4377]}, Attribute: {Name=__ENABLE__, Value=[true]}], 
Name=Attribute: {Name=__NAME__, Value=[4377]}}Method: handle


16:17:02.952 DEBUG *Return: false* Method: handle

But, this is not the case when we try to search and sync from this 
resource. When we do an “Explore” through the resource and try to view 
the contents for this particular connector, only the pre-defined 
attributes __UID__,__NAME__ and __ENABLE__ are visible. The rest of 
the attributes we set to provision are not visible for some reason. I 
attached an example of this as a .png.


The attributes Efternamn and Fornamn should also be visible but no.

As the log states, it seems to state that *Return: false.*  Any 
pullactionhandler that we have created will confirm that this 
operation will not return anything but the __UID__, __NAME__ and 
__ENABLE__. As such we cannot build the usernames accordingly only via 
this information.


When we connect to this same resource with a dbtable-configuration 
everything is mapping fine… This will not work in this case though. I 
first thought that do I now have some ISO-8859-1 conversion issue, but 
this seems not to be the case. Not for the Dbtable-resource at least.


Another scripted SQL groovy resource towards the same SQL-server and 
thus we use the same scripted sql bundle version. I set the fetched 
__UID__ values a bit differently


16:21:01.956 DEBUG Enter: {Uid=Attribute: {Name=__UID__, 
Value=[170776-]}, ObjectClass=ObjectClass: __ACCOUNT__, 
Attributes=[Attribute: {Name=Ort, Value=[Sibbo]}, Attribute: 
{Name=efternamn, Value=[Ekblom]}, Attribute: {Name=fornamn, 
Value=[Mikael]}, Attribute: {Name=Adress, Value=[xx]}, 
Attribute: {Name=__NAME__, Value=[170776-xxx]}, Attribute: 
{Name=__UID__, Value=[170776-]},  Attribute: {Name=__ENABLE__, 
Value=[true]}, Attribute: {Name=personbeteckning, 
Value=[170776-]}], Name=Attribute: {Name=__NAME__, 
Value=[170776-xxx]}}Method: handle


16:21:01.956 DEBUG *Return: true* Method: handle

With a similar scripted sql-resource through groovy, everything is 
visible from the built in variables to the other variables stated 
through the mapping rules. Column formats are the same.


The big question is: why is the example above stating *Return false* 
and the other, similar one, not? Has anyone seen this before? What 
makes a scripted groovy sql resource to return false except for the 
built in values that must be there?


At times like these, you wish that you could pay for support… :-)

Regards,

   Mikael


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Delegate admin for realms

2017-05-05 Thread Francesco Chicchiriccò

On 05/05/2017 06:06, Kwong,Vincent wrote:


Hi Francesco,

Tried with positive result, thanks a lot.



That's good to hear.

But the display is confusing, the add user button is available in all 
realms, and only display error when I am at the last step on create user.




I have now created

https://issues.apache.org/jira/browse/SYNCOPE-1072
https://issues.apache.org/jira/browse/SYNCOPE-1073


Here are my comments:

1. Better to display only the realms where the user has access; in 
some situations I may not want the non-delegated sub-group visible, 
especially if they are individual companies




I have also created

https://issues.apache.org/jira/browse/SYNCOPE-1074


2. Some console display should reflect user access to avoid confusion



Please give more details, this is not clear.

Regards.


*From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]

*Sent:* Thursday, May 04, 2017 4:57 PM
*To:* user@syncope.apache.org
*Subject:* Re: Delegate admin for realms

On 04/05/2017 04:59, Kwong,Vincent wrote:

Hi All,

I am new to syncope and going to evaluate the syncope
functionality for my coming project.

I am trying to setup a organization like this, but I cannot figure
out how I can achieve the delegated administration.

Sample Structure:

Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) ->
Multiple Teams (e.g. /Group1/Team1)

1. Each team will have an admin to manage the users under that realm

2. Each sub-group will have another admin to look after all teams

3. Each admin has control over their own sub-group / team only

I tried to create a role with some user/realm related access under
particular realm, but after I tried to login with the account with
that role, I can see/update the parent realm or other sub realm.

Is it possible for syncope to achieve what I want? Or does anyone have
similar experience?


Hi Vincent, glad of your interest in Apache Syncope.

To be sure, I have created some sample data in an attempt to replicate 
your use case.


First, the realms: [1] where g1 and g2 are 'sub-groups' as you name 
them above (please beware that groups are a different concept in 
Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.


Then I have created some roles: [2], one for each of the realms above, 
with full entitlements about users, and REALM_LIST which is only 
required if you are planning to operate via Admin Console (as it seems).


Finally I have created some users in several realms, /g1/t11 [3], 
/g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you 
can see, there are plain users and admin users, where the username of 
the latter is given to show which realm they are actually managing, e.g.


* admi...@syncope.apache.org which is granted the role 'Managing g1' 
and thus is allowed to manage users in /g1 [5]
* admin...@syncope.apache.org which is granted the role 'Managing t11' 
and thus is allowed to manage users in /g1/t11 [3]
* admin...@syncope.apache.org which is granted the role 'Managing t12' 
and thus is allowed to manage users in /g1/t12 [4]
* admi...@syncope.apache.org which is granted the role 'Managing g2' 
and thus is allowed to manage users in /g2 [6]


Given such setup, everything is working as expected and every admin 
user can only see and manage the users contained by the realms he / 
she is granted by role.
The only quirk I could find is that the realms view always starts from 
/, but even in this case the only users shown are the expected.


HTH
Regards.

[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Delegate admin for realms

2017-05-04 Thread Francesco Chicchiriccò

On 04/05/2017 04:59, Kwong,Vincent wrote:


Hi All,

I am new to syncope and going to evaluate the syncope functionality 
for my coming project.


I am trying to setup a organization like this, but I cannot figure out 
how I can achieve the delegated administration.


Sample Structure:

Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) -> 
Multiple Teams (e.g. /Group1/Team1)


1. Each team will have an admin to manage the users under that realm

2. Each sub-group will have another admin to look after all teams

3. Each admin has control over their own sub-group / team only

I tried to create a role with some user/realm related access under 
particular realm, but after I tried to login with the account with 
that role, I can see/update the parent realm or other sub realm.


Is it possible for syncope to achieve what I want? Or does anyone have 
similar experience?




Hi Vincent, glad of your interest in Apache Syncope.

To be sure, I have created some sample data in an attempt to replicate 
your use case.


First, the realms: [1] where g1 and g2 are 'sub-groups' as you name them 
above (please beware that groups are a different concept in Syncope) and 
t11 / t12 / t21 / t22 / t23 are 'teams'.


Then I have created some roles: [2], one for each of the realms above, 
with full entitlements about users, and REALM_LIST which is only 
required if you are planning to operate via Admin Console (as it seems).


Finally I have created some users in several realms, /g1/t11 [3], 
/g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you can 
see, there are plain users and admin users, where the username of the 
latter is given to show which realm they are actually managing, e.g.


* admi...@syncope.apache.org which is granted the role 'Managing g1' and 
thus is allowed to manage users in /g1 [5]
* admin...@syncope.apache.org which is granted the role 'Managing t11' 
and thus is allowed to manage users in /g1/t11 [3]
* admin...@syncope.apache.org which is granted the role 'Managing t12' 
and thus is allowed to manage users in /g1/t12 [4]
* admi...@syncope.apache.org which is granted the role 'Managing g2' and 
thus is allowed to manage users in /g2 [6]


Given such setup, everything is working as expected and every admin user 
can only see and manage the users contained by the realms he / she is 
granted by role.
The only quirk I could find is that the realms view always starts from 
/, but even in this case the only users shown are the expected.


HTH
Regards.

[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: AdminPasswordAlgorithm

2017-05-01 Thread Francesco Chicchiriccò

[Please do not cross-post: user@ is enough]


On 2017-05-01 11:37 Ravindra Singareddy wrote:

Hi All,

Using BCRYPT as adminPasswordAlgorithm in security.properties as 
follows:



adminPassword=$2y$10$g.5bFpWp4j6SxSB6iGokT.Sq01SpgSSyBexppJtc9T4TlNfLWVp0q
adminPasswordAlgorithm=BCRYPT


But I am not able to log in to syncope-console. Is the BCRYPT password
algorithm supported for the admin user?


When setting

adminPassword=$2a$06$/LWhVDsRs7v3ldMdDzuAguJM5yli9AaSbUJYXC2DboPUwslJUrr/y
adminPasswordAlgorithm=BCRYPT

with hash generated via [1] for 'password123', everything works as 
expected.


Regards.

[1] http://bcrypthashgenerator.apphb.com/?PlainText=password123

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
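
A format check for the two `adminPassword` values quoted in the thread above, as an added example (not Syncope code and not from either poster). The thread does not say why the `$2y$` value failed to log in; treating the variant prefix as the relevant difference, the accepted set `("2a",)` and the minimum cost of 10 are assumptions to adjust for the deployment being checked.

```python
import re

# Modular-crypt layout of a bcrypt hash:
#   $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# The two security.properties fragments quoted in the thread.
REPORTED_FAILING = """\
adminPassword=$2y$10$g.5bFpWp4j6SxSB6iGokT.Sq01SpgSSyBexppJtc9T4TlNfLWVp0q
adminPasswordAlgorithm=BCRYPT
"""
REPORTED_WORKING = """\
adminPassword=$2a$06$/LWhVDsRs7v3ldMdDzuAguJM5yli9AaSbUJYXC2DboPUwslJUrr/y
adminPasswordAlgorithm=BCRYPT
"""


def parse_properties(text):
    """Minimal key=value reader (no line continuations or escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def inspect_admin_password(text, accepted_variants=("2a",), min_cost=10):
    """Report variant, cost and findings for the adminPassword entry.

    accepted_variants and min_cost are assumptions, not values documented
    on the page.
    """
    props = parse_properties(text)
    result = {"algorithm": props.get("adminPasswordAlgorithm"),
              "variant": None, "cost": None, "findings": []}
    if result["algorithm"] != "BCRYPT":
        result["findings"].append(
            "adminPasswordAlgorithm is not BCRYPT; value not inspected")
        return result
    match = BCRYPT_RE.match(props.get("adminPassword", ""))
    if match is None:
        result["findings"].append(
            "adminPassword is not a well-formed bcrypt string")
        return result
    variant, cost = match.group(1), int(match.group(2))
    result["variant"], result["cost"] = variant, cost
    if not 4 <= cost <= 31:
        result["findings"].append("cost %d is outside bcrypt's 4..31 range" % cost)
    if variant not in accepted_variants:
        result["findings"].append(
            "variant $%s$ is not in the accepted set %s"
            % (variant, list(accepted_variants)))
    if cost < min_cost:
        result["findings"].append(
            "cost %d is below the minimum of %d" % (cost, min_cost))
    return result


if __name__ == "__main__":
    for label, text in (("reported failing", REPORTED_FAILING),
                        ("reported working", REPORTED_WORKING)):
        print(label, inspect_admin_password(text))
```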


Re: Adding new fields over a MariaDB

2017-04-27 Thread Francesco Chicchiriccò

On 26/04/2017 19:16, Tech wrote:


Hello,

using the Syncope 203, when we try to add a new type, we get this 
error at the moment of saving the change.


Here we just try to add an additional email with an EmailValidator, 
but this happen with any new field that we try to add.


Regards

[...]
Caused by: org.apache.openjpa.lib.jdbc.ReportingSQLException: 
(conn:34) Incorrect arguments to mysqld_stmt_execute
Query is: INSERT INTO PlainSchema (id, cipherAlgorithm, 
conversionPattern, enumerationKeys, enumerationValues, 
mandatoryCondition, mimeType, multivalue, readonly, secretKey, type, 
uniqueConstraint, validatorClass, ANYTYPECLASS_ID) VALUES (?, ?, ?, ?, 
?, ?, ?, ?, ?, ?, ?, ?, ?, ?), parameters 
['psy_p_emailWork',,,<Buffer:''>,<Buffer:''>,'false',,0,0,,'String',0,'org.apache.syncope.core.persistence.jpa.attrvalue.validation.EmailAddressValidator',] 
{prepstmnt 894668994 INSERT INTO PlainSchema (id, cipherAlgorithm, 
conversionPattern, enumerationKeys, enumerationValues, 
mandatoryCondition, mimeType, multivalue, readonly, secretKey, type, 
uniqueConstraint, validatorClass, ANYTYPECLASS_ID) VALUES (?, ?, ?, ?, 
?, ?, ?, ?, ?, ?, ?, ?, ?, ?)} [code=1210, state=HY000]




Just google a bit and you will find that such error is often caused by 
some versions of the MySQL JDBC driver (I assume that is applicable to 
MariaDB) as well.


More generally, I do believe that most of the troubles you are 
experiencing lately are due to bad MySQL / MariaDB versions, tuning and 
configuration, as your errors are hardly reproducible with recent 
versions of MySQL, MariaDB or their respective JDBC drivers.


Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 2.0.3

2017-04-18 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.0.3.

Apache Syncope is an Open Source system for managing digital identities
in enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
http://syncope.apache.org/downloads.html

Despite being a minor release, and besides the high number of fixes 
provided, this new release brings several new features and improvements.

The full change log is available here:
https://s.apache.org/syncope203

We welcome your help and feedback. For more information on how to report
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: Windows server scripted sql + groovy

2017-04-04 Thread Francesco Chicchiriccò

Hi Mikael,
see my replies on-line.

Regards.

On 04/04/2017 09:35, Mikael Ekblom wrote:


Hi,

Ah, ok. The groovy-all.jar had to be moved into the syncope web-inf 
lib directory. So now we have two options: local file bundle and 
through the connid-server. Very well!


Another question by the way. We have our HR-system as a cloud 
solution. It will be configured as an external resource of course.


The thing now is that we are used to generate usernames according to 
an automated solution. We do not use firstname.lastname as the uid or 
samaccountname format.


A recursive function so to speak based on the firstname lastname 
combination that we get from HR and other duplication checks etc.


I cannot see that syncope will manage automated creation of username 
as for now from an external resource on the fly? Not even through 
transformations?




I'd say you need to code a PullActions class

https://syncope.apache.org/docs/reference-guide.html#pullactions

e.g. something that is invoked around your pull task execution, with 
option to mangle its input / output data.


Please be aware that PullActions (as all other customizations) require 
to start with a Maven project:


https://syncope.apache.org/docs/reference-guide.html#customization

I think I will need to extend a connector for this task… and then the 
famous Office365 license thing that I think you had on the table too.




Exactly, my personal TODO list keeps growing, though... :-/


*From:*Marco Di Sabatino Di Diodoro [mailto:marco.disabat...@tirasa.net]
*Sent:* maanantai 3. huhtikuuta 2017 14.31
*To:* user@syncope.apache.org
*Subject:* Re: Windows server scripted sql + groovy

Hi

Il 03/04/2017 12:44, Mikael Ekblom ha scritto:

Hi,

We or I have been playing around with syncope for a while. I have
a question now regarding a scripted sql resource and groovy. What
we are trying to achieve here, is to get the student accounts over
from our home grown student administration system.

The scripted sql connector bundle is available as per definition
in the connid.properties file and is also available through the
administrative panel. But, the log is complaining about the
following:

“java.lang.IlegalArgumentException: Language not supported:
GROOVY” when the script language is defined.

Check if in your connector server instance the groovy-all jar is 
present. If not, try to copy it from Syncope in the connector server.


Regards
M


Some definition missing? I cannot pinpoint anything based on the
documentation. I even tried to install groovy separately on the
server itself, but it did not solve the problem. It would help a
lot to get this done natively. Otherwise I need to implement
another proxy repository for this task.

Regards,

Mikael


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: REST Web Service

2017-03-21 Thread Francesco Chicchiriccò

On 20/03/2017 15:45, Tech wrote:

Dear experts,

we are trying to configure a REST Web Service, but we don't know how it 
should be deployed.


We found in the /test directory some groovy scripts to 
Create/Update/etc, but we don't understand where, in a real environment, 
these scripts should be copied before compiling.


Hi,
both the Scripted REST [1] and the Scripted SQL [2] connector bundles 
share the same approach: the actual implementation of the ConnId 
operations (e.g. the child classes of [3], as CREATE, UPDATE, DELETE, 
SEARCH, SYNC, AUTHENTICATE, ...) is delegated to individual Groovy scripts.


The immediate benefit of this approach is that you can adapt the actual 
logic for dealing with a specific REST service or a given database, thus 
achieving the maximum flexibility; the downside is that you need to code 
the scripts, and this requires some skills.


You can find some samples of scripts for the REST connector in the folder

core/src/test/resources/rest

of your generated Maven project, or at [4], and scripts for the Scripted 
SQL connector in the folder


core/src/test/resources/scriptedsql

of your generated Maven project, or at [5].
As you can easily figure out, the actual script content only makes sense 
when dealing with the specific REST service / database they were 
designed for, e.g. [6] and [7] respectively.


An important feature for speeding up the development of these scripts is 
the 'Reload Script On Execution' connector property: when set to true, 
each script is reloaded and recompiled every time it is called, e.g. 
every time that the corresponding ConnId operation is invoked by Syncope.
In this way one can immediately check if the script is running fine or 
find out errors.

Please do not forget to disable this property once running in production!

Finally, consider that each script can be passed - in the connector 
configuration - either as actual content or as absolute file path: this 
is the reason why there are "Create Script" and "Create Script 
Filename", "Update Script" and "Update Script Filename", etc.


Hope this clarifies.
Regards.

[1] https://connid.atlassian.net/wiki/display/BASE/REST
[2] https://connid.atlassian.net/wiki/display/BASE/Scripted+SQL
[3] 
http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/spi/operations/SPIOperation.html
[4] 
https://github.com/apache/syncope/tree/2_0_X/fit/core-reference/src/test/resources/rest
[5] 
https://github.com/apache/syncope/tree/2_0_X/fit/core-reference/src/test/resources/scriptedsql
[6] 
https://github.com/apache/syncope/blob/2_0_X/fit/build-tools/src/main/java/org/apache/syncope/fit/buildtools/cxf/UserService.java
[7] 
https://github.com/apache/syncope/blob/2_0_X/fit/build-tools/src/main/resources/testdb.sql#L46-L51


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
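An added example, not part of the original message and not Syncope or ConnId code: a pre-production check over a Scripted REST / Scripted SQL connector configuration, keyed by the property display names quoted above. The dictionary layout, the function names, the "Search Script Filename" key and the finding labels are assumptions made for illustration; the file permission check is added because a script loaded from a path runs inside the connector, so whoever can write that file decides what runs.

```python
import os
import stat
import tempfile

RELOAD_PROPERTY = "Reload Script On Execution"
FILENAME_SUFFIX = " Script Filename"


def audit_scripted_connector(config, production=True):
    """Return a sorted list of (property, finding) pairs for one connector."""
    findings = []

    # Reloading and recompiling on every call is a development aid only.
    reload_on = str(config.get(RELOAD_PROPERTY, "false")).strip().lower() == "true"
    if production and reload_on:
        findings.append((RELOAD_PROPERTY, "reload-enabled-in-production"))

    for name, path in config.items():
        if not name.endswith(FILENAME_SUFFIX) or not path:
            continue
        # "Create Script Filename" -> "Create Script" (the inline content variant).
        inline_name = name[: -len(" Filename")]
        if config.get(inline_name):
            findings.append((name, "content-and-filename-both-set"))
        # Scripts given by file must be referenced by absolute path.
        if not os.path.isabs(path):
            findings.append((name, "path-not-absolute"))
            continue
        try:
            mode = os.stat(path).st_mode
        except OSError:
            findings.append((name, "file-not-readable"))
            continue
        if not stat.S_ISREG(mode):
            findings.append((name, "not-a-regular-file"))
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "writable-by-group-or-others"))
    return sorted(findings)


def demo():
    """Audit a constructed configuration that points at constructed script files."""
    with tempfile.TemporaryDirectory() as workdir:
        loose = os.path.join(workdir, "create.groovy")
        tight = os.path.join(workdir, "update.groovy")
        for path, mode in ((loose, 0o666), (tight, 0o640)):
            with open(path, "w") as handle:
                handle.write("// constructed placeholder script\n")
            os.chmod(path, mode)
        config = {
            "Reload Script On Execution": "true",
            "Create Script Filename": loose,
            "Update Script": "// constructed inline content",
            "Update Script Filename": tight,
            "Search Script Filename": "scripts/search.groovy",  # assumed key, relative on purpose
        }
        return audit_scripted_connector(config, production=True)


if __name__ == "__main__":
    for prop, finding in demo():
        print(f"{prop}: {finding}")
```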



Re: Custom Attributes

2017-03-20 Thread Francesco Chicchiriccò

On 20/03/2017 16:57, Vlad Zelenko wrote:
I can see the link.  It shows Viewing Restriction to You and Me, No 
EDIT restrictions.


I can add comments, and see no way to add/change page content.  :)


Please try again...

On Mon, Mar 20, 2017 at 11:53 AM Francesco Chicchiriccò 
<ilgro...@apache.org <mailto:ilgro...@apache.org>> wrote:


Hi,
you should now be able to edit


https://cwiki.apache.org/confluence/display/SYNCOPE/Apache+Syncope+2.0+Primer

Please let me know if it works.
Regards.

On 20/03/2017 15:23, Francesco Chicchiriccò wrote:
> On 20/03/2017 15:17, vladz wrote:
>> [...]
>> I'll say, an illustrated how-to document for most common tasks involving
>> both the configuration and UI would eliminate questions like mine. And to
>> put my "money" where my "mouth" is - I'd be happy to help with that.  :)
>
> That's great to hear, Vlad!
>
> Please first review [1], then send an ICLA [2] and create an account
> on Confluence [3]; once done, please communicate your username so that
> I can grant you with editing rights.
>
> FYI, the only resource available online providing some kind of HOWTO
> for Syncope 2.0 is [4], maybe it could be useful for you too.
>
> Regards.
>
> [1] http://syncope.apache.org/contributing.html
> [2] http://www.apache.org/licenses/#clas
> [3] https://cwiki.apache.org/confluence/signup.action
> [4] http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Custom Attributes

2017-03-20 Thread Francesco Chicchiriccò

Hi,
you should now be able to edit

https://cwiki.apache.org/confluence/display/SYNCOPE/Apache+Syncope+2.0+Primer

Please let me know if it works.
Regards.

On 20/03/2017 15:23, Francesco Chicchiriccò wrote:

On 20/03/2017 15:17, vladz wrote:

[...]
I'll say, an illustrated how-to document for most common tasks involving
both the configuration and UI would eliminate questions like mine.  And to
put my "money" where my "mouth" is - I'd be happy to help with that.  :)


That's great to hear, Vlad!

Please first review [1], then send an ICLA [2] and create an account 
on Confluence [3]; once done, please communicate your username so that 
I can grant you with editing rights.


FYI, the only resource available online providing some kind of HOWTO 
for Syncope 2.0 is [4], maybe it could be useful for you too.


Regards.

[1] http://syncope.apache.org/contributing.html
[2] http://www.apache.org/licenses/#clas
[3] https://cwiki.apache.org/confluence/signup.action
[4] 
http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Custom Attributes

2017-03-20 Thread Francesco Chicchiriccò

On 20/03/2017 15:17, vladz wrote:

[...]
I'll say, an illustrated how-to document for most common tasks involving
both the configuration and UI would eliminate questions like mine.  And to
put my "money" where my "mouth" is - I'd be happy to help with that.  :)


That's great to hear, Vlad!

Please first review [1], then send an ICLA [2] and create an account on 
Confluence [3]; once done, please communicate your username so that I 
can grant you with editing rights.


FYI, the only resource available online providing some kind of HOWTO for 
Syncope 2.0 is [4], maybe it could be useful for you too.


Regards.

[1] http://syncope.apache.org/contributing.html
[2] http://www.apache.org/licenses/#clas
[3] https://cwiki.apache.org/confluence/signup.action
[4] 
http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Custom Attributes

2017-03-20 Thread Francesco Chicchiriccò

On 19/03/2017 20:49, vladz wrote:

While registering the new user, I'd like to be able to save additional data.
In the default installation, there was a 'plainAttrs' schema entry for
'email', which I replaced by lastname and firstname, both defined as String
types, not required, no validation, no integrity checks.

When I try to add user with these values set as "plainAttrs": [], the user
saves just fine.  When I add data there, as:

   "plainAttrs": [
   {
   "schema":"firstname",
   "values":["Test"]
   },
   {
   "schema":"lastname",
   "values":["Last"]
   }
   ]

it fails to save, the following error found in core-persistence.log:

14:16:39.348 WARN
org.apache.syncope.core.persistence.jpa.validation.entity.EntityValidationListener
- Bean validation errors found:
[ConstraintViolationImpl{rootBean=JPAUser[null], propertyPath='plainAttrs',
message='InvalidPlainAttr;lastname not allowed for this instance',
leafBean=JPAUser[null], value=JPAUser[null]}]

and core-rest.log contains more details:

15:35:35.729 ERROR
org.apache.syncope.core.rest.cxf.RestServiceExceptionMapper - Exception
thrown
org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException:
JPAUser [InvalidPlainAttr]
at
org.apache.syncope.core.persistence.jpa.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:71)
~[syncope-core-persistence-jpa-2.0.2.jar:2.0.2]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
~[?:1.8.0_66]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[?:1.8.0_66]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:1.8.0_66]
at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_66]
at
org.apache.openjpa.event.BeanLifecycleCallbacks.makeCallback(BeanLifecycleCallbacks.java:85)
~[openjpa-kernel-2.4.2.jar:2.4.2]


Then configuration for Plain Attrs looks like this:

(select id, `mandatoryCondition`, multivalue, readonly, type,
uniqueConstraint, validatorClass from PlainSchema where id like '%name')

id         mandatoryCondition  multivalue  readonly  type    uniqueConstraint  validatorClass
firstname  false               0           0         String  0                 NULL
lastname   false               0           0         String  0                 NULL

Why am I not able to save these 2 attributes during self-registration?


Hi,
short answer: from Admin Console, go to Configuration > Types > 
AnyTypesClasses, edit 'BaseUser' and add 'firstname' and 'lastname' there.


Long answer: invest some time in understanding how the type management 
works in Syncope:

https://syncope.apache.org/docs/reference-guide.html#type-management

HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Login Logic

2017-03-18 Thread Francesco Chicchiriccò

On 2017-03-17 23:06 vladz wrote:
I hope I am not getting on the wrong track...  But here goes.  Now that I've
worked out the logic for Self-Registration, I am wondering If and How I
could manage the login process via Syncope.

I have not found any REST methods for "authenticating" the user.  That is,
sending in a combination of user name and password, receiving back an
identity key or user object.

How can the client app resolve the user stored in syncope via
self-registration where the app itself does not keep a separate user store?


Up to Syncope 2.0.2 (e.g. the current stable version), the only 
authentication method supported (at least, by default) is the HTTP Basic 
Authentication: this means that each and every REST method invocation 
requires an 'Authentication' HTTP header to be sent.
On the Syncope Core, such Authentication header is processed by the 
Spring Security components, which verify the passed credentials against 
the internal storage.


Starting with Syncope 2.0.3, however, the authentication process is 
reviewed, and support for JSON Web Tokens is introduced: the new process 
is described at [1]. Syncope 2.0.3 is expected to be released in some 
time - say about one month from now.

FYI, the current REST features are described in [2].

Regards.

[1] 
https://ci.apache.org/projects/syncope/reference-guide.html#rest-authentication-and-authorization
[2] 
https://syncope.apache.org/docs/reference-guide.html#restful-services

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Self Registration help

2017-03-17 Thread Francesco Chicchiriccò

On 16/03/2017 22:27, Vlad Zelenko wrote:
Hey all.  I am evaluating syncope as IMS, and want to test the REST 
API.  For starters, I am using Swagger UI to test self-registration.


Hi Vlad,
glad of your interest in Apache Syncope.

1.  (POST /users/self)  When I execute it from the browser, I 
invariably receive CODE 403 with message "Access to the specified 
resource has been forbidden."


Question: what is the value of the 'selfRegistration.allowed' 
configuration parameter [1] in your Syncope deployment? (You can find it 
out from Admin Console under Configuration > Parameters).

E.g. was self-registration enabled at all?

When enabled, the "POST /users/self" endpoint requires to be invoked 
anonymously, e.g. without any 'Authorization' HTTP header.
Are you sure that you did not populate the username / password fields in 
the Swagger UI when attempting the "POST /users/self" invocation?


2.  When I use the suggested 'curl' line 
(http://localhost:8080/syncope/rest/users/self?storePassword=true, 
etc.), 'Access Denied' is seen in 'core-rest.log' of the application, 
but nothing comes back to the STDOUT of cURL.


Use "curl -v" and you will get all the response headers, including 
X-Application-Error-Code and X-Application-Error-Info.

More on available REST headers at [2].

3. When I use regular create user in Swagger UI (POST /users) with the 
same UserTO payload (see below), the user is created in syncope, code 
201 is returned with a Generated Key.


PAYLOAD:
{"username":"test","password":"12SomeComplex!!!Pwd","realm":"/","securityQuestion":"","securityAnswer":"","plainAttrs":[{"schema":"email","values":[]}],"derAttrs":[],"virAttrs":[],"resources":[],"auxClasses":[],"memberships":[],"@class":"org.apache.syncope.common.lib.to.UserTO"}


My question is, what is the correct way of performing 
Self-registration using REST API (I need this for our web 
application?)  Losing my mind over this...


It seems - for very valid reasons, I presume - that you are not 
interested in the Enduser application [3] nor in using the Java client 
library [4] for communicating via REST with Core (architectural 
reference available at [5]).
I would invite you anyway to carefully consider all the related security 
aspects: you can read from [6] how we did tackle them in the Enduser 
application.


Regards.

[1] 
https://syncope.apache.org/docs/reference-guide.html#configuration-parameters

[2] https://syncope.apache.org/docs/reference-guide.html#rest-headers
[3] 
https://syncope.apache.org/docs/reference-guide.html#customization-enduser

[4] https://syncope.apache.org/docs/reference-guide.html#client-library
[5] https://syncope.apache.org/docs/reference-guide.html#architecture
[6] http://blog.tirasa.net/syncope-enduser-security-features.html

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
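An added example, not part of the original message and not Syncope code: a small parser for `curl -v` output that applies the two checks from the reply above, namely whether the "POST /users/self" call carried an 'Authorization' header and what the X-Application-Error-Code / X-Application-Error-Info response headers say. The trace, the header values in it and all function names are constructed for illustration; only the authentication scheme is reported, never the credentials.

```python
import re

REQUEST_LINE = re.compile(r"^> (?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+$")
STATUS_LINE = re.compile(r"^< HTTP/[\d.]+ (?P<status>\d{3})")
HEADER_LINE = re.compile(r"^(?P<dir>[<>]) (?P<name>[A-Za-z0-9-]+):\s*(?P<value>.*)$")

# Constructed trace in the shape printed by "curl -v" (">" request, "<" response).
SAMPLE_TRACE = """\
*   Trying 127.0.0.1...
> POST /syncope/rest/users/self?storePassword=true HTTP/1.1
> Host: localhost:8080
> Authorization: Basic ZXhhbXBsZTpleGFtcGxl
> Content-Type: application/json
>
< HTTP/1.1 403 Forbidden
< X-Application-Error-Code: CONSTRUCTED-ERROR-CODE
< X-Application-Error-Info: constructed error info
<
"""


def parse_curl_verbose(trace):
    """Split a curl -v trace into the last request and the last response seen."""
    request = {"method": None, "target": None, "headers": {}}
    response = {"status": None, "headers": {}}
    for raw in trace.splitlines():
        line = raw.rstrip("\r")
        match = REQUEST_LINE.match(line)
        if match:
            request = {"method": match["method"], "target": match["target"], "headers": {}}
            continue
        match = STATUS_LINE.match(line)
        if match:
            # A new status line (redirect, 100 Continue) starts a new response.
            response = {"status": int(match["status"]), "headers": {}}
            continue
        match = HEADER_LINE.match(line)
        if match:
            side = request if match["dir"] == ">" else response
            side["headers"][match["name"].lower()] = match["value"].strip()
    return request, response


def diagnose_self_registration(trace):
    """Report why a self-registration call may have been refused."""
    request, response = parse_curl_verbose(trace)
    path = (request["target"] or "").split("?", 1)[0]
    is_self = request["method"] == "POST" and path.endswith("/users/self")
    auth = request["headers"].get("authorization")
    report = {
        "self_registration_call": is_self,
        "status": response["status"],
        # Scheme only: the credential part must not end up in reports or logs.
        "authorization_scheme": auth.split(" ", 1)[0] if auth else None,
        "error_code": response["headers"].get("x-application-error-code"),
        "error_info": response["headers"].get("x-application-error-info"),
        "hints": [],
    }
    if is_self and auth:
        report["hints"].append(
            "remove the Authorization header: POST /users/self must be invoked anonymously"
        )
    if is_self and response["status"] == 403 and not auth:
        report["hints"].append(
            "check 'selfRegistration.allowed' under Configuration > Parameters"
        )
    return report


if __name__ == "__main__":
    for key, value in diagnose_self_registration(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```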



Re: Hosted syncope provider

2017-03-15 Thread Francesco Chicchiriccò

On 14/03/2017 18:54, Amish Munshi wrote:

Hello All,

I wanted to introduce myself and had a couple of questions on syncope. I have 
been using multiple identity management products and have done several IDM 
deployments ranging up to 100 million users with 100 authentications/second and 
1000 authorizations/second.


Hi Amish,
well, your numbers look impressive, congratulations.


Syncope seems very interesting and I wanted to check whether it's possible to 
provide a hosted syncope solution to my clients.


Glad to hear this!


Is there already a hosted syncope provider that we can subscribe to?


Not that I am aware of, at least none that declares that publicly.

If you want to taste Apache Syncope - only for evaluation - you could 
download the standalone distribution from


http://www.apache.org/dyn/closer.lua/syncope/2.0.2/syncope-standalone-2.0.2-distribution.zip

and read how to run it at

http://syncope.apache.org/docs/getting-started.html#standalone


Is it possible to host a single syncope implementation as multi tenant 
implementation?


Yes it is: since 2.0, Apache Syncope supports multi-tenancy via domains: 
more at


https://syncope.apache.org/docs/reference-guide.html#domains

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Creating a virtual schema type ->empty type list

2017-03-03 Thread Francesco Chicchiriccò

On 03/03/2017 08:49, Mikael Ekblom wrote:


Hi,

Sorry, I don't get this last point: FYI, Syncope can be deployed and 
run in Windows environments too.


I was referring to the fact that it might be that we will jump over to 
deploy Syncope on some Linux-distribution. But as you said, it is 
deployed already on a Windows server and works fine.


What we need to check is how to connect to office365 PowerShell and 
automatically assign licenses through the IDM if possible.


Synchronization with Azure AD should work out of the box through sync 
with AD ->  Azure AD connect , but assigning licenses is something 
else. This should also be role based. I must see what I can find for 
that or maybe write my own bundle




Now I understand, interesting.

FYI, verifying the connection with Office365 is on my (quite long ATM) 
TODO list, too :-)

Regards.


*From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Wednesday 1 March 2017 16.30
*To:* user@syncope.apache.org
*Subject:* Re: Creating a virtual schema type ->empty type list

On 01/03/2017 08:29, Mikael Ekblom wrote:

Hi,

OK, so that was the logic behind it!  Now I start to have all the
dependencies clear.  Tested it and now everything makes sense.


That's great to hear.


Our deployment is pretty small though. Only 200 + personnel + some
2000 students. But I’ll check the Postgres option. The core seems
to be configured by default towards the Postgres option.


Yes, it is :-)


I like the way you can augment Syncope if needed in a strongly
typed language. Maybe we’ll even be able to remove the existing
php-based “IDM”, which is more of a plain sync engine with no
editable business logic capabilities whatsoever. Not my
production though…

It might be that we will end up with a *nix environment in the end.


Sorry, I don't get this last point: FYI, Syncope can be deployed and 
run in Windows environments too.


Regards.


*From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Tuesday 28 February 2017 17.54
*To:* user@syncope.apache.org <mailto:user@syncope.apache.org>
*Subject:* Re: Creating a virtual schema type ->empty type list

On 28/02/2017 16:26, Mikael Ekblom wrote:

Hi,

We are currently evaluating Syncope as a candidate for our
future IDM.


Hi,
glad to hear that :-)



We have some choices on the table and we are even considering
writing our own IDM from scratch, but that is something I
would like to avoid for practical reasons… :-) I think that would
be inventing the wheel again nowadays. Our neighbor Helsinki
University is implementing the same solution, so I thought
that I will join the community regarding this one.

Anyhow, I have a working Syncope 2.0.2 running on a Windows
server 2012 R2 with mysql as the backbone. It is setup and
configured via Apache Maven and is running with Tomcat 8.5 as
the container.  Everything seems to be working.

I have managed to create the connector to our AD with the
built in/shipped connector. I have also assigned a resource to
that connector. Via that resource, we will pull information
from our AD as an initial test. The connector reports that it
works.


Very nice, indeed.

One note: while it is perfectly fine for evaluation, I would
personally prefer PostgreSQL over MySQL / MariaDB, as some of my
customers have been reporting complaints about search performances.
We have been constantly providing enhancements and fixes about
that, but there have been simply no issues in all the
PostgreSQL-based deployments - some of them being very large in
numbers.



One problem though. I have been able to create all schema
types but the virtual one. When I’m supposed to create a
virtual schema type for attributes that Syncope will not own
and set the ad-resource as the  de facto resource, the type
drop down list for the virtual schema is empty and just states
“Choose one”.

What am I missing here? Some schema definition topic missed
somewhere? This is not a panic question, as we are just
evaluating, but I figure that I might save some time to ask
via the mailing list first. I do have my own abstractions to
do for our own maybe to come IDM… :-)


I am assuming you are using the Admin UI here.
If so, you need first to select a Resource (among the ones
available) and then the Type combo will be populated with all the
provision rules defined for that Resource.
Finally, you will need to provide the external attribute to which
the new Virtual Schema's attributes will be linked.

More details available at:

https://syncope.apache.org/docs/reference-guide.html#virtual

HTH
Regards.


--
Francesco Chicchiriccò

Re: Users Can't Save Answers to Security Questions

2017-03-02 Thread Francesco Chicchiriccò

Hi,
welcome to Syncope.

You'll find my comments embedded below.
Regards.

On 03/03/2017 01:20, Terrance A. Crow wrote:

I’m having an issue with both Syncope 2.0.1 and Syncope 2.0.2 where the 
end-users can’t save their answers to security questions.

Steps to recreate:

1. Using syncope-console as admin, create a security question.
2. Log in to syncope-enduser as a normal (non-admin) user. Select the new 
security question, specify an answer, click on Finish, click on Save, and enter 
the correct captcha information.
3. Log back on using the same ID to syncope-enduser and observe that the answer 
to the security question is blank.
4. Log into syncope-console as admin, add the security answer to the USER 
Search screen, and observe a blank answer for the user in question.


Once set, the security answer is *never* reported, neither in Admin 
Console nor in Enduser UI, to avoid potential security issues.
I have just added a note to the SNAPSHOT reference guide [1]: this 
version will replace [2] once next release (2.0.3) will be out.

Thanks for reporting!

The password reset process, however, is not working properly until the 
latest fixes already available in 2.0.3-SNAPSHOT, that will be publicly 
available (alongside with others) with Syncope 2.0.3.



The ID’s the result of a self-registration.

Syncope’s running on CentOS 7 (patched to current) under Oracle Java JDK 
1.8.0_121. The Tomcat version is 8.0.41.

I found a similar condition in Jira (SYNCOPE-942), but it’s not an exact match 
and that issue’s closed.

Am I missing something obvious?


[1] 
https://ci.apache.org/projects/syncope/reference-guide.html#password-reset-no-security-answer

[2] https://syncope.apache.org/docs/reference-guide.html#password-reset

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Creating a virtual schema type ->empty type list

2017-03-01 Thread Francesco Chicchiriccò

On 01/03/2017 08:29, Mikael Ekblom wrote:


Hi,

OK, so that was the logic behind it!  Now I start to have all the 
dependencies clear.  Tested it and now everything makes sense.




That's great to hear.

Our deployment is pretty small though. Only 200 + personnel + some 
2000 students. But I’ll check the Postgres option. The core seems to 
be configured by default towards the Postgres option.




Yes, it is :-)

I like the way you can augment Syncope if needed in a strongly typed 
language. Maybe we’ll even be able to remove the existing php-based 
“IDM”, which is more of a plain sync engine with no editable business 
logic capabilities whatsoever. Not my production though…


It might be that we will end up with a *nix environment in the end.



Sorry, I don't get this last point: FYI, Syncope can be deployed and run 
in Windows environments too.


Regards.


*From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Tuesday 28 February 2017 17.54
*To:* user@syncope.apache.org
*Subject:* Re: Creating a virtual schema type ->empty type list

On 28/02/2017 16:26, Mikael Ekblom wrote:

Hi,

We are currently evaluating Syncope as a candidate for our future IDM.


Hi,
glad to hear that :-)


We have some choices on the table and we are even considering
writing our own IDM from scratch, but that is something I would
like to avoid for practical reasons… :-) I think that would be
inventing the wheel again nowadays. Our neighbor Helsinki
University is implementing the same solution, so I thought that I
will join the community regarding this one.

Anyhow, I have a working Syncope 2.0.2 running on a Windows server
2012 R2 with mysql as the backbone. It is setup and configured via
Apache Maven and is running with Tomcat 8.5 as the container.
Everything seems to be working.

I have managed to create the connector to our AD with the built
in/shipped connector. I have also assigned a resource to that
connector. Via that resource, we will pull information from our AD
as an initial test. The connector reports that it works.


Very nice, indeed.

One note: while it is perfectly fine for evaluation, I would 
personally prefer PostgreSQL over MySQL / MariaDB, as some of my 
customers have been reporting complaints about search performances.
We have been constantly providing enhancements and fixes about that, 
but there have been simply no issues in all the PostgreSQL-based 
deployments - some of them being very large in numbers.



One problem though. I have been able to create all schema types
but the virtual one. When I’m supposed to create a virtual schema
type for attributes that Syncope will not own and set the
ad-resource as the  de facto resource, the type drop down list for
the virtual schema is empty and just states “Choose one”.

What am I missing here? Some schema definition topic missed
somewhere? This is not a panic question, as we are just
evaluating, but I figure that I might save some time to ask via
the mailing list first. I do have my own abstractions to do for
our own maybe to come IDM… :-)


I am assuming you are using the Admin UI here.
If so, you need first to select a Resource (among the ones available) 
and then the Type combo will be populated with all the provision rules 
defined for that Resource.
Finally, you will need to provide the external attribute to which the 
new Virtual Schema's attributes will be linked.


More details available at:

https://syncope.apache.org/docs/reference-guide.html#virtual

HTH
Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Dynamic role - the task remains blocked

2017-03-01 Thread Francesco Chicchiriccò

On 01/03/2017 15:08, Tech wrote:

Hello,

thank you for your feedback.

As described, we stopped already the AS and we restarted, but the 
process was continuing to turn.


And did you check if there was any zombie java process around, after 
stopping and *before* starting again?


The only solution was to restore the database, but we know that 
this situation will repeat for sure, that's why we would like to 
find a solution


As usual, you need to investigate in the logs what is the actual source 
for the error, possibly trying to isolate as much as possible what makes 
the system unstable.


Regards.


On 01/03/17 14:57, Francesco Chicchiriccò wrote:

Hi,
I am assuming that this e-mail is a duplicate of [1]: correct?

See my replies below.
Regards.

On 01/03/2017 10:35, Tech wrote:

Dear experts,

we want to report you something we detected in the Syncope-Console.

We are importing some information from a database where a column is 
called "MYGROUP" and the content is "Employee".


We created a group into Syncope called MYGROUP and in the group we 
defined a Dynamic group where the attribute.myrole == Employee, the 
user is automatically assigned to the group.


When we check the users, we can validate that they are correctly 
assigned to the group MYGROUP.


We perform some modification on the Database, we run again the pull, 
but this time we see that from the Dashboard/Control/Available, we 
see the pull still running, and also pushing on the Stop, the popup 
will confirm us that the task has been performed correctly,


It seems that the pull task has entered into some kind of error 
condition that cannot be stopped by the Quartz engine (an example 
could be some kind of blocking I/O operation).



but also restarting Syncope, the task will be still running.


This is really odd: please try to

1. stop the Java EE container
2. check with ps if there is any hanging java process and kill -9 if so
3. start again the Java EE container

I think the actual problem is, as said above, something that prevents 
the Java EE container to exit properly.


We are not able to run anymore any Pull, and we were forced to run a 
restore of the database.


What should be done to avoid this?


[1] 
https://lists.apache.org/thread.html/6bef9e8a38a3635fe5144935e92f188a8b5b7032f8b3814de6f94e35@%3Cuser.syncope.apache.org%3E


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Dynamic role - the task remains blocked

2017-03-01 Thread Francesco Chicchiriccò

Hi,
I am assuming that this e-mail is a duplicate of [1]: correct?

See my replies below.
Regards.

On 01/03/2017 10:35, Tech wrote:

Dear experts,

we want to report you something we detected in the Syncope-Console.

We are importing some information from a database where a column is 
called "MYGROUP" and the content is "Employee".


We created a group into Syncope called MYGROUP and in the group we 
defined a Dynamic group where the attribute.myrole == Employee, the 
user is automatically assigned to the group.


When we check the users, we can validate that they are correctly 
assigned to the group MYGROUP.


We perform some modification on the Database, we run again the pull, 
but this time we see that from the Dashboard/Control/Available, we see 
the pull still running, and also pushing on the Stop, the popup will 
confirm us that the task has been performed correctly,


It seems that the pull task has entered into some kind of error 
condition that cannot be stopped by the Quartz engine (an example could 
be some kind of blocking I/O operation).



but also restarting Syncope, the task will be still running.


This is really odd: please try to

1. stop the Java EE container
2. check with ps if there is any hanging java process and kill -9 if so
3. start again the Java EE container

I think the actual problem is, as said above, something that prevents 
the Java EE container to exit properly.


We are not able to run anymore any Pull, and we were forced to run a 
restore of the database.


What should be done to avoid this?


[1] 
https://lists.apache.org/thread.html/6bef9e8a38a3635fe5144935e92f188a8b5b7032f8b3814de6f94e35@%3Cuser.syncope.apache.org%3E


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Assign group to user from DB

2017-03-01 Thread Francesco Chicchiriccò

Hi,
are you sure that you are using the Scripted SQL connector?
The Database Table connector, in fact, only provides support for the 
__ACCOUNT__ ObjectClass, e.g. only for users, as suggested by the error 
below.


In order to use the Scripted SQL connector, you must also provide the 
adequate Groovy scripts matching your own database schema; some samples 
can be found under the


core/src/test/resources/scriptedsql

directory of your generated Maven project.

HTH
Regards.

On 27/02/2017 17:47, Tech wrote:


Hello,

coming back to this point: we prepared the code to integrate the group 
propagation from a DB to Syncope but we encountered some problems.


Before integrating the code that we developed, we started to add the 
concept of Group into our system.


  * Our database has a column called "role", where the only content is
"GroupTest".
  * We created the group "GroupTest" also in Syncope to have a 1:1
relation.
  * We created the type "role" and we put it into the "BaseGroup" schema.
  * We go back to the resources and we Edit provision rules, we add a
Group that we map with name:role.

From now on, every Pull, also the one for the Users, will terminate 
in a FAILURE with the error:


org.quartz.JobExecutionException: While pulling from connector [See nested exception: java.lang.IllegalArgumentException: Operation requires an Account ObjectClass.]
at org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:284)
at org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:60)
at org.apache.syncope.core.provisioning.java.pushpull.AbstractProvisioningJobDelegate.doExecute(AbstractProvisioningJobDelegate.java:558)
at org.apache.syncope.core.provisioning.java.job.AbstractSchedTaskJobDelegate.execute(AbstractSchedTaskJobDelegate.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)


Removing the mapping of the group, everything will turn back to normality.

Any idea why this could happen?

Thanks!

On 06/02/17 17:58, Marco Di Sabatino Di Diodoro wrote:


On 06/02/2017 17:41, Marco Di Sabatino Di Diodoro wrote:


Hi,


On 06/02/2017 17:11, Tech wrote:


Dear experts,

we're pulling information from a database. We want to assign 
automatically a group to a user.


The original table has a format like

-- "USERNAME" : "user01"

-- "ROLE": "employee"



In a pull task it is possible to add a template. The template can be 
used for setting default values on entities during a pull task.
To configure a template go to Topology --> select the external 
resource to pull --> Pull Task and click the Template icon [1 Pull 
Templates].


[1] https://syncope.apache.org/docs/reference-guide.html#provisioning-pull


If a User is associated to a Group in your Database, and you would like 
to assign the corresponding User as a member of the corresponding Group 
in Syncope, you must implement a Pull Action [1]. ConnId doesn't 
implement the assignment of a membership, so to obviate we can use a 
pull action.


[1] https://syncope.apache.org/docs/reference-guide.html#pullactions


We want the user being created into Syncope associated to the 
already existing group "employee", but we don't see how to create 
this association.


Is there any reference that we should check?

Thanks


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: AD-sync errors

2017-03-01 Thread Francesco Chicchiriccò

On 01/03/2017 10:52, g2hari wrote:

In between, is there any detailed Active directory sync document available ?

I followed the below documentation which was created in 5th June (outdated),
https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+Active+Directory+resource


There is a pretty clear statement on top of the page that says:

Version Warning
The content below is for Apache Syncope <= 1.2 - for later versions the 
Reference Guide is available.


I suppose you are using Apache Syncope 2.0, no?


Many of them are not covered with the new interface, clarity missing on
Internal and external mapping for Active directory attributes.



There is no similar documentation yet for 2.0; the only related content 
(but for LDAP) can be found in


http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Creating a virtual schema type ->empty type list

2017-02-28 Thread Francesco Chicchiriccò

On 28/02/2017 16:26, Mikael Ekblom wrote:


Hi,

We are currently evaluating Syncope as a candidate for our future IDM.



Hi,
glad to hear that :-)

We have some choices on the table and we are even considering writing 
our own IDM from scratch, but that is something I would like to avoid 
for practical reasons… :-) I think that would be inventing the wheel 
again nowadays. Our neighbor Helsinki University is implementing the 
same solution, so I thought that I will join the community regarding 
this one.


Anyhow, I have a working Syncope 2.0.2 running on a Windows server 
2012 R2 with mysql as the backbone. It is setup and configured via 
Apache Maven and is running with Tomcat 8.5 as the container. 
Everything seems to be working.


I have managed to create the connector to our AD with the built 
in/shipped connector. I have also assigned a resource to that 
connector. Via that resource, we will pull information from our AD as 
an initial test. The connector reports that it works.




Very nice, indeed.

One note: while it is perfectly fine for evaluation, I would personally 
prefer PostgreSQL over MySQL / MariaDB, as some of my customers have 
been reporting complaints about search performances.
We have been constantly providing enhancements and fixes about that, but 
there have been simply no issues in all the PostgreSQL-based deployments 
- some of them being very large in numbers.


One problem though. I have been able to create all schema types but 
the virtual one. When I’m supposed to create a virtual schema type for 
attributes that Syncope will not own and set the ad-resource as the 
de facto resource, the type drop down list for the virtual schema is 
empty and just states “Choose one”.


What am I missing here? Some schema definition topic missed somewhere? 
This is not a panic question, as we are just evaluating, but I figure 
that I might save some time to ask via the mailing list first. I do 
have my own abstractions to do for our own maybe to come IDM… :-)




I am assuming you are using the Admin UI here.
If so, you need first to select a Resource (among the ones available) 
and then the Type combo will be populated with all the provision rules 
defined for that Resource.
Finally, you will need to provide the external attribute to which the 
new Virtual Schema's attributes will be linked.


More details available at:

https://syncope.apache.org/docs/reference-guide.html#virtual

HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Understanding connector agent in remote system

2017-02-23 Thread Francesco Chicchiriccò


Hi,
a ConnId Connector Server [1] can be essentially seen as a remote 
container for connector bundles.


Normally, Syncope is configured to look up for connector bundles from a 
local directory, but there are more options [2], including referencing 
connector servers.


Once a (Java or .Net) connector server is set up and running, Syncope 
will be able to use the connector bundles deployed there as if they were 
instead deployed in a local directory.


As you can imagine, this is especially useful when, for example, you are 
running Syncope on Linux but need to provision by using PowerShell 
scripts, which require to be run on Windows.

In this case, all you need is to

1. deploy a Java connector server on Windows
2. deploy the ConnId CMD bundle [3] onto such connector server
3. write the PowerShell scripts
4. configure Syncope (as explained in [2]) for using such connector server
5. use the Admin Console to configure the CMD bundle as if it was
   deployed locally

The communication between Syncope and ConnId connector servers is based 
on a TCP protocol defined by ConnId, which can also use SSL (as 
explained in [2]).


HTH
Regards.

On 22/02/2017 14:22, Tech wrote:


Dear experts,

we checked from the documentation that the conn bundles could be also 
deployed on the target system instead of that in Syncope.


We want to understand with you if it would be possible to configure a 
similar scenario and to validate if our understanding is correct:


  * Syncope is deployed on Server1 and the target system on the Server2.
  * Syncope calls the remote connector deployed on the Server2 (using
REST?)
  * The remote connector deployed on Server2 extracts the data (SELECT
FIRSTNAME, LASTNAME FROM USER;)
  * The remote connector caches the result of the query
  * Syncope extracts the information from the remote connector and takes
them to Server1.

Is that correct?

Thanks


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Bug to JEXL script using custom field with "-" propagating a "0"

2017-02-15 Thread Francesco Chicchiriccò
On 15/02/2017 16:18, Tech wrote: 




Dear Experts, 

we want to bring to your attention a bug that we detected into the admin 
console. 

If you create a custom field containing a dash "-" like "first-name", we 
detected that in the case we would like to apply some JEXL in the push (but 
maybe this might apply also in other cases), for example if we want to push our 
internal field "first-name" to Active Directory "email", the provisioning will 
just propagate "0". 

For example: 


* first-name + '@mydomain.local' 


will return 

* "0@mydomain.local" 
This error will disappear if the field will be named "first_name" or 
"firstname". 

Let us know if we should open a bug in Jira. 


This limitation actually comes from the fact that you are using a schema in a 
JEXL expression, and variables in JEXL (similarly as in Java) do not admit the 
minus character in their name; see 

https://commons.apache.org/proper/commons-jexl/reference/syntax.html 

for reference, under 'Identifiers / variables' 

Regards. 
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
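
Added example (not part of the original thread, and not Syncope's own code): a pre-flight check that flags schema names which cannot be referenced as JEXL variables, followed by an evaluation of the expression quoted in the message above, where "first-name" is read as the subtraction "first - name". The class name, the sample attribute values and the lenient engine settings (strict(false), silent(true)) are assumptions; commons-jexl3 must be on the classpath.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.MapContext;

// Hypothetical helper class, written for this example only.
public class JexlSchemaNameCheck {

    // Conservative identifier rule from the JEXL syntax reference:
    // first character a-z, A-Z, _ or $, then the same set plus digits.
    private static final Pattern IDENTIFIER =
            Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]*");

    // Reserved words from the JEXL syntax reference (conservative subset);
    // a schema with one of these names cannot be used as a plain variable.
    private static final Set<String> RESERVED = new HashSet<>(Arrays.asList(
            "or", "and", "eq", "ne", "lt", "gt", "le", "ge", "div", "mod",
            "not", "null", "true", "false", "new", "var", "return",
            "empty", "size"));

    // Returns null when the name is safe to reference in a JEXL expression,
    // otherwise a short reason suitable for a validation message.
    static String problemWith(String schemaName) {
        if (schemaName == null || schemaName.isEmpty()) {
            return "empty name";
        }
        if (!IDENTIFIER.matcher(schemaName).matches()) {
            return "not a JEXL identifier";
        }
        if (RESERVED.contains(schemaName)) {
            return "JEXL reserved word";
        }
        return null;
    }

    // Evaluates an expression with the given attributes exposed as variables.
    static Object evaluate(JexlEngine jexl, String expression,
            Map<String, Object> attributes) {
        JexlContext context = new MapContext();
        attributes.forEach(context::set);
        return jexl.createExpression(expression).evaluate(context);
    }

    public static void main(String[] args) {
        // Assumption: a lenient, silent engine, so undefined variables and
        // null operands do not raise exceptions during evaluation.
        JexlEngine jexl = new JexlBuilder().strict(false).silent(true).create();

        // Constructed sample attributes; the values are made up.
        Map<String, Object> attributes = new LinkedHashMap<>();
        attributes.put("first-name", "mario");
        attributes.put("first_name", "mario");
        attributes.put("firstname", "mario");

        // 1. Validation step to run before a schema name is used in a mapping.
        for (String name : attributes.keySet()) {
            String problem = problemWith(name);
            System.out.println(name + " -> "
                    + (problem == null ? "ok" : "REJECT: " + problem));
        }

        // 2. The expression from the thread: the parser sees the variables
        //    "first" and "name" joined by a minus sign, never the attribute
        //    stored under the key "first-name".
        System.out.println(
                evaluate(jexl, "first-name + '@mydomain.local'", attributes));

        // 3. The renamed schema is a single identifier and resolves normally.
        System.out.println(
                evaluate(jexl, "first_name + '@mydomain.local'", attributes));
    }
}
```

Running the name check over the schema list before writing mapping expressions catches the problem at configuration time, instead of after a placeholder value has been propagated to the external resource.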



Re: Active Directory password propagation

2017-02-15 Thread Francesco Chicchiriccò
On 15/02/2017 13:56, Tech wrote: 



Hello, 

actually that field at that stage was not flagged. 

Checking them it's now working, but what generated confusion is that without 
checking them, the other information as FirstName, LastName etc are propagated. 

Is there a way to keep as default the check [v] active? 



No, but that panel will disappear once 2.0.3 will be out (see [1]), and the 
default behaviour will be as if every check was active. 

Regards. 

[1] https://issues.apache.org/jira/browse/SYNCOPE-991 



On 15/02/2017 12:07, Andrea Patricelli wrote: 



Good morning, 

we made a double check and password propagation on Active Directory was 
successful. 

In the user edit form (first tab of the wizard), beneath password and confirm 
password text areas, there are two (or more) checkboxes (depends on the number 
of resources associated to the user), have you flagged the AD checkbox? 
Please see image at [1]. 

HTH, 
Andrea 
[1] https://ibin.co/3CTCYNjuyWT7.png 

On 13/02/2017 14:52, Tech wrote: 


Dear experts, 

We guess that there is a bug in the AD connector. 


1. We are able to set in SSL the connection 
2. we can create a user with a chosen password 
3. we login with success to the system using the chosen password 
4. we try to change any value from the user interface and these changes are 
immediately reflected to the AD 
5. we change the password, but it is not propagated 
6. we change the first name and it's correctly propagated, but the password 
is not 
7. we try to manually run the PushTask, and only in this case the password 
is correctly propagated 


We are able to automatically propagate all fields except the password (that 
requires a manual propagation), could you please double check? 
Thanks 




On 30/01/2017 16:02, Tech wrote: 


The value in 'password.cipher.algorithm' was SHA1. 

We updated to AES, we changed again the password for the user and we tried to 
login again to the enduser portal. 

It's working, we tried to connect to AD but without success. 

We realized after that the password, with a difference with the other fields, 
is not immediately propagated when changed, but it's only propagated by the 
scheduler. 

Can this be changed? 

Thanks for your support 









On 30/01/2017 15:24, Francesco Chicchiriccò wrote: 


On 30/01/2017 15:18, Tech wrote: 


Yes, I can confirm, right in this moment we are only performing manual 
provisioning. 

This is of course not the goal, but before moving to an automatic provision of 
accounts we want the manual one working 


What is your value for the 'password.cipher.algorithm' general configuration 
parameter? If not 'AES', pushing password values (as any other encrypted value) 
will not work anyway. 

The point is that Active Directory requires cleartext password values 
(encrypted via ConnId's GuardedString), which are normally available only 
during user update, not later. This unless AES (e.g. reversible encryption) is 
set for internal password values. 
Provisioning - via resource assignment - is part of user update, push occurs 
after user update. 

Regards. 



On 30/01/2017 15:14, Francesco Chicchiriccò wrote: 


On 30/01/2017 15:11, Tech wrote: 


We are associating using a manual provisioning 


Do you mean that you are only relying on a push task for provisioning to AD? 

Could you confirm that you are *not* assigning the AD resource directly to the 
users, neither via group membership or template? 



Here the main information: 



Connector version 1.3.2 

-SSL enabled 
-Retrieve deleted users enabled 
-Retrieve deleted groups enabled 
-Trust all certs enabled 

Entry object classes: 
-Top 
-person 
-organizationalPerson 
-inetOrgPerson 
-user 

Custom user search filter 
cn=* 

Rootsuffixes + base contexts + default people container: 
ou=myad,dc=test,dc=local 

uidAttribute 
- cn 

Object classes to synchronize 
- user 



Resource: 

username -> cn (remote key) 
password -> __PASSWORD__ (Password) 
email -> mail 
fn -> givenName 
ln -> sn 
username -> sAMAccountName 

Object link 
'CN='+username+',OU=myad,dc=test,dc=local' 




Push tasks: 

Active 
Matching rule : Update 
Unmatching rule: provision 
Allow Create, update, delete, sync status 







On 30/01/2017 15:01, Francesco Chicchiriccò wrote: 


On 30/01/2017 14:53, Tech wrote: 


This is what happens when I open the Password Manager, while when I update the 
password no log is generated. 


This is what I suspected: you could definitely find a confirmation if you are 
able to verify that the user on Active Directory has still the password set 
during create (while on Syncope the password value was changed). 

How are you associating the users to the AD resource? Directly or via group? 
Could you please enlist your full connector configuration (with *all* options) 
an

Re: Password reset procedure from enduser interface

2017-02-13 Thread Francesco Chicchiriccò
On 13/02/2017 18:59, Tech wrote: 



Hello Francesco, 

Thanks for your update, we created the notification in the parameters and the 
template, but we get stuck before the point you were describing: 

We went through the procedure, the user creates his own account, with an email 
and a password. 

For simplicity, we created only one security question. 

Once he forgets the password, he comes back to the EndUser interface and he 
requests to insert the challenge answer. 

Even if the challenge answer is correct (and I can check that it's correctly 
stored into the database), we receive an error saying: 


18:44:20.883 ERROR org.apache.syncope.client.enduser.resources.UserSelfPasswordReset - Error while updating user 
java.lang.Exception: A correct security answer should be provided 
at org.apache.syncope.client.enduser.resources.UserSelfPasswordReset.newResourceResponse(UserSelfPasswordReset.java:76) ~[syncope-client-enduser-2.0.2.jar:2.0.2] 
[...] 

But we know that the challenge answer is correct and all in lowercase like in 
the database, I can't understand why it doesn't find the correct value. 



Yes, there are a couple of bugs, already fixed with 2.0.3-SNAPSHOT: 

https://issues.apache.org/jira/browse/SYNCOPE-1012 
https://issues.apache.org/jira/browse/SYNCOPE-1013 

I think you'd better move to 2.0.3-SNAPSHOT for your tests. 
Regards. 



On 19/01/2017 11:22, Francesco Chicchiriccò wrote: 

On 18/01/2017 14:13, Francesco Chicchiriccò wrote: 

On 18/01/2017 11:59, Francesco Chicchiriccò wrote: 

On 18/01/2017 11:38, Tech wrote: 

Hello, 

we faced something that could be a bug in version 2.0.1 and version 2.0.2. 

We created a SecurityQuestion from the Admin interface and the user is 
prompted to enter one during the creation of his account. 

The SecurityQuestion is correctly stored into the DB. 

We "forget" the password and we try to recover it using the interface, 
but we cannot reset it. 

This is happening both for existing and new users. 

Could you please double-check? 


I assume you have already checked 

https://syncope.apache.org/docs/reference-guide.html#password-reset 

to understand how the password reset process is expected to work. 


A fundamental part for the outlined procedure to be effective, is to have the 
notifications in place; see 

https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration 

for details. 

After that user has provided the correct answer to security question via 
EndUser UI, a notification e-mail based on the 'requestPasswordReset' template 
is sent; as you can see from the template, an URL for accessing the EndUser UI 
(containing the unique token generated for such request) is contained in the 
e-mail. 

Once clicked there, the process can continue with input of the new password 
value. 

Finally, another notification e-mail based on the 'confirmPasswordReset' 
template is sent out. 


FYI I have updated the password reset information with the further comments 
above; see 

https://ci.apache.org/projects/syncope/reference-guide.html#password-reset 

Regards. 



-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: AnyType Role assignment to Groups

2017-02-07 Thread Francesco Chicchiriccò

On 07/02/2017 11:55, Colm O hEigeartaigh wrote:

Hi Francesco,

On Mon, Feb 6, 2017 at 10:31 AM, Francesco Chicchiriccò 
<ilgro...@apache.org> wrote:



- OR create a condition "User U is dynamically assigned
CustomRole R because he is member of Group G”. I don’t find
the way how to define this condition in Syncope.


Only group memberships and role assignments can be static or dynamic.


Would it be possible to make this more flexible without changing a lot 
of code? If a user can have a UserCustomRole relationship to a 
CustomRole, then if the user is a member of group G then the 
relationship is dynamically defined between the user and CustomRole. 
It seems like a useful thing to be able to do to me or is there a 
technical reason why it can't be done?


So, you're essentially proposing to add the possibility to specify 
relationships between Groups and Any Objects (at the moment, only Users 
/ Any Objects and Any Objects / Any Objects).
The semantic should be that if group G has relationship R with Any 
Object A, all users and any objects in G will have such relationship with A.


It is indeed feasible, but it will require some modifications in the 
data model, JPA implementation, data binder and finally admin console.

Something not trivial but definitely doable.

Moreover, since it involves modifications in the database structure, I 
would see it for 2.1.0 at earliest.


Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: syncope-standalone maven artifact not available

2017-02-06 Thread Francesco Chicchiriccò

On 06/02/2017 19:56, Adrian Gonzalez wrote:

Hello,

I've the impression that syncope-standalone artifact is available only 
in SNAPSHOT repo.


It's available from here :
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/ 



But not from here:
https://repo.maven.apache.org/maven2/org/apache/syncope/syncope-standalone/


Am I missing a repo ?


The release process [1] deploys to the central Maven repository only the 
artifacts that can be effectively used via Maven.


The standalone distribution, the Eclipse IDE Plugin, the CLI, the DEB 
packages and the GUI installer are instead downloadable via the ASF dist 
area [2], and links to ASF mirror infrastructure are provided in [3].


The SNAPSHOT repository is instead populated by our Jenkins jobs [4].

Hope this clarifies.
Regards.

[1] http://syncope.apache.org/release-process.html
[2] https://www.apache.org/dist/syncope/
[3] http://syncope.apache.org/downloads.html
[4] https://builds.apache.org/view/S-Z/view/Syncope/

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: AnyType Role assignment to Groups

2017-02-06 Thread Francesco Chicchiriccò

Hi Sabina,
my replies below.

Regards.

On 05/02/2017 22:29, Sabina Mirauta wrote:

Hi Syncope users,

We need to store in Syncope roles for users and groups.
Since the Syncope roles are meant only for internal usage, I created 
an own AnyType CustomRole.
I have also defined a relationship UserCustomRole and for users I am 
able to create UserCustomRole relationships to CustomRoles.


For usability reasons we need to assign roles to groups, so that all 
users from a group have a role.
I don’t find another way to assign the CustomRole to a Group, than 
making the CustomRole a (static or dynamic) member of the group. I 
don’t like the role to be member of the group, members should be only 
the users.


AnyType instances are given the possibility to be member of groups, as 
much as users.



Can someone tell me a simple and more natural way to
- assign an AnyType CustomRole to a Group without making the 
CustomRole member of the group


No, at least without creating any extension to the data model.

- OR create a condition "User U is dynamically assigned CustomRole R 
because he is member of Group G”. I don’t find the way how to define 
this condition in Syncope.


Only group memberships and role assignments can be static or dynamic.

Or maybe I can create and assign CustomRoles in Syncope in another 
way? Like without AnyTypes?


Detailed instructions would help me very much.

Thank you!

Sabina Mirauta


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Deploy MVN Syncope with Workflow

2017-02-02 Thread Francesco Chicchiriccò

On 02/02/2017 14:27, Tech wrote:
The point is that we create a brand new database (empty), we deploy 
using "-P all" and for some reason the database is already filled with 
some test data.


We see that there are already some connectors configured, some roles 
and moreover some users like "*Verdi*", "*Rossini*" and "*Vivaldi*" 
that we don't understand where they are coming from.


This is the test content coming from

core/src/test/resources/domains/MasterContent.xml

which is normally only loaded when starting in embedded mode; in 
production mode (e.g. with plain build) the content from


core/src/main/resources/domains/MasterContent.xml

is loaded instead.

You should identify which MasterContent.xml is actually loaded when 
starting with an empty database, and possibly why.


Normally, the test content is expected to be loaded exclusively in the 
in-memory H2 instance used by embedded mode.


Regards.


On 02/02/2017 12:25, Francesco Chicchiriccò wrote:

On 02/02/2017 12:21, Tech wrote:


Dear experts,

we would like to deploy syncope 2.0.2 using the workflows.

We are using this command:

  * mvn -P all clean verify -Dconf.directory=/opt/syncope/conf
-Dbundles.directory=/opt/syncope/bundles
-Dlog.directory=/opt/syncope/log

In the

  * core/src/main/resources/all/provisioning.properties and
  * core/src/main/resources/provisioning.properties

we configured

  * quartz.sql=tables_mariadb.sql

and in the

  * core/src/main/resources/domain/Master.properties

we configured our MariaDB, but we are still pointing to the H2, 
while deploying without the option "-P all" we can correctly point 
to our MariaDB.


Is there any other parameter that we should configure?


If you want to use, in the application deployed into the external 
Java EE container (for example)


core/src/main/resources/all/provisioning.properties
core/src/main/resources/all/workflow.properties

instead of

core/src/main/resources/provisioning.properties
core/src/main/resources/workflow.properties

you will need to copy

core/src/main/resources/all/provisioning.properties
core/src/main/resources/all/workflow.properties

to /opt/syncope/conf, as you have configured such directory to be the 
source for configuration.


HTH
Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Deploy MVN Syncope with Workflow

2017-02-02 Thread Francesco Chicchiriccò

On 02/02/2017 12:21, Tech wrote:


Dear experts,

we would like to deploy syncope 2.0.2 using the workflows.

We are using this command:

  * mvn -P all clean verify -Dconf.directory=/opt/syncope/conf
-Dbundles.directory=/opt/syncope/bundles
-Dlog.directory=/opt/syncope/log

In the

  * core/src/main/resources/all/provisioning.properties and
  * core/src/main/resources/provisioning.properties

we configured

  * quartz.sql=tables_mariadb.sql

and in the

  * core/src/main/resources/domain/Master.properties

we configured our MariaDB, but we are still pointing to the H2, while 
deploying without the option "-P all" we can correctly point to our 
MariaDB.


Is there any other parameter that we should configure?


If you want to use, in the application deployed into the external Java 
EE container (for example)


core/src/main/resources/all/provisioning.properties
core/src/main/resources/all/workflow.properties

instead of

core/src/main/resources/provisioning.properties
core/src/main/resources/workflow.properties

you will need to copy

core/src/main/resources/all/provisioning.properties
core/src/main/resources/all/workflow.properties

to /opt/syncope/conf, as you have configured such directory to be the 
source for configuration.


HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Active Directory password propagation

2017-01-31 Thread Francesco Chicchiriccò

On 30/01/2017 16:02, Tech wrote:

The value in 'password.cipher.algorithm' was SHA1.

We updated to AES, we changed again the password for the user and we 
tried to login again to the enduser portal.


It's working, we tried to connect to AD but without success.

We realized after that the password, with a difference with the other 
fields, is not immediately propagated when changed, but it's only 
propagated by the scheduler.


No, this is not correct. The password is always sent along with all 
other attributes, both during propagation (automated provisioning) or 
push (manual provisioning).


The only difference is that, since the password values are never stored 
as cleartext into the internal storage, the actual value is available 
during propagation but must be retrieved from the internal storage 
during push. When using AES, the encrypted value from the internal 
storage can be decrypted and sent to AD.


Now, there could always be some bug that prevents the push flow to 
correctly retrieve and send password values: as soon as I'll have some 
available slots, I could take a look at this.


Regards.


On 30/01/2017 15:24, Francesco Chicchiriccò wrote:

On 30/01/2017 15:18, Tech wrote:
Yes, I can confirm, right in this moment we are only performing 
manual provisioning.


This is of course not the goal, but before moving to an automatic 
provision of accounts we want the manual one working


What is your value for the 'password.cipher.algorithm' general 
configuration parameter? If not 'AES', pushing password values (as 
any other encrypted value) will not work anyway.


The point is that Active Directory requires cleartext password values 
(encrypted via ConnId's GuardedString), which are normally available 
only during user update, not later. This unless AES (e.g. reversible 
encryption) is set for internal password values.
Provisioning - via resource assignment - is part of user update, push 
occurs after user update.


Regards.


On 30/01/2017 15:14, Francesco Chicchiriccò wrote:

On 30/01/2017 15:11, Tech wrote:

We are associating using a manual provisioning


Do you mean that you are only relying on a push task for 
provisioning to AD?


Could you confirm that you are *not* assigning the AD resource 
directly to the users, neither via group membership or template?



Here the main information:



Connector version 1.3.2

-SSL enabled
-Retrieve deleted users enabled
-Retrieve deleted groups enabled
-Trust all certs enabled

Entry object classes:
-Top
-person
-organizationalPerson
-inetOrgPerson
-user

Custom user search filter
cn=*

Rootsuffixes + base contexts + default people container:
ou=myad,dc=test,dc=local

uidAttribute
- cn

Object classes to synchronize
- user



Resource:

username -> cn (remote key)
password -> __PASSWORD__ (Password)
email -> mail
fn -> givenName
ln -> sn
username -> sAMAccountName

Object link
'CN='+username+',OU=myad,dc=test,dc=local'




Push tasks:

Active
Matching rule : Update
Unmatching rule: provision
Allow Create, update, delete, sync status







On 30/01/2017 15:01, Francesco Chicchiriccò wrote:

On 30/01/2017 14:53, Tech wrote:
This is what happens when I open the Password Manager, while when 
I update the password no log is generated.


This is what I suspected: you could definitely find a 
confirmation if you are able to verify that the user on Active 
Directory has still the password set during create (while on 
Syncope the password value was changed).


How are you associating the users to the AD resource? Directly or 
via group? Could you please enlist your full connector 
configuration (with *all* options) and resource mapping? 
Screenshots will also work via http://pasteboard.co/, for example.


Regards.

13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, 
Attribute: {Name=__UID__, Value=[user07]}, OperationOptions: 
{ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) 
Method: getObject
13:43:57.477 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__, 
LdapFilter[nativeFilter: (cn=user07); entryDN: null], 
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@3c72ca1f, 
OperationOptions: 
{ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) 
Method: executeQuery
13:43:57.478 WARN  Reading passwords not supported  Method: 
getAttributesToGet
13:43:57.478 WARN  Attribute __ENABLE__ of object class 
__ACCOUNT__ is not mapped to an LDAP attribute  Method: 
getLdapAttribute
13:43:57.478 DEBUG Options filter: {0} null Method: 
getInternalSearch

13:43:57.478 DEBUG Search filter: {0} cn=* Method: getInternalSearch
13:43:57.478 DEBUG Native filter: {0} (cn=user07)   Method: 
getInternalSearch

13:43:57.478 DEBUG Membership filter: {0} Method: getInternalSearch
13:43:57.478 DEBUG Searching in [OU=myad,DC=test,DC=local] with 
filter 
(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(object

Re: Install Syncope

2017-01-31 Thread Francesco Chicchiriccò

On 31/01/2017 11:39, Anas Asharat wrote:


Dear,

Kindly note I faced error in syncope installation “core deploy 
failed”, please check attached files for more information.




Have you verified that you meet all the prerequisites:

https://syncope.apache.org/docs/getting-started.html#installer-prerequisites

? In particular, about the Tomcat users under

$CATALINA_HOME/conf/tomcat-users.xml

Regards.


*From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Tuesday, January 31, 2017 11:22 AM
*To:* user@syncope.apache.org
*Subject:* Re: Install Syncope

On 31/01/2017 10:10, Anas Asharat wrote:

Dears,

Also I have one question, can you send me the certificate sheet
for syncope with OS, oracle database release, etc..

Hi,
there is no "certificate sheet"; about DBMS, you need to trust the 
community documentation:


http://syncope.apache.org/docs/getting-started.html#internal-storage

About OS, anything modern enough to satisfy Java / Java EE container 
requirements:


http://syncope.apache.org/docs/getting-started.html#java

will work.

Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Install Syncope

2017-01-31 Thread Francesco Chicchiriccò

On 31/01/2017 11:09, Anas Asharat wrote:


Thank you dear,

Ok, I see the document, but I have a question here:

Should the steps below be done before or after installation? There are no 
such files now, but I think I can find them after installation.




The steps below are due when using the Maven project (another 
installation method), and are automatically performed on your behalf by 
the GUI installer.




Oracle

jpa.driverClassName=oracle.jdbc.OracleDriver
jpa.url=jdbc:oracle:thin:@localhost:1521:orcl
jpa.username=syncope
jpa.password=syncope
jpa.dialect=org.apache.openjpa.jdbc.sql.OracleDictionary
jpa.pool.validationQuery=SELECT 1 FROM DUAL
#note: other connection pool settings can also be configured here, see persistenceContext.xml
quartz.jobstore=org.quartz.impl.jdbcjobstore.oracle.OracleDelegate
quartz.sql=tables_oracle.sql
audit.sql=audit_oracle.sql
database.schema=SYNCOPE

This assumes that you have an Oracle instance running on localhost, 
listening on its default port 1521 with a database "syncope" under 
tablespace "SYNCOPE" fully accessible by user "syncope" with password 
"syncope".


You will also need to

 1. create directory core/src/main/resources/META-INF
 2. download Oracle mapping file for the version you are building
    (1_2_X <https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob_plain;f=core/src/main/resources/META-INF/orm.xml.oracle;hb=1_2_X>,
    1.1.X <https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob_plain;f=core/src/main/resources/META-INF/orm.xml.oracle;hb=refs/heads/1_1_X>,
    1.0.X <https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob_plain;f=core/src/main/resources/META-INF/orm.xml.oracle;hb=refs/heads/1_0_X>)
 3. rename it to orm.xml
 4. and copy it under the directory created above

Also, what does the document mean by Oracle tablespace? Does it mean the 
default tablespace for the user?




The tablespace in which you have created the database that Syncope will 
use, possibly the default for the user.


Regards.



*From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Tuesday, January 31, 2017 11:22 AM
*To:* user@syncope.apache.org
*Subject:* Re: Install Syncope

On 31/01/2017 10:10, Anas Asharat wrote:

Dears,

Also I have one question, can you send me the certificate sheet
for syncope with OS, oracle database release, etc..

Hi,
there is no "certificate sheet"; about DBMS, you need to trust the 
community documentation:


http://syncope.apache.org/docs/getting-started.html#internal-storage

About OS, anything modern enough to satisfy Java / Java EE container 
requirements:


http://syncope.apache.org/docs/getting-started.html#java

will work.

Regards





Re: Install Syncope

2017-01-31 Thread Francesco Chicchiriccò

On 31/01/2017 10:10, Anas Asharat wrote:


Dears,

Also I have one question, can you send me the certificate sheet for 
syncope with OS, oracle database release, etc..



Hi,
there is no "certificate sheet"; about DBMS, you need to trust the 
community documentation:


http://syncope.apache.org/docs/getting-started.html#internal-storage

About OS, anything modern enough to satisfy Java / Java EE container 
requirements:


http://syncope.apache.org/docs/getting-started.html#java

will work.

Regards.




Re: Install Syncope

2017-01-31 Thread Francesco Chicchiriccò

On 31/01/2017 10:02, Anas Asharat wrote:


Dears,

Thanks for your reply, but really still not working.

In the installation document I see 3 approaches for installation:

1-Stand alone



http://syncope.apache.org/docs/getting-started.html#standalone

As the doc says, "Not meant for any production environment."


2-Debian packages



http://syncope.apache.org/docs/getting-started.html#debian-packages

This is bound to Debian / Ubuntu and PostgreSQL, no Oracle.


3-GUI Installer



http://syncope.apache.org/docs/getting-started.html#gui-installer

As the doc says, "Getting up and running quickly on any supported DBMS 
and Java EE container, independently from the underlying operating system."


So, this supports Oracle.

Which one can be configured with Oracle database, and which one can be 
used for a production environment?




Out of the 3 above, the last one (GUI Installer).

I need one clear document for all installation steps; I am still 
confused with installation.




I hope that the indications above make things a bit more clear.

Regards.


*From:*Marco Di Sabatino Di Diodoro [mailto:marco.disabat...@tirasa.net]
*Sent:* Monday, January 30, 2017 6:24 PM
*To:* user@syncope.apache.org
*Subject:* Re: Install Syncope

Hi,

On 30/01/2017 16:45, Anas Asharat wrote:

Dears,

I hope my email finds you well.

I am new to Syncope. I tried to install Syncope 2.0.1 with Oracle
database, and I face installation failure every time I try to
install the application.

Can you help me or give me a document on installing Syncope with
Oracle database?

You're looking at the old guide (Syncope 1.2). If you're using Apache 
Syncope 2.0.1 you can find the documentation here [1]

To install Syncope with Oracle take a look at the reference guide [2].

Regards
M

[1] https://syncope.apache.org/docs/ <https://syncope.apache.org/docs/>
[2] https://syncope.apache.org/docs/reference-guide.html#oracle-database

I used the below document:

*https://syncope.apache.org/downloads.html*


https://cwiki.apache.org/confluence/display/SYNCOPE/Install+Syncope+from+installer





[ANN] Apache Syncope 2.0.2 released

2017-01-31 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.0.2.

Apache Syncope is an Open Source system for managing digital identities
in enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
http://syncope.apache.org/downloads.html

The full change log is available here:
https://s.apache.org/syncope202

We welcome your help and feedback. For more information on how to report
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team




Re: Active Directory password propagation

2017-01-30 Thread Francesco Chicchiriccò

On 30/01/2017 15:18, Tech wrote:
Yes, I can confirm, right in this moment we are only performing manual 
provisioning.


This is of course not the goal, but before moving to an automatic 
provision of accounts we want the manual one working


What is your value for the 'password.cipher.algorithm' general 
configuration parameter? If not 'AES', pushing password values (as any 
other encrypted value) will not work anyway.


The point is that Active Directory requires cleartext password values 
(encrypted via ConnId's GuardedString), which are normally available 
only during user update, not later. This unless AES (e.g. reversible 
encryption) is set for internal password values.
Provisioning - via resource assignment - is part of user update, push 
occurs after user update.


Regards.


On 30/01/2017 15:14, Francesco Chicchiriccò wrote:

On 30/01/2017 15:11, Tech wrote:

We are associating using a manual provisioning


Do you mean that you are only relying on a push task for provisioning 
to AD?


Could you confirm that you are *not* assigning the AD resource 
directly to the users, neither via group membership or template?



Here the main information:



Connector version 1.3.2

-SSL enabled
-Retrieve deleted users enabled
-Retrieve deleted groups enabled
-Trust all certs enabled

Entry object classes:
-Top
-person
-organizationalPerson
-inetOrgPerson
-user

Custom user search filter
cn=*

Root suffixes + base contexts + default people container:
ou=myad,dc=test,dc=local

uidAttribute
- cn

Object classes to synchronize
- user



Resource:

username -> cn (remote key)
password -> __PASSWORD__ (Password)
email -> mail
fn -> givenName
ln -> sn
username -> sAMAccountName

Object link
'CN='+username+',OU=myad,dc=test,dc=local'




Push tasks:

Active
Matching rule : Update
Unmatching rule: provision
Allow Create, update, delete, sync status







On 30/01/2017 15:01, Francesco Chicchiriccò wrote:

On 30/01/2017 14:53, Tech wrote:
This is what happens when I open the Password Manager, while when I 
update the password no log is generated.


This is what I suspected: you could definitely find a confirmation 
if you are able to verify that the user on Active Directory has 
still the password set during create (while on Syncope the password 
value was changed).


How are you associating the users to the AD resource? Directly or 
via group? Could you please enlist your full connector 
configuration (with *all* options) and resource mapping? 
Screenshots will also work via http://pasteboard.co/, for example.


Regards.

13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, 
Attribute: {Name=__UID__, Value=[user07]}, OperationOptions: 
{ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) 
Method: getObject
13:43:57.477 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__, 
LdapFilter[nativeFilter: (cn=user07); entryDN: null], 
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@3c72ca1f, 
OperationOptions: 
{ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) 
Method: executeQuery
13:43:57.478 WARN  Reading passwords not supported Method: 
getAttributesToGet
13:43:57.478 WARN  Attribute __ENABLE__ of object class 
__ACCOUNT__ is not mapped to an LDAP attribute  Method: 
getLdapAttribute
13:43:57.478 DEBUG Options filter: {0} null Method: 
getInternalSearch
13:43:57.478 DEBUG Search filter: {0} cn=*  Method: 
getInternalSearch
13:43:57.478 DEBUG Native filter: {0} (cn=user07) Method: 
getInternalSearch
13:43:57.478 DEBUG Membership filter: {0}   Method: 
getInternalSearch
13:43:57.478 DEBUG Searching in [OU=myad,DC=test,DC=local] with 
filter 
(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))(cn=user07)(cn=*)) 
and SearchControls: {returningAttributes=[cn, entryDN, givenName, 
mail, sAMAccountName, sn, unicodePwd, userAccountControl], 
scope=SUBTREE} Method: doSearch
13:43:57.479 DEBUG User Account Control: 512Method: 
createConnectorObject
13:43:57.479 DEBUG Enter: {Uid=Attribute: {Name=__UID__, 
Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, 
Attributes=[Attribute: {Name=__PASSWORD__, 
Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, 
Attribute: {Name=userAccountControl, Value=[512]}, Attribute: 
{Name=sAMAccountName, Value=[user07]}, Attribute: {Name=mail, 
Value=[user07@test.local]}, Attribute: {Name=__NAME__, 
Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn, 
Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, 
Attribute: {Name=__UID__, Value=[user07]}, Attribute: 
{Name=__ENABLE__, Value=[true]}, Attribute: {Name=givenName, 
Value=[ofn07updated]}], Name=Attribute: {Name=__NAME__, 
Value=[CN=user07,OU=myad,DC=test,DC=local]}} Method: handle

13:43:57.479 DEBUG Return: falseMethod: handle
13:43:57.479 DEBUG Return   Method: executeQuery
13:43

Re: Active Directory password propagation

2017-01-30 Thread Francesco Chicchiriccò

On 30/01/2017 15:11, Tech wrote:

We are associating using a manual provisioning


Do you mean that you are only relying on a push task for provisioning to AD?

Could you confirm that you are *not* assigning the AD resource directly 
to the users, neither via group membership or template?



Here the main information:



Connector version 1.3.2

-SSL enabled
-Retrieve deleted users enabled
-Retrieve deleted groups enabled
-Trust all certs enabled

Entry object classes:
-Top
-person
-organizationalPerson
-inetOrgPerson
-user

Custom user search filter
cn=*

Root suffixes + base contexts + default people container:
ou=myad,dc=test,dc=local

uidAttribute
- cn

Object classes to synchronize
- user



Resource:

username -> cn (remote key)
password -> __PASSWORD__ (Password)
email -> mail
fn -> givenName
ln -> sn
username -> sAMAccountName

Object link
'CN='+username+',OU=myad,dc=test,dc=local'




Push tasks:

Active
Matching rule : Update
Unmatching rule: provision
Allow Create, update, delete, sync status







On 30/01/2017 15:01, Francesco Chicchiriccò wrote:

On 30/01/2017 14:53, Tech wrote:
This is what happens when I open the Password Manager, while when I 
update the password no log is generated.


This is what I suspected: you could definitely find a confirmation if 
you are able to verify that the user on Active Directory has still 
the password set during create (while on Syncope the password value 
was changed).


How are you associating the users to the AD resource? Directly or via 
group? Could you please enlist your full connector configuration 
(with *all* options) and resource mapping? Screenshots will also work 
via http://pasteboard.co/, for example.


Regards.

13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, 
Attribute: {Name=__UID__, Value=[user07]}, OperationOptions: 
{ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) 
Method: getObject
13:43:57.477 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__, 
LdapFilter[nativeFilter: (cn=user07); entryDN: null], 
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@3c72ca1f, 
OperationOptions: 
{ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) 
Method: executeQuery
13:43:57.478 WARN  Reading passwords not supported Method: 
getAttributesToGet
13:43:57.478 WARN  Attribute __ENABLE__ of object class __ACCOUNT__ 
is not mapped to an LDAP attribute  Method: getLdapAttribute
13:43:57.478 DEBUG Options filter: {0} null Method: 
getInternalSearch
13:43:57.478 DEBUG Search filter: {0} cn=*  Method: 
getInternalSearch
13:43:57.478 DEBUG Native filter: {0} (cn=user07) Method: 
getInternalSearch
13:43:57.478 DEBUG Membership filter: {0}   Method: 
getInternalSearch
13:43:57.478 DEBUG Searching in [OU=myad,DC=test,DC=local] with 
filter 
(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))(cn=user07)(cn=*)) 
and SearchControls: {returningAttributes=[cn, entryDN, givenName, 
mail, sAMAccountName, sn, unicodePwd, userAccountControl], 
scope=SUBTREE} Method: doSearch
13:43:57.479 DEBUG User Account Control: 512Method: 
createConnectorObject
13:43:57.479 DEBUG Enter: {Uid=Attribute: {Name=__UID__, 
Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, 
Attributes=[Attribute: {Name=__PASSWORD__, 
Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, 
Attribute: {Name=userAccountControl, Value=[512]}, Attribute: 
{Name=sAMAccountName, Value=[user07]}, Attribute: {Name=mail, 
Value=[user07@test.local]}, Attribute: {Name=__NAME__, 
Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn, 
Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, 
Attribute: {Name=__UID__, Value=[user07]}, Attribute: 
{Name=__ENABLE__, Value=[true]}, Attribute: {Name=givenName, 
Value=[ofn07updated]}], Name=Attribute: {Name=__NAME__, 
Value=[CN=user07,OU=myad,DC=test,DC=local]}}   Method: handle

13:43:57.479 DEBUG Return: falseMethod: handle
13:43:57.479 DEBUG Return   Method: executeQuery
13:43:57.480 DEBUG Return: {Uid=Attribute: {Name=__UID__, 
Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, 
Attributes=[Attribute: {Name=__PASSWORD__, 
Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, 
Attribute: {Name=sAMAccountName, Value=[user07]}, Attribute: 
{Name=mail, Value=[user07@test.local]}, Attribute: {Name=__NAME__, 
Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn, 
Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, 
Attribute: {Name=__UID__, Value=[user07]}, Attribute: 
{Name=__ENABLE__, Value=[true]}, Attribute: {Name=givenName, 
Value=[ofn07updated]}], Name=Attribute: {Name=__NAME__, 
Value=[CN=user07,OU=myad,DC=test,DC=local]}} Method: getObject


On 30/01/2017 14:36, Francesco Chicchiriccò wrote:

On 30/01/2017 12:34, Tech wrote:
When we create the user we are able

Re: Active Directory password propagation

2017-01-30 Thread Francesco Chicchiriccò

On 30/01/2017 14:53, Tech wrote:
This is what happens when I open the Password Manager, while when I 
update the password no log is generated.


This is what I suspected: you could definitely find a confirmation if 
you are able to verify that the user on Active Directory has still the 
password set during create (while on Syncope the password value was 
changed).


How are you associating the users to the AD resource? Directly or via 
group? Could you please enlist your full connector configuration (with 
*all* options) and resource mapping? Screenshots will also work via 
http://pasteboard.co/, for example.


Regards.

13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, 
Attribute: {Name=__UID__, Value=[user07]}, OperationOptions: 
{ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) 
Method: getObject
13:43:57.477 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__, 
LdapFilter[nativeFilter: (cn=user07); entryDN: null], 
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@3c72ca1f, 
OperationOptions: 
{ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]}) 
Method: executeQuery
13:43:57.478 WARN  Reading passwords not supported  Method: 
getAttributesToGet
13:43:57.478 WARN  Attribute __ENABLE__ of object class __ACCOUNT__ is 
not mapped to an LDAP attribute  Method: getLdapAttribute

13:43:57.478 DEBUG Options filter: {0} null Method: getInternalSearch
13:43:57.478 DEBUG Search filter: {0} cn=*  Method: getInternalSearch
13:43:57.478 DEBUG Native filter: {0} (cn=user07)   Method: 
getInternalSearch

13:43:57.478 DEBUG Membership filter: {0}   Method: getInternalSearch
13:43:57.478 DEBUG Searching in [OU=myad,DC=test,DC=local] with filter 
(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))(cn=user07)(cn=*)) 
and SearchControls: {returningAttributes=[cn, entryDN, givenName, 
mail, sAMAccountName, sn, unicodePwd, userAccountControl], 
scope=SUBTREE} Method: doSearch
13:43:57.479 DEBUG User Account Control: 512Method: 
createConnectorObject
13:43:57.479 DEBUG Enter: {Uid=Attribute: {Name=__UID__, 
Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, 
Attributes=[Attribute: {Name=__PASSWORD__, 
Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, 
Attribute: {Name=userAccountControl, Value=[512]}, Attribute: 
{Name=sAMAccountName, Value=[user07]}, Attribute: {Name=mail, 
Value=[user07@test.local]}, Attribute: {Name=__NAME__, 
Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn, 
Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, 
Attribute: {Name=__UID__, Value=[user07]}, Attribute: 
{Name=__ENABLE__, Value=[true]}, Attribute: {Name=givenName, 
Value=[ofn07updated]}], Name=Attribute: {Name=__NAME__, 
Value=[CN=user07,OU=myad,DC=test,DC=local]}}   Method: handle

13:43:57.479 DEBUG Return: falseMethod: handle
13:43:57.479 DEBUG Return   Method: executeQuery
13:43:57.480 DEBUG Return: {Uid=Attribute: {Name=__UID__, 
Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__, 
Attributes=[Attribute: {Name=__PASSWORD__, 
Value=[org.identityconnectors.common.security.GuardedString@204e249b]}, 
Attribute: {Name=sAMAccountName, Value=[user07]}, Attribute: 
{Name=mail, Value=[user07@test.local]}, Attribute: {Name=__NAME__, 
Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn, 
Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, 
Attribute: {Name=__UID__, Value=[user07]}, Attribute: 
{Name=__ENABLE__, Value=[true]}, Attribute: {Name=givenName, 
Value=[ofn07updated]}], Name=Attribute: {Name=__NAME__, 
Value=[CN=user07,OU=myad,DC=test,DC=local]}} Method: getObject


On 30/01/2017 14:36, Francesco Chicchiriccò wrote:

On 30/01/2017 12:34, Tech wrote:
When we create the user we are able to initialize the correct 
password, connecting to the target system we can verify that Syncope 
did its job.


If the Admin tries to reset the password from the console, or if the 
user tries to change his password from the enduser interface, the 
password is still correctly updated into Syncope, but it's not 
propagated to AD, therefore the user will be able to login only 
using the old password.


Hi,
I am not completely familiar with AD password management internals, 
but I would examine what Syncope is actually sending to AD by 
watching the core-connid.log file both when creating new user and 
updating existing user, to determine if Syncope is effectively 
sending the updated password to AD during the latter phase.


Regards.


On 30/01/2017 12:28, Tech wrote:

I'm not sure about this step.

As mentioned we can already propagate changes as "email", "first 
name" and "last name".


The AD user that we are using is able to change the passwords of 
other AD users, create, update and delete other users.


I think that there is an additional step t

Re: Active Directory password propagation

2017-01-30 Thread Francesco Chicchiriccò

On 30/01/2017 12:34, Tech wrote:
When we create the user we are able to initialize the correct 
password, connecting to the target system we can verify that Syncope 
did its job.


If the Admin tries to reset the password from the console, or if the 
user tries to change his password from the enduser interface, the 
password is still correctly updated into Syncope, but it's not 
propagated to AD, therefore the user will be able to login only using 
the old password.


Hi,
I am not completely familiar with AD password management internals, but 
I would examine what Syncope is actually sending to AD by watching the 
core-connid.log file both when creating new user and updating existing 
user, to determine if Syncope is effectively sending the updated 
password to AD during the latter phase.


Regards.


On 30/01/2017 12:28, Tech wrote:

I'm not sure about this step.

As mentioned we can already propagate changes as "email", "first name" 
and "last name".


The AD user that we are using is able to change the passwords of 
other AD users, create, update and delete other users.


I think that there is an additional step that was not performed in 
Syncope.


On 27/01/2017 16:32, Fabio Martelli wrote:

On 27/01/2017 15:53, Tech wrote:

Yes, we are connecting via SSL.

We know that the connection is working because we are still able to 
propagate the user modification like firstname and lastname.


We can change the password and internally is working, but it's not 
propagated to AD.
When you performed the change password by using the administration 
console, did you select AD resource in the list provided after 
password fields?
Are you sure that the user principal configured to perform updates 
into AD owns all the needed entitlements?


On 27/01/2017 15:42, Fabio Martelli wrote:

Hi, find my comment in-line.
Regards,
F.

On 27/01/2017 12:12, Tech wrote:


Hello,

we are working on the password propagation using the AD connector.

We are able to check the connectivity both using plain and SSL, 
we are able to create new users and to update information like 
email, first name and last name.


We edit the connector:

  * We check SSL
  * we change the Server port to 636
  * We enable Trust all certs

We run again some modification and the first name and last name 
are still updated.


We try now to change the password, both from user and admin 
interface.


The user can correctly access to Syncope using the new 
credentials, while we detect that the password is not correctly 
propagated to the target system.




Do you mean that you can still access with the previous one?
Please note that you can change password by working in SSL only [1].

Regards,
F.

[1] 
https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482#ActiveDirectory(JNDI)-Configuration


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
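
The log check suggested in the reply above (watch core-connid.log on create and on update to see whether the updated password is actually sent), as an added example that is not part of the original thread or of Syncope/ConnId code. The create/update entries in SAMPLE_LOG are constructed, and their layout is an assumption modelled on the getObject entries quoted in the thread; taking the first RDN of __NAME__ as the account id assumes the thread's configuration (uidAttribute cn).

```python
import re
from typing import List, NamedTuple, Tuple

# An entry starts with "HH:MM:SS.mmm LEVEL"; any other line is a wrapped continuation.
ENTRY_START = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(DEBUG|INFO|WARN|ERROR)\s+(.*)$")
# "Enter: update(" names a connector operation; "Enter: {Uid=..." (result handler) does not match.
ENTER_OP = re.compile(r"^Enter: (\w+)\(")
# One attribute as printed in the log: Name=..., Value=[...]
ATTR = re.compile(r"Name=(\w+), Value=\[([^\]]*)\]")
WRITE_OPS = {"create", "update"}

# CONSTRUCTED sample, wrapped the way a mail client wraps it. Only the getObject
# entry is taken (shortened) from the thread; create/update are assumed layouts.
SAMPLE_LOG = """\
10:02:11.101 DEBUG Enter: create(ObjectClass: __ACCOUNT__, [Attribute: {Name=__PASSWORD__,
Value=[org.identityconnectors.common.security.GuardedString@1a2b3c4d]}, Attribute:
{Name=__NAME__, Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=sn,
Value=[oln07]}], OperationOptions: {}) Method: create
10:02:11.350 DEBUG Return: Attribute: {Name=__UID__, Value=[user07]} Method: create
10:15:42.007 DEBUG Enter: update(ObjectClass: __ACCOUNT__, Attribute: {Name=__UID__,
Value=[user07]}, [Attribute: {Name=sn, Value=[oln07updated]}, Attribute:
{Name=givenName, Value=[ofn07updated]}], OperationOptions: {}) Method: update
10:15:42.120 DEBUG Return: Attribute: {Name=__UID__, Value=[user07]} Method: update
13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, Attribute: {Name=__UID__,
Value=[user07]}, OperationOptions: {ATTRS_TO_GET:[__PASSWORD__,mail,cn]}) Method: getObject
"""


class Op(NamedTuple):
    time: str
    name: str
    account: str
    carries_password: bool


def join_wrapped(text: str) -> List[str]:
    """Rebuild one string per log entry from line-wrapped text."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def account_id(attrs: dict) -> str:
    """Prefer __UID__; otherwise use the first RDN value of __NAME__ (assumption)."""
    if "__UID__" in attrs:
        return attrs["__UID__"]
    name = attrs.get("__NAME__", "")
    return name.split(",", 1)[0].split("=", 1)[-1] if name else "?"


def parse_ops(text: str) -> List[Op]:
    """Extract connector operations and whether a __PASSWORD__ attribute was passed."""
    ops = []
    for entry in join_wrapped(text):
        time, _level, message = ENTRY_START.match(entry).groups()
        enter = ENTER_OP.match(message)
        if not enter:
            continue
        attrs = dict(ATTR.findall(message))
        # __PASSWORD__ inside ATTRS_TO_GET is a read request, not a value being
        # written, so only a "Name=__PASSWORD__" attribute counts here.
        ops.append(Op(time, enter.group(1), account_id(attrs), "__PASSWORD__" in attrs))
    return ops


def password_writes(text: str, account: str) -> List[Tuple[str, str, bool]]:
    """(time, operation, carries_password) for each create/update on the account."""
    return [(op.time, op.name, op.carries_password)
            for op in parse_ops(text)
            if op.name in WRITE_OPS and op.account == account]


def verdict(text: str, account: str) -> str:
    """Summarise whether a password ever reached the connector on update."""
    updates = [w for w in password_writes(text, account) if w[1] == "update"]
    if not updates:
        return "no update reached the connector"
    if any(carries for _time, _name, carries in updates):
        return "password sent on update"
    return "updates sent without password"


if __name__ == "__main__":
    for row in password_writes(SAMPLE_LOG, "user07"):
        print(row)
    print(verdict(SAMPLE_LOG, "user07"))
```

The GuardedString value is never readable from the log, so the check only establishes whether a password attribute was passed to the connector, not which password.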



Re: CSVDir pull connector challenge

2017-01-24 Thread Francesco Chicchiriccò

On 24/01/2017 10:56, Martin van Es wrote:

On Tue, Jan 24, 2017 at 10:03 AM, Francesco Chicchiriccò<ilgro...@apache.org> 
wrote:

So, you suggest I turn to Connid now for my functional issues with CSVDir?

I would first clarify if there is something wrong ongoing (as suggested
above), then possibly report to ConnId.

I was referring to the required explicit __NAME__ or __UID__ remote key
mapping to make CSVDir actually work in syncope and/or the absence of
a selectable key attribute when configuring the mapping.


Ah ok, sure, why not.
Regards.




Re: CSVDir pull connector challenge

2017-01-24 Thread Francesco Chicchiriccò

On 23/01/2017 17:46, Martin van Es wrote:

On Mon, Jan 23, 2017 at 4:36 PM, Francesco Chicchiriccò
<ilgro...@apache.org> wrote:

but essentially, the "mandatory condition" can be specified both at Schema
level (hence value(s) must be provided globally) or at mapping level (hence
value(s) must be provided when provisioning to / from that external
resource).

Ok, that's clear.
But that doesn't explain why email wouldn't propagate from my CSVDir
source into Syncope when the mandatory flag was false?


You need to look at core-connid.log and the propagation task(s) 
generated for the given user(s) in order to have a better view of what 
is actually happening.



Anyway, as commented there, the real issue is only about the failure to
report the error message to Admin UI; the rest is about the way the
ConnId CSVDir bundle works, so not any Syncope issue.

So, you suggest I turn to Connid now for my functional issues with CSVDir?


I would first clarify if there is something wrong ongoing (as suggested 
above), then possibly report to ConnId.


Regards.




Re: CSVDir pull connector challenge

2017-01-23 Thread Francesco Chicchiriccò

On 23/01/2017 15:35, Martin van Es wrote:

On Mon, Jan 23, 2017 at 1:47 PM, Francesco Chicchiriccò
<ilgro...@apache.org> wrote:

I can't select target columns that are designated for key, status and
delete by the connector. Is this by-design?

I think it is somewhat by design, but I am not sure it is for good; for the
moment, please use:

* __NAME__ as value for key column
* __ENABLE__ as value for status column (you should not need to provide a
mapping for this, though, as it is done automatically)

Well that's contradictory to the error I reported (Unable to find
property: 'connObjectKeyValidation') but using your hint I am now able
to harvest accounts from the csv file, thx.

Another thing I noticed: I need to make email attribute mandatory for
it to appear in the provisioned user, while my assumption was that it
would provision email when available, but not break on absence? The
status attribute behaves differently (status false is correctly
updated to suspended and vice versa) while status -> __ENABLE__
mandatory field is set to false.


I invite you to read the details from

https://syncope.apache.org/docs/reference-guide.html#mapping

but essentially, the "mandatory condition" can be specified both at 
Schema level (hence value(s) must be provided globally) or at mapping 
level (hence value(s) must be provided when provisioning to / from that 
external resource).


As an example, this simply means that Syncope refuses to send out 
propagations to the CSVDir connector if email is not provided and 
mapping mandatory condition is set to 'true'.


When the mapping mandatory condition is set to 'false', instead, Syncope 
won't raise any error before propagating to the CSVDir connector if 
email is not provided.
What happens into the connector, in such case, depends on the connector 
bundle implementation.



I am able to replicate your error, please file an issue for this.

https://issues.apache.org/jira/browse/SYNCOPE-1000

(HA! 1000 is mine ;)


Nice catch :-)
Anyway, as commented there, the real issue is only about the failure to 
report the error message to Admin UI; the rest is about the way the 
ConnId CSVDir bundle works, so not any Syncope issue.


Regards.





Re: CSVDir pull connector challenge

2017-01-23 Thread Francesco Chicchiriccò

On 23/01/2017 13:30, Martin van Es wrote:

Hi,

Finally, I've taken the time and went ahead (re)installing Syncope to
try and play with 2.0.
First: it's a nice improvement (on the admin interface). Well done!


Thanks! :-)
Also glad for your enduring interest in Apache Syncope.


I've (re) created my test LDAP connector and am able to
provision/activate/enable/disable users and groups/groupMembership
from admin console.

Now I'd like to emulate an authoritative source connector (e.g. HR)
from CSVDir connector. I supply five columns in this file called
id,email,sn,status and delete. I inserted a header line designating
these columns and exactly one test account as 2nd line. Values are
separated by comma's.

I created the connector and resource to follow the columnames/order in
my file, but when I try to setup user provision rules, two thing
surprise me:

I can't select target columns that are designated for key, status and
delete by the connector. Is this by-design?


As far as I can read from the class implementing the ConnId SCHEMA 
operation (e.g. the one that it is used to populate that Admin UI 
autocomplete text fields):


https://github.com/Tirasa/ConnIdCSVDirBundle/blob/master/src/main/java/net/tirasa/connid/bundles/csvdir/methods/CSVDirSchema.java#L65

I think it is somewhat by design, but I am not sure it is for good; for 
the moment, please use:


* __NAME__ as value for key column
* __ENABLE__ as value for status column (you should not need to provide 
a mapping for this, though, as it is done automatically)


The delete column seems to be reserved for internal usage.


Second, when I finish the provisioning rules (mapping surname to sn
and email to email, because that's all that's available on target) by
clicking "Save" in the last dialog, Syncope fails with error: "Unable
to find property: 'connObjectKeyValidation'. Locale: null, style:
null"


The message you should get is "There must be exactly one AccountId", 
which is anyway bad as 'AccountId' (up to 1_2_X) is now (from 2_0_X) 
ConnObjectKey instead.

It complains that there must be exactly one mapping flagged as 'Remote key'.

I am able to replicate your error, please file an issue for this.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/




Re: Password reset procedure from enduser interface

2017-01-19 Thread Francesco Chicchiriccò

On 18/01/2017 14:13, Francesco Chicchiriccò wrote:

On 18/01/2017 11:59, Francesco Chicchiriccò wrote:

On 18/01/2017 11:38, Tech wrote:

Hello,

we faced something that could be a bug in version 2.0.1 and version 
2.0.2.


We created a SecurityQuestion from the Admin interface and the user is
prompted to enter one during the creation of his account.

The SecurityQuestion is correctly stored into the DB.

We "forget" the password and we try to recover it using the interface,
but we cannot reset it.

This is happening both for existing and new users.

Could you please double-check?


I assume you have already checked

https://syncope.apache.org/docs/reference-guide.html#password-reset

to understand how the password reset process is expected to work.


A fundamental part for the outlined procedure to be effective, is to 
have the notifications in place; see


https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration

for details.

After that user has provided the correct answer to security question 
via EndUser UI, a notification e-mail based on the 
'requestPasswordReset' template is sent; as you can see from the 
template, an URL for accessing the EndUser UI (containing the unique 
token generated for such request) is contained in the e-mail.


Once clicked there, the process can continue with input of the new 
password value.


Finally, another notification e-mail based on the 
'confirmPasswordReset' template is sent out.


FYI I have updated the password reset information with the further 
comments above; see


https://ci.apache.org/projects/syncope/reference-guide.html#password-reset

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Date format on user self-registration

2017-01-18 Thread Francesco Chicchiriccò

On 18/01/2017 12:01, Francesco Chicchiriccò wrote:

On 18/01/2017 11:34, Tech wrote:

Hello,

thanks, in the version 2.0.2 the Date is working correctly.


Please be aware that there is no 2.0.2 yet, only 2.0.2-SNAPSHOT, which 
is the ongoing work that will eventually bring the official 2.0.2.


The instructions I gave you below are for backporting the fix in 
2.0.2-SNAPSHOT into your local project based on 2.0.1.
I assume something went wrong in this process, I will update my 
reference project at


https://github.com/Tirasa/syncopeOnJBoss

with such backport as soon as I got some spare time, maybe this could 
help you.


FYI, I have just upgraded the reference project above (all the 2.0 
branches, e.g. master, MariaDB_ContainerDataSource  and 
MariaDB_ApplicationDataSource) with the fix for SYNCOPE-992.


After building and new deployment to Wildfly, I have created two plain 
schemas and added to the BaseUser class (via Admin Console):


1. 'sample date' with conversion pattern '-MM-dd'
2. 'sample date and time' with conversion pattern 
'-MM-dd'T'HH:mm:ss.SSSZ'


Then I performed a self registration via EndUser and provided values for 
the two date attributes just created.


As expected, the values were correctly reported either by the Admin 
Console and by the EndUser UI.


HTH
Regards.


On 18/01/2017 10:31, Francesco Chicchiriccò wrote:

On 18/01/2017 10:23, Tech wrote:

Hello,

we created the new java files as requested, we modified the
dynamicPlainAttribute.js , but we didn't resolve the situation yet.

We tried two scenarios: the first with an existing user that needs to
enter the date field where before it was empty, the second with a brand
new user where he enter for the first time the information, but also in
this case the date is not saved into the system.

Could you please double check?

Hi,
I have just tried locally and it worked as expected; you could also
try yourself with our public demo at

http://syncope-vm.apache.org:9080/syncope-console/
http://syncope-vm.apache.org:9080/syncope-enduser/

The version deployed there is the latest 2.0.2-SNAPSHOT.

Regards.


On 13/01/2017 11:58, Francesco Chicchiriccò wrote:

On 2017-01-12 14:50 (+0100), Francesco Chicchiriccò
<ilgro...@apache.org> wrote:

On 12/01/2017 14:27, Tech wrote:

Dear experts,

We added the date as custom field, we added it to the BaseUser class
and after we added to the USER schema.

During the self registration we are able to display the field, that is
correctly displayed as Date (we can also see the calendar button).

We can complete the registration procedure, but the information is not
stored into the Database.

We modified the Conversion-Pattern using -MM-dd, but this changes
only the way the data is displayed in the interface, but we can't
still store the information into the database.


Hi,
it seems you've spotted a bug in the Enduser UI; I have just performed
the following steps:

1. from Admin UI, create new Date schema with conversion pattern
'-MM-dd' and added to the base type for USER
2. perform self-registration via Enduser UI, provided a value for the
new Date attribute
3. open the new user from Admin UI, no value found for the new Date
attribute

So, the bug is confirmed.

Moreover, I also did:

4. from Admin UI, set a value for the new Date attribute on the new user
5. log into the Enduser UI as the new user, see the value set from Admin
UI, then update the Date schema with a new value
6. from Admin UI, see the new value as provided via Enduser UI

Hence the bug seems to occur only during self-registration.

Would you mind opening an issue
on

https://issues.apache.org/jira/browse/SYNCOPE/

?

Hi,
I have just committed a fix for SYNCOPE-992 (the issue you've opened
as request above, thx).

Such fix will be available with release of Apache Syncope 2.0.2;
should you want to backport the fix on your local project, you will
have to

1. create the directory

enduser/src/main/java/org/apache/syncope/client/enduser/resources/

then download the class

https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfCreateResource.java 




in the new created directory

2. replace the file content of

enduser/src/main/webapp/app/js/directives/dynamicPlainAttribute.js

with the content from

https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/resources/META-INF/resources/app/js/directives/dynamicPlainAttribute.js 




Afterwards, naturally, you'll have to rebuild & redeploy.

Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/




Re: Label on custom attributes

2017-01-18 Thread Francesco Chicchiriccò

On 18/01/2017 13:40, Tech wrote:


Dear all,

we need to create custom attributes in Syncope, but we realized the 
correspondence 1:1 with Key/Column/Label.


For example we might need to display some attributes that should not 
be read necessary in English and that could contain accents.


For example we imagine something like this:


{
    "firstname": [
        { "lang": "en", "value": "Name" },
        { "lang": "fr", "value": "Prénom" }
    ]
}


In this case we could keep a stick reference for the name, in our case 
"firstname", but after display in a different way (and language) and 
being able to implement also accents: is there a way to do it?




The EndUser UI already provides translation features: take a look at the 
JSON files available under


enduser/src/main/webapp/app/languages/

You have a directory for each language available, and two files in each 
directory: 'static.json' for application messages and 'dynamic.json' for 
labels (including attributes).


HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Date format on user self-registration

2017-01-18 Thread Francesco Chicchiriccò

On 18/01/2017 11:34, Tech wrote:

Hello,

thanks, in the version 2.0.2 the Date is working correctly.


Please be aware that there is no 2.0.2 yet, only 2.0.2-SNAPSHOT, which 
is the ongoing work that will eventually bring the official 2.0.2.


The instructions I gave you below are for backporting the fix in 
2.0.2-SNAPSHOT into your local project based on 2.0.1.
I assume something went wrong in this process, I will update my 
reference project at


https://github.com/Tirasa/syncopeOnJBoss

with such backport as soon as I got some spare time, maybe this could 
help you.

Regards.


On 18/01/2017 10:31, Francesco Chicchiriccò wrote:

On 18/01/2017 10:23, Tech wrote:

Hello,

we created the new java files as requested, we modified the
dynamicPlainAttribute.js , but we didn't resolve the situation yet.

We tried two scenarios: the first with an existing user that needs to
enter the date field where before it was empty, the second with a brand
new user where he enter for the first time the information, but also in
this case the date is not saved into the system.

Could you please double check?

Hi,
I have just tried locally and it worked as expected; you could also
try yourself with our public demo at

http://syncope-vm.apache.org:9080/syncope-console/
http://syncope-vm.apache.org:9080/syncope-enduser/

The version deployed there is the latest 2.0.2-SNAPSHOT.

Regards.


On 13/01/2017 11:58, Francesco Chicchiriccò wrote:

On 2017-01-12 14:50 (+0100), Francesco Chicchiriccò
<ilgro...@apache.org> wrote:

On 12/01/2017 14:27, Tech wrote:

Dear experts,

We added the date as custom field, we added it to the BaseUser class
and after we added to the USER schema.

During the self registration we are able to display the field,
that is
correctly displayed as Date (we can also see the calendar button).

We can complete the registration procedure, but the information is
not
stored into the Database.

We modified the Conversion-Pattern using -MM-dd, but this changes
only the way the data is displayed in the interface, but we can't
still store the information into the database.


Hi,
it seems you've spotted a bug in the Enduser UI; I have just performed
the following steps:

1. from Admin UI, create new Date schema with conversion pattern
'-MM-dd' and added to the base type for USER
2. perform self-registration via Enduser UI, provided a value for the
new Date attribute
3. open the new user from Admin UI, no value found for the new Date
attribute

So, the bug is confirmed.

Moreover, I also did:

4. from Admin UI, set a value for the new Date attribute on the new
user
5. log into the Enduser UI as the new user, see the value set from
Admin
UI, then update the Date schema with a new value
6. from Admin UI, see the new value as provided via Enduser UI

Hence the bug seems to occur only during self-registration.

Would you mind opening an issue
on

https://issues.apache.org/jira/browse/SYNCOPE/

?

Hi,
I have just committed a fix for SYNCOPE-992 (the issue you've opened
as request above, thx).

Such fix will be available with release of Apache Syncope 2.0.2;
should you want to backport the fix on your local project, you will
have to

1. create the directory

enduser/src/main/java/org/apache/syncope/client/enduser/resources/

then download the class

https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfCreateResource.java


in the new created directory

2. replace the file content of

enduser/src/main/webapp/app/js/directives/dynamicPlainAttribute.js

with the content from

https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/resources/META-INF/resources/app/js/directives/dynamicPlainAttribute.js


Afterwards, naturally, you'll have to rebuild & redeploy.

Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Password reset procedure from enduser interface

2017-01-18 Thread Francesco Chicchiriccò

On 18/01/2017 11:38, Tech wrote:

Hello,

we faced something that could be a bug in version 2.0.1 and version 2.0.2.

We created a SecurityQuestion from the Admin interface and the user is
prompted to enter one during the creation of his account.

The SecurityQuestion is correctly stored into the DB.

We "forget" the password and we try to recover it using the interface,
but we cannot reset it.

This is happening both for existing and new users.

Could you please double-check?


I assume you have already checked

https://syncope.apache.org/docs/reference-guide.html#password-reset

to understand how the password reset process is expected to work.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Date format on user self-registration

2017-01-18 Thread Francesco Chicchiriccò

On 18/01/2017 10:23, Tech wrote:

Hello,

we created the new java files as requested, we modified the
dynamicPlainAttribute.js , but we didn't resolve the situation yet.

We tried two scenarios: the first with an existing user that needs to
enter the date field where before it was empty, the second with a brand
new user where he enter for the first time the information, but also in
this case the date is not saved into the system.

Could you please double check?


Hi,
I have just tried locally and it worked as expected; you could also try 
yourself with our public demo at


http://syncope-vm.apache.org:9080/syncope-console/
http://syncope-vm.apache.org:9080/syncope-enduser/

The version deployed there is the latest 2.0.2-SNAPSHOT.

Regards.


On 13/01/2017 11:58, Francesco Chicchiriccò wrote:

On 2017-01-12 14:50 (+0100), Francesco Chicchiriccò <ilgro...@apache.org> 
wrote:

On 12/01/2017 14:27, Tech wrote:

Dear experts,

We added the date as custom field, we added it to the BaseUser class
and after we added to the USER schema.

During the self registration we are able to display the field, that is
correctly displayed as Date (we can also see the calendar button).

We can complete the registration procedure, but the information is not
stored into the Database.

We modified the Conversion-Pattern using -MM-dd, but this changes
only the way the data is displayed in the interface, but we can't
still store the information into the database.


Hi,
it seems you've spotted a bug in the Enduser UI; I have just performed
the following steps:

1. from Admin UI, create new Date schema with conversion pattern
'-MM-dd' and added to the base type for USER
2. perform self-registration via Enduser UI, provided a value for the
new Date attribute
3. open the new user from Admin UI, no value found for the new Date
attribute

So, the bug is confirmed.

Moreover, I also did:

4. from Admin UI, set a value for the new Date attribute on the new user
5. log into the Enduser UI as the new user, see the value set from Admin
UI, then update the Date schema with a new value
6. from Admin UI, see the new value as provided via Enduser UI

Hence the bug seems to occur only during self-registration.

Would you mind opening an issue
on

https://issues.apache.org/jira/browse/SYNCOPE/

?

Hi,
I have just committed a fix for SYNCOPE-992 (the issue you've opened as request 
above, thx).

Such fix will be available with release of Apache Syncope 2.0.2; should you 
want to backport the fix on your local project, you will have to

1. create the directory

enduser/src/main/java/org/apache/syncope/client/enduser/resources/

then download the class

https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfCreateResource.java

in the new created directory

2. replace the file content of

enduser/src/main/webapp/app/js/directives/dynamicPlainAttribute.js

with the content from

https://github.com/apache/syncope/blob/eded0eb3af5b96b513d934f19509bdf4b06e9df0/client/enduser/src/main/resources/META-INF/resources/app/js/directives/dynamicPlainAttribute.js

Afterwards, naturally, you'll have to rebuild & redeploy.

Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Date format on user self-registration

2017-01-12 Thread Francesco Chicchiriccò

On 12/01/2017 14:27, Tech wrote:


Dear experts,

We added the date as custom field, we added it to the BaseUser class 
and after we added to the USER schema.


During the self registration we are able to display the field, that is 
correctly displayed as Date (we can also see the calendar button).


We can complete the registration procedure, but the information is not 
stored into the Database.


We modified the Conversion-Pattern using -MM-dd, but this changes 
only the way the data is displayed in the interface, but we can't 
still store the information into the database.




Hi,
it seems you've spotted a bug in the Enduser UI; I have just performed 
the following steps:


1. from Admin UI, create new Date schema with conversion pattern 
'-MM-dd' and added to the base type for USER
2. perform self-registration via Enduser UI, provided a value for the 
new Date attribute
3. open the new user from Admin UI, no value found for the new Date 
attribute


So, the bug is confirmed.

Moreover, I also did:

4. from Admin UI, set a value for the new Date attribute on the new user
5. log into the Enduser UI as the new user, see the value set from Admin 
UI, then update the Date schema with a new value

6. from Admin UI, see the new value as provided via Enduser UI

Hence the bug seems to occur only during self-registration.

Would you mind opening an issue 
on https://issues.apache.org/jira/browse/SYNCOPE/ ?


Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: How to distinguish Syncope 1.2.x and 2.x

2017-01-12 Thread Francesco Chicchiriccò

On 12/01/2017 09:10, XiLai Dai wrote:


Thanks Francesco! yes, I saw this /rest/platform api from the swagger 
doc of Syncope 2.0.1, but it's only existing from Syncope 2.x, for 
Syncope 1.2.x, it doesn't provide this api and nothing response 
returned when GET it.




True, Syncope 1.2 does not provide anything similar.
I  got the impression from your text below that you were not even aware 
of the REST endpoint in 2.0 as you only mentioned the WADL content, 
hence I provided the related info.


About 1.2, you might want to either add something similar to your own 
overlay or backport the 2.0 feature (possibly strimmed down) in the 
1.2.10-SNAPSHOT. The former option has the advantage for you to be 
immediately available without waiting for the 1.2.10 release.


Regards.



*From:* Francesco Chicchiriccò <ilgro...@apache.org>
*Sent:* Thursday, January 12, 2017 3:45:12 PM
*To:* user@syncope.apache.org
*Subject:* Re: How to distinguish Syncope 1.2.x and 2.x
On 12/01/2017 08:35, XiLai Dai wrote:


Hi, there,


In our product we want to let it support both Syncope 1.2.x and the 
new 2.x, but seems there is no REST api e.g. "/rest/version" to get 
the version info. the only way I could find is get version from the 
WADL response xml of http://localhost:9080/syncope/rest/?_wadl 




Is there other more convenient way to get the version info?  Thanks!



Hi,
you can look at

GET /syncope/rest/platform

the returned object has a 'version' field.

You can check the REST reference [1][2] or exploit the Swagger 
extension [3] to get details about the available endpoints;


Please consider that such call requires authentication (as it 
discloses several data about the given deployment); you can however 
empower the anonymousUser / anonymousKey values as specified in the 
security.properties file.


HTH

Regards.

[1] http://syncope.apache.org/rest/2.0/index.html
[2] http://localhost:9080/syncope/rest/
[3] https://syncope.apache.org/docs/reference-guide.html#swagger


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: How to distinguish Syncope 1.2.x and 2.x

2017-01-11 Thread Francesco Chicchiriccò

On 12/01/2017 08:35, XiLai Dai wrote:


Hi, there,


In our product we want to let it support both Syncope 1.2.x and the 
new 2.x, but seems there is no REST api e.g. "/rest/version" to get 
the version info. the only way I could find is get version from the 
WADL response xml of http://localhost:9080/syncope/rest/?_wadl 




Is there other more convenient way to get the version info?  Thanks!



Hi,
you can look at

GET /syncope/rest/platform

the returned object has a 'version' field.

You can check the REST reference [1][2] or exploit the Swagger extension 
[3] to get details about the available endpoints;


Please consider that such call requires authentication (as it discloses 
several data about the given deployment); you can however empower the 
anonymousUser / anonymousKey values as specified in the 
security.properties file.


HTH

Regards.

[1] http://syncope.apache.org/rest/2.0/index.html
[2] http://localhost:9080/syncope/rest/
[3] https://syncope.apache.org/docs/reference-guide.html#swagger

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
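The version probe discussed in this message and in the follow-up above, as an added Python sketch (not Syncope code and not from the original posts): it authenticates to GET /syncope/rest/platform, refuses to follow redirects so the credentials are never replayed elsewhere, and treats a 404 or an empty body as a pre-2.0 deployment. The JSON response shape beyond the 'version' field, the 404/empty-body behaviour of 1.2.x, the stub server and the admin/password credentials are assumptions constructed for the example.

```python
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PLATFORM_PATH = "/syncope/rest/platform"  # endpoint named in the thread


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never replay the Authorization header to a redirect target."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then surfaces the 3xx as an HTTPError


def detect_syncope(base_url, username, password, timeout=5):
    """Return ("2.x", version) or ("pre-2.0", None); raise on auth failure.

    Use an https:// base_url outside a lab: the Basic credentials are
    sent with the request.
    """
    request = urllib.request.Request(base_url.rstrip("/") + PLATFORM_PATH)
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    request.add_header("Authorization", "Basic " + token.decode("ascii"))
    request.add_header("Accept", "application/json")
    # ProxyHandler({}) ignores *_proxy environment variables (direct connection).
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}), _NoRedirect())
    try:
        with opener.open(request, timeout=timeout) as response:
            body = response.read()
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            # The endpoint is protected; never infer a version from a denial.
            raise PermissionError("credentials rejected by " + PLATFORM_PATH)
        if err.code == 404:
            return ("pre-2.0", None)  # assumption: 1.2.x has no such resource
        raise
    try:
        version = json.loads(body.decode("utf-8")).get("version")
    except (ValueError, AttributeError):
        version = None  # empty or non-object body: not a 2.x platform object
    if isinstance(version, str) and version:
        return (version.split(".")[0] + ".x", version)
    return ("pre-2.0", None)


def start_stub(kind):
    """Constructed stand-in for a Syncope Core: "2.0", "1.2" or "blank"."""
    expected = "Basic " + base64.b64encode(b"admin:password").decode("ascii")

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") != expected:
                status, payload = 401, b""
            elif kind == "blank":
                status, payload = 200, b""  # "nothing returned" case
            elif kind == "2.0" and self.path == PLATFORM_PATH:
                payload = json.dumps({"version": "2.0.1"}).encode("utf-8")
                status = 200
            else:
                status, payload = 404, b""
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):
            pass  # keep the demo quiet

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    for kind in ("2.0", "1.2", "blank"):
        server, url = start_stub(kind)
        print(kind, detect_syncope(url, "admin", "password"))
        server.shutdown()
        server.server_close()
```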



Re: CSV resource

2017-01-11 Thread Francesco Chicchiriccò

On 11/01/2017 11:01, Aniket Rohra wrote:


Hello

We have downloaded the standalone version of apache syncope 2.0.1 
version for evaluation purpose .


Issue : when we are running the Pull task ( CSV Task update matching ; 
provision unmatching ) we can see the list of users in the csv getting 
created in syncope . At the same we can also see the users are pushed 
 to resource-testdb . Can someone help where we can change this 
setting as we want it to be pushed to another resource ?




Hi,
users pulled from CSV via the pull task referenced above are also 
propagated to resource-testdb because such pull task has a user template 
defined, which states so.


If you haven't done that yet, I strongly suggest to read the chapter 
about the provisioning process, in our reference guide [2].


HTH
Regards.

[1] https://syncope.apache.org/docs/reference-guide.html#pull-templates
[2] https://syncope.apache.org/docs/reference-guide.html#provisioning

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Update user from LDAP

2017-01-04 Thread Francesco Chicchiriccò

On 04/01/2017 15:32, PSYND wrote:

Dear Francesco,
thank you for your support, we've been actually able to update users 
using the AD connector instead of the generic LDAP one.


Good news, then: the ConnId Active Directory connector in fact fully 
supports SYNC [5].

Regards.


On 2017-01-04 08:33, Francesco Chicchiriccò wrote:

On 03/01/2017 19:39, PSYND wrote:

Dear Experts,

we connected our Syncope to an OpenLDAP.

We are able to create users from OpenLDAP to Syncope, and we are 
able to list them from the dashboard.


We update the user in the LDAP, we check using the Explore Resource 
and we can correctly display the change we made.


That's good to hear.


So we run the change as Incremental, but the logs say:

JobExecutionException: While pulling from connector
org.quartz.JobExecutionException: While pulling from connector [See 
nested exception: 
org.identityconnectors.framework.common.exceptions.ConnectorException: 
Unable to locate the replication change log.
From the admin console please verify that the change log is enabled 
under Configuration: Replication: Supplier Settings and that the 
Retro Change Log Plugin is enabled under Configuration: Plug-ins: 
Retro Change Log Plugin]
at 
org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:284)
at 
org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:60)
at 
org.apache.syncope.core.provisioning.java.pushpull.AbstractProvisioningJobDelegate.doExecute(AbstractProvisioningJobDelegate.java:558)


As I was saying recently [1], and as reported by the reference guide
[2], the incremental pull mode requires the SYNC operation to be
implemented on the related connector bundle, and the LDAP connector
bundle implements that "only with Sun / Oracle DSEE, RedHat 389 and
OpenDS / OpenDJ" [3].

If you are using other implementations, say OpenLDAP, only full and
filtered pull modes are effective.

If we try this time with a Full Reconciliation, the event will be 
SUCCESS, but the log will display:


Users [created/failures]: 0/0 [updated/failures]: 0/0 
[deleted/failures]: 0/0 [no operation/ignored]: 1/0


Users no operation:
NONE SUCCESS (key/name): acff92f7-00f9-4f9a-bf92-f700f9ff9a34/cros

Any idea?


The execution of the full reconciliation is SUCCESS because it
succeeded without breaking errors.

The result summary above states that the pull task execution has found
a single user, and that the internal logic decided to not perform any
operation on it. This happens, for example, when you have set the
unmatching rule [4] to IGNORE on the pull task.


HTH
Regards.

[1]
https://lists.apache.org/thread.html/19ff0c439a68eebac36be2c19a3cf2d9e4bf5aab6a32fcd5aa356e5d@%3Cuser.syncope.apache.org%3E
[2] https://syncope.apache.org/docs/reference-guide.html#pull-mode
[3] 
https://connid.atlassian.net/wiki/display/BASE/LDAP#LDAP-SupportedOperations
[4] 
https://syncope.apache.org/docs/reference-guide.html#provisioning-pull
[5] 
https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482#ActiveDirectory(JNDI)-SupportedOperations


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: LDAP group membership sync

2016-12-28 Thread Francesco Chicchiriccò

On 27/12/2016 18:25, [TheResolvers] - Alex wrote:

Hi,
I think I haven’t exposed the problem in a clear way.

The idea isn’t to pull the group membership from ldap, but instead 
push the syncope group membership informations into ldap.


So the tutorial is exactly the opposite of what I need.


The funny thing is that apart from group sync, the rest of the setup 
is working out of box without any problem.


Some background: memberships are not managed by ConnId at framework 
level (ConnId has only the concept of objectClass [1]).


For this reason Syncope provides some utility classes (as propagation 
actions [3] and pull actions [4]) which can be put at work to overcome 
this limitation.


In your specific case, you'd need to include

org.apache.syncope.core.provisioning.java.propagation.LDAPMembershipPropagationActions

to the LDAP external resource.
This will extend the attributes passed from Syncope to LDAP with a 
special 'ldapGroups' attribute containing the list of DNs of the LDAP 
groups matching the Syncope groups each user is member of.

Then the LDAP connector code will take care of it.

Moreover, you'll also need to configure the underlying connector with 
POSIX group support (see available options at [4])


I'd suggest anyway to watch the core-connid.log file during propagations 
to see what is actually happening.


HTH
Regards.

[1] 
http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/common/objects/ObjectClass.html

[2] https://syncope.apache.org/docs/reference-guide.html#propagationactions
[3] https://syncope.apache.org/docs/reference-guide.html#pullactions
[4] https://connid.atlassian.net/wiki/display/BASE/LDAP

On 27 Dec 2016, at 11:04, Francesco Chicchiriccò <ilgro...@apache.org> wrote:



On 23/12/2016 21:38, [TheResolvers] - Alex wrote:

Hello to everyone,
I’m trying to deploy Syncope as IDM to provision user on a openldap 
directory server.
The push of users and group to the directory works without any 
problem, but I haven’t yet found the correct configuration to 
maintain user memberships.

So I think I made some mistakes in the connid ldap connector.

Can anyone send me a base config to provision user membership for 
posixGroup (RFC2307)


I’m using syncope 2.0.1 with mysql backend


Hi,
you might want to take a look at Colm's post about pulling users and 
groups from LDAP:


http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: LDAP group membership sync

2016-12-27 Thread Francesco Chicchiriccò

On 23/12/2016 21:38, [TheResolvers] - Alex wrote:

Hello to everyone,
I’m trying to deploy Syncope as IDM to provision user on a openldap 
directory server.
The push of users and group to the directory works without any 
problem, but I haven’t yet found the correct configuration to maintain 
user memberships.

So I think I made some mistakes in the connid ldap connector.

Can anyone send me a base config to provision user membership for 
posixGroup (RFC2307)


I’m using syncope 2.0.1 with mysql backend


Hi,
you might want to take a look at Colm's post about pulling users and 
groups from LDAP:


http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


