Re: Question about configuration for object synch between directories

2022-12-20 Thread Michael Paxton
Sorry to bump this. Is there a known issue with how filters work in the AD
connector or am I misconfiguring it?

Any input greatly appreciated

Cheers Michael

On Wed, 19 Oct 2022, 16:00 Michael Paxton wrote:


Re: Question about configuration for object synch between directories

2022-10-18 Thread Michael Paxton
Hello all,

So I just got a chance to work on this again. The fix for preventing users
being moved seems to work (will probably need to do more testing) but I
have set "Custom User Search Filter" to (memberOf=) and it is
still pulling users (contacts in this case) that are not members of the
designated group. Interestingly it doesn't pull *all* users that are not
members of the group - just some.

I have tested the filter with ldapsearch and it seems to work fine. Am I
doing something incorrectly?

Cheers,
Michael.

On Tue, Sep 27, 2022 at 1:55 AM Andrea Patricelli <
andreapatrice...@apache.org> wrote:

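The report above says the memberOf filter tested fine with ldapsearch, yet the pull still delivered extra objects. As an added example (not code from this thread or from Syncope), here is an offline evaluator that applies such a filter to an export of SourceOU and lists what a pull delivered that the filter does not select; the group DN, the entries and the "pulled" list are constructed sample data.

```python
"""Offline check of an LDAP search filter (RFC 4515 subset: equality,
presence, &, |, !) against AD-style entries. DN-valued attributes such as
memberOf are compared as AD does: case-insensitively, ignoring spacing
around RDN separators. Escaped commas or ')' inside values are not handled."""

# Constructed sample data: an invented group DN and four entries as they
# might be read from an LDIF dump of SourceOU (attribute values are lists).
SYNC_GROUP = "CN=Sync Allowed,OU=Groups,DC=example,DC=test"
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=SourceOU,DC=example,DC=test",
     "objectClass": ["top", "person", "user"], "memberOf": [SYNC_GROUP]},
    {"dn": "CN=Bob,OU=SourceOU,DC=example,DC=test",
     "objectClass": ["top", "person", "user"],
     "memberOf": ["CN=Other,OU=Groups,DC=example,DC=test"]},
    # Contact whose memberOf differs only in case and spacing: still a member.
    {"dn": "CN=Carol,OU=SourceOU,DC=example,DC=test",
     "objectClass": ["top", "person", "contact"],
     "memberOf": ["cn=sync allowed, ou=groups, dc=example, dc=test"]},
    # Contact with no group memberships at all.
    {"dn": "CN=Dave,OU=SourceOU,DC=example,DC=test",
     "objectClass": ["top", "person", "contact"]},
]
DN_VALUED = {"memberof", "member", "manager"}

def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around the RDN separators."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_filter(text):
    """Parse into ('&'|'|'|'!', [children]) or ('=', attr, value) tuples."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos:pos + 1] in ("&", "|", "!"):
            op, pos, kids = text[pos], pos + 1, []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if not kids or text[pos:pos + 1] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError("malformed '%s' filter at offset %d" % (op, pos))
            pos += 1
            return (op, kids)
        end = text.find(")", pos)
        attr, sep, value = text[pos:end].partition("=") if end >= 0 else ("", "", "")
        # An assertion with no value (e.g. a DN that went missing) is rejected
        # here instead of silently matching nothing.
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("incomplete assertion at offset %d" % pos)
        pos = end + 1
        return ("=", attr.strip(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return tree

def matches(tree, entry):
    """True when the entry satisfies the parsed filter."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    if value == "*":                      # presence filter
        return bool(values)
    if attr.lower() in DN_VALUED:
        return normalize_dn(value) in {normalize_dn(v) for v in values}
    return value.lower() in {v.lower() for v in values}

def select(entries, filter_text):
    """DNs a search over these entries with the given filter would return."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]

def unexpected(pulled_dns, entries, filter_text):
    """DNs a pull delivered although the filter does not select them."""
    return sorted(set(pulled_dns) - set(select(entries, filter_text)))
```

Feeding it the real SourceOU export and the list of objects Syncope actually pulled shows exactly which entries the connector search and the filter disagree on.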

Re: Question about configuration for object synch between directories

2022-09-27 Thread Andrea Patricelli

You're welcome.

Best regards,
Andrea

On 27/09/22 13:41, Michael Paxton wrote:

> Thanks Andrea,
>
> I will try the configurations you recommended.
>
> Thanks for the guidance!
>
> Cheers
> Michael
>
> On Tue, 27 Sep 2022, 01:55 Andrea Patricelli wrote:



Re: Question about configuration for object synch between directories

2022-09-26 Thread Andrea Patricelli

Hi Michael,

On 26/09/22 12:31, Michael Paxton wrote:

> Hi Andrea,
>
> Thanks for getting back to me. What we are trying to achieve (which
> may be a misuse of Syncope - please let me know) is to ensure that all
> objects in a directory (AD) (eg contacts) that are members of a
> designated group (eg "Sync Allowed") are pushed into a designated OU
> on all other participating directories.

This is not a misuse, since Syncope is a provisioning engine, born also
to perform such pull/push operations.

> The destination OU seems to be working but the group selection
> (implemented by adding the group DN to the Memberships configuration
> item) seems to work in some instances but not others.
>
> When you say "LDAP Filter for Retrieving Accounts" the only similar
> field I see is "Custom User Search Filter". Is this what you are
> referring to? I did try it earlier (using a memberof filter in version
> 2.1.11) with no success but will try again.

Yes, on Active Directory connector the configuration parameter is the
one you addressed.

> I have separated push and pull into separate connectors so that I can
> configure them separately (OU DNs, etc.). Is this an error? Should it
> be one connector with two resources (one for pull, one for push) with
> different connobjectlink? Could this be the cause of it moving an
> object from the source OU to the destination OU in the same directory?

I do not think so, you can even use two different connectors with
separate resources, what makes the difference is how you build the
object sent to the destination Active Directory.

Bear also in mind that if you perform an update on a specific user
assigned to a specific resource (say source Active Directory) also a
propagation will be triggered, this is why you find entries propagated
to the source Active Directory. If you're not interested in propagating
on the source, when configuring the pull task you should set pull mode
FULL_RECONCILIATION and unmatching_rule: PROVISION: this way you'll get
users on Syncope, but not assigned to the source Active Directory resource.

> I will check out the references you provided now - many thanks for that!
>
> I suppose one other question would be, is it possible to remove
> objects from Syncope (eg get rid of objects that shouldn't have been
> pulled)? I made the mistake of Deleting them and removing them from AD
> as well :)

Yes, when deleting on Syncope, in order not to fire a DELETE propagation
towards Active Directory, just UNLINK these users from the resource and
delete or simply remove DELETE capability from Active Directory
connector(s).

> Cheers,
> michael.

HTH,
Andrea

> On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli wrote:



Re: Question about configuration for object synch between directories

2022-09-26 Thread Michael Paxton
Hi Andrea,

Thanks for getting back to me. What we are trying to achieve (which may be
a misuse of Syncope - please let me know) is to ensure that all objects in
a directory (AD) (eg contacts) that are members of a designated group (eg
"Sync Allowed") are pushed into a designated OU on all other participating
directories.

The destination OU seems to be working but the group selection (implemented
by adding the group DN to the Memberships configuration item) seems to work
in some instances but not others.

When you say "LDAP Filter for Retrieving Accounts" the only similar field I
see is "Custom User Search Filter". Is this what you are referring to? I
did try it earlier (using a memberof filter in version 2.1.11) with no
success but will try again.

I have separated push and pull into separate connectors so that I can
configure them separately (OU DNs, etc.). Is this an error? Should it be
one connector with two resources (one for pull, one for push) with
different connobjectlink? Could this be the cause of it moving an object
from the source OU to the destination OU in the same directory?

I will check out the references you provided now - many thanks for that!

I suppose one other question would be, is it possible to remove objects
from Syncope (eg get rid of objects that shouldn't have been pulled)? I
made the mistake of Deleting them and removing them from AD as well :)

Cheers,
michael.





On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli <
andreapatrice...@apache.org> wrote:



Re: Question about configuration for object synch between directories

2022-09-26 Thread Andrea Patricelli

Hi Michael,

On 25/09/22 12:23, Michael Paxton wrote:

> Hello all,
>
> I have a configuration where I have two directories (AD) and want to
> synchronise certain objects between them.
>
> I want to only synch objects that are members of SynchGroup
>
> I want to pull objects from SourceOU in each directory and to push
> objects to DestinationOU in each directory. This will keep local
> objects separated from synchronised objects
>
> To do this I have done the following:
> - created a connector for each directory dedicated to PULLing. This is
> configured to look at SourceOU and has Memberships set to the DN of
> SynchGroup
> - created a connector for each directory dedicated to PUSHing. This is
> configured to look at DestinationOU
>
> This works, in a fashion, but the following things are occurring:
> - It pulls (and then subsequently pushes) objects that aren't a member
> of SynchGroup

In order to pull only specific users you can run a Filtered
reconciliation [1] or set an LDAP filter directly on the connector in the
"LDAP Filter for Retrieving Accounts" field. BTW for LDAP identity
stores, synchronize means "pulling only the latest changes" based on the
changelog, is this what you're looking for?

> - It sporadically moves (I assume, by UPDATE?) local objects from
> SourceOU to DestinationOU in the same directory

In order to make Syncope write an object in a specific LDAP subtree you
need to properly configure the mapping [2] and especially the
"connObjectLink", a configuration field used as a rule to build the DN of
an entry by LDAP connectors. Please take a look at the shared doc and at
the playground env here [3] (ApacheDS connector and resource-ldap resource).

If you have to perform more complex computations while propagating,
consider implementing your own Propagation actions class [4] to "hack"
the attributes sent to the connector.

> I am relatively new to Syncope. I initially configured the tasks with
> a highly conflicting schedule which may have caused race conditions or
> other unusual behaviour but the issues seem to persist even after
> staggering the schedule more sensibly.
>
> Apologies if the above seems overly convoluted. Any advice would be
> greatly appreciated.

Don't worry ;)

Best regards,
Andrea

> Cheers,
> Michael.


[1] https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull

[2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping

[3] https://syncope-vm2.apache.org/syncope-console

[4] https://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions


--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope



Question about configuration for object synch between directories

2022-09-25 Thread Michael Paxton
Hello all,

I have a configuration where I have two directories (AD) and want to
synchronise certain objects between them.

I want to only synch objects that are members of SynchGroup

I want to pull objects from SourceOU in each directory and to push objects
to DestinationOU in each directory. This will keep local objects separated
from synchronised objects

To do this I have done the following:
- created a connector for each directory dedicated to PULLing. This is
configured to look at SourceOU and has Memberships set to the DN of
SynchGroup
- created a connector for each directory dedicated to PUSHing. This is
configured to look at DestinationOU

This works, in a fashion, but the following things are occurring:
- It pulls (and then subsequently pushes) objects that aren't a member of
SynchGroup
- It sporadically moves (I assume, by UPDATE?) local objects from SourceOU
to DestinationOU in the same directory

I am relatively new to Syncope. I initially configured the tasks with a
highly conflicting schedule which may have caused race conditions or other
unusual behaviour but the issues seem to persist even after staggering the
schedule more sensibly.

Apologies if the above seems overly convoluted. Any advice would be greatly
appreciated.

Cheers,
Michael.