On 27/12/2016 18:25, [TheResolvers] - Alex wrote:
Hi,
I think I haven’t exposed the problem in a clear way.

The idea isn’t to pull the group membership from LDAP, but instead to push the Syncope group membership information into LDAP.

So the tutorial is exactly the opposite of what I need.


The funny thing is that apart from group sync, the rest of the setup is working out of the box without any problem.

Some background: memberships are not managed by ConnId at framework level (ConnId has only the concept of objectClass [1]).

For this reason Syncope provides some utility classes (as propagation actions [2] and pull actions [3]) which can be put to work to overcome this limitation.

In your specific case, you'd need to include

org.apache.syncope.core.provisioning.java.propagation.LDAPMembershipPropagationActions

to the LDAP external resource.
This will extend the attributes passed from Syncope to LDAP with a special 'ldapGroups' attribute containing the list of DNs of the LDAP groups matching the Syncope groups each user is a member of.
Then the LDAP connector code will take care of it.

Moreover, you'll also need to configure the underlying connector with POSIX group support (see available options at [4]).

I'd suggest anyway to watch the core-connid.log file during propagations to see what is actually happening.

HTH
Regards.

[1] http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/common/objects/ObjectClass.html
[2] https://syncope.apache.org/docs/reference-guide.html#propagationactions
[3] https://syncope.apache.org/docs/reference-guide.html#pullactions
[4] https://connid.atlassian.net/wiki/display/BASE/LDAP

On 27 Dec 2016, at 11:04, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 23/12/2016 21:38, [TheResolvers] - Alex wrote:
Hello to everyone,
I’m trying to deploy Syncope as IDM to provision users on an OpenLDAP directory server. The push of users and groups to the directory works without any problem, but I haven’t yet found the correct configuration to maintain user memberships.
So I think I made some mistakes in the ConnId LDAP connector.

Can anyone send me a base config to provision user membership for posixGroup (RFC2307)?

I’m using Syncope 2.0.1 with a MySQL backend.

Hi,
you might want to take a look at Colm's post about pulling users and groups from LDAP:

http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
