*Von:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Gesendet:* Donnerstag, 27. Juli 2017 12:34
*An:* user@syncope.apache.org
*Betreff:* Re: Configuration of LDAP Identity Store
Hi Martin and Andrea,
sorry if I come late to the party.
First of all, I confirm that Andrea's approach is the correct one, at
this moment: the way how LDAPMembershipsPropagationActions is
architected requires that the same Resource is used for both Users and
Groups, and the configuration available in the test data for ApacheDS
works as long as uid and cn contain exactly the same value.
Hence, the suggestion to try out the LDAP connector 1.5.2-SNAPSHOT
(which can be downloaded from [0]) is the most logical, currently.
The issue originally described below is somehow related to some
thoughts I am elaborating about the usage that Syncope makes of ConnId
APIs, and I believe there is room for improvement.
I plan to write down a full proposal, but here's the raw idea.
For several operations, but in particular *before* and *after*
executing a Propagation Task, Syncope queries the External Resource to
see if a matching item is found, and it does that via ConnId's
GetApiOp [1].
Such operation is implemented at Framework level, e.g. before reaching
out any effective Connector, via a plain search [2] where the key is
the special __UID__ attribute and the value is the one passed as
argument, alongside with ObjectClass.
Using GetApiOp used to make entirely sense in the old days of ConnId
1.3 and Syncope 1.1, when the Mapping Item identified as "AccountId"
(now Remote Key) was forced to blank the external attribute name (see
[3]): in such cases, in fact, __UID__ was used as external attribute.
ConnId 1.4 slightly changed the way how the __UID__ attribute is
managed: as a result, since Syncope 1.2, it is mandatory to specify an
external attribute name for the Remote Key (see [4] in Syncope 2.0).
To give an idea, the sample from [3] would result in querying the
External Resource for "__UID__ == 'ilgrosso'", while the sample from
[4] *should* result in "uid == 'ilgrosso'" but will instead produce
the same query as in the past.
The problem here is that what actually __UID__ means is left to any
Connector's implementation: LDAP configures that via the UidAttribute
property (and GidAttribute in 1.5.2-SNAPSHOT), AD does something
similar, others do differently.
What I see here is that from one side the Remote Key is defined in
Syncope at high level (e.g. as part of the Resource configuration, in
the Mapping), while the raw __UID__ is still used under the hoods in
some cases (before executing a Propagation Task, as said above, for
example), hence it is the low level configuration (not Resource's but
Connector's) that comes into play.
My proposal is to simply get rid of GetApiOp and replace its usage in
Syncope with search, using as key the External attribute name defined
in the mapping, rather than __UID__.
This should solve your issue (and others) at a glance, as Users will
be looked up by uid, Groups by cn and Realms by ou (if your Mappings
were set in these ways).
Not sure if this clarifies, but I will make some work around such
concepts hopefully soon.
Regards.
[0]
https://oss.sonatype.org/content/repositories/snapshots/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ldap/1.5.2-SNAPSHOT/net.tirasa.connid.bundles.ldap-1.5.2-20170607.094522-5.jar
[1]
https://github.com/Tirasa/ConnId/blob/master/java/connector-framework/src/main/java/org/identityconnectors/framework/api/operations/GetApiOp.java
[2]
https://github.com/Tirasa/ConnId/blob/master/java/connector-framework-internal/src/main/java/org/identityconnectors/framework/impl/api/local/operations/GetImpl.java
[3] https://pasteboard.co/GCRf497.png
[4] https://pasteboard.co/GCRixXp.png
On 25/07/2017 14:12, Böhmer, Martin wrote:
Hi Andrea,
Your proposed solutions are greatly appreciated. Here are my comments:
1.I created a JIRA account to file an improvement request.
Unfortunately, I seem to lack the right to create an improvement
for the “LDAP bundle” component. The only components I can create
issues for are COMMONS, REST & OFFICE365. Am I doing something wrong?
2.I not sure, if I understood you correctly. Are you saying, there
is no chance LDAPMembershipPropagationAction will work out of the
box? Or that you aren’t you sure if it will work and it would be
worth setting this up and try it out? If it’s the second case, I
would try it you.
Regards,
Martin
*Von:*Andrea Patricelli [mailto:andreapatrice...@apache.org]
*Ge**sendet:*Montag, 24. Juli 2017 11:33
*An:* user@syncope.apache.org <mailto:user@syncope.apache.org>
*Betreff:* Re: AW: AW: Configuration of LDAP Identity Store
Hi Martin,
I perfectly understand your situation.
Please see my responses inline.
Il 22/07/2017 00:53, Böhmer, Martin ha scritto:
Yes, I have set a group mapping. It’s kinda simple:
Type
/User/
Object Class
/__GROUP__/
Mapping
name
/Int: name
ext: cn
Remote key: yes/
Object Link
/‘cn=’ + name + ‘,ou=groups,dc=example,dc=com’/
//
I had a look at the working example you provided. Using “cn”
as the uidAttribute and in the DN for both users and groups
worked fine in my test installation. But, this is only going
to work in case I can influence the way the DNs are
structured, so I am able to harmonise user and group DNs. True
for my test environment, but it is not going to work with our
production LDAP.
On the production LDAP server, user DNs are structured “uid=…”
and group DNs “cn=…”. As a result, the “cn” attribute for
users is not a unique identifier, as two different persons can
have the same “cn” in our environment (they will get different
uids and email addresses, etc). There is no way I can
change/harmonise the structure of the DNs (for various reasons).
Setting the uidAttriute to “cn” proved not work with our
production LDAP server - even though the Object Links of the
mappings reflect the differences of the DNs (see above and
below). I do not understand why the uidAttribute of the
connector config influences the remote key generation as the
remote key could be generated only by just evaluating the
different ObjectLink JEXL expressions…
You are right, uidAttribute is only used to retrieve the entity
from the LDAP server, i.e. the connector will search entities by
uidAttribute (cn, uid, etc.). For this reason you see the user
correctly propagated to LDAP, but not correctly linked on Syncope.
So, any ideas on how to get the sync work with the different DNs?
I see two solutions:
1. Implement an improvement on ConnID LDAP connector in order to
manage two (or more) different uidAttributes (at least one for
USER and another for GROUP), as done for Active Directory
connector. You could open an issue (improvement) at [1].
2. Define two different resources, one for USER and the other for
GROUP, and set uidAttribute as *Override* while configuring the
connector. With this solution you'll be able to define for each
resource your specific uidAttribute.
Solution 2 unfortunately has a drawback:
LDAPMembershipPropagationAction could not work anymore and
probably needs to be reviewed in order to work with entities
related to two different resources.
HTH,
Andrea
[1]
https://connid.atlassian.net/projects/BASE/issues/BASE-56?filter=allopenissues
Regards,
Martin
*Von:*Andrea Patricelli [mailto:andrea.patrice...@tirasa.net]
*Gesendet:* Freitag, 21. Juli 2017 15:35
*An:* user@syncope.apache.org <mailto:user@syncope.apache.org>
*Betreff:* Re: AW: Configuration of LDAP Identity Store
Have you set a mapping for GROUP? Could you share it?
Pay attention to the object link for groups. It should be
something like this: 'cn=' + name + ',ou=groups,dc=sample,dc=com'
If it is correct (as I thisnk) try to use as uidAttribute an
attribute that both USER and GROUP have, and is mapped to any
of Syncope attributes. cn for example.
You have a working example at [1] (Apache DS, resource-ldap).
Best regards,
Andrea
[1] http://syncope-vm.apache.org:9080/syncope-console
Il 21/07/2017 13:15, Böhmer, Martin ha scritto:
Hi Andrea,
Thank you for the quick reply!
I changed the uidAttribute as you suggested and sync works
for users. However, now I have the very same problem with
groups whose remote IDs happen to be empty.
So, when I change the uidAttribute to „uid“, will the same
connector also work for groups? Or do I need to create a
second connector for synchronizing groups?
I am asking, because groups have the attribute “cn” in
their dn instead of “uid” (see below).
Regards,
Martin
*Von:*Andrea Patricelli [mailto:andrea.patrice...@tirasa.net]
*Gesendet:* Freitag, 21. Juli 2017 12:29
*An:* user@syncope.apache.org <mailto:user@syncope.apache.org>
*Betreff:* Re: Configuration of LDAP Identity Store
Hi Martin,
try to change, in connector configuration, the
uidAttribute value to *uid* instead of "*entryUUID*".
BTW if this does not work could you attach core-connid.log
file?
HTH,
Andrea
Il 21/07/2017 12:00, Böhmer, Martin ha scritto:
HI,
I cannot get the configuration of my LDAP Identity
Store right. What I want is a synchronization of user,
groups and group memberships, meaning that everything
change in Syncope is propagated to LDAP and vice-versa.
With my current configuration below, I am able to pull
users from LDAP (pull task) and propagate new users to
LDAP when created in Syncope. What is not working is
the synchronization of users existing in both systems.
Syncope claims about a missing remote key. This is
particularly strange when creating a user in Syncope.
On the result screen of the user creation, the remote
key is correctly display. When I close that screen and
open the “Manage resources” dialog for that user, the
remote key is gone and thus propagation of updates to
LDAP fails.
Any hints would be greatly appreciated!
Regards,
Martin
I’m using *_OpenLDAP_*. The tree looks like this
dc=example,dc=com
·ou=people
ouid=johndoe
o…
·ou=groups
ocn=testgroup
Here is the configuration of the *_LDAP connector_*
(properties not listed were not touched = default value)
Bundle
*net.tirasa.connid.bundles.ldap*
Host
*localhost*
TCP Port
389
Principal
*cn=syncope,dc=exmaple,dc=com*
Password
*/******/*
Base Contexts
*dc=exmaple,dc=com*
Password Attribute
userPassword
Account Object Classes
top, person, organizationalPerson, inetOrgPerson
Account User Name Attributes
uid, cn
Group Object Classes
top, groupOfuniqueNames
Group Name Attributes
cn
Group Member Attribute
uniqueMember
Maintain LDAP Group Membership
(Haken)
Password Hash Algorithm
*SSHA*
VLV Sort Attribute
*uid*
Uid Attribute
*entryUUID*
Read Schema
(Haken)
Base Contexts to Synchronize
(leer)
Object Classes to Synchronize
*inetOrgPerson, groupOfUniqueNames*
Attributes to Synchronize
(leer)
Remove Log Entry Object Class from Filter
(Haken)
Enable Password Synchronization
(Fehler)
Status management class
*net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement*
Capabilities
*/(all selected)/*
And this is the configuration of my *_LDAP resource_*:
Propagation Actions
*LDAPPAsswordPropagationAction*
*LDAPMembershipPropagationAction*
Override Capabilities?
(Fehler)
Account Policy
/(none)/
Password Policy
/(none)/
Pull Policy
/(none)/)
Finally, the *_mapping configuration_*
Type
/User/
Object Class
/__ACCOUNT__/
Mapping
username
/Int: username
ext: uid
Remote key: yes/
Mapping
email
/Int: email
Ext: mail/
Mapping
password
/Int: password
Ext: userPassword
Password: yes/
Object Link
/‘uid=’ + username + ‘,ou=people,dc=example,dc=com’/
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/ <http://home.apache.org/%7Eilgrosso/>