On 14/01/22 00:35, fab...@fabln.ovh wrote:
Hi,
I am running Syncope version 2.1.10. I am trying to synchronize groups
membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP (openldap).
The problem I have is that when I create users and then groups with members in
Syncope, the users and groups are created properly in LDAP but the group don't
have the members.
If I edit the users in Syncope and add them to the group, then the group in
LDAP is synchronized properly and contains the correct members.
Is it possible to synchronize from Syncope to LDAP group members from the group
in Syncope, or do the users in Syncope need to contain the group list ?
My configuration:
I created the users local_user1 and local_user2 in Syncope.
I have the file local_group20.json to create the group "local_group20" with the 2 members
"local_user1" and "local_user2" via SCIM:
{
"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],
"displayName":"local_group20",
"externalId": "local_group20",
"members":[{
"value":"d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa",
"display":"local_user1"
},{
"value":"2366d4ee-700e-4578-a6d4-ee700e05787c",
"display":"local_user2"
}
]
}
I create the groups with the members in SYNCOPE via SCIM:
$ curl -k -vX POST -H "Accept: application/scim+json" -H "Content-Type:
application/scim+json" -H "Authorization: Bearer $TOKEN" -d @local_group20.json
http://localhost:18080/syncope/scim/v2/Groups
I can see the group "local_group20" is created fine in Syncope, with the 2
members in it.
I have an LDAP connector in Syncope, with a propagation action
"LDAPMembershipPropagationActions" and a PUSH task (note: there are no actions
available in the PUSH task).
When I run the PUSH task, the group is created in LDAP but without the members
local_user1 and local_user2.
If I edit the users local_user1 and local_user2 in Syncope, and add them to the group
"local_group20" and run the PUSH task again, they appear in the LDAP group
members.
Any idea ?
Hi Fabien,
it seems you went pretty far with your use case above: e.g. to use Syncope to
provision users, groups and memberships via SCIM2 to LDAP.
Let me recap the flow:
1. users are created in Syncope (how? via SCIM?), with the LDAP resource
assigned
2. group is created in Syncope via SCIM, with 2 members
first question: can you see the group membership in Syncope, for the 2 users
created at step 1?
3. the Push Task is run
second question: is the Push Task configured for both users and groups?
4. you can see both users and group on LDAP, but no members for the group
5. you edit the 2 users in Syncope by adding group membership
6. the Push Task is run again, with expected result
Is all above correct? Can you provide answers?
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/