Hi Michael,
On 25/09/22 12:23, Michael Paxton wrote:
> Hello all,
>
> I have a configuration where I have two directories (AD) and want to
> synchronise certain objects between them.
>
> I want to only synch objects that are members of SynchGroup
>
> I want to pull objects from SourceOU in each directory and to push
> objects to DestinationOU in each directory. This will keep local
> objects separated from synchronised objects
>
> To do this I have done the following:
> - created a connector for each directory dedicated to PULLing. This is
>   configured to look at SourceOU and has Memberships set to the DN of
>   SynchGroup
> - created a connector for each directory dedicated to PUSHing. This is
>   configured to look at DestinationOU
>
> This works, in a fashion, but the following things are occurring:
> - It pulls (and then subsequently pushes) objects that aren't a member
>   of SynchGroup

In order to pull only specific users you can run a Filtered
reconciliation [1] or set an LDAP filter directly on the connector in the
"LDAP Filter for Retrieving Accounts" field. BTW, for LDAP identity
stores, synchronize means "pulling only the latest changes" based on the
changelog; is this what you're looking for?

> - It sporadically moves (I assume, by UPDATE?) local objects from
>   SourceOU to DestinationOU in the same directory

In order to make Syncope write an object in a specific LDAP subtree you
need to properly configure the mapping [2] and especially the
"connObjectLink", a configuration field used as a rule to build the DN of
an entry by LDAP connectors. Please take a look at the shared doc and at
the playground env here [3] (ApacheDS connector and resource-ldap resource).

If you have to perform more complex computations while propagating,
consider implementing your own Propagation actions class [4] to "hack"
the attributes sent to the connector.

> I am relatively new to Syncope. I initially configured the tasks with
> a highly conflicting schedule which may have caused race conditions or
> other unusual behaviour but the issues seem to persist even after
> staggering the schedule more sensibly.
>
> Apologies if the above seems overly convoluted. Any advice would be
> greatly appreciated.

Don't worry ;)
Best regards,
Andrea

> Cheers,
> Michael.

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping
[3] https://syncope-vm2.apache.org/syncope-console
[4] https://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions
--
Andrea Patricelli
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope
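
One way to build and dry-run a membership filter of the kind that would go in the "LDAP Filter for Retrieving Accounts" field mentioned in the reply above; this is an added example, not code from the thread or from Syncope. The group DN, the sample entries and all helper names are hypothetical, and the nested variant assumes Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule.

```python
# Added example. Every DN below is a constructed placeholder, not from the thread.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule: follows nested groups

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_filter(group_dn: str, object_class: str = "user", nested: bool = False) -> str:
    """Filter matching objects of object_class that are members of group_dn."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"({attr}={escape_filter_value(group_dn)}))")


def _norm(dn: str) -> str:
    # Simplified DN comparison (case and spacing only), enough for a dry run.
    return ",".join(part.strip().lower() for part in dn.split(","))


def direct_members(entries: list[dict], group_dn: str) -> list[str]:
    """Dry run: DNs of entries whose memberOf lists group_dn directly."""
    wanted = _norm(group_dn)
    return [e["dn"] for e in entries
            if wanted in {_norm(g) for g in e.get("memberOf", [])}]


GROUP = "CN=SynchGroup,OU=Groups,DC=example,DC=test"
ENTRIES = [  # constructed sample of what SourceOU might hold
    {"dn": "CN=alice,OU=SourceOU,DC=example,DC=test", "memberOf": [GROUP]},
    {"dn": "CN=bob,OU=SourceOU,DC=example,DC=test", "memberOf": []},
    {"dn": "CN=carol,OU=SourceOU,DC=example,DC=test",
     "memberOf": ["cn=synchgroup, ou=Groups, dc=example, dc=test"]},
]

if __name__ == "__main__":
    print(member_filter(GROUP))
    print(member_filter(GROUP, nested=True))
    print(direct_members(ENTRIES, GROUP))
```

Comparing the dry-run list with what a pull actually imports shows whether the filter or the connector scope is letting non-members through.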