Hi Andrea,

Thanks for getting back to me. What we are trying to achieve (which may be
a misuse of Syncope - please let me know) is to ensure that all objects in
a directory (AD) (eg contacts) that are members of a designated group (eg
"Sync Allowed") are pushed into a designated OU on all other participating
directories.

The destination OU seems to be working but the group selection (implemented
by adding the group DN to the Memberships configuration item) seems to work
in some instances but not others.

When you say "LDAP Filter for Retrieving Accounts" the only similar field I
see is "Custom User Search Filter". Is this what you are referring to? I
did try it earlier (using a memberof filter in version 2.1.11) with no
success but will try again.

I have separated push and pull into separate connectors so that I can
configure them separately (OU DNs, etc.). Is this an error? Should it be
one connector with two resources (one for pull, one for push) with
different connobjectlink? Could this be the cause of it moving an object
from the source OU to the destination OU in the same directory?

I will check out the references you provided now - many thanks for that!

I suppose one other question would be, is it possible to remove objects
from Syncope (eg get rid of objects that shouldn't have been pulled)? I
made the mistake of Deleting them and removing them from AD as well :)

Cheers,
michael.





On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli <
andreapatrice...@apache.org> wrote:

> Hi Michael,
>
> On 25/09/22 12:23, Michael Paxton wrote:
> > Hello all,
> >
> > I have a configuration where I have two directories (AD) and want to
> > synchronise
> > certain objects between them.
> >
> > I want to only synch objects that are members of SynchGroup
> >
> > I want to pull objects from SourceOU in each directory and to push
> > objects to DestinationOU in each directory. This will keep local
> > objects separated from synchronised objects
> >
> > To do this I have done the following:
> > - created a connector for each directory dedicated to PULLing. This is
> > configured to look at SourceOU and has Memberships set to the DN of
> > SynchGroup
> > - created a connector for each directory dedicated to PUSHing. This is
> > configured to look at DestinationOU
> >
> > This works, in a fashion, but the following things are occurring:
> > - It pulls (and then subsequently pushes) objects that aren't a member
> > of SynchGroup
>
> In order to pull only specific users you can run a Filtered
> reconciliation [1] or set an LDAP filter directly on the connector in the
> "LDAP Filter for Retrieving Accounts" field. BTW for LDAP identity
> stores, synchronize means "pulling only the latest changes" based on the
> changelog, is this what you're looking for?
>
> > - It sporadically moves (I assume, by UPDATE?) local objects from
> > SourceOU to DestinationOU in the same directory
>
> In order to make Syncope write an object in a specific LDAP subtree you
> need to properly configure the mapping [2] and especially the
> "connObjectLink", a configuration field used as rule to build the DN of
> an entry by LDAP connectors. Please take a look at the shared doc and at
> the playground env here [3] (ApacheDS connector and resource-ldap
> resource).
>
> If you have to perform more complex computations while propagating,
> consider implementing your own Propagation actions class [4] to "hack"
> the attributes sent to the connector.
>
> >
> > I am relatively new to Syncope. I initially configured the tasks with
> > a highly conflicting schedule which may have caused race conditions or
> > other unusual behaviour but the issues seem to persist even after
> > staggering the schedule more sensibly.
> >
> > Apologies if the above seems overly convoluted. Any advice would be
> > greatly appreciated.
>
> Don't worry ;)
>
> Best regards,
> Andrea
>
> >
> > Cheers,
> > Michael.
>
> [1]
> https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull
>
> [2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping
>
> [3] https://syncope-vm2.apache.org/syncope-console
>
> [4]
> https://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions
>
> --
> Andrea Patricelli
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope
>
>
