Thanks Andrea, I will try the configurations you recommended.

Thanks for the guidance!

Cheers
Michael

On Tue, 27 Sep 2022, 01:55 Andrea Patricelli, <andreapatrice...@apache.org> wrote:

> Hi Michael,
>
> On 26/09/22 12:31, Michael Paxton wrote:
> > Hi Andrea,
> >
> > Thanks for getting back to me. What we are trying to achieve (which may be
> > a misuse of Syncope - please let me know) is to ensure that all objects in
> > a directory (AD) (eg contacts) that are members of a designated group (eg
> > "Sync Allowed") are pushed into a designated OU on all other participating
> > directories.
>
> This is not a misuse, since Syncope is a provisioning engine, born also to
> perform such pull/push operations.
>
> > The destination OU seems to be working but the group selection
> > (implemented by adding the group DN to the Memberships configuration item)
> > seems to work in some instances but not others.
> >
> > When you say "LDAP Filter for Retrieving Accounts" the only similar field
> > I see is "Custom User Search Filter". Is this what you are referring to? I
> > did try it earlier (using a memberof filter in version 2.1.11) with no
> > success but will try again.
>
> Yes, on Active Directory connector the configuration parameter is the one
> you addressed.
>
> > I have separated push and pull into separate connectors so that I can
> > configure them separately (OU DNs, etc). Is this an error? Should it be
> > one connector with two resources (one for pull, one for push) with
> > different connobjectlink? Could this be the cause of it moving an object
> > from the source OU to the destination OU in the same directory?
>
> I do not think so, you can even use two different connectors with separate
> resources, what makes the difference is how you build the object sent to
> the destination Active Directory.
>
> Bear also in mind that if you perform an update on a specific user
> assigned to a specific resource (say source Active Directory) also a
> propagation will be triggered, this is why you find entries propagated to
> the source Active Directory. If you're not interested in propagating on the
> source, when configuring the pull task you should set pull mode
> FULL_RECONCILIATION and unmatching_rule: PROVISION: this way you'll get
> users on Syncope, but not assigned to the source Active Directory resource.
>
> > I will check out the references you provided now - many thanks for that!
> >
> > I suppose one other question would be, is it possible to remove objects
> > from Syncope (eg get rid of objects that shouldn't have been pulled)? I
> > made the mistake of deleting them and removing them from AD as well :)
>
> Yes, when deleting on Syncope, in order not to fire a DELETE propagation
> towards Active Directory, just UNLINK these users from the resource and
> delete, or simply remove DELETE capability from Active Directory
> connector(s).
>
> > Cheers,
> > michael.
>
> HTH,
> Andrea
>
> > On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli <andreapatrice...@apache.org> wrote:
> >
> > > Hi Michael,
> > >
> > > On 25/09/22 12:23, Michael Paxton wrote:
> > > > Hello all,
> > > >
> > > > I have a configuration where I have two directories (AD) and want to
> > > > synchronise certain objects between them.
> > > >
> > > > I want to only synch objects that are members of SynchGroup
> > > >
> > > > I want to pull objects from SourceOU in each directory and to push
> > > > objects to DestinationOU in each directory. This will keep local
> > > > objects separated from synchronised objects
> > > >
> > > > To do this I have done the following:
> > > > - created a connector for each directory dedicated to PULLing. This is
> > > >   configured to look at SourceOU and has Memberships set to the DN of
> > > >   SynchGroup
> > > > - created a connector for each directory dedicated to PUSHing. This is
> > > >   configured to look at DestinationOU
> > > >
> > > > This works, in a fashion, but the following things are occurring:
> > > > - It pulls (and then subsequently pushes) objects that aren't a member
> > > >   of SynchGroup
> > >
> > > In order to pull only specific users you can run a Filtered
> > > reconciliation [1] or set a LDAP filter directly on the connector in the
> > > "LDAP Filter for Retrieving Accounts" field. BTW for LDAP identity
> > > stores, synchronize means "pulling only the latest changes" based on the
> > > changelog, is this what you're looking for?
> > >
> > > > - It sporadically moves (I assume, by UPDATE?) local objects from
> > > >   SourceOU to DestinationOU in the same directory
> > >
> > > In order to make Syncope write an object in a specific LDAP subtree you
> > > need to properly configure the mapping [2] and especially the
> > > "connObjectLink", a configuration field used as rule to build the DN of
> > > an entry by LDAP connectors. Please take a look at the shared doc and at
> > > the playground env here [3] (ApacheDS connector and resource-ldap
> > > resource).
> > >
> > > If you have to perform more complex computations while propagating,
> > > consider implementing your own Propagation actions class [4] to "hack"
> > > the attributes sent to the connector.
> > >
> > > > I am relatively new to Syncope. I initially configured the tasks with
> > > > a highly conflicting schedule which may have caused race conditions or
> > > > other unusual behaviour but the issues seem to persist even after
> > > > staggering the schedule more sensibly.
> > > >
> > > > Apologies if the above seems overly convoluted. Any advice would be
> > > > greatly appreciated.
> > >
> > > Don't worry ;)
> > >
> > > Best regards,
> > > Andrea
> > >
> > > > Cheers,
> > > > Michael.
> > >
> > > [1] https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull
> > > [2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping
> > > [3] https://syncope-vm2.apache.org/syncope-console
> > > [4] https://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions
> > >
> > > --
> > > Andrea Patricelli
> > >
> > > Tirasa - Open Source Excellence
> > > http://www.tirasa.net/
> > >
> > > Member at The Apache Software Foundation
> > > Syncope
>
> --
> Andrea Patricelli
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope