You're welcome.

Best regards,
Andrea

On 27/09/22 13:41, Michael Paxton wrote:
Thanks Andrea,

I will try the configurations you recommended.

Thanks for the guidance!

Cheers
Michael

On Tue, 27 Sep 2022, 01:55 Andrea Patricelli, <andreapatrice...@apache.org> wrote:

    Hi Michael,

    On 26/09/22 12:31, Michael Paxton wrote:
    > Hi Andrea,
    >
    > Thanks for getting back to me. What we are trying to achieve
    > (which may be a misuse of Syncope - please let me know) is to
    > ensure that all objects in a directory (AD) (eg contacts) that
    > are members of a designated group (eg "Sync Allowed") are pushed
    > into a designated OU on all other participating directories.

    This is not a misuse, since Syncope is a provisioning engine, born
    also to perform such pull/push operations.

    > The destination OU seems to be working but the group selection
    > (implemented by adding the group DN to the Memberships
    > configuration item) seems to work in some instances but not others.
    >
    > When you say "LDAP Filter for Retrieving Accounts" the only
    > similar field I see is "Custom User Search Filter". Is this what
    > you are referring to? I did try it earlier (using a memberof
    > filter in version 2.1.11) with no success but will try again.

    Yes, on the Active Directory connector the configuration parameter
    is the one you addressed.

    > I have separated push and pull into separate connectors so that I
    > can configure them separately (OU DNs, etc.). Is this an error?
    > Should it be one connector with two resources (one for pull, one
    > for push) with different connObjectLink? Could this be the cause
    > of it moving an object from the source OU to the destination OU
    > in the same directory?

    I do not think so; you can even use two different connectors with
    separate resources. What makes the difference is how you build the
    object sent to the destination Active Directory.

    Bear also in mind that if you perform an update on a specific user
    assigned to a specific resource (say source Active Directory), a
    propagation will also be triggered; this is why you find entries
    propagated to the source Active Directory. If you're not
    interested in propagating on the source, when configuring the pull
    task you should set pull mode FULL_RECONCILIATION and
    unmatching_rule: PROVISION: this way you'll get users on Syncope,
    but not assigned to the source Active Directory resource.

    > I will check out the references you provided now - many thanks
    > for that!
    >
    > I suppose one other question would be, is it possible to remove
    > objects from Syncope (eg get rid of objects that shouldn't have
    > been pulled)? I made the mistake of Deleting them and removing
    > them from AD as well :)

    Yes, when deleting on Syncope, in order not to fire a DELETE
    propagation towards Active Directory, just UNLINK these users from
    the resource and delete them, or simply remove the DELETE capability
    from the Active Directory connector(s).

    > Cheers,
    > michael.

    HTH,
    Andrea

    On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli
    <andreapatrice...@apache.org> wrote:

        Hi Michael,

        On 25/09/22 12:23, Michael Paxton wrote:
        > Hello all,
        >
        > I have a configuration where I have two directories (AD)
        > and want to synchronise certain objects between them.
        >
        > I want to only synch objects that are members of SynchGroup
        >
        > I want to pull objects from SourceOU in each directory and
        > to push objects to DestinationOU in each directory. This will
        > keep local objects separated from synchronised objects
        >
        > To do this I have done the following:
        > - created a connector for each directory dedicated to
        >   PULLing. This is configured to look at SourceOU and has
        >   Memberships set to the DN of SynchGroup
        > - created a connector for each directory dedicated to
        >   PUSHing. This is configured to look at DestinationOU
        >
        > This works, in a fashion, but the following things are
        > occurring:
        > - It pulls (and then subsequently pushes) objects that
        >   aren't a member of SynchGroup

        In order to pull only specific users you can run a Filtered
        reconciliation [1] or set an LDAP filter directly on the
        connector in the "LDAP Filter for Retrieving Accounts" field.
        BTW for LDAP identity stores, synchronize means "pulling only
        the latest changes" based on the changelog; is this what
        you're looking for?

        > - It sporadically moves (i assume, by UPDATE?) local
        >   objects from SourceOU to DestinationOU in the same directory

        In order to make Syncope write an object in a specific LDAP
        subtree you need to properly configure the mapping [2] and
        especially the "connObjectLink", a configuration field used as
        the rule to build the DN of an entry by LDAP connectors. Please
        take a look at the shared doc and at the playground env here
        [3] (ApacheDS connector and resource-ldap resource).

        If you have to perform more complex computations while
        propagating, consider implementing your own Propagation
        actions class [4] to "hack" the attributes sent to the
        connector.

        > I am relatively new to Syncope. I initially configured the
        > tasks with a highly conflicting schedule which may have
        > caused race conditions or other unusual behaviour but the
        > issues seem to persist even after staggering the schedule
        > more sensibly.
        >
        > Apologies if the above seems overly convoluted. Any advice
        > would be greatly appreciated.

        Don't worry ;)

        Best regards,
        Andrea

        > Cheers,
        > Michael.

        [1] https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull

        [2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping

        [3] https://syncope-vm2.apache.org/syncope-console

        [4] https://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions

        --
        Andrea Patricelli

        Tirasa - Open Source Excellence
        http://www.tirasa.net/

        Member at The Apache Software Foundation
        Syncope

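Added example, not code from this thread or from Syncope: a small Python helper that builds the value Andrea suggests for the connector's search-filter field (restricting a pull to members of one group, with RFC 4515 escaping of the group DN) and applies the same membership test to constructed entries, so you can preview which objects in SourceOU would be pulled. The group DN, entry names and the `person`/`contact` object classes are assumptions modelled on the standard AD schema, not values from the thread.

```python
# Added example, not code from the thread or from Syncope: build the AD
# "Custom User Search Filter" value that restricts a pull to members of one
# group, and apply the same rule to constructed entries to preview the pull.
# RFC 4515 escapes for values embedded in an LDAP filter: a group name such
# as "Sync Allowed (Global)" contains parentheses that would break the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def member_filter(group_dn: str, object_class: str = "user") -> str:
    """Value for the connector's search-filter field: entries of
    object_class whose memberOf attribute lists group_dn."""
    return "(&(objectClass=%s)(memberOf=%s))" % (
        escape_filter_value(object_class), escape_filter_value(group_dn))

def _norm_dn(dn: str) -> str:
    # AD matches DNs case-insensitively and ignores spacing around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def select_for_pull(entries: list, group_dn: str,
                    object_class: str = "user") -> list:
    """Apply the same rule locally: the DNs Syncope would pull."""
    wanted = _norm_dn(group_dn)
    picked = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectClass", [])}
        groups = {_norm_dn(g) for g in entry.get("memberOf", [])}
        if object_class.lower() in classes and wanted in groups:
            picked.append(entry["dn"])
    return picked

# Constructed sample data: a group whose name needs escaping and three
# entries in SourceOU (an allowed user, a local-only user, an allowed contact).
GROUP_DN = "CN=Sync Allowed (Global),OU=Groups,DC=example,DC=com"
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,OU=SourceOU,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "memberOf": ["cn=sync allowed (global),ou=groups,dc=example,dc=com"]},
    {"dn": "CN=bob,OU=SourceOU,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "memberOf": ["CN=Local Staff,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=ext-carol,OU=SourceOU,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "contact"],
     "memberOf": [GROUP_DN]},
]

if __name__ == "__main__":
    print(member_filter(GROUP_DN))
    print(select_for_pull(SAMPLE_ENTRIES, GROUP_DN, "person"))
```

With `object_class="user"` only the user entry in the group is selected; passing `"person"`, the class AD users and contacts share, also picks up the contact, which matters if contacts are meant to be synchronised too.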