Sorry to bump this. Is there a known issue with how filters work in the AD connector or am I misconfiguring it?
Any input greatly appreciated Cheers Michael On Wed, 19 Oct 2022, 16:00 Michael Paxton, <paxto...@gmail.com> wrote: > Hello all, > > So I just got a chance to work on this again. The fix for preventing users > being moved seems to work (will probably need to do more testing) but I > have set "Custom User Search Filter" to (memberOf=<group_dn>) and it is > still pulling users (contacts in this case) that are not members of the > designated group. Interestingly it doesnt pull *all* users that are not > members of the group - just some. > > I have tested the filter with ldapsearch and it seems to work fine. Am I > doing something incorrectly? > > Cheers, > Michael. > > On Tue, Sep 27, 2022 at 1:55 AM Andrea Patricelli < > andreapatrice...@apache.org> wrote: > >> Hi Michael, >> On 26/09/22 12:31, Michael Paxton wrote: >> >> Hi Andrea, >> >> Thanks for getting back to me. What we are trying to achieve (which may >> be a misuse of Syncope - please let me know) is to ensure that all objects >> in a directory (AD) (eg contacts) that are members of a designated group >> (eg "Sync Allowed") are pushed into a designated OU on all other >> participating directories. >> >> This is not a misuse, since Syncope is a provisioning engine, born also >> to perform such pull/push operations. >> >> >> The destination OU seems to be working but the group selection >> (implemented by adding the group DN to the Memberships configuration item) >> seems to work in some instances but not others. >> >> >> When you say "LDAP Filter for Retrieving Accounts" the only similar field >> I see is "Custom User Search Filter". Is this what you are referring to? I >> did try it earlier (using a memberof filter in version 2.1.11) with no >> success but will try again. >> >> Yes, on Active Directory connector the configuration parameter is the one >> you addressed. >> >> I have separated push and pull into separate connectors so that I can >> configure them separately - OU DNs, etc). Is this an error? should it be >> one connector with two resources (one for pull, one for push) with >> different connobjectlink? Could this be the cause of it moving an object >> from the source OU to the destination OU in the same directory? >> >> I do not think so, you can even use two different connectors with >> separate resources, what makes the difference is how you build the object >> sent to the destination Active Directory. >> >> Bear also in mind that if you perform an update on a specific user >> assigned to a specific resource (say source Active Directory) also a >> propagation will be triggered, this is why you find entries propagated to >> the source Active Directory. If you're not interested in propagating on the >> source, when configuring the pull task you should set pull mode >> FULL_RECONCILIATION and unmatching_rule: PROVISION: this way you'll get >> users on Syncope, but not assigned to the source Active Directory resource. >> >> >> I will check out the references you provided now - many thanks for that! >> >> I suppose one other question would be, is it possible to remove objects >> from Syncope (eg get rid of objects that shouldn't have been pulled)? I >> made the mistake of Deleting them and removing them from AD as well :) >> >> Yes, when deleting on Syncope, in order not to fire a DELETE propagation >> towards Active Directory, just UNLINK these users from the resource and >> delete or simply remove DELETE capability from Active Directory >> connector(s). >> >> >> Cheers, >> michael. >> >> HTH, >> Andrea >> >> >> >> >> >> >> On Mon, Sep 26, 2022 at 7:15 PM Andrea Patricelli < >> andreapatrice...@apache.org> wrote: >> >>> Hi Michael, >>> >>> On 25/09/22 12:23, Michael Paxton wrote: >>> > Hello all, >>> > >>> > I have a configuration where I have two directories (AD) and want to >>> > synchronise >>> > certain objects between them. >>> > >>> > I want to only synch objects that are members of SynchGroup >>> > >>> > I want to pull objects from SourceOU in each directory and to push >>> > objects to DestinationOU in each directory. This will keep local >>> > objects separated from synchronised objects >>> > >>> > To do this I have done the following: >>> > - created a connector for each directory dedicated to PULLing. This is >>> > configured to look at SourceOU and has Memberships set to the DN of >>> > SynchGroup >>> > - created a connector for each directory dedicated to PUSHing. This is >>> > configured to look at DestinationOU >>> > >>> > This works, in a fashion, but the following things are occurring: >>> > - It pulls (and then subsequently pushes) objects that aren't a member >>> > of SynchGroup >>> >>> In order to pull only specific users you can run a Filtered >>> reconciliation [1] or set a LDAP filter directly on the connector in the >>> "LDAP Filter for Retrieving Accounts" field. BTW for LDAP identity >>> stores, synchronize means "pulling only the latest changes" based on the >>> changelog, is this what you're looking for? >>> >>> > - It sporadically moves (i assume, by UPDATE?) local objects from >>> > SourceOU to DestinationOU in the same directory >>> >>> In order to make Syncope write an object in a specific LDAP subtree you >>> need to properly configure the mapping [2] and especially the >>> "connObjectLink", a configuration field used as rule to build the DN of >>> an entry by LDAP connectors. Please take a look at the shared doc and at >>> the playground env here [3] (ApacheDS connector and resource-ldap >>> resource). >>> >>> If you have to perform more complex computations while propagating, >>> consider to implement your own Propagation actions class [4] to "hack" >>> the attributes sent to the connector. >>> >>> > >>> > I am relatively new to Syncope. I initially configured the tasks with >>> > a highly conflicting schedule which may have causedrace conditions or >>> > other unusual behaviour but the issues seem to persist even after >>> > staggering the schedule more sensibly. >>> > >>> > Apologies if the above seems overly convoluted. Any advice would be >>> > greatly appreciated. >>> >>> Don't worry ;) >>> >>> Best regards, >>> Andrea >>> >>> > >>> > Cheers, >>> > Michael. >>> >>> [1] >>> >>> https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-pull >>> >>> [2] https://syncope.apache.org/docs/2.1/reference-guide.html#mapping >>> >>> [3] https://syncope-vm2.apache.org/syncope-console >>> >>> [4] >>> >>> https://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions >>> >>> -- >>> Andrea Patricelli >>> >>> Tirasa - Open Source Excellence >>> http://www.tirasa.net/ >>> >>> Member at The Apache Software Foundation >>> Syncope >>> >>> -- >> Andrea Patricelli >> >> Tirasa - Open Source Excellencehttp://www.tirasa.net/ >> >> Member at The Apache Software Foundation >> Syncope >> >>
