On 12/06/2013 11:06, Fabio Martelli wrote:
On 12/06/2013 10:45, Nik wrote:
Cheers Fabio,
I have not enabled "synchronization" (by using my ldap changelog)
because I believed reconciliation took care of making ALL changes
from the target DB (ldap) to my syncope DB. If what you say is
correct, if I delete an object directly in ldap, then after a full
reconciliation task executes subsequently the delete(d) object(s) is
not deleted from the syncope DB, but the link to the ldap account is?
Hence, all ldap modifications of type DELETE are not reflected in
syncope unless you use the synchronization method with a changelog?
Exactly, no changes will be reflected on syncope in case of a delete
operation.
... but ... this topic can suggest an improvement on syncope: maybe we
can implement a full reconciliation from syncope towards a certain
resource.
In this case we could implement several different/configurable
behaviors in case of unmatching (user found on syncope but not on the
resource):
* ignore;
* unlink the resource (keep user on syncope and remove resource link)
* create (create user on resource)
* remove (remove user on syncope)
I will propose this issue on jira asap.
The issue is https://issues.apache.org/jira/browse/SYNCOPE-392
So, I can suggest to you three different options:
1. activate the changelog;
2. implement your own generic task to perform what is described above;
3. take care of the issue I'm going to open.
I'm guessing the only way you can synchronize deletes at the moment is
because the changelog is the only way syncope can know about them
explicitly and efficiently.
Another way you could work out what was deleted (between full
recons) is the delta between the syncope entries with ldap account
links (before the full recon) and those after the full recon, which
don't show these links anymore as valid, and then remove these entries
from the syncope db.
Maybe, but I prefer a second full recon, from syncope to the resource.
Perhaps we can still have the option to activate/deactivate
create/update/delete triggering (like done for sync from resource to
sync).
Regards,
F.
rgds,
Nik
On 11/06/2013 17:47, Nik wrote:
Hi Guys,
I have recently seen a comment on this alias that reconciliation
doesn't take care of deletions.
I would like to have a clear idea of what this means.
Does it mean: if I delete an ldap object (e.g. user) from my ldap
resource by ldap delete, this deletion would not be reconciled back
to syncope?
Reading such comments confuses me, because if I delete an object
in syncope and this object is linked by an ldap connector resource
to ldap, the deletion via the ldap resource should be propagated to
the ldap backend; in such a case, reconciliation of the deletion is
meaningless, since syncope and ldap remain synchronized.
Hi Nik,
* reconciliation reconciles create/update/delete operations
* full reconciliation reconciles create/update (it is just an
exhaustive user search/read).
Use full reconciliation at pre-loading time or if and only if the
target resource doesn't provide a changelog feature; use
sync/reconciliation otherwise.
Best regards,
F.
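
The Syncope-to-resource full reconciliation proposed in this thread, with its four unmatching behaviours, sketched as an added example (not code from the thread or from Apache Syncope). The data model, `UnmatchingRule` and `reconcile_towards_resource` are hypothetical names and the sample data is constructed.

```python
from enum import Enum


class UnmatchingRule(Enum):
    """The four behaviours proposed in the thread for a user found on
    Syncope but not on the resource."""
    IGNORE = "ignore"
    UNLINK = "unlink"   # keep user on Syncope, remove resource link
    CREATE = "create"   # create user on resource
    REMOVE = "remove"   # remove user on Syncope


def reconcile_towards_resource(idm_users, resource_accounts, resource, rule):
    """Compare Syncope-side links with what the resource actually holds.

    idm_users: dict of username -> set of linked resource names (assumed model)
    resource_accounts: set of usernames read from the resource by a full search
    Returns (new_idm_users, new_resource_accounts, audit); inputs are untouched.
    """
    new_idm = {u: set(links) for u, links in idm_users.items()}
    new_res = set(resource_accounts)
    audit = []
    linked = {u for u, links in idm_users.items() if resource in links}
    for user in sorted(linked - resource_accounts):  # link with no account behind it
        if rule is UnmatchingRule.UNLINK:
            new_idm[user].discard(resource)
        elif rule is UnmatchingRule.CREATE:
            new_res.add(user)
        elif rule is UnmatchingRule.REMOVE:
            del new_idm[user]
        audit.append((user, rule.value))  # every unmatched user is recorded
    return new_idm, new_res, audit


# Constructed sample data: "carol" was deleted directly on the LDAP side.
SYNCOPE_USERS = {"alice": {"ldap"}, "bob": {"ldap", "db"},
                 "carol": {"ldap"}, "dave": {"db"}}
LDAP_ACCOUNTS = {"alice", "bob"}

if __name__ == "__main__":
    for rule in UnmatchingRule:
        idm, res, audit = reconcile_towards_resource(
            SYNCOPE_USERS, LDAP_ACCOUNTS, "ldap", rule)
        print(rule.value, sorted(idm), sorted(res), audit)
```

Even with the ignore rule the audit list names the unmatched user, so a stale link left behind by a direct LDAP delete is at least visible to whoever reviews the run.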