On 05/03/2015 05:41, Alan D. Cabrera wrote:
On 03/03/2015 23:03, Alan D. Cabrera wrote:
So, I’m working on using Syncope to wrap all the disparate data that needs to
be managed at ASF. Where should I start? I’m thinking LDAP, podlings.xml, and
committers.txt. Thoughts?
Wow, this is worth a new thread actually!
First of all, you shouldn't need to build Syncope from source but create your
own project as explained in [4].
Then, as in any IdM project you need to identify:
1. the resources you want to deal with (LDAP, podlings.xml, and committers.txt
as you suggest above)
1.1 does a connector exist for all identified resources?
LDAP : yes (I’m pretty sure)
podlings.xml: no, I have to write one
committers.txt: no, I have to write one
It would be much easier if you could actually avoid writing new
connectors and empower - by providing your own scripts - the CMD
connector [8].
1.2 are there authoritative resources?
Yes
"Authoritative" in this context means that, after the initial load, when
the IdM system is fully operational, a change occurring on the
authoritative resource(s) needs to be propagated to all other resources,
possibly overwriting the mapped values.
Example: changing e-mail address in LDAP (via ldapmodify, for example)
will cause Syncope to overwrite the e-mail address on committers.txt.
Generally speaking, one should possibly have as few authoritative
resources as possible, because they induce a non-standard data flow:
normally data should be managed via Syncope (in the sample above, one
should change the e-mail address in Syncope - either via admin console
or REST, not via ldapmodify).
Anyway, authoritative resources are supported.
2. the data flows, for each resource against Syncope:
2.1 do you want to deal with users only? or do you also need to take into
account groups / roles?
all of the above
2.2 will Syncope be only reading / only writing / reading & writing from that
particular resource?
reading and writing. Think about what it takes to add a podling to the
incubator:
podlings.xml needs to be updated w/ podling, mentors
committers.txt needs to be updated
svn/git need to be provisioned
jira needs to be provisioned
etc.
Agree, but shouldn't this mean that you are writing to all connected
resources (after the initial load for which you have all user and role
data in Syncope)?
BTW, how is the SVN / GIT / JIRA provisioning working? Don't you need to
define additional resources?
3. the attribute schema to define in Syncope and the attribute mapping for each resource
(how does the "givenName" LDAP attribute relate to the corresponding attribute(s) on
other resource(s)?)
That, I’m going to have to do. Does Syncope require a complete mapping or can
I incrementally add stuff as processes are discovered?
You can naturally proceed incrementally.
In particular regarding connectors:
* for LDAP we rely on the well-established LDAP connector [5] but it would be
anyway useful to be aware of the actual technology: OpenLDAP? ApacheDS? other?
* for podlings.xml and committers.txt there might be the need to build custom
connectors from scratch, unless
** you are able to report data to CSV [6] / other XML format [7] or
** you provide some (bash?) scripts to manipulate such files and empower the
CMD connector [8] (suggested)
Regards.
[1] https://travis-ci.org/apache/syncope/builds/52704980
[2] https://travis-ci.org/apache/syncope/builds/52896946
[3] https://paste.apache.org/0slX
[4] https://cwiki.apache.org/confluence/display/SYNCOPE/Create+a+new+Syncope+project
[5] https://github.com/Tirasa/ConnIdLDAPBundle
[6] https://github.com/Tirasa/ConnIdCSVDirBundle
[7] http://openicf.forgerock.org/connectors/index.html#XML_File_Connector
[8] https://github.com/Tirasa/ConnIdCMDBundle
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/