On 14/01/22 13:54, fab...@fabln.ovh wrote:
> Thanks Francesco.
> Please find more explanations:
>> Let me recap the flow:
>> 1. users are created in Syncope (how? via SCIM?), with the LDAP resource
>> assigned
> I created the users here manually in Syncope (REALMs / Users)
> For example:
> local_user1
> Auxiliary Classes: BaseGroup
> Groups: none at this stage
> surname: local_user5
> external resources: my_resource_LDAP
> I also tested creating the users via SCIM, and then doing a "reconciliation" in
> the LDAP resource, that also works (users are added in LDAP).
> after this step, the user local_user1 is synchronized and created in LDAP
>> 2. group is created in Syncope via SCIM, with 2 members
>> first question: can you see the group membership in Syncope, for the 2 users
>> created at step 1?
> Yes, going to Realms / Group / local_user20, clicking on "members" / User, I can
> see the 2 members.
>> 3. the Push Task is run
>> second question: is the Push Task configured for both users and groups?
> yes
>> 4. you can see both users and group on LDAP, but no members for the group
> correct, at least initially (when users and groups are created)
>> 5. you edit the 2 users in Syncope by adding group membership
> yes
>> 6. the Push Task is run again, with expected result
> yes
> I just realized something actually:
> - I create users
> - synchronize those users in LDAP
> - I create a group with members
> - synchronize this group in LDAP, the group is created in LDAP but no members
> are in it
> - in Syncope, I then run a USER "reconciliation" in the LDAP resource, then the
> members are synchronized in the GROUP in LDAP.
> Is this actually the way to do it?
The simplest way to accomplish what I think is your goal is:
1. create group and assign the LDAP resource to it
2. create user(s) with membership of such group
If you perform such two steps from Syncope Console (or via REST through
standard endpoints), and the LDAP resource is configured correctly, you get the
expected result: users in LDAP, group in LDAP, with members set.
This works because by default Syncope works with what we call "implicit
provisioning": when you assign a Resource to a Group, the Group itself and all
members will be propagated to the Resource.
One important thing to remember about implicit provisioning is that it works by
type: when you create / update / delete a User, you will get a User propagated
to the Resource; e.g. you cannot create or update a Group and have Users
propagated to LDAP, at least without adding some customizations around.
I think that, since you are updating a Group via SCIM endpoint by assigning
members, then propagation is not happening as expected in the default flow.
HTH
Regards.
> On 2022-01-14 07:22, Francesco Chicchiriccò wrote:
>> On 14/01/22 00:35, fab...@fabln.ovh wrote:
>>> Hi,
>>> I am running Syncope version 2.1.10. I am trying to synchronize groups
>>> membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP (openldap).
>>> The problem I have is that when I create users and then groups with members in
>>> Syncope, the users and groups are created properly in LDAP but the group doesn't
>>> have the members.
>>> If I edit the users in Syncope and add them to the group, then the group in
>>> LDAP is synchronized properly and contains the correct members.
>>> Is it possible to synchronize from Syncope to LDAP group members from the group
>>> in Syncope, or do the users in Syncope need to contain the group list?
>>> My configuration:
>>> I created the users local_user1 and local_user2 in Syncope.
>>> I have the file local_group20.json to create the group "local_group20" with the 2 members
>>> "local_user1" and "local_user2" via SCIM:
>>> {
>>>   "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
>>>   "displayName": "local_group20",
>>>   "externalId": "local_group20",
>>>   "members": [
>>>     {
>>>       "value": "d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa",
>>>       "display": "local_user1"
>>>     },
>>>     {
>>>       "value": "2366d4ee-700e-4578-a6d4-ee700e05787c",
>>>       "display": "local_user2"
>>>     }
>>>   ]
>>> }
>>> I create the groups with the members in SYNCOPE via SCIM:
>>> $ curl -k -vX POST -H "Accept: application/scim+json" \
>>>     -H "Content-Type: application/scim+json" \
>>>     -H "Authorization: Bearer $TOKEN" \
>>>     -d @local_group20.json \
>>>     http://localhost:18080/syncope/scim/v2/Groups
>>> I can see the group "local_group20" is created fine in Syncope, with the 2
>>> members in it.
>>> I have an LDAP connector in Syncope, with a propagation action
>>> "LDAPMembershipPropagationActions" and a PUSH task (note: there are no actions
>>> available in the PUSH task).
>>> When I run the PUSH task, the group is created in LDAP but without the members
>>> local_user1 and local_user2.
>>> If I edit the users local_user1 and local_user2 in Syncope, and add them to the group
>>> "local_group20" and run the PUSH task again, they appear in the LDAP group
>>> members.
>>> Any idea?
>> Hi Fabien,
>> it seems you went pretty far with your use case above: e.g. to use
>> Syncope to provision users, groups and memberships via SCIM2 to LDAP.
>> Let me recap the flow:
>> 1. users are created in Syncope (how? via SCIM?), with the LDAP
>> resource assigned
>> 2. group is created in Syncope via SCIM, with 2 members
>> first question: can you see the group membership in Syncope, for the 2
>> users created at step 1?
>> 3. the Push Task is run
>> second question: is the Push Task configured for both users and groups?
>> 4. you can see both users and group on LDAP, but no members for the group
>> 5. you edit the 2 users in Syncope by adding group membership
>> 6. the Push Task is run again, with expected result
>> Is all above correct? Can you provide answers?
>> Regards.
>> --
>> Francesco Chicchiriccò
>> Tirasa - Open Source Excellence
>> http://www.tirasa.net/
>> Member at The Apache Software Foundation
>> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
>> http://home.apache.org/~ilgrosso/
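As an added example (not code from this thread or from the Syncope project), here is the ordering Francesco recommends above, done against the Syncope REST API instead of the Console: the group is created first with the LDAP resource assigned, then each user is created with the membership already set, so implicit provisioning pushes the user to LDAP as a group member in the same create. Afterwards the users are read back by group with a FIQL `$groups==` search. The REST base URL, the admin credentials, the realm `/`, the `GroupTO`/`UserTO` JSON shapes and the `$groups` search attribute are my assumptions from the Syncope 2.1 reference documentation as I recall it (only the resource name `my_resource_LDAP` comes from the thread); check them against your deployment. The HTTP transport is injectable so the call order can be verified offline.

```python
"""Provision an LDAP-backed group and its members in the order that
Syncope's implicit provisioning expects: group (owning the resource)
first, then users created with memberships pointing at that group.

Assumptions (not from the thread): Syncope 2.1 REST base URL, admin
credentials, realm "/", and the GroupTO/UserTO JSON shapes below.
"""
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:18080/syncope/rest"  # assumed; adjust to your core
LDAP_RESOURCE = "my_resource_LDAP"                # resource name used in the thread


def urllib_transport(method, url, payload, headers):
    """Default transport: real HTTP via urllib. Swap in a fake for offline tests."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        body = resp.read().decode()
        return json.loads(body) if body else None


class SyncopeClient:
    def __init__(self, base_url=BASE_URL, user="admin", password="password",
                 transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {
            "Authorization": f"Basic {token}",   # assumed: HTTP Basic on the admin user
            "Content-Type": "application/json",
            "Accept": "application/json",
        }
        self.transport = transport

    def _call(self, method, path, payload=None):
        return self.transport(method, self.base_url + path, payload, self.headers)

    def create_group(self, name, resources, realm="/"):
        """Step 1: the group carries the LDAP resource, not the users."""
        group_to = {
            "@class": "org.apache.syncope.common.lib.to.GroupTO",  # assumed shape
            "realm": realm,
            "name": name,
            "resources": list(resources),
        }
        # POST /groups answers with a ProvisioningResult; "entity" is the stored GroupTO
        return self._call("POST", "/groups", group_to)["entity"]

    def create_user(self, username, password, group_key, group_name, realm="/"):
        """Step 2: membership is part of the create, so one user propagation
        reaches LDAP with the group membership already known."""
        user_to = {
            "@class": "org.apache.syncope.common.lib.to.UserTO",  # assumed shape
            "realm": realm,
            "username": username,
            "password": password,
            "plainAttrs": [{"schema": "surname", "values": [username]}],
            "memberships": [{"groupKey": group_key, "groupName": group_name}],
            # no "resources" here: the user inherits my_resource_LDAP via the group
        }
        return self._call("POST", "/users?storePassword=true", user_to)["entity"]

    def users_in_group(self, group_name):
        """Read back the membership as Syncope sees it (assumed $groups FIQL attribute)."""
        fiql = urllib.parse.quote(f"$groups=={group_name}", safe="")
        page = self._call("GET", f"/users?fiql={fiql}") or {}
        return sorted(u["username"] for u in page.get("result", []))


def provision(client, group_name, usernames, password):
    """Group first, then members; returns the group key and the created usernames."""
    group = client.create_group(group_name, [LDAP_RESOURCE])
    created = [client.create_user(u, password, group["key"], group_name)
               for u in usernames]
    return group["key"], [u["username"] for u in created]


if __name__ == "__main__":
    c = SyncopeClient()
    key, users = provision(c, "local_group20", ["local_user1", "local_user2"], "Password123")
    print("group", key, "members:", c.users_in_group("local_group20"))
```

After the run, a Push Task is not needed for the memberships: the group and the two user creates are propagated to the LDAP resource immediately. An `ldapsearch` for the group entry's member attribute on the OpenLDAP side is the final check.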