Re: Issue with synchronizing group membership from Syncope to LDAP

2023-04-07 Thread Francesco Chicchiriccò

Hi,
resurrecting this old thread to communicate that the requested feature is 
planned for Syncope 3.0.3:

https://issues.apache.org/jira/browse/SYNCOPE-1748

Regards.

On 20/01/22 12:54, Francesco Chicchiriccò wrote:


Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-20 Thread Francesco Chicchiriccò

Ah, here is why:

https://github.com/apache/syncope/blob/2_1_X/ext/scimv2/scim-rest-cxf/src/main/java/org/apache/syncope/ext/scimv2/cxf/service/GroupServiceImpl.java#L95

It seems the PATCH method was left intentionally not implemented.
As always, PRs welcome :-)

Regards.

On 20/01/22 12:49, fab...@fabln.ovh wrote:


Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-20 Thread fabien

I'm afraid no, can't see anything in other logs (regarding PATCH)

On 2022-01-20 11:37, Francesco Chicchiriccò wrote:


Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-20 Thread Francesco Chicchiriccò

On 20/01/22 12:36, fab...@fabln.ovh wrote:

hi Francesco,
It looks like the PATCH is not generating any logs 
(/var/log/apache-syncope/core.log doesn't show anything when I am using PATCH 
(via Curl or AAD)).

Is this not supported somehow? Or is there any parameter to modify?


Nothing in other Core log files, as core-rest.log, for example?


On 2022-01-20 06:56, Francesco Chicchiriccò wrote:


Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-20 Thread fabien

hi Francesco,


It looks like the PATCH is not generating any logs 
(/var/log/apache-syncope/core.log doesn't show anything when I am using 
PATCH (via Curl or AAD)).


Is this not supported somehow? Or is there any parameter to modify?


On 2022-01-20 06:56, Francesco Chicchiriccò wrote:


Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-19 Thread Francesco Chicchiriccò

On 19/01/22 16:07, fab...@fabln.ovh wrote:

Hi Francesco,
Yes, doing those 2 steps separately works. What also works is to run a USER 
Reconciliation; after this, any change to the group memberships (in the Syncope 
Interface) is populated to LDAP.
I have a last question: I am now testing the SCIM from Azure AD (ultimately I 
need to populate users/groups to LDAP from AAD (via SCIM to Syncope)).
Users and groups are created fine, but no memberships. I saw in the Syncope 
logs that AAD seems to create users and groups, and then try to PATCH the 
group to add the members, and I see a 501 error:

"PATCH /syncope/scim/v2/Groups/c4a04619-1b3e-41b9-a046-191b3e11b97f HTTP/1.1" 
501 -


When I try to reproduce this and PATCH with curl, I also get a similar error.

For example, trying to remove a member fails:
{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{
        "op": "Remove",
        "path": "members",
        "value": [{
            "$ref": null,
            "value": "1519e2f5-eadb-4216-99e2-f5eadb52163d"
        }]
    }]
}


Is there any parameter to set up in Syncope? Sorry, I could not find any 
documentation going through this process.


Honestly, I don't remember many real-case usages of the SCIM 2.0 extension, 
hence it is likely that the operation above is actually hitting some part of 
the code which was not thoroughly tested.

Could you please report as well the stacktrace you see in Syncope Core logs 
when performing the operation above?

Regards.


On 2022-01-18 13:59, Francesco Chicchiriccò wrote:

On 14/01/22 13:54, fab...@fabln.ovh wrote:

Thanks Francesco.
Please find more explanations:


Let me recap the flow:
1. users are created in Syncope (how? via SCIM?), with the LDAP resource 
assigned


I created the users here manually in Syncope (REALMs / Users)
For example:
local_user1
Auxiliary Classes: BaseGroup
Groups: none at this stage
surname: local_user5
external resources: my_resource_LDAP

I also tested creating the users via SCIM and then doing a "reconciliation" in 
the LDAP resource; that also works (users are added in LDAP).

after this step, the user local_user1 is synchronized and created in LDAP


2. group is created in Syncope via SCIM, with 2 members
first question: can you see the group membership in Syncope, for the 2 users 
created at step 1?


Yes, going to Realms / Group / local_user20, clicking on "members" /User, I can 
see the 2 members.




3. the Push Task is run

second question: is the Push Task configured for both users and groups?

yes



4. you can see both users and group on LDAP, but no members for the group

correct, at least initially (when users and groups are created)


5. you edit the 2 users in Syncope by adding group membership

yes


6. the Push Task is run again, with expected result

yes



I just realized something actually:
- I create users
- synchronize those users in LDAP
- I create a group with members
- synchronize this group in LDAP, the group is created in LDAP but no members 
are in it
- in Syncope, I then run a USER "reconciliation" in the LDAP resource, then the 
members are synchronized in the GROUP in LDAP.


Is this actually the way to do it?


The simplest way to accomplish what I think is your goal is:

1. create group and assign the LDAP resource to it
2. create user(s) with membership of such group

If you perform such two steps from Syncope Console (or via REST
through standard endpoints), and the LDAP resource is configured
correctly, you get the expected result: users in LDAP, group in LDAP,
with members set.

This works because by default Syncope works with what we call
"implicit provisioning": when you assign a Resource to a Group, the
Group itself and all members will be propagated to the Resource.

One important thing to remember about implicit provisioning is that it
works by type: when you create / update / delete a User, you will get
a User propagated to the Resource; e.g. you cannot create or update a
Group and have Users propagated to LDAP, at least without adding some
customizations around.

I think that, since you are updating a Group via SCIM endpoint by
assigning members, then propagation is not happening as expected in
the default flow.

HTH
Regards.


On 2022-01-14 07:22, Francesco Chicchiriccò wrote:

On 14/01/22 00:35, fab...@fabln.ovh wrote:

Hi,

I am running Syncope version 2.1.10. I am trying to synchronize groups 
membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP (openldap).

The problem I have is that when I create users and then groups with members in 
Syncope, the users and groups are created properly in LDAP but the group doesn't 
have the members.

If I edit the users in Syncope and add them to the group, then the group in 
LDAP is synchronized properly and contains the correct members.

Is it possible to synchronize from Syncope to LDAP group members from the group 
in Syncope, or do the users in Syncope need to contain the group list?


My configurati
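As an added illustration of the propagation-by-type rule Francesco explains above (this is not Syncope code: the `User`/`Group` classes, the `LdapStandIn`, the `Core` stand-in and the two flow functions are assumptions that encode only what the thread states, and the identifiers are constructed), the Python model below runs both orderings discussed in the thread, users first and then a group created with members versus group first and then users created with the membership, and adds a drift check that reports memberships the LDAP group is missing:

```python
# Added example (not Syncope code): a toy model of the "implicit provisioning by type"
# rule from the thread. User/Group/LdapStandIn/Core and the flow functions are assumptions
# that encode only what the thread states: a User change propagates that User (entry plus
# its memberships), a Group change propagates only the Group entry. Ids are constructed.
from dataclasses import dataclass, field

LDAP = "my_resource_LDAP"   # resource name used in the thread


@dataclass
class Group:
    key: str
    resources: set = field(default_factory=set)


@dataclass
class User:
    key: str
    memberships: set = field(default_factory=set)   # group keys
    resources: set = field(default_factory=set)     # resources assigned directly


class LdapStandIn:
    """The connector's view: user entries and group entries carrying a member list."""

    def __init__(self):
        self.users = set()
        self.groups = {}    # group key -> set of member user keys


def user_on_resource(user, groups):
    """A user reaches the resource directly or implicitly through a group that has it."""
    return LDAP in user.resources or any(LDAP in groups[g].resources for g in user.memberships)


def propagate_user(user, groups, ldap):
    """User propagation writes the entry and (re)writes that user's memberships."""
    if not user_on_resource(user, groups):
        return
    ldap.users.add(user.key)
    for members in ldap.groups.values():
        members.discard(user.key)                    # drop stale memberships first
    for g in user.memberships:
        if LDAP in groups[g].resources:
            ldap.groups.setdefault(g, set()).add(user.key)


def propagate_group(group, ldap):
    """Group propagation writes the group entry only: members belong to user propagations."""
    if LDAP in group.resources:
        ldap.groups.setdefault(group.key, set())


class Core:
    """Tiny stand-in for the identity store; each change propagates by the type it touches."""

    def __init__(self):
        self.users, self.groups, self.ldap = {}, {}, LdapStandIn()

    def create_user(self, key, resources=(), memberships=()):
        user = User(key, set(memberships), set(resources))
        self.users[key] = user
        propagate_user(user, self.groups, self.ldap)
        return user

    def create_group(self, key, resources=(), members=()):
        group = Group(key, set(resources))
        self.groups[key] = group
        for m in members:                            # what a SCIM group-with-members does
            self.users[m].memberships.add(key)
        propagate_group(group, self.ldap)            # by type: only the group goes out
        return group

    def reconcile_users(self):
        """The USER reconciliation the thread mentions: re-propagate every user."""
        for user in self.users.values():
            propagate_user(user, self.groups, self.ldap)


def scim_style_flow():
    """Users first, then a group created with members: the order the SCIM client used."""
    core = Core()
    core.create_user("local_user1", resources=[LDAP])
    core.create_user("local_user2", resources=[LDAP])
    core.create_group("local_group", resources=[LDAP], members=["local_user1", "local_user2"])
    return core


def recommended_flow():
    """Group with the resource first, then users created with the membership."""
    core = Core()
    core.create_group("local_group", resources=[LDAP])
    core.create_user("local_user1", memberships=["local_group"])
    core.create_user("local_user2", memberships=["local_group"])
    return core


def membership_drift(core):
    """Memberships held in the store that the LDAP group lacks: the gap worth monitoring."""
    missing = set()
    for user in core.users.values():
        for g in user.memberships:
            if LDAP in core.groups[g].resources and user.key not in core.ldap.groups.get(g, set()):
                missing.add((user.key, g))
    return missing


if __name__ == "__main__":
    core = scim_style_flow()
    print("SCIM order, before user reconciliation:", core.ldap.groups, membership_drift(core))
    core.reconcile_users()
    print("after user reconciliation:", core.ldap.groups)
    print("recommended order:", recommended_flow().ldap.groups)
```

In the SCIM-order flow the LDAP group exists but is empty until a USER reconciliation re-propagates the users, which is exactly what the thread observed; in the recommended order every user propagation carries its membership, so the group is populated as the users are created. The `membership_drift` check is the kind of assertion worth running after any bulk import, since a group that silently lacks members is an access-control gap that no error message reports.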

Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-19 Thread fabien

Hi Francesco,
Yes, doing those 2 steps separately works. What also works is to run a 
USER Reconciliation; after this, any change to the group memberships (in 
the Syncope Interface) is populated to LDAP.
I have a last question: I am now testing the SCIM from Azure AD 
(ultimately I need to populate users/groups to LDAP from AAD (via SCIM 
to Syncope)).
Users and groups are created fine, but no memberships. I saw in the 
Syncope logs that AAD seems to create users and groups, and then try 
to PATCH the group to add the members, and I see a 501 error:


"PATCH /syncope/scim/v2/Groups/c4a04619-1b3e-41b9-a046-191b3e11b97f 
HTTP/1.1" 501 -



When I try to reproduce this and PATCH with curl, I also get a similar 
error.


For example, trying to remove a member fails:
{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{
        "op": "Remove",
        "path": "members",
        "value": [{
            "$ref": null,
            "value": "1519e2f5-eadb-4216-99e2-f5eadb52163d"
        }]
    }]
}


Is there any parameter to set up in Syncope? Sorry, I could not find any 
documentation going through this process.



Regards,
Fabien


On 2022-01-18 13:59, Francesco Chicchiriccò wrote:

On 14/01/22 13:54, fab...@fabln.ovh wrote:

Thanks Francesco.
Please find more  explanations:


Let me recap the flow:
1. users are created in Syncope  (how? via SCIM?), with the LDAP 
resource assigned


 I created the users here manually in Syncope (REALMs / Users)
For example:
local_user1
Auxiliary Classes: BaseGroup
Groups: none at this stage
surname: local_user5
external resources: my_resource_LDAP

I also tested creating the users via SCIM, and then doing a 
"reconciliation" in the LDAP resource; that also works (users are 
added in LDAP).


after this step, the user local_user1 is synchronized and created in 
LDAP



2. group is created in Syncope via SCIM, with 2 members
first question: can you see the group membership in Syncope, for the 
2 users created at step 1?


Yes, going to Realms / Group / local_user20, clicking on "members" 
/User, I can see the 2 members.





3. the Push Task is run

second question: is the Push Task configured for both users and 
groups?

yes


4. you can see both users and group on LDAP, but no members for the 
group

correct, at least initially (when users and groups are created)


5. you edit the 2 users in Syncope by adding group membership

yes


6. the Push Task is run again, with expected result

yes



I just realized something actually:
- I create users
- synchronize those users in LDAP
- I create a group with members
- synchronize this group in LDAP, the group is created in LDAP but no 
members are in it
- in Syncope, I then run a USER "reconciliation" in the LDAP resource, 
then the members are synchronized in the GROUP in LDAP.



Is this actually the way to do it?


The simplest way to accomplish what I think is your goal is:

1. create group and assign the LDAP resource to it
2. create user(s) with membership of such group

If you perform such two steps from Syncope Console (or via REST
through standard endpoints), and the LDAP resource is configured
correctly, you get the expected result: users in LDAP, group in LDAP,
with members set.

This works because by default Syncope works with what we call
"implicit provisioning": when you assign a Resource to a Group, the
Group itself and all members will be propagated to the Resource.

One important thing to remember about implicit provisioning is that it
works by type: when you create / update / delete a User, you will get
a User propagated to the Resource; e.g. you cannot create or update a
Group and have Users propagated to LDAP, at least without adding some
customizations around.

I think that, since you are updating a Group via SCIM endpoint by
assigning members, then propagation is not happening as expected in
the default flow.

HTH
Regards.


On 2022-01-14 07:22, Francesco Chicchiriccò wrote:

On 14/01/22 00:35, fab...@fabln.ovh wrote:

Hi,

I am running Syncope version 2.1.10. I am trying to synchronize 
group membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP 
(openldap).


The problem I have is that when I create users and then groups with 
members in Syncope, the users and groups are created properly in 
LDAP but the group doesn't have the members.


If I edit the users in Syncope and add them to the group, then the 
group in LDAP is synchronized properly and contains the correct 
members.


Is it possible to synchronize from Syncope to LDAP group members 
from the group in Syncope, or do the users in Syncope need to 
contain the group list?



My configuration:

I created the users local_user1 and local_user2 in Syncope.

I have the file local_group20.json to create the group 
"local_group20" with the 2 members "local_user1" and "local_user2" 
via SCIM:


{
"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName":"local_group20",
    "externalId": "loca

Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-18 Thread Francesco Chicchiriccò

On 14/01/22 13:54, fab...@fabln.ovh wrote:

Thanks Francesco.
Please find more explanations:


Let me recap the flow:
1. users are created in Syncope (how? via SCIM?), with the LDAP resource 
assigned


I created the users here manually in Syncope (REALMs / Users)
For example:
local_user1
Auxiliary Classes: BaseGroup
Groups: none at this stage
surname: local_user5
external resources: my_resource_LDAP

I also tested creating the users via SCIM, and then doing a "reconciliation" in 
the LDAP resource; that also works (users are added in LDAP).

after this step, the user local_user1 is synchronized and created in LDAP


2. group is created in Syncope via SCIM, with 2 members
first question: can you see the group membership in Syncope, for the 2 users 
created at step 1?


Yes, going to Realms / Group / local_user20, clicking on "members" /User, I can 
see the 2 members.




3. the Push Task is run

second question: is the Push Task configured for both users and groups?

yes



4. you can see both users and group on LDAP, but no members for the group

correct, at least initially (when users and groups are created)


5. you edit the 2 users in Syncope by adding group membership

yes


6. the Push Task is run again, with expected result

yes



I just realized something actually:
- I create users
- synchronize those users in LDAP
- I create a group with members
- synchronize this group in LDAP, the group is created in LDAP but no members 
are in it
- in Syncope, I then run a USER "reconciliation" in the LDAP resource, then the 
members are synchronized in the GROUP in LDAP.


Is this actually the way to do it?


The simplest way to accomplish what I think is your goal is:

1. create group and assign the LDAP resource to it
2. create user(s) with membership of such group

If you perform such two steps from Syncope Console (or via REST through 
standard endpoints), and the LDAP resource is configured correctly, you get the 
expected result: users in LDAP, group in LDAP, with members set.

This works because by default Syncope works with what we call "implicit 
provisioning": when you assign a Resource to a Group, the Group itself and all 
members will be propagated to the Resource.

One important thing to remember about implicit provisioning is that it works by 
type: when you create / update / delete a User, you will get a User propagated 
to the Resource; e.g. you cannot create or update a Group and have Users 
propagated to LDAP, at least without adding some customizations around.

I think that, since you are updating a Group via SCIM endpoint by assigning 
members, then propagation is not happening as expected in the default flow.

HTH
Regards.


On 2022-01-14 07:22, Francesco Chicchiriccò wrote:

On 14/01/22 00:35, fab...@fabln.ovh wrote:

Hi,

I am running Syncope version 2.1.10. I am trying to synchronize group 
membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP (openldap).

The problem I have is that when I create users and then groups with members in 
Syncope, the users and groups are created properly in LDAP but the group doesn't 
have the members.

If I edit the users in Syncope and add them to the group, then the group in 
LDAP is synchronized properly and contains the correct members.

Is it possible to synchronize from Syncope to LDAP group members from the group 
in Syncope, or do the users in Syncope need to contain the group list?


My configuration:

I created the users local_user1 and local_user2 in Syncope.

I have the file local_group20.json to create the group "local_group20" with the 2 members 
"local_user1" and "local_user2" via SCIM:

{
    "schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName":"local_group20",
    "externalId": "local_group20",
    "members":[{
        "value":"d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa",
        "display":"local_user1"
    },{
        "value":"2366d4ee-700e-4578-a6d4-ee700e05787c",
        "display":"local_user2"
    }
    ]
}

I create the groups with the members in SYNCOPE via SCIM:

$ curl -k -vX POST -H "Accept: application/scim+json" -H "Content-Type: 
application/scim+json" -H "Authorization: Bearer $TOKEN" -d @local_group20.json 
http://localhost:18080/syncope/scim/v2/Groups

I can see the group "local_group20" is created fine in Syncope, with the 2 
members in it.

I have an LDAP connector in Syncope, with a propagation action 
"LDAPMembershipPropagationActions" and a PUSH task (note: there are no actions 
available in the PUSH task).

When I run the PUSH task, the group is created in LDAP but without the members 
local_user1 and local_user2.

If I edit the users local_user1 and local_user2 in Syncope, and add them to the group 
"local_group20" and run the PUSH task again, they appear in the LDAP group 
members.


Any idea?

Hi Fabien,
it seems you went pretty far with your use case above: e.g. to use
Syncope to provision users, groups and memberships via SCIM2 to LDAP.

Let me recap the
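Francesco's explanation above comes down to one invariant: after a push, the LDAP group's member list should equal the membership Syncope holds for that group. The following is an added example (it is not code from this thread or from Apache Syncope) that checks that invariant offline: it takes the SCIM Group body posted earlier in the thread and an LDAP group entry in LDIF form (the LDIF is constructed here, and the `ou=people` base DN and the `uid=<username>` RDN convention are assumptions; adapt them to your own LDAP mapping) and reports members that Syncope expects but LDAP lacks, and members LDAP has that Syncope does not know about. Run regularly, that turns the "group pushed but empty" symptom into something you detect rather than discover by hand.

```python
"""Membership drift check between a Syncope (SCIM) group and its LDAP copy.

Added example, not part of the thread or of Apache Syncope. The LDAP people
base DN and the uid=<username> RDN convention are assumptions.
"""
import base64
import json
from typing import Dict, List, Set

# Constructed sample: the SCIM Group body that was POSTed to
# /syncope/scim/v2/Groups in the thread ("value" is the Syncope user key,
# "display" the username).
SCIM_GROUP_JSON = """{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "local_group20",
  "externalId": "local_group20",
  "members": [
    {"value": "d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa", "display": "local_user1"},
    {"value": "2366d4ee-700e-4578-a6d4-ee700e05787c", "display": "local_user2"}
  ]
}"""

# Constructed sample LDIF (what `ldapsearch -LLL` would print for the group):
# the group was pushed, but only one of the two members is present.
LDAP_GROUP_LDIF = """dn: cn=local_group20,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: local_group20
member: uid=local_user1,ou=people,dc=example,dc=org
"""

PEOPLE_BASE = "ou=people,dc=example,dc=org"   # hypothetical users container


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Handles folded continuation lines (leading space) and base64 values
    ("attr:: ..."). Comments and blank lines are ignored.
    """
    logical: List[str] = []
    for raw in ldif.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:     # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def normalize_dn(dn: str) -> str:
    """Case-fold a DN and drop whitespace around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def expected_member_dns(scim_group: dict, people_base: str) -> Set[str]:
    """DNs the LDAP group should list: one uid=<username> entry per SCIM member.

    The uid=<display>,<people_base> mapping is an assumption about how the
    LDAP resource maps Syncope usernames; adjust it to your own mapping.
    """
    return {normalize_dn(f"uid={m['display']},{people_base}")
            for m in scim_group.get("members", [])}


def membership_drift(scim_group_json: str, ldif: str,
                     people_base: str) -> Dict[str, Set[str]]:
    """Compare Syncope's view of the group with the LDAP entry.

    Returns the member DNs missing from LDAP (access not granted) and the DNs
    present in LDAP that Syncope does not know about (access not accounted for).
    """
    scim_group = json.loads(scim_group_json)
    entry = parse_ldif_entry(ldif)
    expected = expected_member_dns(scim_group, people_base)
    actual = {normalize_dn(dn) for dn in entry.get("member", [])}
    return {"missing": expected - actual, "unexpected": actual - expected}


if __name__ == "__main__":
    drift = membership_drift(SCIM_GROUP_JSON, LDAP_GROUP_LDIF, PEOPLE_BASE)
    for kind, dns in drift.items():
        for dn in sorted(dns):
            print(f"{kind}: {dn}")
```

With the constructed input, the check reports `uid=local_user2,ou=people,dc=example,dc=org` as missing and nothing unexpected. In practice you would feed it the output of a SCIM `GET /Groups/{id}` and an `ldapsearch` of the group; the "unexpected" set is the one to watch from an access-control point of view, since it is membership that exists in LDAP without a record in the identity manager.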

Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-14 Thread fabien

Thanks Francesco.
Please find more explanations:


Let me recap the flow:
1. users are created in Syncope (how? via SCIM?), with the LDAP 
resource assigned


I created the users here manually in Syncope (REALMs / Users)
For example:
local_user1
Auxiliary Classes: BaseGroup
Groups: none at this stage
surname: local_user5
external resources: my_resource_LDAP

I also tested creating the users via SCIM, and then doing a 
"reconciliation" in the LDAP resource; that also works (users are added 
in LDAP).


after this step, the user local_user1 is synchronized and created in 
LDAP



2. group is created in Syncope via SCIM, with 2 members
first question: can you see the group membership in Syncope, for the 2 
users created at step 1?


Yes, going to Realms / Group / local_user20, clicking on "members" 
/User, I can see the 2 members.





3. the Push Task is run

second question: is the Push Task configured for both users and groups?

yes


4. you can see both users and group on LDAP, but no members for the 
group

correct, at least initially (when users and groups are created)


5. you edit the 2 users in Syncope by adding group membership

yes


6. the Push Task is run again, with expected result

yes



I just realized something actually:
- I create users
- synchronize those users in LDAP
- I create a group with members
- synchronize this group in LDAP, the group is created in LDAP but no 
members are in it
- in Syncope, I then run a USER "reconciliation" in the LDAP resource, 
then the members are synchronized in the GROUP in LDAP.



Is this actually the way to do it?


Regards,
Fabien





On 2022-01-14 07:22, Francesco Chicchiriccò wrote:

On 14/01/22 00:35, fab...@fabln.ovh wrote:

Hi,

I am running Syncope version 2.1.10. I am trying to synchronize group 
membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP 
(openldap).


The problem I have is that when I create users and then groups with 
members in Syncope, the users and groups are created properly in LDAP 
but the group doesn't have the members.


If I edit the users in Syncope and add them to the group, then the 
group in LDAP is synchronized properly and contains the correct 
members.


Is it possible to synchronize from Syncope to LDAP group members from 
the group in Syncope, or do the users in Syncope need to contain the 
group list?



My configuration:

I created the users local_user1 and local_user2 in Syncope.

I have the file local_group20.json to create the group "local_group20" 
with the 2 members "local_user1" and "local_user2" via SCIM:


{
    "schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName":"local_group20",
    "externalId": "local_group20",
    "members":[{
   "value":"d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa",
   "display":"local_user1"
    },{
   "value":"2366d4ee-700e-4578-a6d4-ee700e05787c",
   "display":"local_user2"
    }
    ]
}

I create the groups with the members in SYNCOPE via SCIM:

$ curl -k -vX POST -H "Accept: application/scim+json" -H 
"Content-Type: application/scim+json" -H "Authorization: Bearer 
$TOKEN" -d @local_group20.json 
http://localhost:18080/syncope/scim/v2/Groups


I can see the group "local_group20" is created fine in Syncope, with 
the 2 members in it.


I have an LDAP connector in Syncope, with a propagation action 
"LDAPMembershipPropagationActions" and a PUSH task (note: there are no 
actions available in the PUSH task).


When I run the PUSH task, the group is created in LDAP but without the 
members local_user1 and local_user2.


If I edit the users local_user1 and local_user2 in Syncope, and add 
them to the group "local_group20" and run the PUSH task again, they 
appear in the LDAP group members.



Any idea?

Hi Fabien,
it seems you went pretty far with your use case above: e.g. to use
Syncope to provision users, groups and memberships via SCIM2 to LDAP.

Let me recap the flow:

1. users are created in Syncope (how? via SCIM?), with the LDAP
resource assigned
2. group is created in Syncope via SCIM, with 2 members

first question: can you see the group membership in Syncope, for the 2
users created at step 1?

3. the Push Task is run

second question: is the Push Task configured for both users and groups?

4. you can see both users and group on LDAP, but no members for the 
group

5. you edit the 2 users in Syncope by adding group membership
6. the Push Task is run again, with expected result

Is all above correct? Can you provide answers?
Regards.


Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-13 Thread Francesco Chicchiriccò

On 14/01/22 00:35, fab...@fabln.ovh wrote:

Hi,

I am running Syncope version 2.1.10. I am trying to synchronize group 
membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP (openldap).

The problem I have is that when I create users and then groups with members in 
Syncope, the users and groups are created properly in LDAP but the group doesn't 
have the members.

If I edit the users in Syncope and add them to the group, then the group in 
LDAP is synchronized properly and contains the correct members.

Is it possible to synchronize from Syncope to LDAP group members from the group 
in Syncope, or do the users in Syncope need to contain the group list?


My configuration:

I created the users local_user1 and local_user2 in Syncope.

I have the file local_group20.json to create the group "local_group20" with the 2 members 
"local_user1" and "local_user2" via SCIM:

{
    "schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName":"local_group20",
    "externalId": "local_group20",
    "members":[{
   "value":"d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa",
   "display":"local_user1"
    },{
   "value":"2366d4ee-700e-4578-a6d4-ee700e05787c",
   "display":"local_user2"
    }
    ]
}

I create the groups with the members in SYNCOPE via SCIM:

$ curl -k -vX POST -H "Accept: application/scim+json" -H "Content-Type: 
application/scim+json" -H "Authorization: Bearer $TOKEN" -d @local_group20.json 
http://localhost:18080/syncope/scim/v2/Groups

I can see the group "local_group20" is created fine in Syncope, with the 2 
members in it.

I have an LDAP connector in Syncope, with a propagation action 
"LDAPMembershipPropagationActions" and a PUSH task (note: there are no actions 
available in the PUSH task).

When I run the PUSH task, the group is created in LDAP but without the members 
local_user1 and local_user2.

If I edit the users local_user1 and local_user2 in Syncope, and add them to the group 
"local_group20" and run the PUSH task again, they appear in the LDAP group 
members.


Any idea?

Hi Fabien,
it seems you went pretty far with your use case above: e.g. to use Syncope to 
provision users, groups and memberships via SCIM2 to LDAP.

Let me recap the flow:

1. users are created in Syncope (how? via SCIM?), with the LDAP resource 
assigned
2. group is created in Syncope via SCIM, with 2 members

first question: can you see the group membership in Syncope, for the 2 users 
created at step 1?

3. the Push Task is run

second question: is the Push Task configured for both users and groups?

4. you can see both users and group on LDAP, but no members for the group
5. you edit the 2 users in Syncope by adding group membership
6. the Push Task is run again, with expected result

Is all above correct? Can you provide answers?
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Issue with synchronizing group membership from Syncope to LDAP

2022-01-13 Thread fabien

Hi,

I am running Syncope version 2.1.10. I am trying to synchronize group 
membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP (openldap).


The problem I have is that when I create users and then groups with 
members in Syncope, the users and groups are created properly in LDAP 
but the group doesn't have the members.


If I edit the users in Syncope and add them to the group, then the group 
in LDAP is synchronized properly and contains the correct members.


Is it possible to synchronize from Syncope to LDAP group members from 
the group in Syncope, or do the users in Syncope need to contain the 
group list?



My configuration:

I created the users local_user1 and local_user2 in Syncope.

I have the file local_group20.json to create the group "local_group20" 
with the 2 members "local_user1" and "local_user2" via SCIM:


{
    "schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName":"local_group20",
    "externalId": "local_group20",
    "members":[{
        "value":"d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa",
        "display":"local_user1"
    },{
        "value":"2366d4ee-700e-4578-a6d4-ee700e05787c",
        "display":"local_user2"
    }
    ]
}

I create the groups with the members in SYNCOPE via SCIM:

$ curl -k -vX POST -H "Accept: application/scim+json" -H "Content-Type: 
application/scim+json" -H "Authorization: Bearer $TOKEN" -d 
@local_group20.json http://localhost:18080/syncope/scim/v2/Groups


I can see the group "local_group20" is created fine in Syncope, with the 
2 members in it.


I have an LDAP connector in Syncope, with a propagation action 
"LDAPMembershipPropagationActions" and a PUSH task (note: there are no 
actions available in the PUSH task).


When I run the PUSH task, the group is created in LDAP but without the 
members local_user1 and local_user2.


If I edit the users local_user1 and local_user2 in Syncope, and add them 
to the group "local_group20" and run the PUSH task again, they appear in 
the LDAP group members.



Any idea?

Many Thanks,
Fabien