Re: openJDK 17 compatibility

2024-04-18 Thread Francesco Chicchiriccò
itGC 
-Djava.security.egd=file:/dev/./urandom
and permission 755
then I've copied the war files:
./wa/target/syncope-wa.war
./core/target/syncope.war
./console/target/syncope-console.war
./enduser/target/syncope-enduser.war
into
apache-tomcat-9.0.87/webapps
After launching bin/startup.sh the applications don't start at all (I suppose 
because core is unable to start)

If I build the embedded version, everything works perfectly


Glad to hear that embedded is working as expected.

Consider that deploying into an external Java EE container is all but trivial 
task and can be failing for multiple reasons, including networking issues, 
missing JDBC driver etc.


---
I'm sorry for the long post; I've included everything just in case there was 
something to review in the documentation
However, I suppose I'm doing something wrong; about the maven installation, is 
there a step by step guide that permits
a fully working syncope version ?
Or is there any suggestion on what I should fix on my installation procedure ?
Thank you
Marco

On Thu, 11 Apr 2024 at 14:26, Francesco Chicchiriccò wrote:

On 11/04/24 14:12, Marco Naimoli wrote:
> Hello, I'm new to Apache Syncope; I've tried to test it using the standalone installation on a
> vanilla debian linux bookworm, using openJDK 17.0.10
> It seems to work, but when I try to import a SAML IDP metadata it fails with the following error:
> InvalidEntity: Location must not be null
> Metadata are ok: using the embedded version built with maven, metadata are imported without problems.
> Clicking on the button to download the SP metadata doesn't do anything
> And the wa.log (don't know if it can be related) is full of the following error:
>
> ERROR org.springframework.scheduling.support.TaskUtils$LoggingErrorHandler - Unexpected error occurred in scheduled task
> java.lang.IllegalStateException: Syncope core is not yet ready
>
> I'm not sure, but I remember that the error "Location must not be null" was shown during some other operation, different from SAML configuration
>
> Any suggestions / help ?

Hi Marco,
glad of your interest in Apache Syncope.

About JDK 17 compatibility, we have active GitHub Actions workflows on 
the 3_0_X branch (supposing you are running the latest stable 3.0.6).
Moreover, my company is running several Syncope deployments on various 
flavors of OpenJDK 17.

As far as I understand, all works as expected when you use the standalone 
ZIP but it fails when you deploy Syncope somewhere else.

As suggested by the Getting Started guide [1], however you should be using 
the Maven archetype for an independent deployment, or the Docker images; there 
are further options, too, but it really depends on how much you are planning to 
customize or extend.

Can you describe how you got to deploy Syncope, including which 
components, which DBMS, which Java EE container, ... ?

Regards.

[1] 
https://syncope.apache.org/docs/3.0/getting-started.html#obtain-apache-syncope

-- 
Francesco Chicchiriccò


Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Propagation failure on update

2024-04-16 Thread Francesco Chicchiriccò

On 11/04/24 10:30, Lionel SCHWARZ wrote:

- On 28 Mar 24, at 9:38, Lionel SCHWARZ lionel.schw...@in2p3.fr wrote:

- On 27 Mar 24, at 8:19, Francesco Chicchiriccò ilgro...@apache.org wrote:


On 26/03/24 13:30, Lionel SCHWARZ wrote:

Dear all,

After reading https://syncope.apache.org/docs/reference-guide.html#propagation,
I ask myself a question: is there a way to avoid a User (or AnyObject) to be
modified in case the propagation task fails?

Hi Lionel,
that's exactly the purpose of setting a non-null priority onto an External
Resource:


the execution of a given set of tasks is halted (and global failure is reported)
whenever the first sequential task fails

would mean exactly that.

Thanks Francesco, I'll try this.

Hi Francesco and all,

After investigations and tests, I could indeed check that the sequence of tasks 
stops when the first task fails.
But there is a remaining question: the attribute on the Entity itself (the 
USER), the one which triggered the propagation, keeps changed. So we are in the 
situation where the User has an attribute different than values in the remote 
repos.


Yes, this happens by design: over time, we observed that refusing to upgrade 
Syncope because of a propagation error, even on priority resource, was too 
tight.


Is there a way to do kind of rollback on the USER update in this case?


You will need to override a few components in order to do that, starting from 
UserLogic#update and following the flow.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: openJDK 17 compatibility

2024-04-11 Thread Francesco Chicchiriccò

On 11/04/24 14:12, Marco Naimoli wrote:

Hello, I'm new to Apache Syncope; I've tried to test it using the standalone 
installation on a
vanilla debian linux bookworm, using openJDK 17.0.10
It seems to work, but when I try to import a SAML IDP metadata it fails with 
the following error:
InvalidEntity: Location must not be null
Metadata are ok: using the embedded version built with maven, metadata are 
imported without problems.
Clicking on the button to download the SP metadata doesn't do anything
And the wa.log (don't know if it can be related) is full of the following error:

ERROR org.springframework.scheduling.support.TaskUtils$LoggingErrorHandler - 
Unexpected error occurred in scheduled task
java.lang.IllegalStateException: Syncope core is not yet ready

I'm not sure, but I remember that the error "Location must not be null" was 
shown during some other operation, different from SAML configuration

Any suggestions / help ?


Hi Marco,
glad of your interest in Apache Syncope.

About JDK 17 compatibility, we have active GitHub Actions workflows on the 
3_0_X branch (supposing you are running the latest stable 3.0.6).
Moreover, my company is running several Syncope deployments on various flavors 
of OpenJDK 17.

As far as I understand, all works as expected when you use the standalone ZIP 
but it fails when you deploy Syncope somewhere else.

As suggested by the Getting Started guide [1], however you should be using the 
Maven archetype for an independent deployment, or the Docker images; there are 
further options, too, but it really depends on how much you are planning to 
customize or extend.

Can you describe how you got to deploy Syncope, including which components, 
which DBMS, which Java EE container, ... ?

Regards.

[1] 
https://syncope.apache.org/docs/3.0/getting-started.html#obtain-apache-syncope

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Propagation failure on update

2024-03-27 Thread Francesco Chicchiriccò

On 26/03/24 13:30, Lionel SCHWARZ wrote:

Dear all,

After reading https://syncope.apache.org/docs/reference-guide.html#propagation, 
I ask myself a question: is there a way to avoid a User (or AnyObject) to be 
modified in case the propagation task fails?


Hi Lionel,
that's exactly the purpose of setting a non-null priority onto an External 
Resource:

> the execution of a given set of tasks is halted (and global failure is reported) whenever the first sequential task fails

would mean exactly that.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Dynamic USER assignment attribute value.

2024-03-09 Thread Francesco Chicchiriccò

On 08/03/24 22:07, Fco. David Ferraes Feria wrote:

Hi everyone,

Thanks for the time you invested in this excellent tool. I have a quick 
question about the Dynamic USER assignment: Is it possible to use the value of 
the same group, like name, to match with the user assignment?


Hi,
sorry, I don't understand: can you please provide an example of what you are 
trying to achieve?

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Overlapping dynamic realms doesn't get updated

2024-02-20 Thread Francesco Chicchiriccò

On 21/02/24 08:52, Francesco Chicchiriccò wrote:

Hi Federico,
I wasn't personally aware that dynamic realms had some effective use cases, 
good to know :-)

I will go ahead and approve your JIRA account request so that you can report 
this as an issue.



Hum, it seems you need to send a new JIRA account request.


Sorry for inconvenience.



Are you also willing to submit a PR to fix it? If so, please ensure to include 
some tests, at least in DynRealmTest and DynRealmITCase.

Regards.

On 20/02/24 17:45, Federico Brignola wrote:

Hi,
while trying to figure out how dynamic realms work, I think that I found a bug. I've 
created 2 dynamic realms (dynr1, dynr2) with the same conditions (for example "USER 
Dynamic Condition [ATTRIBUTE email NOT NULL]"). When I create or update a user only 
one dynamic realm is updated, while the other one remains outdated.

Both Syncope 3.0.6 and Syncope 2.1.13 have the same behavior.

Steps to reproduce:

1. run the following docker-compose environment
2. create a user "user1" with email "us...@example.com"
3. create a dynamic realm "dynr1" with condition "USER Dynamic Condition [ATTRIBUTE email NOT NULL]"
4. create another dynamic realm "dynr2" with the same condition of "dynr1"
5. // Check that both dynamic realms contain the user "user1"
6. create a new user "user2" with email "us...@example.com"
7. // Check that only the realm "dynr1" contains the user "user2" while the other doesn't



That problem could be caused by the following function within the query at line 168 
because that query doesn't filter by the current dynamic realm, so it returns every row 
where the "any" exists (even if in other dynamic realms).
https://github.com/apache/syncope/blob/2dca716795497d4a73d75212964d5991eea01a2b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPADynRealmDAO.java#L162
 

The docker-compose environment:
```
version: '3.3'
services:
  db:
      image: postgres:12
      environment:
          POSTGRES_DB: syncope
          POSTGRES_USER: syncope
          POSTGRES_PASSWORD: syncope
      ports:
          - "5432:5432"

  syncope:
      image: apache/syncope:2.1.13
      depends_on:
          - db
      ports:
          - "8081:8080"
      environment:
          DBMS: postgresql
          DB_URL: jdbc:postgresql://db:5432/syncope
          DB_USER: syncope
          DB_PASSWORD: syncope
          DB_POOL_MAX: 10
          DB_POOL_MIN: 2
          OPENJPA_REMOTE_COMMIT: sjvm

  syncope-console:
      image: apache/syncope-console:2.1.13
      depends_on:
          - syncope
      ports:
          - "8082:8080"
      environment:
          CORE_SCHEME: http
          CORE_HOST: syncope
          CORE_PORT: 8080
```

Regards
Federico Brignola


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Overlapping dynamic realms doesn't get updated

2024-02-20 Thread Francesco Chicchiriccò

Hi Federico,
I wasn't personally aware that dynamic realms had some effective use cases, 
good to know :-)

I will go ahead and approve your JIRA account request so that you can report 
this as an issue.
Are you also willing to submit a PR to fix it? If so, please ensure to include 
some tests, at least in DynRealmTest and DynRealmITCase.

Regards.

On 20/02/24 17:45, Federico Brignola wrote:

Hi,
while trying to figure out how dynamic realms work, I think that I found a bug. I've 
created 2 dynamic realms (dynr1, dynr2) with the same conditions (for example "USER 
Dynamic Condition [ATTRIBUTE email NOT NULL]"). When I create or update a user only 
one dynamic realm is updated, while the other one remains outdated.

Both Syncope 3.0.6 and Syncope 2.1.13 have the same behavior.

Steps to reproduce:

1. run the following docker-compose environment
2. create a user "user1" with email "us...@example.com"
3. create a dynamic realm "dynr1" with condition "USER Dynamic Condition [ATTRIBUTE email NOT NULL]"
4. create another dynamic realm "dynr2" with the same condition of "dynr1"
5. // Check that both dynamic realms contain the user "user1"
6. create a new user "user2" with email "us...@example.com"
7. // Check that only the realm "dynr1" contains the user "user2" while the other doesn't



That problem could be caused by the following function within the query at line 168 
because that query doesn't filter by the current dynamic realm, so it returns every row 
where the "any" exists (even if in other dynamic realms).
https://github.com/apache/syncope/blob/2dca716795497d4a73d75212964d5991eea01a2b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPADynRealmDAO.java#L162
 

The docker-compose environment:
```
version: '3.3'
services:
  db:
      image: postgres:12
      environment:
          POSTGRES_DB: syncope
          POSTGRES_USER: syncope
          POSTGRES_PASSWORD: syncope
      ports:
          - "5432:5432"

  syncope:
      image: apache/syncope:2.1.13
      depends_on:
          - db
      ports:
          - "8081:8080"
      environment:
          DBMS: postgresql
          DB_URL: jdbc:postgresql://db:5432/syncope
          DB_USER: syncope
          DB_PASSWORD: syncope
          DB_POOL_MAX: 10
          DB_POOL_MIN: 2
          OPENJPA_REMOTE_COMMIT: sjvm

  syncope-console:
      image: apache/syncope-console:2.1.13
      depends_on:
          - syncope
      ports:
          - "8082:8080"
      environment:
          CORE_SCHEME: http
          CORE_HOST: syncope
          CORE_PORT: 8080
```

Regards
Federico Brignola



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
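
The cause suggested in the report above (an existence check that does not filter by the dynamic realm being refreshed) can be reproduced in isolation. This is an added example, not Syncope code: the table names, column names and functions are hypothetical, the sample users are constructed, and SQLite stands in for the real persistence layer.

```python
import sqlite3

# Hypothetical, simplified schema: one membership row per (dynamic realm, member).
SCHEMA = """
CREATE TABLE account (id TEXT PRIMARY KEY, email TEXT);
CREATE TABLE dyn_realm (id TEXT PRIMARY KEY);
CREATE TABLE dyn_realm_members (dyn_realm_id TEXT NOT NULL, any_id TEXT NOT NULL);
"""

# Existence check as described in the report: no filter on the realm.
EXISTS_UNSCOPED = "SELECT COUNT(*) FROM dyn_realm_members WHERE any_id = ?"
# Scoped check: only rows of the realm currently being refreshed count.
EXISTS_SCOPED = EXISTS_UNSCOPED + " AND dyn_realm_id = ?"


def matches(db, user_id):
    """Stand-in for the condition [ATTRIBUTE email NOT NULL]."""
    row = db.execute("SELECT email FROM account WHERE id = ?", (user_id,)).fetchone()
    return row is not None and row[0] is not None


def create_realm(db, realm_id):
    """Creating a realm computes its membership from scratch."""
    db.execute("INSERT INTO dyn_realm VALUES (?)", (realm_id,))
    for (user_id,) in db.execute("SELECT id FROM account ORDER BY id").fetchall():
        if matches(db, user_id):
            db.execute("INSERT INTO dyn_realm_members VALUES (?, ?)", (realm_id, user_id))


def refresh(db, user_id, scoped):
    """Re-evaluate one user against every dynamic realm after create/update."""
    for (realm_id,) in db.execute("SELECT id FROM dyn_realm ORDER BY id").fetchall():
        if matches(db, user_id):
            if scoped:
                count = db.execute(EXISTS_SCOPED, (user_id, realm_id)).fetchone()[0]
            else:
                count = db.execute(EXISTS_UNSCOPED, (user_id,)).fetchone()[0]
            if count == 0:
                db.execute("INSERT INTO dyn_realm_members VALUES (?, ?)", (realm_id, user_id))
        else:
            db.execute(
                "DELETE FROM dyn_realm_members WHERE dyn_realm_id = ? AND any_id = ?",
                (realm_id, user_id),
            )


def save_user(db, user_id, email, scoped):
    db.execute("INSERT OR REPLACE INTO account VALUES (?, ?)", (user_id, email))
    refresh(db, user_id, scoped)


def members(db, realm_id):
    rows = db.execute(
        "SELECT any_id FROM dyn_realm_members WHERE dyn_realm_id = ? ORDER BY any_id",
        (realm_id,),
    ).fetchall()
    return [r[0] for r in rows]


def reproduce(scoped):
    """Steps 2 to 7 of the report, with constructed e-mail addresses."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    save_user(db, "user1", "user1@example.com", scoped)
    create_realm(db, "dynr1")
    create_realm(db, "dynr2")
    save_user(db, "user2", "user2@example.com", scoped)
    return {realm: members(db, realm) for realm in ("dynr1", "dynr2")}


if __name__ == "__main__":
    print("unscoped check:", reproduce(scoped=False))
    print("scoped check:  ", reproduce(scoped=True))
```

With the unscoped check the row just inserted for "dynr1" makes "user2" look already present when "dynr2" is evaluated, so any authorization decision delegated through "dynr2" silently misses that user.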


Re: FIQL with relationships

2024-02-19 Thread Francesco Chicchiriccò

Hi Lionel,
I think you are more than experienced enough to explore the code and find your 
answers.

The method to investigate is:

https://github.com/apache/syncope/blob/3_0_X/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAAnySearchDAO.java#L707-L732

or (in case of pgjsonb):

https://github.com/apache/syncope/blob/3_0_X/core/persistence-jpa-json/src/main/java/org/apache/syncope/core/persistence/jpa/dao/PGJPAJSONAnySearchDAO.java#L535-L561

Please share back your findings, thanks.
Regards.

On 15/02/24 15:25, Lionel SCHWARZ wrote:

Hi all,

Searching AnyObjects with a FIQL like 
"$type==MYTYPE;$relationships==object2;$relationshipTypes==RELATION1" returns 
the following object:

{
  "result": [
    {
      "_class": "org.apache.syncope.common.lib.to.AnyObjectTO",
      "type": "MYTYPE",
      "name": "MyName",
      "relationships": [
        {
          "type": "RELATION1",
          "otherEndType": "TYPE1",
          "otherEndKey": "01862789-75eb-7c2b-9907-0818a48910b7",
          "otherEndName": "object1"
        },
        {
          "type": "RELATION2",
          "otherEndType": "TYPE2",
          "otherEndKey": "01862789-75eb-7c2b-9907-0818a48910b7",
          "otherEndName": "object2"
        }
      ]
    }
  ]
}

Is it a bug or a feature ;) ?
If it is a feature, I understand the query as "give me objects that have at least one relation of 
type "RELATION1" and that also have at least one relation with "object2".

In this case, my question is: what is the FIQL for "give me objects that have a relationship of 
type "RELATION1" on "object2" ? (this query should return empty result then).

Regards
Lionel



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Acitiviti tables "act_ru_actinst" too many

2024-02-08 Thread Francesco Chicchiriccò

Hi,
for 10k users with default settings, you are not expected to accumulate so many 
entries in the history tables, unless you are continuously updating them.

Anyway, especially, if you are not using User Requests, cleaning up those 
tables provides no harm.

Regards.

On 06/02/24 14:50, yuefei@intelliprogroup.com wrote:

Hi Francesco,
I am using Apache Syncope version 3.0.5, database: pgsql 15 and running in a 
docker container, using the image apache/syncope:3.0.5
Best regards,

yuefei.liu

--
yuefei@intelliprogroup.com

*From:* Francesco Chicchiriccò <mailto:ilgro...@apache.org>
*Date:* 2024-02-05 17:30
*To:* user <mailto:user@syncope.apache.org>
*Subject:* Re: Acitiviti tables "act_ru_actinst" too many
Hi yuefei.liu,
you should provide at least which Syncope version you are running, and also 
something about the environment (database? Tomcat? which versions?).

Regards.

On 04/02/24 06:40, yuefei@intelliprogroup.com wrote:

Hello,

I hope this email finds you well. I am currently using Apache Syncope as a 
user synchronization tool to sync user and user group information from one 
system to another. The number of users is approximately 10,000+.

After running scheduled push and pull tasks for 2-3 months, I have noticed 
that the 'act_ru_actinst' table in the database has accumulated millions of 
records, leading to a slowdown in synchronization efficiency.

I would like to inquire if it is safe to directly delete these data 
records. Your guidance on this matter would be greatly appreciated.

Best regards,
yuefei.liu



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Acitiviti tables "act_ru_actinst" too many

2024-02-05 Thread Francesco Chicchiriccò

Hi yuefei.liu,
you should provide at least which Syncope version you are running, and also 
something about the environment (database? Tomcat? which versions?).

Regards.

On 04/02/24 06:40, yuefei@intelliprogroup.com wrote:

Hello,

I hope this email finds you well. I am currently using Apache Syncope as a user 
synchronization tool to sync user and user group information from one system to 
another. The number of users is approximately 10,000+.

After running scheduled push and pull tasks for 2-3 months, I have noticed that 
the 'act_ru_actinst' table in the database has accumulated millions of records, 
leading to a slowdown in synchronization efficiency.

I would like to inquire if it is safe to directly delete these data records. 
Your guidance on this matter would be greatly appreciated.

Best regards,
yuefei.liu


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


[ANN] Apache Syncope 3.0.6

2023-12-26 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.6

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope306

Upgrading from 3.0.5? There are some notes about this process:
https://s.apache.org/0ytql

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Syncope for Linux User and Group management

2023-12-22 Thread Francesco Chicchiriccò

On 22/12/23 13:26, Eugen Stan wrote:

Hi,
I wanted to ask if Syncope is / can be used to store linux group ID's .
We have some users and groups in Azure AD and I would like to have available 
for linux systems
- sync those users and groups
- generate the group GID for linux (integer in high range - 9000 - 3)
- generate the UID for linux ( integer in high range - 9000 - 3)
- generate the linux group name ?!
- generate the linux user name (first part of email ?! )
- periodically sync the groups and users to all linux hosts - there is a 
project for this already that integrates with linux 
https://github.com/google/nsscache

Has anyone done something similar with Syncope?
Syncope seems to have most of the bits we need for this job. (edited)
Is there a better way of handling this?


Hi, the use case depicted above seems quite reasonable to me - and we've been 
implementing something similar with some of my company's customers as well.

At high level, you need to define a few External Resources:

1. Azure AD (via Azure connector [1], bundled) for pull
2. Various Linux boxes (via CMD connector [2], bundled or UNIX connector [3], 
not bundled and unmaintained but still functional), for propagation

You could attach a Pull Actions class to resource (1) to take care of 
generating what needed for resources (2).

As alternative for (2), you might instead configure a single LDAP resource (via 
LDAP connector [5]) to populate an OpenLDAP instance and configure all Linux 
boxes to get users and groups from there.

HTH
Regards.

[1] https://github.com/Tirasa/ConnIdAzureBundle/
[2] https://github.com/Tirasa/ConnIdCMDBundle
[3] https://github.com/Tirasa/ConnIdUNIXBundle
[4] https://syncope.apache.org/docs/3.0/reference-guide.html#pullactions
[5] https://github.com/Tirasa/ConnIdLDAPBundle

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: CUSTOM events in Audit

2023-12-12 Thread Francesco Chicchiriccò

On 27/11/23 16:01, Lionel SCHWARZ wrote:

- On 27 Nov 23, at 14:43, Lorenzo Di Cola wrote:

Hi Lionel,
yes, using PostgreSQL JSONB means you're storing audit on db, as you said about 
"auditentry" table.
You can take care about AnySearchDAO bean, you should use the one of type 
PGJPAJSONAnySearchDAO in order to use PostgreSQL feature.

Sorry Lorenzo, I don't get your point at all, I have no idea what to do with 
this PGJPAJSONAnySearchDAO bean...

As I explained in my first message, basically what I did is:
1. activated audit for "syncope.audit.[CUSTOM]:[]:[]:[MY_EVENT]:[SUCCESS]"
2. triggered the event "MY_EVENT" somewhere in my code
3. got empty list when requesting  "/syncope/rest/audit/entries?type=CUSTOM"

So my question is: is it normal that audit for CUSTOM events are not stored ? 
(audit is fine for non-custom event type)

We have added a dedicated integration test case to check this condition:

https://github.com/apache/syncope/blob/3_0_X/fit/core-reference/src/test/java/org/apache/syncope/fit/core/AuditITCase.java#L667

You might also want to have a look at the class that is actually triggering a 
custom audit event, for reference:

https://github.com/apache/syncope/blob/3_0_X/fit/core-reference/src/test/resources/CustomAuditLogicActions.groovy

HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: HTTP-Request in confirmpasswordrequest

2023-12-04 Thread Francesco Chicchiriccò

Hi Timo,
what you describe below sounds like one of the typical problems of running 
Tomcat (where I suppose your Enduser instance is deployed) behind an HTTP 
reverse proxy which serves as TLS terminator.

There are plenty of references out there; in particular:

https://examples.javacodegeeks.com/java-development/enterprise-java/tomcat/apache-tomcat-reverse-proxy-configuration-tutorial/

Look at section 9.

Regards.

On 30/11/23 08:45, Timo Weber wrote:


Hi there,

we are using Syncope in Docker containers and are facing a strange issue. We 
are not quite sure if it is caused by our Apache server configuration or an 
internal Syncope issue.

Syncope Version is 3.0.2

When the link for a password reset is clicked, the first request is of course a 
https request which our apache routes to the enduser container. Then a redirect 
occurs which is an http request and has an integer (a counter?) as first 
parameter. I assume this is done by Syncope. This request is then again 
redirected by our Apache Server to port 443.

In principle everything works but the insecure http request is forbidden in our 
environment and stops the whole process.

Are there any additional instructions in the reverse proxy configuration which 
are necessary for this to work?

Here is the relevant server log:

- my.domain.de:443 192.168.0.51 - [24/Apr/2023:08:56:02 +0200] "GET /syncope-enduser/confirmpasswordreset?token=8kA1tw8sN...QEWNHL HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

- my.domain.de:80 192.168.0.51 - [24/Apr/2023:08:56:03 +0200] "GET /syncope-enduser/confirmpasswordreset?2=8kA1tw8sN...QEWNHL HTTP/1.1" 302 602 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

- my.domain.de:443 192.168.0.51 - [24/Apr/2023:08:56:03 +0200] "GET /syncope-enduser/confirmpasswordreset?2=8kA1tw8sN...QEWNHL HTTP/1.1" 200 12738 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

The reverse proxy configuration contains amongst others already the following 
lines:

RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

RequestHeader set X-Forwarded-SSL expr=%{HTTPS}

RequestHeader set Sec-Fetch-Dest: "document"

RequestHeader set Sec-Fetch-Mode: "navigate"

RequestHeader set Sec-Fetch-Site: "none"

ProxyPreserveHost On

Any help would be appreciated.

Kind regards

Timo



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
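
The pattern visible in the access log above (a redirect answered over TLS, followed within a second by the same client requesting the same path on the plaintext port) can be searched for mechanically. This is an added example, not part of the original thread: the log lines are constructed in the layout of the excerpt, the function names are hypothetical, and ports 443 and 80 are assumed to be the TLS and plaintext listeners.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in the layout of the excerpt in the post:
# vhost:port client - [time] "request" status size "referer" "agent"
SAMPLE_LOG = """\
- my.domain.de:443 192.168.0.51 - [24/Apr/2023:08:56:02 +0200] "GET /syncope-enduser/confirmpasswordreset?token=CONSTRUCTED HTTP/1.1" 302 - "-" "Mozilla/5.0"
- my.domain.de:80 192.168.0.51 - [24/Apr/2023:08:56:03 +0200] "GET /syncope-enduser/confirmpasswordreset?2=CONSTRUCTED HTTP/1.1" 302 602 "-" "Mozilla/5.0"
- my.domain.de:443 192.168.0.51 - [24/Apr/2023:08:56:03 +0200] "GET /syncope-enduser/confirmpasswordreset?2=CONSTRUCTED HTTP/1.1" 200 12738 "-" "Mozilla/5.0"
- my.domain.de:80 192.168.0.77 - [24/Apr/2023:08:57:10 +0200] "GET / HTTP/1.1" 301 240 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?:-\s+)?(?P<vhost>[^\s:]+):(?P<port>\d+)\s+(?P<client>\S+)\s+\S+\s+'
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>\S+)\s+(?P<target>\S+)[^"]*"\s+'
    r'(?P<status>\d{3})\s'
)


def parse_line(line):
    """Return the fields needed for correlation, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    return {
        "port": int(m.group("port")),
        "client": m.group("client"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": target.path,
        "query": target.query,
        "status": int(m.group("status")),
    }


def find_downgrades(lines, window_seconds=5):
    """Flag plaintext requests that directly follow a redirect served over TLS.

    A hit means the client was sent from https to http for the same path,
    so whatever sits in the query string crossed the network unencrypted.
    """
    last_tls_redirect = {}  # (client, path) -> time of last 3xx on port 443
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        key = (entry["client"], entry["path"])
        if entry["port"] == 443 and 300 <= entry["status"] < 400:
            last_tls_redirect[key] = entry["time"]
        elif entry["port"] == 80 and key in last_tls_redirect:
            delay = (entry["time"] - last_tls_redirect[key]).total_seconds()
            if 0 <= delay <= window_seconds:
                findings.append({
                    "client": entry["client"],
                    "path": entry["path"],
                    "time": entry["time"].isoformat(),
                    "query_sent_in_clear": bool(entry["query"]),
                })
    return findings


if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_LOG.splitlines()):
        print(finding)
```

A hit on a path such as confirmpasswordreset is consistent with the backend building absolute redirect URLs from the scheme it sees on the proxied connection rather than from the scheme the client used.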


Re: Potential userlogic update issue

2023-11-29 Thread Francesco Chicchiriccò

On 28/11/23 18:19, GCHQDeveloper29 wrote:

Hi,

The updateAttr function in my prior email exists within my 'logic' class.
I.e. org.apache.syncope.core.logic.AttributeLogic

The second code block within the same email is what would/could exist within 
the Rest-CXF class of the extension.

If I remove the @Transactional annotation on the updateAttr function, I start 
getting 'Could not find EntityManager for domain Master' exceptions, from my 
userDAO.findByUsername() call, (userDAO being autowired within the logic class).
I have also tried passing through the UserDAO from the LogicContext class 
however that does not work either.


If the only reason to call

userDAO.findByUsername()

is to find the actual user uuid because your "key" variable " can either be the 
username or the UUID of the user", then I would suggest to implement something like 
AbstractAnyService#findActualKey [1] which is using only the method

userDAO.findKey()

which is itself annotated as @Transactional and can be used outside of any 
transaction.

Alternatively, you can also leverage

userDAO.findUsername()

This will allow to remove @Transactional from the updateAttr method.

Regards.

[1] 
https://github.com/apache/syncope/blob/3_0_X/core/idrepo/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/AbstractService.java#L64


On Tuesday, 28 November 2023 at 13:14, Francesco Chicchiriccò wrote:


Hi,
I assume the code below lies inside a REST service implementation class.

Basically, it manipulates payload objects (UserCR, AttrPatch and so on) then 
invokes UserLogic for actual processing.

If so, then you should remove @Transactional from such method as by doing so 
you are essentially breaking the transaction mechanism as managed by UserLogic.

HTH
Regards.

On 28/11/23 11:53, GCHQDeveloper29 wrote:

Hi there,

I'm hoping to gain some advice (or report a bug in the case I've not just been 
a fool!).
I'm currently on version 3.0.4, although plan to move to 3.0.5 soon, and am 
using version 1.5.7 of the LDAP connector.

I have a slightly different version of the following function sat behind a rest 
endpoint, but am observing peculiar behaviour when calling the rest endpoint 
(hence triggering an update in userLogic).

```
@Transactional
public Response updateAttr(final UpdateAttrTO updateAttrTO, final String attribute)
{
    // key can either be the username or the UUID of the user
    String key = updateAttrTO.getKey();
    String attrVal = updateAttrTO.getAttrVal();

    try {
        // getUser gets the user object, first trying by username, then by UUID
        User user = getUser(key);
        String uuid = user.getKey();
        String username = user.getUsername();

        // Create the patch and user update request
        Attr attr = new Attr.Builder(attribute)
            .value(attrVal)
            .build();

        // Compare by content: == on Strings tests object identity, not equality
        AttrPatch patch = new AttrPatch.Builder(attr)
            .operation("".equals(attrVal) ? PatchOperation.DELETE : PatchOperation.ADD_REPLACE)
            .build();

        UserUR userUR = new UserUR.Builder(uuid)
            .plainAttr(patch)
            .build();

        // Attempt to patch the user
        ProvisioningResult provisioningResult = userLogic.update(userUR, false);

        return Response.ok().build();
    }
    // Catch if a user cannot be found
    catch (NotFoundException e)
    {
        return Response.status(400, e.getLocalizedMessage()).build();
    }
    // Catch any other unanticipated error
    catch (Exception e)
    {
        return Response.status(500, e.getLocalizedMessage()).build();
    }
}
```

The above function can be called as below (I use rest parameters in actuality):
```
UpdateAttrTO updateAttrTO = new UpdateAttrTO();
updateAttrTO.setKey("ExampleKey");
updateAttrTO.setAttrVal("ExampleAttrVal");
return updateAttr(updateAttrTO, "ExampleAttribute");
```

When I do this, the value gets updated within Syncope's database, however the 
propagation task (to an LDAP connector), updates the downstream resource with 
the previous value.
For example, if I were to do the following for a user "user123", that does not initially 
have "ExampleAttribute" set, the downstream resource is always one value behind:

```
// 
// Syncope value - N/A
// Downstream LDAP resource - N/A
// 

UpdateAttrTO updateAttrTO1 = new UpdateAttrTO();
updateAttrTO1.setKey("user123");
updateAttrTO1.setAttrVal("");
updateAttr(updateAttrTO1, "ExampleAttribute");

// -
// Syncope value - ""
// Downstream LDAP resource - N/A
// -

UpdateAttrTO updateAttrTO2 = new UpdateAttrTO();
updateAttrTO2.setKey("user123");
updateAttrTO2.setAttrVal("");
updateAttr(updateAttrTO2, "ExampleAttribute");

// 
// Syncope value - ""
// Downstream LDAP resource - ""
// ----
```

Hopefully I explained the situation sufficiently, if not please let me know and 
I can try to give some more detail.

Kind Regards,
GCHQDeveloper29.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Potential userlogic update issue

2023-11-28 Thread Francesco Chicchiriccò

Hi,
I assume the code below lies inside a REST service implementation class.

Basically, it manipulates payload objects (UserCR, AttrPatch and so on) then 
invokes UserLogic for actual processing.

If so, then you should remove @Transactional from such method as by doing so 
you are essentially breaking the transaction mechanism as managed by UserLogic.

HTH
Regards.

On 28/11/23 11:53, GCHQDeveloper29 wrote:

Hi there,

I'm hoping to gain some advice (or report a bug in the case I've not just been 
a fool!).
I'm currently on version 3.0.4, although plan to move to 3.0.5 soon, and am 
using version 1.5.7 of the LDAP connector.

I have a slightly different version of the following function sat behind a rest 
endpoint, but am observing peculiar behaviour when calling the rest endpoint 
(hence triggering an update in userLogic).

```
@Transactional
public Response updateAttr(final UpdateAttrTO updateAttrTO, final String attribute)
{
    // key can either be the username or the UUID of the user
    String key = updateAttrTO.getKey();
    String attrVal = updateAttrTO.getAttrVal();

    try {
        // getUser gets the user object, first trying by username, then by UUID
        User user = getUser(key);
        String uuid = user.getKey();
        String username = user.getUsername();

        // Create the patch and user update request
        Attr attr = new Attr.Builder(attribute)
            .value(attrVal)
            .build();

        AttrPatch patch = new AttrPatch.Builder(attr)
            .operation(attrVal == "" ? PatchOperation.DELETE : PatchOperation.ADD_REPLACE)
            .build();

        UserUR userUR = new UserUR.Builder(uuid)
            .plainAttr(patch)
            .build();

        // Attempt to patch the user
        ProvisioningResult provisioningResult = userLogic.update(userUR, false);

        return Response.ok().build();

    }
    // Catch if a user cannot be found
    catch (NotFoundException e)
    {
        return Response.status(400, e.getLocalizedMessage()).build();
    }
    // Catch any other unanticipated error
    catch (Exception e)
    {
        return Response.status(500, e.getLocalizedMessage()).build();
    }
}
```

The above function can be called as below (I use rest parameters in actuality):
```
UpdateAttrTO updateAttrTO = new UpdateAttrTO();
updateAttrTO.setKey("ExampleKey");
updateAttrTO.setAttrVal("ExampleAttrVal");
return updateAttr(updateAttrTO, "ExampleAttribute");
```

When I do this, the value gets updated within Syncope's database, however the 
propagation task (to an LDAP connector), updates the downstream resource with 
the previous value.
For example, if I were to do the following for a user "user123", that does not initially 
have "ExampleAttribute" set, the downstream resource is always one value behind:

```
// 
// Syncope value - N/A
// Downstream LDAP resource - N/A
// 

UpdateAttrTO updateAttrTO1 = new UpdateAttrTO();
updateAttrTO1.setKey("user123");
updateAttrTO1.setAttrVal("");
updateAttr(updateAttrTO1, "ExampleAttribute");

// -
// Syncope value - ""
// Downstream LDAP resource - N/A
// -

UpdateAttrTO updateAttrTO2 = new UpdateAttrTO();
updateAttrTO2.setKey("user123");
updateAttrTO2.setAttrVal("");
updateAttr(updateAttrTO2, "ExampleAttribute");

// 
// Syncope value - ""
// Downstream LDAP resource - ""
// 
```

Hopefully I explained the situation sufficiently, if not please let me know and 
I can try to give some more detail.

Kind Regards,
GCHQDeveloper29.



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Syncope 3.0.5 upgrade

2023-10-26 Thread Francesco Chicchiriccò

On 25/10/23 20:36, Thomas Ryman wrote:

Also is there any way to encrypt the keymaster.password=unencrypted-password 
and decrypt it during run time?



Starting with 3.0, Apache Syncope components are all Spring Boot applications, 
so you are free to integrate something like

https://github.com/ulisesbocchio/jasypt-spring-boot

to achieve this goal.


It would be anyway an interesting feature to add, please remember that 
contribution is always welcome!

https://syncope.apache.org/contributing

Regards.


--


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
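
Added example (not part of the original message, and not Syncope's own code): a small helper that produces the `ENC(...)` value to put in place of `keymaster.password=unencrypted-password` once jasypt-spring-boot has been added to the project. The class name `EncryptKeymasterPassword` is hypothetical, and the encryptor settings assume the defaults documented for jasypt-spring-boot 3.x.

```java
import java.io.Console;

import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.salt.RandomSaltGenerator;

// Hypothetical helper (not part of Syncope): prints the line to paste into the
// properties file in place of keymaster.password=unencrypted-password.
public class EncryptKeymasterPassword {

    // Settings assumed to match the jasypt-spring-boot 3.x defaults, so that the
    // starter can decrypt the value when given only the master password.
    static PooledPBEStringEncryptor newEncryptor(String masterPassword) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(masterPassword);
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        // Random salt and IV per value: encrypting the same password twice
        // yields different ciphertexts.
        config.setSaltGenerator(new RandomSaltGenerator());
        config.setIvGenerator(new RandomIvGenerator());
        config.setStringOutputType("base64");

        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    // Wraps the ciphertext in the ENC(...) marker that jasypt-spring-boot looks for.
    static String toPropertyLine(String key, String clearText, PooledPBEStringEncryptor encryptor) {
        return key + "=ENC(" + encryptor.encrypt(clearText) + ")";
    }

    public static void main(String[] args) {
        // The master password comes from the environment so that it is never
        // stored next to the ciphertext it protects.
        String master = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        Console console = System.console();
        if (master == null || master.isEmpty() || console == null) {
            System.err.println("Run from a terminal with JASYPT_ENCRYPTOR_PASSWORD set");
            System.exit(1);
        }

        // Prompt without echo rather than taking the secret as a command-line
        // argument, which would leave it in the process list and shell history.
        String clearText = new String(console.readPassword("Value of keymaster.password: "));

        PooledPBEStringEncryptor encryptor = newEncryptor(master);
        String line = toPropertyLine("keymaster.password", clearText, encryptor);

        // Round-trip check before the value goes into a properties file.
        String cipher = line.substring(line.indexOf("ENC(") + 4, line.length() - 1);
        if (!encryptor.decrypt(cipher).equals(clearText)) {
            throw new IllegalStateException("Round trip failed, do not use this value");
        }
        System.out.println(line);
    }
}
```

At run time the component needs the same master password, supplied outside the properties file (for example through the `JASYPT_ENCRYPTOR_PASSWORD` environment variable, which Spring Boot binds to `jasypt.encryptor.password`); keeping it in the same file as the ciphertext would defeat the purpose.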



Re: Syncope 3.0.5 upgrade

2023-10-26 Thread Francesco Chicchiriccò

Hi Thomas,
as reported by

https://syncope.apache.org/docs/3.0/reference-guide.html#upgrade-from-2-1

there is no supported upgrade path from 2.1 to 3.0.

Please stick with the suggested migration approach.

Regards.

On 25/10/23 18:43, Thomas Ryman wrote:

Hello,

I am working on upgrading syncope from version 2 to version 3 however am having 
some issues.  I am following instructions that were found before however it 
seems whenever I start syncope the logs show that I am missing a class and 
possibly some properties.  Here is one of the current errors that I am 
investigating.  Also if there is any full documentation out there on the proper 
process to upgrade from version 2 to version 3 a link would be very appreciated.

Description: Field serviceOps in 
org.apache.syncope.common.keymaster.client.api.startstop.KeymasterStartStop 
required a bean of type 
'org.apache.syncope.common.keymaster.client.api.ServiceOps' that could not be 
found. The injection point has the following annotations:         - 
@org.springframework.beans.factory.annotation.Autowired(required=true) Action: 
Consider defining a bean of type 
'org.apache.syncope.common.keymaster.client.api.ServiceOps'in your 
configuration.



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: empty statuses in LogicActions.afterUpdate

2023-10-25 Thread Francesco Chicchiriccò

So let me summarize what is happening.

This step:

- update the user so that the approval is needed

is actually performed by calling

PATCH /users/self/

or

PATCH /users/

depending on whether the caller is the user themselves or an administrator.
Both invocations reach up to UserLogic#doUpdate that is where any matching 
LogicActions#afterUpdate is invoked.

If the update as above is triggering an approval in the defined user workflow, 
any propagation is suspended.

This step:

- approve the update

(I assume performed via Console) is instead calling

POST /flowable/userRequests/forms/

As you can see from Swagger UI, this all is returning all the propagation 
statuses as expected.

Hence, if you want to decorate the result of a form approval - similarly to 
what you are doing via LogicActions#afterUpdate for plain updates - you will 
have to code this into a workflow task, to be inserted in your definition right 
after approval.

Hope this clarifies.
Regards.

On 24/10/23 09:48, Lionel SCHWARZ wrote:

Hi Francesco,
Thanks for your answer.

You should be able to reproduce this with the UserWorkflow defined in the fit 
part of Syncope (which I used as a base for my customized workflow definition) 
and with the LogicActions implementation attached to the email:

- declare the ExampleLogicAction in the default realm
- create a user in the default realm with a resource
- update the user so that the approval is needed
- approve the update
- check in the log that the afterUpdate() receives empty List

AND
- update the user so that the approval is NOT needed
- check in the log that the afterUpdate() receives List with 
1 item: the propagation of the resource


Best regards
Lionel

- On 24 Oct 23, at 8:44, Francesco Chicchiriccò ilgro...@apache.org wrote:


Hi Lionel,
can you provide a simple project that reproduces this issue?

It should be enough to create a new Maven project from latest stable version
(3.0.5 at this time), change the workflow definition to match your case and
finally provide the steps to reproduce in embedded mode.

Regards.

On 23/10/23 18:10, Lionel SCHWARZ wrote:

To be more specific about the issue, I must tell that I have a flowable
UserWorkflow with approval on user update operations (on certain
circumstances).
It seems that when the update needs approval, the afterUpdate() is called before
approval with an empty List.
When the update does not need approval, the afterUpdate() works fine.

Lionel

- On 23 Oct 23, at 17:36, Lionel SCHWARZ lionel.schw...@in2p3.fr wrote:


Dear all,

I have a customized LogicAction with afterUpdate() implementation, but this
method receives an empty List when called.
Nevertheless, the propagation works fine, and I get the correct REST response
with propagationStatuses and beforeObj/afterObj.

Am I missing something?

Regards
Lionel


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: empty statuses in LogicActions.afterUpdate

2023-10-24 Thread Francesco Chicchiriccò

Hi Lionel,
can you provide a simple project that reproduces this issue?

It should be enough to create a new Maven project from latest stable version 
(3.0.5 at this time), change the workflow definition to match your case and 
finally provide the steps to reproduce in embedded mode.

Regards.

On 23/10/23 18:10, Lionel SCHWARZ wrote:

To be more specific about the issue, I must tell that I have a flowable 
UserWorkflow with approval on user update operations (on certain circumstances).
It seems that when the update needs approval, the afterUpdate() is called 
before approval with an empty List.
When the update does not need approval, the afterUpdate() works fine.

Lionel

- On 23 Oct 23, at 17:36, Lionel SCHWARZ lionel.schw...@in2p3.fr wrote:


Dear all,

I have a customized LogicAction with afterUpdate() implementation, but this
method receives an empty List when called.
Nevertheless, the propagation works fine, and I get the correct REST response
with propagationStatuses and beforeObj/afterObj.

Am I missing something?

Regards
Lionel


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: CSVDIRConnector exception while pulling

2023-10-22 Thread Francesco Chicchiriccò
          "true"
        ],
        "overridable": false
      },
      {
        "schema": {
          "name": "keyseparator",
          "displayName": "Key separator",
          "helpMessage": "Character used to separate keys in a multi-key scenario. Default is \",\".",
          "type": "java.lang.String",
          "required": false,
          "order": 12,
          "confidential": false,
          "defaultValues": [
            ","
          ]
        },
        "values": [
          ","
        ],
        "overridable": false
      },
      {
        "schema": {
          "name": "multivalueSeparator",
          "displayName": "Multi value separator",
          "helpMessage": "Character used to separate values in a multi-value scenario. Multivalue unsupported if not provided.",
          "type": "java.lang.String",
          "required": false,
          "order": 13,
          "confidential": false,
          "defaultValues": []
        },
        "values": [],
        "overridable": false
      },
      {
        "schema": {
          "name": "defaultStatusValue",
          "displayName": "Default Status Value",
          "helpMessage": "Enter the value for status in case of status not specified. Default is \"true\".",
          "type": "java.lang.String",
          "required": false,
          "order": 14,
          "confidential": false,
          "defaultValues": [
            "true"
          ]
        },
        "values": [
          "true"
        ],
        "overridable": false
      },
      {
        "schema": {
          "name": "disabledStatusValue",
          "displayName": "Disabled Status Value",
          "helpMessage": "Specify a value for disabled status. Default is \"false\".",
          "type": "java.lang.String",
          "required": false,
          "order": 15,
          "confidential": false,
          "defaultValues": [
            "false"
          ]
        },
        "values": [
          "false"
        ],
        "overridable": false
      },
      {
        "schema": {
          "name": "enabledStatusValue",
          "displayName": "Enable Status Value",
          "helpMessage": "Specify a value for enabled status. Default is \"true\".",
          "type": "java.lang.String",
          "required": false,
          "order": 16,
          "confidential": false,
          "defaultValues": [
            "true"
          ]
        },
        "values": [
          "true"
        ],
        "overridable": false
      },
      {
        "schema": {
          "name": "statusColumn",
          "displayName": "Status Column name",
          "helpMessage": "Status column name.",
          "type": "java.lang.String",
          "required": false,
          "order": 17,
          "confidential": false,
          "defaultValues": []
        },
        "values": [],
        "overridable": false
      },
      {
        "schema": {
          "name": "objectClassColumn",
          "displayName": "ObjectClass Column Name",
          "helpMessage": "Column name identifying identity record type",
          "type": "java.lang.String",
          "required": false,
          "order": 18,
          "confidential": false,
          "defaultValues": []
        },
        "values": [],
        "overridable": false
      },
      {
        "schema": {
          "name": "objectClass",
          "displayName": "Supported Object Classes",
          "helpMessage": "Supported object classes (__ACCOUNT__ as default if empty)",
          "type": "[Ljava.lang.String;",
          "required": false,
          "order": 19,
          "confidential": false,
          "defaultValues": [
            "__ACCOUNT__"
          ]
        },
        "values": [
          "CONTRACT"
        ],
        "overridable": false
      }
    ],
    "capabilities": [
      "SEARCH"
    ],
    "displayName": "remoteCSV",
    "connRequestTimeout": 10,
    "poolConf": null
  }
]

Pulltask:

{
  "prev": null,
  "next": null,
  "result": [
    {
      "_class": "org.apache.syncope.common.lib.to.PullTaskTO",
      "key": "018b4347-f95c-7a42-bcbd-ef19f28934fb",
      "start": "2023-10-18T16:54:37.881+02:00",
      "end": "2023-10-18T16:54:38.058+02:00",
      "latestExecStatus": "FAILURE",
      "lastExecutor": "admin",
      "executions": [
        {
          "start": "2023-10-18T16:54:37.881+02:00",
          "end": "2023-10-18T16:54:38.058+02:00",
          "key": "018b4348-0f39-7306-8fef-328f11f795fb",
          "jobType": "TASK",
          "refKey": "018b4347-f95c-7a42-bcbd-ef19f28934fb",
          "refDesc": "PULL Task 018b4347-f95c-7a42-bcbd-ef19f28934fb FullRecoPull",
          "status": "FAILURE",
          "message": "very long stacktrace",
          "executor": "admin"
        }
      ],
      "startAt": null,
      "cronExpression": null,
      "jobDelegate": null,
      "name": "FullRecoPull",
      "description": null,
      "lastExec": "2023-10-18T16:54:37.881+02:00",
      "nextExec": null,
      "active": true,
      "resource": "TUCaNImportCSV",
      "performCreate": true,
      "performUpdate": true,
      "performDelete": false,
      "syncStatus": false,
      "unmatchingRule": "IGNORE",
      "matchingRule": "UPDATE",
      "actions": [],
      "concurrentSettings": null,
      "pullMode": "FULL_RECONCILIATION",
      "reconFilterBuilder": null,
      "destinationRealm": "/",
      "remediation": false,
      "templates": {}
    }
  ],
  "page": 1,
  "size": 1,
  "totalCount": 1
}



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Upgrading a user to an new userWorkflow definition

2023-10-06 Thread Francesco Chicchiriccò

Hi Lionel,
glad to read that you did solve.

Regards.

On 05/10/23 17:47, Lionel SCHWARZ wrote:

OK that was tricky but I finally found out that:
- I have to update table ACT_RU_ACTINST as well
- the UPDATE ACT_RU_EXECUTION is actually:
UPDATE ACT_RU_EXECUTION SET PROC_DEF_ID_ = 'userWorkflow:X:' WHERE PROC_INST_ID_ 
= ;

It seems to work like this
Sorry for the noise, best regards
Lionel

- On 5 Oct 23, at 17:15, Lionel SCHWARZ lionel.schw...@in2p3.fr wrote:


Dear all,

After deploying a new userWorkflow definition (PUT
/flowable/bpmnProcesses/userWorkflow), I tried to upgrade a user to this new
workflow, executing the following steps:

- stop Syncope
- connect to DB
- get the definition id of the new workflow:
SELECT ID_ FROM ACT_RE_PROCDEF WHERE KEY_ = 'userWorkflow' ORDER BY VERSION_
DESC;
- get the process instance of the user:
SELECT ID_ FROM ACT_RU_EXECUTION BUSINESS_KEY_  = concat('userWorkflow:',
)
- update both with the new definition id
UPDATE ACT_RU_EXECUTION SET PROC_DEF_ID_ = 'userWorkflow:X:' WHERE ID_ =
;
UPDATE ACT_RU_TASK SET PROC_DEF_ID_ = 'userWorkflow:X:' WHERE ID_ IS NOT
NULL AND PROC_INST_ID_ = ;
- restart Syncope

But it seems something is still missing because updating the user does seem to
use the new workflow...
Is there another table to update?


Regards
Lionel


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 3.0.5

2023-10-02 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.5

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope305

Upgrading from 3.0.4? There are some notes about this process:
https://s.apache.org/3pjc8

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: [ANN] Apache Syncope 3.0.4

2023-08-18 Thread Francesco Chicchiriccò

The table

TicketExpiration

was renamed to

TicketExpirationPolicy

to follow the convention of all other policies.

Thanks for reporting.
Regards.

On 17/08/23 15:27, Lionel SCHWARZ wrote:

Dear all,

After upgrading my Syncope 3.0.3 setup (Maven, MariaDB) to 3.0.4, it does not 
start anymore, something seems to be wrong in the database:

java.sql.SQLException: Table "OIDCRPClientApp" has a foreign key to table 
"TicketExpiration" that has not been generated.  You must run the schema generator on all 
inter-related tables at once.

I also have seen the same error with tables "Realm" and "SAML2SPClientApp"... 
Is there anything more to do than what is described at https://s.apache.org/a0bl5 ?

Best regards
Lionel

- On 10 Jul 23, at 13:45, Francesco Chicchiriccò ilgro...@apache.org wrote:


The Apache Syncope team is pleased to announce the release of Syncope 3.0.4

Apache Syncope is an Open Source system for managing digital identities in
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning,
reconciliation and reporting needs (as with earlier releases), access
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope304

Upgrading from 3.0.3? There are some notes about this process:
https://s.apache.org/a0bl5

We welcome your help and feedback. For more information on how to report
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 3.0.4

2023-07-10 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.4

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope304

Upgrading from 3.0.3? There are some notes about this process:
https://s.apache.org/a0bl5

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



[ANN] Apache Syncope 2.1.14

2023-05-08 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.1.14

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope2114

Upgrading from 2.1.13? There are some notes about this process:
https://s.apache.org/uhxpz

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



[ANN] Apache Syncope 3.0.3

2023-05-08 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.3

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope303

Upgrading from 3.0.2? There are some notes about this process:
https://s.apache.org/fto4b

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: Emails with attachments

2023-05-05 Thread Francesco Chicchiriccò

On 02/05/23 12:01, Timo Weber wrote:


Hi,

this is about sending emails with templates.

Right now there does not seem to exist a default way to send an email with 
attachments.

What would be the best way to achieve this? I found the class 
DefaultNotificationJobDelegate where the MimeMessage is composed and where you 
could add an attachment. But I guess it's not so easy to configure the 
attachments in the template and propagate it all the way to this class.

So I thought about extending the DefaultNotificationJobDelegate and more or 
less hard coding the attachments when creating the message. Can I just have my 
own ProvisioningContext and have the method notificationJobDelegate(...)  
return my extended class? Or is there a better way?


Hi Timo,
at least for time being, providing your own extension of 
DefaultNotificationJobDelegate which takes care of attachments is possibly the 
best solution.

All you need is, in your own Maven project sources, to:

1. provide MyNotificationJobDelegate extends DefaultNotificationJobDelegate
2. create and setup a new configuration class by following [1]

HTH
Regards.

[1] 
https://syncope.apache.org/docs/3.0/reference-guide.html#extending-configuration

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Issue with synchronizing group membership from Syncope to LDAP

2023-04-07 Thread Francesco Chicchiriccò

Hi,
resurrecting this old thread to communicate that the requested feature is 
planned for Syncope 3.0.3:

https://issues.apache.org/jira/browse/SYNCOPE-1748

Regards.

On 20/01/22 12:54, Francesco Chicchiriccò wrote:

Ah, here is why:

https://github.com/apache/syncope/blob/2_1_X/ext/scimv2/scim-rest-cxf/src/main/java/org/apache/syncope/ext/scimv2/cxf/service/GroupServiceImpl.java#L95

It seems the PATCH method was left intentionally not implemented.
As always, PRs welcome :-)

Regards.

On 20/01/22 12:49, fab...@fabln.ovh wrote:

I'm afraid no, can't see anything in other logs (regarding PATCH)

On 2022-01-20 11:37, Francesco Chicchiriccò wrote:

On 20/01/22 12:36, fab...@fabln.ovh wrote:

hi Francesco,
It looks that the PATCH is not generating any logs 
(/var/log/apache-syncope/core.log don't show anything when I am using PATCH 
(via Curl or AAD)).

Is this not supported somehow ? Or is there any parameter to modify ?


Nothing in other Core log files, as core-rest.log, for example?


On 2022-01-20 06:56, Francesco Chicchiriccò wrote:

On 19/01/22 16:07, fab...@fabln.ovh wrote:

Hi Francesco,
Yes, doing those 2 steps separately works. Which also works is to run a USER 
Reconciliation, after this, any change to the group memberships (in the Syncope 
Interface) is populated to LDAP.
I have a last question: I am now testing the SCIM from Azure AD (ultimately I 
need to populate users/groups to LDAP from AAD (via SCIM to Syncope)).
Users and groups are created fine, but no memberships. I saw in the Syncope 
logs that AAD seems to create users and groups, and then to try to PATCH the 
group to add the members, and I see a 501 error:

"PATCH /syncope/scim/v2/Groups/c4a04619-1b3e-41b9-a046-191b3e11b97f HTTP/1.1" 
501 -


When I try to reproduce this and PATCH with curl, I also get a similar error.

For example, trying to remove a member fails:
{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{
        "op": "Remove",
        "path": "members",
        "value": [{
            "$ref": null,
            "value": "1519e2f5-eadb-4216-99e2-f5eadb52163d"
        }]
    }]
}


Is there any parameter to set up in Syncope ? Sorry I could not find any 
documentation going through this process.


Honestly, I don't remember many real-case usages of the SCIM 2.0
extension, hence it is likely that the operation above is actually
hitting some part of the code which was not thoroughly tested.

Could you please report as well the stacktrace you see in Syncope Core
logs when performing the operation above?

Regards.


On 2022-01-18 13:59, Francesco Chicchiriccò wrote:

On 14/01/22 13:54, fab...@fabln.ovh wrote:

Thanks Francesco.
Please find more  explanations:


Let me recap the flow:
1. users are created in Syncope  (how? via SCIM?), with the LDAP resource 
assigned


 I created the users here manually in Syncope (REALMs / Users)
For example:
local_user1
Auxiliary Classes: BaseGroup
Groups: none at this stage
surname: local_user5
external resources: my_resource_LDAP

I also tested created the users via SCIM, and then doing a "reconciliation" in 
the LDAP resource, that also works (users are added in LDAP).

after this step, the user local_user1 is synchronized and created in LDAP


2. group is created in Syncope via SCIM, with 2 members
first question: can you see the group membership in Syncope, for the 2 users 
created at step 1?


Yes, going to Realms / Group / local_user20, clicking on "members" /User, I can 
see the 2 members.




3. the Push Task is run

second question: is the Push Task configured for both users and groups?

yes



4. you can see both users and group on LDAP, but no members for the group

correct, at least initially (when users and groups are created)


5. you edit the 2 users in Syncope by adding group membership

yes


6. the Push Task is run again, with expected result

yes



I just realized something actually:
- I create users
- synchronize those users in LDAP
- I create a group with members
- synchronize this group in LDAP, the group is created in LDAP but no members 
are in it
- in Syncope, I then run a USER "reconciliation" in the LDAP resource, then the 
members are synchronized in the GROUP in LDAP.


Is this actually the way to do ?


The simplest way to accomplish what I think is your goal is:

1. create group and assign the LDAP resource to it
2. create user(s) with membership of such group

If you perform such two steps from Syncope Console (or via REST
through standard endpoints), and the LDAP resource is configured
correctly, you get the expected result: users in LDAP, group in LDAP,
with members set.

This works because by default Syncope works with what we call
"implicit provisioning": when you assign a Resource to a Group, the
Group itself and all members will be propagated to th

Re: Getting 404 when following the guides in syncope 3.x

2023-04-02 Thread Francesco Chicchiriccò

Hi,
please see my replies inline.

Regards.

On 01/04/23 01:58, alx wrote:


Hi everyone,

I am currently trying to deploy Syncope 3.x on a server to evaluate if it fits 
our needs. Unfortunately, following the getting started guide and then the 
reference guide, I am not able to get Syncope to work on the Tomcat 10 on the 
server. Whenever I try to access any Syncope service via 
http://host:8080/syncope(...) I am getting a 404 error.


If you look carefully at the getting started guide, you might notice that 
Tomcat 10.x is not supported, but Tomcat 9.x is:

https://syncope.apache.org/docs/3.0/getting-started.html#java-ee-container

Changing the Tomcat version might be enough to fix your issue.


Except for the Swagger service where I am getting a 404 some json not found. 
All of my custom apps and Tomcat's own services are reachable and working so I 
would assume the Tomcat is set up correctly. The logs do not indicate any 
errors. I built the Syncope wars via Maven, following the getting started 
guide. I then edited the *.properties according to the reference guide. If 
deployed anywhere other than localhost does the discover url in the properties 
have to be http://host:8080 or localhost:8080? In any case I tried setting it to 
both and I am still getting a 404 error. Anyone got any hints on how to proceed?


If your purpose is just evaluation, I'd rather go with Standalone Distribution:

https://syncope.apache.org/docs/3.0/getting-started.html#standalone

which comes pre-configured with a whole set of components and test data you can 
freely play with.

Naturally, in case your evaluation is going positive, I'd recommend to switch 
to Docker images or to generate an empty Maven project to customize.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


TAC supporting Berlin Buzzwords

2023-03-24 Thread Francesco Chicchiriccò

Hi All,

The ASF Travel Assistance Committee is supporting taking up to six (6) people
to attend Berlin Buzzwords in June this year.

This includes Conference passes, and travel & accommodation as needed.

Please see our website at https://tac.apache.org for more information and how 
to apply.

Applications close on 15th April.

Good luck to those that apply.

Gavin McDonald (VP TAC)

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: pull task only for a specific anyType

2023-02-27 Thread Francesco Chicchiriccò

On 24/02/23 17:35, Lionel SCHWARZ wrote:

- On 24 Feb 23, at 15:55, Lionel SCHWARZ lionel.schw...@in2p3.fr wrote:


- On 20 Feb 23, at 10:55, Francesco Chicchiriccò ilgro...@apache.org wrote:

Propagation works smoothly but during pull, I get the following error:

org.apache.syncope.core.provisioning.java.pushpull.InboundMatcher - Could not
match {Uid=Attribute: {Name=__UID__, Value=[1288]}, ObjectClass=ObjectClass:
IDMSERVICE, DeltaType=CREATE_OR_UPDATE, Token=SyncToken: ,
Object={Uid=Attribute: {Name=__UID__, Value=[1288]}, ObjectClass=ObjectClass:
IDMSERVICE, Attributes=[Attribute: {Name=__NAME__, Value=[idnum_service]},
Attribute: {Name=__UID__, Value=[1288]}], Name=Attribute: {Name=__NAME__,
Value=[idnum_service]}}, PreviousUid=null} with any existing SERVICE
java.lang.NullPointerException: null
    at org.apache.syncope.core.provisioning.api.jexl.JexlUtils.addFieldsToContext(JexlUtils.java:124) ~[syncope-core-provisioning-api-3.0.1.jar:3.0.1]
    at org.apache.syncope.core.provisioning.java.data.JEXLItemTransformerImpl.lambda$beforePull$1(JEXLItemTransformerImpl.java:179) ~[syncope-core-provisioning-java-3.0.1.jar:3.0.1]
    at java.lang.Iterable.forEach(Iterable.java:75) ~[?:?]
    at org.apache.syncope.core.provisioning.java.data.JEXLItemTransformerImpl.beforePull(JEXLItemTransformerImpl.java:176) ~[syncope-core-provisioning-java-3.0.1.jar:3.0.1]
    at org.apache.syncope.core.provisioning.java.pushpull.InboundMatcher.matchByConnObjectKeyValue(InboundMatcher.java:230) ~[syncope-core-provisioning-java-3.0.1.jar:3.0.1]
    at org.apache.syncope.core.provisioning.java.pushpull.InboundMatcher.match(InboundMatcher.java:420) ~[syncope-core-provisioning-java-3.0.1.jar:3.0.1]

Looking at the code, I see that "null" is sent as an argument here:
https://github.com/apache/syncope/blob/syncope-3.0.1/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/pushpull/InboundMatcher.java#L232
which seems to lead to the NPE


Nice spot, Lionel!

Fixed by:

https://github.com/apache/syncope/commit/71fa807fc666d2b5c9291ad6c2ea9386000a9cb4

The fix will be released with Syncope 3.0.3.

Meanwhile you should be able to backport it by copying the class

https://github.com/apache/syncope/blob/3_0_X/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/jexl/JexlUtils.java

into your local Maven project.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 3.0.2

2023-02-20 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.2

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope302

Upgrading from 3.0.1? There are some notes about this process:
https://s.apache.org/ool4w

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: pull task only for a specific anyType

2023-02-20 Thread Francesco Chicchiriccò

On 16/02/23 17:56, Lionel SCHWARZ wrote:

Dear all,

On my 3.0.1 syncope instance, I have defined a resource with 2 anyTypes 
(objectclasses). I'm trying to setup a pull task which would run only on 1 of 
these 2 anyTypes.

I feel I have 2 solutions:
1. run a "filtered reconciliation" with my own ReconFilterBuilder implementation
2. rather use 2 different resources, one for each anyType

Did I miss something more simple to do that?


Hi Lionel,
the simplest way to achieve your goal is definitely (2).

(1) would be a way to filter which instances, for all object classes defined, 
shall be returned by pull so I don't think it applies.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Helm chart Syncope 3.0.1

2023-02-13 Thread Francesco Chicchiriccò

Hi Michele,
see my replies embedded below.

Regards.

On 13/02/23 12:19, Michele Andreoli wrote:

Hi,
I have 2 questions about Syncope 3 and Kubernetes:

 1. Where can I find an updated version of the Helm chart of Syncope 3? In the links reported 
in the Syncope documentation I found these old files on github: syncope-3.0.1 
<https://github.com/apache/syncope/tree/syncope-3.0.1/docker/src/main/resources/kubernetes/syncope> 
and main 
<https://github.com/apache/syncope/tree/master/docker/src/main/resources/kubernetes> 
(updated about 5 years ago)


Nope, it seems not many people are using Syncope 3 with Kubernetes.


 2. Are there Syncope 3 images for Kubernetes that run without root user?


We currently build and publish to DockerHub our Docker images starting from 
Docker files [1][2][3][4][5].
There is nothing there to allow running as non-root, but I don't believe it 
should be difficult to adapt, at least according to [6] (not sure if there are 
best practices around).

Anyway, for both items, contributions are welcome ;-)

[1] https://github.com/apache/syncope/blob/3_0_X/docker/core/src/main/resources/Dockerfile
[2] https://github.com/apache/syncope/blob/3_0_X/docker/console/src/main/resources/Dockerfile
[3] https://github.com/apache/syncope/blob/3_0_X/docker/enduser/src/main/resources/Dockerfile
[4] https://github.com/apache/syncope/blob/3_0_X/docker/sra/src/main/resources/Dockerfile
[5] https://github.com/apache/syncope/blob/3_0_X/docker/wa/src/main/resources/Dockerfile
[6] https://stackoverflow.com/questions/72562483/is-it-safe-to-run-openjdk-images-like-eclipse-temurin-as-root

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: setting parameters by REST in 3.0.0 ?

2023-02-07 Thread Francesco Chicchiriccò

On 03/02/23 11:49, Lionel SCHWARZ wrote:

- On 18 Nov 22, at 11:44, Francesco Chicchiriccò ilgro...@apache.org wrote:


Please note anyway that the preferred way to deal with configuration parameters
from within Java code running inside a Syncope component is via the
ConfParamOps interface [3].

Hi Francesco,

I would like to use ConfParamOps to read configuration parameters from within a 
LogicActions implementation. Do you have an example how to use it?


Hi,
it should be to declare

@Autowired
private ConfParamOps confParamOps;

in your LogicActions implementation.

HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Console error with 3.0.0 and 3.0.1

2023-01-16 Thread Francesco Chicchiriccò

On 16/01/23 16:30, Lionel SCHWARZ wrote:

Dear all,

After upgrading my Syncope-3.0.0-M2 project (maven-built, deployed on Tomcat9) 
to 3.0.1, access to the console fails with a 500 ERROR
"java.lang.NoClassDefFoundError: Could not initialize class 
org.apache.wicket.proxy.LazyInitProxyFactory"

The same happens with Syncope-3.0.0 but the console works fine with 
Syncope-3.0.0-M2.

Has anyone an idea what is wrong? I could not find what class is missing in the 
logs


Hi,
this is happening because you did generate your project before Syncope 3.0.0.

Anyway, you just need to add

-Dwicket.ioc.useByteBuddy=true

to Tomcat env.

See https://issues.apache.org/jira/browse/SYNCOPE-1707 for more details.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 3.0.1

2023-01-16 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.0

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope301

Upgrading from 3.0.0? There are some notes about this process:
https://s.apache.org/i629t

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: role with "dynMembershipCond"

2022-12-20 Thread Francesco Chicchiriccò

On 13/12/22 16:55, Lionel SCHWARZ wrote:

- On 13 Dec 22, at 16:13, Francesco Chicchiriccò ilgro...@apache.org wrote:


On 09/12/22 15:52, Lionel SCHWARZ wrote:

Dear all,

Could someone explain to me how dynRoles works? Because I found something strange
and am not sure if I missed something or not...

I have created a role with "dynMembershipCond" based on users having a certain
relationship. This works fine as after creating the role, all users that have
this relationship got the role in "dynRoles".

However, when I then create a new user with such a relationship, it does not get
the role (and if I then update the role, the new user gets it!)

Is there anything more I need to do at creation, or something I misconfigured?

Hi Lionel,
dynamic (group or role) membership is a weird feature, as it basically saves the
results of a user query (e.g. the dynamic membership condition) every time that
either the group / role or user are saved.
Unfortunately, it has proven to perform decently only with small numbers.

Every time a user gets saved, all existing Roles with dynamic conditions are
considered to see if the user is matching so that the saved query results are
updated.
Similarly, when groups or roles with dynamic conditions are saved, a query for
all users matching the condition is run, again to update the saved query
results.

The case you are describing above might be possibly not working because of the
condition based on a "dependent" element as a relationship, so the matching
process is failing in first place (e.g. when the user is created) but is
succeeding later (e.g. when the role is updated).

You might want to try using a different condition, based on a user attribute, to
see if that works for new users as well.

Thanks Francesco for your answer.
What do you mean by "small numbers"? Should I forget about dynamic roles for a 
database of 5K users for example?


The number that counts much in your case is the number of roles with dynamic 
membership condition.

I'd suggest anyway to execute some performance tests to understand if the 
feature is actually fit for your use case.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: role with "dynMembershipCond"

2022-12-13 Thread Francesco Chicchiriccò

On 09/12/22 15:52, Lionel SCHWARZ wrote:

Dear all,

Could someone explain to me how dynRoles works? Because I found something strange 
and am not sure if I missed something or not...

I have created a role with "dynMembershipCond" based on users having a certain 
relationship. This works fine as after creating the role, all users that have this relationship got 
the role in "dynRoles".

However, when I then create a new user with such a relationship, it does not 
get the role (and if I then update the role, the new user gets it!)

Is there anything more I need to do at creation, or something I misconfigured?


Hi Lionel,
dynamic (group or role) membership is a weird feature, as it basically saves 
the results of a user query (e.g. the dynamic membership condition) every time 
that either the group / role or user are saved.
Unfortunately, it has proven to perform decently only with small numbers.

Every time a user gets saved, all existing Roles with dynamic conditions are 
considered to see if the user is matching so that the saved query results are 
updated.
Similarly, when groups or roles with dynamic conditions are saved, a query for 
all users matching the condition is run, again to update the saved query 
results.

The case you are describing above might be possibly not working because of the condition 
based on a "dependent" element as a relationship, so the matching process is 
failing in first place (e.g. when the user is created) but is succeeding later (e.g. when 
the role is updated).

You might want to try using a different condition, based on a user attribute, 
to see if that works for new users as well.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 2.1.13

2022-12-12 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.1.13

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope2113

Upgrading from 2.1.12? There are some notes about this process:
https://s.apache.org/18gy2

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: Bearer authentication for SCIM v2 extension endpoints?

2022-12-09 Thread Francesco Chicchiriccò

On 09/12/22 11:40, Philipp Trenz wrote:

Dear Syncope community,

I’m searching for a solution to provision users from Azure AD into a local 
Windows AD. Syncope looks very promising for this use case and I’m about to 
set up a Proof of Concept. For configuring Azure AD against the SCIMv2 
extension, a static bearer authentication token is required. The default 
authentication method for the SCIM endpoints seems to be JWT, though.

TL;DR: How can I configure a static Bearer token for authentication against the 
SCIM v2 extension?


Hi Philipp,
glad of your interest in Apache Syncope.

The authentication configuration for all REST endpoints exposed by Core is 
defined by [1] so, in case you really want to dig into this topic or override 
some bean definition(s) into your project, that is definitely the starting 
point.

I am reading from [2] that Azure AD is using an OAuth 2.0 bearer token, which 
should still be in JWT format.
If this is the case, my suggestion is to add to your project an implementation 
of JWTSSOProvider [3].

The purpose of a JWTSSOProvider is to:

1. validate the provided "Authorization: Bearer" value, in the verify() method
2. resolve the extracted claims into an internal Syncope User, in the resolve() 
method

You can look at a sample implementation [4] or the one that is actually in use 
by default [5].

The typical use case for additional JWTSSOProvider implementations is to allow 
to use JWT values not generated by Syncope itself to authorize access to 
Syncope REST endpoints.

HTH
Regards.

[1] https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java
[2] https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#handling-endpoint-authentication
[3] https://syncope.apache.org/docs/3.0/reference-guide.html#jwtssoprovider
[4] https://github.com/apache/syncope/blob/master/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java
[5] https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
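
The two steps named in the reply above (validate the "Authorization: Bearer" value, then resolve the claims into an internal user), as an added Python sketch that is not part of the original message and does not use Syncope's JWTSSOProvider API. Assumptions: an HS256 token with a shared secret, and a constructed issuer URL, secret, user map and function names.

```python
import base64
import hashlib
import hmac
import json
import time

# Everything below is constructed for this sketch; none of it is Syncope's API.
EXPECTED_ISSUER = "https://issuer.example.test/"   # hypothetical token issuer
SHARED_SECRET = b"constructed-demo-secret"         # hypothetical HS256 key
KNOWN_USERS = {"ext-subject-0001": "alice"}        # external subject -> internal user


class InvalidToken(Exception):
    """The presented credential must be rejected."""


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue(claims, secret=SHARED_SECRET, alg="HS256"):
    """Stand-in for the external issuer, used only to build demo tokens."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signature = sign(f"{head}.{body}", secret) if alg == "HS256" else b""
    return f"{head}.{body}.{b64url_encode(signature)}"


def verify(authorization_header, now=None):
    """Step 1: validate the "Authorization: Bearer" value, return its claims."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise InvalidToken("not a Bearer credential")
    parts = token.strip().split(".")
    if len(parts) != 3:
        # An opaque static token ends up here: there is nothing to verify.
        raise InvalidToken("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
        expected = sign(f"{parts[0]}.{parts[1]}", SHARED_SECRET)
    except ValueError as exc:  # bad base64, bad JSON, non-ASCII input
        raise InvalidToken("malformed segment") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed segment")
    # Pin the algorithm on the verifier side; a token announcing "none" fails here.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise InvalidToken("unexpected issuer")
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        raise InvalidToken("expired or missing exp")
    return claims


def resolve(claims):
    """Step 2: map verified claims onto an internal user."""
    subject = claims.get("sub")
    username = KNOWN_USERS.get(subject) if isinstance(subject, str) else None
    if username is None:
        raise InvalidToken("no internal user for subject")
    return username


def authenticate(authorization_header, now=None):
    return resolve(verify(authorization_header, now))


def rejection_reason(authorization_header, now=None):
    """Return why a header is rejected, or None when it is accepted."""
    try:
        authenticate(authorization_header, now)
    except InvalidToken as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    token = issue({"iss": EXPECTED_ISSUER, "sub": "ext-subject-0001", "exp": now + 300})
    print(authenticate("Bearer " + token, now))
    print(rejection_reason("Bearer some-static-token", now))
```

A token signed with an asymmetric algorithm would need the issuer's public key and a JOSE library in place of the HMAC check; the order of checks stays the same.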


Re: setting parameters by REST in 3.0.0 ?

2022-11-18 Thread Francesco Chicchiriccò

On 18/11/22 10:25, Lionel SCHWARZ wrote:

Hi List,

Does anyone know which 3.0.0 REST endpoint has replaced the 2.1 /configuration 
endpoint?

Hi Lionel,
as you can read from [1], in Syncope 3.0 the new component Keymaster is used 
for:

1. dynamic service discovery
2. key / value store for configuration parameters
3. directory for defined domains

(2) seems to be what you are looking for.

In [1] it is also reported that Keymaster comes in two flavors: additional REST 
services for Core, or Zookeeper.

Assuming you are with the former option, the WADL description for such additional 
services is available under

/syncope/rest/keymaster?_wadl

See [2] for reference.

Please note anyway that the preferred way to deal with configuration parameters 
from within Java code running inside a Syncope component is via the 
ConfParamOps interface [3].

HTH
Regards.

[1] https://syncope.apache.org/docs/3.0/reference-guide.html#keymaster
[2] https://syncope-vm.apache.org/syncope/rest/keymaster?_wadl
[3] https://syncope.apache.org/apidocs/3.0/org/apache/syncope/common/keymaster/client/api/ConfParamOps.html

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 3.0.0

2022-11-14 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.0

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope300

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: Docker restore from mastercontent.xml

2022-10-31 Thread Francesco Chicchiriccò

Hi Christopher,
I am afraid the issue is confirmed, only when running via Docker:

https://issues.apache.org/jira/browse/SYNCOPE-1707

Regards.

On 28/10/22 17:32, Christopher Brown wrote:

Thanks, that worked. However, with M1, when I try to create a Plain 
schema entry in the console, nothing happens. The logs show the following error:

 2022-10-28 14:42:23.495 ERROR [IO-1 task-6] io.undertow.request : UT005023: Exception handling request to /syncope-console/wicket/bookmarkable/org.apache.syncope.client.console.pages.Types

java.lang.NoClassDefFoundError: Could not initialize class net.sf.cglib.proxy.Enhancer
      at org.apache.wicket.proxy.cglib.CglibProxyFactory.createProxy(CglibProxyFactory.java:72)

On Fri, Oct 14, 2022 at 9:41 AM Samuel Garofalo wrote:

Hello Christopher,

using version 3 of Apache Syncope you can mount a volume containing your 
MasterContent.xml file in the Syncope core image in the docker-compose.yml in 
this way:

volumes:
   - "/opt/syncope/conf/domains:/opt/syncope/conf/domains"

With this configuration you have to add your MasterContent.xml under the 
/opt/syncope/conf/domains directory.

Here are some examples of docker-compose [1].


[1] https://syncope.apache.org/docs/3.0/getting-started.html#docker-compose-samples


Best regards,

Samuel Garofalo

On 14/10/22 15:20, Christopher Brown wrote:

Hi,

Is there a way to restore configuration when deploying via Docker using the 
mastercontent.xml file? I don't see the directories noted in the documentation. 
[1] Thanks!


[1] - https://syncope.apache.org/docs/reference-guide.html#import



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


[ANN] Apache Syncope 3.0.0-M2

2022-10-31 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.0-M2

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope300M2

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: [ANN] Apache Syncope 3.0.0-M1

2022-10-18 Thread Francesco Chicchiriccò

Hi Lionel,
I'd rather start things again on 3.0.0-M1 now: when compared to 2.1, besides 
new features and components, it brings anyway several new deployment options 
(JDK 17, Spring Boot, ...) which would make your deployment more maintainable 
in the future.

Regards.

On 17/10/22 16:58, Lionel SCHWARZ wrote:

Dear Syncope team,

Considering we have started implementing our IDM solution with Syncope 2.1, but 
nothing is in production yet (we plan to release a first version by the end of 
the year), would you advise us to:
- re-implement with Syncope 3.0.0-M1 now
- keep on with Syncope 2.1 and move to 3.0.0 later

Cheers
Lionel

- On 17 Oct 22, at 9:36, Francesco Chicchiriccò ilgro...@apache.org wrote:


The Apache Syncope team is pleased to announce the release of Syncope 3.0.0-M1

Apache Syncope is an Open Source system for managing digital identities in
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning,
reconciliation and reporting needs (as with earlier releases), access
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope300M1

We welcome your help and feedback. For more information on how to report
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 3.0.0-M1

2022-10-17 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.0-M1

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope300M1

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: AD Group Sync error

2022-10-13 Thread Francesco Chicchiriccò

Hi Ashley,
so you are failing to propagate Syncope group memberships to AD?

e.g. if User U is member of group G in Syncope, let the U counterpart of AD be 
part of the G counterpart on AD?

If so, please ensure that:

1. your AD resource is configured for both users and groups

2. you have configured the LDAPMembershipPropagationActions for the AD resource

(both things are considered in the blog post I've shared below)

Additionally, ensure to connect to AD via LDAPS (port 636), otherwise some 
features might not be working (for example, you will be creating disabled 
users).

HTH
Regards.

On 11/10/22 11:17, Ashley Day wrote:

Hi

I've attached a bunch of pictures of the configuration for the AD connector and 
the mappings for users and groups. Wonder if you can see anything wrong here?

Kind regards,
Ashley.

On Thu, Oct 6, 2022 at 4:49 PM Ashley Day wrote:

Hi Francesco

Do you know if Syncope has any sync issues with Server 2019? I'm still 
scratching my head at what could be causing the Group membership not to sync 
correctly.

I am running Syncope 2.1.11 if that helps?

Kind regards,
Ashley.

On Wed, Oct 5, 2022 at 10:58 AM Francesco Chicchiriccò wrote:

On 05/10/22 11:50, Ashley Day wrote:


Good Morning

I am trying to use Apache Syncope as a front end management tool for 
active directory so that people can self-provision themselves into groups they 
require, with authorisation from a team leader. Currently during my testing I am 
having difficulty with the group syncing from Syncope -> Active Directory. I’ll 
put some bullet points below on what is working and the issue I am receiving;

  * AD user sync into Syncope. Works.
  * AD group sync into Syncope. Works
  * AD Group membership into Syncope. Works
  * Syncope created User sync into AD. Works (Although user is disabled)
  * Syncope created group sync into AD. Works
  * Add Group membership in Syncope sync into AD. Failure.

I imagine it has something to do with the attribute mapping, or I am 
not putting the correct task in, but I was wondering if you had any advice on 
how I might be able to get this sorted, as the Syncope Group syncing into AD is 
the main reason I would like to use Syncope.



Hi Ashley,

glad of your interest in Apache Syncope.


Have you already had a look at

https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory

?


Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: AD Group Sync error

2022-10-05 Thread Francesco Chicchiriccò

On 05/10/22 11:50, Ashley Day wrote:


Good Morning

I am trying to use Apache Syncope as a front end management tool for active 
directory so that people can self-provision themselves into groups they require, 
with authorisation from a team leader. Currently during my testing I am having 
difficulty with the group syncing from Syncope -> Active Directory. I’ll put 
some bullet points below on what is working and the issue I am receiving;

  * AD user sync into Syncope. Works.
  * AD group sync into Syncope. Works
  * AD Group membership into Syncope. Works
  * Syncope created User sync into AD. Works (Although user is disabled)
  * Syncope created group sync into AD. Works
  * Add Group membership in Syncope sync into AD. Failure.

I imagine it has something to do with the attribute mapping, or I am not 
putting the correct task in, but I was wondering if you had any advice on how I 
might be able to get this sorted, as the Syncope Group syncing into AD is the 
main reason I would like to use Syncope.



Hi Ashley,

glad of your interest in Apache Syncope.


Have you already had a look at

https://www.tirasa.net/en/blog/syncope-basics-manage-active-directory

?


Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


[ANN] Apache Syncope 3.0.0-M0

2022-08-08 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.0-M0

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope300M0

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



[ANN] Apache Syncope 2.1.12

2022-08-08 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.1.12

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope2112

Upgrading from 2.1.11? There are some notes about this process:
https://s.apache.org/he0xc

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team




Re: Locating log files

2022-06-22 Thread Francesco Chicchiriccò

On 21/06/22 16:51, Lionel SCHWARZ wrote:

Dear all,

I feel a bit shameful, I cannot find any log files in my Syncope setup.
I have created a Syncope project with Maven archetype, then built with Maven, 
and then copied war in Tomcat9.
The application works fine, and I can watch logs in the console, but am unable 
to find an 'core.log' on the machine...

I tried also to build with 'mvn -Dlog.directory=/tmp' but found nothing in 
/tmp...

What did I miss?


Hi Lionel,
it seems you've missed the notice [1] which invites you to head to the Reference Guide 
"to understand how to configure, extend, customize and *deploy* your new Apache 
Syncope project".

In particular, the explanation about Deployment Directories [2] and following 
instructions about how to build your project for deployment, e.g.

mvn clean verify \
   -Dconf.directory=/opt/syncope/conf \
   -Dbundles.directory=/opt/syncope/bundles \
   -Dlog.directory=/opt/syncope/log

The WAR files generated by this command are configured differently than the 
ones built for embedded mode [3].

Hope this helps.
Regards.

[1] https://nightlies.apache.org/syncope/2_1_X/getting-started.html#moving-forward
[2] https://syncope.apache.org/docs/reference-guide.html#deployment-directories
[3] https://nightlies.apache.org/syncope/2_1_X/getting-started.html#embedded-mode

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Syncope - FreeIPA module

2022-06-07 Thread Francesco Chicchiriccò

On 06/06/22 18:33, Mike Mercier wrote:

Hello,

I came across a FreeIPA connid bundle for Syncope here:

https://github.com/Tirasa/ConnIdFreeIPABundle

I was wondering if anyone is still maintaining this module, or if there was 
ever a release?  I've compiled it with Maven and have attempted to use it with 
seemingly no success.


Hi Mike,
AFAICT the last effective commit [1] was about 8 years ago, hence I don't 
believe it could work with recent Syncope versions without some work. Also, 
there are no releases [2].

I remember the idea behind such connector was to manipulate the underlying LDAP 
data, rather than directly invoking FreeIPA services.

It seems there has not been much interest lately; nevertheless, contributions 
are welcome, as always.
In case, reach out to the ConnId user group [3].

Regards.

[1] 
https://github.com/Tirasa/ConnIdFreeIPABundle/commit/16641c2eafe6fec31161517aaf0c1b57ce29bc3c
[2] https://github.com/Tirasa/ConnIdFreeIPABundle/releases
[3] https://groups.google.com/forum/?fromgroups#!forum/connid-users

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: User certification on Syncope 2.1.x

2022-05-12 Thread Francesco Chicchiriccò

On 12/05/22 09:46, Davide Ceravolo wrote:


Hi Francesco,

The use case is as follows, I would need cyclically to be able to run a flow 
where the various supervisors can tell whether the account is in use or not at 
the end of which it generates a report.


With such requirements, I would base the implementation on Request Management 
[1].

Essentially, you can define a BPMN flow with multi-level approval where you can 
add Java Tasks fetching data from Syncope internal storage and attached 
Resources.
(I know this sounds quite generic, but actual implementation is really 
dependent on details).

Hope this gives initial food for thoughts.
Regards.

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#request-management


*From:* Francesco Chicchiriccò 
*Sent:* Thursday, 12 May 2022 09:12
*To:* user@syncope.apache.org
*Subject:* Re: User certification on Syncope 2.1.x

On 12/05/22 08:52, Davide Ceravolo wrote:

Good morning,

The latest version that implements account certification is 2.0.16, in the 
2.1.x versions it is not present.
Is there an implementation planned?

Hi Davide,
we decided to drop the former implementation because it seemed too naive 
and difficult to adapt to real use cases.

In 2.1 (and upcoming 3.0) however, we have several additional tools to leverage 
in order to produce certification information: can you explain what would be 
your needs?

Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: User certification on Syncope 2.1.x

2022-05-12 Thread Francesco Chicchiriccò

On 12/05/22 08:52, Davide Ceravolo wrote:


Good morning,

The latest version that implements account certification is 2.0.16, in the 
2.1.x versions it is not present.
Is there an implementation planned?


Hi Davide,
we decided to drop the former implementation because it seemed too naive 
and difficult to adapt to real use cases.

In 2.1 (and upcoming 3.0) however, we have several additional tools to leverage 
in order to produce certification information: can you explain what would be 
your needs?

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Using Syncope REST endpoints with a OIDC authorizationCode

2022-03-25 Thread Francesco Chicchiriccò

On 25/03/22 18:06, Lionel SCHWARZ wrote:

Dear all,

Considering I have enabled the OIDC extension and properly configured my OIDC 
provider (keycloak), and considering I am able to retrieve from this provider 
an AuthorizationCode, how is it possible for me to use the REST endpoints using 
this authorization code?


Hi Lionel,
the OpenID Connect client extension [1] is designed to work for UI (Console, 
Enduser), not for REST endpoints.

In fact, the extension adds some components that from one side implement the 
OIDC protocol communications in the UI itself, while using existing Syncope 
constructs and components on the other side.
The overall OIDC client authentication process initiated by Syncope Console or 
Enduser ends up into getting an ordinary Syncope JWT to authenticate REST calls 
to Core.

FYI, the SAML 2.0 extension [2] works in the same way.

It is indeed possible to authenticate REST calls by passing JWT values 
different than the ones generated by Syncope itself after authentication, by 
providing JWTSSOProvider [3] implementations.

Essentially, an implementation will need to provide at least two things:

1. the JWT issuer value to match, for which the class will be invoked by Syncope

2. a means to resolve the JWT claims into an existing Syncope user

It can also do other things, like using a different signature verification.

Syncope itself is using an implementation as such for default JWT format [4].
You can also look at an example in the test code [5].

Hope this helps.
Regards.

[1] 
https://syncope.apache.org/docs/2.1/reference-guide.html#openid-connect-client
[2] 
https://syncope.apache.org/docs/2.1/reference-guide.html#saml-2-0-service-provider
[3] https://syncope.apache.org/docs/2.1/reference-guide.html#jwtssoprovider
[4] 
https://github.com/apache/syncope/blob/syncope-2.1.11/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
[5] 
https://github.com/apache/syncope/blob/syncope-2.1.11/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
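
The two duties listed in the reply above (an issuer value to match, and a way to resolve the claims into an existing user) can be modelled as issuer-keyed dispatch. This is an added example in Python, not Syncope code and not part of the original message; the `Provider` class, issuer strings, keys and user table are constructed for illustration, and HS256 is used only so that it runs with the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: local accounts (username -> e-mail).
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}


class AuthError(Exception):
    """Raised whenever a token must not be accepted."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """Build a compact HS256 JWT; used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


class Provider:
    """Hypothetical per-issuer handler: issuer to match, key, claim resolver."""

    def __init__(self, issuer, key, resolve):
        self.issuer = issuer
        self.key = key
        self.resolve = resolve  # claims dict -> local username, or None

    def verify(self, signing_input, signature):
        expected = hmac.new(self.key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def by_subject(claims):
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub in USERS else None


def by_email(claims):
    email = claims.get("email")
    return next((name for name, mail in USERS.items() if mail == email), None)


# Constructed issuers and keys: one "internal" format, one external IdP.
PROVIDERS = {p.issuer: p for p in (
    Provider("ExampleCore", b"core-demo-key", by_subject),
    Provider("https://idp.example.org/realms/demo", b"idp-demo-key", by_email),
)}


def authenticate(token, providers, now):
    """Return the local username for a valid token, else raise AuthError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise AuthError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AuthError("malformed token")
    # Pin the algorithm: never let the token choose "none" or another scheme.
    if header.get("alg") != "HS256":
        raise AuthError("unexpected algorithm")
    # "iss" is still untrusted here; it only selects whose key must validate.
    issuer = claims.get("iss")
    provider = providers.get(issuer) if isinstance(issuer, str) else None
    if provider is None:
        raise AuthError("unknown issuer")
    if not provider.verify(f"{header_b64}.{payload_b64}".encode(), signature):
        raise AuthError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthError("expired")
    # Only verified claims are mapped to a local account.
    user = provider.resolve(claims)
    if user is None:
        raise AuthError("no matching user")
    return user


def outcome(token, now):
    """Return the resolved username, or the reason the token was rejected."""
    try:
        return authenticate(token, PROVIDERS, now)
    except AuthError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is repeatable
    idp = "https://idp.example.org/realms/demo"
    ok = sign_hs256({"iss": idp, "email": "alice@example.org", "exp": now + 60},
                    b"idp-demo-key")
    forged = sign_hs256({"iss": idp, "email": "alice@example.org",
                         "exp": now + 60}, b"core-demo-key")
    print(outcome(ok, now))
    print(outcome(forged, now))
```

A token that names the external issuer but is signed with any other key is rejected before its claims are mapped to an account, which is the property the issuer match has to preserve.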



[ANN] Apache Syncope 2.1.11

2022-03-21 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.1.11

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope2111

Upgrading from 2.1.10? There are some notes about this process:
https://s.apache.org/b9qvq

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: manually trigger CREATE on the underlying connector

2022-03-10 Thread Francesco Chicchiriccò

On 10/03/22 16:39, Lionel SCHWARZ wrote:

Hi Francesco,

My understanding is that the PUSH operation does create on external resource a 
user which exists in Syncope.
What if I want to create, on external resource, a user which is not in Syncope?


(Please ensure to actually reply to ML address)

Hi Lionel,
your understanding is correct: all operations managed by Syncope are involving 
its internal storage and all the provisioning rules defined.

As provisioning manager, Syncope does not provide a way to manipulate External 
Resources without passing through its internal storage, on purpose.

Hope this clarifies.
Regards.


- On 10 Mar 22, at 16:21, Francesco Chicchiriccò ilgro...@apache.org wrote:


On 10/03/22 16:08, Lionel SCHWARZ wrote:

Dear all,

Reading the 2.1.10 reference guide, it is not clear to me if it is possible
(and how) to manually trigger a CREATE on an underlying connector, that is for
example create a new user on a defined resource.
The REST /resources/{key}/{anyTypeKey} does expose the POST operation but it
seems to be for dealing with sync tokens.
The REST /resources/{key}/{anyTypeKey}/{value} does not expose the DELETE
operation either.

Is there a way to manually create/delete on external identity stores?

Hi Lionel,
if you need to manually send or delete several users to an External Resource,
you should be defining and running a Push Task [0][1] for the purpose.

You can also send or delete a single user to an External Resource from Admin
Console or via REST by calling the

POST /reconciliation/push

endpoint.

Please notice that in order to perform actual create / update or delete
operation, you will need to appropriately select the matching / unmatching
rules, as explained in the docs.

See REST reference [2] or public demo's Swagger UI [3] for more details.

HTH
Regards.

[0] https://syncope.apache.org/docs/2.1/reference-guide.html#provisioning-push
[1] https://syncope.apache.org/docs/2.1/reference-guide.html#tasks-push
[2] https://syncope.apache.org/rest/2.1/index.html
[3] https://syncope-vm.apache.org/syncope/swagger/


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Is this a BUG in Syncope-MySQL code? was Re: "java.lang.ClassCastException: java.time.LocalDateTime cannot be cast to java.util.Date" error when upgrading MySQL and MySQL Java connector to 8.0.28

2022-02-07 Thread Francesco Chicchiriccò
tractInvoker.invoke(AbstractInvoker.java:96) 
~[cxf-core-3.2.10.jar:3.2.10]
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201) 
~[cxf-rt-frontend-jaxrs-3.2.10.jar:3.2.10]
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104) 
~[cxf-rt-frontend-jaxrs-3.2.10.jar:3.2.10]


If we downgrade the MySQL java connector back to 8.0.16, then the delete via 
Syncope Console works.

Can anyone tell me why the Syncope Console doesn't work with the 8.0.28 MySQL 
Java connector?  FYI, we are having to update both the MySQL and the Java 
connector due to a CVE/security vulnerability.

Thanks,
Jim



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: FIQL Query to get all the Users associated to a specific AnyObject

2022-02-02 Thread Francesco Chicchiriccò

On 03/02/22 05:20, Vinay Kavala wrote:

Hi Team,

We have a requirement to obtain all the users that are associated to a specific 
AnyObject. But I don't find any documentation that gives the FIQL query to 
obtain the users list as in the below scenario..

 1. I created an AnyObject called Partner
 2. I have associated 5 users in the same realm to that Partner using 
Partner_to_User relationship type
 3. Now, I am trying to get the list of users(5 users) who are associated to 
the AnyObject Partner.

Can someone please help with the FIQL query for the same..


Hi Vinay,

I realize we have not published yet any sample for such a use case in the docs 
[1] hence I am going to add a few.


1. matches all users having a Relationship established with the AnyObject instance having 
name set to "Canon MF 8030cn"


$relationships==Canon MF 8030cn

2. matches all AnyObjects of type PRINTER having a Relationship established with the 
AnyObject instance having name set to "Canon MF 8030cn"

$relationships==Canon MF 8030cn;$type==PRINTER

3. matches all users having a RelationshipType "neighborhood" established

$relationshipTypes==neighborhood


From what you are writing above, I think your use case should get covered by 
the sample (3), e.g.

$relationshipTypes==Partner_to_User


HTH

Regards.


[1] https://syncope.apache.org/docs/2.1/reference-guide.html#search

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-20 Thread Francesco Chicchiriccò

Ah, here is why:

https://github.com/apache/syncope/blob/2_1_X/ext/scimv2/scim-rest-cxf/src/main/java/org/apache/syncope/ext/scimv2/cxf/service/GroupServiceImpl.java#L95

It seems the PATCH method was left intentionally not implemented.
As always, PRs welcome :-)

Regards.

On 20/01/22 12:49, fab...@fabln.ovh wrote:

I'm afraid no, can't see anything in other logs (regarding PATCH)

On 2022-01-20 11:37, Francesco Chicchiriccò wrote:

On 20/01/22 12:36, fab...@fabln.ovh wrote:

hi Francesco,
It looks like the PATCH is not generating any logs 
(/var/log/apache-syncope/core.log doesn't show anything when I am using PATCH 
(via Curl or AAD)).

Is this not supported somehow? Or is there any parameter to modify?


Nothing in other Core log files, as core-rest.log, for example?


On 2022-01-20 06:56, Francesco Chicchiriccò wrote:

On 19/01/22 16:07, fab...@fabln.ovh wrote:

Hi Francesco,
Yes, doing those 2 steps separately works. Which also works is to run a USER 
Reconciliation, after this, any change to the group memberships (in the Syncope 
Interface) is populated to LDAP.
I have a last question: I am now testing the SCIM from Azure AD (ultimately I 
need to populate users/groups to LDAP from AAD (via SCIM to Syncope)).
Users and groups are created fine, but no memberships. I saw in the Syncope 
logs that AAD seems to create users and groups, and then to try to PATCH the 
group to add the members, and I see a 501 error:

"PATCH /syncope/scim/v2/Groups/c4a04619-1b3e-41b9-a046-191b3e11b97f HTTP/1.1" 
501 -


When I try to reproduce this and PATCH with curl, I also get a similar error.

For example, trying to remove a member fails:
{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{
        "op": "Remove",
        "path": "members",
        "value": [{
            "$ref": null,
            "value": "1519e2f5-eadb-4216-99e2-f5eadb52163d"
        }]
    }]
}


Is there any parameter to set up in Syncope ? Sorry I could not find any 
documentation going through this process.


Honestly, I don't remember many real-case usages of the SCIM 2.0
extension, hence it is likely that the operation above is actually
hitting some part of the code which was not thoroughly tested.

Could you please report as well the stacktrace you see in Syncope Core
logs when performing the operation above?

Regards.


On 2022-01-18 13:59, Francesco Chicchiriccò wrote:

On 14/01/22 13:54, fab...@fabln.ovh wrote:

Thanks Francesco.
Please find more  explanations:


Let me recap the flow:
1. users are created in Syncope  (how? via SCIM?), with the LDAP resource 
assigned


 I created the users here manually in Syncope (REALMs / Users)
For example:
local_user1
Auxiliary Classes: BaseGroup
Groups: none at this stage
surname: local_user5
external resources: my_resource_LDAP

I also tested creating the users via SCIM, and then doing a "reconciliation" in 
the LDAP resource, that also works (users are added in LDAP).

after this step, the user local_user1 is synchronized and created in LDAP


2. group is created in Syncope via SCIM, with 2 members
first question: can you see the group membership in Syncope, for the 2 users 
created at step 1?


Yes, going to Realms / Group / local_user20, clicking on "members" /User, I can 
see the 2 members.




3. the Push Task is run

second question: is the Push Task configured for both users and groups?

yes



4. you can see both users and group on LDAP, but no members for the group

correct, at least initially (when users and groups are created)


5. you edit the 2 users in Syncope by adding group membership

yes


6. the Push Task is run again, with expected result

yes



I just realized something actually:
- I create users
- synchronize those users in LDAP
- I create a group with members
- synchronize this group in LDAP, the group is created in LDAP but no members 
are in it
- in Syncope, I then run a USER "reconciliation" in the LDAP resource, then the 
members are synchronized in the GROUP in LDAP.


Is this actually the way to do ?


The simplest way to accomplish what I think is your goal is:

1. create group and assign the LDAP resource to it
2. create user(s) with membership of such group

If you perform such two steps from Syncope Console (or via REST
through standard endpoints), and the LDAP resource is configured
correctly, you get the expected result: users in LDAP, group in LDAP,
with members set.

This works because by default Syncope works with what we call
"implicit provisioning": when you assign a Resource to a Group, the
Group itself and all members will be propagated to the Resource.

One important thing to remember about implicit provisioning is that it
works by type: when you create / update / delete a User, you will get
a User propagated to the Resource; e.g. you cannot create or upda

Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-19 Thread Francesco Chicchiriccò

On 19/01/22 16:07, fab...@fabln.ovh wrote:

Hi Francesco,
Yes, doing those 2 steps separately works. Which also works is to run a USER 
Reconciliation, after this, any change to the group memberships (in the Syncope 
Interface) is populated to LDAP.
I have a last question: I am now testing the SCIM from Azure AD (ultimately I 
need to populate users/groups to LDAP from AAD (via SCIM to Syncope)).
Users and groups are created fine, but no memberships. I saw in the Syncope 
logs that AAD seems to create users and groups, and then to try to PATCH the 
group to add the members, and I see a 501 error:

"PATCH /syncope/scim/v2/Groups/c4a04619-1b3e-41b9-a046-191b3e11b97f HTTP/1.1" 
501 -


When I try to reproduce this and PATCH with curl, I also get a similar error.

For example, trying to remove a member fails:
{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{
        "op": "Remove",
        "path": "members",
        "value": [{
            "$ref": null,
            "value": "1519e2f5-eadb-4216-99e2-f5eadb52163d"
        }]
    }]
}


Is there any parameter to set up in Syncope ? Sorry I could not find any 
documentation going through this process.


Honestly, I don't remember many real-case usages of the SCIM 2.0 extension, 
hence it is likely that the operation above is actually hitting some part of 
the code which was not thoroughly tested.

Could you please report as well the stacktrace you see in Syncope Core logs 
when performing the operation above?

Regards.


On 2022-01-18 13:59, Francesco Chicchiriccò wrote:

On 14/01/22 13:54, fab...@fabln.ovh wrote:

Thanks Francesco.
Please find more  explanations:


Let me recap the flow:
1. users are created in Syncope  (how? via SCIM?), with the LDAP resource 
assigned


 I created the users here manually in Syncope (REALMs / Users)
For example:
local_user1
Auxiliary Classes: BaseGroup
Groups: none at this stage
surname: local_user5
external resources: my_resource_LDAP

I also tested creating the users via SCIM, and then doing a "reconciliation" in 
the LDAP resource, that also works (users are added in LDAP).

after this step, the user local_user1 is synchronized and created in LDAP


2. group is created in Syncope via SCIM, with 2 members
first question: can you see the group membership in Syncope, for the 2 users 
created at step 1?


Yes, going to Realms / Group / local_user20, clicking on "members" /User, I can 
see the 2 members.




3. the Push Task is run

second question: is the Push Task configured for both users and groups?

yes



4. you can see both users and group on LDAP, but no members for the group

correct, at least initially (when users and groups are created)


5. you edit the 2 users in Syncope by adding group membership

yes


6. the Push Task is run again, with expected result

yes



I just realized something actually:
- I create users
- synchronize those users in LDAP
- I create a group with members
- synchronize this group in LDAP, the group is created in LDAP but no members 
are in it
- in Syncope, I then run a USER "reconciliation" in the LDAP resource, then the 
members are synchronized in the GROUP in LDAP.


Is this actually the way to do ?


The simplest way to accomplish what I think is your goal is:

1. create group and assign the LDAP resource to it
2. create user(s) with membership of such group

If you perform such two steps from Syncope Console (or via REST
through standard endpoints), and the LDAP resource is configured
correctly, you get the expected result: users in LDAP, group in LDAP,
with members set.

This works because by default Syncope works with what we call
"implicit provisioning": when you assign a Resource to a Group, the
Group itself and all members will be propagated to the Resource.

One important thing to remember about implicit provisioning is that it
works by type: when you create / update / delete a User, you will get
a User propagated to the Resource; e.g. you cannot create or update a
Group and have Users propagated to LDAP, at least without adding some
customizations around.

I think that, since you are updating a Group via SCIM endpoint by
assigning members, then propagation is not happening as expected in
the default flow.

HTH
Regards.


On 2022-01-14 07:22, Francesco Chicchiriccò wrote:

On 14/01/22 00:35, fab...@fabln.ovh wrote:

Hi,

I am running Syncope version 2.1.10. I am trying to synchronize groups 
membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP (openldap).

The problem I have is that when I create users and then groups with members in 
Syncope, the users and groups are created properly in LDAP but the group doesn't 
have the members.

If I edit the users in Syncope and add them to the group, then the group in 
LDAP is synchronized properly and contains the correct members

Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-18 Thread Francesco Chicchiriccò

On 14/01/22 13:54, fab...@fabln.ovh wrote:

Thanks Francesco.
Please find more  explanations:


Let me recap the flow:
1. users are created in Syncope  (how? via SCIM?), with the LDAP resource 
assigned


 I created the users here manually in Syncope (REALMs / Users)
For example:
local_user1
Auxiliary Classes: BaseGroup
Groups: none at this stage
surname: local_user5
external resources: my_resource_LDAP

I also tested creating the users via SCIM, and then doing a "reconciliation" in 
the LDAP resource, that also works (users are added in LDAP).

after this step, the user local_user1 is synchronized and  created in LDAP


2. group is created in Syncope via SCIM, with 2 members
first question: can you see the group membership in Syncope, for the 2 users 
created at step 1?


Yes, going to Realms / Group / local_user20, clicking on "members" /User, I can 
see the 2 members.




3. the Push Task is run

second question: is the Push Task configured for both users and groups?

yes



4. you can see both users and group on LDAP, but no members for the group

correct, at least initially (when users and groups are created)


5. you edit the 2 users in Syncope by adding group membership

yes


6. the Push Task is run again, with expected result

yes



I just realized something actually:
- I create users
- synchronize those users in LDAP
- I create a group with members
- synchronize this group in LDAP, the group is created in LDAP but no members 
are in it
- in Syncope, I then run a USER "reconciliation" in the LDAP resource, then the 
members are synchronized in the GROUP in LDAP.


Is this actually the way to do ?


The simplest way to accomplish what I think is your goal is:

1. create group and assign the LDAP resource to it
2. create user(s) with membership of such group

If you perform such two steps from Syncope Console (or via REST through 
standard endpoints), and the LDAP resource is configured correctly, you get the 
expected result: users in LDAP, group in LDAP, with members set.

This works because by default Syncope works with what we call "implicit 
provisioning": when you assign a Resource to a Group, the Group itself and all 
members will be propagated to the Resource.

One important thing to remember about implicit provisioning is that it works by 
type: when you create / update / delete a User, you will get a User propagated 
to the Resource; e.g. you cannot create or update a Group and have Users 
propagated to LDAP, at least without adding some customizations around.

I think that, since you are updating a Group via SCIM endpoint by assigning 
members, then propagation is not happening as expected in the default flow.

HTH
Regards.


On 2022-01-14 07:22, Francesco Chicchiriccò wrote:

On 14/01/22 00:35, fab...@fabln.ovh wrote:

Hi,

I am running Syncope version 2.1.10. I am trying to synchronize groups 
membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP (openldap).

The problem I have is that when I create users and then groups with members in 
Syncope, the users and groups are created properly in LDAP but the group doesn't 
have the members.

If I edit the users in Syncope and add them to the group, then the group in 
LDAP is synchronized properly and contains the correct members.

Is it possible to synchronize from Syncope to LDAP group members from the group 
in Syncope, or do the users in Syncope need to contain the group list ?


My configuration:

I created the users local_user1 and local_user2 in Syncope.

I have the file local_group20.json to create the group "local_group20" with the 2 members 
"local_user1" and "local_user2" via SCIM:

{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "local_group20",
    "externalId": "local_group20",
    "members": [{
        "value": "d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa",
        "display": "local_user1"
    }, {
        "value": "2366d4ee-700e-4578-a6d4-ee700e05787c",
        "display": "local_user2"
    }]
}

I create the groups with the members in SYNCOPE via SCIM:

$ curl -k -vX POST \
    -H "Accept: application/scim+json" \
    -H "Content-Type: application/scim+json" \
    -H "Authorization: Bearer $TOKEN" \
    -d @local_group20.json \
    http://localhost:18080/syncope/scim/v2/Groups

I can see the group "local_group20" is created fine in Syncope, with the 2 
members in it.

I have an LDAP connector in Syncope, with a propagation action 
"LDAPMembershipPropagationActions" and a PUSH task (note: there are no actions 
available in the PUSH task).

When I run the PUSH task, the group is created in LDAP but without the members 
local_user1 and local_user2.

If I edit the users local_user1 and local_user2 in Syncope, and add them to t

Re: Issue with synchronizing group membership from Syncope to LDAP

2022-01-13 Thread Francesco Chicchiriccò

On 14/01/22 00:35, fab...@fabln.ovh wrote:

Hi,

I am running Syncope version 2.1.10. I am trying to synchronize groups 
membership via SCIM to SYNCOPE and then from SYNCOPE to LDAP (openldap).

The problem I have is that when I create users and then groups with members in 
Syncope, the users and groups are created properly in LDAP but the group doesn't 
have the members.

If I edit the users in Syncope and add them to the group, then the group in 
LDAP is synchronized properly and contains the correct members.

Is it possible to synchronize from Syncope to LDAP group members from the group 
in Syncope, or do the users in Syncope need to contain the group list ?


My configuration:

I created the users local_user1 and local_user2 in Syncope.

I have the file local_group20.json to create the group "local_group20" with the 2 members 
"local_user1" and "local_user2" via SCIM:

{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "local_group20",
    "externalId": "local_group20",
    "members": [{
        "value": "d5ecdf7e-de2a-4c6a-acdf-7ede2a9c6aaa",
        "display": "local_user1"
    }, {
        "value": "2366d4ee-700e-4578-a6d4-ee700e05787c",
        "display": "local_user2"
    }]
}

I create the groups with the members in SYNCOPE via SCIM:

$ curl -k -vX POST \
    -H "Accept: application/scim+json" \
    -H "Content-Type: application/scim+json" \
    -H "Authorization: Bearer $TOKEN" \
    -d @local_group20.json \
    http://localhost:18080/syncope/scim/v2/Groups

I can see the group "local_group20" is created fine in Syncope, with the 2 
members in it.

I have an LDAP connector in Syncope, with a propagation action 
"LDAPMembershipPropagationActions" and a PUSH task (note: there are no actions 
available in the PUSH task).

When I run the PUSH task, the group is created in LDAP but without the members 
local_user1 and local_user2.

If I edit the users local_user1 and local_user2 in Syncope, and add them to the group 
"local_group20" and run the PUSH task again, they appear in the LDAP group 
members.


Any idea ? 

Hi Fabien,
it seems you went pretty far with your use case above: e.g. to use Syncope to 
provision users, groups and memberships via SCIM2 to LDAP.

Let me recap the flow:

1. users are created in Syncope  (how? via SCIM?), with the LDAP resource 
assigned
2. group is created in Syncope via SCIM, with 2 members

first question: can you see the group membership in Syncope, for the 2 users 
created at step 1?

3. the Push Task is run

second question: is the Push Task configured for both users and groups?

4. you can see both users and group on LDAP, but no members for the group
5. you edit the 2 users in Syncope by adding group membership
6. the Push Task is run again, with expected result

Is all above correct? Can you provide answers?
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: searching users with different attributes

2021-12-14 Thread Francesco Chicchiriccò

On 13/12/21 14:37, Marco Benucci wrote:

Hi all,

We are trying syncope on an Oracle DB (19c) with approximately 1M100K users.
Searches (both via console and with the REST API) respond in acceptable times 
if you use the username as a search key, but using other fields, such as 
surname, the response generally takes a long time (several seconds) or goes 
timeout. Is there anything we can do to improve this?
We performed the graphic installation, without any other particular precautions.

Thank you all.
Greetings,
Marco


Hi Marco,
1,1M users managed by an IdM is quite a number, congrats :-)

I suppose you are running some 2.1.X version since GUI installer was removed 
from upcoming 3.0.0: am I correct?

About search performance, my company has found [1] [2] that when going above 
20.000 identities it is definitely worth switching to Elasticsearch support.
You will need to tweak the project as generated by GUI installer in order to 
enable the Elasticsearch extension [3].

In the same blog post we are also reporting that the best performance is 
obtained by using PostgreSQL with JSONB support (rather than Oracle DB) - see 
[4] about how to enable this in your project.

HTH
Regards.

[1] https://www.tirasa.net/en/blog/benchmarking-apache-syncope-on-postgresql
[2] https://tirasa.github.io/syncoperf/
[3] 
https://syncope.apache.org/docs/2.1/reference-guide.html#enable-the-elasticsearch-extension
[4] https://syncope.apache.org/docs/2.1/reference-guide.html#postgresql-jsonb

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Need some discussion upfront before the invoice/payment goes off

2021-10-25 Thread Francesco Chicchiriccò

Hi Vinay,
I hope we can solve the payment issues soon.

Until then, please send your questions to public mailing lists only, and don't 
forget that support there is provided best-effort, for free, by the community.

Regards.

On 23/10/21 05:50, Vinay Kavala wrote:

Hi Fabio and Francesco,

I have been informed that you are reached out to do the invoice/payment for the 
training of Apache Syncope to our Team. I have also understood that there is a 
slight issue in making the payment over. However, I would like to request you 
to see if you can answer my questions over email for certain questions we have 
in specific scenarios of our project.

Let me know if that is something that you can accommodate.

FYI - I have already posted couple of questions to the Dev community yesterday. 
I can attach those threads over here if you would like to look at it and 
respond.

Thanks,
Vinay


--
Francesco Chicchiriccò
Tel +393290573276

Amministratore unico @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/

"To Iterate is Human, to Recurse, Divine"
(James O. Coplien, Bell Labs)



[ANN] Apache Syncope 2.1.10

2021-10-11 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.1.10

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope2110

Upgrading from 2.1.9? There are some notes about this process:
https://s.apache.org/lc4y9

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: How share spring bean data about connector in high available environment?

2021-10-08 Thread Francesco Chicchiriccò

Replying to this old thread just to notice that the issue was finally solved:

https://issues.apache.org/jira/browse/SYNCOPE-1628

Fix will be available with upcoming Syncope 2.1.10.

Regards.

On 04/04/18 07:32, Elena Hong wrote:

Thanks to your help :D


On Tue, Apr 3, 2018 at 1:29 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

Hi Elena,
my personal congrats, it seems you've got most of the picture :-)

If your HA setup is correct, in fact, writing any data via REST on node A 
and then read the same data from node B is perfectly fine.

When such data are in fact related to connector configuration (or even 
resource configuration, if you are using override), things are effectively a 
bit different, because the Spring bean associated to each connector gets 
automatically refreshed only on the node where the REST create / update was 
sent to.

So, if connector update was sent to node A, provisioning tasks occurring on 
node B will still have the old configuration, you're right.

Workarounds:

* invoke POST /connectors/reload on node B - this will make all connector 
Spring beans refresh their configuration from the underlying db
* restart the Java EE container on node B
* disable Quartz jobs execution on node B [1]

The actual fix would be to implement a custom RemoteCommitListener [2] 
which triggers the connector's Spring bean refresh on node B.

Let me finally add that normally this issue is not very important because 
the connector configuration is rather stable as soon as the deployment reaches 
out HA environments (as it was fine-tuned in lower environments).

Regards.

[1] http://syncope.apache.org/docs/reference-guide.html#quartz
[2] http://openjpa.apache.org/builds/2.4.2/apidocs/org/apache/openjpa/event/RemoteCommitListener.html


On 02/04/2018 11:05, Elena Hong wrote:

oops, I have mistake in my question. sorry.

I have trouble when do provisioning not call read API.

As you say, read connector API is working well. It loads data from DB(Of 
course My A and B server using same DB).

But during provisioning, Syncope loads data from spring bean factory is 
managed in instance's InMemory(I guessed).

When run provisioning task, call doExecute method from 
AbstractProvisioningJobDelegate.java

And it loads connector data via ConnectorFactory.java 's getConnector 
method.

I can see getConnector method in ConnectorManager.java. It loads data from 
beanFactory.

    @Override
    public Connector getConnector(final ExternalResource resource) {
        // Try to re-create connector bean from underlying resource (useful for managing failover scenarios)
        if (!ApplicationContextProvider.getBeanFactory().containsBean(getBeanName(resource))) {
            registerConnector(resource);
        }

        return (Connector) ApplicationContextProvider.getBeanFactory().getBean(getBeanName(resource));
    }

So, After I update connector via Syncope server A , It updates DB and own 
spring bean.
Then read connector API works well and I can see the updated connector data 
from management console.
But server B's bean is not updated yet. In this case, If provisioning run 
in Server B, B has 'old' connector data.




2018-04-02 11:03 GMT+09:00 Elena Hong <aheer...@gmail.com>:

How can each syncope servers in high available environment share 
connector which saved as spring bean at inmemory?

* My environment.

I set high available with two syncope servers called A, B and nginx.

* My problem

1. I call connector update api to nginx.

2. nginx call syncope server A, and update connector 'new' data in DB 
and spring bean.

3. I call connector read api to nginx.

4. nginx call syncope server B, then B returned 'old' data at spring 
bean.

How can I solved it..?
give me a tip please..



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
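
The first workaround listed in the quoted 2018 reply above (POST /connectors/reload on each node), written out as an added example that is not part of the original thread or of the Syncope project. The node base URLs, the REST prefix they contain and the SYNCOPE_USER / SYNCOPE_PASSWORD variables are assumptions; pass each node's own address rather than the load balancer's, otherwise only one node gets refreshed.

```shell
#!/bin/sh
# Added example: after a connector update lands on one node, ask every node
# to rebuild its connector Spring beans via POST /connectors/reload.
# Assumptions (constructed): node base URLs, including the REST prefix, are
# passed as arguments; HTTP Basic credentials come from the environment
# variables SYNCOPE_USER and SYNCOPE_PASSWORD.

# HTTP client, overridable so the logic can be exercised without a network.
CURL_BIN="${CURL_BIN:-curl}"

# Escape backslashes and double quotes for a quoted curl config value.
curl_quote() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# reload_node BASE_URL: prints the HTTP status code the node answered with.
reload_node() {
    # Credentials travel in a curl config read from stdin (-K -), so the
    # password is not visible in the process list as with "-u user:pass".
    printf 'user = "%s:%s"\n' \
        "$(curl_quote "$SYNCOPE_USER")" "$(curl_quote "$SYNCOPE_PASSWORD")" |
        "$CURL_BIN" -K - --silent --max-time 30 --output /dev/null \
            --write-out '%{http_code}' --request POST \
            "${1%/}/connectors/reload"
}

# reload_all_nodes URL...: prints "ok|stale URL STATUS" for each node and
# returns 1 if any node did not answer 2xx; such a node may still run
# provisioning tasks with the old connector configuration.
reload_all_nodes() {
    failed=0
    for node in "$@"; do
        # curl prints 000 and exits non-zero when the node is unreachable.
        status="$(reload_node "$node")" || status="${status:-000}"
        case "$status" in
            2??) echo "ok $node $status" ;;
            *)   echo "stale $node $status"; failed=1 ;;
        esac
    done
    return "$failed"
}

# Run only when node URLs are given on the command line.
if [ "$#" -gt 0 ]; then
    reload_all_nodes "$@"
fi
```
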



Re: Multiple admin users

2021-10-08 Thread Francesco Chicchiriccò

Glad to hear that :-)

Regards.

On 08/10/21 03:01, Fco. David Ferraes Feria wrote:


Sorry, I resolved it. Thanks.

*Fco. David Ferraes Feria*
Email: da...@ferraes.mx
Mobile: +52 (55) 4350 3658
On 07/10/21 at 19:56, Fco. David Ferraes Feria wrote:


Hi,

Is there any way to configure multiple admin users?

Thanks in advance.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Reports Question

2021-10-06 Thread Francesco Chicchiriccò

On 05/10/21 23:18, Caleb Mazure wrote:

Hi,

Thank you so much for your assistance so far. That makes sense, looking at the 
code as well.

When using the UserTO() function within the swagger API. I can see that the 
following is being produced.

"memberships": [
  {
    "groupKey": "b126a6fc-2bc0-4e5a-a6a6-fc2bc0ce5a1a",
    "groupName": "systems",
    "plainAttrs": [],
    "derAttrs": [],
    "virAttrs": []
  },
  {
    "groupKey": "f753222f-442b-4c2f-9322-2f442bcc2fe1",
    "groupName": "common-staff",
    "plainAttrs": [],
    "derAttrs": [],
    "virAttrs": []
  }
],

There are plainAttrs present, but they aren't being shown.



You will see plainAttrs only if the given membership does actually have 
plainAttrs.

Take a look at


http://syncope.apache.org/docs/2.1/reference-guide.html#type-extensions


for more details.


FTR, dynamic memberships (e.g. the initial scope of this thread) are instead 
defined in UserTO as

"dynMemberships": []


Regards.



*From:* Francesco Chicchiriccò 
*Sent:* Monday, October 4, 2021 10:12 PM
*To:* user@syncope.apache.org 
*Subject:* Re: Reports Question
Thanks,
Caleb
--
On 03/10/21 02:29, Caleb Mazure wrote:

Hey Francesco,

I have been able to display the dynamic memberships in the reports. I can't 
seem to display the attributes of the memberships though. Is this feature 
available? Do I need to edit the UserTo class? If so, could you point me in the 
right direction?



Hi,
dynamic memberships have some limitations compared to standard memberships:


https://syncope.apache.org/docs/2.1/reference-guide.html#memberships-relationships


Among such limitations, dynamic memberships don't allow for attributes.


Regards.



*From:* Francesco Chicchiriccò <ilgro...@apache.org>
*Sent:* Wednesday, September 29, 2021 9:00 PM
*To:* user@syncope.apache.org
*Subject:* Re: Reports Question

--


common/src/main/java/org/apache/syncope/common/lib

The second one, e.g.

core/src/main/java/org/apache/syncope/core/provisioning/java/job/report

is correct.

Regards.

On 28/09/21 23:51, Caleb Mazure wrote:

Thanks for the advice so far.

This is a screenshot

Re: Reports Question

2021-10-04 Thread Francesco Chicchiriccò

On 03/10/21 02:29, Caleb Mazure wrote:

Hey Francesco,

I have been able to display the dynamic memberships in the reports. I can't 
seem to display the attributes of the memberships though. Is this feature 
available? Do I need to edit the UserTo class? If so, could you point me in the 
right direction?



Hi,
dynamic memberships have some limitations compared to standard memberships:


https://syncope.apache.org/docs/2.1/reference-guide.html#memberships-relationships


Among such limitations, dynamic memberships don't allow for attributes.


Regards.



*From:* Francesco Chicchiriccò 
*Sent:* Wednesday, September 29, 2021 9:00 PM
*To:* user@syncope.apache.org 
*Subject:* Re: Reports Question

--


common/src/main/java/org/apache/syncope/common/lib

The second one, e.g.

core/src/main/java/org/apache/syncope/core/provisioning/java/job/report

is correct.

Regards.

On 28/09/21 23:51, Caleb Mazure wrote:

Thanks for the advice so far.

This is a screenshot after the Maven installation. Just confirming that I 
needed to create file structure for 
common/src/main/java/common/lib/src/main/java/org/apache/syncope/common/lib



Thanks,
Caleb
--
*From:* Francesco Chicchiriccò <ilgro...@apache.org>
*Sent:* Tuesday, September 28, 2021 7:33 PM
*To:* user@syncope.apache.org
*Subject:* Re: Reports Question
On 28/09/21 03:37, Caleb Mazure wrote:

Hi Francesco,

That all makes sense, I am converting our original .deb packages deployment to 
Maven.

I have moved the .war files produced from the maven build into 
/etc/tomcat8/Catalina/localhost/ which is being read by the server.xml file.

It seemed to run off the tomcat server, but I then thought it was still using 
the original installation. I removed the apt Apache-syncope-console, and it 
still seems to run fine (I still have suspicions).

*For a basic Maven build, the only files required are the .war files, correct?*



Hi,
in your case it's /etc/tomcat8/Catalina/localhost/ because you're working on a Debian 
machine with Tomcat installed via the tomcat8 deb package but it could be also 
elsewhere if you had, for instance, downloaded a more recent Tomcat release from 
https://tomcat.apache.org (about this, the latest 
Tomcat 9.x is recommended).


WAR files generated by Maven build can be deployed into all supported JavaEE 
containers including Tomcat, but please don't forget to read carefully [1] 
which explains how to build properly in order to define the deployment 
directories for ConnId bundles, configuration files and logs.


HTH
Regards.


[1] https://syncope.apache.org/docs/2.1/reference-guide.html#customization

Re: Reports Question

2021-09-29 Thread Francesco Chicchiriccò

Sorry, bad copy / paste as it seems: the actual path should have been

common/src/main/java/org/apache/syncope/common/lib

The second one, e.g.

core/src/main/java/org/apache/syncope/core/provisioning/java/job/report

is correct.

Regards.

On 28/09/21 23:51, Caleb Mazure wrote:

Thanks for the advice so far.

This is a screenshot after the Maven installation. Just confirming that I 
needed to create file structure for 
common/src/main/java/common/lib/src/main/java/org/apache/syncope/common/lib



Thanks,
Caleb
--
*From:* Francesco Chicchiriccò 
*Sent:* Tuesday, September 28, 2021 7:33 PM
*To:* user@syncope.apache.org 
*Subject:* Re: Reports Question
On 28/09/21 03:37, Caleb Mazure wrote:

Hi Francesco,

That all makes sense, I am converting our original .deb packages deployment to 
Maven.

I have moved the .war files produced from the maven build into 
/etc/tomcat8/Catalina/localhost/ which is being read by the server.xml file.

It seemed to run off the tomcat server, but I then thought it was still using 
the original installation. I removed the apt Apache-syncope-console, and it 
still seems to run fine (I still have suspicions).

*For a basic Maven build, the only files required are the .war files, correct?*



Hi,
in your case it's /etc/tomcat8/Catalina/localhost/ because you're working on a Debian 
machine with Tomcat installed via the tomcat8 deb package but it could be also 
elsewhere if you had, for instance, downloaded a more recent Tomcat release from 
https://tomcat.apache.org (about this, the latest 
Tomcat 9.x is recommended).


WAR files generated by Maven build can be deployed into all supported JavaEE 
containers including Tomcat, but please don't forget to read carefully [1] 
which explains how to build properly in order to define the deployment 
directories for ConnId bundles, configuration files and logs.


HTH
Regards.


[1] https://syncope.apache.org/docs/2.1/reference-guide.html#customization



------
*From:* Francesco Chicchiriccò <ilgro...@apache.org>
*Sent:* Friday, September 24, 2021 6:44 PM
*To:* user@syncope.apache.org
*Subject:* Re: Reports Question
On 23/09/21 23:28, Caleb Mazure wrote:

Hello,

I currently have setup an installation of syncope on a Linux based machine, 
using the Debian packages provided.

*I want to create a report that shows the dynamic memberships of users. The 
default only shows memberships. *

To do this I believe I need to create a new java class somewhere that would be 
like the default UserReportletConf but I am not sure how to go about this.

Any advice would be great!


Hi Caleb,

as you are suggesting above, in order to create a new Reportlet [1] you will 
need to:


1. create a class named MyUserReportletConf extending [2], under 
common/src/main/java/common/lib/src/main/java/org/apache/syncope/common

Re: Reports Question

2021-09-28 Thread Francesco Chicchiriccò

On 28/09/21 03:37, Caleb Mazure wrote:

Hi Francesco,

That all makes sense, I am converting our original .deb packages deployment to 
Maven.

I have moved the .war files produced from the maven build into 
/etc/tomcat8/Catalina/localhost/ which is being read by the server.xml file.

It seemed to run off the tomcat server, but I then thought it was still using 
the original installation. I removed the apt Apache-syncope-console, and it 
still seems to run fine (I still have suspicions).

*For a basic Maven build, the only files required are the .war files, correct?*



Hi,
in your case it's /etc/tomcat8/Catalina/localhost/ because you're working on a 
Debian machine with Tomcat installed via the tomcat8 deb package but it could 
be also elsewhere if you had, for instance, downloaded a more recent Tomcat 
release from https://tomcat.apache.org (about this, the latest Tomcat 9.x is 
recommended).


WAR files generated by Maven build can be deployed into all supported JavaEE 
containers including Tomcat, but please don't forget to read carefully [1] 
which explains how to build properly in order to define the deployment 
directories for ConnId bundles, configuration files and logs.


HTH
Regards.


[1] https://syncope.apache.org/docs/2.1/reference-guide.html#customization



--
*From:* Francesco Chicchiriccò 
*Sent:* Friday, September 24, 2021 6:44 PM
*To:* user@syncope.apache.org 
*Subject:* Re: Reports Question
On 23/09/21 23:28, Caleb Mazure wrote:

Hello,

I currently have setup an installation of syncope on a Linux based machine, 
using the Debian packages provided.

*I want to create a report that shows the dynamic memberships of users. The 
default only shows memberships. *

To do this I believe I need to create a new java class somewhere that would be 
like the default UserReportletConf but I am not sure how to go about this.

Any advice would be great!


Hi Caleb,

as you are suggesting above, in order to create a new Reportlet [1] you will 
need to:


1. create a class named MyUserReportletConf extending [2], under 
common/src/main/java/common/lib/src/main/java/org/apache/syncope/common/lib/report

2. create a class named MyUserReportlet extending [3], annotated with 
@ReportletConfClass with class above, under 
core/src/main/java/org/apache/syncope/core/provisioning/java/job/report

3. once built and deployed, create a Java implementation of type REPORTLET for the 
class above - from Console, under Configuration > Implementations


Naturally, this assumes you are working with a Maven project generated from 
archetype [4]: this is the sole deployment method currently provided allowing for 
extension and customization.


HTH
Regards.


[1] http://syncope.apache.org/docs/2.1/reference-guide.html#reportlets
[2] https://github.com/apache/syncope/blob/syncope-2.1.9/common/lib/src/main/java/org/apache/syncope/common/lib/report/UserReportletConf.java
[3] https://github.com/apache/syncope/blob/2_1_X/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/job/report/UserReportlet.java
[4] http://syncope.apache.org/docs/2.1/getting-started.html#maven-project


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Reports Question

2021-09-24 Thread Francesco Chicchiriccò

On 23/09/21 23:28, Caleb Mazure wrote:

Hello,

I currently have setup an installation of syncope on a Linux based machine, 
using the Debian packages provided.

*I want to create a report that shows the dynamic memberships of users. The 
default only shows memberships. *

To do this I believe I need to create a new java class somewhere that would be 
like the default UserReportletConf but I am not sure how to go about this.

Any advice would be great!


Hi Caleb,

as you are suggesting above, in order to create a new Reportlet [1] you will 
need to:


1. create a class named MyUserReportletConf extending [2], under 
common/src/main/java/common/lib/src/main/java/org/apache/syncope/common/lib/report

2. create a class named MyUserReportlet extending [3], annotated with 
@ReportletConfClass with class above, under 
core/src/main/java/org/apache/syncope/core/provisioning/java/job/report

3. once built and deployed, create a Java implementation of type REPORTLET for the 
class above - from Console, under Configuration > Implementations


Naturally, this assumes you are working with a Maven project generated from 
archetype [4]: this is the sole deployment method currently provided allowing for 
extension and customization.


HTH
Regards.


[1] http://syncope.apache.org/docs/2.1/reference-guide.html#reportlets
[2] https://github.com/apache/syncope/blob/syncope-2.1.9/common/lib/src/main/java/org/apache/syncope/common/lib/report/UserReportletConf.java
[3] https://github.com/apache/syncope/blob/2_1_X/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/job/report/UserReportlet.java
[4] http://syncope.apache.org/docs/2.1/getting-started.html#maven-project

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Syncope - approval workflow visibility

2021-06-16 Thread Francesco Chicchiriccò

On 15/06/21 17:52, Giulia Ferretti wrote:


Hello everybody,

me and my team have a problem with the approval process. The scenario is as 
follows:

  - two realms: RealmA, RealmB
  - two roles: RoleA (visibility on RealmA), RoleB (visibility on RealmB)

We have created the two roles with the capabilities to see and manage user 
creation requests via approval.

The problem we encounter is that if a user is created on RealmA, this approval 
request is presented not only to the user with RoleA, but also to the user with 
RoleB.

Can you help us?


Hi Giulia,
glad of your interest in Apache Syncope.

By default, if nothing is specified in the BPMN definition, user requests can 
be managed by any User owning the appropriate Entitlements.

You can restrict the Users that can manage a given user request by enforcing 
Flowable's candidateUsers / candidateGroups constructs in their BPMN definition 
- see [1] for more details.

If this is not enough to cover the scenario you are proposing above, I am 
afraid some additional code customization might be required.

HTH
Regards.

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#approval

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Global uniqueness requirement of username

2021-05-17 Thread Francesco Chicchiriccò

On 17/05/21 08:06, Martin van Es wrote:

On Fri, May 14, 2021 at 7:27 AM Francesco Chicchiriccò <ilgro...@apache.org> wrote:


At a first glance, there seems to be some difference between 
"membValue.toString()" from [4] - logged as

uid=roger,ou=People,dc=flat,dc=https:/
/cloud,dc=services,dc=vnet

and "membValue" as reported by log statement at [5] which is instead

uid=roger,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet


Except for the newline, which was introduced by the console width of the tail 
of the core.log output I don't see any difference between the two DN's?
I'd suggest you try to synchronise groupmembership for members living under a dc 
containing slashes to see if you can make it work. Like I said, if I only 
change the dc name and leave the rest of the config identical everything works 
as expected.


Sorry, I don't have spare cycles to invest in such troubleshooting, maybe 
someone else (including you) can take some time to debug and attempt to provide 
some more insights, as I was suggesting in my previous response.

I can of course help with fix.
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Global uniqueness requirement of username

2021-05-13 Thread Francesco Chicchiriccò

On 13/05/21 16:38, Martin van Es wrote:

On Mon, May 10, 2021 at 9:04 AM Francesco Chicchiriccò <ilgro...@apache.org> wrote:

Got my Groovy script working, good progress!


Technically speaking, it's a Groovy *class*, not script.


There was still one thing lingering around that I forgot to come back to:

> Secondly, some of the organisation DN's contain (forward) slashes in the 
dc part of their DN, which makes configuring the resource awkward (I need to 
escape the slash using a backslash in the Base Contexts to Synchronize) but worse: 
it renders membership matching impossible (the entryDN of the user can not be 
found from the member DN in the group although the matching DN string is correct 
as inspected from debug output) so I guess that's a bug to be solved in Syncope at 
some time, because it works as expected for organisations without the slashes in 
the dc part.

Realm names (as all other Entity keys) are set to match the NAME pattern:


https://github.com/apache/syncope/blob/2_1_X/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/validation/entity/RealmValidator.java#L52

hence forward slashes are not allowed: consider that the rationales behind 
this constraint are that (1) NAME values are normally used in URLs and also 
that (2) forward slash is used internally by Syncope as full path separator.


This is not about the Realm name. The problem is that if users live below an entry containing 
forward slashes (e.g. uid=test,ou=People,dc=http://test.org,dc=example,dc=org) in the source 
resource the groupmembership synchronisation fails, because the group/user matching logic fails to match 
"uid=test,ou=People,dc=http://test.org,dc=example,dc=org" to any 
existing user object link, even if that user clearly exists on the resource:

The pull action first successfully synchronises one of the test users:

13:10:40.581 DEBUG org.apache.syncope.core.provisioning.api.pushpull.SyncopeResultHandler - Successfully handled {Uid=Attribute: {Name=__UID__, Value=[c0a8aa18-42a1-103b-99d3-9ff4281b3bc9]}, ObjectClass=ObjectClass: __ACCOUNT__, DeltaType=CREATE_OR_UPDATE, Token=SyncToken: , Object={Uid=Attribute: {Name=__UID__, Value=[c0a8aa18-42a1-103b-99d3-9ff4281b3bc9]}, ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: {Name=uid, Value=[roger]}, Attribute: {Name=mail, Value=[ro...@example.org]}, Attribute: {Name=entryUUID, Value=[c0a8aa18-42a1-103b-99d3-9ff4281b3bc9]}, Attribute: {Name=__NAME__, Value=[uid=roger,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet]}, Attribute: {Name=cn, Value=[urn:roger]}, Attribute: {Name=sn, Value=[n/a]}, Attribute: {Name=__UID__, Value=[c0a8aa18-42a1-103b-99d3-9ff4281b3bc9]}, Attribute: {Name=__ENABLE__, Value=[]}], Name=Attribute: {Name=__NAME__, Value=[uid=roger,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet]}}, PreviousUid=null}


And later, when the groups are pulled, the member(s) can't be related to any 
existing user, even though the DN is correct:

13:10:41.168 DEBUG 
org.apache.syncope.core.provisioning.java.pushpull.InboundMatcher - No 
ObjectClass: __ACCOUNT__ found on JPAExternalResource[SRAM-Cloud] with __NAME__ 
uid=roger,ou=People,dc=flat,dc=https:/
/cloud,dc=services,dc=vnet
13:10:41.168 WARN  
org.apache.syncope.core.provisioning.java.pushpull.LDAPMembershipPullActions - Could 
not find matching user for uid=roger,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet

This works flawlessly for any LDAP resource without the forward slashes in the 
dc above ou=People. To me, this looks like a bug?


The log error above comes from [1]; the likely cause is that namevalue provided 
as method argument was not matched by any LDAP user, when searching on LDAP a 
few lines above.

This call comes from [2] which is essentially iterating over the values 
provided by LDAP's uniquemember of the pulling Group: I would then start by 
having a careful look at how such values actually look like in LDAP and how 
they are received by method [3].

At a first glance, there seems to be some difference between 
"membValue.toString()" from [4] - logged as

uid=roger,ou=People,dc=flat,dc=https:/
/cloud,dc=services,dc=vnet

and "membValue" as reported by log statement at [5] which is instead

uid=roger,ou=People,dc=flat,dc=https://cloud,dc=services,dc=vnet

Regards.

[1] 
https://github.com/apache/syncope/blob/2_1_X/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/pushpull/InboundMatcher.java#L154
[2] 
https://github.com/apache/syncope/blob/2_1_X/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java

Re: Global uniqueness requirement of username

2021-05-12 Thread Francesco Chicchiriccò

On 12/05/21 08:32, Martin van Es wrote:

On Tue, May 11, 2021 at 4:52 PM Francesco Chicchiriccò <ilgro...@apache.org> wrote:

You can have a look at what can be done in a PropagationActions class by 
looking at matching classes under


https://github.com/apache/syncope/tree/2_1_X/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation

Ah! The Tasks carry the properties, this is very helpful indeed.
Thx for your patient replies!


You're welcome.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Global uniqueness requirement of username

2021-05-11 Thread Francesco Chicchiriccò

On 10/05/21 16:11, Martin van Es wrote:

Hi Francesco,

Ok, I can log debug statements!

When I inspect the entity object on any of the available methods for e.g. 
org.apache.syncope.core.provisioning.api.pushpull.PushActions it seems to be of 
class JPAUser.

Now, what I expect (but maybe I'm completely mistaken) is to be able to 
manipulate the JPAUser object as it flows into the target resource. For 
example, I expect some get'ers, and set'ers on (internal) attributes so that I 
can inspect values, conditionally alter or add them and update the changes back 
into the object to be provisioned. I know much of this can be done using 
attribute mapping logic in the normal resource configuration, but what if the 
logic was a bit more complicated? Are these groovy scripts meant and able to 
manipulate attributes as I think they are? I've taken a look at the JPAUser API 
documentation[1], and although the class is quite rich and supports e.g. 
add(UPlainAttr attr) I don't see ways to get, set or update available 
attributes on the object?


You can have a look at what can be done in a PropagationActions class by 
looking at matching classes under

https://github.com/apache/syncope/tree/2_1_X/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation

About PushActions and PullActions you can check

https://github.com/apache/syncope/tree/2_1_X/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/pushpull

HTH
Regards.


[1] 
http://syncope.apache.org/apidocs/2.0/org/apache/syncope/core/persistence/jpa/entity/user/JPAUser.html

Best regards.
Martin

On Mon, May 10, 2021 at 2:19 PM Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 10/05/21 14:05, Martin van Es wrote:



On Mon, May 10, 2021 at 9:07 AM Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 07/05/21 19:50, Martin van Es wrote:

Another question.
How would I print debug (core.log) statements in a Groovy propagation 
action script?


Not very related to the subject, but you can find a relevant example 
here:


https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/test/resources/rest/SearchScript.groovy#L104

Thx for your input!

This is the output when I blindly add log.info() to a 
test Groovy propagation action script:

11:57:53.811 DEBUG org.apache.syncope.core.provisioning.java.ConnectorManager - Connector to be registered: ConnectorFacadeProxy{connector=org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl@63b8d810
capabitilies=[UPDATE, DELETE, CREATE, SEARCH, AUTHENTICATE]}
11:57:53.811 DEBUG org.apache.syncope.core.provisioning.java.ConnectorManager - Successfully registered bean connInstance-Master-3229BE00-2A72-4A78-A9BE-002A729A784D-service-cloud
11:57:53.813 DEBUG org.apache.syncope.core.provisioning.api.job.SchedTaskJobDelegate - Executing push on JPAExternalResource[service-cloud]
11:57:54.063 DEBUG org.apache.syncope.core.provisioning.api.pushpull.SyncopeResultHandler - Pushing USER with key 89b4b6da-1ef3-4720-b4b6-da1ef3072081 towards JPAExternalResource[service-cloud]
11:57:56.666 ERROR org.apache.syncope.core.provisioning.java.pushpull.OutboundMatcher - While building JPAImplementation[My_Groovy_PropagationAction]
org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
Script_591aa0a4f0c025faabe5fd7f86d74fb0.groovy: 39: [Static type checking] - The variable [log] is undeclared.
@ line 39, column 5.
log.info("Entering " + action + " Script");
  ^

The main problem here probably is that I'm not a hard-core Java developer 
and I'm trying to create a maximum flexibility, zero-compilation identity 
synchronisation setup for the team to work with. Simple syncope-console 
editable Groovy scripts would help tremendously with that goal!


Sorry, I did not read well that you were not interested in Groovy scripts 
for connectors but in Groovy Propagation Actions classes.

You can use Groovy's @Slf4j then:

import groovy.transform.CompileStatic
import groovy.util.logging.Slf4j
import org.apache.syncope.core.persistence.api.entity.task.PropagationTask
import org.apache.syncope.core.provisioning.api.propagation.PropagationActions
import org.identityconnectors.framework.common.objects.ConnectorObject

@Slf4j
@CompileStatic
class MyPropagationActions implements PropagationActions {

  @Override
  void before(PropagationTask task, ConnectorObject beforeObj) {
    log.error("About to run {}", task)
  }
}

Re: Global uniqueness requirement of username

2021-05-10 Thread Francesco Chicchiriccò

On 10/05/21 14:05, Martin van Es wrote:



On Mon, May 10, 2021 at 9:07 AM Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 07/05/21 19:50, Martin van Es wrote:

Another question.
How would I print debug (core.log) statements in a Groovy propagation 
action script?


Not very related to the subject, but you can find a relevant example here:


https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/test/resources/rest/SearchScript.groovy#L104

Thx for your input!

This is the output when I blindly add log.info() to a test 
Groovy propagation action script:

11:57:53.811 DEBUG org.apache.syncope.core.provisioning.java.ConnectorManager - Connector to be registered: ConnectorFacadeProxy{connector=org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl@63b8d810
capabitilies=[UPDATE, DELETE, CREATE, SEARCH, AUTHENTICATE]}
11:57:53.811 DEBUG org.apache.syncope.core.provisioning.java.ConnectorManager - Successfully registered bean connInstance-Master-3229BE00-2A72-4A78-A9BE-002A729A784D-service-cloud
11:57:53.813 DEBUG org.apache.syncope.core.provisioning.api.job.SchedTaskJobDelegate - Executing push on JPAExternalResource[service-cloud]
11:57:54.063 DEBUG org.apache.syncope.core.provisioning.api.pushpull.SyncopeResultHandler - Pushing USER with key 89b4b6da-1ef3-4720-b4b6-da1ef3072081 towards JPAExternalResource[service-cloud]
11:57:56.666 ERROR org.apache.syncope.core.provisioning.java.pushpull.OutboundMatcher - While building JPAImplementation[My_Groovy_PropagationAction]
org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
Script_591aa0a4f0c025faabe5fd7f86d74fb0.groovy: 39: [Static type checking] - The variable [log] is undeclared.
@ line 39, column 5.
log.info("Entering " + action + " Script");
  ^

The main problem here probably is that I'm not a hard-core Java developer and 
I'm trying to create a maximum flexibility, zero-compilation identity 
synchronisation setup for the team to work with. Simple syncope-console 
editable Groovy scripts would help tremendously with that goal!


Sorry, I did not read well that you were not interested in Groovy scripts for 
connectors but in Groovy Propagation Actions classes.

You can use Groovy's @Slf4j then:

import groovy.transform.CompileStatic
import groovy.util.logging.Slf4j
import org.apache.syncope.core.persistence.api.entity.task.PropagationTask
import org.apache.syncope.core.provisioning.api.propagation.PropagationActions
import org.identityconnectors.framework.common.objects.ConnectorObject

@Slf4j
@CompileStatic
class MyPropagationActions implements PropagationActions {

  @Override
  void before(PropagationTask task, ConnectorObject beforeObj) {
    log.error("About to run {}", task)
  }
}

Logging statements will be sent to core.log.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Global uniqueness requirement of username

2021-05-10 Thread Francesco Chicchiriccò

On 07/05/21 19:50, Martin van Es wrote:

Another question.
How would I print debug (core.log) statements in a Groovy propagation action 
script?


Not very related to the subject, but you can find a relevant example here:

https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/test/resources/rest/SearchScript.groovy#L104

Other samples from Groovy files in the same dir and scriptedsql sibling.

Statements will go to core-connid.log

Regards.


On Fri, May 7, 2021 at 1:49 PM Martin van Es <mrva...@gmail.com> wrote:

Hi,

I've been playing around with Syncope again and was trying to sync a src 
LDAP scheme that contains multiple organizations, which contain multiple Groups 
and People branches. All of these branches contain organisation specific users, 
possibly sharing the same uid (login name). You might call this a multi-tenant 
lay-out.

I was hoping Realms could keep these tenants separated and the usernames 
uniquely scoped to the realm (automatically).

It turns out, that plainly assigning uid to internal attribute username 
won't work, for two reasons:

1. admin isn't allowed (in my docker test deploy) because there's already a 
global user called admin, even if I provision the user in a separate Realm?)
2. I can't reuse uid's assigned to username, even when I use a different 
Realm, so I'd have to assign entryUUID to username and create a separate 
user_id attribute mapped to uid for all users?

Secondly, some of the organisation DN's contain (forward) slashes in the dc 
part of their DN, which makes configuring the resource awkward (I need to 
escape the slash using a backslash in the Base Contexts to Synchronize) but 
worse: it renders membership matching impossible (the entryDN of the user can 
not be found from the member DN in the group although the matching DN string is 
correct as inspected from debug output) so I guess that's a bug to be solved in 
Syncope at some time, because it works as expected for organisations without 
the slashes in the dc part.

Best regards,
Martin
--
If 'but' was any useful, it would be a logic operator



--
If 'but' was any useful, it would be a logic operator



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Global uniqueness requirement of username

2021-05-10 Thread Francesco Chicchiriccò

On 07/05/21 13:49, Martin van Es wrote:

Hi,

I've been playing around with Syncope again and was trying to sync a src LDAP 
scheme that contains multiple organizations, which contain multiple Groups and 
People branches. All of these branches contain organisation specific users, 
possibly sharing the same uid (login name). You might call this a multi-tenant 
lay-out.

I was hoping Realms could keep these tenants separated and the usernames 
uniquely scoped to the realm (automatically).

It turns out, that plainly assigning uid to internal attribute username won't 
work, for two reasons:

1. admin isn't allowed (in my docker test deploy) because there's already a 
global user called admin, even if I provision the user in a separate Realm?)


There is one pre-defined admin user: you can change such username to something 
different in

core/src/main/resources/admin.properties

via the "adminUser" property.


2. I can't reuse uid's assigned to username, even when I use a different Realm, 
so I'd have to assign entryUUID to username and create a separate user_id 
attribute mapped to uid for all users?


Yes, Syncope's username is defined as unique for the SyncopeUser table.

Currently, there is no predefined way to set the constraint "unique per Realm" 
on anything.


Secondly, some of the organisation DN's contain (forward) slashes in the dc 
part of their DN, which makes configuring the resource awkward (I need to 
escape the slash using a backslash in the Base Contexts to Synchronize) but 
worse: it renders membership matching impossible (the entryDN of the user can 
not be found from the member DN in the group although the matching DN string is 
correct as inspected from debug output) so I guess that's a bug to be solved in 
Syncope at some time, because it works as expected for organisations without 
the slashes in the dc part.


Realm names (as all other Entity keys) are set to match the NAME pattern:

https://github.com/apache/syncope/blob/2_1_X/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/validation/entity/RealmValidator.java#L52

hence forward slashes are not allowed: consider that the rationales behind this 
constraint are that (1) NAME values are normally used in URLs and also that (2) 
forward slash is used internally by Syncope as full path separator.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 2.1.9

2021-04-12 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.1.9

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope219

Upgrading from 2.1.8? There are some notes about this process:
https://s.apache.org/4ofso

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: Syncope: Consolidated propagation report

2021-03-12 Thread Francesco Chicchiriccò

On 10/03/21 13:30, utpal kas wrote:

Another question,

Is there any way to get the details of all the propagation happened today?

Something like, if yes, can you please tell me which format I should send the 
date?

/tasks/PROPAGATION?end=


As you can find out by visiting the Tasks endpoint in Swagger UI, it is not 
possible to filter tasks by start / end date.

Regards.


On Wednesday, March 10, 2021, 02:50:30 AM EST, Francesco Chicchiriccò 
 wrote:


On 08/03/21 20:11, utpal kas wrote:
Hello,

We have set up the PULL task to execute auto-propagation to LDAP (external 
resource).

After the PULL task's execution we are getting the Summary result by invoking 
*syncope/rest/tasks/executions/recent* endpoint. The summary shows how many 
users are created/updated/deleted. I do see the 
*syncope/rest/tasks/executions/recent* endpoint does show the *PROPAGATION* 
task related records but they are based on individual user.

We like to have a summary report (how many users are created/updated/deleted) 
generated for PROPAGATION task, is there any easy way?

Hi Utpal,
what you are asking for is not available OOTB: compared to Pull (which is 
related to a set of objects being received from an External Resource), 
Propagation is instead related to a single identity being sent from Syncope to 
External Resources.

You might however extract the information you are looking for from the 
following REST endpoint:

/tasks/PROPAGATION?page=1=25=end%20DESC=the-resource=USER=true

this will return the first matching 25 propagation tasks for users  on the 
"the-resource" External Resource, with executions (details), sorted by end date 
(completion).

HTH
Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Syncope: Consolidated propagation report

2021-03-09 Thread Francesco Chicchiriccò

On 08/03/21 20:11, utpal kas wrote:

Hello,

We have set up the PULL task to execute auto-propagation to LDAP (external 
resource).

After the PULL task's execution we are getting the Summary result by invoking 
*syncope/rest/tasks/executions/recent* endpoint. The summary shows how many 
users are created/updated/deleted. I do see the 
*syncope/rest/tasks/executions/recent* endpoint does show the *PROPAGATION* 
task related records but they are based on individual user.

We like to have a summary report (how many users are created/updated/deleted) 
generated for PROPAGATION task, is there any easy way?


Hi Utpal,
what you are asking for is not available OOTB: compared to Pull (which is 
related to a set of objects being received from an External Resource), 
Propagation is instead related to a single identity being sent from Syncope to 
External Resources.

You might however extract the information you are looking for from the 
following REST endpoint:

/tasks/PROPAGATION?page=1=25=end%20DESC=the-resource=USER=true

this will return the first matching 25 propagation tasks for users  on the 
"the-resource" External Resource, with executions (details), sorted by end date 
(completion).

HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
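
The two replies in this thread point to the propagation task listing and note that the server cannot filter tasks by start or end date. As an added example (not Syncope code and not part of the original posts), this Python script applies the date filter and the create/update/delete tally client-side to one page of results; the JSON field names (result, operation, resource, anyTypeKind, executions, status, end) and the timestamp format are assumptions, and the sample data is constructed.

```python
import json
from collections import Counter
from datetime import date, datetime, timezone

# Constructed sample standing in for one page returned by the propagation
# task listing with execution details. Field names are assumptions.
SAMPLE_PAGE = json.loads("""
{"result": [
  {"key": "t1", "operation": "CREATE", "resource": "the-resource",
   "anyTypeKind": "USER",
   "executions": [{"status": "SUCCESS", "end": "2021-03-10T08:15:02.120+0000"}]},
  {"key": "t2", "operation": "UPDATE", "resource": "the-resource",
   "anyTypeKind": "USER",
   "executions": [{"status": "FAILURE", "end": "2021-03-10T08:15:03.000+0000"},
                  {"status": "SUCCESS", "end": "2021-03-10T09:40:11.500+0000"}]},
  {"key": "t3", "operation": "DELETE", "resource": "the-resource",
   "anyTypeKind": "USER",
   "executions": [{"status": "FAILURE", "end": "2021-03-10T10:01:00.000+0000"}]},
  {"key": "t4", "operation": "UPDATE", "resource": "the-resource",
   "anyTypeKind": "USER",
   "executions": [{"status": "SUCCESS", "end": "2021-03-09T23:59:59.000+0000"}]},
  {"key": "t5", "operation": "CREATE", "resource": "other-resource",
   "anyTypeKind": "USER",
   "executions": [{"status": "SUCCESS", "end": "2021-03-10T11:00:00.000+0000"}]},
  {"key": "t6", "operation": "CREATE", "resource": "the-resource",
   "anyTypeKind": "USER", "executions": []}
]}
""")

# Assumed timestamp layout of the "end" field.
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def latest_execution(task):
    """Return (end, status) of the most recently finished execution, or None.

    Executions without an end timestamp (still running) are ignored, and a
    task that was never executed yields None.
    """
    finished = []
    for execution in task.get("executions") or []:
        if execution.get("end"):
            end = datetime.strptime(execution["end"], TIMESTAMP_FORMAT)
            finished.append((end, execution.get("status", "UNKNOWN")))
    return max(finished, key=lambda item: item[0]) if finished else None


def summarize(tasks, resource, day, any_type_kind="USER"):
    """Count tasks per (operation, final status) that completed on `day` (UTC).

    A retried task is counted once, with the status of its latest execution,
    so a FAILURE followed by a SUCCESS is reported as SUCCESS.
    """
    counts = Counter()
    for task in tasks:
        if task.get("resource") != resource:
            continue
        if task.get("anyTypeKind") != any_type_kind:
            continue
        latest = latest_execution(task)
        if latest is None:
            continue
        end, status = latest
        if end.astimezone(timezone.utc).date() == day:
            counts[(task["operation"], status)] += 1
    return counts


def format_report(counts):
    """Render the tally as aligned text lines, sorted by operation and status."""
    lines = []
    for (operation, status), total in sorted(counts.items()):
        lines.append(f"{operation:<8}{status:<10}{total}")
    return "\n".join(lines)


if __name__ == "__main__":
    tally = summarize(SAMPLE_PAGE["result"], "the-resource", date(2021, 3, 10))
    print(format_report(tally))
```

Against a live deployment every page of the listing has to be fetched and passed to summarize(), since the tally only covers the tasks it is given.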



Re: Notifications and automatic emails

2021-01-28 Thread Francesco Chicchiriccò
On 28/01/21 10:36, Stefano wrote:
> Thank you for the explanation!
>
> ilgrosso wrote
>> it seems you've gone quite far with your tests, cool :-)
> Indeed, it has been quite smooth so far.
>
>
> ilgrosso wrote
>> In particular, you should check the value set for 
>>
>> notificationjob.cronExpression
>>
>> from Console under Configuration > Parameters (if not found, go on and
>> create it with type String); as explained in the linked docs, ensure to
>> set a sensible value for it, as
>>
>> 0/20 * * * * ?
>>
>> for example.
> Classic example of Read The Manual issue, thanks for the pointers. Your
> string works like a charm for a 20s update rate.

Glad to hear that it worked!
Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Notifications and automatic emails

2021-01-27 Thread Francesco Chicchiriccò
Hi Stefano,
it seems you've gone quite far with your tests, cool :-)

For background information, please have a look at 

http://syncope.apache.org/docs/2.1/reference-guide.html#notifications
http://syncope.apache.org/docs/2.1/reference-guide.html#e-mail-configuration

In particular, you should check the value set for 

notificationjob.cronExpression

from Console under Configuration > Parameters (if not found, go on and create 
it with type String); as explained in the linked docs, ensure to set a sensible 
value for it, as

0/20 * * * * ?

for example.

HTH
Regards.

On 2021/01/26 17:35:50, Stefano Speretta - LR  wrote: 
>  Dear all,
> I am trying to set-up automatic emails to users when a new user self 
> registers under Syncope. I am running the official apache docker image 
> (2.1.8) under Docker-compose as in here: 
> https://syncope.apache.org/docs/2.0/getting-started.html#docker-compose-samples
> 
> I am running postfix on the host and generating email notifications from the 
> core syncope container: I can successfully send emails when users are 
> self-created and I go under the notification tasks window and start the task 
> manually. Is there a way to automatically start those tasks?
> 
> According to this 
> (http://syncope-user.1051894.n5.nabble.com/Notifications-td5706516.html), 
> tasks should run automatically but in my case this seems not to happen at all 
> (checked after 1h and no automatic email was sent). All users, after 
> self-create,  go into active state.
> 
> Looking in core.log does not lead to any error from NotificationJob (or 
> errors in general) so I am not sure I am missing some specific setting. Any 
> idea how to solve this?
> 
> Thanks,
> Stefano
> 
> 
> Stefano Speretta
> Assistant Professor
>  
> Delft University of Technology
> Aerospace Engineering Faculty
> Room 8.20
> Kluyverweg 1
> 2629 HS Delft - The Netherlands
> Phone: 0031 (0)15 27 81967
> 
> 


Re: Syncope and Hikari

2021-01-11 Thread Francesco Chicchiriccò
On 07/01/21 19:04, utpal kas wrote:
> Hello,
>
> We are facing a unique situation,
>
> The Master.properties file kept under 
> (/apache_home/webapps/syncope/WEB-INF/classes/domains) folder has following 
> connection properties defined.
>
> Master.pool.maxActive=20
> Master.pool.minIdle=4
>
> We enabled the debug log for hikari, and during the provision process we 
> observed the syncope/hikari is using only 8 active connections, not sure from 
> where this number is coming (MasterDomain.xml's default maxConnection value 
> updated to 20 as well).  
> We are getting timeout failures when the load is around 20K users or so and 
> the processing sometimes totally stops midway after throwing connection not 
> available exception or sometimes continue (may be due to remediation check 
> box is true in pull task), don't know why. We tried both Full and Incremental 
> mode.
>
> Anything wrongly set in terms of connection setting? We are using 2.1.5 v. 
> Your guidance is appreciated.

Hi Utpal,
nothing unexpected is happening here.

When you did build your Maven Syncope-based project to generate WAR artifacts 
for deploy, you should have passed some arguments to mvn, then copied the 
relevant configuration files to the chosen deployment directories, as indicated 
by [1], e.g.

$ mvn clean verify \
   -Dconf.directory=/opt/syncope/conf \
   -Dbundles.directory=/opt/syncope/bundles \
   -Dlog.directory=/opt/syncope/log
$ cp core/target/classes/*properties /opt/syncope/conf
$ cp console/target/classes/*properties /opt/syncope/conf
$ cp enduser/target/classes/*properties /opt/syncope/conf
$ cp enduser/target/classes/customFormAttributes.json /opt/syncope/conf
$ cp enduser/target/classes/customTemplate.json /opt/syncope/conf

This means that the relevant Master.properties file (where the Hikari pool 
parameters are set) is *not* the one inside the WAR but rather the one under 
the configured conf.directory - /opt/syncope/conf in the sample above.

Same applies to all other files.

Hope this clarifies.
Regards.

[1] 
http://syncope.apache.org/docs/2.1/reference-guide.html#deployment-directories

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



[ANN] Apache Syncope 2.1.8

2020-12-21 Thread Francesco Chicchiriccò
The Apache Syncope team is pleased to announce the release of Syncope 2.1.8

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope218

Upgrading from 2.1.7? There are some notes about this process:
https://s.apache.org/s29ad

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: Role dynamic memberships do not work after importing MasterContent

2020-11-10 Thread Francesco Chicchiriccò
On 04/11/20 10:36, te...@net-c.com wrote:
> Hi,
>
> I use syncope 2.1.7
>
> I have exported then imported a MasterContent.xml on a new platform.
>
> On this new platform, after deployment, I see that every role has dynamic 
> membership set (using GROUP_MEMBERSHIP IN) as expected.
>
> Then I add my users (using the REST API) with the right group memberships as 
> it was previously.
>
> Finally I log-in with my users just added, but I see that nobody has any 
> role, it seems that role dynamic memberships are not taken into account 
> somehow. This is checked by viewing "members" for every role. No role has a 
> member.
>
> In order to workaround this, it seems necessary to "reload" roles by "edit -> 
> finish" on every role. After that, users have their roles as planned.

Hi,
this sounds quite odd.

Nothing connected to users is included in export (for both security and 
practical reasons), including static and dynamic membership information, but as 
soon as a user gets saved, their dynamic membership information is set [1].

The workaround you are suggesting above does actually force a refresh for all 
existing users, upon Role save [2]; I wonder what happens to users getting 
created *after* the Role workaround save is performed: do they become dynamic 
members of the Role?

Regards.

[1] 
https://github.com/apache/syncope/blob/2_1_X/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPARoleDAO.java#L180
[2] 
https://github.com/apache/syncope/blob/2_1_X/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPARoleDAO.java#L104

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: language and label edition regression in 2.1.7 when having "_" ?

2020-10-28 Thread Francesco Chicchiriccò
On 28/10/20 10:22, te...@net-c.com wrote:
> HI all,
>
> in 2.1.7, language id having a "_" in their name (like "fr_CA") makes schemas 
> not editable and leads to an exception:
> In the same way, impossible to create a label for these languages.
>
> java.lang.ArrayIndexOutOfBoundsException: 2
> at org.apache.syncope.common.lib.to.SchemaTO.toLocale(SchemaTO.java:63)
> at 
> org.apache.syncope.client.console.panels.SchemaTypeWizardBuilder$Labels.lambda$new$0(SchemaTypeWizardBuilder.java:139)
> at java.util.LinkedHashMap.forEach(LinkedHashMap.java:684)
> at 
> org.apache.syncope.client.console.panels.SchemaTypeWizardBuilder$Labels.(SchemaTypeWizardBuilder.java:138
>
> It works well in 2.1.6.
> When trying to add a label for these kind of language the REST payload looks 
> weird like:
>
> {"@class":"org.apache.syncope.common.lib.to.PlainSchemaTO","key":"test","anyTypeClass":null,"labels":{"*fr;CA*;":"test"},"type":"String","mandatoryCondition":"false","multivalue":false,"uniqueConstraint":false,"readonly":false,"conversionPattern":null,"validator":null,"enumerationValues":"","enumerationKeys":"","secretKey":null,"cipherAlgorithm":null,"mimeType":null}

Hi.
this is already captured as

https://issues.apache.org/jira/browse/SYNCOPE-1590

and fixed in 2.1.8-SNAPSHOT.

Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: custom reportlet and reportletConf do not appear on console

2020-10-22 Thread Francesco Chicchiriccò
Hi,
the steps you mention below are normally not needed: there must be something in 
your Maven project or settings that is impeding the normal behavior.

Regards.

On 22/10/20 10:06, te...@net-c.com wrote:
> Hi,
>
> Finally found how to do it.
>
> For those having same troubles:
>
> You need to place your Conf in:
> core/src/main/java/org/apache/syncope/common/lib/report/myReportletConf.java
> AND IN
> console/src/main/java/org/apache/syncope/common/lib/report/myReportletConf.java
>
> Then your reportlet in
> core/src/main/java/org/apache/syncope/core/provisioning/java/job/report/myReportlet.java
>
> Then finally you also need to have (it does not build if it is not here)
> core/src/main/java/org/apache/syncope/core/persistence/api/DomainHolder.java
> Whose content can be taken from GitHub
>
> Enjoy.
>
>> De : te...@net-c.com
>> À : user@syncope.apache.org
>> Sujet : custom reportlet and reportletConf do not appear on console
>> Date : 21/10/2020 19:37:36 Europe/Paris
>>
>> Hi,
>>
>> I developed my own reportlet class and reportletConf that I put in:
>>
>> core/src/main/java/org/apache/syncope/core/provisioning/java/job/report/myReportlet.java
>> core/src/main/java/org/apache/syncope/common/lib/report/myReportletConf.java
>>
>> Maven build runs well and I see my classes like:
>> ./core/target/syncope/WEB-INF/classes/org/apache/syncope/core/provisioning/java/job/report/myReportlet.class
>> ./core/target/syncope/WEB-INF/classes/org/apache/syncope/common/lib/report/myReportletConf.class
>>
>> However, no way to see them on console when I go to Configuration -> 
>> implementation -> reportlets -> [add]
>>
>> Did I miss something ??
>>
>> Thanks


-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Role layouts does not work when using dynamic membership

2020-10-22 Thread Francesco Chicchiriccò
On 22/10/20 09:30, Francesco Chicchiriccò wrote:
> Hi,
> layout information is fetched by the Realm page [1] via AnyLayoutUtils#fetch 
> [2].
>
> As you can see from [2]:
>
> 1. only static Roles (not dynamic Roles) are currently considered
> 2. the first non-null layout associated to an owned Role is taken
>
> About (1),  I think it would not be difficult to include dynamic Roles as 
> well.

FYI: 
https://github.com/apache/syncope/commit/d146706121e6fb8d05e8fff09b9ef6e676f5e178

> About (2), I don't think it's easy to merge different AnyLayout information 
> coming from different Roles
>
> Hope this clarifies.
> Regards.
>
> [1] 
> https://github.com/apache/syncope/blob/syncope-2.1.7/client/console/src/main/java/org/apache/syncope/client/console/panels/Realm.java#L166-L167
> [2] 
> https://github.com/apache/syncope/blob/syncope-2.1.7/client/console/src/main/java/org/apache/syncope/client/console/layout/AnyLayoutUtils.java#L73-L96
>
> On 20/10/20 15:36, te...@net-c.com wrote:
>> Another thing which could go in the same topic is when a user belongs to 
>> multiple roles each having its different layout and domains.
>>
>> It seems that only the first role layout (by order in the selection list) is 
>> applied anyway the domain where the action is done.
>>
>>
>>> De : te...@net-c.com
>>> À : user@syncope.apache.org
>>> Sujet : Role layouts does not work when using dynamic membership
>>> Date : 20/10/2020 12:08:12 Europe/Paris
>>>
>>> Hi,
>>>
>>> I use syncope 2.1.7
>>>
>>> I defined wizard builder layouts for all of my roles.
>>> For each role I use dynamic membership in order to set the role to users 
>>> member of some groups.
>>>
>>> I see that when I use dynamic role membership, the builder wizard layouts 
>>> defined for the role are not applied to my users in, but if I set like 
>>> statically the role to my users then the layouts work properly.
>>>
>>> Is it a normal behavior ?
>>>
>>> Thanks. 

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Role layouts does not work when using dynamic membership

2020-10-22 Thread Francesco Chicchiriccò
Hi,
layout information is fetched by the Realm page [1] via AnyLayoutUtils#fetch 
[2].

As you can see from [2]:

1. only static Roles (not dynamic Roles) are currently considered
2. the first non-null layout associated to an owned Role is taken

About (1),  I think it would not be difficult to include dynamic Roles as well.
About (2), I don't think it's easy to merge different AnyLayout information 
coming from different Roles

Hope this clarifies.
Regards.

[1] 
https://github.com/apache/syncope/blob/syncope-2.1.7/client/console/src/main/java/org/apache/syncope/client/console/panels/Realm.java#L166-L167
[2] 
https://github.com/apache/syncope/blob/syncope-2.1.7/client/console/src/main/java/org/apache/syncope/client/console/layout/AnyLayoutUtils.java#L73-L96

On 20/10/20 15:36, te...@net-c.com wrote:
> Another thing which could go in the same topic is when a user belongs to 
> multiple roles each having its different layout and domains.
>
> It seems that only the first role layout (by order in the selection list) is 
> applied anyway the domain where the action is done.
>
>
>> De : te...@net-c.com
>> À : user@syncope.apache.org
>> Sujet : Role layouts does not work when using dynamic membership
>> Date : 20/10/2020 12:08:12 Europe/Paris
>>
>> Hi,
>>
>> I use syncope 2.1.7
>>
>> I defined wizard builder layouts for all of my roles.
>> For each role I use dynamic membership in order to set the role to users 
>> member of some groups.
>>
>> I see that when I use dynamic role membership, the builder wizard layouts 
>> defined for the role are not applied to my users in, but if I set like 
>> statically the role to my users then the layouts work properly.
>>
>> Is it a normal behavior ?
>>
>> Thanks. 

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Fwd: How to generate swagger documentation

2020-10-14 Thread Francesco Chicchiriccò
On 14/10/20 11:06, Dmitriy Brashevets wrote:
>
> Hi Francesco.
>
> My fault.
>
> I’m running Apache Syncope *2.1.6* instead of *2.0.16.*
>
> Sorry again for this typo.
>
No problems :-)

About 2.1.6 (and 2.1.7 of course) we have several running projects, all with 
Swagger UI enabled, all working fine.

I'd suggest anyway to proceed as indicated below to check your generated 
openapi.json.

Regards.

> *From:* Francesco Chicchiriccò 
> *Sent:* Wednesday, October 14, 2020 10:27 AM
> *To:* user@syncope.apache.org
> *Subject:* Re: Fwd: How to generate swagger documentation
>
> Hi Dmitriy,
> I have just generated a new Syncope 2.0.16 project following
>
> http://syncope.apache.org/docs/2.0/getting-started.html#create-project
>
> then built via
>
> mvn -Pall clean install
>
> and finally run via
>
> cd enduser
> mvn -Pall,embedded
>
> Swagger UI worked fine after accessing
>
> http://localhost:9080/syncope/swagger/
>
> and making some sample queries.
>
> Coming to your issue, I would suggest first to check that you have been 
> actually following
>
> https://syncope.apache.org/docs/2.0/reference-guide.html#customization-core
>
> and not
>
> https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core
>
> as you are writing below.
>
> Secondly, try to access
>
> [protocol]://[host]:[port]/syncope/rest/openapi.json
>
> and see what result you get; naturally, watch the Core logs as well.
>
> HTH
> Regards.
>
> On 13/10/20 16:39, Dmitriy Brashevets wrote:
>
> Hi Apache Syncope guys.
>
> What version of Apache Syncope are you running?
> I’m trying to run the *Apache Syncope 2.0.16* on *Tomcat 9.0.39*.
>
> I’m able to run the Apache Syncope Core and I also enabled Swagger extension 
> like described here 
> <https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core>,
>  but when I’m accessing swagger I’m having an error:
>
>  
>
> Uncaught SyntaxError: Invalid regular expression:
> Range out of order in character class
>
>     at new RegExp ()
>
>     at Object.r (Autolinker.js:1384)
>
>     at Object. (swagger-ui-bundle.js:133)
>
>     at n (bootstrap:19)
>
>     at Object. (linkify.js:11)
>
>     at n (bootstrap:19)
>
>     at Object. (parser_core.js:22)
>
>     at n (bootstrap:19)
>
>     at Object. (index.js:9)
>
>     at n (bootstrap:19)
>
> (index):1 Unchecked runtime.lastError: Could not establish connection. 
> Receiving end does not exist.
>
> (index):61 Uncaught ReferenceError: SwaggerUIBundle is not defined
>
>     at window.onload ((index):61)
>
>  
>
> Mapping for Swagger is working for me:
> [protocol]://[host]:[port]/syncope/swagger/
>
> But Swagger’s functionality doesn’t work.
> I’m still trying to figure out where the issue is.
>
>  
>
> Any ideas why this happens? Haven’t you faced such an error?
>
> Kind Regards,
> Dmitriy Brashevets
>
>  
>
> *From:* Andrea Patricelli 
> *Sent:* Thursday, June 25, 2020 12:33 PM
> *To:* user@syncope.apache.org
> *Subject:* Re: Fwd: How to generate swagger documentation
>
>  
>
> Sorry, my bad.
> The correct swagger url is
>
> [protocol]://[host]:[port]/syncope/swagger/
>
> Best regards,
> Andrea
>
> Il 25/06/20 11:30, Andrea Patricelli ha scritto:
>
> Hi Anmol
>
> Il 24/06/20 18:22, Anmol Sharma ha scritto:
>
> Hi,
>
>  
>
> I'm a new user exploring the Maven project workflow for Apache 
> Syncope. I tried to use the `syncope-ext-swagger-ui` to generate the swagger 
> documentation.
>
>  
>
> When I run mvn clean package in the core module, I do not see 
> swagger-ui docs or config generated. I also ran the build with the `all` 
> profile but it did not notice any difference.
>
>  
>
> I'm wondering if you could point me to some documentation on how to 
> enable / generate swagger docs for a standalone deployment of the core module?
>
> Here you can find some docs about building Syncope in general [1]. To 
> enable the swagger extension please follow [2], "Enable the Swagger 
> extension" section. You can find swagger docs available at 
> [protocol]://[host]:[port]/syncope-swagger/
>
>  
>
> Thanks
>
> anmol
>
> HTH,
> Andrea
>
> [1] https://syncope.apache.org/building
>
> [2] 
> https://syncope.apache.org/docs/2.1/reference-guide.html#customization-core
>
>  
>
>
>  
>
> -- 
>
> - Anmol 
>
> -- 
>
> Dott. Andrea Patricelli
>
> Tel. +39 3204524292
>
>  
>
> Engineer @ Tirasa S.r.l.
>
> Viale Vittoria Colonna 97 - 65127 Pescara
>
> Tel +39 0859116307 / FAX +39 085973
>
> http://www.tirasa.net
>
>  
>
> Apache Syncope PMC Member
>


-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Resource specific counters in Syncope

2020-10-09 Thread Francesco Chicchiriccò
On 07/10/20 14:45, Martin van Es wrote:
> Hi Francesco,
>
> Thx for the quick reply!
>
> On Wed, Oct 7, 2020 at 11:18 AM Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>
> Hi Martin,
> so you'd want to keep different counters for different External 
> Resources, and inject appropriate values from such counters during 
> propagation, to populate attributes such as uidNumber and gidNumber, for 
> example.
>
>
> Yes
>
> I think it can be as straightforward as (1) defining appropriate 
> configuration parameters to hold counter values and (2) creating 
> PropagationActions classes to implement the value injection and counter 
> increment logic.
>
>
> Which implies development effort (albeit a little)? Would there be a 
> "lightweight" possibility via scripts?

Yes, you can implement PropagationActions [1] in Groovy.

> Would the configuration parameters be like External Resource specific 
> variables that can be manipulated at will?

My suggestion was to add and manipulate some additional Configuration Parameters 
[2], beyond the predefined set.

Regards.

[1] http://syncope.apache.org/docs/2.1/reference-guide.html#propagationactions
[2] 
http://syncope.apache.org/docs/2.1/reference-guide.html#configuration-parameters

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Apples OpenDirectory

2020-09-30 Thread Francesco Chicchiriccò
On 30/09/20 11:16, Henri44 wrote:
> Sorry, the LDAPS question is still open, I misclicked somewhat...

To solve this you should simply import the LDAPS certificate (or the CA 
certificate that signed the LDAPS certificate) into the configured trust store 
for Tomcat, or even into JDK's cacerts.

HTH
Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
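
One way to carry out the import described in the reply above, as an added example that is not part of the original thread: the certificate file is checked against a SHA-256 fingerprint obtained out of band before it is added to the trust store. The function names, the alias, the paths and the `TRUSTSTORE_PASS` environment variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Alias, paths and TRUSTSTORE_PASS are assumptions.

# Print a PEM certificate's SHA-256 fingerprint as bare upper-case hex.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# truststore_has ALIAS TRUSTSTORE: succeeds if the alias is present.
truststore_has() {
    keytool -list -alias "$1" -keystore "$2" \
        -storepass:env TRUSTSTORE_PASS >/dev/null 2>&1
}

# import_ldaps_cert PEM EXPECTED_SHA256 ALIAS TRUSTSTORE
# Returns 0 after a verified import, 1 on unreadable input,
# 2 when the file does not match the fingerprint obtained out of band.
import_ldaps_cert() {
    pem=$1; expected=$2; alias=$3; store=$4
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    actual=$(cert_sha256 "$pem")
    [ -n "$actual" ] || { echo "not a PEM certificate: $pem" >&2; return 1; }

    wanted=$(printf '%s' "$expected" | tr -d ':' | tr 'a-f' 'A-F')
    if [ "$actual" != "$wanted" ]; then
        echo "fingerprint mismatch, refusing to import: $actual" >&2
        return 2
    fi

    # -storepass:env keeps the password out of the process list.
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$pem" -keystore "$store" \
        -storepass:env TRUSTSTORE_PASS >/dev/null || return 1
    truststore_has "$alias" "$store"
}
```

Tomcat's JVM then needs to be pointed at that store, for example through the standard `javax.net.ssl.trustStore` system property. Importing into the JDK's `cacerts` instead makes the certificate trusted by every application running on that JDK.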



Re: Apples OpenDirectory

2020-09-30 Thread Francesco Chicchiriccò
On 30/09/20 09:43, Henri44 wrote:
> Hi Francesco,
>
> I fix it in the meantime, thanks, will now try the password stuff.

Glad to hear this!

Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


