On 19/04/2013 09:34, Martin van Es wrote:
Hi Francesco,
On Fri, Apr 19, 2013 at 8:27 AM, Francesco Chicchiriccò
<[email protected]> wrote:
On 18/04/2013 20:12, Martin van Es wrote:
On Tue, Apr 16, 2013 at 2:37 PM, Francesco Chicchiriccò
<[email protected]> wrote:
On 16/04/2013 14:26, Martin van Es wrote:
I was wondering if it's possible to automatically
provision certain resource for one account based on a
condition (attribute) set in the source resource.
Hi Martin,
I've understood that you want to assign upon synchronization
role A, B or C to users from a CSVDir resource where A has
assigned a LDAP resource, B a DB resource and C both. Is this
correct?
If so, you need to define a SyncJobActionsClass [1] or
SyncActionsClass [2] (depending on the Syncope version you
are running) and implement the logic "assign role A, B or C
to synchronizing user" in the before() method.
I was googling on syncope role membership and found this snippet
on [1]
> The possible implementations could be:
> 1. I could ignore role/membership attribute mappings during
> synchronization (this is the current implementation ---> no issue
> to open)
> 2. I can try to synchronize this information also:
> a. Role attribute mappings could be used to assign syncope roles
> dynamically during synchronization
Example, again: let's suppose we are synchronizing an LDAP user user1
with memberOf "cn=B,ou=groups,dc=tirasa,dc=net"; in this case Syncope
will try to assign role B (i.e. Syncope role with same value of
"membershipsOnLDAP") to Syncope user matching user1 on LDAP.
This would match my question for conditional resources. Since you
participated in this thread and it's more than a year old, can you tell me what
the status of implementation 2 is? Is it completely off radar?
Basically, with LDAP and Active Directory connectors, you can
actually propagate / synchronize memberships from / to Syncope by
empowering two specific action classes
(LDAPMembershipPropagationActions and LDAPMembershipSyncActions),
and a good schema mapping that will include both user and role
mapping.
This is not what I mean, the part of the thread I'm referring to is
the example: By being member of "cn=B,ou=groups,dc=tirasa,dc=net",
Syncope would try to assign role B to syncope user, based on the match
in the role attribute membershipsOnLDAP. If this was implemented (and
extended to a role attribute value in the synchronisation source e.g.)
I would have a way of conditionally provision resources to users (by
mapping resources to the matched role). I see your objections further
in the discussion that it would be a very complicated logistic process
managing all requirements of mandatory attributes following the role
assignment, but in the simple case it would be a very handy way of
conditionally propagating users to resources (not memberships on
resources).
Nope: if this is what you are asking, I can only repeat my first answer
above: implement this logic in a SyncActionsClass.
As said, LDAP is a very particular case, because of the extended
capabilities of the associated connector.
Regards.
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/