Hi Giancarlo, there are some configurations that you have to change.
Please find my comments in-line.
On 10/06/2013 17:03, Giancarlo Dessena wrote:
Hi Fabio,
thank you for your reply :)
Maybe I should try to explain in more detail what I want to achieve,
to avoid misunderstandings:
+------------------------------------------------------+
| Syncope                                              |
|                                                      |
|   +---------------+        +---------------+         |     +------+
|   | LDAP Service  |        | DB-Resource A |-------------->| DB A |
|   |               |        +---------------+         |     +------+
|   | CN=de,CN=co   |                                  |
|   | OU=Extern     |        +---------------+         |     +------+
|   +---------------+        | DB-Resource B |-------------->| DB B |
|           ^                +---------------+         |     +------+
+-----------|------------------------------------------+
            | authentication
       +---------+
       |  Forum  |
       +---------+
I have a number of registered users spread across multiple PostgreSQL
databases.
There are now a couple of applications which these users need access
to (e.g. a forum).
To achieve this I want to set up an LDAP service for authentication
purposes (read-only access).
The user tables in the databases look as follows:
+--------------------+
| email | password |
|--------------------|
| ... | ... |
+--------------------+
So, following your advice, I started setting up Syncope again:
1. Set up a DB Connector for Database A
Step 1 causes your sync problem.
I suppose you missed the connector capabilities (last tab on the connector
configuration modal page).
If you want to perform a full reconciliation on this connector you have
to check the "search" capability.
If you think you will be able to perform a sync (remember the changelog column)
you can also check the "sync" capability.
Anyway, the "search" capability is mandatory in any case: provisioning
(create/update/delete - one/two phase) and sync.
Keep all capabilities unchecked if you want to disable operations onto
the resource.
2. Added a new Resource referencing Connector A called "Users DB A"
3. Created a Mapping for the Resource "Users DB A"
+--------+------------------------+---------------------+---------------------+-----------+-----------+
| entity | internal mapping types | Internal Attributes | External Attributes | Mandatory | AccountId |
|--------+------------------------+---------------------+---------------------+-----------+-----------|
| user   | UserId                 | -                   | -                   | true      | YES       |
| user   | Password               | -                   | -                   | -         | -         |
| user   | UserSchema             | email               | email               | true      | -         |
| user   | UserSchema             | fullname            | email               | true      | -         |
| user   | UserSchema             | surname             | email               | true      | -         |
+--------+------------------------+---------------------+---------------------+-----------+-----------+
This mapping is not quite correct (at least from a semantic point of view).
I suggest that you map only the needed attributes.
+--------+------------------------+---------------------+---------------------+-----------+-----------+
| entity | internal mapping types | Internal Attributes | External Attributes | Mandatory | AccountId |
|--------+------------------------+---------------------+---------------------+-----------+-----------|
| user   | UserId                 | -                   | -                   | true      | YES       |
| user   | Password               | -                   | -                   | -         | -         |
+--------+------------------------+---------------------+---------------------+-----------+-----------+
Anyway, this is not your sync problem (see step 1).
4. Add a new LDAP Resource + Account Link
Have you instantiated an LDAP connector for this resource?
5. Added the sync tasks (this is the point where I'm stuck):
I've set up a task called "sync users A", which for now should do a
full reconciliation of Database A:
+-----------------------+---------------------+
| name                  | sync users A        |
| resource name         | Users DB A          |
| action class          | Default Sync Action |
| create new identities | check               |
| updating identities   | check               |
| full reconciliation   | check               |
+-----------------------+---------------------+
Then I edited the user template. To keep it simple, all attributes were
set to email.
Change email to userId: it is the only one I suggested mapping (see step 3).
+-----------------------+---------------------+
| Details Tab                                 |
|-----------------------+---------------------|
| Username              | email               |
| password              | password            |
+-----------------------+---------------------+
| Attributes Tab                              |
|-----------------------+---------------------|
| email                 | email               |
| fullname              | email               |
| surname               | email               |
| userId                | email               |
+-----------------------+---------------------+
| Resources Tab                               |
|-----------------------+---------------------|
| Selected Resources    | Users DB A          |
+-----------------------+---------------------+
Try again with the suggested changes (be sure to take care of the capabilities).
Now it should work fine.
Best regards,
F.
Unfortunately no users are added during sync. See log:
Users [created/failures]: 0/0 [updated/failures]: 0/0
[deleted/failures]: 0/0
Roles [created/failures]: 0/0 [updated/failures]: 0/0
[deleted/failures]: 0/0
Users created:
Users updated:
Users deleted:
Roles created:
Roles updated:
Roles deleted:
I feel so close to solving this riddle, must be some little detail I'm
missing.
Do you see what it could be?
Greetings Carlo
On 10.06.2013 at 11:05, Fabio Martelli <[email protected]> wrote:
On 10/06/2013 10:25, Giancarlo Dessena wrote:
So I reduced the default schema to just userid and password to see
if it could be a mapping error.
Unfortunately I still get the errors :/
Does anybody have a sample setup for the default standalone schema?
Hi Giancarlo, I cannot understand your scenario.
Are you trying to synchronize users between sql (postgresql) and ldap?
Maybe I'm wrong, but it seems that you have specified a single target
resource to achieve this.
Let me summarize (at high level abstraction) the steps to sync a db
resource with an ldap resource:
1. add and configure your db connector
2. add a new resource referencing the connector above
3. create your mapping (DO NOT specify any AccountLink)
4. add and configure a new ldap connector
5. add a new resource referencing the ldap connector above
6. create your ldap mapping and specify the account link
If you want to sync from resource A and propagate synced users to B
you have to change the configuration of A's user template by
specifying B as the resource to be assigned by default to each synced
user (resources tab of A's user template).
If you want to sync from a DB resource you need a changelog column on
your db.
If you don't have any changelog column you cannot perform an
incremental sync but just a full reconciliation (configure it on
resource configuration). Please, consider that a full reconciliation
won't synchronize delete operations.
Go on step-by-step and let me know about your progress.
Best regards,
F.
Greetings Carlo
On 07.06.2013 at 18:50, Giancarlo Dessena <[email protected]> wrote:
Okay, I did some research myself.
I'm pretty sure that I'm just missing a little detail.
I tried experimenting with executing the propagation and
synchronization tasks.
When I try to run the Propagation Task I got the following exception:
org.identityconnectors.framework.common.exceptions.ConnectorException:
Creation failed
When I try to synchronize I get the following exception:
org.quartz.JobExecutionException: While syncing on connector [See
nested exception: java.lang.IllegalArgumentException: Changelog
column name configuration property is empty.]
Some additional info to my setup:
The connector I have configured connects against a postgresql database.
The resource has been tried out with the action classes
DefaultPropagationAction and LDAPMembershipPropagationActions.
I tried setting and unsetting the account link to a custom OU.
None of the above configuration changes got me near to populating
the LDAP with the users from the database.
I should point out that, besides adding the Connector and the
Resource, no changes were made to the default setup of the
Standalone package.
I'm wondering if I'm missing some vital detail of the Syncope
concept. When adding an external resource can I really expect it to
be populated to the LDAP shipped within the default package?
I'm totally lost here some hints would be nice
Thank you
Carlo :)
On 07.06.2013 at 14:09, Giancarlo Dessena <[email protected]> wrote:
Hello everybody,
I have to anticipate that I'm pretty new to LDAP and Syncope,
so please forgive me if I'm not using the right wording and/or
have misunderstood some of the concepts.
Now to my problem:
I have an external database, which contains users that have to be
integrated into LDAP.
To achieve this I have downloaded the Syncope standalone
package.
I have already set up a DB Connector which seems to work fine.
In the next step I have set up a resource that uses the previously
defined connector.
In the user mapping I have set the Account link to 'uid=' + username +
',ou=people,o=bk'
but when reloading the ldap tree the resource does not appear.
Any suggestions what is going wrong here?
Greetings Carlo
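An added example, not part of the thread above and not Syncope project code: a PostgreSQL table in the shape Carlo describes (email | password), extended with the changelog column that Fabio says the DB connector needs before an incremental sync (as opposed to a full reconciliation) can work, plus a read-only database role for the connector. The table name users_a, the role syncope_ro, the sequence-backed changelog design and the sample rows are assumptions made here; the "Changelog column name" connector property mentioned in Carlo's exception message would then be set to changelog.

```sql
-- Added example (not from the thread). Assumed names: users_a, syncope_ro.
-- A sequence rather than a timestamp is used for the changelog so that two
-- rows written in the same transaction never share a value; the connector's
-- "changed since last token" comparison is then strictly ordered.
CREATE SEQUENCE users_a_changelog_seq;

CREATE TABLE users_a (
    email     VARCHAR(255) PRIMARY KEY,
    password  VARCHAR(255) NOT NULL,
    changelog BIGINT       NOT NULL DEFAULT nextval('users_a_changelog_seq')
);

-- Bump the changelog on every INSERT and UPDATE, so that a password or
-- e-mail change is picked up by the next incremental sync run.
CREATE OR REPLACE FUNCTION users_a_touch_changelog() RETURNS trigger AS $$
BEGIN
    NEW.changelog := nextval('users_a_changelog_seq');
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER users_a_changelog_trg
    BEFORE INSERT OR UPDATE ON users_a
    FOR EACH ROW EXECUTE PROCEDURE users_a_touch_changelog();

-- Least privilege for the connector account: the thread describes a
-- read-only integration, so it gets SELECT on this table and nothing else.
CREATE ROLE syncope_ro LOGIN PASSWORD 'change-me-before-use';
GRANT SELECT ON users_a TO syncope_ro;

-- Constructed sample rows (hashes are placeholders, not real credentials).
INSERT INTO users_a (email, password) VALUES
    ('alice@example.org', 'placeholder-hash-1'),
    ('bob@example.org',   'placeholder-hash-2');
UPDATE users_a SET password = 'placeholder-hash-3' WHERE email = 'alice@example.org';

-- What an incremental sync amounts to: only rows whose changelog is greater
-- than the token saved by the previous run (here the literal 2, i.e. the
-- state after the two inserts). Alice's update is returned; Bob's row is not.
SELECT email, password, changelog
  FROM users_a
 WHERE changelog > 2
 ORDER BY changelog;
```

Two caveats from the thread apply unchanged: a row that is deleted from users_a produces no changelog entry, so neither incremental sync nor full reconciliation will remove the corresponding Syncope user, and the connector's "search" capability still has to be enabled on top of "sync" for any of this to run.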