This seems strange to me, Fabio.
Are you saying that when we remove the last role assignment on a user, the
user will be deleted! Why?
If the following relationships exist
User1/RoleA and RoleA/ResourceK
then you have indirectly defined the following one
User1/ResourceK
When you change something to remove this relationship, Syncope will
interpret this operation as a de-provisioning request.
I mean, currently a resource unlinking implies a de-provisioning.
This behavior has to be changed; please, take a look at
https://issues.apache.org/jira/browse/SYNCOPE-393
Kind regards,
F.
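To make the indirect assignment Fabio describes concrete, here is an added illustration (not Syncope code, not from anyone in the thread): a small model of user/role/resource assignments that computes a user's effective resources and reports which of them a membership removal would unlink. Under the 1.1 behaviour described above, each unlinked resource is one the user would be de-provisioned from. All names (User1, User2, RoleA, RoleB, ResourceK, ResourceM) are made-up sample data; it also shows the case where a direct assignment or another role keeps the resource linked.

```python
"""
Added illustration, not Syncope's own code: models the indirect
user -> role -> resource assignment described in the thread and reports
which resources a membership removal would unlink. All names (User1,
RoleA, ResourceK, ...) are made-up sample data.
"""
from dataclasses import dataclass, field


@dataclass
class AssignmentModel:
    # role name -> resources assigned directly to the role
    role_resources: dict = field(default_factory=dict)
    # user name -> resources assigned directly to the user
    user_resources: dict = field(default_factory=dict)
    # user name -> roles the user is a member of
    memberships: dict = field(default_factory=dict)

    def effective_resources(self, user, roles=None):
        """Resources the user ends up provisioned on: direct ones plus
        those inherited through each role (User1/RoleA + RoleA/ResourceK
        gives User1/ResourceK). `roles` overrides the stored memberships
        so a hypothetical membership set can be evaluated."""
        if roles is None:
            roles = self.memberships.get(user, set())
        resources = set(self.user_resources.get(user, set()))
        for role in roles:
            resources |= self.role_resources.get(role, set())
        return resources

    def unlinked_by_removal(self, user, role):
        """Resources no longer assigned (directly or via any remaining
        role) once `role` is removed from `user`. With the Syncope 1.1
        behaviour described in the thread (unlink implies de-provisioning)
        these are the resources the user would be deleted from."""
        before = self.effective_resources(user)
        remaining = self.memberships.get(user, set()) - {role}
        after = self.effective_resources(user, remaining)
        return sorted(before - after)


def sample_model():
    """Constructed sample: Fabio's User1/RoleA/ResourceK case, plus a
    second user who also holds ResourceK directly and via a second role."""
    return AssignmentModel(
        role_resources={"RoleA": {"ResourceK"},
                        "RoleB": {"ResourceK", "ResourceM"}},
        user_resources={"User2": {"ResourceK"}},
        memberships={"User1": {"RoleA"}, "User2": {"RoleA", "RoleB"}},
    )


if __name__ == "__main__":
    m = sample_model()
    for user, role in (("User1", "RoleA"), ("User2", "RoleA"), ("User2", "RoleB")):
        lost = m.unlinked_by_removal(user, role)
        verdict = ("de-provisioned from " + ", ".join(lost)) if lost else "no resource unlinked"
        print(f"remove {role} from {user}: {verdict}")
```

Removing RoleA from User1 unlinks ResourceK (the case in the thread), while removing RoleA from User2 unlinks nothing because the direct assignment and RoleB still carry ResourceK; only the resources that drop out of the effective set are candidates for de-provisioning.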
So now I'm confused Fabio ;-)
1) I assign a role to a user
2) I remove the role from the user by membership
3) the user is not deprovisioned on ldap or syncope (as I would expect
and want)
(the capability one phase delete is ENABLED on the resource)
Am I missing your point?
rgds,
Nik
1)
[nik@anvil conf]$ curl -u admin:password -H "Content-Type:
application/json" -X GET
http://10.0.0.183:9090/syncope/cxf/users/?username={nik}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user>
<attributes>
<attribute>
<readonly>false</readonly>
<schema>surname</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>userid</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>firstname</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>fullname</schema>
<value>nik</value>
</attribute>
</attributes>
<derivedAttributes/>
<id>151</id>
<propagationStatuses/>
<virtualAttributes/>
<creationDate>2013-06-20T16:58:48.432Z</creationDate>
<failedLogins>0</failedLogins>
<memberships>
<membership>
<attributes/>
<derivedAttributes/>
<id>102</id>
<propagationStatuses/>
<virtualAttributes/>
<resources/>
<roleId>200</roleId>
<roleName>Collaborator</roleName>
</membership>
</memberships>
<password>91B23070527A73EB3B9E22E925CBB547D294464C</password>
<status>active</status>
<username>nik</username>
</user>
[nik@anvil conf]$
it gets propagated to ldap:
-bash-4.1# ldapsearch -p 1389 -D"cn=directory manager" -w welcome
-bou=people,o=usharesoft uid=nik isMemberOf
dn: uid=nik,ou=people,o=UShareSoft
isMemberOf: cn=Collaborator,ou=groups,o=usharesoft
2)
[nik@anvil conf]$ curl -u admin:password -H "Content-Type:
application/xml" -X POST http://10.0.0.183:9090/syncope/cxf/users/{151}
-d @/tmp/nik.rolemod2
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user>
<attributes>
<attribute>
<readonly>false</readonly>
<schema>surname</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>userid</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>firstname</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>fullname</schema>
<value>nik</value>
</attribute>
</attributes>
<derivedAttributes/>
<id>151</id>
<propagationStatuses>
<propagationStatus>
<afterObj>
<attributes>
<attribute>
<readonly>false</readonly>
<schema>givenName</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>__UID__</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>__NAME__</schema>
<value>uid=nik,ou=people,o=usharesoft</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>sn</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>__PASSWORD__</schema>
<value></value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>cn</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>__ENABLE__</schema>
<value>true</value>
</attribute>
</attributes>
</afterObj>
<beforeObj>
<attributes>
<attribute>
<readonly>false</readonly>
<schema>givenName</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>__UID__</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>__NAME__</schema>
<value>uid=nik,ou=people,o=usharesoft</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>sn</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>__PASSWORD__</schema>
<value></value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>cn</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>__ENABLE__</schema>
<value>true</value>
</attribute>
</attributes>
</beforeObj>
<resource>uforge_ldap</resource>
<status>SUCCESS</status>
</propagationStatus>
</propagationStatuses>
<virtualAttributes/>
<creationDate>2013-06-20T16:58:48.432Z</creationDate>
<failedLogins>0</failedLogins>
<memberships/>
<password>91B23070527A73EB3B9E22E925CBB547D294464C</password>
<status>active</status>
<username>nik</username>
</user>
[nik@anvil conf]$
[nik@anvil conf]$ cat /tmp/nik.rolemod2
<userMod>
<id>151</id>
<membershipsToBeRemoved><membership>102</membership></membershipsToBeRemoved>
</userMod>
[nik@anvil conf]$
3)
-bash-4.1# ldapsearch -p 1389 -D"cn=directory manager" -w welcome
-bou=people,o=usharesoft uid=nik isMemberOf
dn: uid=nik,ou=people,o=UShareSoft
-bash-4.1# ldapsearch -p 1389 -D"cn=directory manager" -w welcome
-bou=people,o=usharesoft uid=nik
dn: uid=nik,ou=people,o=UShareSoft
userPassword: {SHA}wLE3/i15JFnyb/djzORFdKW1qwM=
mail: [email protected]
givenName: nik
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
uid: nik
description: Active
cn: nik
sn: nik
-bash-4.1#
[nik@anvil conf]$ curl -u admin:password -H "Content-Type:
application/json" -X GET
http://10.0.0.183:9090/syncope/cxf/users/?username={nik}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user>
<attributes>
<attribute>
<readonly>false</readonly>
<schema>surname</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>userid</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>firstname</schema>
<value>nik</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>fullname</schema>
<value>nik</value>
</attribute>
</attributes>
<derivedAttributes/>
<id>151</id>
<propagationStatuses/>
<virtualAttributes/>
<creationDate>2013-06-20T16:58:48.432Z</creationDate>
<failedLogins>0</failedLogins>
<memberships/>
<password>91B23070527A73EB3B9E22E925CBB547D294464C</password>
<status>active</status>
<username>nik</username>
</user>
[nik@anvil conf]$
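A practical way to read responses like the one above is to look at each propagationStatus: whether the remote object is reported before and after the operation tells you if the resource entry was updated or actually removed. The following is an added illustration (not part of the thread and not Syncope code) that parses a Syncope 1.1-style user response and classifies each propagation. The sample response is a trimmed, constructed version of the one posted above, with a second, invented resource (other_ldap) added to show a deletion; the rule "beforeObj present and afterObj missing means the remote object was deleted" is an assumption about how the status is populated.

```python
"""
Added illustration, not part of the thread or of Syncope: parses a
Syncope 1.1-style user response and classifies every propagationStatus
from the presence of beforeObj/afterObj. SAMPLE_RESPONSE is a trimmed,
constructed copy of the response posted in the thread plus an invented
"other_ldap" resource. The beforeObj/afterObj -> outcome mapping is an
assumption about how the status is populated.
"""
import xml.etree.ElementTree as ET

SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user>
  <id>151</id>
  <propagationStatuses>
    <propagationStatus>
      <afterObj><attributes>
        <attribute><schema>__NAME__</schema><value>uid=nik,ou=people,o=usharesoft</value></attribute>
        <attribute><schema>__ENABLE__</schema><value>true</value></attribute>
      </attributes></afterObj>
      <beforeObj><attributes>
        <attribute><schema>__NAME__</schema><value>uid=nik,ou=people,o=usharesoft</value></attribute>
        <attribute><schema>__ENABLE__</schema><value>true</value></attribute>
      </attributes></beforeObj>
      <resource>uforge_ldap</resource>
      <status>SUCCESS</status>
    </propagationStatus>
    <propagationStatus>
      <beforeObj><attributes>
        <attribute><schema>__NAME__</schema><value>uid=nik,ou=people,o=other</value></attribute>
      </attributes></beforeObj>
      <resource>other_ldap</resource>
      <status>SUCCESS</status>
    </propagationStatus>
  </propagationStatuses>
  <memberships/>
  <status>active</status>
  <username>nik</username>
</user>
"""


def _attrs(obj):
    """schema -> value for a beforeObj/afterObj element; None if absent."""
    if obj is None:
        return None
    return {a.findtext("schema"): a.findtext("value") for a in obj.iter("attribute")}


def classify_propagations(xml_text):
    """Per resource: propagation status and what happened to the remote
    object, inferred from which of beforeObj/afterObj are present."""
    root = ET.fromstring(xml_text)
    result = {}
    for ps in root.iter("propagationStatus"):
        before = _attrs(ps.find("beforeObj"))
        after = _attrs(ps.find("afterObj"))
        if before is not None and after is None:
            outcome = "deleted"   # remote object gone: a de-provisioning
        elif before is None and after is not None:
            outcome = "created"
        elif before is not None and after is not None:
            outcome = "updated"   # still present, as Nik saw on LDAP
        else:
            outcome = "unknown"
        result[ps.findtext("resource")] = {
            "status": ps.findtext("status"),
            "outcome": outcome,
            "remote_name": (after or before or {}).get("__NAME__"),
            "enabled": (after or {}).get("__ENABLE__"),
        }
    return result


def memberships_left(xml_text):
    """Number of memberships the user still has in the response."""
    root = ET.fromstring(xml_text)
    return len(root.findall("./memberships/membership"))


if __name__ == "__main__":
    for resource, info in classify_propagations(SAMPLE_RESPONSE).items():
        print(resource, info)
    print("memberships left:", memberships_left(SAMPLE_RESPONSE))
```

For the response posted in the thread this reports uforge_ldap as SUCCESS/updated with __ENABLE__ still true and zero memberships left, which matches the ldapsearch output: the entry is still there, only isMemberOf is gone. A "deleted" outcome is what the unlink-implies-deprovisioning behaviour referenced in SYNCOPE-393 would produce.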