On 11/11/2013 00:22, jeverling wrote:
> Hello Ilgrosso,
> After struggling for a while with the LDAP and AD connectors I kept wondering why the LDAP
> connector doesn't search for groups with "Group Name Attributes" instead of "Uid
> Attribute".
> I was hoping you could illustrate to me why it searches on "Uid Attribute"; it makes
> me curious.
Hi,
if you are interested in ConnId LDAP connector internals, I'd suggest
subscribing to [email protected] and moving this discussion there.
> Also it seems to me now that the only way to set up a successful user and
> group (de)prov with one connector is by using a cn as your username in Syncope
> itself (and probably in LDAP as well for best practice). When using the uid
> value it creates a strange search query (see below). As cn=Guus Geluk it won't
> find any results since it is searching for the uid value (uid=guus).
From the log below I see that the search is being performed with filter
(besides object classes):
(&&(cn=guus)(uid=*))
which looks correct, e.g. searching for any user with any value for uid
and 'guus' as cn.
AFAIK there is no need to have LDAP cn == Syncope username - I'd
recommend it, though.
> I haven't found a connector configuration which fixes this yet, so I thought
> you might have an idea. Since I also haven't seen any other questions about
> this scenario, I am starting to wonder if this is such a unique scenario,
> using uids in Syncope as well as in LDAP.
> When using two connectors the user and group (de)prov goes well. Except the
> memberships don't seem to get propagated or synchronized from the LDAP server.
> I will try a bit harder to get this (and the one connector) setup
> working this week. If you like I can keep you posted.
As recently remembered in this mailing list [1], the 'membership'
concept is not handled by ConnId, so you need some additional setup in
Syncope to keep memberships when propagating and / or synchronizing.
In case of LDAP you need to:
1. choose
org.apache.syncope.core.propagation.impl.LDAPMembershipPropagationActions as
Actions Class in the External Resource configuration
2. choose org.apache.syncope.core.sync.impl.LDAPMembershipSyncActions
as Actions Class in the Synchronization Task configuration
These steps are illustrated in the suggested LDAP configuration of my
post [2] where, however, I'm using a single resource for both users
and roles.
The configuration suggested in that post has been checked and proven
working, so it should be a good starting base.
HTH
Regards.
> 23:55:25.647 DEBUG
> org.connid.bundles.ldap.search.DefaultSearchStrategy.doSearch Searching in
> [ou=Persons,dc=apds,dc=test,dc=nl, ou=Groups,dc=apds,dc=test,dc=nl] with
> filter
> (&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=extensibleObject))(cn=guus)(uid=*))
> and SearchControls: {returningAttributes=[cn, description, email, gidNumber,
> givenName, homeDirectory, sn, uidNumber, userPassword], scope=SUBTREE}
[1] http://syncope-user.1051894.n5.nabble.com/Synchronizing-role-membership-with-the-scripted-SQL-connector-tp5707397p5707403.html
[2] http://blog.tirasa.net/blogs/index.php/ilgrosso/unlock-full-ldap-features-in
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
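As an added illustration (not code from this thread, from ConnId or from Syncope), here is a small Python evaluator for the kind of search filter shown in the log above, run over two constructed directory entries. It shows why a filter built from the Syncope username "guus" on the configured "Uid Attribute" (cn) matches an entry whose cn is "guus" but not one whose cn is "Guus Geluk", regardless of that entry's uid value.

```python
import re
# Constructed sample entries (not from the original thread) as (dn, attributes).
# The first is the case from the thread: cn "Guus Geluk" with uid "guus".
ENTRIES = [
    ("cn=Guus Geluk,ou=Persons,dc=example,dc=test",
     {"objectClass": ["inetOrgPerson", "posixAccount", "extensibleObject"],
      "cn": ["Guus Geluk"], "uid": ["guus"]}),
    ("cn=guus,ou=Persons,dc=example,dc=test",
     {"objectClass": ["inetOrgPerson", "posixAccount", "extensibleObject"],
      "cn": ["guus"], "uid": ["guus"]}),
]
# Supported filter grammar (RFC 4515 subset): (&...), (|...), (attr=value), (attr=*).
_SIMPLE = re.compile(r"([A-Za-z][\w;.-]*)=([^)]*)\)")

def _parse(s):
    """Parse one filter component at the start of s; return (node, remainder)."""
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    s = s[1:]
    if s[:1] in ("&", "|"):
        op, s, children = s[0], s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unterminated compound filter")
        return (op, children), s[1:]
    m = _SIMPLE.match(s)
    if not m:
        raise ValueError(f"bad simple filter at {s!r}")
    return ("=", m.group(1), m.group(2)), s[m.end():]

def matches(node, attrs):
    """Evaluate a parsed filter; names and values compare case-insensitively."""
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(c, attrs) for c in node[1])
    _, attr, value = node
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    if value == "*":           # presence filter, e.g. (uid=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def search(filter_text, entries=ENTRIES):
    """Return the DNs of entries matching filter_text, in directory order."""
    node, rest = _parse(filter_text.strip())
    if rest:
        raise ValueError(f"trailing data {rest!r}")
    return [dn for dn, attrs in entries if matches(node, attrs)]
```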