On 04/11/2014 20:41, Manfredo Hopp wrote:
Francesco, neither P nor C:  G  (gov)

I was meaning Proof-of-Concept :-)
Anyway, just keep us updated as far as you are allowed to.

Last questions regarding this configuration: what is the need of username being mandatory if there is an accountid check (which itself is mandatory)? Isn't accountId a kind of username replacement? Maybe a more accurate explanation should arise from documents.

Username is mandatory because it is required for log-in. Account id on a given resource might or might not be mapped to username.
Account id is just the system-generated identifier for the user object.

When propagating or pushing (Syncope -> external resource) users, username is not necessarily needed. When synchronizing (external resource -> Syncope, as in your case) username is required to be provided either via mapping, user template or synchronization action.

Take a look at wiki's concepts section for some more explanation: documentation needs to be improved for sure, but this is an Open Source community so your contribution is very welcome :-)

Regards.

2014-11-04 14:36 GMT-03:00 Francesco Chicchiriccò <[email protected]>:

    Eh eh eh, thank you :-)

    Please keep us updated with the outcomes of your Syncope
    experiments (PoC?).

    Regards.


    On 04/11/2014 17:23, Manfredo Hopp wrote:
    OK Francesco THANKS TO YOU!

    you're IL GROSSO

    :)

    2014-11-04 13:20 GMT-03:00 Francesco Chicchiriccò
    <[email protected]>:

        On 04/11/2014 17:16, Manfredo Hopp wrote:
        I made it work creating a mapping for username which seems
        to be mandatory in order to create users,

        Oh, nice idea! Where did you get it from? ;-)

        so why not include it as mandatory in the mapping screen, or
        with default mapping value when I know that task is creating
        users!

        To me it looks like a configuration error, instead.
        Anyway, if you think this is an improvement, feel free to
        open an issue on JIRA and provide a patch.

        Regards.


        2014-11-04 12:53 GMT-03:00 Francesco Chicchiriccò
        <[email protected]>:

            On 04/11/2014 16:23, Manfredo Hopp wrote:
            Thanks Francesco for prompt reply!

            Ok for your testing, in my case the mentioned account
            policy is directly attached to resource used in a
            synchronization task where mapping of accountId is with
            __NAME__  (primary key of resource is Long)
            through a resource,  so maybe there is a difference in
            how accounts are created.

            Manfredo,
            when looking at the log below that says
            "username=<null>" I'd say that the problem is the
            resource user mapping (or the user template); the
            account policy says that username is not valid because
            it is null.

            HTH
            Regards.


            12:19:31.067 DEBUG
            org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler
            - Process CREATE_OR_UPDATE for 33 as ObjectClass:
            __ACCOUNT__
            12:19:31.133 DEBUG
            org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler
            - Transformed:
            org.apache.syncope.common.to.UserTO@364b2379[
            memberships=[]
            status=<null>
            token=<null>
            tokenExpireTime=<null>
            username=<null>
            lastLoginDate=<null>
            changePwdDate=<null>
            failedLogins=<null>
            securityQuestion=<null>
            securityAnswer=<null>
            resources=[sarauth2]
            propagationStatusTOs=[]
              id=0
            derAttrs=[]
            virAttrs=[]
            attrs=[org.apache.syncope.common.to.AttributeTO@7f05f8c7[
            schema=nombre
            values=[Daniel]
            readonly=false
            ], org.apache.syncope.common.to.AttributeTO@611011f7[
            schema=usrnum
            values=[33]
            readonly=false
            ], org.apache.syncope.common.to.AttributeTO@660ba0e9[
            schema=apellido
              values=[]
            readonly=false
            ], org.apache.syncope.common.to.AttributeTO@5715556[
            schema=usrnum
            values=[33]
            readonly=false
            ]]
            creator=<null>
            creationDate=<null>
            lastModifier=<null>
            lastChangeDate=<null>
            ]
            12:19:31.303 ERROR
            org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler
            - Could not create USER 33
            
org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
            SyncopeUser [Standard, InvalidUsername]


            Regards

            2014-11-04 11:23 GMT-03:00 Francesco Chicchiriccò
            <[email protected]>:

                On 04/11/2014 14:16, Manfredo Hopp wrote:
                Hi Francesco, our user database has account ids
                expressed in digits and the idea is having the
                same id in Syncope, but it seems that digits are
                not accepted since an expression like [0-9]+ throws

                19:45:50.464 ERROR
                org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler
                - Could not create USER 69
                
org.apache.syncope.core.persistence.validation.entity.InvalidEntityException:
                SyncopeUser [Standard, InvalidUsername]
                at
                
org.apache.syncope.core.persistence.validation.entity.EntityValidationListener.validate(EntityValidationListener.java:49)~[EntityValidationListener.class:?]
                at
                sun.reflect.GeneratedMethodAccessor156.invoke(Unknown
                Source) ~[?:?]

                Hi Manfredo,
                I cannot replicate this problem.

                In embedded mode from a fresh generated
                1.2.1-SNAPSHOT project I have:

                 1. created an account policy "onlyDigits" with
                only option for pattern ([0-9]+)
                 2. created a role "roleForOnlyDigits" and set it
                with the account policy above
                 3. created a new user, assigned the
                roleForOnlyDigits role, set username to "test" -
                got validation error, as expected
                 4. changed username to "12345678" - create
                completed successfully

                This specific issue is also checked by
                
org.apache.syncope.core.policy.AccountPolicyEnforcerTest#testExplicitPattern
                - see [2].

                Regards.

                2014-11-04 3:29 GMT-03:00 Francesco Chicchiriccò
                <[email protected]>:

                    On 03/11/2014 23:03, Manfredo Hopp wrote:

                        Hello, I want to create accounts ids
                        composed only by digits, and get
                        InvalidUsername as result of
                        EntityValidationListener.validate.

                        My guess is that validation is controlled
                        by AccountPolicies where I can see an
                        entry for regular expressions, which is
                        not documented,

                        Entering a regular expression doesn't
                        change anything, so what is that item for?
                        And where can I control name ids?


                    Hi,
                    you are right, the pattern option for account
                    policies - introduced with 1.2.0 - is not yet
                    reported at [1].

                    When you define a policy (account, password,
                    sync) you also need to configure for which
                    users such policy is going to be applied: if
                    created as GLOBAL policy it will be applied to
                    all users, otherwise you will need to
                    associate it to a role or a resource in order
                    to make it effective (for users owning that
                    role or assigned to that resource, clearly).

                    Additional information: when not specified,
                    the pattern for user names is
                    "[a-zA-Z0-9-_@. ]+".

                    Could you please provide more details of what
                    you are doing?

                    Regards.

                    [1]
                    
https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-AccountPolicies

                [2]
                
https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/src/test/java/org/apache/syncope/core/policy/AccountPolicyEnforcerTest.java;h=97b9d99a0ce1754d19ce49704ba8c6613326d1c0;hb=1_2_X#l87

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
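
The diagnosis reached in this thread (an InvalidUsername failure caused by a null username coming from the resource mapping or user template, not by the account policy pattern) can be automated as a log triage step. This is an added example, not code from the messages or from Syncope; the function name `triage`, the cause labels and the sample log are assumptions, with the sample constructed from the excerpt quoted above.

```python
import re

# Default username pattern as quoted in the thread.
DEFAULT_PATTERN = r"[a-zA-Z0-9-_@. ]+"
H = "org.apache.syncope.core.sync.impl.AbstractSyncopeResultHandler"
EXC = ("org.apache.syncope.core.persistence.validation.entity."
       "InvalidEntityException: SyncopeUser [Standard, InvalidUsername]")

# Constructed sample: user 33 is shortened from the thread's log,
# user 34 is invented to show the contrasting case.
SAMPLE_LOG = f"""\
12:19:31.067 DEBUG {H} - Process CREATE_OR_UPDATE for 33 as ObjectClass: __ACCOUNT__
12:19:31.133 DEBUG {H} - Transformed: org.apache.syncope.common.to.UserTO@364b2379[
username=<null>
resources=[sarauth2]
]
12:19:31.303 ERROR {H} - Could not create USER 33
{EXC}
12:19:32.010 DEBUG {H} - Process CREATE_OR_UPDATE for 34 as ObjectClass: __ACCOUNT__
12:19:32.050 DEBUG {H} - Transformed: org.apache.syncope.common.to.UserTO@1a2b3c4d[
username=daniel
resources=[sarauth2]
]
12:19:32.100 ERROR {H} - Could not create USER 34
{EXC}
"""

def triage(log_text, policy_pattern=DEFAULT_PATTERN):
    """Map each failed user key to the likely cause of InvalidUsername."""
    findings, username, failed = {}, None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Process CREATE_OR_UPDATE" in line:
            username, failed = None, None           # a new sync record starts
        elif line.startswith("username="):
            value = line[len("username="):]
            username = None if value == "<null>" else value
        elif (m := re.search(r"Could not create USER (\S+)", line)):
            failed = m.group(1)
        elif failed and "InvalidUsername" in line:
            if username is None:
                findings[failed] = "NULL_USERNAME"     # mapping/template gap
            elif not re.fullmatch(policy_pattern, username):
                findings[failed] = "PATTERN_MISMATCH"  # policy rejects value
            else:
                findings[failed] = "OTHER"             # pattern is satisfied
            failed = None
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, r"[0-9]+"))
```

A `NULL_USERNAME` result points at the resource mapping, user template or synchronization action; only `PATTERN_MISMATCH` points at the account policy itself.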
