On 27/10/2015 17:28, Smith, Bruce (Mr) wrote:
Hi,
My setup is successfully pulling users from a ScriptedSQL resource and
linking them to an LDAP resource. When the synchronization task first
creates a user on AD via the LDAP resource, it goes through
successfully. However if I go through the users and find those that
weren't propagated to AD, because of missing OUs or containers, I
cannot propagate because it complains about a missing mandatory
attribute __PASSWORD__. It does this as well if I run the
synchronization task with the Full Reconciliation button ticked to try
and redo all the users that were missed.
IllegalArgumentException: Not attempted because there are mandatory
attributes without value(s): [__PASSWORD__]
java.lang.IllegalArgumentException: Not attempted because there are
mandatory attributes without value(s): [__PASSWORD__]
If I look in the Syncope database, there is a password hash in the
database table.
Where should I be looking for this problem, at the connectors or
resource definitions?
Essentially, your flow is LDAP -> Syncope -> AD, right?
Unless you have selected AES as cipher algorithm, Syncope will not have
access to a cleartext password value to send to Active Directory, thus
the error reported above.
Solution: set 'AES' for 'password.cipher.algorithm' under general
configuration parameters.
I’m picking up another error message: if I try to delete a user, it
pops up a red bar with "Cannot commit when autoCommit is enabled" and
doesn’t delete the user. I think it is related to the LDAP resource
because I get the same message if I remove the resource from the user.
The user is deleted from the AD and if I close the edit user interface
and reopen it, the resource is no longer allocated to the user. I can
then delete the user successfully. This is more an annoyance right now
than a major problem, but I’d like to resolve it.
Are you using MySQL for internal storage? This sounds like an
inconsistency I've experienced before.
If so, be sure to work with InnoDB.
The ScriptedSQL resource is set up to only allow propagation from the
scripts into Syncope and I’ve only implemented the Schema, Sync,
Search and Test scripts. The LDAP resource is set up to only allow
propagation from Syncope to AD and not to create users and roles in
Syncope if they exist only on the AD.
I’d appreciate any help in guiding me here.
HTH
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
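The point behind Francesco's answer, as an added illustration that is not part of the thread and not Syncope code: Active Directory requires a cleartext value for __PASSWORD__ on create, so propagation can only succeed if the identity manager stored the password in a form it can reverse. A one-way hash (SHA-1, SHA-256) gives the propagation task nothing to send, which is exactly the "mandatory attributes without value(s): [__PASSWORD__]" failure; a reversible cipher (Syncope's 'AES' setting) does, at the cost that anyone holding the internal database together with the cipher key can recover every password. The script below models both storage modes and the propagation decision. The reversible cipher is a stand-in built from an HMAC-SHA256 keystream and XOR, not AES, chosen so the example runs with the standard library only; the key, user record and function names are assumptions made for the example.

```python
"""Added example (not from the Syncope thread or the Syncope code base).

Models why a CREATE on Active Directory fails when internal storage only
holds a one-way password hash, and succeeds when the password was stored
with a reversible cipher. The "REVERSIBLE" mode below is a stand-in for
Syncope's 'AES' setting: HMAC-SHA256 keystream XORed with the cleartext.
It is NOT AES and only models the property that matters here (the
cleartext is recoverable with the key). All names/values are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample key (assumption): plays the role of the cipher key an
# identity manager would keep in its configuration for reversible storage.
MASTER_KEY = b"0123456789abcdef"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream from HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def store_password(cleartext: str, algorithm: str) -> Dict[str, str]:
    """Store a password as an identity manager would, depending on the cipher algorithm."""
    data = cleartext.encode()
    if algorithm in ("SHA1", "SHA256"):
        # One-way: the original value cannot be recovered from this.
        digest = hashlib.new(algorithm.lower(), data).hexdigest()
        return {"algorithm": algorithm, "value": digest}
    if algorithm == "REVERSIBLE":  # stand-in for Syncope's 'AES'
        nonce = secrets.token_bytes(16)
        ks = _keystream(MASTER_KEY, nonce, len(data))
        ct = bytes(a ^ b for a, b in zip(data, ks))
        return {"algorithm": algorithm, "value": nonce.hex() + ":" + ct.hex()}
    raise ValueError("unknown password cipher algorithm: " + algorithm)


def recover_cleartext(stored: Dict[str, str]) -> Optional[str]:
    """Return the cleartext if the stored form is reversible, otherwise None."""
    if stored["algorithm"] != "REVERSIBLE":
        return None
    nonce_hex, ct_hex = stored["value"].split(":")
    nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    ks = _keystream(MASTER_KEY, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()


class PropagationError(Exception):
    """Raised when a mandatory target attribute has no value to send."""


def build_ad_create(user: Dict[str, str], stored: Dict[str, str]) -> Dict[str, str]:
    """Build the attribute set for a CREATE on AD, where __PASSWORD__ is mandatory."""
    attrs = {"sAMAccountName": user["username"], "cn": user["username"]}
    cleartext = recover_cleartext(stored)
    if cleartext is None:
        # Same situation as the error in the thread: nothing to send for __PASSWORD__.
        raise PropagationError(
            "Not attempted because there are mandatory attributes without value(s): [__PASSWORD__]"
        )
    attrs["__PASSWORD__"] = cleartext
    return attrs


def propagation_fails(user: Dict[str, str], stored: Dict[str, str]) -> bool:
    """True if the CREATE would be refused for a missing mandatory attribute."""
    try:
        build_ad_create(user, stored)
        return False
    except PropagationError:
        return True


if __name__ == "__main__":
    # Constructed sample user and password (not real credentials).
    user = {"username": "bsmith"}
    for algorithm in ("SHA256", "REVERSIBLE"):
        stored = store_password("S3cret!", algorithm)
        print(algorithm, "-> propagation fails:", propagation_fails(user, stored))
```

Switching to reversible storage is the fix the thread recommends, but it changes what a database compromise means: with one-way hashes an attacker must crack each password, with reversible storage they only need the key. Keep that key out of the database dump path and restrict who can read the configuration holding it.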