On 28/10/2015 19:12, Smith, Bruce (Mr) wrote:
> Hi Francesco,
> Thanks for the assistance.
> I was configured for SHA1, I’ll switch over to AES and test. Sounds
> like it is probably that. The flow is Postgres DB -> Syncope -> AD
> using the LDAP connector to talk to the AD. The password comes out of
> the Postgres DB in clear text, so I assume Syncope is doing a SHA1
> hash as the user is created and that isn’t reversible to get a clear
> password for the AD step.

For usage with AD, I'd suggest replacing the LDAP connector with the AD
connector - see basic configuration info:
https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+Active+Directory+resource
and configuration reference:
https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482

> With reference to the 2nd issue, the internal storage is also
> Postgres, not MySQL.

Such an issue with PostgreSQL has been reported a few times, but was
eventually solved; you can find some references here:
https://issues.apache.org/jira/browse/SYNCOPE-606
http://syncope.markmail.org/message/h6p6mo7e7u5ygv5

HTH
Regards.

> From: Francesco Chicchiriccò
> Sent: Wednesday, October 28, 2015 3:26 PM
> To: [email protected]
> Subject: Re: __PASSWORD__ error on re-propagation to LDAP
>
>> On 27/10/2015 17:28, Smith, Bruce (Mr) wrote:
>>> Hi,
>>> My setup is successfully pulling users from a ScriptedSQL resource
>>> and links them to an LDAP resource. When the synchronization task
>>> first creates a user on AD via the LDAP resource, it goes through
>>> successfully. However, if I go through the users and find those
>>> that weren't propagated to AD, because of missing OUs or
>>> containers, I cannot propagate because it complains about a
>>> missing mandatory attribute __PASSWORD__. It does this as well if
>>> I run the synchronization task with the Full Reconciliation button
>>> ticked to try and redo all the users that were missed.
>>>
>>> IllegalArgumentException: Not attempted because there are
>>> mandatory attributes without value(s): [__PASSWORD__]
>>> java.lang.IllegalArgumentException: Not attempted because there
>>> are mandatory attributes without value(s): [__PASSWORD__]
>>>
>>> If I look in the Syncope database, there is a password hash in the
>>> database table.
>>> Where should I be looking for this problem, at the connectors or
>>> resource definitions?
>>
>> Essentially, your flow is LDAP -> Syncope -> AD, right?
>> Unless you have selected AES as cipher algorithm, Syncope will not
>> have access to a cleartext password value to send to Active Directory,
>> thus the error reported above.
>> Solution: set 'AES' for 'password.cipher.algorithm' under general
>> configuration parameters.
>>
>>> I’m picking up another error message if I try to delete a user, it
>>> pops up a red bar with "Cannot commit when autoCommit is enabled"
>>> and doesn’t delete the user. I think it is related to the LDAP
>>> resource because I get the same message if I remove the resource
>>> from the user. The user is deleted from the AD and if I close the
>>> edit user interface and reopen it, the resource is no longer
>>> allocated to the user. I can then delete the user successfully.
>>> This is more an annoyance right now than a major problem, but I’d
>>> like to resolve it.
>>
>> Are you using MySQL for internal storage? This sounds like an
>> inconsistency I've experienced before.
>> If so, be sure to work with InnoDB.
>>
>>> The ScriptedSQL resource is set up to only allow propagation from
>>> the scripts into Syncope and I’ve only implemented the Schema,
>>> Sync, Search and Test scripts. The LDAP resource is set up to only
>>> allow propagation from Syncope to AD and not to create users and
>>> roles in Syncope if they exist only on the AD.
>>> I’d appreciate any help in guiding me here.
>>
>> HTH
>> Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
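The root cause discussed in the thread (a one-way SHA1 digest in internal storage cannot be turned back into the cleartext the AD resource needs for __PASSWORD__, while a reversible cipher can) can be shown with a small model. This is an added example written for this page, not Apache Syncope's own code: the functions store_password, recover_cleartext, verify_password and build_ad_propagation_attrs, the user bsmith and the DN layout are assumptions. Since the Python standard library has no AES, the "AES" mode below is an HMAC-SHA256 counter-mode stream cipher standing in for Syncope's AES; what the example demonstrates is reversibility versus one-wayness, not the cipher choice.

```python
"""One-way digest vs reversible cipher for a propagated password.
Added example, not Syncope code. The names below are assumptions, and
the 'AES' mode is an HMAC-SHA256 counter-mode stream cipher standing in
for Syncope's AES (the stdlib has no AES); only reversibility matters."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredPassword:
    algorithm: str          # "SHA1" (one-way digest) or "AES" (reversible)
    value: bytes            # digest, or ciphertext
    salt_or_nonce: bytes    # salt for the digest, nonce for the cipher


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in reversible cipher: XOR with an HMAC-SHA256 counter keystream.
    Encrypting and decrypting are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def store_password(cleartext: str, algorithm: str, key: bytes) -> StoredPassword:
    """Model of password.cipher.algorithm: the same cleartext, stored two ways."""
    if algorithm == "SHA1":
        salt = os.urandom(16)
        digest = hashlib.sha1(salt + cleartext.encode()).digest()
        return StoredPassword("SHA1", digest, salt)
    if algorithm == "AES":
        nonce = os.urandom(16)
        return StoredPassword("AES", _keystream_xor(key, nonce, cleartext.encode()), nonce)
    raise ValueError(f"unsupported algorithm {algorithm!r}")


def recover_cleartext(stored: StoredPassword, key: bytes):
    """Cleartext for the reversible cipher; None for a digest, which is one-way."""
    if stored.algorithm == "AES":
        return _keystream_xor(key, stored.salt_or_nonce, stored.value).decode()
    return None


def verify_password(stored: StoredPassword, candidate: str, key: bytes) -> bool:
    """Both modes can still verify a login; only the reversible one can export."""
    if stored.algorithm == "SHA1":
        digest = hashlib.sha1(stored.salt_or_nonce + candidate.encode()).digest()
        return hmac.compare_digest(digest, stored.value)
    return hmac.compare_digest(recover_cleartext(stored, key).encode(), candidate.encode())


def build_ad_propagation_attrs(username: str, stored: StoredPassword, key: bytes) -> dict:
    """Attribute set for a create on the AD resource. __PASSWORD__ is mandatory
    there, so mirror the connector: refuse when a mandatory attribute is empty."""
    attrs = {
        "__NAME__": f"cn={username},ou=Users,dc=example,dc=com",  # assumed DN layout
        "sAMAccountName": username,
        "__PASSWORD__": recover_cleartext(stored, key),
    }
    missing = [name for name, value in attrs.items() if value is None]
    if missing:
        raise ValueError(
            f"Not attempted because there are mandatory attributes without value(s): {missing}")
    return attrs


def demo() -> dict:
    """Propagate the same user once per storage mode; return each outcome."""
    key = os.urandom(32)                     # key management is out of scope here
    results = {}
    for algorithm in ("SHA1", "AES"):
        stored = store_password("Tr0ub4dor&3", algorithm, key)   # constructed sample
        try:
            build_ad_propagation_attrs("bsmith", stored, key)
            results[algorithm] = "propagated"
        except ValueError as exc:
            results[algorithm] = str(exc)
    return results


if __name__ == "__main__":
    for algorithm, outcome in demo().items():
        print(f"{algorithm}: {outcome}")
```

Running demo() yields a refusal for the SHA1 row with the same shape as the exception quoted in the thread, and "propagated" for the AES row. Two points worth weighing before flipping the setting: a reversible cipher means the internal storage now holds recoverable credentials, so the encryption key and the database deserve the same protection as AD itself; and because a digest cannot be converted back, users whose password is already stored under SHA1 only acquire a propagatable value once a cleartext passes through Syncope again, for instance on the next pull from the Postgres source that Bruce says delivers the password in clear.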