On 20/11/2015 16:53, Manfredo Hopp wrote:
> Hi, changing memberships of an account assigned to db resource doesn't
> result in propagation.
> It should be possible to update an account's attribute (eg reflecting
> memberships) just as with LDAPMemberShipPropagation action class for
> LDAP resources.

The "membership" (e.g. the fact that a user is member of a role)
concept is not part of the entities managed at framework-level by ConnId.

The LDAP and AD connectors support this feature via a non-standard
special attribute ("ldapGroups") to be sent along with user's data,
which is expected to contain the DN of groups (provisioned by roles in
Syncope) such user belongs to.

Based on this non-standard feature, LDAPMembershipPropagationActions [1]
and LDAPMembershipSyncActions [2] utilities are provided, which
transparently handle the "ldapGroups" management, and work OOTB for
most cases.

You are instead working with "db resource" - which should be using the
Scripted SQL connector (the other db-related connector, db-table, can
only manage users, so it can't really be the case); such connector is
extremely powerful, in the sense that it gives complete control of data
exchange with Syncope, via Groovy scripts.

This also means that there cannot be anything similar to "ldapGroups"
implemented by default, but it also gives you the power to introduce such
management ("scriptedSQLGroups"?) in your own Groovy scripts; naturally,
you will also need to create something similar to [1] and [2] to act as
counterparts on Syncope-side.

Regards.

[1] https://github.com/apache/syncope/blob/1_2_X/core/src/main/java/org/apache/syncope/core/propagation/impl/LDAPMembershipPropagationActions.java
[2] https://github.com/apache/syncope/blob/1_2_X/core/src/main/java/org/apache/syncope/core/sync/impl/LDAPMembershipSyncActions.java
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
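
The connector-side half of the "scriptedSQLGroups" idea from the reply above, sketched as a Scripted SQL update script. This is an added example, not part of the original message and not Syncope or ConnId code. The attribute name, the user_groups table and its columns are assumptions, and the Syncope-side actions class modelled on [1] that would send the attribute is not shown.

```groovy
import groovy.sql.Sql

// Bindings provided by the Scripted SQL connector to the update script:
//   connection (java.sql.Connection), objectClass (String), uid (String),
//   attributes (Map: attribute name -> List of values).
// Assumptions of this example (hypothetical names): the special attribute is
// called "scriptedSQLGroups" and memberships live in user_groups(user_id, group_name).
final String GROUPS_ATTR = "scriptedSQLGroups"

// Compare stored and desired memberships; returns what to insert and what to delete.
def membershipDelta(Collection current, Collection desired) {
    def cur = current.collect { it.toString() } as Set
    def want = desired.findAll { it != null }.collect { it.toString().trim() } as Set
    [toAdd: want - cur, toRemove: cur - want]
}

// An absent attribute means "memberships not sent": leave the table untouched.
// A present but empty attribute means the user no longer belongs to any group.
if (objectClass == "__ACCOUNT__" && attributes.containsKey(GROUPS_ATTR)) {
    def sql = new Sql(connection)
    // Apply deletes and inserts atomically so a failure cannot leave
    // the account with a half-updated set of memberships.
    sql.withTransaction {
        def current = sql.rows(
                "SELECT group_name FROM user_groups WHERE user_id = ?", [uid])
                .collect { it.group_name }
        def delta = membershipDelta(current, attributes.get(GROUPS_ATTR) ?: [])
        // Bind parameters keep group names out of the SQL text.
        delta.toRemove.each { g ->
            sql.execute("DELETE FROM user_groups WHERE user_id = ? AND group_name = ?", [uid, g])
        }
        delta.toAdd.each { g ->
            sql.execute("INSERT INTO user_groups (user_id, group_name) VALUES (?, ?)", [uid, g])
        }
    }
}

// The update script hands the entry's uid back to the connector.
return uid
```

In a real update script this block would sit next to the statements that update the user's own columns.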