On 09/05/2016 14:58, Shagun Akarsh wrote:
> Hello,
> I am using ldap-connector (1.4.0) with syncope (1.2.7) and openLdap
> (2.4.40) to synchronize user repository but it shows a "?" (undefined
> status) symbol when an external resource (ldap) is added to a user.

LDAP as a protocol does not provide a standardized way to determine user
status, so the LDAP connector allows you to specify a statusManagementClass
for the purpose.
If you set it to
net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement
then Syncope will transparently handle it by using the "description"
attribute.
More information on
https://connid.atlassian.net/wiki/display/BASE/LDAP#Configuration
(one of the last properties there).

> Although it is able to create new entries in ldap & syncope mysql db,
> it fails to update on openLdap when we update an existing entry
> using GUI.

This is probably due to some misconfiguration in the connector; please
take a look at this - for Syncope 1.1 but easily adaptable to 1.2 - old
post of mine for some recipes:
http://blog.tirasa.net/unlock-full-ldap-features-in.html

> Moreover, reading
> <https://connid.atlassian.net/wiki/display/BASE/LDAP#LDAP-Installation> about
> ldap-connector I found this "Sync (only with Sun Directory Server
> Enterprise Edition)", so is this the reason for the issue of sync with
> openLdap? Do we need to write a custom connector for full ldap
> synchronization?

From the "Changelog" chapter in the post above:

During synchronization, Apache Syncope can query the LDAP directory
server in two distinct ways: either the full list of entries (that
will need to be parsed in order to catch the actual modifications
performed since last run) or just such actual modifications.

As anyone can see, the latter is much better than the former but
its usage is limited due to the fact that the ConnId LDAP connector
currently supports actual synchronization operation only from some
servers (as Sun Directory Server or OpenDJ).

Unfortunately, no one has yet provided the necessary contribution to
enhance the LDAP connector with support for actual synchronization in
OpenLDAP, as you can also read from
https://connid.atlassian.net/browse/LDAP-1
At the moment, then, you can definitely pull users (and groups) from
OpenLDAP, but there is not yet support for SyncRepl (RFC 4533).
AFAICT the ConnId project would be glad to receive such a contribution ;-)
HTH
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC,
Olingo PMC, CXF Committer, OpenJPA Committer
http://home.apache.org/~ilgrosso/
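
As an added illustration (not part of the original message, and not ConnId or Syncope code), the Python sketch below shows the first mode described in the quoted changelog: parsing a full listing of entries to work out what changed since the last run. The function names and sample entries are constructed for the example, and keeping a per-DN digest between runs is an assumed way of doing the comparison.

```python
import hashlib
import json


def entry_digest(attrs):
    """Stable digest of one entry; attribute order and name case are ignored."""
    canon = json.dumps({k.lower(): sorted(v) for k, v in attrs.items()},
                       sort_keys=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def full_reconcile(previous, entries):
    """Compare a full listing against the digests saved by the last run.

    previous: {dn: digest} stored after the previous run
    entries:  {dn: {attribute: [values]}} returned by the full search
    Returns (changes, new_state). Deletions are only visible as DNs that
    are missing from the new listing, so the listing must be complete.
    """
    new_state = {dn: entry_digest(attrs) for dn, attrs in entries.items()}
    changes = {
        "created": sorted(dn for dn in new_state if dn not in previous),
        "updated": sorted(dn for dn in new_state
                          if dn in previous and previous[dn] != new_state[dn]),
        "deleted": sorted(dn for dn in previous if dn not in new_state),
    }
    return changes, new_state


# Constructed sample listings for two consecutive runs.
BASE = "ou=people,dc=example,dc=org"
RUN_1 = {
    f"uid=alice,{BASE}": {"cn": ["Alice"], "mail": ["alice@example.org"]},
    f"uid=bob,{BASE}": {"cn": ["Bob"], "mail": ["bob@example.org"]},
    f"uid=dave,{BASE}": {"cn": ["Dave"], "mail": ["dave@example.org"]},
}
RUN_2 = {
    # Same content as before, different attribute order: not a change.
    f"uid=alice,{BASE}": {"mail": ["alice@example.org"], "CN": ["Alice"]},
    f"uid=bob,{BASE}": {"cn": ["Bob"], "mail": ["robert@example.org"]},
    f"uid=carol,{BASE}": {"cn": ["Carol"], "mail": ["carol@example.org"]},
}

if __name__ == "__main__":
    _, state = full_reconcile({}, RUN_1)       # first run: everything is new
    changes, state = full_reconcile(state, RUN_2)
    for kind, dns in changes.items():
        print(kind, dns)
```

Every run reads and hashes the whole subtree, which is the cost the changelog contrasts with fetching only the actual modifications.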