On 11/05/2016 09:39, Shagun Akarsh wrote:
Thanks Francesco.
In my scenario I am trying to synchronize user information from a
central user repository (OpenLDAP) to an application database (MySQL) and
vice versa using Syncope. But my applications' (web application)
databases can be on different datacenters and are behind a firewall and
thus cannot establish direct DB connections, so instead I need to sync
over HTTP/REST based APIs.
We need an external cloud Identity Management connector that can connect
to the application's public REST or HTTP based APIs to update the
application's linked DB. I found a similar project
<https://wiki.evolveum.com/display/midPoint/Google+summer+of+code+2016#Googlesummerofcode2016-Project:CloudIdentitymanagement>
in midPoint IdM's project list, so this hints that I need to write a
connector for connecting to my external web service (behind which the
application DB is present).
Understood. Writing your own REST connector is definitely an option;
another option is to extend / customize the ConnId SOAP connector:
https://connid.atlassian.net/wiki/display/BASE/SOAP
https://github.com/Tirasa/ConnIdSOAPBundle
To create a connector for our web service I read this ConnId
documentation
https://connid.atlassian.net/wiki/display/BASE/Create+new+connector. I
get the following error on running the Maven command:
Failed to execute goal
org.apache.maven.plugins:maven-archetype-plugin:2.4:generate
(default-cli) on project standalone-pom: The desired archetype does
not exist (net.tirasa.connid:connector-archetype:1.4.3.0).
This question pertains more to the ConnId user list, but I can provide help
here as well.
ConnId 1.4.3.0 is not released yet, so for the time being the command to
execute for generating a project from the archetype is instead:

mvn archetype:generate \
  -DarchetypeGroupId=net.tirasa.connid \
  -DarchetypeArtifactId=connector-archetype \
  -DarchetypeRepository=https://oss.sonatype.org/content/repositories/snapshots/ \
  -DarchetypeVersion=1.4.3.0-SNAPSHOT
Then you can edit the generated pom.xml by replacing any
1.4.3.0-SNAPSHOT occurrence with 1.4.2.0.
For your reference, here is a connector my company Tirasa is
contributing to the CHOReVOLUTION project, which implements its methods
by invoking a remote REST service:
https://tuleap.ow2.org/plugins/git/chorevolution/connid-federation-server
HTH
Regards.
On Mon, May 9, 2016 at 7:00 PM, Francesco Chicchiriccò
<[email protected]> wrote:
On 09/05/2016 14:58, Shagun Akarsh wrote:
Hello,
I am using ldap-connector (1.4.0) with Syncope (1.2.7) and
OpenLDAP (2.4.40) to synchronize the user repository, but it shows a
"?" (undefined status) symbol when an external resource (LDAP) is
added to a user.
LDAP as a protocol does not provide a standardized way to determine
user status, so the LDAP connector allows you to specify a
statusManagementClass for the purpose.
If you set it to
net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement
then Syncope will transparently handle it by using the
"description" attribute.
More information on
https://connid.atlassian.net/wiki/display/BASE/LDAP#Configuration
(one of the last properties there).
Although it is able to create new entries in LDAP and the Syncope MySQL
DB, it fails to update OpenLDAP when we update an existing
entry using the GUI.
This is probably due to some misconfiguration in the connector;
please take a look at this - for Syncope 1.1 but easily adaptable
to 1.2 - old post of mine for some recipes:
http://blog.tirasa.net/unlock-full-ldap-features-in.html
Moreover, reading
<https://connid.atlassian.net/wiki/display/BASE/LDAP#LDAP-Installation>
about ldap-connector I found this: "Sync (only with Sun Directory
Server Enterprise Edition)", so is this the reason for the issue
of sync with OpenLDAP? Do we need to write a custom connector for
full LDAP synchronization?
From the "Changelog" chapter in the post above:
During synchronization, Apache Syncope can query the LDAP
directory server in two distinct ways: either the full list of
entries (that will need to be parsed in order to catch the actual
modifications performed since last run) or just such actual
modifications.
As anyone can see, the latter is much better than the former,
but its usage is limited due to the fact that the ConnId LDAP
connector currently supports the actual synchronization operation
only from some servers (such as Sun Directory Server or OpenDJ).
Unfortunately, no one has yet provided the necessary contribution
to enhance the LDAP connector with support for actual
synchronization in OpenLDAP, as you can also read from
https://connid.atlassian.net/browse/LDAP-1
At the moment, then, you can definitely pull users (and groups)
from OpenLDAP, but there is not yet support for SyncRepl (RFC 4533).
AFAICT the ConnId project would be glad to receive such a
contribution ;-)
HTH
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC,
Olingo PMC, CXF Committer, OpenJPA Committer
http://home.apache.org/~ilgrosso/
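The "Changelog" passage quoted above contrasts two ways of pulling from a directory: fetching the full list of entries every run (and diffing it against the previous run to recover the modifications) versus asking the server for just the modifications. As an added example, not code from the thread, from Syncope or from ConnId, the sketch below models the full-list strategy: it keeps a snapshot keyed by a stable identifier (entryUUID is assumed as the key, since DNs can change), ignores operational attributes that the server rewrites on every write, and emits create/update/delete deltas. The snapshots are constructed sample data; nothing here talks to a directory.

```python
"""Full-list reconciliation: derive modifications by diffing two snapshots.

Added example (not part of the mailing-list thread, Syncope or ConnId).
Models the "full list of entries" pull strategy: every run reads all
entries and compares them with the snapshot kept from the previous run.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Operational attributes are maintained by the server and change on every
# write; comparing them would report an update for entries that were merely
# touched. These three names are standard LDAP operational attributes.
OPERATIONAL_ATTRS = {"modifyTimestamp", "createTimestamp", "entryCSN"}

Entry = Dict[str, str]            # attribute name -> value (single-valued here)
Snapshot = Dict[str, Entry]       # assumed key: entryUUID, stable across renames


class DeltaType(Enum):
    CREATE_OR_UPDATE = "CREATE_OR_UPDATE"
    DELETE = "DELETE"


@dataclass(frozen=True)
class SyncDelta:
    delta_type: DeltaType
    uid: str                      # the entryUUID the delta refers to
    attrs: Optional[Entry] = None  # None for deletions


def _relevant(entry: Entry) -> Entry:
    """Drop operational attributes so only user-visible changes count."""
    return {k: v for k, v in entry.items() if k not in OPERATIONAL_ATTRS}


def reconcile(previous: Snapshot, current: Snapshot) -> List[SyncDelta]:
    """Diff two full snapshots and emit the actual modifications.

    Deletions are only detectable because the previous snapshot is kept:
    a search of the live directory cannot show what has disappeared.
    """
    deltas: List[SyncDelta] = []
    for uid, entry in sorted(current.items()):
        before = previous.get(uid)
        if before is None or _relevant(before) != _relevant(entry):
            deltas.append(SyncDelta(DeltaType.CREATE_OR_UPDATE, uid, _relevant(entry)))
    for uid in sorted(previous.keys() - current.keys()):
        deltas.append(SyncDelta(DeltaType.DELETE, uid))
    return deltas


def sync_run(previous: Snapshot, current: Snapshot) -> Tuple[List[SyncDelta], int]:
    """One pull: returns the deltas plus how many entries had to be scanned.

    The scan count is the cost the thread warns about: the full-list
    strategy reads every entry even when nothing changed.
    """
    return reconcile(previous, current), len(current)


# Constructed sample snapshots (not real directory data).
PREVIOUS: Snapshot = {
    "u-0001": {"uid": "alice", "cn": "Alice", "mail": "alice@example.org",
               "modifyTimestamp": "20160501120000Z"},
    "u-0002": {"uid": "bob", "cn": "Bob", "mail": "bob@example.org",
               "modifyTimestamp": "20160501120000Z"},
    "u-0003": {"uid": "carol", "cn": "Carol", "mail": "carol@example.org",
               "modifyTimestamp": "20160501120000Z"},
}

CURRENT: Snapshot = {
    # alice: only the operational attribute moved -> must NOT be reported
    "u-0001": {"uid": "alice", "cn": "Alice", "mail": "alice@example.org",
               "modifyTimestamp": "20160509180000Z"},
    # bob: mail changed -> update
    "u-0002": {"uid": "bob", "cn": "Bob", "mail": "bob@corp.example.org",
               "modifyTimestamp": "20160509180000Z"},
    # carol removed -> delete; dave added -> create
    "u-0004": {"uid": "dave", "cn": "Dave", "mail": "dave@example.org",
               "modifyTimestamp": "20160509180000Z"},
}


if __name__ == "__main__":
    deltas, scanned = sync_run(PREVIOUS, CURRENT)
    print(f"scanned {scanned} entries, {len(deltas)} actual modifications")
    for d in deltas:
        print(d.delta_type.value, d.uid, d.attrs or "")
```

Running it scans three entries to produce three deltas (update bob, create dave, delete carol) while leaving alice alone; on a directory with tens of thousands of entries and a handful of changes, the same scan count is what a changelog or SyncRepl-based pull avoids.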