On 2016-06-01 14:44 Hermann Angstl wrote:

To synchronize user and role data from an LDAP backend into Syncope I set up a connector, a resource and a synchronization task.

The roles in my LDAP are organized hierarchically. Like this:

ou=roles, ou=system
  + ou=adminRoles, ou=roles, ou=system
      + cn=role1
      + cn=role2
      + cn=role3
  + ou=operatorRoles, ou=roles, ou=system
      + cn=role4
  + ou=auxRoles, ou=roles, ou=system
      + cn=role5

When my synchronization task runs I get the following issues:

(1) The hierarchical information is lost in Syncope - Syncope creates everything (flat) under "Roles". Is there a way to preserve hierarchical information in Syncope?

You need to extend the standard synchronization behavior by writing a custom SyncActions [1] that, in the beforeProvision() method, for example, will set the parent role of the role being synchronized according to its DN from LDAP.

(2) Every time my synchronization task runs it copies ALL roles from LDAP to Syncope again - so I end up having lots of duplicates.

Two issues here:

2a - During synchronization, Apache Syncope can query the LDAP directory server in two distinct ways: either the full list of entries (that will need to be parsed in order to catch the actual modifications performed since the last run) or just such actual modifications. As anyone can see, the latter is much better than the former, but its usage is limited because the ConnId LDAP connector currently supports the actual synchronization operation only from some servers (such as Sun Directory Server, Oracle DSEE, Red Hat 389 or OpenDJ).

Now, if you are using one of the supported servers, just flag "Full Reconciliation" off on the given resource; otherwise you might consider contributing such a long-awaited feature for OpenLDAP to ConnId [2].

2b - You get duplicates because the current definition of the resource mapping leads to this: either you need to fix it or to define an appropriate synchronization policy [3] which will allow matching existing roles during synchronization.

HTH
Regards.

[1] https://cwiki.apache.org/confluence/display/SYNCOPE/SyncActionsClass
[2] https://connid.atlassian.net/browse/LDAP-1
[3] https://cwiki.apache.org/confluence/display/SYNCOPE/Policies#Policies-SynchronizationPolicies
--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC,
CXF Committer, OpenJPA Committer, PonyMail PPMC
http://home.apache.org/~ilgrosso/
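
The DN-to-parent mapping that a custom SyncActions could apply for point (1), as an added example that is not part of the original thread and is not Syncope code. It uses only the JDK's javax.naming.ldap classes; the class name, the ROLES_BASE constant and the rule "parent role name = value of the container RDN" are assumptions, and the sample DNs are constructed from the tree in the question.

```java
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class RoleParentFromDn {

    // Base of the role tree, as shown in the question (assumption for this example).
    static final String ROLES_BASE = "ou=roles,ou=system";

    /**
     * Name of the container directly above a synchronized entry, or empty when
     * the entry sits directly under the base and therefore has no parent role.
     * A DN outside the base is rejected rather than attached to the role tree.
     */
    static Optional<String> parentRoleName(String entryDn) throws InvalidNameException {
        LdapName base = new LdapName(ROLES_BASE);
        LdapName dn = new LdapName(entryDn);
        // LdapName indexes RDNs right to left, so index 0 is "ou=system" and
        // the base is a prefix of every DN below it. RDN comparison ignores
        // attribute-type case and surrounding whitespace.
        if (dn.size() <= base.size() || !dn.startsWith(base)) {
            throw new InvalidNameException("not below " + ROLES_BASE + ": " + entryDn);
        }
        if (dn.size() == base.size() + 1) {
            return Optional.empty();
        }
        // The entry's own RDN is at size()-1; its parent container is at size()-2.
        Rdn parent = dn.getRdn(dn.size() - 2);
        // getValue() returns the unescaped value, so "ou=ops\, tier1" yields "ops, tier1".
        return Optional.of(String.valueOf(parent.getValue()));
    }

    public static void main(String[] args) {
        // Constructed sample DNs following the layout in the question.
        String[] samples = {
            "cn=role1, ou=adminRoles, ou=roles, ou=system",
            "CN=role4,OU=operatorRoles,OU=roles,OU=system",
            "ou=auxRoles,ou=roles,ou=system",
            "cn=role9,ou=people,ou=system"
        };
        for (String dn : samples) {
            try {
                System.out.println(dn + " -> " + parentRoleName(dn).orElse("(top level)"));
            } catch (InvalidNameException e) {
                System.out.println(dn + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting DNs that fall outside the role base keeps an entry from another subtree from being placed under a parent role and picking up whatever that parent carries.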
