On 15/06/2016 15:02, Hermann Angstl wrote:
Hi there,
I recently asked how to synchronize hierarchical roles from LDAP to Syncope.
Francesco replied:
You need to extend the standard synchronization behavior by writing a custom
SyncActions that, in the beforeProvision() method,
for example, will set the parent role of the role being synchronized
according to its DN from LDAP.
To follow up on this:
(1) What is necessary to synchronize (propagate) the other way: From Syncope to
LDAP?
A custom PropagationActions implementation: see [1] [2].
(2) I don't get how this will be working at all (Syncope -> LDAP as well as LDAP -> Syncope) for hierarchical
structures, because in "Resources"/"Role Mapping", under "Account Link", there has to
be something like this: 'cn=' + name + ',ou=groups,dc=example,dc=com'. So a very specific location in the LDAP, no
wildcards, no hierarchies.
This is the default behaviour, e.g. you can define a JEXL expression
(which does have some flexibility, BTW) which will be evaluated for the
actual object to be sent to LDAP.
The purpose of the two interfaces above instead (actually, the
possibility of providing custom implementations for them) is to alter
the ordinary information flow, both during propagation (Syncope -> LDAP)
and synchronization (now "pull" for 2.0.0, LDAP -> Syncope).
More specifically, when a propagation occurs, Syncope first stores all
details required in a PropagationTask [3], then executes it via the
configured PropagationTaskExecutor [4] (default implementation: [5]).
During execution, right before invoking the underlying connector layer
for effective operations, the configured PropagationActions instances
are invoked.
For your use case, take into account the before() method, which receives
the current PropagationTask as first argument: there you can alter the
task as you need; in particular, look for the __NAME__ special
attribute, which contains the actual DN for the object to be created in
LDAP, and change it according to your needs.
During synchronization, I would instead suggest injecting your own logic
in SyncActions#beforeProvision, where an instance of UserTO (during user
synchronization) or RoleTO (during role synchronization) is passed as
'subject': this instance is built by Syncope from the data received from
LDAP and modified according to the provided mapping; moreover, the
SyncDelta parameter contains the original data received from LDAP,
including __NAME__ (e.g. once more, the DN).
At this point you can set RoleTO#parent according to your needs.
HTH
Regards.
[1] https://cwiki.apache.org/confluence/display/SYNCOPE/PropagationActionsClass
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/SyncActionsClass
[3] https://github.com/apache/syncope/blob/1_2_X/console/src/main/java/org/apache/syncope/console/pages/panels/PropagationTasks.java
[4] https://github.com/apache/syncope/blob/1_2_X/core/src/main/java/org/apache/syncope/core/propagation/PropagationTaskExecutor.java
[5] https://github.com/apache/syncope/blob/1_2_X/core/src/main/java/org/apache/syncope/core/propagation/impl/PriorityPropagationTaskExecutor.java
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC,
CXF Committer, OpenJPA Committer, PonyMail PPMC
http://home.apache.org/~ilgrosso/
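The two hooks Francesco describes, sketched as an added example (this is not Syncope's own code nor code from the thread). It covers both directions: a PropagationActions that rewrites the __NAME__ attribute of the PropagationTask so the LDAP DN follows the role's ancestor chain, and a SyncActions whose beforeProvision() reads the DN from the SyncDelta and sets RoleTO#parent. Assumptions, all unverified against the 1.2.x sources: the package names and method signatures of DefaultPropagationActions, DefaultSyncActions, PropagationTask and RoleDAO (in particular roleDAO.find(Long) and roleDAO.find(String) returning a list), and the base DN ou=groups,dc=example,dc=com taken from the question.

```java
package net.example.syncope.ldap; // hypothetical package

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.syncope.common.to.AbstractSubjectTO;
import org.apache.syncope.common.to.RoleTO;
import org.apache.syncope.core.persistence.beans.PropagationTask;
import org.apache.syncope.core.persistence.beans.role.SyncopeRole;
import org.apache.syncope.core.persistence.dao.RoleDAO;
import org.apache.syncope.core.propagation.DefaultPropagationActions;
import org.apache.syncope.core.sync.DefaultSyncActions;
import org.apache.syncope.core.sync.SyncProfile;
import org.identityconnectors.framework.common.objects.Attribute;
import org.identityconnectors.framework.common.objects.AttributeUtil;
import org.identityconnectors.framework.common.objects.ConnectorObject;
import org.identityconnectors.framework.common.objects.Name;
import org.identityconnectors.framework.common.objects.SyncDelta;
import org.quartz.JobExecutionException;
import org.springframework.beans.factory.annotation.Autowired;

/** DN helpers shared by both directions, so escaping is handled in one place. */
final class RoleDnUtil {
    static final String BASE_DN = "ou=groups,dc=example,dc=com"; // assumed base DN, adjust to your tree

    private RoleDnUtil() { }

    /** Build "cn=leaf,cn=parent,...,BASE_DN" from a leaf-first list of role names; values are RDN-escaped. */
    static String buildDn(List<String> leafFirstNames) {
        StringBuilder dn = new StringBuilder();
        for (String name : leafFirstNames) {
            dn.append("cn=").append(Rdn.escapeValue(name)).append(',');
        }
        return dn.append(BASE_DN).toString();
    }

    /** Parent role name encoded in the DN, or null when the entry sits directly under BASE_DN. */
    static String parentNameFromDn(String dn) throws InvalidNameException {
        LdapName name = new LdapName(dn);
        LdapName base = new LdapName(BASE_DN);
        if (!name.startsWith(base) || name.size() <= base.size() + 1) {
            return null; // outside the managed subtree, or a top-level role
        }
        // LdapName indexes RDNs root-first: the leaf is size()-1, its parent size()-2.
        return name.getRdn(name.size() - 2).getValue().toString();
    }
}

/** Syncope -> LDAP: rewrite __NAME__ so the DN reflects the role's ancestor chain. */
public class HierarchicalRolePropagationActions extends DefaultPropagationActions {

    @Autowired
    private RoleDAO roleDAO; // assumed DAO for loading the role referenced by the task

    @Override
    public void before(final PropagationTask task, final ConnectorObject beforeObj) {
        SyncopeRole role = roleDAO.find(task.getSubjectId()); // assumed signature
        if (role == null) {
            return; // not a role task (or role already gone): leave the mapping's DN untouched
        }
        List<String> leafFirst = new ArrayList<>();
        for (SyncopeRole r = role; r != null; r = r.getParent()) {
            leafFirst.add(r.getName());
        }
        Set<Attribute> attrs = new HashSet<>(task.getAttributes());
        Attribute mappedName = AttributeUtil.find(Name.NAME, attrs);
        if (mappedName != null) {
            attrs.remove(mappedName);
        }
        attrs.add(new Name(RoleDnUtil.buildDn(leafFirst)));
        task.setAttributes(attrs);
    }
}

/** LDAP -> Syncope: derive RoleTO#parent from the DN carried in the SyncDelta's __NAME__. */
class HierarchicalRoleSyncActions extends DefaultSyncActions {

    @Autowired
    private RoleDAO roleDAO; // assumed DAO for resolving the parent role by name

    @Override
    public <T extends AbstractSubjectTO> SyncDelta beforeProvision(
            final SyncProfile<?, ?> profile, final SyncDelta delta, final T subject)
            throws JobExecutionException {
        if (!(subject instanceof RoleTO)) {
            return delta; // user synchronization: nothing to do here
        }
        RoleTO role = (RoleTO) subject;
        String dn = delta.getObject().getName().getNameValue();
        try {
            String parentName = RoleDnUtil.parentNameFromDn(dn);
            if (parentName != null) {
                List<SyncopeRole> candidates = roleDAO.find(parentName); // assumed lookup by name
                if (candidates.size() != 1) {
                    // Refuse rather than guess: attaching a role under the wrong parent changes what it inherits.
                    throw new JobExecutionException("Parent role '" + parentName
                            + "' missing or ambiguous for " + dn);
                }
                role.setParent(candidates.get(0).getId());
            }
        } catch (InvalidNameException e) {
            throw new JobExecutionException("Unparsable DN from LDAP: " + dn, e);
        }
        return delta;
    }
}
```

Both classes are registered by name on the LDAP resource (PropagationActions and SyncActions class fields), as in [1] and [2]. Two points worth keeping in mind with this design: buildDn() escapes RDN values, so a role name containing a comma or plus sign cannot splice extra components into the DN; and the sync side fails the entry instead of guessing when the parent is not yet present or exists more than once, which matters because LDAP search results arrive in no guaranteed order, so a child can be pulled before its parent and is then picked up on the next run.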