Hi,
Matching rule: LINK means that if, during pull, an internal (e.g.
Syncope's) user is found to match a user coming from AD, such internal
user will be linked to the AD resource.
As a result, any modification of such user in Syncope, for one of the
attributes mapped to Active Directory, will be automatically propagated
to AD.
Referring to the log below, it seems that at 16.30 an update on Syncope
was made for the user mapped to the AD user CN=Elaheh
Panahi,OU=Tehran,OU=Non-Staff,OU=Users,OU=Accounts,DC=internaldomain,DC=ir.
You can find the details of which data were sent by Syncope to AD in the
Propagation Task.
Regards.
On 11/06/2018 10:37, alireza ranjbaran wrote:
Dear Francesco,
I set FULL_RECONCILIATION pull mode, Matching rule: LINK, Unmatching
rule: PROVISION and I checked Allow create, Allow update, Allow
delete, Sync status.
This is a sample of Active Directory logs that shows my service account
removed a member:
---------------------------------------------------------------------------------------------------
MSWinEventLog1Security183680475Sat Jun 09 16:30:14 2018 A member was
removed from a security-enabled global group. Subject: Security
ID: S-1-5-21-1480964169-1710879411-3095655000-64665 Account Name:
svc-24319 Account Domain: INTERNALDOMAIN Logon ID: 0x3eae1e4fb
Member: Security ID: S-1-5-21-1480964169-1710879411-3095655000-36774
Account Name: CN=Elaheh
Panahi,OU=Tehran,OU=Non-Staff,OU=Users,OU=Accounts,DC=internaldomain,DC=ir
Group: Security ID: S-1-5-21-1480964169-1710879411-3095655000-22376
Group Name: fld-IS-L Group Domain: INTERNALDOMAINAdditional
Information: Privileges: -183680474",
---------------------------------------------------------------------------------------------------
As you see, the member was removed at 16:30, but my pull task started at
14:21 and finished at 16:15.
I checked the user 'Propagation tasks' menu. There was an UPDATE
operation at 16:30! I have not changed the user and I have not created
any push task.
Screenshots of the pull tasks and propagation tasks have been attached. Did
I do anything wrong?
On Mon, Jun 11, 2018 at 10:44 AM, Francesco Chicchiriccò wrote:
On 10/06/2018 14:26, alireza ranjbaran wrote:
Hi,
We have run a pull task on AD, and it has removed some members of
groups from Active Directory.
We need to roll back, and that requires the membership removal logs.
How can I find membership propagation logs?
Hi,
if you are *pulling* from AD, it means that you are either using
the SEARCH or SYNC capability [1] (depending on the configured
pull mode [2]) on the related connector: this means that you are
only reading from AD, and such operation could not perform any
modification on AD.
Is there any detail about your configuration that you forgot to
mention above?
Regards.
[1] https://syncope.apache.org/docs/reference-guide.html#connector-instance-details
[2] https://syncope.apache.org/docs/reference-guide.html#pull-mode
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
--
Best Regards,
Alireza Ranjbaran
ITS Security Operations Engineer at MTN Irancell
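As an added example (not from the thread and not Syncope code), a short Python parser for the flattened "member was removed" records quoted above: it lists the removals made by one service account and flags whether each falls inside the pull task window, which is the comparison made by hand in the thread and the list a rollback needs. The sample records, the account name `svc-example` and the assumption that the pull ran on the same day as the logged event are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the flattened layout quoted in the thread
# (placeholder SIDs, accounts and groups; not real data).
SAMPLE_LOG = """
MSWinEventLog1Security1001Sat Jun 09 15:40:02 2018 A member was
removed from a security-enabled global group. Subject: Security
ID: S-1-5-21-0-0-0-1111 Account Name: admin-example Account Domain: EXAMPLE
Logon ID: 0x1 Member: Security ID: S-1-5-21-0-0-0-2222 Account Name:
CN=Other User,OU=Users,DC=example,DC=test Group: Security ID:
S-1-5-21-0-0-0-3333 Group Name: grp-a Group Domain: EXAMPLE
MSWinEventLog1Security1002Sat Jun 09 16:30:14 2018 A member was
removed from a security-enabled global group. Subject: Security
ID: S-1-5-21-0-0-0-4444 Account Name: svc-example Account Domain: EXAMPLE
Logon ID: 0x2 Member: Security ID: S-1-5-21-0-0-0-5555 Account Name:
CN=Test User,OU=Users,DC=example,DC=test Group: Security ID:
S-1-5-21-0-0-0-3333 Group Name: grp-a Group Domain: EXAMPLE
"""

EVENT = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"A member was removed from a security-enabled global group\. "
    r"Subject: .*?Account Name: (?P<actor>\S+) .*?"
    r"Member: .*?Account Name: (?P<member>.+?) "
    r"Group: .*?Group Name: (?P<group>\S+)"
)

def parse_removals(log_text):
    """Return one dict per membership-removal record in log_text."""
    out = []
    for rec in log_text.split("MSWinEventLog")[1:]:
        m = EVENT.search(" ".join(rec.split()))  # undo line wrapping
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S %Y")
            out.append(d)
    return out

def removals_by(log_text, actor, pull_start, pull_end):
    """Removals made by `actor`, each flagged as inside/outside the pull window."""
    return [dict(r, during_pull=pull_start <= r["ts"] <= pull_end)
            for r in parse_removals(log_text) if r["actor"] == actor]

if __name__ == "__main__":
    # Pull window from the thread (14:21 to 16:15); same-day date is assumed.
    start, end = datetime(2018, 6, 9, 14, 21), datetime(2018, 6, 9, 16, 15)
    for r in removals_by(SAMPLE_LOG, "svc-example", start, end):
        print(r["ts"], r["group"], r["member"], "during pull:", r["during_pull"])
```

A removal by the connector's service account that falls outside the pull window points to a propagation (write) operation rather than the pull itself; the group and member fields give the pairs to restore.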