Hi again,

Consider a scenario in which an "incomplete" LINK pull task has been run. Consider that it added some groups but could not add their members completely. In this case, is it possible for Syncope to remove some AD group members in propagations? Does Syncope have any plan for rolling back incomplete tasks?

On Mon, Jun 11, 2018 at 1:12 PM, Francesco Chicchiriccò <[email protected]> wrote:

> Hi,
> Matching rule: LINK means that if, during pull, an internal (e.g.
> Syncope's) user is found to match a user coming from AD, such internal
> user will be linked to the AD resource.
>
> As a result, any modification of such user in Syncope, for one of the
> attributes mapped to Active Directory, will be automatically propagated to
> AD.
>
> Referring to the log below, it seems that at 16.30 an update on Syncope
> was made for the user mapped to the AD user CN=Elaheh
> Panahi,OU=Tehran,OU=Non-Staff,OU=Users,OU=Accounts,DC=internaldomain,DC=ir.
>
> You can find the details of which data were sent by Syncope to AD in the
> Propagation Task.
>
> Regards.
>
>
> On 11/06/2018 10:37, alireza ranjbaran wrote:
>
> Dear Francesco,
>
> I set FULL_RECONCILIATION pull mode, Matching rule: LINK, Unmatching rule:
> PROVISION and I checked Allow create, Allow update, Allow delete, Sync
> status.
>
> This is a sample of Active Directory logs that shows my service-account removed
> a member:
> ---------------------------------------------------------------------------------------------------
> MSWinEventLog 1 Security 183680475 Sat Jun 09 16:30:14 2018 A member
> was removed from a security-enabled global group.
> Subject: Security ID: S-1-5-21-1480964169-1710879411-3095655000-64665
> Account Name: svc-24319 Account Domain: INTERNALDOMAIN Logon ID: 0x3eae1e4fb
> Member: Security ID: S-1-5-21-1480964169-1710879411-3095655000-36774
> Account Name: CN=Elaheh Panahi,OU=Tehran,OU=Non-Staff,OU=Users,OU=Accounts,DC=internaldomain,DC=ir
> Group: Security ID: S-1-5-21-1480964169-1710879411-3095655000-22376
> Group Name: fld-IS-L Group Domain: INTERNALDOMAIN
> Additional Information: Privileges: - 183680474",
> ---------------------------------------------------------------------------------------------------
>
> As you see, the member was removed at 16:30 but my pull task started at 14:21
> and finished at 16:15.
> I checked the user 'Propagation tasks' menu. There was an UPDATE
> operation at 16:30! I have not changed the user and I have not created any
> push task.
>
> Screenshots of pull tasks and propagation tasks have been attached. Did I
> do anything wrong?
>
>
> On Mon, Jun 11, 2018 at 10:44 AM, Francesco Chicchiriccò <[email protected]> wrote:
>
>> On 10/06/2018 14:26, alireza ranjbaran wrote:
>>
>>> Hi,
>>> We have run a pull task on AD, it has removed some members of groups
>>> from active directory.
>>> We need to rollback and it requires membership remove logs.
>>>
>>> Who can I find membership propagation logs?
>>>
>> Hi,
>> if you are *pulling* from AD, it means that you are either using the
>> SEARCH or SYNC capability [1] (depending on the configured pull mode [2])
>> on the related connector: this means that you are only reading from AD, and
>> such operation could not perform any modification on AD.
>> Is there any detail about your configuration that you forgot to mention
>> above?
>>
>> Regards.
>>
>> [1] https://syncope.apache.org/docs/reference-guide.html#connector-instance-details
>> [2] https://syncope.apache.org/docs/reference-guide.html#pull-mode
>>
>> --
>> Francesco Chicchiriccò
>>
>> Tirasa - Open Source Excellence
>> http://www.tirasa.net/
>>
>> Member at The Apache Software Foundation
>> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
>> http://home.apache.org/~ilgrosso/
>>
>
> --
> *Best Regards,*
>
> *Alireza Ranjbaran*
> *ITS Security Operations Engineer at **MTN Irancell*
>
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>

--
*Best Regards,*

*Alireza Ranjbaran*
*ITS Security Operations Engineer at **MTN Irancell*
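
A sketch for the rollback question raised in this thread, added here and not part of any message or of Syncope itself: it parses flattened "member was removed" records in the layout quoted above and lists removals by a given service account that fall outside a task's run window (14:21 to 16:15 in the thread). The sample records, the `svc-sync` and `admin1` accounts, SIDs, DNs and group names are constructed placeholders.

```python
import re
from datetime import datetime

# Field layout follows the flattened "member removed" record quoted in the thread.
EVENT_RE = re.compile(
    r"MSWinEventLog\s+\d+\s+Security\s+\d+\s+"
    r"(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"A member was removed from a security-enabled global group\.\s+"
    r"Subject:\s+Security ID:\s+\S+\s+Account Name:\s+(?P<actor>\S+)\s+"
    r"Account Domain:\s+\S+\s+Logon ID:\s+\S+\s+"
    r"Member:\s+Security ID:\s+(?P<member_sid>\S+)\s+"
    r"Account Name:\s+(?P<member_dn>.+?)\s+"
    r"Group:\s+Security ID:\s+\S+\s+Group Name:\s+(?P<group>.+?)\s+Group Domain:"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_removals(lines):
    """Return one dict per 'member removed' record; other lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append({**m.groupdict(), "time": datetime.strptime(m["ts"], TS_FMT)})
    return events

def outside_window(events, actor, start, end):
    """Removals by `actor` that fall outside the task's start/end times."""
    return [e for e in events
            if e["actor"] == actor and not (start <= e["time"] <= end)]

def _sample(ts, actor, member_dn, group):
    # Constructed record; SIDs, account, DN and group names are placeholders.
    return (f"MSWinEventLog 1 Security 1001 {ts} A member was removed from a "
            "security-enabled global group. Subject: Security ID: S-1-5-21-1-2-3-500 "
            f"Account Name: {actor} Account Domain: EXAMPLE Logon ID: 0x1 "
            "Member: Security ID: S-1-5-21-1-2-3-1101 "
            f"Account Name: {member_dn} Group: Security ID: S-1-5-21-1-2-3-2201 "
            f"Group Name: {group} Group Domain: EXAMPLE Additional Information: Privileges: -")

SAMPLE = [
    _sample("Sat Jun 09 15:02:10 2018", "svc-sync", "CN=User One,OU=Users,DC=example,DC=test", "grp-a"),
    _sample("Sat Jun 09 16:30:14 2018", "svc-sync", "CN=User Two,OU=Users,DC=example,DC=test", "grp-b"),
    _sample("Sat Jun 09 16:40:00 2018", "admin1", "CN=User Three,OU=Users,DC=example,DC=test", "grp-a"),
    "MSWinEventLog 1 Security 1002 Sat Jun 09 16:41:00 2018 An account was logged off.",
]

if __name__ == "__main__":
    day = datetime(2018, 6, 9)
    late = outside_window(parse_removals(SAMPLE), "svc-sync",
                          day.replace(hour=14, minute=21), day.replace(hour=16, minute=15))
    for e in late:  # candidates to re-add during rollback
        print(e["time"], e["group"], e["member_dn"])
```

Each returned record carries the group name and member DN, which is the pair needed to restore a removed membership by hand.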
