Hi,
I am afraid that the behavior you report below is expected.
The way LDAPMembershipPullActions & SetUMembershipsJob work can be
summarized as follows:
1. when pulling groups, for each pulled group, read the "uniquemember" value
(thus getting the member users' DNs on LDAP) and save the association "user
DN -> groups on Syncope" for later processing
2. once pull is complete, attempt to convert user DNs into users on
Syncope, and obtain the new map "user on Syncope -> groups on Syncope",
and pass such map to SetUMembershipsJob
3. SetUMembershipsJob will go through the received map and patch each
user to add membership for the associated group(s)
The problem is that there is no point where Syncope can see which LDAP
memberships - coming from that specific resource from which it is
pulling - were actually removed, and thus patch users to *remove*
memberships.
Hence, I believe there is no clean solution for the general case.
Naturally, for your specific use case - where you might have a single
LDAP resource, and be sure that all user memberships are coming from
LDAP - you could arrange things differently by implementing your own
version of LDAPMembershipPullActions or SetUMembershipsJob.
Hope this clarifies.
Regards.
On 15/08/2018 10:47, Alex123 wrote:
Hi!
I have Syncope 2.1.0 and Ldap connector 1.5.2. All works fine, but
THERE IS A PROBLEM:
When I remove the attribute
'uniqueMember'='uid=myldapuser,ou=Users,o=client1,dc=xyz,dc=net' in one of
the LDAP groups such as 'MyGroup' and then pull changes to Syncope, Syncope does
not remove the 'myldapuser' to 'MyGroup' membership.
Syncope only adds new memberships from LDAP but doesn't remove old memberships
(those that were removed in LDAP).
My Ldap connector has the following settings:
- Group Name Attributes = 'cn'
- Group Member Attribute = 'uniqueMember'
- Maintain LDAP Group Membership = true
LdapSync resource has:
- Actions Selected = LDAPMembershipPropagationActions
- Capabilities - All
LdapSync Pull Task has:
- Pull Mode = 'FULL_RECONCILIATION'
- Remediation = false
- Actions Selected = LDAPMembershipPullActions
- Matching rule = update
- Unmatching rule = ASSIGN
- Allow create = true
- Allow update = true
- Allow delete = true
In the debugger I see that Syncope has correct information about memberships
(in org.apache.syncope.core.provisioning.java.pushpull.LDAPMembershipPullActions,
line 175, in the field this.memberships I see existing memberships and don't
see removed memberships)
BUT
I don't see, in
org.apache.syncope.core.provisioning.java.job.SetUMembershipsJob or in
org.apache.syncope.core.provisioning.java.propagation.LDAPMembershipPropagationActions,
that Syncope drops any memberships.
Thank you in advance for your help.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
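To make the gap described in the reply concrete, here is an added plain-Python model (not Syncope code, and not written by either participant) of what the pull collects from "uniquemember" versus what a single-resource custom implementation would additionally need in order to compute removals. The per-membership resource tag on the Syncope side is an assumption made for illustration, as stock Syncope keeps no such tag, and all DNs and user names are constructed sample data.

```python
"""Model of the membership reconciliation gap discussed in the thread above."""

# Constructed sample: "uniquemember" values seen during a FULL_RECONCILIATION
# pull, taken after myldapuser was removed from MyGroup on LDAP.
LDAP_GROUPS = {
    "cn=MyGroup,ou=Groups,o=client1,dc=xyz,dc=net": [
        "uid=otheruser,ou=Users,o=client1,dc=xyz,dc=net",
    ],
    "cn=Admins,ou=Groups,o=client1,dc=xyz,dc=net": [
        "uid=myldapuser,ou=Users,o=client1,dc=xyz,dc=net",
        "uid=otheruser,ou=Users,o=client1,dc=xyz,dc=net",
    ],
}

# Constructed: memberships already on Syncope, each tagged with the resource
# that created it (hypothetical bookkeeping; None = created locally).
SYNCOPE_MEMBERSHIPS = {
    "myldapuser": {"MyGroup": "LdapSync", "Admins": "LdapSync", "Local": None},
    "otheruser": {"Admins": "LdapSync"},
}


def rdn_value(dn: str, attr: str) -> str:
    """Return the value of the first RDN of type `attr` (case-insensitive)."""
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().lower() == attr:
            return value.strip()
    raise ValueError(f"no {attr}= RDN in {dn!r}")


def collect_pulled_memberships(ldap_groups: dict) -> dict:
    """Steps 1-2 of the reply: user -> groups found on LDAP (additions only)."""
    pulled: dict = {}
    for group_dn, member_dns in ldap_groups.items():
        for dn in member_dns:
            pulled.setdefault(rdn_value(dn, "uid"), set()).add(rdn_value(group_dn, "cn"))
    return pulled


def compute_patches(pulled: dict, current: dict, resource: str) -> dict:
    """user -> (groups to add, groups to remove).

    Removals are only derived for memberships tagged with `resource`, so
    memberships that came from elsewhere are never touched by this pull.
    """
    patches: dict = {}
    for user in set(pulled) | set(current):
        wanted = pulled.get(user, set())
        have = current.get(user, {})
        to_add = wanted - set(have)
        to_remove = {g for g, src in have.items() if src == resource and g not in wanted}
        if to_add or to_remove:
            patches[user] = (to_add, to_remove)
    return patches
```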