Hi,
I had to reconsider:
https://issues.apache.org/jira/browse/SYNCOPE-1356
By looking at code in 1_2_X, the missing feature seemed to work.
Regards.
On 16/08/2018 11:06, Francesco Chicchiriccò wrote:
Hi,
I am afraid that the behavior you report below is expected.
The way LDAPMembershipPullActions & SetUMembershipsJob work can be summarized as follows:
1. when pulling groups, for each pulled group, read "uniquemember" value (thus getting members users DN on LDAP) and save the association "user DN -> groups on Syncope" for later processing
2. once pull is complete, attempt to convert user DNs into users on Syncope, and obtain the new map "user on Syncope -> groups on Syncope", and pass such map to SetUMembershipsJob
3. SetUMembershipsJob will go through the received map and patch each user to add membership for the associated group(s)
The problem is that there is no point where Syncope can see which LDAP memberships - coming from that specific resource from which it is pulling - were actually removed, and thus patch users to *remove* memberships.
Hence, I believe there is no clean solution for the general case.
Naturally, for your specific use case - where you might have a single LDAP resource, and be sure that all user memberships are coming from LDAP - you could arrange things differently by implementing your own version of LDAPMembershipPullActions or SetUMembershipsJob.
Hope this clarifies.
Regards.
On 15/08/2018 10:47, Alex123 wrote:
Hi!
I have Syncope 2.1.0 and Ldap connector 1.5.2. All works fine, but THERE IS A PROBLEM:
When I remove attribute 'uniqueMember'='uid=myldapuser,ou=Users,o=client1,dc=xyz,dc=net' in one of LDAP groups such as 'MyGroup' and then pull changes to Syncope, Syncope does not remove 'myldapuser' to 'MyGroup' membership.
Syncope only adds new memberships from LDAP but doesn't remove old memberships (those that are removed in LDAP).
My Ldap connector has the following settings:
- Group Name Attributes = 'cn'
- Group Member Attribute = 'uniqueMember'
- Maintain LDAP Group Membership = true
LdapSync resource has:
- Actions Selected = LDAPMembershipPropagationActions
- Capabilities - All
LdapSync Pull Task has:
- Pull Mode = 'FULL_RECONCILIATION'
- Remediation = false
- Actions Selected = LDAPMembershipPullActions
- Matching rule = update
- Unmatching rule = ASSIGN
- Allow create = true
- Allow update = true
- Allow delete = true
In the debugger I see that Syncope has correct information about memberships - org.apache.syncope.core.provisioning.java.pushpull.LDAPMembershipPullActions, line 175, in field this.memberships (I see existing memberships and don't see removed memberships)
BUT
I don't see that, in org.apache.syncope.core.provisioning.java.job.SetUMembershipsJob or in org.apache.syncope.core.provisioning.java.propagation.LDAPMembershipPropagationActions, Syncope drops any memberships.
Thank you in advance for your help.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
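An added illustration (Python, not Syncope's own code and not from either poster) of the step the thread says is missing: turning the "user on Syncope -> groups on Syncope" map obtained from a pull into both add and remove membership patches, which requires a second input the pull actions do not have, namely the memberships Syncope already holds that came from this same resource. All names and the sample maps are constructed; the `full_reconciliation` flag mirrors the caveat that removals are only meaningful when the pulled map is complete.

```python
from typing import Dict, Set, Tuple

# Constructed sample: result of a FULL_RECONCILIATION pull of groups, after
# the "uniquemember" DNs have been resolved to Syncope usernames.
# 'MyGroup' no longer lists myldapuser's DN in LDAP (the case in the thread).
PULLED: Dict[str, Set[str]] = {
    "myldapuser": {"OtherGroup"},
    "alice": {"MyGroup", "OtherGroup"},
}

# Constructed sample: memberships Syncope currently holds that were assigned
# through this LDAP resource. A pull action would have to track the originating
# resource for this to be known; that is the gap Francesco describes.
CURRENT: Dict[str, Set[str]] = {
    "myldapuser": {"MyGroup", "OtherGroup"},
    "alice": {"MyGroup"},
    "bob": {"MyGroup"},  # not returned by any pulled group at all
}


def reconcile(pulled: Dict[str, Set[str]],
              current: Dict[str, Set[str]],
              full_reconciliation: bool = True) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {user: (groups_to_add, groups_to_remove)} for users needing a patch.

    Removals are only computed in full-reconciliation mode: an incremental
    pull yields a partial map, so absence there does not mean the membership
    was removed on LDAP (and memberships from other resources must not be in
    `current` at all, otherwise they would be dropped too).
    """
    patches: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for user in sorted(set(pulled) | set(current)):
        desired = pulled.get(user, set())
        existing = current.get(user, set())
        to_add = desired - existing
        to_remove = (existing - desired) if full_reconciliation else set()
        if to_add or to_remove:
            patches[user] = (to_add, to_remove)
    return patches


if __name__ == "__main__":
    for user, (add, remove) in reconcile(PULLED, CURRENT).items():
        print(f"{user}: add={sorted(add)} remove={sorted(remove)}")
```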