AD Mapping User To Specific Groups

AD Mapping User To Specific Groups

imilosevic
Hi all,

I have an issue that happens when I try to push users to the Active Directory specific group, they instead are mapped only to the membership of the connector for that resource.
If I add multiple memberships to the connector, it will provision users to all groups that are part of it.
I have also tried to do the mapping but with no luck.

What is the right way of provisioning users to the wanted group?

Thank you!

Re: AD Mapping User To Specific Groups

Fabio Martelli
On 22/03/2017 14:02, imilosevic wrote:
> Hi all,
>
> I have an issue that happens when I try to push users to the Active
> Directory specific group, they instead are mapped only to the membership of
> the connector for that resource.
> If I add multiple memberships to the connector, it will provision users to
> all groups that are part of it.
> I have also tried to do the mapping but with no luck.
>
> What is the right way of provisioning users to the wanted group?
>
> Thank you!
>
> --
> View this message in context: http://syncope-user.1051894.n5.nabble.com/AD-Mapping-User-To-Specific-Groups-tp5709105.html
> Sent from the syncope-user mailing list archive at Nabble.com.

Hi, actually I have not got your point.

What are the "memberships" you are speaking of? Are you referring to the membership you can specify on the connector instance configuration panel?

If you want to perform membership provisioning you have to map Active Directory user groups with Syncope groups and then use LDAPMembershipPropagationAction to manage groups and group memberships propagation.

So, you can

  1. configure propagation action for AD resource [1]
  2. provide a group mapping [2]
  3. create a new group (assign it to AD resource) and check if it is successfully propagated on AD
  4. assign a user to the group and check if it becomes a member of the group on AD

If you need existing AD groups on Syncope you can synchronize them or replicate them manually and perform a push operation by providing the right matching rule (link).


Regards,

F.


[1] http://syncope.apache.org/docs/reference-guide.html#propagationactions

[2] http://syncope.apache.org/docs/reference-guide.html#mapping

-- 
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/

Re: AD Mapping User To Specific Groups

imilosevic
Yes, I was referring to the membership in the connector configuration panel.

I want to propagate users from Apache Syncope into the AD groups that already exist.

I created a group in Syncope, that exists in AD, and performed the push operation with the matching rule (link).
It provisions users, but it doesn't place them in groups.
When I open the properties of the group (AD), the members tab is empty.

Could you please tell me what am I missing?

Thank you

Regards,
IM

Re: AD Mapping User To Specific Groups

Fabio Martelli
Did you provide LDAPMembershipPropagationAction?

On 22 March 2017 16:34:42 CET, imilosevic <[hidden email]> wrote:
> Yes, I was referring to the membership in the connector configuration panel.
>
> I want to propagate users from Apache Syncope into the AD groups that
> already exist.
>
> I created a group in Syncope, that exists in AD, and performed the push
> operation with the matching rule (link).
> It provisions users, but it doesn't place them in groups.
> When I open the properties of the group (AD), the members tab is empty.
>
> Could you please tell me what am I missing?
>
> Thank you
>
> Regards,
> IM

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: AD Mapping User To Specific Groups

imilosevic
Yes I did.

Re: AD Mapping User To Specific Groups

imilosevic
Hello,

I have a couple of AD groups and I want to provision different users to each of them. My groups on AD are HR, IT and Finance.
My group location on AD for IT is: CN=IT,CN=Users,DC=apache,DC=com

How can I replicate users (any user) from Syncope to that specific group which is IT?


Thank you


Regards,
IM

Re: AD Mapping User To Specific Groups

Fabio Martelli

On 24/03/2017 11:08, imilosevic wrote:
> Hello,
>
> I have a couple of AD groups and I want to provision different users to each
> of them. My groups on AD are HR, IT and Finance
> My group location on AD for HR is: CN=IT,CN=Users,DC=apache,DC=com
>
> <http://syncope-user.1051894.n5.nabble.com/file/n5709116/Screenshot_2.png>
>
> How can I replicate users (any user) *from Syncope* to that specific group
> which is *IT*?

Hi, please do the following steps.

  1. Make sure to have configured a mapping for groups by providing the connector object link expression (last tab of the provisioning rules for group objects).
    It should be something like 'cn=' + name + ', CN=Users,DC=apache,DC=com'.
    Usually, in the mapping tab, a mapping for the internal attribute name is enough (i.e. name -> cn).
  2. Make sure to have specified LDAPMembershipPropagationActions for your AD resource (in the resource configuration panel).
  3. Create a user and assign the IT group to it.

If you have configured your connector instance correctly, Syncope will propagate users and the specified membership towards AD: the memberof attribute of the new user will be populated with the DN of the IT group, and the member attribute of the group with the DN of the new user.

Provide screenshots of connector instance configuration, mappings and resource configuration if the problem persists.

Regards,

F.




> Thank you
>
> Regards,
> IM


-- 
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/
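
A check for the end state this reply describes (the user's memberOf holding the IT group DN and the group's member holding the user DN), as an added example that is not part of the original thread or of Syncope. The LDIF sample and user names are constructed, and the helper names are hypothetical.

```python
"""Check an AD export for the membership state described in the reply above."""

BASE = "CN=Users,DC=apache,DC=com"

# Constructed sample export (LDIF-style); the user names are hypothetical.
SAMPLE_LDIF = """\
dn: CN=IT,CN=Users,DC=apache,DC=com
objectClass: group
member: CN=alice,CN=Users,DC=apache,DC=com

dn: CN=alice,CN=Users,DC=apache,DC=com
objectClass: user
memberOf: CN=IT,CN=Users,DC=apache,DC=com

dn: CN=bob,CN=Users,DC=apache,DC=com
objectClass: user
"""

def norm_dn(dn):
    """Lower-case and trim each RDN so equivalent DN spellings compare equal.
    Simplified: does not handle escaped commas inside RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def object_link(name, base=BASE):
    """Mirror of the thread's link expression: 'cn=' + name + ', ' + base."""
    return "cn=" + name + ", " + base

def parse_ldif(text):
    """Return {normalized dn: {attr_lower: [values]}} for unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def missing_members(entries, group_name, user_names):
    """Names not linked to the group on both sides (member and memberOf)."""
    group_dn = norm_dn(object_link(group_name))
    members = {norm_dn(m) for m in entries.get(group_dn, {}).get("member", [])}
    missing = []
    for name in user_names:
        user_dn = norm_dn(object_link(name))
        member_of = {norm_dn(g) for g in entries.get(user_dn, {}).get("memberof", [])}
        if user_dn not in members or group_dn not in member_of:
            missing.append(name)
    return missing

if __name__ == "__main__":
    print(missing_members(parse_ldif(SAMPLE_LDIF), "IT", ["alice", "bob"]))
```

A user reported here was provisioned to AD but never linked to the group, which is the symptom described in this thread.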

Re: AD Mapping User To Specific Groups

imilosevic
Hi, unfortunately it didn't solve the problem. IT group in AD is not populated with the user.



These are configurations of the connector instance, mappings and resource.

Connector: [screenshots]

Mappings: [screenshots]

Resource: [screenshot]

Thank you for support

Kind Regards,
IM

Re: AD Mapping User To Specific Groups

Fabio Martelli
Hi, you forgot to provide the mapping for users.
Only entities provided with a mapping will have a chance to be propagated.

Regards,
F.

On 24/03/2017 13:33, imilosevic wrote:

> Hi, unfortunately it didn't solve the problem. IT group in AD is not
> populated with the user.
>
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/ad.png>
>
> These are configurations of the connector instance, mappings and resource.
>
> Connector:
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con1.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con2.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con3.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con4.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con5.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/con6.png>
> ___________________________________
>
> Mappings:
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/map1.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/map2.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/map3.png>
> ___________________________________
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/map4.png>
> ___________________________________
>
> Resource:
> <http://syncope-user.1051894.n5.nabble.com/file/n5709118/res1.png>
>
> Thank you for support
>
> Kind Regards,
> IM


--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/


Re: AD Mapping User To Specific Groups

imilosevic
Thank you so much for your support, I have managed to solve this issue with your help!

Keep up the good work!


Best Regards,
IM