LDAP group membership sync


LDAP group membership sync

[TheResolvers] - Alex
Hello to everyone,
I’m trying to deploy Syncope as an IDM to provision users on an OpenLDAP directory server.
The push of users and groups to the directory works without any problem, but I haven’t yet found the correct configuration to maintain user memberships.
So I think I made some mistakes in the ConnId LDAP connector.

Can anyone send me a base config to provision user membership for posixGroup (RFC2307)?

I’m using Syncope 2.0.1 with a MySQL backend.

Thank you, and Merry Christmas to everyone.
Alex



--
Alex
The Resolvers s.r.l.s.
+0971 1750075
+39 388 1506886


This e-mail and any attachments are confidential and may contain privileged information intended for the addressee(s) only. Dissemination, copying, printing or use by anybody else is unauthorised. If you are not the intended recipient, please delete this message and any attachments and advise the sender by return e-mail. Thanks.

Respect the environment. Do not print this e-mail unless necessary.


Re: LDAP group membership sync

ilgrosso
Administrator
On 23/12/2016 21:38, [TheResolvers] - Alex wrote:

> Hello to everyone,
> I’m trying to deploy Syncope as an IDM to provision users on an OpenLDAP
> directory server.
> The push of users and groups to the directory works without any
> problem, but I haven’t yet found the correct configuration to maintain
> user memberships.
> So I think I made some mistakes in the ConnId LDAP connector.
>
> Can anyone send me a base config to provision user membership for
> posixGroup (RFC2307)?
>
> I’m using Syncope 2.0.1 with a MySQL backend.

Hi,
you might want to take a look at Colm's post about pulling users and
groups from LDAP:

http://coheigea.blogspot.it/2016/08/pulling-users-and-groups-from-ldap-into.html

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: LDAP group membership sync

[TheResolvers] - Alex
Hi,
I think I haven’t explained the problem clearly.

The idea isn’t to pull the group membership from LDAP, but instead to push the Syncope group membership information into LDAP.

So the tutorial is exactly the opposite of what I need.

The funny thing is that apart from group sync, the rest of the setup is working out of the box without any problem.


Thank you to everyone!
Alex


Re: LDAP group membership sync

ilgrosso
Administrator
On 27/12/2016 18:25, [TheResolvers] - Alex wrote:

> Hi,
> I think I haven’t explained the problem clearly.
>
> The idea isn’t to pull the group membership from LDAP, but instead to
> push the Syncope group membership information into LDAP.
>
> So the tutorial is exactly the opposite of what I need.
>
> The funny thing is that apart from group sync, the rest of the setup is
> working out of the box without any problem.

Some background: memberships are not managed by ConnId at framework level (ConnId has only the concept of objectClass [1]).

For this reason Syncope provides some utility classes (as propagation actions [2] and pull actions [3]) which can be put at work to overcome this limitation.

In your specific case, you'd need to include

org.apache.syncope.core.provisioning.java.propagation.LDAPMembershipPropagationActions

in the LDAP external resource.
This will extend the attributes passed from Syncope to LDAP with a special 'ldapGroups' attribute containing the list of DNs of the LDAP groups matching the Syncope groups each user is member of.
Then the LDAP connector code will take care of it.

Moreover, you'll also need to configure the underlying connector with POSIX group support (see the available options at [4]).

In any case, I'd suggest watching the core-connid.log file during propagations to see what is actually happening.

HTH
Regards.

[1] http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/common/objects/ObjectClass.html
[2] https://syncope.apache.org/docs/reference-guide.html#propagationactions
[3] https://syncope.apache.org/docs/reference-guide.html#pullactions
[4] https://connid.atlassian.net/wiki/display/BASE/LDAP

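The reply above says that LDAPMembershipPropagationActions hands the connector an 'ldapGroups' list of group DNs per user and that, with POSIX group support, the connector turns those into posixGroup memberships. Watching core-connid.log shows what was sent; the following added example (my own, not from the thread, Syncope or ConnId) checks the outcome instead: it reconciles a constructed set of per-user 'ldapGroups' DNs against the memberUid values in a constructed LDIF export of the target's posixGroup entries and reports memberships missing from the directory and members present there that Syncope does not account for. All DNs and uids are hypothetical.

```python
import re

# Constructed LDIF standing in for an ldapsearch export of the groups
# subtree on the OpenLDAP target (hypothetical DNs, not from the thread).
GROUPS_LDIF = """\
dn: cn=developers,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: developers
memberUid: alice
memberUid: bob

dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: admins
memberUid: alice
memberUid: mallory
"""

# Constructed view of what LDAPMembershipPropagationActions would emit:
# uid -> list of 'ldapGroups' DNs. Assumed values, not taken from Syncope.
EXPECTED = {
    "alice": ["cn=developers,ou=groups,dc=example,dc=org",
              "cn=admins,ou=groups,dc=example,dc=org"],
    "bob": ["cn=developers,ou=groups,dc=example,dc=org",
            "cn=admins,ou=groups,dc=example,dc=org"],
}

def parse_posix_groups(ldif):
    """Map lower-cased group DN -> set of memberUid for posixGroup entries.
    Lower-casing is a crude DN normalisation; it ignores RFC 4514 escaping."""
    groups = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key.strip(), []).append(val.strip())
        if "posixGroup" in attrs.get("objectClass", []):
            groups[attrs["dn"][0].lower()] = set(attrs.get("memberUid", []))
    return groups

def membership_drift(expected, ldif):
    """Return (missing, unexpected): (uid, dn) pairs Syncope expects but the
    directory lacks, and memberUid values no Syncope user accounts for."""
    groups = parse_posix_groups(ldif)
    wanted = {(uid, dn.lower()) for uid, dns in expected.items() for dn in dns}
    actual = {(uid, dn) for dn, uids in groups.items() for uid in uids}
    return sorted(wanted - actual), sorted(actual - wanted)
```

An unexpected memberUid is worth investigating even when propagation logs look clean, since the connector only manages what Syncope sends and says nothing about entries added directly on the directory.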