group membership via cmd-connector

group membership via cmd-connector

Jonas Israelsson
Greetings.

I have an old proprietary system that I need to include in the
provisioning. The only way I will be able to communicate with it, is via
the cmd-connector.

While I have got creation and deletion of both users and groups working,
I fail to figure out how to get a hold of the group membership.

I don't understand how or what to map for the membership to be presented
to the connector.

If anyone could point me in the right direction, I would be most grateful.

Brgds Jonas


Re: group membership via cmd-connector

ilgrosso
Administrator
On 08/09/2016 22:51, Jonas Israelsson wrote:

> Greetings.
>
> I have an old proprietary system that I need to include in the
> provisioning. The only way I will be able to communicate with it, is
> via the cmd-connector.
>
> While I have got creation and deletion of both users and groups
> working, I fail to figure out how to get a hold of the group membership.
>
> I don't understand how or what to map for the membership to be
> presented to the connector.
>
> If anyone could point me in the right direction, I would be most
> grateful.

Hi,
great that you've been able to put the CMD connector to work; it's not
an easy beast.

The concept of "memberships" as assignment of users to groups is absent
in ConnId, it's more something that Syncope adds on top.

Some connectors (LDAP, Active Directory, ...) provide "special
attributes" with the purpose of carrying such information, but this
still needs some sort of special handling on the Syncope side, e.g.
Propagation [1] and Pull [2] actions.

Example: the LDAP connector can be instructed, when querying for users,
to return the LDAP_GROUPS special attribute for each user, which
contains all the DNs of the groups that the user is a member of.
Conversely, when creating / updating a user on LDAP, Syncope can
populate the LDAP_GROUPS attribute, and the LDAP connector will take
care of the assignment at the LDAP level.

You can take a look at how the membership action classes work for LDAP:
[3] when sending during propagation and [4] when pulling users and groups.

HTH
Regards.

[1] http://syncope.apache.org/docs/reference-guide.html#propagationactions
[2] http://syncope.apache.org/docs/reference-guide.html#pullactions
[3] https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java
[4] https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/pushpull/LDAPMembershipPullActions.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC,
CXF Committer, OpenJPA Committer, PonyMail PPMC
http://home.apache.org/~ilgrosso/
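
The script side of the "special attribute" approach described in the reply above, as an added example that is not part of the thread and not Syncope or ConnId code: an update script for the legacy system turns a desired membership list into add/remove steps, validating each group name before it could reach a legacy command line. Assumptions: the membership attribute arrives as one comma-separated value, group names use only `A-Za-z0-9._-`, and all function names and sample values are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed, not documented behaviour:
# desired groups reach the script as one comma-separated value.

# valid_name NAME: succeed only for names safe to hand to a legacy CLI.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;  # empty, option-like, or odd chars
        *) return 0 ;;
    esac
}

# to_lines LIST: comma-separated list -> sorted unique lines.
to_lines() {
    printf '%s' "$1" | tr ',' '\n' | sed '/^$/d' | sort -u
}

# only_in A B: print the lines of A that are not lines of B.
only_in() {
    printf '%s\n' "$1" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done
}

# membership_plan DESIRED CURRENT: print "add G" / "remove G" lines.
# Returns 2 and prints no plan if any name fails validation.
membership_plan() {
    desired=$(to_lines "$1")
    current=$(to_lines "$2")
    while IFS= read -r g; do
        [ -n "$g" ] || continue
        valid_name "$g" || { printf 'rejected group name: %s\n' "$g" >&2; return 2; }
    done <<EOF
$desired
$current
EOF
    only_in "$desired" "$current" | sed 's/^/add /'
    only_in "$current" "$desired" | sed 's/^/remove /'
}

# Constructed sample values: desired state from Syncope, current state
# as read back from the legacy system.
membership_plan "staff,admins" "staff,legacy"
```

Validation runs over both lists before any plan line is printed, so a single bad name aborts the whole update rather than leaving memberships half applied.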

