On 08/02/2013 17:55, Colm O hEigeartaigh wrote:
The basic idea is that for propagating / synchronizing users you need a ConnId
connector supporting ObjectClass.ACCOUNT (all available connector bundles)
while for propagating / synchronizing roles you need a ConnId connector
supporting ObjectClass.GROUP (only the LDAP connector bundle, currently).
Thanks for the explanation Francesco! I'll turn my attention to
experimenting with an LDAP backend so. What do you think about a JIRA to
query the underlying Connector to see whether it supports
ObjectClass.GROUP, and to disable the ability to add Role Mappings in the
Resource if it does not?
I am not sure whether ConnId provides a framework operation to check if
a given ObjectClass is supported nor to list the supported object
classes, hence I think a sort of guess should be put in place. But
disabling some console component because of such guess would be an hazard...
I will investigate next week to see if this check is feasible (and
reliable).
Have a nice WE.
Regards.
On Fri, Feb 8, 2013 at 4:18 PM, Francesco Chicchiriccò
<ilgro...@apache.org>wrote:
On 08/02/2013 17:10, Colm O hEigeartaigh wrote:
Hi all,
I'm experimenting with synchronizing roles into Syncope on trunk.
Firstly, what is the difference between a User mapping in a Resource where
you select "ROLE" as the entity, and the Role Mapping tab where you can
only select "ROLE"?
When you add a mapping item for users with ROLE entities, you are
propagating the value(s) of a role attribute as part of the user data. Here
you are managing an user (i.e. ObjectClass.ACCOUNT for ConnId).
When you add a mapping item for roles (only ROLE entities allowed), you
are propagating the role data. Here you are managing a role (i.e.
ObjectClass.GROUP for ConnId).
Let's say I have a database table with a Username, Password, some
attributes, and a Role name. I want to import this Role into Syncope and
also see that the User has this Role when I edit the User in the Console.
Is this possible?
The basic idea is that for propagating / synchronizing users you need a
ConnId connector supporting ObjectClass.ACCOUNT (all available connector
bundle) while for propagating / synchronizing roles you need a ConnId
connector supporting ObjectClass.GROUP (only the LDAP connector bundle,
currently).
Moreover, the use case you report above is for propagating memberships
(i.e. the fact that a user belongs to a role), not the role itself.
Propagating memberships is not supported by the ConnId framework; however,
I've developed some simple actions for achieving this goal, at least for
LDAP as part of SYNCOPE-26.
Hope this clarifies a bit.
Regards.
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
