On 22 Apr 2013, at 09:46, Nik wrote:

> Hi Fabio,
>
> Thanks for the clarification of the roles creation.
>
> I'm still having difficulty understanding how to propagate
> new roles to create ldap groups. I have never used the ldap
> attribute ldapGroups in opendj before. Can you please give me an example if
> you have one?

Hi Nik,

ldapGroups is a special attribute (it doesn't exist in the ldap schema).
You can use it to propagate membership info, not for role group propagation.

To create a group on your OpenDJ you have to define a "role mapping" for your resource (OpenDJ) defined on syncope.
Just creating a new role and assigning the OpenDJ resource to it, a new group on the physical resource will be created.

Now, let's suppose you have a group on your OpenDJ with DN "cn=groupA,o=isp" (created by syncope or not).
In order to create a membership with this group you have to propagate user info with ldapGroups valued with that DN.

To propagate ldapGroups you have to define a specific mapping for this special attribute.
To the user mapping defined for your OpenDJ resource add one for ldapGroups.
For example, if you have a user attribute storing membership information (maybe a specific user schema called "groups") you'll have:

USER | UserSchema | groups | ldapGroups | .... | BOTH

Please consider that you can map a group/membership attribute as well.
Usually I create a specific group schema (let me call it "groupDN") and then I add a mapping for it into the user mapping. Ex:

GROUP | RoleSchema | groupDN | ldapGroups | ... | BOTH

In this way, I can specify a value for multivalued ldapGroups just by adding one or more syncope roles to the user.

Best regards,
F.

>
> rgds,
> Nik
>>
>> On 19 Apr 2013, at 14:03, Nik wrote:
>>
>>> But I would like to create a new group (e.g. using the "secretary" role
>>> from syncope) which should make
>>> an ldap group like:
>>>
>>> dn: cn=secretary,ou=Groups,o=usharesoft
>>> uniqueMember: uid=toto,ou=people,o=usharesoft
>>> cn: generators
>>> objectClass: groupOfUniqueNames
>>> objectClass: top
>>>
>>> So from what I have been able to work out so far, I should create the
>>> syncope user titi using Users->"create new user"
>>>
>>> Fill in all the mandatory parts under Details/Attributes tab
>>> Then select the Resources tab and add my ldap resource from "Available" to "Selected"
>>> Then select Roles tab and add the secretary role
>>> and save
>>
>> Hi Nik, you cannot propagate a role creation just by creating a membership on
>> syncope.
>> If the role doesn't exist yet on the resource, the steps are:
>> 1. create role on syncope and propagate creation
>> 2. create user on syncope, add role (on syncope) and propagate user and
>> membership
>>
>> If the role already exists on the resource you can jump to step 2 without
>> performing 1.
>>
>> Remember that user memberships are propagated/read by the ldapGroups attribute.
>>
>> Best regards,
>> F.
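As an added illustration (not code from the thread, from Syncope or from the ConnId LDAP connector), here is a small Python model of the two ldapGroups mapping rows Fabio describes and of the groupOfUniqueNames changes they imply on OpenDJ when a role is added to or removed from a user. The data layout (a user schema `groups`, a role schema `groupDN`, the sample DNs) is an assumption that mirrors the examples in the thread.

```python
from typing import Dict, List, Set

# Constructed sample data mirroring the thread: a user schema "groups" and a
# role schema "groupDN", both mapped to the connector's ldapGroups attribute.
USER_ATTRS = {"groups": ["cn=groupA,o=isp"]}
ROLE_ATTRS = {"secretary": {"groupDN": ["cn=secretary,ou=Groups,o=usharesoft"]}}
USER_DN = "uid=toto,ou=people,o=usharesoft"


def ldap_groups_for_user(user_attrs: Dict[str, List[str]],
                         role_attrs: Dict[str, Dict[str, List[str]]],
                         user_roles: List[str]) -> Set[str]:
    """Merge the two mapping rows into one multivalued ldapGroups value.

    USER  | UserSchema | groups  | ldapGroups | BOTH
    GROUP | RoleSchema | groupDN | ldapGroups | BOTH
    Every groupDN of every role the user holds is added to the DNs stored in
    the user's own "groups" attribute. DNs are compared as exact strings here;
    a real directory matches them case-insensitively.
    """
    groups = {dn.strip() for dn in user_attrs.get("groups", [])}
    for role in user_roles:
        groups.update(dn.strip() for dn in role_attrs.get(role, {}).get("groupDN", []))
    return groups


def membership_ldif(user_dn: str, old: Set[str], new: Set[str]) -> str:
    """LDIF modify records that move groupOfUniqueNames membership from old to new.

    Groups only in `new` gain the user as uniqueMember; groups only in `old`
    lose it, which is what removing a role from the user should trigger.
    Returns an empty string when nothing changed.
    """
    records = []
    for dn in sorted(new - old):
        records.append(f"dn: {dn}\nchangetype: modify\nadd: uniqueMember\nuniqueMember: {user_dn}\n-\n")
    for dn in sorted(old - new):
        records.append(f"dn: {dn}\nchangetype: modify\ndelete: uniqueMember\nuniqueMember: {user_dn}\n-\n")
    return "\n".join(records)


if __name__ == "__main__":
    # Assign the "secretary" role and show the membership changes it implies.
    before = ldap_groups_for_user(USER_ATTRS, ROLE_ATTRS, [])
    after = ldap_groups_for_user(USER_ATTRS, ROLE_ATTRS, ["secretary"])
    print("ldapGroups:", sorted(after))
    print(membership_ldif(USER_DN, before, after))
```

After a propagation you can confirm the result on OpenDJ by searching groups whose uniqueMember equals the user's DN and comparing them with the set this model computes.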