On 14/08/2012 08.46, Fabio Martelli wrote:
Hi Colm,
please, find my comments/answers inline.
On 13 Aug 2012, at 18:04, Colm O hEigeartaigh wrote:
Hi all,
I am trying to get a handle on what is currently supported in Syncope
with respect to roles stored in an LDAP resource.
One way of working with roles is given here in a previous thread:
http://syncope-dev.1063484.n5.nabble.com/Role-membership-attributes-synchronization-td5512256.html
So you can map a role attribute to an LDAP memberOf attribute (for
example). I have the following questions:
a) This works for propagation, but does it also work for
synchronization? So if the memberOf attribute changes in the backend,
will the Role have the updated attribute value? I think this doesn't
work, but just want to check.
No, role attributes won't be synchronized: if the memberOf attribute
changes, Syncope won't execute any update of the role attributes.
However, this shouldn't be the right behavior. We expect to
synchronize role and membership attributes also.
The related issue is https://issues.apache.org/jira/browse/SYNCOPE-26.
In the meanwhile, you could implement your own logic to be performed
during synchronization (see
https://cwiki.apache.org/confluence/display/SYNCOPE/SynchronizationActionsClass).
An idea could be to extend beforeUpdate() and add the code for
interpreting LDAP's memberOf values as Syncope memberships. We did
something similar for a customer.
b) Must the Role (Group) pointed to already exist in LDAP or is
there any way of creating it from Syncope?
There isn't any way to create a group or role on an external resource. At
the moment Syncope provides only user provisioning features.
Role propagation/synchronization is on the roadmap. See
https://issues.apache.org/jira/browse/SYNCOPE-172.
c) Is there any way of importing roles from an LDAP backend via
search? So for example, your users do not have a "memberOf"
attribute, but instead you have some "ou=groups" with a "member"
attribute pointing back to the relevant users in the group. Is there
any way of importing this group information into Syncope?
No, there isn't. This feature is really close to role mining. We expect to
have this soon, with the role propagation/synchronization feature (see above).
At the moment, if you want to import role information from LDAP you
have to implement a custom solution.
--
Francesco Chicchiriccò
ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/
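As an added illustration of the custom synchronization logic Fabio describes (turning a user's memberOf values into Syncope memberships, and the inverse group-side "member" layout from question c), here is a standalone helper. It is not Syncope's own code: the SyncActions beforeUpdate() hook that would call it is left out because its exact signature depends on the Syncope version, and the group base DN and sample entries are constructed.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/** Maps LDAP group DNs to Syncope role names, from a user's memberOf values (question a)
 *  or from group entries whose member attribute points back at users (question c). */
public final class LdapRoleMapper {
    private final LdapName groupBase;   // assumed layout, e.g. ou=groups,dc=example,dc=com

    public LdapRoleMapper(String groupBaseDn) throws InvalidNameException {
        this.groupBase = new LdapName(groupBaseDn);
    }

    /** memberOf values -> role names; DNs outside the group base are ignored. */
    public Set<String> rolesFromMemberOf(Collection<String> memberOf) throws InvalidNameException {
        Set<String> roles = new TreeSet<>();
        for (String value : memberOf) {
            // LdapName handles escaped commas and compares RDNs case-insensitively, so
            // "CN=Developers, OU=Groups, DC=Example, DC=com" still matches the group base.
            LdapName dn = new LdapName(value);
            if (dn.startsWith(groupBase) && dn.size() > groupBase.size()) {
                roles.add(dn.getRdn(dn.size() - 1).getValue().toString()); // leftmost RDN, e.g. cn
            }
        }
        return roles;
    }

    /** Inverts group DN -> member DNs into user DN -> role names (LdapName keys are case-insensitive). */
    public Map<LdapName, Set<String>> rolesByUser(Map<String, Collection<String>> groupMembers)
            throws InvalidNameException {
        Map<LdapName, Set<String>> result = new HashMap<>();
        for (Map.Entry<String, Collection<String>> e : groupMembers.entrySet()) {
            Set<String> role = rolesFromMemberOf(Collections.singleton(e.getKey()));
            for (String member : e.getValue()) {
                result.computeIfAbsent(new LdapName(member), k -> new TreeSet<>()).addAll(role);
            }
        }
        return result;
    }

    public static void main(String[] args) throws InvalidNameException {   // constructed sample data
        LdapRoleMapper mapper = new LdapRoleMapper("ou=groups,dc=example,dc=com");
        System.out.println(mapper.rolesFromMemberOf(Arrays.asList("cn=admins,ou=groups,dc=example,dc=com",
                "CN=Developers, OU=Groups, DC=Example, DC=com", "cn=printers,ou=devices,dc=example,dc=com")));
        Map<String, Collection<String>> groups = new HashMap<>();
        groups.put("cn=admins,ou=groups,dc=example,dc=com", Arrays.asList("uid=alice,ou=people,dc=example,dc=com"));
        groups.put("cn=developers,ou=groups,dc=example,dc=com", Arrays.asList(
                "UID=Alice, OU=People, DC=Example, DC=com", "uid=bob,ou=people,dc=example,dc=com"));
        System.out.println(mapper.rolesByUser(groups));
    }
}
```

The two DN spellings of alice in the sample collapse into one map entry, which is the normalisation step a beforeUpdate() implementation needs before comparing LDAP group data against the memberships Syncope already holds.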