Hi Fabio,

Thanks for your response. I have another question relating to:

http://syncope-dev.1063484.n5.nabble.com/Role-membership-attributes-synchronization-td5512256.html

Let's say we create a User in Syncope and assign a Role to it, which has an
attribute that gets mapped to a User Attribute in the resource (e.g.
"memberOf"). The question is what the converse behaviour should be in the
context of Syncope supporting Role synchronization properly. Let's say the
memberOf attribute changes in the backend and a synchronization task takes
effect in Syncope. Which of the following behaviours should apply?

a) The Role attribute gets updated to the new value.
b) The User gets assigned to a new Role that has an attribute that matches
the updated resource attribute (if one exists).

Thanks,

Colm.

On Tue, Aug 14, 2012 at 7:46 AM, Fabio Martelli <[email protected]> wrote:

> Hi Colm,
> please, find my comments/answers inline.
>
> On 13 Aug 2012, at 18:04, Colm O hEigeartaigh wrote:
>
> Hi all,
>
> I am trying to get a handle on what is currently supported in Syncope with
> respect to roles stored in an LDAP resource.
>
> One way of working with roles is given here in a previous thread:
>
>
> http://syncope-dev.1063484.n5.nabble.com/Role-membership-attributes-synchronization-td5512256.html
>
> So you can map a role attribute to an LDAP memberOf attribute (for
> example). I have the following questions:
>
>  a) This works for propagation, but does it also work for synchronization?
> So if the memberOf attribute changes in the backend, will the Role have the
> updated attribute value? I think this doesn't work, but just want to check.
>
>
> No, role attributes won't be synchronized: if the memberOf attribute changes,
> Syncope won't execute any update of the role attributes.
> However, this shouldn't be the right behavior. We expect to synchronize
> role and membership attributes also.
> The related issue is https://issues.apache.org/jira/browse/SYNCOPE-26.
>
>  b) Must the Role (Group) pointed to already exist in LDAP or is there any
> way of creating it from Syncope?
>
>
> There isn't any way to create a group or role on an external resource. At the
> moment Syncope provides only user provisioning features.
> Role propagation/synchronization is on the roadmap. See
> https://issues.apache.org/jira/browse/SYNCOPE-172.
>
>  c) Is there any way of importing roles from an LDAP backend via search?
> So for example, your users do not have a "memberOf" attribute, but instead
> you have some "ou=groups" with a "member" attribute pointing back to the
> relevant users in the group. Is there any way of importing this group
> information into Syncope?
>
>
> No, it isn't. This feature is really close to role mining. We expect to
> have this soon, with the role propagation/synchronization feature (see above).
> At the moment, if you want to import role information from LDAP you have
> to implement a custom solution.
>
> Best regards,
> F.
>
> Thanks,
>
> Colm.
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
