Il 28/06/2016 12:08, Jonas Israelsson ha scritto:
On 24/06/16 14:05, Francesco Chicchiriccò wrote:
On 24/06/2016 14:00, Francesco Chicchiriccò wrote:
On 24/06/2016 13:58, Jonas Israelsson wrote:
Running 2.0.0-M3 and have hooked up a connector to my openldap server.
First sync, no problem all users are placed in the local storage.
Second sync however, even though the sync is marked as successful
I see from the logs syncope are trying to reinsert all entrys to
the local storage and fail due to key violation. I have set the
matching rule to update, and use the uid as remote key, mapped to
the local username field.
Can I create this behaviour by misconfiguration, or do we have a
bug here ?
It is quite common to fall into such issues when configuring an
LDAP resource; please take this (quite old, but still applying)
post of mine as reference:
http://blog.tirasa.net/unlock-full-ldap-features-in.html
Please let me know if that improves the situation.
That blog post explains how to setup an ldap-connector, under the
impression I'm beyond that point. If I miss the obvious may I
please ask you to elaborate ?
I have no problem (via the connector) getting the data from my
directory service. My problem is I fail to convince syncope not to
add already synced users a new ones.
The post explains how to correctly setup the connector AND the
resource mapping so that you can avoid the problem you have above
(plus some additional things, BTW).
In particular, I would check the value provided for 'Uid Attribute'
in the connector configuration - which is safe to set to 'cn' when
managing both users and groups.
Please check all other parameters as well.
While I have got this somewhat working, it does not work as I'd like
it to. The problem (with key violation) occurs when leaving 'Uid
Attribute' to it's default value entryUUID. Not sure I have fully
understood the meaning of the 'Uid Attribute' but if it's meant to
create a local unique identifier mapped to the remote entry, the
entryUUID would in my humble opinion be the best candidate. By the
way, if 'Uid Attribute' is meant to be used for this correlation, of
what usage is then the remote key on the field mapping ?
When not using entryUUID I'm not quite sure how syncope should be
configured to be compatible with a directory service layout using
different rdn such as uid for users and cn for groups. I though I
could work around this by creating two resources with different 'uid
attribute'. However with this approach I found no way on how to
populate the groups with members.
So to sum things up.
Hi Jonas,
1) Is the entryUUID as 'Uid Attribute' by design not supposed to work
in syncope ?
entryUUID should work in Syncope very well. Probably, the trouble that
you have is in your mapping.
I mean, if you are using the default 'Uid Attribute' you have to map it
as remote key by specifying entryUUID as "External attribute" and by
checking "Remote key" flag for it.
2) If so, is there a way to join data from different resources (user
from one with groups from another) ?
Yes, you can but you have to provide an ad-hoc synchronization action class.
I'm quite sure you cannot use the once provided by default as is.
Best regards,
F.
--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html
Tirasa - Open Source Excellence
http://www.tirasa.net/
Apache Syncope PMC
http://people.apache.org/~fmartelli/