Thx for the answer.
I inspected the resource-ldap-orgunit and discoverd the omission of the
fullpath mapping for realms, which is mapped to LDAP l attribute. I've
added an l attribute to my organisations and mapped that to fullpath, but
then the persistence class complains about a malformed realm path:
org.apache.syncope.core.persistence.api.dao.MalformedPathException: The
provided realm path is malformed: Foobar
What would the correct syntax of realm path look like? I don't see any JEXL
transformations for both fullpath or name in the resource-ldap-orgunit
example?
Some testing reveals the above Foobar is extracted from the o= attribute,
which I mapped to 'name', which very much resembles the mapping of ou to
name in the resource-ldap-orgunit example.
What's wrong with that as a path?
Here's the complete logging from my test setup:
13:36:46.230 DEBUG Enter: search(ObjectClass: __ACCOUNT__, null,
org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy$2@aabea88,
OperationOptions:
{PAGED_RESULTS_OFFSET:-1,ATTRS_TO_GET:[__NAME__,__UID__,l,__ENABLE__,o],PAGE_SIZE:100})
Method: search
13:36:46.232 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__, null,
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@5ba5c871,
OperationOptions:
{PAGED_RESULTS_OFFSET:-1,ATTRS_TO_GET:[__NAME__,__UID__,l,__ENABLE__,o],PAGE_SIZE:100})
Method: executeQuery
13:36:46.232 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not
mapped to an LDAP attribute Method: getLdapAttribute
13:36:46.233 DEBUG Searching in [dc=scz,dc=vnet] with filter
(&(objectClass=organization)(!(objectClass=dcObject))) and SearchControls:
{returningAttributes=[l, o], scope=SUBTREE} Method: doSearch
13:36:46.240 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not
mapped to an LDAP attribute Method: getLdapAttribute
13:36:46.240 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[Foobarb]},
ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute:
{Name=__NAME__, Value=[o=Foobarb,dc=scz,dc=vnet]}, Attribute:
{Name=__UID__, Value=[Foobarb]}, Attribute: {Name=l, Value=[/Foobara]},
Attribute: {Name=__ENABLE__, Value=
[]}, Attribute: {Name=o, Value=[Foobarb]}], Name=Attribute: {Name=__NAME__,
Value=[o=Foobarb,dc=scz,dc=vnet]}} Method: handle
13:36:46.240 DEBUG Return: true Method: handle
13:36:46.240 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[Foobarb]},
ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute:
{Name=__NAME__, Value=[o=Foobarb,dc=scz,dc=vnet]}, Attribute:
{Name=__UID__, Value=[Foobarb]}, Attribute: {Name=l, Value=[/Foobara]},
Attribute: {Name=__ENABLE__, Value=
[]}, Attribute: {Name=o, Value=[Foobarb]}], Name=Attribute: {Name=__NAME__,
Value=[o=Foobarb,dc=scz,dc=vnet]}} Method: handle
13:36:46.240 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not
mapped to an LDAP attribute Method: getLdapAttribute
13:36:46.240 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[Foobar2]},
ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute:
{Name=__NAME__, Value=[o=Foobar2,dc=scz,dc=vnet]}, Attribute:
{Name=__UID__, Value=[Foobar2]}, Attribute: {Name=l, Value=[/Foobar2]},
Attribute: {Name=__ENABLE__, Value=
[]}, Attribute: {Name=o, Value=[Foobar2]}], Name=Attribute: {Name=__NAME__,
Value=[o=Foobar2,dc=scz,dc=vnet]}} Method: handle
13:36:46.240 DEBUG Return: true Method: handle
13:36:46.241 DEBUG Exception: Method: handle
org.apache.syncope.core.persistence.api.dao.MalformedPathException: The
provided realm path is malformed: Foobarb
...
On Mon, May 7, 2018 at 12:33 PM Francesco Chicchiriccò <ilgro...@apache.org>
wrote:
> Hi Martin,
> short answer: your Realm mapping is not correct, hence during pull there
> is no way for Syncope to match the incoming data with existing Realms.
> You normally "fix" incomplete mappings with Pull policies, but as you
> already discovered, Pull policies do not apply to Realms.
> Hence, you have no choice but providing a good mapping for Realms.
> I'd suggest to take a look at how the resource-ldap-orgunit is defined:
> you can check it either via
> http://syncope-vm.apache.org:9080/syncope-console/ or by downloading and
> running the standalone distribution.
> Regards.
> On 07/05/2018 11:23, Martin van Es wrote:
> > Still stuck.
> > It would be really nice if somebody could explain how to create a REALM
> > pull policy or tell me that it's not a possibility at the moment?
> >
> > I've created a new AnyType FOO of AnyTypeClass BaseUser, which gives me
the
> > possibility to choose 'name' as PLAIN ATTRIBUTES Correlation Rule
attribute
> > in Pull Policy 'Realm' which I can apply to the REALM Resource that
pulls
> > in the realms, but I keep getting u_realm_name unique name constraints
> > violations on all following pulls.
> >
> > Best regards,
> > Martin
> > On Thu, May 3, 2018 at 10:31 PM Martin van Es <mrva...@gmail.com> wrote:
> >
> >> Ok, I'm a step further but still have problems.
> >> I encountered the same problems when pull'ing users and it turned out I
> >> needed to create a pull policy for users and assign that to my resource
> > for
> >> update conflict and correlation rules (I'm still learning the basics
> > here).
> >> Pull Update now works for users!
> >> It turns out, I can't find anything like that for REALMS? In the pull
> >> policy rule composer I can only choose USER or GROUP. When choosing
USER,
> > I
> >> can only match on username, but the assigned internal REALM attribute
is
> >> called 'name'. For GROUPS I can choose 'name', but then the policy
doesn't
> >> work or apply?
> >> Also, I tried add a REALM key to AnyTypes to contain the 'name'
attribute,
> >> but that's forbidden.
> >> Best regards,
> >> Martin
> >> On Thu, May 3, 2018 at 2:12 PM Martin van Es <mrva...@gmail.com> wrote:
> >>> Hi,
> >>> On Thu, May 3, 2018 at 12:43 PM Andrea Patricelli <
> >>> andreapatrice...@apache.org> wrote:
> >>>>> Realms created in the root realm:
> >>>>> CREATE SUCCESS (key/name):
> >> 3a3370df-3aa2-4787-b370-df3aa2278786///Foobar
> >>>>> CREATE SUCCESS (key/name):
> >>> 38d90785-ab9c-4fc8-9907-85ab9c2fc8e4///Foobar2
> >>>>> CREATE SUCCESS (key/name):
> >>> b3c86117-400b-457d-8861-17400bf57d5d///Foobar3
> >>>> Please check if realm path is correctly created on Syncope.
> >>> The Foobar realm's path is /Foobar, as expected.
> >>>> [1]
http://blog.tirasa.net/syncope-basics-manage-active-directory.html
> >>> I've checked the blog and since it's intended for AD I have to mold it
> >> into
> >>> LDAP only configuration a bit. Also, my realms come from organizations
> >>> instead of organizationalUnit, but I assume that doesn't matter for
the
> >>> excersice. I have done that to the best of my knowledge, knowing that
> >>> mapping organization only wouldn't apply the (!(objectClass=dcObject))
> >>> filter, effectively resulting in one too many Realms, but I could live
> >> with
> >>> that. The original problem however still remains: consecutively
pulling
> > in
> >>> the Realms results in unique key violoations.
> >>> Since I deployed Syncope from debian packages I'm not in a position to
> >>> develop, compile and deploy custom pull Actions. Also, I accept the
> > Realms
> >>> being inserted in a flat hierarchy, so I don't need any special
mapping
> > I
> >>> hope?
> >>> Best regards,
> >>> Martin
> >
> >
> >> --
> >> If 'but' was any useful, it would be a logic operator
> >
> >
> --
> Francesco Chicchiriccò
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
--
If 'but' was any useful, it would be a logic operator
