The only minor remaining problem: 'o' moves are not detected, because there's no way I can find a way to link the realm to the source's entryUUID? The result is there is a stale oldname realm left, and a new newname realm created. On Mon, May 7, 2018 at 4:25 PM Martin van Es <mrva...@gmail.com> wrote:
> Fixed it. Setting 'Uid Attribute' = 'o', did the trick! > Thx! > Best regards, > Martin > On Mon, May 7, 2018 at 3:45 PM Martin van Es <mrva...@gmail.com> wrote: > > Thx for the answer. > > I inspected the resource-ldap-orgunit and discoverd the omission of the > > fullpath mapping for realms, which is mapped to LDAP l attribute. I've > > added an l attribute to my organisations and mapped that to fullpath, but > > then the persistence class complains about a malformed realm path: > > org.apache.syncope.core.persistence.api.dao.MalformedPathException: The > > provided realm path is malformed: Foobar > > What would the correct syntax of realm path look like? I don't see any > JEXL > > transformations for both fullpath or name in the resource-ldap-orgunit > > example? > > Some testing reveals the above Foobar is extracted from the o= attribute, > > which I mapped to 'name', which very much resembles the mapping of ou to > > name in the resource-ldap-orgunit example. > > What's wrong with that as a path? > > Here's the complete logging from my test setup: > > 13:36:46.230 DEBUG Enter: search(ObjectClass: __ACCOUNT__, null, > > org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy$2@aabea88 , > > OperationOptions: {PAGED_RESULTS_OFFSET:-1,ATTRS_TO_GET:[__NAME__,__UID__,l,__ENABLE__,o],PAGE_SIZE:100}) > > Method: search > > 13:36:46.232 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__, null, org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@5ba5c871 > , > > OperationOptions: {PAGED_RESULTS_OFFSET:-1,ATTRS_TO_GET:[__NAME__,__UID__,l,__ENABLE__,o],PAGE_SIZE:100}) > > Method: executeQuery > > 13:36:46.232 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not > > mapped to an LDAP attribute Method: getLdapAttribute > > 13:36:46.233 DEBUG Searching in [dc=scz,dc=vnet] with filter > > (&(objectClass=organization)(!(objectClass=dcObject))) and SearchControls: > > {returningAttributes=[l, o], scope=SUBTREE} Method: doSearch > > 13:36:46.240 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not > > mapped to an LDAP attribute Method: getLdapAttribute > > 13:36:46.240 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[Foobarb]}, > > ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: > > {Name=__NAME__, Value=[o=Foobarb,dc=scz,dc=vnet]}, Attribute: > > {Name=__UID__, Value=[Foobarb]}, Attribute: {Name=l, Value=[/Foobara]}, > > Attribute: {Name=__ENABLE__, Value= > > []}, Attribute: {Name=o, Value=[Foobarb]}], Name=Attribute: > {Name=__NAME__, > > Value=[o=Foobarb,dc=scz,dc=vnet]}} Method: handle > > 13:36:46.240 DEBUG Return: true Method: handle > > 13:36:46.240 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[Foobarb]}, > > ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: > > {Name=__NAME__, Value=[o=Foobarb,dc=scz,dc=vnet]}, Attribute: > > {Name=__UID__, Value=[Foobarb]}, Attribute: {Name=l, Value=[/Foobara]}, > > Attribute: {Name=__ENABLE__, Value= > > []}, Attribute: {Name=o, Value=[Foobarb]}], Name=Attribute: > {Name=__NAME__, > > Value=[o=Foobarb,dc=scz,dc=vnet]}} Method: handle > > 13:36:46.240 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is not > > mapped to an LDAP attribute Method: getLdapAttribute > > 13:36:46.240 DEBUG Enter: {Uid=Attribute: {Name=__UID__, Value=[Foobar2]}, > > ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute: > > {Name=__NAME__, Value=[o=Foobar2,dc=scz,dc=vnet]}, Attribute: > > {Name=__UID__, Value=[Foobar2]}, Attribute: {Name=l, Value=[/Foobar2]}, > > Attribute: {Name=__ENABLE__, Value= > > []}, Attribute: {Name=o, Value=[Foobar2]}], Name=Attribute: > {Name=__NAME__, > > Value=[o=Foobar2,dc=scz,dc=vnet]}} Method: handle > > 13:36:46.240 DEBUG Return: true Method: handle > > 13:36:46.241 DEBUG Exception: Method: handle > > org.apache.syncope.core.persistence.api.dao.MalformedPathException: The > > provided realm path is malformed: Foobarb > > ... > > On Mon, May 7, 2018 at 12:33 PM Francesco Chicchiriccò < > ilgro...@apache.org> > > wrote: > > > Hi Martin, > > > short answer: your Realm mapping is not correct, hence during pull there > > > is no way for Syncope to match the incoming data with existing Realms. > > > You normally "fix" incomplete mappings with Pull policies, but as you > > > already discovered, Pull policies do not apply to Realms. > > > Hence, you have no choice but providing a good mapping for Realms. > > > I'd suggest to take a look at how the resource-ldap-orgunit is defined: > > > you can check it either via > > > http://syncope-vm.apache.org:9080/syncope-console/ or by downloading and > > > running the standalone distribution. > > > Regards. > > > On 07/05/2018 11:23, Martin van Es wrote: > > > > Still stuck. > > > > It would be really nice if somebody could explain how to create a > REALM > > > > pull policy or tell me that it's not a possibility at the moment? > > > > > > > > I've created a new AnyType FOO of AnyTypeClass BaseUser, which gives > me > > the > > > > possibility to choose 'name' as PLAIN ATTRIBUTES Correlation Rule > > attribute > > > > in Pull Policy 'Realm' which I can apply to the REALM Resource that > > pulls > > > > in the realms, but I keep getting u_realm_name unique name constraints > > > > violations on all following pulls. > > > > > > > > Best regards, > > > > Martin > > > > On Thu, May 3, 2018 at 10:31 PM Martin van Es <mrva...@gmail.com> > wrote: > > > > > > > >> Ok, I'm a step further but still have problems. > > > >> I encountered the same problems when pull'ing users and it turned > out I > > > >> needed to create a pull policy for users and assign that to my > resource > > > > for > > > >> update conflict and correlation rules (I'm still learning the basics > > > > here). > > > >> Pull Update now works for users! > > > >> It turns out, I can't find anything like that for REALMS? In the pull > > > >> policy rule composer I can only choose USER or GROUP. When choosing > > USER, > > > > I > > > >> can only match on username, but the assigned internal REALM attribute > > is > > > >> called 'name'. For GROUPS I can choose 'name', but then the policy > > doesn't > > > >> work or apply? > > > >> Also, I tried add a REALM key to AnyTypes to contain the 'name' > > attribute, > > > >> but that's forbidden. > > > >> Best regards, > > > >> Martin > > > >> On Thu, May 3, 2018 at 2:12 PM Martin van Es <mrva...@gmail.com> > wrote: > > > >>> Hi, > > > >>> On Thu, May 3, 2018 at 12:43 PM Andrea Patricelli < > > > >>> andreapatrice...@apache.org> wrote: > > > >>>>> Realms created in the root realm: > > > >>>>> CREATE SUCCESS (key/name): > > > >> 3a3370df-3aa2-4787-b370-df3aa2278786///Foobar > > > >>>>> CREATE SUCCESS (key/name): > > > >>> 38d90785-ab9c-4fc8-9907-85ab9c2fc8e4///Foobar2 > > > >>>>> CREATE SUCCESS (key/name): > > > >>> b3c86117-400b-457d-8861-17400bf57d5d///Foobar3 > > > >>>> Please check if realm path is correctly created on Syncope. > > > >>> The Foobar realm's path is /Foobar, as expected. > > > >>>> [1] > > http://blog.tirasa.net/syncope-basics-manage-active-directory.html > > > >>> I've checked the blog and since it's intended for AD I have to mold > it > > > >> into > > > >>> LDAP only configuration a bit. Also, my realms come from > organizations > > > >>> instead of organizationalUnit, but I assume that doesn't matter for > > the > > > >>> excersice. I have done that to the best of my knowledge, knowing > that > > > >>> mapping organization only wouldn't apply the > (!(objectClass=dcObject)) > > > >>> filter, effectively resulting in one too many Realms, but I could > live > > > >> with > > > >>> that. The original problem however still remains: consecutively > > pulling > > > > in > > > >>> the Realms results in unique key violoations. > > > >>> Since I deployed Syncope from debian packages I'm not in a position > to > > > >>> develop, compile and deploy custom pull Actions. Also, I accept the > > > > Realms > > > >>> being inserted in a flat hierarchy, so I don't need any special > > mapping > > > > I > > > >>> hope? > > > >>> Best regards, > > > >>> Martin > > > > > > > > > > > >> -- > > > >> If 'but' was any useful, it would be a logic operator > > > > > > > > > > > -- > > > Francesco Chicchiriccò > > > Tirasa - Open Source Excellence > > > http://www.tirasa.net/ > > > Member at The Apache Software Foundation > > > Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail > > > http://home.apache.org/~ilgrosso/ > > -- > > If 'but' was any useful, it would be a logic operator > -- > If 'but' was any useful, it would be a logic operator -- If 'but' was any useful, it would be a logic operator