On 07/05/21 13:49, Martin van Es wrote:
Hi,

I've been playing around with Syncope again and was trying to sync a src LDAP 
scheme that contains multiple organizations, which contain multiple Groups and 
People branches. All of these branches contain organisation specific users, 
possibly sharing the same uid (login name). You might call this a multi-tenant 
layout.

I was hoping Realms could keep these tenants separated and the usernames 
uniquely scoped to the realm (automatically).

It turns out, that plainly assigning uid to internal attribute username won't 
work, for two reasons:

1. admin isn't allowed (in my docker test deploy) because there's already a 
global user called admin, even if I provision the user in a separate Realm?

There is one pre-defined admin user: you can change that username to something 
different in

core/src/main/resources/admin.properties

via the "adminUser" property.

2. I can't reuse uids assigned to username, even when I use a different Realm, 
so I'd have to assign entryUUID to username and create a separate user_id 
attribute mapped to uid for all users?

Yes, Syncope's username is defined as unique for the SyncopeUser table.

Currently, there is no predefined way to set the constraint "unique per Realm" 
on anything.

Secondly, some of the organisation DNs contain (forward) slashes in the dc 
part of their DN, which makes configuring the resource awkward (I need to 
escape the slash using a backslash in the Base Contexts to Synchronize) but 
worse: it renders membership matching impossible (the entryDN of the user cannot 
be found from the member DN in the group although the matching DN string is 
correct as inspected from debug output) so I guess that's a bug to be solved in 
Syncope at some time, because it works as expected for organisations without 
the slashes in the dc part.

Realm names (as all other Entity keys) are set to match the NAME pattern:

https://github.com/apache/syncope/blob/2_1_X/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/validation/entity/RealmValidator.java#L52

hence forward slashes are not allowed: consider that the rationale behind this 
constraint is that (1) NAME values are normally used in URLs and also that (2) 
the forward slash is used internally by Syncope as full path separator.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
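The membership-matching problem above hinges on comparing DN strings whose dc value may be written with a backslash-escaped slash in one place ("dc=acme\/ops"), a hex escape ("dc=acme\2fops") or unescaped in another. The following added example (not Syncope's own code; the DNs and the "acme/ops" organisation are constructed) shows how to normalise RFC 4514 escapes and attribute-type case before comparing, so that such differences do not break the match:

```python
import re

def _unescape(value: str) -> str:
    """Resolve RFC 4514 backslash escapes, including \\XX hex pairs."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):   # \2f -> "/"
                out.append(chr(int(pair, 16)))
                i += 3
                continue
            out.append(value[i + 1])                     # \/ -> "/", \, -> ","
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)

def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings on unescaped commas only."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def normalize_dn(dn: str) -> tuple:
    """Canonical form: (lowercased attribute type, unescaped value) per RDN.
    Caveat: multi-valued RDNs ('+') and case-insensitive matching rules for
    values are not handled; values are compared exactly."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, val = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), _unescape(val.strip())))
    return tuple(rdns)

def same_dn(a: str, b: str) -> bool:
    """True when two DN strings denote the same entry despite escaping differences."""
    return normalize_dn(a) == normalize_dn(b)
```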
