On 22/04/2013 10:19, Fabio Martelli wrote:
On 22/04/2013, at 09:46, Nik wrote:
Hi Fabio,
Thanks for the clarification of the roles creation.
I'm still having difficulty understanding how to propagate new roles to
create ldap groups. I have never used the ldap attribute ldapGroups in
opendj before. Can you please give me an example if you have one?
Hi Nik, ldapGroups is a special attribute (it doesn't exist in the
ldap schema).
You can use it to propagate membership info. Not for role group
propagation.
To create a group on your OpenDJ you have to define a "role mapping"
for your resource (OpenDJ) defined on syncope.
Just by creating a new role and assigning the OpenDJ resource to it, a new
group on the physical resource will be created.
Now, let's suppose you have a group on your OpenDJ, with DN
"cn=groupA,o=isp" (created by syncope or not).
In order to create a membership with this group you have to propagate
user info with ldapGroups valued with that DN.
To propagate ldapGroups you have to define a specific mapping for this
special attribute. To the user mapping defined for your OpenDJ
resource add one for ldapGroups.
For example, if you have a user attribute storing membership
information (maybe a specific user schema called "groups") you'll have:
USER | UserSchema | groups | ldapGroups | .... | BOTH
Please, consider that you can map a group/membership attribute as
well. Usually I create a specific role schema (let me call it
"groupDN") and then I add a mapping for it into the user mapping. E.g.:
GROUP | RoleSchema | groupDN | ldapGroups | ... | BOTH
In this way, I can specify a value for the multivalued ldapGroups just by
adding one or more syncope roles to the user.

In this approach suggested by Fabio you are directly dealing with the
internal mechanism provided by the ConnId LDAP connector.
Alternatively, you can empower
1. LDAPMembershipPropagationActions as propagation actions class
(choose this for "Actions class" when defining the LDAP resource from
the admin console)
2. LDAPMembershipSyncActions as synchronization actions class (choose
this for "Actions class" when defining the synchronization task from the
admin console)
This approach works under the assumption that:
1. you are using the same resource for both users and roles (e.g. you
have provided both user and role mapping for the resource)
2. you did not map the special attribute ldapGroups (as opposed to
the approach suggested by Fabio)
I know this should be better documented, it's already in my (long) TODO
list :-)
Regards.

On 19/04/2013, at 14:03, Nik wrote:
But I would like to create a new group (e.g. using the "secretary"
role from syncope) which should make
an ldap group like:
dn: cn=secretary,ou=Groups,o=usharesoft
uniqueMember: uid=toto,ou=people,o=usharesoft
cn: generators
objectClass: groupOfUniqueNames
objectClass: top
So from what I have been able to work out so far, I should
create the syncope user titi using Users->"create new user",
fill in all the mandatory parts under the Details/Attributes tab,
then
select the Resources tab and add my ldap resource from
"Available" to "Selected",
then
select the Roles tab and add the secretary role,
and save.
Hi Nik, you cannot propagate a role creation just by creating a
membership on syncope.
If the role doesn't exist yet on the resource, the steps are:
1. create role on syncope and propagate creation
2. create user on syncope, add role (on syncope) and propagate user
and membership
If the role already exists on the resource you can jump to step 2
without performing 1.
Remember that user memberships are propagated/read via the ldapGroups
attribute.
Best regards,
F.
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
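As an added illustration of the two-step order Fabio describes (propagate the role first, then the user and its memberships) and of his "groupDN" to ldapGroups mapping, here is a small constructed Python model. It is not Syncope or ConnId code; the Role/User classes, the missing-group check and the "ou=people,o=usharesoft" base DN are assumptions made for the example.

```python
# Constructed example, not Apache Syncope or ConnId code: models a Syncope role
# whose "groupDN" attribute is mapped to ldapGroups, the group entry that role
# creation propagates, and the membership modify that must come after it.
from dataclasses import dataclass

PEOPLE_BASE = "ou=people,o=usharesoft"  # assumed base DN for user entries

@dataclass
class Role:
    name: str
    group_dn: str  # value of the role schema attribute "groupDN"

@dataclass
class User:
    uid: str
    roles: list  # Syncope memberships (Role objects)

def ldap_groups(user):
    """Values of the virtual ldapGroups attribute: one group DN per membership."""
    return [role.group_dn for role in user.roles]

def role_create_ldif(role):
    """Step 1: propagate the role itself as a groupOfUniqueNames entry."""
    cn = role.group_dn.split(",", 1)[0].split("=", 1)[1]
    return "\n".join([f"dn: {role.group_dn}", "objectClass: top",
                      "objectClass: groupOfUniqueNames", f"cn: {cn}"])

def missing_groups(user, existing_group_dns):
    """Group DNs in ldapGroups that do not exist on the resource yet."""
    existing = {dn.lower() for dn in existing_group_dns}  # DNs compare case-insensitively
    return [dn for dn in ldap_groups(user) if dn.lower() not in existing]

def membership_ldif(user, existing_group_dns):
    """Step 2: add the user as uniqueMember of every group in ldapGroups.
    Refuses to run while a group is missing, i.e. before step 1 was done."""
    missing = missing_groups(user, existing_group_dns)
    if missing:
        raise ValueError(f"propagate these roles first: {missing}")
    user_dn = f"uid={user.uid},{PEOPLE_BASE}"
    changes = ["\n".join([f"dn: {dn}", "changetype: modify", "add: uniqueMember",
                          f"uniqueMember: {user_dn}", "-"])
               for dn in ldap_groups(user)]
    return "\n\n".join(changes)
```

With Nik's "secretary" role and user "toto", role_create_ldif gives the group entry from his 19/04 mail and membership_ldif gives the uniqueMember change, but only once the group DN is reported as present on the resource.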