On 22 Apr 2013, at 15:14, Nik wrote:

> Thanks Fabio.
> 
> Things are beginning to get a bit clearer, but I am hitting many issues all 
> at once.
> 
> I'll split the issues up into separate emails for brevity:
> 
> - For some reason I cannot get the ldap resource (uforge_resource) to link 
> with the
>  role I create in syncope (see Selection_107.png - Selection_111.png)
> 
> steps taken
> ->Roles
>    -> select "Tree"
>         -> Add child
>         -> set name to defaultRole
>         -> Resource
>              -> choose uforge_resource for "selected box"
>         "save" result is shown in Selection_111.png (resource is not 
> assigned/selected anymore)

Hi Nik, strange behavior! I need more info.
Please, send core logs (core.log, core-rest.log, core-persistence.log, 
core-connid.log).

> 
> some log trace:
> 0:0:0:0:0:0:0:1 - - [22/Apr/2013:14:56:33 +0200] "GET 
> /syncope-console/wicket/page?20-1.IBehaviorListener.1-RoleForm-rolePanel-details-name-textField&q=defaultRole&_=1366635393066
>  HTTP/1.1" 200 19
> 0:0:0:0:0:0:0:1 - - [22/Apr/2013:14:56:37 +0200] "POST 
> /syncope-console/wicket/page?20-1.IBehaviorListener.0-RoleForm-rolePanel-details-name-textField
>  HTTP/1.1" 200 5950
> 127.0.0.1 - - [22/Apr/2013:14:57:22 +0200] "POST /syncope/rest/role/create 
> HTTP/1.1" 201 477
> 
> 
> 
> rgds,
> Nik
> 
>> 
>> Hi Nik, ldapGroups is a special attribute (it doesn't exist into the ldap 
>> schema).
>> You can use it to propagate membership info. Not for role group propagation.
>> 
>> To create a group on your OpenDJ you have to define a "role mapping" for 
>> your resource (OpenDJ) defined on syncope.
>> Just by creating a new role and assigning the OpenDJ resource to it, a new 
>> group on the physical resource will be created.
>> 
>> Now, let's suppose to have a group on your OpenDJ, with DN "cn=groupA,o=isp" 
>> (created by syncope or not).
>> In order to create a membership with this group you have to propagate user 
>> info with ldapGroups valued with that DN.
>> To propagate ldapGroups you have to define a specific mapping for this 
>> special attribute. To the user mapping defined for your OpenDJ resource add 
>> one for ldapGroups.
>> For example, if you have a user attribute storing membership information 
>> (may be a specific user schema called "groups") you'll have:
>> 
>> USER | UserSchema | groups | ldapGroups | .... | BOTH
>> 
>> Please, consider that you can map a group/membership attribute as well. 
>> Usually I create a specific group schema (let me call it "groupDN") and then 
>> I add a mapping for it into the user mapping. Ex:
>> 
>> GROUP | RoleSchema | groupDN | ldapGroups | ... | BOTH
>> 
>> In this way, I can specify a value for multivalued ldapGroups just adding 
>> one or more syncope role to the user.
>> 
>> Best regards,
>> F.
>> 
>>> 
>>> rgds,
>>> Nik
>>>> 
>>>> On 19 Apr 2013, at 14:03, Nik wrote:
>>>> 
>>>>> But I would like to create a new group (e.g. using the "secretary" role 
>>>>> from syncope) which should make
>>>>> an ldap group like:
>>>>> 
>>>>> 
>>>>> dn: cn=secretary,ou=Groups,o=usharesoft
>>>>> uniqueMember: uid=toto,ou=people,o=usharesoft
>>>>> cn: generators
>>>>> objectClass: groupOfUniqueNames
>>>>> objectClass: top
>>>>> 
>>>>> So from what I have been able to work out, so far, is I should create the 
>>>>> syncope user titi using Users->"create new user"
>>>>> 
>>>>> Fill in all the mandatory parts under Details/Attributes tab
>>>>> Then
>>>>>   select the Resources tab and add my ldap resource from "Available" to 
>>>>> "Selected"
>>>>>         Then
>>>>>         select Roles tab and add the secretary role
>>>>> and save
>>>> 
>>>> Hi Nik, you cannot propagate a role creation by just creating a membership 
>>>> on syncope.
>>>> If the role doesn't exist yet on the resource, the steps are:
>>>> 1. create role on syncope and propagate creation
>>>> 2. create user on syncope, add role (on syncope) and propagate user and 
>>>> membership
>>>> 
>>>> If the role already exists on the resource you can jump to step 2 
>>>> without performing 1.
>>>> 
>>>> Remember that user memberships are propagated/read via the ldapGroups attribute.
>>>> 
>>>> Best regards,
>>>> F.
>>>> 
>>> 
>> 
> 
> <Selection_107.png><Selection_108.png><Selection_109.png><Selection_110.png><Selection_111.png>
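To make Fabio's explanation of the two ldapGroups mapping rows concrete, here is an added example (not Apache Syncope code, and not from this thread) that models how the USER "groups" attribute and the GROUP "groupDN" attribute combine into one multivalued ldapGroups value, and what LDIF modifications that value implies on the groupOfUniqueNames entries. The attribute names "groups" and "groupDN", the Role/User classes and the sample data are assumptions; the people base DN is taken from Nik's LDIF.

```python
# Added example, not Apache Syncope's own propagation code. It models the
# mapping rows from the thread:
#   USER  | UserSchema | groups  | ldapGroups | ... | BOTH
#   GROUP | RoleSchema | groupDN | ldapGroups | ... | BOTH
# i.e. ldapGroups = user "groups" values + "groupDN" of every assigned role.
from dataclasses import dataclass, field
from typing import List, Optional

PEOPLE_BASE = "ou=people,o=usharesoft"   # from the LDIF quoted in the thread


@dataclass
class Role:
    name: str
    group_dn: Optional[str] = None   # the assumed "groupDN" role schema attribute


@dataclass
class User:
    uid: str
    groups: List[str] = field(default_factory=list)   # the assumed "groups" user attribute
    roles: List[Role] = field(default_factory=list)


def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively, ignoring whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ldap_groups(user: User) -> List[str]:
    """Multivalued ldapGroups: user-level DNs first, then each role's groupDN, deduplicated.
    Roles without a groupDN (no group mapping) contribute nothing."""
    seen, out = set(), []
    for dn in user.groups + [r.group_dn for r in user.roles if r.group_dn]:
        key = normalize_dn(dn)
        if key not in seen:
            seen.add(key)
            out.append(dn)
    return out


def membership_ldif(user: User) -> str:
    """Step 2 of the thread: LDIF that adds the user as uniqueMember of each group.
    Assumes the groups already exist (created in step 1 by propagating the role)."""
    member_dn = f"uid={user.uid},{PEOPLE_BASE}"
    chunks = []
    for group_dn in ldap_groups(user):
        chunks.append(f"dn: {group_dn}\nchangetype: modify\n"
                      f"add: uniqueMember\nuniqueMember: {member_dn}\n")
    return "\n".join(chunks)
```

The deduplication matters when the same group DN arrives through both mapping rows; without it the propagation would try to add the same uniqueMember twice, which most directories reject.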
