Ritornello Migration - Sync Issues

[Antony Pulicken]

Thanks for the information Francesco.

We are able to successfully deploy  'Ritornello' on Tomcat/mySQL and the new version looks quite impressive with lot of changes (atleast from the version that we are using). Even though I was able to provision a user from Syncope to AD (with some minor issues), I'm yet to successfully synchronize a user from AD to syncope.  I can see from the logs that the sync job is getting connected to AD and picking up the delta successfully, but the users are not getting created in syncope. please find the log details below: Please let me know in case you need more details.

05:00:00.221 DEBUG org.identityconnectors.framework.api.operations.SyncApiOp.sync Enter: sync(ObjectClass: __ACCOUNT__, SyncToken: [B@b535934, org.syncope.core.propagation.ConnectorFacadeProxy$1@d056abb, null)
05:00:00.223 DEBUG org.connid.ad.sync.ADSyncStrategy.sync Search filter: (|(&(objectClass=user)(&(memberOf=CN=Guests,CN=Builtin,DC=poc,DC=demo,DC=com)(memberOf=CN=Admin Group,CN=Users,DC=poc,DC=demo,DC=com)(memberOf=CN=OIMAdmins,OU=Groups,DC=poc,DC=demo,DC=com)(memberOf=CN=Domain Guests,CN=Users,DC=poc,DC=demo,DC=com)(memberOf=CN=Domain Controllers,CN=Users,DC=poc,DC=demo,DC=com)))(&(objectClass=group)(|(distinguishedName=CN=Guests,CN=Builtin,DC=poc,DC=demo,DC=com)(distinguishedName=CN=Admin Group,CN=Users,DC=poc,DC=demo,DC=com)(distinguishedName=CN=OIMAdmins,OU=Groups,DC=poc,DC=demo,DC=com)(distinguishedName=CN=Domain Guests,CN=Users,DC=poc,DC=demo,DC=com)(distinguishedName=CN=Domain Controllers,CN=Users,DC=poc,DC=demo,DC=com)))(&(isDeleted=FALSE)(objectClass=user)))
05:00:00.223 DEBUG org.connid.ad.sync.ADSyncStrategy.sync Synchronization with token.
05:00:00.378 DEBUG org.connid.ad.sync.ADSyncStrategy.search Searching from DC=poc,DC=demo,DC=com
05:00:00.381 DEBUG org.connid.ad.sync.ADSyncStrategy.search Search found 3 items
05:00:00.381 DEBUG org.connid.ad.sync.ADSyncStrategy.search Response Controls: 1
05:00:00.381 DEBUG org.connid.ad.sync.ADSyncStrategy.search Latest sync token set to SyncToken: [B@703e68f4
05:00:00.381 DEBUG org.connid.ad.sync.ADSyncStrategy.handleSyncDelta Object profile: {member;range=1-1=member;range=1-1: CN=syncope user11,CN=Users,DC=poc,DC=demo,DC=com, objectguid=objectGUID: [B@115ca4be}
05:00:00.382 DEBUG org.connid.ad.sync.ADSyncStrategy.handleSyncDelta Modified group CN=Guests,CN=Builtin,DC=poc,DC=demo,DC=com
05:00:00.383 DEBUG org.connid.ad.sync.ADSyncStrategy.handleSyncDelta Found users IN ...
05:00:00.383 DEBUG org.connid.ad.sync.ADSyncStrategy.handleSyncDelta Object profile: {member;range=1-1=member;range=1-1: CN=syncope user11,CN=Users,DC=poc,DC=demo,DC=com, objectguid=objectGUID: [B@5943bed9}
05:00:00.384 DEBUG org.connid.ad.sync.ADSyncStrategy.handleSyncDelta Modified group CN=Domain Guests,CN=Users,DC=poc,DC=demo,DC=com
05:00:00.385 DEBUG org.connid.ad.sync.ADSyncStrategy.handleSyncDelta Found users IN ...
05:00:00.385 DEBUG org.connid.ad.sync.ADSyncStrategy.handleSyncDelta Object profile: {member;range=1-1=member;range=1-1: CN=syncope user11,CN=Users,DC=poc,DC=demo,DC=com, objectguid=objectGUID: [B@6ea6c657}
05:00:00.386 DEBUG org.connid.ad.sync.ADSyncStrategy.handleSyncDelta Modified group CN=Domain Controllers,CN=Users,DC=poc,DC=demo,DC=com
05:00:00.387 DEBUG org.connid.ad.sync.ADSyncStrategy.handleSyncDelta Found users IN ...
05:00:00.388 DEBUG org.identityconnectors.framework.api.operations.SyncApiOp.sync Return: null
05:00:00.418 DEBUG org.identityconnectors.framework.api.operations.SyncApiOp.getLatestSyncToken Enter: getLatestSyncToken(ObjectClass: __ACCOUNT__)
05:00:00.418 DEBUG org.identityconnectors.framework.api.operations.SyncApiOp.getLatestSyncToken Return: SyncToken: [B@703e68f4
05:00:00.463 DEBUG org.identityconnectors.framework.api.operations.ValidateApiOp.validate Enter: validate()
05:00:00.468 DEBUG org.identityconnectors.framework.api.operations.ValidateApiOp.validate Return: null

Thanks and Regards,
Antony.

2011/12/16 Francesco Chicchiriccò <chicch...@gmail.com>

On 16/12/2011 00:49, Antony Pulicken wrote:

Hi Fabio,

Good to see that 'Ritornello' is released ahead of schedule !! Hope what ever changes/fixes you made in last few days are already part of 'Ritornello'. We are starting the migration to 'Ritornello' from today. Please let us know your comments.

Great news: you will probably be the first migration in a production environment, so please let us know about your progresses!

Any change up to yesterday morning is on 0.7RC1 tag [1]: any other fix will be committed on 0_7_X branch [2] and released in a short while for 0.7RC2.

Please consider that AD features you discuss below are implemented by ConnId bundle 0.9 [3], while fixes are currently committed to trunk [4]: I think that in a short while we would be able to release 1.0: stay tuned on ConnId mailing lists for this.

Regards.

[1] http://syncope.googlecode.com/svn/tags/syncope-0.7RC1/
[2] http://syncope.googlecode.com/svn/branches/0_7_X/
[3] http://connid.googlecode.com/svn/bundles/ad/tags/org.connid.bundles.ad-0.9/
[4] http://connid.googlecode.com/svn/bundles/ad/trunk/

On Wed, Dec 14, 2011 at 10:12 PM, Fabio Martelli <fabio.m...@gmail.com> wrote:

Il giorno 14/dic/2011, alle ore 16.25, Antony Pulicken ha scritto:

Sure. Please send me a mail once you are done...and let me know which issue mentioned below is fixed... if the fix for first issue is in syncope, please let me know the files that you changed...we may have to apply that in the syncope version that we are using....!! thanks again for all the help....

1)user getting re-created in syncope when we remove the user from a group!
2)I took the latest syncope code from the trunk and when I try to configure a new connector (AD), lot of fields including 'Memberships' are not editable. Please see the attached screenshot for more details.

Some fixes in trunk (connid and syncope).

Please keep mailing list in touch.

Further updates tomorrow.....

Regards,

F.

-Antony.

On Wed, Dec 14, 2011 at 1:55 PM, Fabio Martelli <fabio.m...@gmail.com> wrote:

Il giorno 14/dic/2011, alle ore 09.24, Antony Pulicken ha scritto:

ok..thanks a lot...I will take the latest and try...do you have any sample configuration for AD con ?

I'm working on it. Just a few minutes ...

On Wed, Dec 14, 2011 at 1:48 PM, Fabio Martelli <fabio.m...@gmail.com> wrote:

Il giorno 14/dic/2011, alle ore 09.17, Antony Pulicken ha scritto:

sorry.send the previous mail bit early :-)

2)I took the latest syncope code from the trunk and when I try to configure a new connector (AD), lot of fields including 'Memberships' are not editable. Please see the attached screenshot for more details.

Hi Antony,

this issue has been closed.

I'm working on the number 1.

Regards,

F.

On Wed, Dec 14, 2011 at 1:46 PM, Antony Pulicken <antony....@gmail.com> wrote:

Hi Fabio,

Are you able to simulate both the issues ?

1)user getting re-created in syncope when we remove the user from a group!
2)

---------- Forwarded message ----------
From: Antony Pulicken <antony....@gmail.com>
Date: Tue, Dec 13, 2011 at 2:09 PM
Subject: Re: [syncope-users] 'Memberships' property of AD connector
To: syncop...@googlegroups.com

Cc: Fabio Martelli <fabio.m...@gmail.com>


Thanks Fabio. Were you able to re-produce the issue (user getting re-created in syncope when we remove the user from a group!).

I took the latest syncope code from the trunk and when I try to configure a new connector (AD), lot of fields including 'Memberships' are not editable. Please see the attached screenshot for more details.

Also, it would help if you can send me a screenshot that has your configuration for AD connector.

Thanks and Regards,
Antony.

On Mon, Dec 12, 2011 at 10:36 PM, Fabio Martelli <fabio.m...@gmail.com> wrote:

Il giorno 12/dic/2011, alle ore 12.08, Fabio Martelli ha scritto:

Il giorno 12/dic/2011, alle ore 11.55, Antony Pulicken ha scritto:

Hi,

1. Can you please tell me how/where to set the 'Memberships' property in syncope ? If any of you have already configured 'Memberships' in your local syncope environment, can you please send me the http://localhost:8080/syncope/rest/connector/list.xml ?

Using the Syncope trunk version you have to set 'Memberships' attribute specifying group DNs separated by a white space.

At the moment I cannot send you a configuration sample.

Hi Antony,

a new implementation of Syncope is available into the trunk: issue #245 has been closed.

Please, check it out and try again with that version.

In a meanwhile I will try to reproduce your issue.

Best regards,

F.

2. According to the 'Memberships' description in  wiki,  "The connector ignores any changes about users not member of indicated groups"
• Does it mean that if the user belongs to a group that is not configured (in AD), NO updates of the user will be synced (to Syncope) ?

Not exactly. This means that if user doesn't belong to each group specified in 'Memberships' attribute, NO updates of the user will be synced.

• In other words, when ever a group is added/deleted in AD, we have to update the 'Memberships' configuration in syncope, so as to get the updates during the sync operation ?

Of course: if a new group is created and members of this group must be synced, 'Memberships' attribute must be updated.

Regards,

F.

-- 
Francesco Chicchiriccò

"Computer Science is no more about computers than astronomy
is about telescopes." (E. W. Dijkstra)

[Fabio Martelli]

Il giorno 19/dic/2011, alle ore 07.05, Antony Pulicken ha scritto:

Thanks for the information Francesco.

We are able to successfully deploy  'Ritornello' on Tomcat/mySQL and the new version looks quite impressive with lot of changes (atleast from the version that we are using). Even though I was able to provision a user from Syncope to AD (with some minor issues), I'm yet to successfully synchronize a user from AD to syncope.  I can see from the logs that the sync job is getting connected to AD and picking up the delta successfully, but the users are not getting created in syncope. please find the log details below: Please let me know in case you need more details.

Hi Antony,

be sure to have well configured the property "Verify memberships in OR".

It seems that user CN=syncope user11,CN=Users,DC=poc,DC=demo,DC=com is ignored because its profile doesn't verify the filter.

This can mean two things:

1. you have specified a custom filter and "Syncope user11" doesn't verify it

2. you have memberships verification in AND and "Syncope user11" doesn't have all the groups you have specified.

Please, verify your configuration al let me know.

 

Regards,

F.