Ritornello | Sync with 2 ADs


Antony Pulicken

Dec 20, 2011, 9:38:44 AM
to syncop...@googlegroups.com
Hi,

I'm trying to configure Syncope to synchronize from 2 ADs.

As the first step for that, I created another AD Connector instance in Syncope that points to the second AD. One thing that I observed is that the 'Latest sync token' attribute is missing in the connector configuration screen. Any idea why that is? I don't think that is really the reason why it is still not working on my environment though.

I have created a resource and a sync task along similar lines to the first AD (which works fine). Do you think I should take care of any other configuration to achieve this? Has anybody tested this scenario before? Please let me know.

Regards,
Antony.

Fabio Martelli

Dec 20, 2011, 11:02:27 AM
to syncop...@googlegroups.com

On 20 Dec 2011, at 15:38, Antony Pulicken wrote:

> Hi,
>
> I'm trying to configure Syncope to synchronize from 2 ADs.
>
> As the first step for that, I created another AD Connector instance in Syncope that points to the second AD. One thing that I observed is that the 'Latest sync token' attribute is missing in the connector configuration screen. Any idea why that is? I don't think that is really the reason why it is still not working on my environment though.

The 'Latest sync token' property has been removed from the ADConfiguration class.

> I have created a resource and a sync task along similar lines to the first AD (which works fine). Do you think I should take care of any other configuration to achieve this? Has anybody tested this scenario before? Please let me know.

This scenario (2 ADs) has already been considered and verified.
You have to be sure that an owner on Syncope is not linked to both ADs unless you have already considered how to manage synchronization of the same Syncope owner coming from different ADs.

Regards,
F.

Antony Pulicken

Dec 20, 2011, 6:31:22 PM
to syncop...@googlegroups.com
"This scenario (2 ADs) has already been considered and verified.
You have to be sure that an owner on Syncope is not linked to both ADs unless you have already considered how to manage synchronization of the same Syncope owner coming from different ADs."

Sorry, I didn't quite understand it. Can you please elaborate?

Thanks,
Antony.

Fabio Martelli

Dec 21, 2011, 4:26:12 AM
to syncop...@googlegroups.com
On 21 Dec 2011, at 00:31, Antony Pulicken wrote:

> "This scenario (2 ADs) has already been considered and verified.
> You have to be sure that an owner on Syncope is not linked to both ADs unless you have already considered how to manage synchronization of the same Syncope owner coming from different ADs."
>
> Sorry, I didn't quite understand it. Can you please elaborate?

The owner is the user on Syncope which is linked to one or more accounts on one or more external resources.
Your ADs are two external resources linked by Syncope.
By synchronizing one AD (with simple sync or initial loading), you will load Syncope with some users/owners.
If you start a second synchronization involving the second AD, you will load Syncope with other users/owners.
By the way, during the synchronization with the second AD, it can happen that some existing owners on Syncope could match some users on the second AD.
This implies that on Syncope you will have an update instead of a simple create.

In particular, if each loaded user is automatically assigned to the resource from which it has been retrieved (by configuring the right sync policy), user updates and user deletes will be propagated to the ADs (if you have checked the corresponding capabilities).

In general this shouldn't be a problem, but you have to consider this scenario beforehand.

Regards,
F.