syncope-dev mailing list archives

From Francesco Chicchiriccò (JIRA) <>
Subject [jira] [Resolved] (SYNCOPE-1182) Use Remote Key in the Mapping to fetch external entities
Date Tue, 01 Aug 2017 13:43:01 GMT


Francesco Chicchiriccò resolved SYNCOPE-1182.
    Resolution: Fixed

> Use Remote Key in the Mapping to fetch external entities
> --------------------------------------------------------
>                 Key: SYNCOPE-1182
>                 URL:
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>            Reporter: Francesco Chicchiriccò
>            Assignee: Francesco Chicchiriccò
>             Fix For: 2.0.5, 2.1.0
> For several operations, but in particular *before* and *after* executing a Propagation Task, Syncope queries the External Resource to see if a matching item is found, and it does that via ConnId's [GetApiOp|].
> Such an operation is implemented at Framework level, e.g. before reaching out to any effective Connector, via a [plain search|] where the key is the special {{__UID__}} attribute and the value is the one passed as argument, along with ObjectClass.
> Using {{GetApiOp}} used to make complete sense in the old days of ConnId 1.3 and Syncope 1.1, when the Mapping Item identified as {{AccountId}} (now {{Remote Key}}) was forced to [blank the external attribute name|]: in such cases, in fact, {{__UID__}} was used as external attribute.
> ConnId 1.4 slightly changed the way the {{__UID__}} attribute is managed: as a result, since Syncope 1.2, it is mandatory to [specify an external attribute name for the Remote Key|].
> To give an idea, the 1.1 sample would result in querying the External Resource for
> {{__UID__ == 'ilgrosso'}}
> while the 2.0 sample from *should* result in
> {{uid == 'ilgrosso'}}
> but will instead produce the same query as in the past.
> The problem here is that what {{__UID__}} actually means is left to any Connector's implementation: LDAP configures that via the {{UidAttribute}} property (and {{GidAttribute}} in 1.5.2-SNAPSHOT), AD does something similar, others do differently.
> On one side, in fact, the {{Remote Key}} is defined in Syncope at high level (e.g. as part of the Resource configuration, in the Mapping), while the raw {{__UID__}} is still used under the hood in some cases (before executing a Propagation Task, as said above, for example), hence it is the low level configuration (not Resource's but Connector's) that comes into play.
> The improvement is to get rid of {{GetApiOp}} and replace its usage in Syncope with search, using as key the External attribute name defined in the mapping, rather than {{__UID__}}.
> With reference to LDAP, in fact, with such change Users will be looked up by {{uid}}, Groups by {{cn}} and Realms by {{ou}} (if respective Mappings were set in these ways).

This message was sent by Atlassian JIRA
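
The lookup mismatch described in the issue, as an added example that is not part of the original message and is not ConnId or Syncope code. It is a simplified Python model: the directory entries, the `entryUUID` connector setting and all function names are constructed for illustration.

```python
# Simplified model of the SYNCOPE-1182 lookup behaviour (hypothetical helpers,
# not the ConnId API). It contrasts a GetApiOp-style lookup keyed on __UID__
# with a search keyed on the Remote Key's external attribute name.

UID = "__UID__"

# Constructed sample entries held by the External Resource (LDAP-like).
ENTRIES = [
    {"objectClass": "__ACCOUNT__", "entryUUID": "9f2c-0001", "uid": "ilgrosso", "cn": "Francesco"},
    {"objectClass": "__ACCOUNT__", "entryUUID": "9f2c-0002", "uid": "jdoe", "cn": "John"},
    {"objectClass": "__GROUP__", "entryUUID": "9f2c-0003", "cn": "admins"},
]

# Resource-level Mapping: external attribute name of the Remote Key per object class.
MAPPING = {"__ACCOUNT__": "uid", "__GROUP__": "cn"}


def connector_search(entries, object_class, attr_name, value, uid_attribute):
    """Connector side: only the Connector's own setting decides what __UID__ means."""
    native = uid_attribute if attr_name == UID else attr_name
    return [e for e in entries
            if e["objectClass"] == object_class and e.get(native) == value]


def get_object(entries, object_class, key_value, uid_attribute):
    """GetApiOp-style lookup: a plain search where the key is always __UID__."""
    found = connector_search(entries, object_class, UID, key_value, uid_attribute)
    return found[0] if found else None


def search_by_remote_key(entries, object_class, mapping, key_value, uid_attribute):
    """Lookup after the change: the key is the Mapping's external attribute name."""
    attr = mapping[object_class]
    found = connector_search(entries, object_class, attr, key_value, uid_attribute)
    return found[0] if found else None


if __name__ == "__main__":
    # Assumed Connector setting: UidAttribute=entryUUID, while the Mapping says uid.
    print("get by __UID__      :", get_object(ENTRIES, "__ACCOUNT__", "ilgrosso", "entryUUID"))
    print("search by Remote Key:", search_by_remote_key(
        ENTRIES, "__ACCOUNT__", MAPPING, "ilgrosso", "entryUUID"))
```

When the Connector's `UidAttribute` and the Mapping agree, both lookups return the same entry; the two diverge only when the low-level and high-level configurations differ.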