1) Apache DS
The basic scenario is that we have a directory that stores user and role information that we would like to import into Apache Syncope. In the previous tutorial, we only imported User data into Syncope. For the purposes of this tutorial, we will work with Apache DS. The first step is to download and launch Apache DS. I recommend installing Apache Directory Studio for an easy way to view the data stored in your directory.
Import the following ldif file into your Apache DS instance. Essentially this describes two users, "cn=alice,ou=users,ou=system" and "cn=bob,ou=users,ou=system", as well as two groups, "cn=employee,ou=groups,ou=system" and "cn=boss,ou=groups,ou=system". Both Alice and Bob are employees, but only Alice is the boss. We will import this user information into Syncope as per tutorial II. However, this time we will go further and import the group information as roles into Syncope. This will enable us to perform authorization checks against Syncope, as will be described in the next tutorial.
2) Synchronize user data into Apache Syncope
The next task is to import (synchronize) the user data from Apache DS into Apache Syncope. See the Syncope wiki for more information on this topic, as well as the following blog post. Launch Apache Syncope as per tutorial I/II.
a) Define a Connector
The first thing to do is to define a Connector. In tutorial I we configured two Connector bundles to use for Syncope, one for a DB backend, and one for an LDAP backend. In this section we select the LDAP Connector, and configure it to connect to the DS instance we have set up above. Go to "Resources/Connectors", and create a new Connector of name "org.connid.bundles.db.ldap". In the "Configuration" tab select:
- Host: localhost
- TCP Port: 10389
- Principal: uid=admin,ou=system
- Password: <password>
- Base Contexts: ou=users,ou=system and ou=groups,ou=system
- LDAP Filter for retrieving accounts: cn=*
- groupObjectClasses: groupOfNames
- Group member attribute: member
- Uid attribute: cn
- Base Context to Synchronize: ou=users,ou=system and ou=groups,ou=system
- Object Classes to Synchronize: inetOrgPerson and groupOfNames
- Status Management Class: org.connid.bundles.ldap.commons.AttributeStatusManagement
- Tick "Retrieve passwords with search".
b) Define a Resource
Next we need to define a Resource that uses the LDAP Connector. The Resource essentially defines how we use the Connector to map information from the backend into Syncope Users and Roles. Go into the "Resources" tab and select "Create New Resource". In the "Resource Details" tab select:
- Name: (Select a name)
- Connector: (Connector display name you have configured previously)
- Enforce mandatory condition
- Propagation Primary
- Propagation Mode (see here): ONE_PHASE
- Select "LDAPMembershipPropagationActions" for the "Actions class"
c) Create a synchronization task
Having defined a Connector and a Resource to use that Connector, with mappings to map User/Role information to and from the backend, it's time to import the backend information into Syncope. Go to "Tasks" and select the "Synchronization Tasks" tab. Click on "Create New Task". On the "Profile" tab enter:
- Name: (Select a name)
- Resource Name: (The Resource name you have created above)
- Actions Class: LDAPMembershipSyncActions
- Create new identities
- Updated matched identities
- Delete matching identities
- Full reconciliation