29 Nov 2013
 

Configure Active Directory in Apache Syncope 1.1.5

Written by fabio

Apache Syncope can manage users, groups and memberships (memberOf/member attribute) on external Active Directory via ConnId's Active Directory (JNDI) connector. Think you manage users and roles on Apache Syncope as centralized IdM, and have all these entities automatically kept in sync with your Active Directory users and groups: few simple steps onto the Apache Syncope administration console will help you to succesfully aim your goals ....

Step 1: Add your custom synchronization action to synchronize memberships

Memberships won't be synchronized without adding an ad-hoc synchronization action.

The simplest way to implement your sync action is to extend org.apache.syncope.core.sync.impl.LDAPMembershipSyncActions by overriding getGroupMembershipAttrName() method.

This method have to be returned the value of the connector configuration property groupMemberReferenceAttribute.

See the sample below.

              protected String getGroupMembershipAttrName(
              final Connector connector) {
              final ConnInstance instance =
              connector.getActiveConnInstance();
              final Iterator<ConnConfProperty> itor =
              instance.getConfiguration().iterator();

              String name = null;

              while (name == null && itor.hasNext()) {
              final ConnConfProperty prop = itor.next();
              final String sc = prop.getSchema().getName();

              if ("groupMemberReferenceAttribute"
              .equals(sc)
                && prop.getValues() != null
                && !prop.getValues().isEmpty()) {
              name = (String) prop.getValues().get(0);
              }
              }

              return name == null ? "member" : name;
              }

Step 2: Create and configure your Active Directory connector instance

Apache Syncope 1.1.5 comes with ConnId Active Directory (JNDI) connector bundle 1.1.1. Since this version doesn't support group management you have to download org.connid.bundles.ad-1.1.2.jar (strongly recommended) and install it into your bundles location.

Go under Resources > Connectors and click the Create new connector button on bottom: a window will appear.

Set the name you like as Display name, choose the Location where your Active Directory (JNDI) connector bundle is.

Then move to the Configuration tab and configure your connector instance (see below a complete example).

SSL true
Server hostname teak.tirasa.net
Server port 636
Principal pocadmin@tirasa.net
Principal password password
Base contexts for user entry searches CN=Users,DC=tirasa,DC=net
Base contexts for group entry searches CN=Users,DC=tirasa,DC=net
Default people container CN=Users,DC=tirasa,DC=net
Default group container CN=Users,DC=tirasa,DC=net
Entry object classes

top
person
organizationalPerson
user

Root suffixes DC=tirasa,DC=net
Object classes to synchronize user
Retrieve deleted users true
Retrieve deleted groups true
Trust all certs true
Null token is the latest true

Next, move to the Capabilities tab and check everything.

Finally click the Save button.

Step 3: Configure your Active Directory external resource

Move back to the Resources tab and click the Create new resource button on bottom: a window will appear.

Set the name you like and choose the Connector created in the step above.

Select Propagation mode ONE_PHASE.

Select Propagation primary.

Configure mappigs (User mapping) between syncope user profile attributes and Active Directory user profile attributes.

Configure mappigs (Role mapping) between syncope role profile attributes and Active Directory group profile attributes.

After setting user and role mappings (see above for an example) click the Save button.

User mapping sample

You may need to define some attribute schema on Apache Syncope before being able to complete the configuration below.


Role mapping sample


Step 4: Propagation testing

With configuration above Apache Syncope is fully enabled to manage users and roles on Active Directory:

  • create user user1, fill all required information and give the AD resource: you will find the AD entry CN=user1,CN=Users,DC=tirasa,DC=net
  • create role role1 and give the AD resource: you will find the AD entry CN=role1,CN=Users,DC=tirasa,dc=net
  • create user2 and assign him to role role1: you will find CN=user2,CN=Users,DC=tirasa,DC=net among members attribute values of CN=role1,CN=Users,DC=tirasa,dc=net and, viceversa, CN=role1,CN=Users,DC=tirasa,dc=net among memberOf attribute values of CN=user2,CN=Users,DC=tirasa,DC=net

Step 5: Synchronization testing

Some additional configuration is needed for enabling synchronization, e.g. ability to pull data from external Active Directory.

Go under Tasks > Synchronization Tasks and and click the Create new task button on bottom: a window will appear.

Set name and description you like more.

Specify Actions class provided at the step 1.

After flagging any checkbox (check Full reconciliation if and only if you want to perform a full reconciliation), click the Save button.

At this point Apache Syncope is fully enabled to manage users and groups from Active Directory.

IMPORTANT: if you are not performing a full reconciliation, execute once the Synchronization Task created above in order to initialize the latestSyncToken at the current date.

Create some sample users and groups in Active Directory, then go back to Apache Syncope admin console and execute again the Synchronization Task created above: you will find both users, roles and memberships in Apache Syncope, created according to data provided in Active Directory.

       

« Return