Written by massi
Following our LDAP example, I tried to apply the same approach to the first beta release of the new ConnId connector for FreeIPA.
The aim of this post is to show how we can manage users and groups of a FreeIPA installation with Apache Syncope.
To test the new connector we need a properly installed and configured Apache Syncope, with the FreeIPA connector bundle in the right directory, the famous
-Dbundles.directory=/opt/syncope/bundles
The latest SNAPSHOT can be downloaded from here, or added as a Maven dependency to your Syncope project as
<dependency>
  <groupId>org.connid.bundles</groupId>
  <artifactId>org.connid.bundles.freeipa</artifactId>
  <version>0.1-SNAPSHOT</version>
</dependency>
And, of course, a FreeIPA server. Are you ready?
First of all we have to configure the connector and then the resource associated with it.
NB: to see the images below at full width, open them in another tab.
In addition to standard LDAP attributes such as host, port, admin user and password, there are other attributes specifically used by FreeIPA:
After filling all the attributes, by clicking on check connection we can test if the connector has been properly configured.
In order to provision a user onto a FreeIPA server, only two attributes are required (all other typical FreeIPA attributes are also supported):
In our configuration we also add the mail attribute, purely as an example.
Now we can create and configure a resource to manage the FreeIPA server. Nothing special but, IMPORTANT, choose
org.apache.syncope.core.propagation.impl.LDAPMembershipPropagationActions
as Actions Class. This will maintain the association between users and roles on the FreeIPA resource as defined in Apache Syncope.
OK, now we are ready to test our environment. Let's start with the "most difficult" operation: getting all existing FreeIPA users and groups into Syncope. Some additional configuration is needed to enable synchronization, e.g. the ability to pull data from the external FreeIPA server.
Go to Tasks > Synchronization Tasks and click the Create new task button at the bottom: a window will appear.
Set whatever name and description you prefer.
IMPORTANT: choose
org.apache.syncope.core.sync.impl.LDAPMembershipSyncActions
as Actions class; this will maintain the association between users and roles on Apache Syncope as defined on the LDAP resource.
After ticking any checkbox, click the Save button.
At this point we are really ready to try the new connector. We can click on the sync button. The following images show my experiment.
What else? Whatever you want. Enjoy creating, updating and deleting users and groups.
During synchronization, Apache Syncope can query the FreeIPA server in two distinct ways: either for the full list of entries (which then has to be parsed to find the modifications actually made since the last run) or for just those modifications.
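The two query modes described above, as an added Python example that is not Syncope or ConnId code. The DNs, the change-log format, the numeric sync token and the fallback to a full run when the token is stale are all assumptions made for illustration.

```python
# Added illustration: a model of the two synchronization modes, not Syncope/ConnId code.
BASE = "cn=users,cn=accounts,dc=example,dc=test"  # constructed sample suffix

def full_reconciliation(remote, known):
    """Mode 1: list every entry and diff it against the state seen at the last run."""
    changes = []
    for dn, attrs in remote.items():
        if dn not in known:
            changes.append(("CREATE", dn))
        elif known[dn] != attrs:
            changes.append(("UPDATE", dn))
    # A deletion is only visible as an entry missing from the full listing.
    changes += [("DELETE", dn) for dn in known if dn not in remote]
    return sorted(changes)

def incremental(change_log, token):
    """Mode 2: return only the modifications recorded after the sync token."""
    if change_log and token < change_log[0][0] - 1:
        # The log no longer reaches back to our token, so changes would be missed.
        raise LookupError("sync token predates the change log")
    changes = sorted((op, dn) for seq, op, dn in change_log if seq > token)
    return changes, (change_log[-1][0] if change_log else token)

def synchronize(remote, known, change_log, token):
    """Prefer the cheap incremental query; fall back to a full run on a stale token
    (assumed policy for this example)."""
    try:
        changes, new_token = incremental(change_log, token)
        return "incremental", changes, new_token
    except LookupError:
        newest = change_log[-1][0] if change_log else token
        return "full", full_reconciliation(remote, known), newest

# Constructed sample data: state stored at the last run, the directory as it is now,
# and a hypothetical change feed of (sequence number, operation, DN).
KNOWN = {f"uid=alice,{BASE}": {"mail": "alice@example.test"},
         f"uid=bob,{BASE}": {"mail": "bob@example.test"}}
REMOTE = {f"uid=alice,{BASE}": {"mail": "a.smith@example.test"},
          f"uid=carol,{BASE}": {"mail": "carol@example.test"}}
CHANGE_LOG = [(11, "UPDATE", f"uid=alice,{BASE}"),
              (12, "CREATE", f"uid=carol,{BASE}"),
              (13, "DELETE", f"uid=bob,{BASE}")]

if __name__ == "__main__":
    print(synchronize(REMOTE, KNOWN, CHANGE_LOG, token=10))  # token still covered by the log
    print(synchronize(REMOTE, KNOWN, CHANGE_LOG, token=3))   # stale token forces a full run
```

Both modes arrive at the same set of changes; what differs is how much has to be read from the directory and what state has to be kept between runs.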
This fact has an impact on the configuration: