24 Apr 2014
 

Unlock full FreeIPA features in Apache Syncope

Written by massi

Following our LDAP example, I tried to apply the same approach to the first beta release of  the new ConnId connector for FreeIPA.

Goal

The aim of this post is to show how we can manage users and groups of a FreeIPA installation with Apache Syncope.

Environment

To test the new connector we need an Apache Syncope installed and configured properly and the FreeIPA connector bundle under the right directory, the famous

-Dbundles.directory=/opt/syncope/bundles

The latest SNAPSHOT can be downloaded from here, or added as Maven dependency to your Syncope project as

<dependency>
  <groupId>org.connid.bundles</groupId>
  <artifactId>org.connid.bundles.freeipa</artifactId>
  <version>0.1-SNAPSHOT</version>
</dependency>

And, of course, a FreeIPA server. Are you ready?

Configuration

First of all we have to configure the connector and then the resource associated to it.

NB:  to see below images in real width, open it in other tab.

Connector configuration

In addition to standard LDAP attributes as host, port, admin user and password, there are others attributes specifically used by FreeIPA:

  •  Kerberos Realm
  • Server Base Home Directory (the directory where all the user directory where created)

After filling all the attributes, by clicking on check connection we can test if the connector has been properly configured.

Schema configuration

In order to provision an user onto a FreeIPA server, only two attributes are required (all other typical FreeIPA attributes are also supported):

  • sn
  • givenName

in our configuration we add also mail attribute, only for example.

 

Resource configuration and mapping

Now we can create and configure a resource to manage the FreeIPA server.  Nothing special but, IMPORTANT, choose

org.apache.syncope.core.propagation.impl.LDAPMembershipPropagationActions

as Actions Class. This will maintain the association between users and roles on the FreeIPA resource as defined in Apache Syncope.

 

 

 

Testing

Ok, now we are ready to test our environment. Let's start with the "most difficult" operation: getting all existing FreeIPA users and groups into Syncope; some additional configuration is needed for enabling synchronization, e.g. ability to pull data from external FreeIPA server.

Go under Tasks > Synchronization Tasks and and click the Create new task button on bottom: a window will appear.

Set name and description you like more.

IMPORTANT: choose

org.apache.syncope.core.sync.impl.LDAPMembershipSyncActions

as Actions class; this will maintain the association between users and roles on Apache Syncope as defined on the LDAP resource.

After flagging any checkbox, click the Save button.

At this point we are really ready to try the new connector. We can click on sync button. Following the images that explain my experiment.

 

 

 

 

Other tests

 What else? What do you want.  Enjoy creating, updating and deleting users and groups.

Changelog

During synchronization, Apache Syncope can query the FreeIPA server in two distinct ways: either the full list of entries (that will need to be parsed in order to catch the actual modifications performed since last run) or just such actual modifications.

This fact has an impact on the configuration:

  1. select the SYNC capability for the LDAP connector instance;
  2. unflag "Full reconciliation" from the synchronization task.
       

« Return