[jira] [Created] (SYNCOPE-1182) Use Remote Key in the Mapping to fetch external entities

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
Report Content as Inappropriate

[jira] [Created] (SYNCOPE-1182) Use Remote Key in the Mapping to fetch external entities

JIRA jira@apache.org
Francesco Chicchiriccò created SYNCOPE-1182:

             Summary: Use Remote Key in the Mapping to fetch external entities
                 Key: SYNCOPE-1182
                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1182
             Project: Syncope
          Issue Type: Improvement
          Components: core
            Reporter: Francesco Chicchiriccò
            Assignee: Francesco Chicchiriccò
             Fix For: 2.0.5, 2.1.0

For several operations, but in particular *before* and *after* executing a Propagation Task, Syncope queries the External Resource to see if a matching item is found, and it does that via ConnId's [GetApiOp|https://github.com/Tirasa/ConnId/blob/master/java/connector-framework/src/main/java/org/identityconnectors/framework/api/operations/GetApiOp.java].
Such operation is implemented at Framework level, e.g. before reaching out any effective Connector, via a [plain search|https://github.com/Tirasa/ConnId/blob/master/java/connector-framework-internal/src/main/java/org/identityconnectors/framework/impl/api/local/operations/GetImpl.java] where the key is the special {{\_\_UID__}} attribute and the value is the one passed as argument, alongside with ObjectClass.

Using {{GetApiOp}} used to make entirely sense in the old days of ConnId 1.3 and Syncope 1.1, when the Mapping Item identified as {{AccountId}} (now {{Remote Key}}) was forced to [blank the external attribute name|https://pasteboard.co/GCRf497.png]: in such cases, in fact, {{\_\_UID__}} was used as external attribute.

ConnId 1.4 slightly changed the way how the {{\_\_UID__}} attribute is managed: as a result, since Syncope 1.2, it is mandatory to [specify an external attribute name for the Remote Key|https://pasteboard.co/GCRixXp.png].

To give an idea, the 1.1 sample would result in querying the External Resource for

{{\_\_UID__ == 'ilgrosso'}}

while the 2.0 sample from *should* result in

{{uid == 'ilgrosso'}}

but will instead produce the same query as in the past.

The problem here is that what actually {{\_\_UID__}} means is left to any Connector's implementation: LDAP configures that via the {{UidAttribute}} property (and {{GidAttribute}} in 1.5.2-SNAPSHOT), AD does something similar, others do differently.

From one side, in fact, the {{Remote Key}} is defined in Syncope at high level (e.g. as part of the Resource configuration, in the Mapping), while the raw {{\_\_UID__}} is still used under the hoods in some cases (before executing a Propagation Task, as said above, for example), hence it is the low level configuration (not Resource's but Connector's) that comes into play.

The improvement is to get rid of {{GetApiOp}} and replace its usage in Syncope with search, using as key the External attribute name defined in the mapping, rather than {{\_\_UID__}}.

With reference to LDAP, in fact, with such change Users will be looked up by {{uid}}, Groups by {{cn}} and Realms by {{ou}} (if respective Mappings were set in these ways).

This message was sent by Atlassian JIRA