From a8055745902f2d2daa0e32f70cfa2b57b6222721 Mon Sep 17 00:00:00 2001 From: "Okon, Markus" Date: Thu, 21 Aug 2025 14:47:01 +0200 Subject: [PATCH 1/4] separate membership attribute on __ACCOUNT__ and ldapGroups attribute for connector --- .../LDAPMembershipPropagationActions.java | 30 ++++++++++++++----- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java index c2de716df7d..0dbb1963755 100644 --- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java +++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java @@ -76,11 +76,25 @@ public class LDAPMembershipPropagationActions implements PropagationActions { protected GroupDAO groupDAO; /** - * Allows easy subclassing for the ConnId AD connector bundle. + * Allows easy subclassing for different LDAP schemes. * - * @return the name of the attribute used to keep track of group memberships + * @return the name of the attribute used to keep track of group memberships on the __ACCOUNT__ object */ protected String getGroupMembershipAttrName() { + return "memberOf"; + } + + @Override + public Set moreAttrsToGet(Optional taskInfo, Provision provision) { + return Set.of(getGroupMembershipAttrName()); + } + + /** + * Attribute used inside the LDAP connector bundle to track group memberships + * + * @return the name of the attribute used to keep track of group memberships + */ + protected String getConnectorLdapGroupsAttrName() { return "ldapGroups"; } 
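Review bot: Changing the default of `getGroupMembershipAttrName()` from `"ldapGroups"` to `"memberOf"` silently changes the contract for existing subclasses: an override that used to name the connector-side attribute is now only used in `moreAttrsToGet` and for reading the account object, while writes go through `getConnectorLdapGroupsAttrName()`. The Javadoc should state this split explicitly, e.g. `Read side only: looked up on the object fetched before propagation; memberships are written via getConnectorLdapGroupsAttrName().` It is also worth documenting that `memberOf` is only returned by directories that maintain it (OpenLDAP, for example, needs the memberof overlay). If it is missing, the lookup on the before object presumably finds nothing and memberships not managed by Syncope may not be carried into the propagated group list, which matters because group membership is authorization data. `Set.of(...)` in `moreAttrsToGet` rejects a null element, so a subclass returning null from `getGroupMembershipAttrName()` would fail there with a NullPointerException.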
@@ -138,7 +152,7 @@ public void before(final PropagationTaskInfo taskInfo) { PropagationData data = taskInfo.getPropagationData(); // if groups were defined by resource mapping, take their values and clear up - Optional.ofNullable(AttributeUtil.find(getGroupMembershipAttrName(), data.getAttributes())). + Optional.ofNullable(AttributeUtil.find(getConnectorLdapGroupsAttrName(), data.getAttributes())). ifPresent(ldapGroups -> { Optional.ofNullable(ldapGroups.getValue()). ifPresent(value -> value.forEach(obj -> groups.add(obj.toString()))); @@ -164,8 +178,8 @@ public void before(final PropagationTaskInfo taskInfo) { forEach(value -> groups.add(String.valueOf(value))); }); - LOG.debug("Adding Group connObjectLinks to attributes: {}={}", getGroupMembershipAttrName(), groups); - data.getAttributes().add(AttributeBuilder.build(getGroupMembershipAttrName(), groups)); + LOG.debug("Adding Group connObjectLinks to attributes: {}={}", getConnectorLdapGroupsAttrName(), groups); + data.getAttributes().add(AttributeBuilder.build(getConnectorLdapGroupsAttrName(), groups)); if (data.getAttributeDeltas() != null && taskInfo.getUpdateRequest() != null) { Set groupsToAdd = new HashSet<>(); @@ -186,7 +200,7 @@ public void before(final PropagationTaskInfo taskInfo) { // if groups were already considered, take their values and clear up Optional.ofNullable( - AttributeDeltaUtil.find(getGroupMembershipAttrName(), data.getAttributeDeltas())). + AttributeDeltaUtil.find(getConnectorLdapGroupsAttrName(), data.getAttributeDeltas())). ifPresent(ldapGroups -> { Optional.ofNullable(ldapGroups.getValuesToAdd()). ifPresent(value -> value.forEach(obj -> groupsToAdd.add(obj.toString()))); 
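Review bot: Nothing at the write site in the `@@ -164,8 +178,8 @@` hunk documents that `before()` now reads existing memberships under one attribute name and writes them under another. A one-line comment above the `AttributeBuilder.build(...)` call would make the asymmetry visible, e.g. `// written to the connector-bundle attribute; existing memberships are read via getGroupMembershipAttrName()`. The same comment applies to the delta path in the `@@ -186,7 +200,7 @@` and `@@ -198,9 +212,9 @@` hunks. `before()` starts and ends outside these hunks, so the read side is not visible here.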
@@ -198,9 +212,9 @@ public void before(final PropagationTaskInfo taskInfo) { if (!groupsToAdd.isEmpty() || !groupsToRemove.isEmpty()) { LOG.debug("Adding Group connObjectLinks to attribute deltas: {}={},{}", - getGroupMembershipAttrName(), groupsToAdd, groupsToRemove); + getConnectorLdapGroupsAttrName(), groupsToAdd, groupsToRemove); data.getAttributeDeltas().add( - AttributeDeltaBuilder.build(getGroupMembershipAttrName(), groupsToAdd, + AttributeDeltaBuilder.build(getConnectorLdapGroupsAttrName(), groupsToAdd, groupsToRemove)); } } From 6a7286c7f4543f9298e5a0edca17eaa1e691f20e Mon Sep 17 00:00:00 2001 From: "Okon, Markus" Date: Thu, 21 Aug 2025 15:15:56 +0200 Subject: [PATCH 2/4] only read connObjectLinks of groups managed by Syncope once --- .../LDAPMembershipPropagationActions.java | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java index 0dbb1963755..52ef9432c2a 100644 --- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java +++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java @@ -133,7 +133,7 @@ public void before(final PropagationTaskInfo taskInfo) { orElseThrow(() -> new NotFoundException("User " + taskInfo.getEntityKey())); Set groups = new HashSet<>(); - // for each user group assigned to the resource of this task, compute and add the group's + // for each user group assigned to the resource of this task, compute and add the group's // connector object link userDAO.findAllGroupKeys(user).stream(). map(groupDAO::findById).flatMap(Optional::stream). 
@@ -162,16 +162,16 @@ public void before(final PropagationTaskInfo taskInfo) { LOG.debug("Group connObjectLinks after including the ones from mapping: {}", groups); // take groups already assigned from beforeObj and include them too + Set connObjectLinks = new TreeSet<>(String.CASE_INSENSITIVE_ORDER); + buildManagedGroupConnObjectLinks( + taskInfo.getResource(), + mapping.getConnObjectLink(), + connObjectLinks); + taskInfo.getBeforeObj(). map(beforeObj -> beforeObj.getAttributeByName(getGroupMembershipAttrName())). filter(Objects::nonNull). ifPresent(beforeLdapGroups -> { - Set connObjectLinks = new TreeSet<>(String.CASE_INSENSITIVE_ORDER); - buildManagedGroupConnObjectLinks( - taskInfo.getResource(), - mapping.getConnObjectLink(), - connObjectLinks); - LOG.debug("Memberships not managed by Syncope: {}", beforeLdapGroups); beforeLdapGroups.getValue().stream(). filter(value -> !connObjectLinks.contains(String.valueOf(value))). From 8bc4b42148fd23076a18838b3d4d79ead6f19a4d Mon Sep 17 00:00:00 2001 From: "Okon, Markus" Date: Tue, 21 Oct 2025 15:54:32 +0200 Subject: [PATCH 3/4] make unused arguments final --- .../java/propagation/LDAPMembershipPropagationActions.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java index 52ef9432c2a..b279785fc9b 100644 --- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java +++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java 
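Review bot: Hoisting `buildManagedGroupConnObjectLinks(...)` out of the `ifPresent` makes it run on every propagation, including those where `taskInfo.getBeforeObj()` is empty and, as far as this hunk shows, the set is never consulted. If the set is reused further down in `before()` (outside this hunk, as the commit title suggests), say so in a comment above the call, e.g. `// computed once and reused below`; otherwise guard the call with `taskInfo.getBeforeObj().isPresent()`. Separately, the managed/unmanaged decision is a case-insensitive string match on `String.valueOf(value)`. A DN returned by the directory with different spacing or escaping than the computed connObjectLink would therefore be classified as unmanaged, so normalising both sides before the `contains` check would be more robust.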
@@ -85,7 +85,7 @@ protected String getGroupMembershipAttrName() { } @Override - public Set moreAttrsToGet(Optional taskInfo, Provision provision) { + public Set moreAttrsToGet(final Optional taskInfo, final Provision provision) { return Set.of(getGroupMembershipAttrName()); } From 1628a1655a009a1b8c9be2e8b98772e9013cdcd3 Mon Sep 17 00:00:00 2001 From: "Okon, Markus" Date: Tue, 21 Oct 2025 16:16:13 +0200 Subject: [PATCH 4/4] remove tab --- .../java/propagation/LDAPMembershipPropagationActions.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java index b279785fc9b..79b0da9d806 100644 --- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java +++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java @@ -94,7 +94,7 @@ public Set moreAttrsToGet(final Optional taskInfo, * * @return the name of the attribute used to keep track of group memberships */ - protected String getConnectorLdapGroupsAttrName() { + protected String getConnectorLdapGroupsAttrName() { return "ldapGroups"; }