  1. Service Packs and Hot Fixes
  2. MNT-1591

It is impossible to do a non differential ldap synchronisation on groups.

    Details

    • Type: Service Pack Request
    • Status: Closed
    • Resolution: Not a bug
    • Affects Version/s: 3.2 R, 3.2.1, 3.2, 3.3
    • Fix Version/s: 3.3.2
    • Labels:
      None
    • Environment:
      ldap sync on any platform
    • Bug Priority:
      Category 3
    • ACT Numbers:

      19300, 19658

      Description

      Description:
      =============

      It is impossible to do a non differential sync on groups. In other words, we always use the

      ldap.synchronization.groupDifferentialQuery

      and never the

      ldap.synchronization.groupQuery

      How to reproduce?
      ==================

      1) setup a 3.3.0 system with ldap auth
      2) add to the alfresco-global.properties the two lines below:

      synchronization.syncOnStartup=true
      synchronization.synchronizeChangesOnly=false

      3) check that the users and groups are correctly populated
      4) kill alfresco
      5) start a packet sniffer to dump the sync request made by alfresco at boot time:

      tcpdump -i lo -s0 -w ldap1.pcap port 389

      Results:
      ========
      The LDAP search request for the group made at boot time does NOT respect the value of:

      synchronization.synchronizeChangesOnly=false

      As you can see in packet 52 (attachment ldap1_pkt52.txt) of the dump file (attachment ldap1.pcap), the request made by alfresco is

      Lightweight-Directory-Access-Protocol
      LDAPMessage searchRequest(2) "ou=groups,DC=example,DC=foo" wholeSubtree
      messageID: 2
      protocolOp: searchRequest (3)
      searchRequest
      baseObject: ou=groups,DC=example,DC=foo
      scope: wholeSubtree (2)
      derefAliases: derefAlways (3)
      sizeLimit: 0
      timeLimit: 0
      typesOnly: False
      Filter: (&(objectclass=groupOfNames)(!(modifyTimestamp<=20100316150818Z)))
      attributes: 4 items
      AttributeDescription: cn
      AttributeDescription: description
      AttributeDescription: member
      AttributeDescription: modifyTimestamp

      that is the query stored in the JMX parameter:

      ldap.synchronization.groupDifferentialQuery=(&(objectclass=groupOfNames)(!(modifyTimestamp<={0})))

      Expected results:
      =================

      When

      synchronization.synchronizeChangesOnly=false

      one would expect that the group query used is the one stored in "ldap.synchronization.groupQuery", that is:

      ldap.synchronization.groupQuery=(objectclass=groupOfNames)

      and not the one stored in "ldap.synchronization.groupDifferentialQuery" that is:

      ldap.synchronization.groupDifferentialQuery=(&(objectclass=groupOfNames)(!(modifyTimestamp<={0})))

      All released versions from 3.2 to 3.3.0 (i.e. up to now) are affected.

      Note:
      =====
      As a customer could decide to change its group base after the first bootstrap, this can potentially result in EMPTY GROUPS that can NOT be populated even when forcing a non differential sync (as this parameter is not taken into account). This is thus very high priority.

                People

                • Assignee:
                  closedissues Closed Issues
                  Reporter:
                  amadon Alex Madon [X] (Inactive)
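
The check described in the report can be automated. The following is an added example, not part of the original issue or of Alfresco's code: it reads the `Filter:` lines from a text dissection of the captured search requests and flags any group query whose kind contradicts `synchronization.synchronizeChangesOnly`. The function names, the sample strings and the fallback used when the property is unset are assumptions.

```python
import re

# Query templates as quoted in the issue description.
GROUP_QUERY = "(objectclass=groupOfNames)"
GROUP_DIFF_QUERY = "(&(objectclass=groupOfNames)(!(modifyTimestamp<={0})))"

def template_to_regex(template):
    """Compile a query template; {0} stands for an LDAP GeneralizedTime value."""
    body = re.escape(template).replace(re.escape("{0}"), r"\d{14}(?:\.\d+)?Z")
    return re.compile("^" + body + "$", re.IGNORECASE)

def extract_filters(dissection):
    """Return every 'Filter:' value from a text dissection of LDAP searchRequests."""
    return [m.group(1).strip()
            for m in re.finditer(r"^\s*Filter:\s*(.+)$", dissection, re.MULTILINE)]

def classify(ldap_filter):
    """Label a filter as the differential group query, the full one, or neither."""
    if template_to_regex(GROUP_DIFF_QUERY).match(ldap_filter):
        return "differential"
    if template_to_regex(GROUP_QUERY).match(ldap_filter):
        return "full"
    return "unknown"  # e.g. a person query; not judged here

def parse_properties(text):
    """Minimal key=value reader for an alfresco-global.properties excerpt."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_sync(properties_text, dissection):
    """Return (filter, observed, expected) for group queries that contradict the config."""
    props = parse_properties(properties_text)
    # Assumption: an unset property is treated as "true" (differential sync).
    flag = props.get("synchronization.synchronizeChangesOnly", "true").lower()
    expected = "differential" if flag == "true" else "full"
    observed = [(f, classify(f)) for f in extract_filters(dissection)]
    return [(f, kind, expected) for f, kind in observed
            if kind not in (expected, "unknown")]

# Sample input: properties and filter line copied from the report; the
# surrounding dissection text is trimmed to the lines the check needs.
SAMPLE_PROPERTIES = """synchronization.syncOnStartup=true
synchronization.synchronizeChangesOnly=false"""
SAMPLE_DISSECTION = """baseObject: ou=groups,DC=example,DC=foo
Filter: (&(objectclass=groupOfNames)(!(modifyTimestamp<=20100316150818Z)))
attributes: 4 items"""

if __name__ == "__main__":
    for item in check_sync(SAMPLE_PROPERTIES, SAMPLE_DISSECTION):
        print("mismatch: filter=%s observed=%s expected=%s" % item)
```
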