MNT-18218

Activiti LDAP sync does not add LDAP users to an LDAP Group, if that group has over 1,500 direct members

    Details

      Description

      Summary

      I have the following setup in Active Directory. I have my user search base pointed to an OU with 1,600 users. I have my group search base pointed to an OU which contains 1 group. That 1 group has all my 1,600 users as members.

      During a full sync, my 1 group is added to Process Services and my 1,600 users are found and imported into Process Services. However, none of the users are added to the group in Process Services.

      If I decrease the total number of users in my LDAP group to 1,500 or less, the user to group association works fine. I can view all 1,500 users as members of the LDAP group in Process Services. So there is currently some limitation of group memberships if there are more than 1500 users in a group.

      Steps to Reproduce

      1. Configure an Active Directory Domain to have two OUs. One OU serving as the Process Services User Search Base with 1,600 users. The other OU as the Process Services Group Search Base with 1 group.
      2. Add the 1,600 users to the LDAP group.
      3. Set up Alfresco Process Services 1.6.2 to sync with the configured Active Directory server.
      4. Wait for a full sync to start and complete.
      5. Inspect the number of members for the synced group in Identity Management > Organization.

      Expected Behavior
      The LDAP sync completed successfully and added all 1,600+ LDAP users to the LDAP group in Alfresco Process Services.

      Actual Behavior
      The LDAP sync completed successfully and created the LDAP users and the LDAP group in Alfresco Process Services, BUT it does not add any of the LDAP users to the LDAP group.

      Additional Information

      • Reproduced the behavior using 1.6.2 on an Oracle database, a PostgreSQL database and the OOTB H2 database to verify that the issue is not dependent on the DB vendor.
      • Reproduction was performed several times with LDAP query paging enabled and disabled and with different DB insert and read batch sizes, but the behaviour was always the same.
      • It is also reported by the customer that syncing Alfresco to this same LDAP server successfully adds all 1,500+ users as members of the LDAP group.
      • Attached to the Jira is the Activiti.log, spy.log, synclog, activiti-app.properties, and activiti-ldap.properties.
      • synclog shows that 1,600 users and 2 groups are found and created. I included a control test group with only 2 members. In the sync log, you can see this group is created and has its two members added. The 1,600 user group is only created and does not have its users added as members.
        created-group: created group 2userGroup
        added-user-to-group: created group membership of user CN=d1  d1\ ,OU=moreusers,DC=stealth,DC=ace for group 2userGroup
        added-user-to-group: created group membership of user CN=d0  d0\ ,OU=moreusers,DC=stealth,DC=ace for group 2userGroup
        created-group: created group 1600userGroup
        
      • spy.log is gathered from using p6spy for SQL debugging in Process Services. It shows the executed SQL during User creation, Group creation, and User to Group association.
      • AbstractExternalIdmSourceSyncService.java calls an addUserToGroup method which is defined in GroupServiceImpl.java. GroupServiceImpl.java calls a getCount method to determine if a user needs to be added to a synced group in Process Services. getCount is defined in UserGroupRepository.java and executes the following SQL query:

      @Query("select count(ug.userGroupPK.userId) from UserGroup ug where ug.userGroupPK.groupId = :groupId")

      This effectively means that this query will be executed for every user in every group. In my spy.log, you only see the above query being executed for the two members of my 2 user group. You do not see this query being executed at all for any of the 1,600 users.

      1498584633129|3|statement|connection 15|select count(usergroup0_.user_id) as col_0_0_ from USER_GROUP usergroup0_ where usergroup0_.user_id=? and usergroup0_.group_id=?|select count(usergroup0_.user_id) as col_0_0_ from USER_GROUP usergroup0_ where usergroup0_.user_id=1242 and usergroup0_.group_id=2
      
      1498584633134|3|statement|connection 15|select usergroup0_.group_id as group_id1_53_0_, usergroup0_.user_id as user_id2_53_0_ from USER_GROUP usergroup0_ where usergroup0_.group_id=? and usergroup0_.user_id=?|select usergroup0_.group_id as group_id1_53_0_, usergroup0_.user_id as user_id2_53_0_ from USER_GROUP usergroup0_ where usergroup0_.group_id=2 and usergroup0_.user_id=1242
      
      1498584633141|2|statement|connection 15|update USERS set last_update=? where id=?|update USERS set last_update='27-Jun-17' where id=1242
      
      1498584633144|0|statement|connection 15|select user0_.id as id1_49_, user0_.account_type as account_2_49_, user0_.company as company3_49_, user0_.created as created4_49_, user0_.email as email5_49_, user0_.external_id as external6_49_, user0_.external_original_src as external7_49_, user0_.first_name as first_na8_49_, user0_.last_name as last_nam9_49_, user0_.last_sync_timestamp as last_sy10_49_, user0_.last_sync_timestamp_epoch as last_sy11_49_, user0_.last_update as last_up12_49_, user0_.pass_word as pass_wo13_49_, user0_.picture_image_id as picture14_49_, user0_.primary_group_id as primary15_49_, user0_.status as status16_49_, user0_.tenant_id as tenant_17_49_ from USERS user0_ where user0_.external_id=?|select user0_.id as id1_49_, user0_.account_type as account_2_49_, user0_.company as company3_49_, user0_.created as created4_49_, user0_.email as email5_49_, user0_.external_id as external6_49_, user0_.external_original_src as external7_49_, user0_.first_name as first_na8_49_, user0_.last_name as last_nam9_49_, user0_.last_sync_timestamp as last_sy10_49_, user0_.last_sync_timestamp_epoch as last_sy11_49_, user0_.last_update as last_up12_49_, user0_.pass_word as pass_wo13_49_, user0_.picture_image_id as picture14_49_, user0_.primary_group_id as primary15_49_, user0_.status as status16_49_, user0_.tenant_id as tenant_17_49_ from USERS user0_ where user0_.external_id='d0.d0 '
      
      1498584633146|0|statement|connection 15|select groups0_.user_id as user_id2_49_1_, groups0_.group_id as group_id1_53_1_, group1_.id as id1_13_0_, group1_.external_id as external2_13_0_, group1_.last_sync_timestamp as last_syn3_13_0_, group1_.last_sync_timestamp_epoch as last_syn4_13_0_, group1_.last_update as last_upd5_13_0_, group1_.manager_group_id as manager_6_13_0_, group1_.name as name7_13_0_, group1_.parent_group_id as parent_g8_13_0_, group1_.status as status9_13_0_, group1_.tenant_id as tenant_10_13_0_, group1_.group_type as group_t11_13_0_ from USER_GROUP groups0_ inner join GROUPS group1_ on groups0_.group_id=group1_.id where groups0_.user_id=?|select groups0_.user_id as user_id2_49_1_, groups0_.group_id as group_id1_53_1_, group1_.id as id1_13_0_, group1_.external_id as external2_13_0_, group1_.last_sync_timestamp as last_syn3_13_0_, group1_.last_sync_timestamp_epoch as last_syn4_13_0_, group1_.last_update as last_upd5_13_0_, group1_.manager_group_id as manager_6_13_0_, group1_.name as name7_13_0_, group1_.parent_group_id as parent_g8_13_0_, group1_.status as status9_13_0_, group1_.tenant_id as tenant_10_13_0_, group1_.group_type as group_t11_13_0_ from USER_GROUP groups0_ inner join GROUPS group1_ on groups0_.group_id=group1_.id where groups0_.user_id=1452
      
      1498584633150|2|statement|connection 15|insert into GROUPS (external_id, last_sync_timestamp, last_sync_timestamp_epoch, last_update, manager_group_id, name, parent_group_id, status, tenant_id, group_type, id) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)|insert into GROUPS (external_id, last_sync_timestamp, last_sync_timestamp_epoch, last_update, manager_group_id, name, parent_group_id, status, tenant_id, group_type, id) values ('CN=2userGroup,OU=ACTGROUPS,DC=stealth,DC=ace', '27-Jun-17', 1498584516000, '27-Jun-17', NULL, '2userGroup', NULL, 0, 1, 1, 2)
      1498584633167|13|statement|connection 15|insert into TENANT_EVENT (event_time, event_type, extra_info, tenant_id, user_id, user_name, id) values (?, ?, ?, ?, ?, ?, ?)|insert into TENANT_EVENT (event_time, event_type, extra_info, tenant_id, user_id, user_name, id) values ('27-Jun-17', 'functionalGroupAdded', '{"groupName":"2userGroup"}', 1, NULL, 'system', 1)
      
      1498584633169|0|statement|connection 15|insert into USER_GROUP (group_id, user_id) values (?, ?)|insert into USER_GROUP (group_id, user_id) values (2, 1242)
      
      1498584633171|1|statement|connection 15|insert into TENANT_EVENT (event_time, event_type, extra_info, tenant_id, user_id, user_name, id) values (?, ?, ?, ?, ?, ?, ?)|insert into TENANT_EVENT (event_time, event_type, extra_info, tenant_id, user_id, user_name, id) values ('27-Jun-17', 'userAddedToGroup', '{"userName":"d1  d1 ","groupName":"2userGroup"}', 1, NULL, 'system', 2)
      
      1498584633172|0|statement|connection 15|select count(usergroup0_.user_id) as col_0_0_ from USER_GROUP usergroup0_ where usergroup0_.user_id=? and usergroup0_.group_id=?|select count(usergroup0_.user_id) as col_0_0_ from USER_GROUP usergroup0_ where usergroup0_.user_id=1452 and usergroup0_.group_id=2
      
      1498584633173|0|statement|connection 15|select usergroup0_.group_id as group_id1_53_0_, usergroup0_.user_id as user_id2_53_0_ from USER_GROUP usergroup0_ where usergroup0_.group_id=? and usergroup0_.user_id=?|select usergroup0_.group_id as group_id1_53_0_, usergroup0_.user_id as user_id2_53_0_ from USER_GROUP usergroup0_ where usergroup0_.group_id=2 and usergroup0_.user_id=1452
      
      1498584633176|0|statement|connection 15|update USERS set last_update=? where id=?|update USERS set last_update='27-Jun-17' where id=1452
      
      1498584633178|0|statement|connection 15|insert into USER_GROUP (group_id, user_id) values (?, ?)|insert into USER_GROUP (group_id, user_id) values (2, 1452)
      
      1498584633179|0|statement|connection 15|insert into TENANT_EVENT (event_time, event_type, extra_info, tenant_id, user_id, user_name, id) values (?, ?, ?, ?, ?, ?, ?)|insert into TENANT_EVENT (event_time, event_type, extra_info, tenant_id, user_id, user_name, id) values ('27-Jun-17', 'userAddedToGroup', '{"userName":"d0  d0 ","groupName":"2userGroup"}', 1, NULL, 'system', 3)
      

        Attachments

        1. activiti.log
          37 kB
        2. activiti-app.properties
          18 kB
        3. activiti-ldap.properties
          10 kB
        4. spy.log
          6.36 MB
        5. synclog
          166 kB
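
Added example, not part of the original report and not Process Services code: by default Active Directory returns at most 1,500 values of a multi-valued attribute such as member in one response and exposes the rest through range retrieval (member;range=0-1499, then member;range=1500-*), which matches the threshold reported above; that this is the cause of MNT-18218 is an assumption, not something the report states. The sketch uses a constructed in-memory stand-in for the directory (make_fake_ad, naive_members and ranged_members are hypothetical names) to show why a client that reads only the plain member attribute sees an empty group, and how following the ranges recovers every member.

```python
import re

# Attribute descriptions such as "member;range=0-1499" or "member;range=1500-*".
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)

def make_fake_ad(members, max_val_range=1500):
    """Constructed stand-in for AD: at most max_val_range values per response."""
    def fetch(attr):
        m = RANGE_RE.match(attr)
        start = int(m.group(1)) if m else 0
        chunk = members[start:start + max_val_range]
        if not m and len(members) <= max_val_range:
            return {"member": chunk}          # small group: plain attribute
        last = start + len(chunk) >= len(members)
        end = "*" if last else str(start + len(chunk) - 1)
        return {f"member;range={start}-{end}": chunk}
    return fetch

def naive_members(fetch):
    """Reads only 'member', so a ranged reply looks like a group with no members."""
    return fetch("member").get("member", [])

def ranged_members(fetch):
    """Follows range retrieval until the server marks the final chunk with '*'."""
    out, attr = [], "member"
    while True:
        entry = fetch(attr)
        if entry.get("member"):
            return out + entry["member"]
        ranged = [(RANGE_RE.match(k), v) for k, v in entry.items()]
        ranged = [(m, v) for m, v in ranged if m]
        if not ranged:
            return out                        # empty group or unexpected reply
        m, values = ranged[0]
        out.extend(values)
        if m.group(2) == "*" or not values:
            return out
        attr = f"member;range={int(m.group(2)) + 1}-*"

if __name__ == "__main__":
    # Constructed sample DNs, sized like the groups in the report.
    for size in (2, 1500, 1600):
        dns = [f"CN=user{i},OU=example,DC=example,DC=test" for i in range(size)]
        ad = make_fake_ad(dns)
        print(size, len(naive_members(ad)), len(ranged_members(ad)))
```

A sync client that handles the ranged attribute name should report the same member count as the directory for groups on both sides of the 1,500 boundary.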

            People

            • Assignee:
              closedbugs Closed Bugs
              Reporter:
              ccollins Cody Collins