I have the following setup in Active Directory. I have my user search base pointed to an OU with 1,600 users. I have my group search base pointed to an OU which contains 1 group. That 1 group has all my 1,600 users as members.
During a full sync, my 1 group is added to Process Services and my 1,600 users are found and imported into Process Services. However, none of the users are added to the group in Process Services.
If I decrease the total number of users in my LDAP group to 1,500 or fewer, the user-to-group association works fine: I can view all 1,500 users as members of the LDAP group in Process Services. So there is currently some limitation on group memberships when a group has more than 1,500 users.
Steps to Reproduce
- Configure an Active Directory Domain to have two OUs. One OU serving as the Process Services User Search Base with 1,600 users. The other OU as the Process Services Group Search Base with 1 group.
- Add the 1,600 users to the LDAP group.
- Set up Alfresco Process Services 1.6.2 to sync with the configured Active Directory server.
- Wait for a full sync to start and complete.
- Inspect the number of members for the synced group in Identity Management > Organization.
Expected Results
The LDAP sync completes successfully and adds all 1,600+ LDAP users to the LDAP group in Alfresco Process Services.
Actual Results
The LDAP sync completes successfully and creates the LDAP users and the LDAP group in Alfresco Process Services, BUT it does not add any of the LDAP users to the LDAP group.
- Reproduced the behavior using 1.6.2 on an Oracle database, a PostgreSQL database and the OOTB H2 database to verify that the issue is not dependent on the DB vendor.
- Reproduction was performed several times with LDAP query paging enabled and disabled and different db insert and read batch sizes but the behaviour was always the same.
- It is also reported by the customer that syncing Alfresco to this same LDAP server successfully adds all 1,500+ users as members of the LDAP group.
- Attached to the Jira are the Activiti.log, spy.log, synclog, activiti-app.properties, and activiti-ldap.properties.
- synclog shows that 1,600 users and 2 groups are found and created. I included a control test group with only 2 members. In the sync log, you can see this group is created and has its two members added. The 1,600 user group is only created and does not have its users added as members.
- spy.log is gathered from using p6spy for SQL debugging in Process Services. It shows the executed SQL during User creation, Group creation, and User to Group association.
- AbstractExternalIdmSourceSyncService.java calls an addUserToGroup method which is defined in GroupServiceImpl.java. GroupServiceImpl.java calls a getCount method to determine if a user needs to be added to a synced group in Process Services. getCount is defined in UserGroupRepository.java and executes the following SQL query:
@Query("select count(ug.userGroupPK.userId) from UserGroup ug where ug.userGroupPK.groupId = :groupId")
This effectively means that this query is executed once for every user in every group. In my spy.log, you only see the above query being executed for the two members of my 2-user group. You do not see this query being executed at all for any of the 1,600 users.
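One thing worth ruling out when a membership sync stops exactly above 1,500 members: Active Directory caps the number of values it returns for a single multi-valued attribute at MaxValRange (1,500 by default). Above that cap the server omits the plain `member` attribute and instead returns a slice named like `member;range=0-1499`, and the client must request `member;range=1500-*` (and so on) until it receives a slice whose upper bound is `*`. A client that only reads `member` therefore sees an empty attribute, not the first 1,500 values. The Python below is an added illustration, not code from the report or from Process Services: it simulates that server behaviour with a constructed in-memory group (no LDAP connection) and contrasts a naive reader with a range-aware one.

```python
"""Range-aware reading of a multi-valued LDAP attribute (added example).

The "server" here is a constructed stand-in for an Active Directory entry,
not a real LDAP connection.  MAX_VAL_RANGE mirrors AD's default MaxValRange.
"""
import re
from typing import Callable, Dict, List

MAX_VAL_RANGE = 1500  # Active Directory default MaxValRange

# Attribute names of the form  attr;range=lo-hi  where hi is a number or '*'.
_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)

# Constructed test data mirroring the report: 1,600 members, plus a 2-member control group.
BIG_GROUP: List[str] = [f"CN=user{i:04d},OU=Users,DC=example,DC=test" for i in range(1600)]
CONTROL_GROUP: List[str] = ["CN=alice,OU=Users,DC=example,DC=test",
                            "CN=bob,OU=Users,DC=example,DC=test"]

Search = Callable[[str], Dict[str, List[str]]]


def make_fake_ad(members: List[str]) -> Search:
    """Return a search function that answers like AD for one group's 'member'."""

    def search(requested: str) -> Dict[str, List[str]]:
        m = _RANGE_RE.match(requested)
        base = m.group("attr") if m else requested
        if base.lower() != "member":
            return {}
        lo = int(m.group("lo")) if m else 0
        # Small attribute and no explicit range requested: returned as-is.
        if not m and len(members) <= MAX_VAL_RANGE:
            return {base: list(members)}
        # Otherwise serve one slice of at most MAX_VAL_RANGE values; the final
        # slice is labelled with '*' as its upper bound.
        hi = min(lo + MAX_VAL_RANGE, len(members))
        label = "*" if hi == len(members) else str(hi - 1)
        return {f"{base};range={lo}-{label}": members[lo:hi]}

    return search


def naive_members(search: Search) -> List[str]:
    """Client that only looks at the plain 'member' attribute."""
    return search("member").get("member", [])


def ranged_members(search: Search, attr: str = "member") -> List[str]:
    """Client that follows ranged slices until the server sends the '*' slice."""
    collected: List[str] = []
    requested = attr
    while True:
        result = search(requested)
        if attr in result:  # whole attribute fit in one response
            return list(result[attr])
        ranged = [k for k in result if _RANGE_RE.match(k)]
        if not ranged:  # attribute absent (or nothing left to fetch)
            return collected
        key = ranged[0]
        collected.extend(result[key])
        hi = _RANGE_RE.match(key).group("hi")
        if hi == "*":
            return collected
        requested = f"{attr};range={int(hi) + 1}-*"


if __name__ == "__main__":
    big = make_fake_ad(BIG_GROUP)
    print("naive reader sees", len(naive_members(big)), "members of the 1,600-member group")
    print("range-aware reader sees", len(ranged_members(big)), "members of the 1,600-member group")
    print("control group via naive reader:", len(naive_members(make_fake_ad(CONTROL_GROUP))))
```

With the constructed data the naive reader gets zero members for the large group but both members of the control group, which is the same pattern the sync log shows. Whether that is what is happening here can be checked against the real server with an `ldapsearch` for the group entry: if the response carries `member;range=0-1499` rather than `member`, the sync client has to implement the range loop above.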