Service Packs and Hot Fixes / MNT-18292

APS LDAP sync creates users found in the group search base and group query

    Details

    • Bug Priority: Category 2
    • ACT Numbers: 00870912, 00981680
    • Premier Customer: Yes

      Description

      Summary
      When an LDAP sync is performed in APS, users that are members of groups found in the group search base are added as APS users despite not being found explicitly in the person search base and by the person query.

      For example, I have the following Active Directory setup with 3 OU structures:

      OU: ActUsers
      Contains 1 user and 1 group as immediate children. The user is a member of the group.

      OU: ActGroups
      Contains 1 group. The group has 100 users as members, located in a 3rd OU called moreUsers.

      OU: moreUsers
      Contains 100 users that are members of the group in the ActGroups OU.

      LDAP properties:

      ldap.synchronization.userSearchBase=OU=ActUsers,DC=stealth,DC=ace
      ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf\:\=CN\=g1,OU\=ActUsers,DC\=stealth,DC\=ace))

      ldap.synchronization.groupSearchBase=OU=ActGroups,DC=stealth,DC=ace
      ldap.synchronization.groupQuery=(objectclass\=group)

      Steps to Reproduce

      1. Configure an Active Directory Domain to have three OUs. OU1 serving as the Process Services User Search Base with 1 user. OU2 as the Process Services Group Search Base with 1 group. For OU3, create any number of users and add those users to the group in OU2
      2. Set up Alfresco Process Services 1.6.2 to sync with the configured Active Directory server.
      3. Wait for a full sync to start and complete.
      4. Inspect the number of total users that now exist under Users in Identity Management > Organization.

      Expected Behavior
      Only groups should be synced and created from the group search base and query. Only users found in the user search base and query should be synced and created in Process Services.

      Actual Behavior
      Users that are not found in the user search base and by the person query are created anyway if they are members of groups in the group search base. The group query finds and creates both users and groups.

      Supporting evidence

      • Reproduced with the latest APS 1.6.3
      • The log output during the LDAP sync, which initially states that only 1 user and 1 group were found but later shows that more than the one user found is processed:
      2017-07-06 13:57:00,005 INFO  [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [pool-4-thread-3] Starting full LDAP synchronization
      2017-07-06 13:57:00,005 INFO  [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [pool-4-thread-3] Starting to process the LDAP users and groups.
      2017-07-06 13:57:00,042 INFO  [com.activti.idm.ldap.service.LdapRegistryServiceImpl] [pool-4-thread-3] Fetched 1 groups using 1 pages. This took 27 ms.
      2017-07-06 13:57:00,050 INFO  [com.activti.idm.ldap.service.LdapRegistryServiceImpl] [pool-4-thread-3] Fetched 1 users using 1 pages. This took 1 ms.
      2017-07-06 13:57:08,537 INFO  [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [pool-4-thread-3] Found 1 groups and 101 users in LDAP
      2017-07-06 13:57:20,464 INFO  [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [pool-4-thread-3] Finished processing 101 users
      
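As an added example (not the reporter's or Alfresco's code), the check below applies the user search base from the properties above to a constructed group-member listing shaped like the report's directory: one user in ActUsers and 100 users in moreUsers. It unescapes the Java .properties values, then partitions every group member by whether its DN lies under ldap.synchronization.userSearchBase; a sync matching the expected behaviour would create only the first partition, while the reported behaviour creates both. Assumptions: the ActGroups group name ("g2"), DNs without escaped commas, and membership supplied as a dict rather than read from a live directory; the personQuery filter itself is not evaluated.

```python
import re
# Constructed copy of the report's LDAP properties, Java .properties escaping intact.
PROPERTIES = r"""
ldap.synchronization.userSearchBase=OU=ActUsers,DC=stealth,DC=ace
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf\:\=CN\=g1,OU\=ActUsers,DC\=stealth,DC\=ace))
ldap.synchronization.groupSearchBase=OU=ActGroups,DC=stealth,DC=ace
ldap.synchronization.groupQuery=(objectclass\=group)
"""

# Constructed membership shaped like the report: g1 in ActUsers holds the one ActUsers
# user; the ActGroups group (name "g2" assumed) holds 100 users from the moreUsers OU.
MEMBERS = {
    "CN=g1,OU=ActUsers,DC=stealth,DC=ace": ["CN=user0,OU=ActUsers,DC=stealth,DC=ace"],
    "CN=g2,OU=ActGroups,DC=stealth,DC=ace": [f"CN=user{i},OU=moreUsers,DC=stealth,DC=ace" for i in range(1, 101)],
}

def load_properties(text):
    r"""Parse key=value lines: the first unescaped '=' ends the key, and a backslash
    escapes the character after it, so the '\=' and '\:' in the queries become '=' and ':'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def dn_components(dn):
    """RDNs of a DN, case-folded (AD compares DNs case-insensitively).
    Simplification: assumes no escaped commas inside attribute values."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_search_base(dn, base):
    """True if dn equals base or lies below it: base's RDNs are a suffix of dn's."""
    parts, base_parts = dn_components(dn), dn_components(base)
    return len(parts) >= len(base_parts) and parts[-len(base_parts):] == base_parts

def partition_members(member_dns, user_search_base):
    """Split member DNs into those under the user search base and those outside it."""
    inside = [dn for dn in member_dns if in_search_base(dn, user_search_base)]
    outside = [dn for dn in member_dns if not in_search_base(dn, user_search_base)]
    return inside, outside

def audit(properties_text=PROPERTIES, members=MEMBERS):
    """(inside, outside): users the sync should create vs. users it creates only via groups."""
    base = load_properties(properties_text)["ldap.synchronization.userSearchBase"]
    all_members = [dn for dns in members.values() for dn in dns]
    return partition_members(all_members, base)
```

Run against a real export of group members, the length of the second list is the number of accounts the sync would create beyond the user search base; the report's log shows that figure as the jump from 1 to 101 users.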

              People

              • Assignee: djohnson (Doug Johnson)
              • Reporter: ccollins (Cody Collins)