Type: Service Pack Request
Status: Open (View Workflow)
Affects Version/s: Alfresco Process Services 1.6.3, Alfresco Process Services 1.9
Fix Version/s: Alfresco Process Services 1.6.N
Component/s: APS Identify Manager
When an LDAP sync is performed in APS, users that are members of groups found in the group search base are added as APS users even though they are not found in the person search base by the person query.
For example, I have the following Active Directory setup with 3 OU structures:
- OU1: Contains 1 user and 1 group as immediate children. The user is a member of the group.
- OU2: Contains 1 group. The group has 100 users as members in a 3rd OU called moreUsers.
- OU3: Contains 100 users that are members of the group in the ActGroups OU.
Steps to Reproduce
- Configure an Active Directory domain with three OUs: OU1 serving as the Process Services user search base, containing 1 user; OU2 serving as the Process Services group search base, containing 1 group; OU3 containing any number of users, all added as members of the group in OU2.
- Set up Alfresco Process Services 1.6.2 to sync with the configured Active Directory server.
- Wait for a full sync to start and complete.
- Inspect the number of total users that now exist under Users in Identity Management > Organization.
Expected result: Only groups should be synced and created from the group search base and query. Only users found in the user search base and by the person query should be synced and created in Process Services.
Actual result: Users that are not found in the user search base by the person query are created anyway if they are members of groups in the group search base. The group query finds and creates both users and groups.
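The behaviour reported above, modelled in Python as an added example (this is not Alfresco Process Services code): the sync resolves group members by DN, and the `create_members_outside_user_base` flag switches between the observed result (the 100 moreUsers accounts become APS users) and the expected one (only the user found by the person query). OU and user names other than ActGroups and moreUsers are assumed.

```python
# Constructed model of the sync described in this issue; it is an added
# illustration, not Alfresco Process Services code. The OU names below are
# assumed except for ActGroups and moreUsers, which the report mentions.
USER_BASE = "OU=Users,DC=example,DC=com"        # person search base (OU1)
GROUP_BASE = "OU=ActGroups,DC=example,DC=com"   # group search base (OU2)
MORE_USERS = "OU=moreUsers,DC=example,DC=com"   # OU3, outside both bases


def build_directory(extra_users=100):
    """Return (users, groups) as {dn: attrs} and {dn: [member dn, ...]}."""
    alice = f"CN=alice,{USER_BASE}"
    users = {alice: {"sAMAccountName": "alice"}}
    for i in range(extra_users):
        users[f"CN=user{i},{MORE_USERS}"] = {"sAMAccountName": f"user{i}"}
    # One group in the group base whose members span OU1 and OU3; the
    # upper-cased DN checks that matching is not tripped up by case.
    members = [alice.upper()] + [f"CN=user{i},{MORE_USERS}" for i in range(extra_users)]
    return users, {f"CN=Staff,{GROUP_BASE}": members}


def normalize_dn(dn):
    """Lower-case and trim each RDN so equivalent DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under_base(dn, base):
    """True when dn is base itself or lies in its subtree (subtree scope)."""
    n, b = normalize_dn(dn), normalize_dn(base)
    return n == b or n.endswith("," + b)


def sync(users, groups, create_members_outside_user_base):
    """Run a sync; the flag selects observed (True) or expected (False) behaviour."""
    # Person query: every user entry under the person search base.
    synced_users = {normalize_dn(dn) for dn in users if is_under_base(dn, USER_BASE)}
    user_index = {normalize_dn(dn) for dn in users}
    synced_groups = {}
    for gdn, members in groups.items():
        if not is_under_base(gdn, GROUP_BASE):
            continue  # group query only covers the group search base
        linked = []
        for m in members:
            m = normalize_dn(m)
            if m not in user_index:
                continue  # not a user entry (e.g. a nested group); skipped here
            if m in synced_users:
                linked.append(m)  # already found by the person query: link it
            elif create_members_outside_user_base:
                synced_users.add(m)  # observed: member outside OU1 becomes a user
                linked.append(m)
        synced_groups[normalize_dn(gdn)] = linked
    return synced_users, synced_groups
```

With the flag set to True the group ends up with 101 linked members and 101 APS users exist; with it set to False the same group links only the one user the person query returned.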
- Reproduced with the latest APS 1.6.3.
- The log output during the LDAP sync, which initially states that only 1 user and 1 group were found but later shows that more than the one user found is processed: