If an APS administrator changes an LDAP synchronization property such as ldap.synchronization.groupIdAttributeName, the change is not applied or visible in APS until the group object in LDAP is itself updated, even when a full sync is run.
Looking in 'AbstractExternalIdmSourceSyncService.java', the relevant lines suggest that a group is only updated in APS if its whenChanged timestamp is after the LAST_SYNC_TIMESTAMP in the GROUPS table, even when running a full sync.
Steps to reproduce
- Configure APS to sync with LDAP. Allow for APS to do a full sync and ensure that groups are found, synced into APS, and displayed in Identity Management > Organization.
- Note the name displayed in Identity Management > Organization. This is controlled by the property ldap.synchronization.groupIdAttributeName which I set to 'cn' by default.
- Change ldap.synchronization.groupIdAttributeName to another LDAP property like "description".
- Restart APS to apply changes.
- Note that the same names are still displayed in Identity Management > Organization; the groups are not renamed using the new attribute (description).
- Modify one of the synced groups in LDAP such that the whenChanged timestamp is updated. You can do this by simply changing the group's description or other attributes.
- Allow for another full sync to happen.
- Note that the group display name has now been updated in APS Identity Management > Organization.
A full sync in APS should always update the already synced groups with the new settings, without taking the last modification date into account, since the full sync group query does not normally use whenChanged at all.
Instead, a full sync still checks whenChanged against LAST_SYNC_TIMESTAMP to decide whether a group needs to be updated in APS.
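The following is an added illustration of the decision described above, written for this report and not taken from APS or AbstractExternalIdmSourceSyncService.java. It models a constructed LDAP group with a whenChanged timestamp and two attributes (cn and description), applies the reported "update only if whenChanged is after LAST_SYNC_TIMESTAMP" rule and the expected "full sync always rewrites" rule side by side, and shows that after switching groupIdAttributeName from cn to description only the latter rule picks up the new display name. The class, method and field names are hypothetical.

```java
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Constructed model of the reported behaviour; not APS code.
public class GroupSyncExample {

    // A constructed LDAP group entry: DN, whenChanged and a few attributes.
    static final class LdapGroup {
        final String dn;
        final Instant whenChanged;
        final Map<String, String> attributes;
        LdapGroup(String dn, Instant whenChanged, Map<String, String> attributes) {
            this.dn = dn;
            this.whenChanged = whenChanged;
            this.attributes = attributes;
        }
    }

    // Mirrors the decision the report describes: the group is written to APS
    // only when whenChanged is after LAST_SYNC_TIMESTAMP, whatever the sync type.
    static boolean reportedShouldUpdate(boolean fullSync, LdapGroup group, Instant lastSync) {
        return group.whenChanged.isAfter(lastSync);
    }

    // Expected behaviour per the report: a full sync always rewrites already
    // synced groups; only an incremental sync consults whenChanged.
    static boolean expectedShouldUpdate(boolean fullSync, LdapGroup group, Instant lastSync) {
        return fullSync || group.whenChanged.isAfter(lastSync);
    }

    // Runs one sync pass and returns the APS display name per DN, taking the
    // name from the configured groupIdAttributeName for every group that is written.
    static Map<String, String> sync(Map<String, String> apsNames, List<LdapGroup> ldapGroups,
                                    String groupIdAttributeName, boolean fullSync,
                                    Instant lastSync, boolean useExpectedRule) {
        Map<String, String> result = new LinkedHashMap<>(apsNames);
        for (LdapGroup g : ldapGroups) {
            boolean update = useExpectedRule
                    ? expectedShouldUpdate(fullSync, g, lastSync)
                    : reportedShouldUpdate(fullSync, g, lastSync);
            if (update) {
                result.put(g.dn, g.attributes.get(groupIdAttributeName));
            }
        }
        return result;
    }

    public static void main(String[] args) {
        Instant whenChanged = Instant.parse("2024-01-01T00:00:00Z"); // constructed
        Instant lastSync = Instant.parse("2024-01-02T00:00:00Z");    // constructed LAST_SYNC_TIMESTAMP
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("cn", "sales");
        attrs.put("description", "Sales Department");
        List<LdapGroup> ldap = List.of(
                new LdapGroup("cn=sales,ou=groups,dc=example,dc=com", whenChanged, attrs));

        // Initial full sync with groupIdAttributeName=cn populates APS.
        Map<String, String> aps = sync(Map.of(), ldap, "cn", true, Instant.EPOCH, false);
        System.out.println("after initial sync:        " + aps);

        // Admin switches to description and restarts. With the reported rule the
        // group's whenChanged is older than LAST_SYNC_TIMESTAMP, so nothing changes.
        Map<String, String> unchanged = sync(aps, ldap, "description", true, lastSync, false);
        System.out.println("reported rule, full sync:  " + unchanged);

        // Same full sync with the expected rule: the new attribute is applied.
        Map<String, String> updated = sync(aps, ldap, "description", true, lastSync, true);
        System.out.println("expected rule, full sync:  " + updated);
    }
}
```

The first two printed maps show "sales" for the group; only the third shows "Sales Department". Touching the group in LDAP so that whenChanged moves past LAST_SYNC_TIMESTAMP would make the reported rule update it too, which is the workaround the reproduction steps describe.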