  1. Service Packs and Hot Fixes
  2. MNT-19827

APS only updates group information on a full sync if the LDAP attribute whenChanged date is after the LAST_SYNC_TIMESTAMP date

    Details

    • Bug Priority:
      Category 1
    • ACT Numbers:

      00967745

      Description

      Summary

      If an APS administrator changes an LDAP synchronization property such as ldap.synchronization.groupIdAttributeName, the change is not applied or visible in APS until the group object in LDAP is updated, even when doing a full sync.

      Looking in 'AbstractExternalIdmSourceSyncService.java', the following lines suggest the group is only updated in APS if the whenChanged timestamp is after the LAST_SYNC_TIMESTAMP in the GROUPS table, even when running a full sync.

      // Existing group found, check the sync timestamp. If not the
      // same, update properties
      if (group.getLastSyncTimeStampEpoch() == null
              || !group.getLastSyncTimeStampEpoch().equals(externalGroup.getLastModifiedTimeStamp().getTime())) {


      Steps to reproduce

      1. Configure APS to sync with LDAP. Allow for APS to do a full sync and ensure that groups are found, synced into APS, and displayed in Identity Management > Organization.
      2. Note the name displayed in Identity Management > Organization. This is controlled by the property ldap.synchronization.groupIdAttributeName which I set to 'cn' by default.
      3. Change ldap.synchronization.groupIdAttributeName to another LDAP property like "description".
      4. Restart APS to apply changes.
      5. Note that the same names are still displayed in Identity Management > Organization; the group names are not displayed using the new property, description.
      6. Modify one of the synced groups in LDAP such that the whenChanged timestamp is updated. You can do this by simply changing the group's description or other attributes.
      7. Allow for another full sync to happen.
      8. Note that the group display name has now been updated in APS Identity Management > Organization.

      Expected Behavior
      A full sync in APS should always update the already synced groups with the new settings, without taking the last modification date into account, since the full sync group query normally does not even use whenChanged.

      Actual Behavior
      A full sync is still doing a check against LAST_SYNC_TIMESTAMP and the whenChanged timestamp to determine if a group needs to be updated in APS.
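
      The difference between the reported and the expected update decision, as an added example that is not code from APS or from this ticket. The class, record and method names and the sample group are hypothetical and constructed for illustration; records require Java 16 or later.

```java
import java.util.Map;

// Added illustration: a hypothetical minimal model, not Alfresco Process Services code.
public class FullSyncDemo {
    // Constructed stand-in for a group read from LDAP.
    record ExternalGroup(String dn, Map<String, String> attrs, long whenChanged) {}

    // Constructed stand-in for a row in the GROUPS table.
    static final class SyncedGroup {
        String name;
        Long lastSyncTimeStampEpoch;
    }

    // Behaviour described in the report: the timestamp gate applies to every sync.
    static boolean updateReported(SyncedGroup g, ExternalGroup ext, String nameAttr) {
        if (g.lastSyncTimeStampEpoch == null || !g.lastSyncTimeStampEpoch.equals(ext.whenChanged())) {
            apply(g, ext, nameAttr);
            return true;
        }
        return false; // unchanged LDAP object: a new attribute mapping is never applied
    }

    // Expected behaviour: a full sync re-applies the configured mapping unconditionally.
    static boolean updateExpected(SyncedGroup g, ExternalGroup ext, String nameAttr, boolean fullSync) {
        if (fullSync || g.lastSyncTimeStampEpoch == null
                || !g.lastSyncTimeStampEpoch.equals(ext.whenChanged())) {
            apply(g, ext, nameAttr);
            return true;
        }
        return false;
    }

    static void apply(SyncedGroup g, ExternalGroup ext, String nameAttr) {
        g.name = ext.attrs().get(nameAttr);
        g.lastSyncTimeStampEpoch = ext.whenChanged();
    }

    public static void main(String[] args) {
        ExternalGroup ext = new ExternalGroup("cn=finance,ou=groups,dc=example,dc=test",
                Map.of("cn", "finance", "description", "Finance Department"), 1_700_000_000_000L);
        SyncedGroup g = new SyncedGroup();
        updateReported(g, ext, "cn"); // initial full sync with groupIdAttributeName = cn
        // Mapping changed to description, LDAP object untouched, another full sync runs.
        boolean changed = updateReported(g, ext, "description");
        System.out.println("reported: updated=" + changed + " name=" + g.name);
        changed = updateExpected(g, ext, "description", true);
        System.out.println("expected: updated=" + changed + " name=" + g.name);
    }
}
```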

              People

              • Assignee:
                djohnson Doug Johnson
                Reporter:
                ccollins Cody Collins