Service Packs and Hot Fixes / MNT-2607

ldap sync deletion behaviour not flexible enough

    Details

    • ACT Numbers: 20506

      Description

      The http://wiki.alfresco.com/wiki/The_Synchronization_Subsystem says that the only way to turn off deletions in an LDAP sync is to disable the scheduled sync.

      However, some customers want to keep the cron but turn off deletion.

      Attached is a patch to do this.

      Can it be included in the next releases?

          Activity

          Paul Holmes-Higgin added a comment -

          Alex - is this your code? Thanks, Paul.

          dward added a comment -

          The missing users would never be able to authenticate. How would this be useful?

          Sylvain Chambon added a comment -

          Hi, I'm the one who raised this issue with support. And wrote the (trivial) code that exposes the "allowDeletions" property.

          David: the point is that if for some reason an administrator makes a configuration error when updating the ldap query to fetch groups or users, then all authorities are deleted and as a side effect so are their permissions on nodes. When the admin saw that the query was wrong, he changed back the query (the idea initially was to sync in more groups, but due to an error 0 groups were found). But by then all permissions had been deleted. We had to drop the repo and roll back from backup. That was in pre-production so no critical data was lost, but in production that would have been catastrophic.

          The default behaviour is, I think, all right for 99.9% of customers/users, but I know one who has had and will have to tinker with group sync during the lifetime of the repo, and with automatic deletion on, it is just too much of a risk.

          dward added a comment - - edited
          • synchronization.allowDeletions parameter introduced
          • default value is true (existing behaviour)
          • when false, no missing users or groups are deleted from the repository
          • instead they are cleared of their zones and missing groups are cleared of all their members
          • colliding users and groups from different zones are also 'moved' rather than recreated
          • unit test added
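
The difference between the two settings discussed in this thread, as an added example that is not Alfresco code and not part of any comment above: a simplified Python model of one sync pass, run first with a misconfigured query that returns nothing and then with the corrected query. The zone id, authority names, node path and role are constructed, and the data model (zones, group members, per-node permission entries) is an assumption made for illustration.

```python
"""Simplified model of an LDAP sync pass (illustrative; not Alfresco code)."""
import copy

ZONE = "AUTH.EXT.ldap1"  # constructed zone id for the LDAP subsystem

def sync(repo, ldap_result, allow_deletions=True):
    """Reconcile repo with ldap_result (authority name -> set of members).

    repo holds: 'zones' (authority -> set of zones), 'members'
    (group -> set of members), 'acl' (node -> {authority: role}).
    """
    for name, members in ldap_result.items():
        repo["zones"].setdefault(name, set()).add(ZONE)  # create or re-adopt
        if name.startswith("GROUP_"):
            repo["members"][name] = set(members)
    missing = [a for a, z in repo["zones"].items()
               if ZONE in z and a not in ldap_result]
    for name in missing:
        if allow_deletions:
            # Default: the authority is deleted, and with it every
            # permission entry that referenced it.
            del repo["zones"][name]
            repo["members"].pop(name, None)
            for entries in repo["acl"].values():
                entries.pop(name, None)
        else:
            # allowDeletions=false: keep the authority, clear its zones,
            # and empty a missing group's membership.
            repo["zones"][name].clear()
            if name in repo["members"]:
                repo["members"][name].clear()
    return repo

# Constructed sample data.
GOOD_QUERY = {"alice": set(), "GROUP_finance": {"alice"}}
BAD_QUERY = {}  # misconfigured query: zero users and groups returned
INITIAL = {
    "zones": {"alice": {ZONE}, "GROUP_finance": {ZONE}},
    "members": {"GROUP_finance": {"alice"}},
    "acl": {"/contracts": {"GROUP_finance": "Collaborator"}},
}

def scenario(allow_deletions):
    """Run the bad query, then the corrected one; return the final repo."""
    repo = copy.deepcopy(INITIAL)
    sync(repo, BAD_QUERY, allow_deletions)
    return sync(repo, GOOD_QUERY, allow_deletions)

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, scenario(flag)["acl"])
```

In this model, correcting the query brings the group back under either setting, but only with deletions disabled does the permission entry on the node survive the bad pass.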
          Alfresco QA Team added a comment -

          Successfully validated on Alfresco Enterprise v3.4.10 (676).


            People

            • Assignee: Closed Bugs
            • Reporter: Alex Madon
            • Votes: 2
            • Watchers: 6

                Time Tracking

                Estimated: Not Specified
                Remaining: 0 minutes
                Logged: 1 day, 4 hours