  1. Service Packs and Hot Fixes
  2. MNT-2607

ldap sync deletion behaviour not flexible enough

    Details

    • ACT Numbers:

      20506

      Description

      The http://wiki.alfresco.com/wiki/The_Synchronization_Subsystem says that the only way to turn off deletions in a ldap sync is to disable the scheduled sync.

      However, some customers want to keep the cron but turn off deletion.

      Attached is a patch to do this.

      Can it be included in next releases?

            Activity

            pholmeshiggin Paul Holmes-Higgin added a comment -

            Alex - is this your code? Thanks, Paul.

            dward Dave Ward [X] (Inactive) added a comment -

            The missing users would never be able to authenticate. How would this be useful?

            schambon Sylvain Chambon added a comment -

            Hi, I'm the one who raised this issue with support. And wrote the (trivial) code that exposes the "allowDeletions" property.

            David: the point is that if for some reason an administrator makes a configuration error when updating the ldap query to fetch groups or users, then all authorities are deleted and as a side effect so are their permissions on nodes. When the admin saw that the query was wrong, he changed back the query (the idea initially was to sync in more groups, but due to an error 0 groups were found). But by then all permissions had been deleted. We had to drop the repo and roll back from backup. That was in pre-production so no critical data was lost, but in production that would have been catastrophic.

            The default behaviour is I think all right for 99.9% of customers/users, but I know one who has had and will have to tinker with group sync during the lifetime of the repo, and with automatic deletion on it is just too much of a risk.

            dward Dave Ward [X] (Inactive) added a comment - - edited
            • synchronization.allowDeletions parameter introduced
            • default value is true (existing behaviour)
            • when false, no missing users or groups are deleted from the repository
            • instead they are cleared of their zones and missing groups are cleared of all their members
            • colliding users and groups from different zones are also 'moved' rather than recreated
            • unit test added
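
A simplified model of the two behaviours listed in the comment above, run against the failure described earlier in the thread (an LDAP query that suddenly matches 0 groups); this is an added example, not Alfresco's code or the attached patch. `Repo`, `sync`, the `LDAP1` zone id and the sample group and node are hypothetical names constructed for illustration.

```python
# Simplified model of the behaviour described above; NOT Alfresco's code.
# Repo, sync() and the "LDAP1" zone id are hypothetical names for illustration.
from dataclasses import dataclass, field


@dataclass
class Repo:
    zones: dict = field(default_factory=dict)    # authority -> set of zone ids
    members: dict = field(default_factory=dict)  # group -> set of member names
    acl: dict = field(default_factory=dict)      # node -> set of authorities


def sync(repo, ldap_groups, zone="LDAP1", allow_deletions=True):
    """Reconcile repo groups in `zone` with the LDAP query result.

    ldap_groups maps group name -> set of members returned by the query.
    Returns the sorted list of groups missing from the result.
    """
    for group, members in ldap_groups.items():
        # An existing authority is re-zoned ("moved"), not recreated.
        repo.zones.setdefault(group, set()).add(zone)
        repo.members[group] = set(members)
    missing = sorted(g for g, z in repo.zones.items()
                     if zone in z and g not in ldap_groups)
    for group in missing:
        if allow_deletions:
            # Deleting the authority also removes its permissions on nodes.
            del repo.zones[group]
            repo.members.pop(group, None)
            for authorities in repo.acl.values():
                authorities.discard(group)
        else:
            # Keep the authority: clear its zone and empty its membership,
            # so it grants nothing until a later sync repopulates it.
            repo.zones[group].discard(zone)
            repo.members[group] = set()
    return missing


def run_broken_query(allow_deletions):
    """Constructed scenario: a good sync, then a query that matches 0 groups."""
    repo = Repo(acl={"/finance/report.pdf": {"GROUP_finance"}})
    sync(repo, {"GROUP_finance": {"alice", "bob"}})
    sync(repo, {}, allow_deletions=allow_deletions)
    return repo
```

In this model, re-running `sync` with the corrected query restores membership in both cases, but only the `allow_deletions=False` run still has the node permission to come back to.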
            alfrescoqa Alfresco QA Team added a comment -

            Successfully validated on Alfresco Enterprise v3.4.10 (676).


              People

              • Assignee: closedbugs Closed Bugs
              • Reporter: amadon Alex Madon
              • Votes: 2
              • Watchers: 5


                  Time Tracking

                  • Original Estimate: Not Specified
                  • Remaining Estimate: 0 minutes
                  • Time Spent: 1 day, 4 hours