syncope icon indicating copy to clipboard operation
syncope copied to clipboard
verified publisher icon apache

[SYNCOPE-1921] Separate membership attribute on __ACCOUNT__ and ldapGroups attribute for connector

Open markusokon opened this issue 6 months ago • 9 comments

Currently LDAPMembershipPropagationActions uses the same attribute for writing the result into the propagation data and fetching the preexisting group memberships of the user object in LDAP. This leads to the beforeObj.getAttributeByName() call never returning any groups in the default case and therefore Syncope trying to edit groups it doesn't own/control.

This is fixed in this pull request by separating the attribute name used into one which the connector receives, containing all the group memberships after the execution, and the attribute name which is used to get all current memberships from the LDAP object.

Furthermore I added a performance optimization by searching for the groups managed by Syncope only once and not potentially hundreds of times.

markusokon avatar Aug 21 '25 13:08 markusokon

Hi @markusokon please open an issue on JIRA to illustrate what issue this PR is going to solve.

Also, unless you have already contributed to other ASF projects, please submit your ICLA https://www.apache.org/licenses/contributor-agreements.html#clas

ilgrosso avatar Aug 21 '25 13:08 ilgrosso

@markusokon any update?

ilgrosso avatar Sep 03 '25 17:09 ilgrosso

Hi @ilgrosso

it's currently under discussion if this code also requires a CCLA to be signed and I will give you an update ASAP.

markusokon avatar Sep 04 '25 12:09 markusokon

Hi @markusokon it's been about a month since last update: please let us know if there is any news, thanks.

ilgrosso avatar Oct 02 '25 07:10 ilgrosso

Sorry for keeping you waiting, it took a bit longer than expected. I just sent the ICLA and CCLA to [email protected] and requested a JIRA account to open the issue.

markusokon avatar Oct 20 '25 14:10 markusokon

@markusokon you have a checkstyle error:

Error: src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java:[97,1] (whitespace) FileTabCharacter: File contains tab characters (this is the first instance).

ilgrosso avatar Oct 21 '25 14:10 ilgrosso

@markusokon as you can see, the following integration test is failing:

PropagationTaskITCase.issueSYNCOPE1473:835 expected: <2> but was: <1>

e.g. here: https://github.com/apache/syncope/blob/master/fit/core-reference/src/test/java/org/apache/syncope/fit/core/PropagationTaskITCase.java#L835

ilgrosso avatar Oct 21 '25 14:10 ilgrosso

@markusokon do you have any news to fix the failing integration test?

ilgrosso avatar Oct 30 '25 14:10 ilgrosso

@markusokon no feedback for 2 weeks: shall we close this PR?

ilgrosso avatar Nov 07 '25 12:11 ilgrosso

No feedback for 4 months, closing.

ilgrosso avatar Feb 18 '26 13:02 ilgrosso