authentik
LDAP sync tasks keep disappearing
Describe the bug
LDAP sync tasks disappear from System Tasks and don't run after a few hours/days
To Reproduce
Steps to reproduce the behavior:
- Add an LDAP sync source
- Sync it
- Wait a bit
- LDAP sync tasks disappear either entirely or in part (eg: no group membership, or groups only, or users only)
Expected behavior
LDAP sync tasks stay and don't disappear
Screenshots
Logs
I haven't seen any that are even remotely useful...
Version and Deployment:
- authentik version: 2023.10.7 (happened in 2023.10.4 as well)
- Deployment: Hashicorp Nomad via Docker
Additional context
Restarting the deployment and forcing a sync makes the tasks re-appear for a while.
Hello, it seems this problem is very similar or related to #8593
hmm, I did see that issue and they do seem subtly different - I do get some scheduled tasks running for a little bit - eg: this one is still running after 6 days
What doesn't happen though, is if I click on 'Run sync again', the only action that happens is the one that a scheduled task exists for - ie: it will only sync a new group here, not new users or group membership
@sparkblaze could you try upgrading to 2024.2.2? In 2024.2 we switched to storing the metadata for these tasks in the database instead of redis which should also fix this issue.
Doesn't seem to have resolved it for me after upgrading to 2024.2.2 on Friday.
Came back in this morning to:
As far as I can tell, the last time the ldap_sync tasks ran was a few hours after updating it to 2024.2.2.
If I run the sync again, it does at least run all the enabled sync tasks, but it never runs on a schedule, so now I have a script that runs every hour to force a sync.
@sparkblaze before I go digging through the API to do something similar are you able to share your script?
We're mostly PowerShell for our automation, but essentially it's just an empty PATCH request to /api/v3/sources/ldap/<ldap-slug>/, go to sleep for a few seconds and then check on /api/v3/sources/ldap/<ldap-slug>/sync_status/ (note the trailing slashes)
    # Slugs of the LDAP sources to force-sync
    $ldapConfigs = @(
        "ldap-slug"
    )
    # The API token is sent as a Bearer token on every request
    $headers = @{
        Authorization = "Bearer <api-token>"
    }
    foreach ($ldapSource in $ldapConfigs) {
        # Empty PATCH against the source to force a sync
        try {
            $null = Invoke-RestMethod -Method "PATCH" -Uri "https://<authentik-fqdn>/api/v3/sources/ldap/$ldapSource/" -Headers $headers -ErrorAction Stop
        } catch {
            Write-Error -ErrorRecord $_ -ErrorAction Stop
            return
        }
        # Give the sync tasks a few seconds before checking on them
        Start-Sleep -Seconds 5
        try {
            $task_results = Invoke-RestMethod -Method "GET" -Uri "https://<authentik-fqdn>/api/v3/sources/ldap/$ldapSource/sync_status/" -Headers $headers -ErrorAction Stop
        } catch {
            Write-Error -ErrorRecord $_ -ErrorAction Stop
            return
        }
        # Warn about every task that is not reported as successful
        foreach ($task in $task_results.tasks) {
            if ($task.status -Eq "successful") {
                continue
            }
            Write-Warning -Message "$($task.full_name) has status of $($task.status)"
        }
    }
Unfortunately, we are experiencing the same issue. We added more details in Discord
https://discord.com/channels/809154715984199690/1229845342187556914