[jira] [Updated] (SYNCOPE-1921) LDAPMembershipPropagationActions deletes memberships of groups not managed by Syncope

Jira Tue, 21 Oct 2025 03:48:53 -0700


     [ 
https://issues.apache.org/jira/browse/SYNCOPE-1921?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Francesco Chicchiriccò updated SYNCOPE-1921:
--------------------------------------------
    Description: 
When propagating a user with reverse group membership references to groups not 
managed by Syncope the propagation task currently deletes these memberships 
instead of preserving them.

For example the user is member in 4 Syncope groups and one group outside of 
Syncope named "200004_groupOutsideOfSyncope", which is part of the subtree 
Syncope searches in, therefore the expected value for "ldapGroups" in the 
propagation is the following:

{code}
{
            "name": "ldapGroups",
            "value": [
                
"cn=T11,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=T1100,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=VIP,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"CN=200004_groupOutsideOfSyncope,OU=200004,OU=tuda,OU=campus-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=T110099,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de"
            ]

}
{code}
However in reality Syncope sends the following and therefore removes the 
membership:

{code}
{
            "name": "ldapGroups",
            "value": [
                
"cn=T11,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=T1100,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=VIP,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=T110099,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de"
            ]

}
{code}

  was:
When propagating a user with reverse group membership references to groups not 
managed by Syncope the propagation task currently deletes these memberships 
instead of preserving them.

For example the user is member in 4 Syncope groups and one group outside of 
Syncope named "200004_groupOutsideOfSyncope", which is part of the subtree 
Syncope searches in, therefore the expected value for "ldapGroups" in the 
propagation is the following:

{
            "name": "ldapGroups",
            "value": [
                
"cn=T11,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=T1100,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=VIP,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"CN=200004_groupOutsideOfSyncope,OU=200004,OU=tuda,OU=campus-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=T110099,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de"
            ]

}

However in reality Syncope sends the following and therefore removes the 
membership:

{
            "name": "ldapGroups",
            "value": [
                
"cn=T11,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=T1100,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=VIP,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
                
"cn=T110099,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de"
            ]

}

 


> LDAPMembershipPropagationActions deletes memberships of groups not managed by 
> Syncope
> -------------------------------------------------------------------------------------
>
>                 Key: SYNCOPE-1921
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1921
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.0.12
>            Reporter: Markus Okon
>            Priority: Major
>             Fix For: 3.0.15, 4.0.3, 4.1.0
>
>
> When propagating a user with reverse group membership references to groups 
> not managed by Syncope the propagation task currently deletes these 
> memberships instead of preserving them.
> For example the user is member in 4 Syncope groups and one group outside of 
> Syncope named "200004_groupOutsideOfSyncope", which is part of the subtree 
> Syncope searches in, therefore the expected value for "ldapGroups" in the 
> propagation is the following:
> {code}
> {
>             "name": "ldapGroups",
>             "value": [
>                 
> "cn=T11,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
>                 
> "cn=T1100,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
>                 
> "cn=VIP,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
>                 
> "CN=200004_groupOutsideOfSyncope,OU=200004,OU=tuda,OU=campus-it,DC=ads-test,DC=tu-darmstadt,DC=de",
>                 
> "cn=T110099,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de"
>             ]
> }
> {code}
> However in reality Syncope sends the following and therefore removes the 
> membership:
> {code}
> {
>             "name": "ldapGroups",
>             "value": [
>                 
> "cn=T11,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
>                 
> "cn=T1100,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
>                 
> "cn=VIP,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de",
>                 
> "cn=T110099,ou=groups,ou=central-it,DC=ads-test,DC=tu-darmstadt,DC=de"
>             ]
> }
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (SYNCOPE-1921) LDAPMembershipPropagationActions deletes memberships of groups not managed by Syncope

Reply via email to