LDAP differential sync does not add restored users to group

[lethal1986]

In alfresco-content-repository-community:23.3.0 (and also in enterprise version) with LDAP differential sync we are facing a strange phenomenon.

It seems that differential synchronisation does not puts back a user to a group, if the user was previously removed and after that restored in AD.

In order to detail the problem we set up an OpenLDAP server and configure Alfresco to use this OpenLdap server ldap-authentication.properties settings.

Here are the steps we have done:

• in OpenLDAP server: create an AD group (called: alfresco-users) and include 3 users (t1u1, t2u2 and t3u3).
• Make a full sync in Alfresco JS console to obtain new group(s), users and user-group relations:

  
  var ctxt, synchronizer;
  ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
  synchronizer = ctxt.getBean('userRegistrySynchronizer', Packages.org.alfresco.repo.security.sync.UserRegistrySynchronizer);

synchronizer.synchronize(true, true);

* Groups/users are synchronised into Alfresco, group "GROUP_alfresco-users" contains the following users: t1u1, t1u2 and t1u3.
here is the relevant log file:  [alfresco_full_sync.log](https://github.com/user-attachments/files/17377139/alfresco_full_sync.txt)
> 3 user(s) and 4 group(s) are synchronised.
* Now in OpenLDAP server remove users "t1u2" and "t1u3" (and also remove them from group "alfresco-users").
* Running a differential sync (in Alfresco JS console) removes users t1u2 and t1u3, and also removes them from "GROUP_alfresco-users".
```javascript
var ctxt, synchronizer;
ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
synchronizer = ctxt.getBean('userRegistrySynchronizer', Packages.org.alfresco.repo.security.sync.UserRegistrySynchronizer);

synchronizer.synchronize(false, true);

• As expected users are removed from the group: alfresco_diff_sync_remove_users.log
• Now in OpenLDAP server restore user "t1u2" and put back into group "alfresco-users" and make another differential sync query in Alfresco (in JS console)
• In this case user "t1u2" in Alfresco is not synchronised at all, and not member of the group: alfresco_diff_sync_add_t2u2.log
• Running a full sync in Alfresco - again - results that group "alfresco-users" and users are synchronised, every user (t1u1, t1u2 and t1u3) is a member of group "GROUP_alfresco-users". alfresco_full_sync_2.log

  2 user(s) and 4 group(s) processed

Here is the same log for enterprise version, with the same output: alfresco_enterprise.log

Additional note: It seems that the phenomenon happens, if the user has to created by Alfresco due to the differential sync.

Expected behaviour: In case of differential sync users and group membership also synchronised.

[nbarithel]

Hello,

Was the modifyTimestamp attribute updated when you restored user t1u2? Maybe you need to manually update it on OpenLDAP side?

[lethal1986]

Hello Nicolas,

Thanks for the hint. You were right, in OpanLDAP the modifyTimestamp attribute does not changed for user "t1us2" in this case. Therefore the differential sync does not synch this user.