adobe-apiplatform / user-sync.py

Application for synchronizing Adobe customer directories via the User Management API
https://adobe-apiplatform.github.io/user-sync.py/en/user-manual/
MIT License

UST is failing to build a Group work list when adobe_groups are not provided in mapping section #832

Closed cbalanoiu closed 2 weeks ago

cbalanoiu commented 9 months ago

Description

UST is failing to build a Group-work-list after the LDAP read when no adobe_groups are configured in the mapping section in user-sync-config. This results in no new users created and no entitlement changes being applied.

Steps to reproduce

Expected behavior

This was discovered via an upgrade from 2.6.2 to 2.9.1. It was working in 2.6.2 with the same config, so it should continue to work with 2.9.1.

Workaround

Add "dummy" blank Admin Console groups with no actual entitlement. Adding the Admin Console groups to the mapping actually fixes the issue.

Environment

2023-11-20 06:00:22 4460 DEBUG ldap - Total users loaded: 25572
2023-11-20 06:00:22 4460 DEBUG processor - Total directory users after filtering: 25572
2023-11-20 06:00:22 4460 DEBUG processor - Group work list: {}

cbalanoiu commented 5 months ago

@adorton-adobe I have another customer that is stuck with the same issue. They have updated to OAuth and previously were running UST 2.7 with no groups which was working fine. Without a working 2.9.1 they cannot update to OAuth without using groups.

Is this going to be fixed or is this the new expected behaviour?

adorton-adobe commented 1 month ago

I can reproduce the behavior in 2.9.1. When I run the same config with v2 I get the expected behavior. Please have the customer try using v2.10.0rc3 and let me know if it works any better. I suspect one of the fixes made in that release has resolved this issue.

adorton-adobe commented 1 month ago

Did the customer try 2.10.0rc3? Did it resolve the problem?

edwardhuggett commented 1 month ago

Hello - I have the exact same issue and have tried 2.10.0rc3. However, when launched in test mode, the binary shows 2.10.0rc2 in the log. Is this a mistake or has the binary not actually been updated (running Windows executable)? In any event, the issue persists.

adorton-adobe commented 1 month ago

@edwardhuggett will you please post a copy of your main config here, or if you'd prefer, email it to adorton [at] adobe [dot] com?

edwardhuggett commented 1 month ago

I have emailed this to you. The fix mentioned in here does appear to work, but will put all users in an empty group according to the test sync.

adorton-adobe commented 3 weeks ago

@edwardhuggett I'm still unable to reproduce the issue. Have you made any customizations to your LDAP query filters?

edwardhuggett commented 3 weeks ago

Tried search page size at 1000 as well ...

username: "ldapxxxxx@xxxxxxx.xxxx.xxx.uk"
password: "xxxxx"
host: "ldaps://xxxxxx"
base_dn: "dc=xxxxxxx,dc=xxxxx,dc=xxx,dc=uk"
search_page_size: 0
require_tls_cert: False
all_users_filter: "(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
group_filter_format: "(&(objectCategory=group)(cn={group}))"
group_member_filter_format: "(memberOf:1.2.840.113556.1.4.1941:={group_dn})"
user_email_format: "{mail}"

adorton-adobe commented 3 weeks ago

Nothing too out of the ordinary with that config.

When you get an empty work list, what exact message do you see?

Does it look like this?

Group work list: {None: []}

Or this?

Group work list: {}

From: edwardhuggett
Date: Tuesday, August 13, 2024 at 1:12 AM
To: adobe-apiplatform/user-sync.py
Cc: Andrew Dorton, Mention
Subject: Re: [adobe-apiplatform/user-sync.py] UST is failing to build a Group work list when adobe_groups are not provided in mapping section (Issue #832)


cbalanoiu commented 3 weeks ago

What I've experienced was: Group work list: {}

adorton-adobe commented 3 weeks ago

I've found that in v2.9.1, if you have no target Adobe groups and no groups to exclude then you will get Group work list: {}. The dict can only be empty if there are no Adobe groups at all. If there's at least one excluded group then you'll get Group work list: {None: []} if there are no target groups in the mapping.

This all seems moot, since I still can't reproduce the behavior in the latest release. I'm testing in v2, which is current to v2.10.0rc4 and can only get an empty group work list when I check out v2.9.1. But when testing against the latest commit I can remove all target groups and excluded groups and everything works as expected (new users are still created, users are still updated as needed).
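Added example, not part of the thread and not the project's own code: a check over a UST debug log, in the line format quoted in this issue, that flags a run where directory users were loaded but the logged group work list is `{}`. The function names and the sample log are constructed, and the "stalled" rule is an assumption drawn from the symptom reported here.

```python
import re

# Constructed sample in the log line format quoted in this thread.
SAMPLE_LOG = """\
2023-11-20 06:00:22 4460 DEBUG ldap - Total users loaded: 25572
2023-11-20 06:00:22 4460 DEBUG processor - Total directory users after filtering: 25572
2023-11-20 06:00:22 4460 DEBUG processor - Group work list: {}
"""

# "<date> <time> <pid> <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<pid>\d+) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
USERS_RE = re.compile(r"^Total directory users after filtering: (\d+)$")
WORKLIST_RE = re.compile(r"^Group work list: (.*)$")


def classify_work_list(text):
    """Map the logged dict text to the states discussed in the thread."""
    compact = re.sub(r"\s+", "", text)
    if compact == "{}":
        return "empty"             # no target groups and no excluded groups
    if compact == "{None:[]}":
        return "no_target_groups"  # at least one excluded group, no targets
    return "populated"


def check_run(log_text):
    """Return one finding per 'Group work list' line, correlated by PID."""
    users_by_pid, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["logger"] != "processor":
            continue
        users = USERS_RE.match(m["msg"])
        work = WORKLIST_RE.match(m["msg"])
        if users:
            users_by_pid[m["pid"]] = int(users.group(1))
        elif work:
            state = classify_work_list(work.group(1))
            count = users_by_pid.get(m["pid"], 0)
            findings.append({
                "timestamp": m["ts"], "pid": m["pid"],
                "directory_users": count, "work_list": state,
                # Assumption: the symptom is "{}" with users loaded.
                "stalled": state == "empty" and count > 0,
            })
    return findings
```

Running `check_run` on the log of a test-mode sync after an upgrade shows whether the run would have skipped user creation and entitlement changes before it is scheduled for real.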

adorton-adobe commented 3 weeks ago

Please let me know if I can close this. Without more information, I'm unable to reproduce the issue. It still seems to me to be resolved in the latest pre-release.

edwardhuggett commented 3 weeks ago

Hello, the only other thing we pass to launch the sync are these command line options:

user-sync.exe --users mapped --process-groups

adorton-adobe commented 2 weeks ago

I'm closing this as it appears to be resolved in the latest release.

cbalanoiu commented 1 week ago

I've confirmed that it works in 2.10