LDAP sync users removes association between user and userrole

1
Very occasionally the LDAP sync users program seems to error. It results in the association (userroles) between the user and userrole entities being removed. As such, users cannot access the application anymore (they can log in but they do not have any authorizations). The log does not provide a clear error. Does anyone have some advice on how to prevent this from occurring? Is this an issue with the LDAP module or with the Active Directory? Wouldn't it be better if the LDAP module only removes the association if the full sync was successful?
asked
3 answers
1

Some more info: There is no error in the application log. Also the steps in the log seem comparable to previous ldap syncs (except for 1 more time : Ldap: Trying to authenticate MendixLDAP with LDAP). So it might be that the Mendix LDAP is working without errors. However, since 1 of the first steps in the process of Mendix LDAP is: INFO - Ldap: Removing existing LDAP data.

In cases where there is an issue with connection or communication with the LDAP server no rollback is done and the userroles cannot be restored anymore. As such all users lose their authorizations (and cannot work).

We resolved the issue by using mxadmin login and rerunning the ldap sync 1 or 2 times. During that time users could not use the application anymore.

How to prevent this from happening? Would it be possible to include a rollback-like functionality?

answered
1

I seem to have the same problem with the LDAP. After a failed attempt the user roles are gone. Should I file a bug report?

There should be an option that the LDAP does not touch the Mendix user roles.

answered
0

Did you already solve this problem? We do see the same behavior with the association between User roles and LDAP groups.

answered
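
Added example, not part of the thread and not Mendix LDAP module code: a sketch of the failure mode described above (existing data removed first, then the import fails) next to a staged sync that only replaces role associations after the full directory read succeeded. The in-memory store, the function names and the simulated connection failure are all assumptions made for illustration.

```python
# Constructed example: store, names and failure are hypothetical, not module code.
class DirectoryError(Exception):
    """Raised when the directory cannot be reached or a read is interrupted."""

def flaky_directory(entries, fail_after=None):
    """Return a fetch() that yields (user, roles) and can fail part-way through."""
    def fetch():
        for i, (user, roles) in enumerate(entries):
            if fail_after is not None and i >= fail_after:
                raise DirectoryError("connection lost during search")
            yield user, set(roles)
    return fetch

def sync_delete_first(store, fetch):
    """Order described in the thread: remove existing data, then import."""
    store.clear()                    # authorizations are gone from here on
    for user, roles in fetch():      # a failure here leaves the store incomplete
        store[user] = roles

def sync_staged(store, fetch, min_users=1):
    """Read everything into a staging copy; touch the live store only on success."""
    staged = {}
    try:
        for user, roles in fetch():
            staged[user] = roles
    except DirectoryError:
        return False                 # live store untouched, nothing to roll back
    if len(staged) < min_users:      # an empty "successful" read is also suspect
        return False
    # In a database-backed application these two steps belong in one transaction.
    store.clear()
    store.update(staged)
    return True
```

With the staged variant a failed run returns False and can be alerted on and retried while users keep their existing roles.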