Utilize objectGUID for Synchronization in LDAP Module to Prevent Duplication of LdapGroup and LdapUser Objects - Mendix Forum

The platform-supported LDAP module currently synchronizes LdapGroup and LdapUser objects based only on their names; it does not record the objectGUID on the Mendix side. It uses the distinguished name for groups and typically sAMAccountName for users in Active Directory.

If changes occur, such as renaming an Active Directory group or changing a user's username, the LDAP Module will not update the existing LDAP group or user object. Instead, it will create a new LDAP group or user object because it cannot find a match in the Active Directory for the existing objects.

For example, during the initial synchronization, if the AD group "Test" is imported into Mendix as an LdapGroup object with the distinguished name "Test," and later the AD group is renamed to "Test2," instead of the LdapGroup being updated to reflect the new name, a new LdapGroup object "Test2" is created. This results in duplication and inconsistency within the system.

Similarly, when an employee's name changes (for example after marriage) and their username changes with it, it is crucial for the synchronization process to reflect these changes accurately in Mendix.

To address this issue, we propose enhancing the module's synchronization mechanism to incorporate the objectGUID attribute from Active Directory. By leveraging objectGUID, the LDAP Module can accurately identify and update LdapGroup and LdapUser objects, ensuring that changes in AD are properly reflected in Mendix.
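The following is an added illustration of the matching logic the proposal describes; it is not code from the Mendix LDAP module or from this post. It contrasts the current name-keyed matching (which leaves a stale record behind and creates a duplicate after a rename) with matching on objectGUID first, falling back to the name only to backfill records that were synced before the GUID was stored. The `LocalUser` and `AdEntry` classes and all sample data are constructed for the example; the one AD-specific detail relied on is that Active Directory returns objectGUID as 16 raw bytes in Microsoft's mixed-endian layout, which `uuid.UUID(bytes_le=...)` decodes.

```python
import copy
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    """Hypothetical shape of what Mendix keeps for an LdapUser."""
    dn: str
    sam_account_name: str
    object_guid: Optional[str] = None   # canonical string form; None for legacy rows


@dataclass
class AdEntry:
    """One entry as returned by an LDAP search against Active Directory (constructed)."""
    object_guid: bytes                  # AD returns objectGUID as 16 raw bytes
    dn: str
    sam_account_name: str


def guid_to_str(raw: bytes) -> str:
    """Decode a raw objectGUID into its canonical string form for stable storage."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def sync_by_name(local: list[LocalUser], ad: list[AdEntry]) -> dict:
    """Current behaviour: match on sAMAccountName only, so a rename creates a duplicate."""
    local = copy.deepcopy(local)
    index = {u.sam_account_name.lower(): u for u in local}
    created = updated = 0
    for e in ad:
        u = index.get(e.sam_account_name.lower())
        if u is None:
            local.append(LocalUser(e.dn, e.sam_account_name, None))
            created += 1
        else:
            u.dn = e.dn
            updated += 1
    return {"users": local, "created": created, "updated": updated}


def sync_by_guid(local: list[LocalUser], ad: list[AdEntry]) -> dict:
    """Proposed behaviour: match on objectGUID first; use the name only to backfill legacy rows."""
    local = copy.deepcopy(local)
    by_guid = {u.object_guid: u for u in local if u.object_guid}
    legacy_by_name = {u.sam_account_name.lower(): u for u in local if not u.object_guid}
    created = updated = 0
    for e in ad:
        guid = guid_to_str(e.object_guid)
        u = by_guid.get(guid)
        if u is None:
            # Row synced before the GUID was recorded: adopt it once, then key it by GUID.
            u = legacy_by_name.pop(e.sam_account_name.lower(), None)
            if u is not None:
                u.object_guid = guid
                by_guid[guid] = u
        if u is None:
            local.append(LocalUser(e.dn, e.sam_account_name, guid))
            created += 1
        else:
            # Same AD object: update the mutable attributes instead of creating a copy.
            u.dn, u.sam_account_name = e.dn, e.sam_account_name
            updated += 1
    return {"users": local, "created": created, "updated": updated}


# Constructed sample: Jane was synced with her GUID and has since been renamed in AD;
# Bob was synced by an older module version and has no GUID stored yet.
JANE_GUID = uuid.UUID("7d2e6c1a-3f4b-4c8d-9e0f-1a2b3c4d5e6f")
BOB_GUID = uuid.UUID("0b1c2d3e-4f50-4617-8293-a4b5c6d7e8f9")

LOCAL_USERS = [
    LocalUser("CN=Jane Smith,OU=Users,DC=example,DC=com", "jsmith", str(JANE_GUID)),
    LocalUser("CN=Bob Jones,OU=Users,DC=example,DC=com", "bjones", None),
]
AD_ENTRIES = [
    AdEntry(JANE_GUID.bytes_le, "CN=Jane Doe,OU=Users,DC=example,DC=com", "jdoe"),
    AdEntry(BOB_GUID.bytes_le, "CN=Bob Jones,OU=Users,DC=example,DC=com", "bjones"),
]


def run_demo() -> tuple[dict, dict]:
    """Run both strategies over the sample data and return their results."""
    return sync_by_name(LOCAL_USERS, AD_ENTRIES), sync_by_guid(LOCAL_USERS, AD_ENTRIES)


if __name__ == "__main__":
    by_name, by_guid = run_demo()
    print("by name:", by_name["created"], "created,", len(by_name["users"]), "rows")
    print("by guid:", by_guid["created"], "created,", len(by_guid["users"]), "rows")
```

Run on the sample data, name-keyed matching leaves the stale `jsmith` row in place and creates a second row for the same person, which is exactly the duplication described above; GUID-keyed matching updates Jane's existing row and backfills Bob's GUID so that a later rename of either account still resolves to one record. Storing the GUID in its canonical string form matters because the raw bytes compare differently from the textual form some tools display.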

Implementing this enhancement would greatly improve the reliability and consistency of our application, particularly in dynamic environments where changes occur frequently.
