Crowd can fetch group members attributes from different nodes

XMLWordPrintable

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • None
    • Affects Version/s: 4.2.3
    • Component/s: Directory - LDAP
    • None
    • 4
    • Severity 3 - Minor
    • 3

      Issue Summary

      When AD returns range attribute for group members, Crowd will fetch further ranges without transaction. This can result in using different connections for different ranges. When Crowd is connected to load balancer it is possible that Crowd will receive subsequent pages from different nodes. AD nodes can use different sorting on attributes, and this can lead to inconsistency in groups.

       

      Potential solution would be to use transactions for fetching subsequent pages with attributes. Thanks to that the same connection will be reused for each of requests.

      Steps to Reproduce

      1. Create AD cluster
      2. Use round robin load balancer
      3. Have a group with >1500 members
      4. Run synchronisation

      Expected Results

      Crowd correctly synchronises memberships.

      Actual Results

      Crowd can miss some of AD memberships.

      Workaround

      Workaround is to implement stickiness on load balancer so that Crowd will always hit the same AD node if it's present.

              Assignee:
              Unassigned
              Reporter:
              Jakub Podeszwik (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: