
LDAP Workgroup roles are changed by default #58

Open

LucNig opened this issue Mar 5, 2019 · 6 comments

Comments

LucNig commented Mar 5, 2019

We use LDAP groups for the creation of workgroups, with MS AD as the LDAP server, and this works fine.

I see the following behavior: users' rights are overwritten by the default role, reader. This is also the case if I set the role by hand in the admin interface. I think this is per design? (Despite not having the option to sync admin rights, as stated in the user manual.)

Two questions:
Can I change this behavior? So, can I change a parameter to set custom role settings which persist despite the roles set by the sync?

Other thing: how should I configure my groups and/or users to set the role from MS AD LDAP? There's a preview for OpenLDAP in the manual, but I do not understand how to fix this in AD. I tried to nest a contributors group into my workgroup, but to no avail.

I use Debian 9 with the latest LinShare version, 2.2.3.

fmartin-linagora (Contributor) commented
Hello,
I do not understand what you mean by this sentence: "Think this is per design?"
The default role for LDAP synchronisation is READER and is not configurable.
You can find some documentation about how it works there.

Basically, you can have an LDAP group named foo, which will have one nested LDAP group named writor, which will contain all your members, e.g.:

dn: cn=foo
dn: cn=writor,cn=foo

If I don't answer your questions, I may not understand you. Please rephrase.

LucNig (Author) commented Mar 7, 2019

The sync overwrites my role settings set in the admin interface on an LDAP group. With "Think this is per design" I mean: this behavior is "as designed".

I tried to nest a contributor group, but in the admin interface I can't see the users nor the contributor group/role.

fmartin-linagora (Contributor) commented

"The sync overwrites my role settings set in the admin interface on a LDAP group. With "Think this is per design" i mean; This behavior is "as designed"" Yes, it is, because the main point of being synchronised with LDAP is to avoid managing membership in the product.
By default, users are simple readers, and if you add them to the nested contributor group, they will be updated to contributor. A few months ago we were facing a bug: when a user was in both the default (reader) group and the contributor group, it was not updated.
Maybe it is the issue you're facing, isn't it?
Can you upload an LDIF file of your groups?

LucNig (Author) commented Mar 7, 2019

Hi Fmartin,

So I just added a test user in the main group, as reader, and nested the contributor group in the main group with myself as contributor. In the program I can see the test user as reader, but I do not see the contributor group or myself as contributor.

See attached:
output_Test_group.txt
output_contributors.txt

fmartin-linagora (Contributor) commented

Hi,
The synchronisation process is running every 4 hours; you can change it if you want using this key:
job.ldapgroups.cron.expression=0 0 0/4 * * ?
Did you have a look at Tomcat's logs?

Maybe the issue is the case, cn=Contributors => cn=contributors.
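The two maintainer comments above describe the role rule (direct members of the workgroup are READER, members of the nested contributor group become CONTRIBUTOR, and a user in both should end up as CONTRIBUTOR) and raise the possibility of a case mismatch in the group's cn. The script below is an added illustration of that rule written for this thread; it is not LinShare's synchronisation code. The LDIF, the DNs and the use of the AD-style `member` / `objectClass: group` attributes are constructed assumptions, and DN comparison is made case-insensitive so that `CN=Contributors` and `cn=contributors` resolve to the same group.

```python
from typing import Dict, List, Optional

# Constructed sample LDIF (not from the issue): workgroup "foo" with two direct
# members and a nested "Contributors" group. "bob" is deliberately in both, which
# is the edge case the maintainer mentions. DNs and attribute names are assumptions
# modelled on Active Directory, not LinShare's own data.
SAMPLE_LDIF = """\
dn: cn=foo,ou=Groups,dc=example,dc=com
objectClass: group
member: cn=alice,ou=Users,dc=example,dc=com
member: cn=bob,ou=Users,dc=example,dc=com
member: cn=Contributors,cn=foo,ou=Groups,dc=example,dc=com

dn: cn=Contributors,cn=foo,ou=Groups,dc=example,dc=com
objectClass: group
member: cn=bob,ou=Users,dc=example,dc=com
member: cn=carol,ou=Users,dc=example,dc=com
"""


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around each RDN so that
    'CN=Contributors' and 'cn=contributors' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: one attribute dict per entry, keyed by normalized DN.
    Only the plain 'attr: value' form is handled (no base64, no continuation lines)."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[Dict[str, List[str]]] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None  # a blank line terminates the current entry
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {}
            entries[normalize_dn(value)] = current
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def is_group(entry: Dict[str, List[str]]) -> bool:
    """True when the entry carries the (assumed AD-style) 'group' object class."""
    return any(oc.lower() == "group" for oc in entry.get("objectclass", []))


def resolve_roles(entries: Dict[str, Dict[str, List[str]]],
                  workgroup_dn: str,
                  nested_cn: str = "contributors") -> Dict[str, str]:
    """Apply the rule from the thread: direct members of the workgroup are READER;
    members of the nested contributor group are CONTRIBUTOR, and CONTRIBUTOR wins
    when a user appears in both. Nested group entries never get a role themselves."""
    wg = normalize_dn(workgroup_dn)
    nested = normalize_dn(f"cn={nested_cn},{workgroup_dn}")
    roles: Dict[str, str] = {}
    for member in entries.get(wg, {}).get("member", []):
        dn = normalize_dn(member)
        if dn in entries and is_group(entries[dn]):
            continue  # a nested group is not a person
        roles[dn] = "READER"
    for member in entries.get(nested, {}).get("member", []):
        roles[normalize_dn(member)] = "CONTRIBUTOR"  # overrides READER for users in both
    return roles


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    # The nested cn is given with a capital letter on purpose to show that the
    # case difference from the comment above does not matter after normalization.
    for dn, role in resolve_roles(directory, "cn=foo,ou=Groups,dc=example,dc=com",
                                  nested_cn="Contributors").items():
        print(f"{role:<12} {dn}")
```

Running it lists alice as READER and bob and carol as CONTRIBUTOR; the nested group's own DN gets no role. If a real sync produced READER for bob, that would be the "user in both groups" bug the maintainer describes, and if the nested group was not found at all, a cn case mismatch in a case-sensitive comparison is the first thing to check.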

LucNig (Author) commented Mar 14, 2019

Yes, I know about the cron job; somehow the shortest time I can set is 1 hour. When I set it to 10 min it won't run at all. Anyway, not a first-world issue.

My Tomcat log gave me a hint, although it was a strange one: it was complaining about a missing email address on the group. I fixed that, but now it starts complaining about the given name:

[ERROR]:org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-4:20190311.070000:org.linagora.linshare.ldap.JScriptGroupMemberLdapQuery:dnToObject:Cannot convert dn : 'CN=Contributors,OU=External,OU=Groups_Linshare,OU=Nettest,DC=nettest,DC=com
[ERROR]:org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-4:20190311.070000:org.linagora.linshare.ldap.JScriptGroupMemberLdapQuery:dnToObject:The field 'member_firstname' (ldap attribute : 'givenName') must existin your ldap directory, it is required by the system.

So I think it sees the group as a normal user instead of a group.

I tried a group without capital letters, but got the same result.

Any suggestions to get this forward?
