
Author Topic: LDAP users can't be edited for many minutes after being added  (Read 3676 times)

ooboyle

« on: September 23, 2016, 07:45:02 pm »
I've noticed a delay in being able to edit a new user added from LDAP. The user account gets created locally as expected but when I go into the account to assign it a group membership or directly assign it privileges, my changes are not saved and revert to being empty. It takes over 5 minutes for this to clear and I'm still unsure if it clears on its own or because I clicked 100 different buttons while I was waiting.

Is this a known issue?

Oliver

franco

« Reply #1 on: September 24, 2016, 01:45:26 pm »
Hi Oliver,

I don't recall this being ever reported. Can you check the config history (System: Configuration: History) and see if the changes get applied? You can review each change in a diff between the old and new versions or confirm it does not write new versions until the 5 minutes are over.


Thanks,
Franco
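
One way to run the history check suggested above over several saved revisions at once, as an added example that is not part of the original thread or of OPNsense itself: it reads the revision block of each snapshot and reports which page wrote it and whether the uid is in any group yet. The snapshots are constructed inline; on a real box they would be read from /conf/backup/config-*.xml and /conf/config.xml, and the nesting around the elements is an assumption.

```python
import xml.etree.ElementTree as ET

IMPORT_PAGE = "/system_usermanager_import_ldap.php"
USER_PAGE = "/system_usermanager.php"

# Constructed, trimmed snapshot. Element names follow the config diffs in this
# thread; the <opnsense>/<system> nesting around them is an assumption.
TEMPLATE = """<opnsense><system>
  <group><gid>1999</gid>{members}<priv>page-all</priv></group>
  <user><uid>2007</uid></user>
</system><revision>
  <username>admin@192.168.1.164</username><time>{time}</time>
  <description>{page} made changes</description>
</revision></opnsense>"""

def make_snapshot(time, page, member_uids):
    """Build one constructed config revision for the demo."""
    members = "".join(f"<member>{u}</member>" for u in member_uids)
    return TEMPLATE.format(time=time, page=page, members=members)

SAMPLES = [  # deliberately out of order; audit() sorts by revision time
    make_snapshot("1474914423.9228", USER_PAGE, ["0", "2000", "2007"]),
    make_snapshot("1474914235.217", IMPORT_PAGE, ["0", "2000"]),
    make_snapshot("1474914355.2077", IMPORT_PAGE, ["0", "2000"]),
    make_snapshot("1474914284.0206", IMPORT_PAGE, ["0", "2000"]),
]

def snapshot_info(xml_text, uid):
    """Return (revision time, writing page, gids that list uid as a member)."""
    root = ET.fromstring(xml_text)
    rev = next(root.iter("revision"))
    gids = [g.findtext("gid") for g in root.iter("group")
            if uid in [m.text for m in g.findall("member")]]
    page = rev.findtext("description").split(" made changes")[0]
    return float(rev.findtext("time")), page, gids

def audit(snapshots, uid):
    """Find the first revision where uid is in a group, plus earlier writers."""
    rows = sorted(snapshot_info(s, uid) for s in snapshots)
    hit = next((r for r in rows if r[2]), None)
    earlier = [page for t, page, _ in rows if hit is None or t < hit[0]]
    return hit, earlier

if __name__ == "__main__":
    hit, earlier = audit(SAMPLES, "2007")
    print("first revision with membership:", hit)
    print("pages that wrote earlier revisions:", earlier)
```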

ooboyle

« Reply #2 on: September 26, 2016, 08:37:21 pm »
Ok, here's the timeline. In this case, it took about 3 minutes, and 3 attempts during that period, for the LDAP account to show its membership in the group I added it to.


Added the LDAP user:

--- /conf/backup/config-1474914232.0974.xml   2016-09-26 14:23:52.098111000 -0400
+++ /conf/config.xml   2016-09-26 14:23:55.225032000 -0400
@@ -845,7 +845,7 @@
   </widgets>
   <revision>
     <username>admin@192.168.1.164</username>
-    <time>1474914231.4041</time>
+    <time>1474914235.217</time>
     <description>/system_usermanager_import_ldap.php made changes</description>
   </revision>
   <cert>
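
Review bot: The hunk header (-845,7 +845,7) keeps the same offset on both sides and only the time line changes, so there is no net line change above line 845 and the new user block does not appear to be added in this revision. The unchanged description line shows the previous revision (time 1474914231.4041) was also written by /system_usermanager_import_ldap.php; diffing that revision against its predecessor should show where the user entry was actually created.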

1st attempt at adding it to a group:

--- /conf/backup/config-1474914281.1166.xml   2016-09-26 14:24:41.117074000 -0400
+++ /conf/config.xml   2016-09-26 14:24:44.028389000 -0400
@@ -845,7 +845,7 @@
   </widgets>
   <revision>
     <username>admin@192.168.1.164</username>
-    <time>1474914280.5169</time>
+    <time>1474914284.0206</time>
     <description>/system_usermanager_import_ldap.php made changes</description>
   </revision>
   <cert>
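
Review bot: The description context line still names /system_usermanager_import_ldap.php and the only changed line is the time, so this revision does not contain the group edit at all; no member line is written. The old-side time (1474914280.5169) is also not the new-side time of the previous diff (1474914235.217), so at least one more import-page revision sits in between and is not shown. Posting that one would help establish what keeps triggering writes from the import page.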

2nd attempt at adding it to a group:

--- /conf/backup/config-1474914352.377.xml   2016-09-26 14:25:52.377883000 -0400
+++ /conf/config.xml   2016-09-26 14:25:55.215759000 -0400
@@ -845,7 +845,7 @@
   </widgets>
   <revision>
     <username>admin@192.168.1.164</username>
-    <time>1474914351.7208</time>
+    <time>1474914355.2077</time>
     <description>/system_usermanager_import_ldap.php made changes</description>
   </revision>
   <cert>

3rd attempt at adding it to a group:

--- /conf/backup/config-1474914423.9222.xml   2016-09-26 14:27:03.922753000 -0400
+++ /conf/config.xml   2016-09-26 14:27:03.930653000 -0400
@@ -195,6 +195,7 @@
       <gid>1999</gid>
       <member>0</member>
       <member>2000</member>
+      <member>2007</member>
       <priv>page-all</priv>
       <priv>user-shell-access</priv>
     </group>
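
Review bot: The member line adds uid 2007 to gid 1999, whose context lines carry the page-all and user-shell-access privileges, so the imported LDAP account receives full GUI and shell access in one step. If the test only needs to show that membership is saved, a group with narrower privileges would confirm the same thing.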
@@ -225,6 +226,10 @@
       <descr>Oliver O'Boyle</descr>
       <password>$6$$uvbAZquGaG4XqHeTo2ZZO5SJRYs1RutnSksO458ZD5mGaKZyaKYLOVPJNGe7LKrjagR9EdwExN./YlOQxNse71</password>
       <uid>2007</uid>
+      <expires/>
+      <authorizedkeys/>
+      <ipsecpsk/>
+      <otp_seed/>
     </user>
     <nextuid>2008</nextuid>
     <nextgid>2001</nextgid>
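
Review bot: The password context line at the top of this hunk publishes the account's crypt hash in full, and its $6$$ prefix shows a SHA-512 crypt string with an empty salt field. Redact that line before posting config diffs and change the password for uid 2007. The four added empty elements (expires, authorizedkeys, ipsecpsk, otp_seed) are the part of this hunk that matters for the bug.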
@@ -845,8 +850,8 @@
   </widgets>
   <revision>
     <username>admin@192.168.1.164</username>
-    <time>1474914384.6145</time>
-    <description>/system_usermanager_import_ldap.php made changes</description>
+    <time>1474914423.9228</time>
+    <description>/system_usermanager.php made changes</description>
   </revision>
   <cert>
     <refid>56fe90d2e373c</refid>
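
Review bot: This is the first revision whose description names /system_usermanager.php, and it is the only one in the thread that carries the member change. The removed time line (1474914384.6145) belongs to another import-page revision that is not shown, written about 39 seconds earlier. A list of every revision between 1474914235 and 1474914423 with its description would show whether each failed attempt produced an import-page revision in place of a user-manager one.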

franco

« Reply #3 on: January 26, 2017, 11:43:24 pm »
We've recently had a few LDAP users who also imported users but didn't run into this: could edit users right away. Not sure how this could be setup specific, though.

In those cases they wanted to edit user passwords in the local copies, which required a small patch we are going to add to 17.1.1.

Kind of off-topic, but maybe we can pick this back up now.


Cheers,
Franco
