[
https://issues.apache.org/jira/browse/OAK-12079?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18054860#comment-18054860
]
Angela Schreiber commented on OAK-12079:
----------------------------------------
[~nscendoni] thanks for the report. to your finding:
[https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.java#L312-L320]
{code:java}
/**
 * Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively
 * disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect
 * when syncing individual groups only when syncing a users membership ancestry.
 * @return the group nesting depth
 */
public long getMembershipNestingDepth() {
    return membershipNestingDepth;
}
{code}
this is not respected in the DynamicSyncConfig.
while adding the extra check is straightforward, it results (not so
surprising) in plenty of test failures and we need to take a look if by fixing
one bug we introduce other issues.
> user.membershipNestingDepth=0 not respected for dynamic membership during
> external user sync
> --------------------------------------------------------------------------------------------
>
> Key: OAK-12079
> URL: https://issues.apache.org/jira/browse/OAK-12079
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-external
> Reporter: Nicola Scendoni
> Priority: Major
>
> When setting user.membershipNestingDepth to 0, external group memberships are
> removed when the user is synced.
> h3. *Expected Result*
> * With user.membershipNestingDepth=0, no external group memberships should
> be resolved or modified.
> * Existing external group memberships should remain untouched.
> * Effectively, group synchronization should be disabled.
> h3. *Actual Result*
> * During user synchronization, external group memberships are removed from
> the user.
> * Dynamic membership processing still affects the user despite
> user.membershipNestingDepth being set to 0.
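A simplified model of the nesting-depth semantics from the Javadoc quoted in the comment, and of the depth-0 guard the issue expects, added here as an example. It is not Oak code: the class, the method names and the group graph are constructed for illustration, and the unguarded variant only models the reported symptom.

```java
import java.util.*;

// Simplified model, not Oak code: all names and the group graph are constructed.
public class NestingDepthSyncExample {

    // Constructed external directory: principal -> groups it is declared in.
    static final Map<String, List<String>> DECLARED = Map.of(
            "alice", List.of("editors"),
            "editors", List.of("staff"),
            "staff", List.of("everyone-ext"));

    // Level-by-level lookup: depth 0 -> no groups, depth 1 -> direct groups only.
    static Set<String> resolve(String principal, long depth) {
        Set<String> seen = new TreeSet<>();
        List<String> frontier = List.of(principal);
        for (long level = 0; level < depth && !frontier.isEmpty(); level++) {
            List<String> next = new ArrayList<>();
            for (String p : frontier) {
                for (String g : DECLARED.getOrDefault(p, List.of())) {
                    if (seen.add(g)) {   // skip groups already visited (cycles)
                        next.add(g);
                    }
                }
            }
            frontier = next;
        }
        return seen;
    }

    // Models the reported symptom: the resolved set always replaces the stored
    // memberships, so depth 0 (empty result) removes them.
    static Set<String> syncUnguarded(Set<String> stored, String user, long depth) {
        return resolve(user, depth);
    }

    // Expected result per the issue: depth 0 disables membership sync and
    // leaves the stored memberships untouched.
    static Set<String> syncGuarded(Set<String> stored, String user, long depth) {
        return depth <= 0 ? stored : resolve(user, depth);
    }

    public static void main(String[] args) {
        Set<String> stored = new TreeSet<>(Set.of("editors", "staff"));
        System.out.println("depth 1: " + resolve("alice", 1));
        System.out.println("depth 2: " + resolve("alice", 2));
        System.out.println("unguarded, depth 0: " + syncUnguarded(stored, "alice", 0));
        System.out.println("guarded, depth 0: " + syncGuarded(stored, "alice", 0));
    }
}
```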