Description Julia Bremer 2020-10-07 12:23:21 CEST

+++ This bug was initially created as a clone of Bug #51904 +++

At Bug #51904 we found out that changing ONLY the password attribute in AD does not trigger a synchronization.

This has been introduced with Bug #51518, where the UCR Variable connector/ad/mapping/attributes/irrelevant has been created.
This Variable is used to ignore changes to certain attributes to reduce load created by the ad connector. These attributes change almost every time anything is changed in AD and it makes sense to ignore these.

But the password attributes are not attributes we can see in the LDAP and changes to the password are only checked as a post_con_modify_function, which happens after the "normal" sync.

With a normal password change, the synchronization still works, since 'pwdLastSet' usually changes with the password. This attribute is not on the 'irrelevant' list, the sync is triggered, the password change is detected and the password is synced. 

There is one case though where a password change is undetected. 
That is, when the flag 'pwdChangeNextLogin' is set on the user object and the password is resetted while keeping the 'pwdChangeNextLogin' flag.
PwdLastSet is set to '0' in this case, to indicate that the password should be changed at next login. The password is resetted, but pwdLastSet is kept at value '0'.
Now the only detected changed attributes are 'uSNChanged', 'whenChanged', which are on the 'irrelevant' list. 

Even though this problem exists, we decided to leave the default behavior for now, since most environment will profit more from the reduced load and not run into this issue.

There might be other corner cases in which a synchronization is skipped because of this problem, but we haven't found any yet. 



The current workaround is unsetting the UCR var connector/ad/mapping/attributes/irrelevant.