User group permissions not updating after LDAP sync in configuration management module

We’re experiencing a persistent issue with user group permissions in Agile 9.3.4 after running our scheduled LDAP synchronization. The sync completes successfully according to the logs, and new users appear in the system, but their group memberships and associated permissions aren’t updating correctly.

The LDAP group mapping appears correct in our configuration, and we’ve verified the Active Directory schema matches our setup documentation. Users who should have Engineering access remain in the default User group, requiring manual intervention. We’ve tried forcing a full sync instead of incremental, but the problem persists.

Has anyone encountered similar behavior where LDAP sync completes but permissions lag behind? We’re particularly concerned about the Agile Application Server cache potentially holding stale permission data. Should we be performing an application server restart after each sync cycle?

I’ve seen this exact behavior in 9.3.4. Check your LDAP Sync Manager settings under Admin > Server Settings. There’s a specific parameter ‘syncGroupMembership’ that needs to be set to true. Also verify that your LDAP filter is correctly targeting the group membership attributes in AD.

The permission cache issue is real. We implemented a scheduled restart of the Application Server service every night after our 2 AM LDAP sync. Not ideal, but it solved the problem. The alternative is manually clearing the cache through the Admin console, but that’s error-prone. Also double-check that your LDAP server timeout settings aren’t cutting off the group membership queries before they complete.

The DN format issue Tom mentioned is common, but there’s another aspect. Verify your group mapping in the LDAP configuration includes the ‘memberOf’ attribute correctly. In some AD configurations, nested groups require recursive queries that Agile’s default sync doesn’t handle well.
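The nested-group case described above, as an added example that is not part of this thread or of Agile's own sync code: a small Python model of an Active Directory memberOf snapshot (constructed data, hypothetical DNs) that shows which users a sync reading only direct memberOf values would leave out of a mapped group, and which a recursive query would catch.

```python
from typing import Dict, List, Set

# Constructed directory snapshot: entry DN -> its 'memberOf' values.
# Hypothetical names; no real environment is modelled.
DIRECTORY: Dict[str, List[str]] = {
    "CN=alice,OU=Users,DC=example,DC=local": [
        "CN=Engineering-Team-A,OU=Groups,DC=example,DC=local",
    ],
    "CN=bob,OU=Users,DC=example,DC=local": [
        "CN=Engineering,OU=Groups,DC=example,DC=local",
    ],
    # Team-A is nested inside Engineering.
    "CN=Engineering-Team-A,OU=Groups,DC=example,DC=local": [
        "CN=Engineering,OU=Groups,DC=example,DC=local",
    ],
    "CN=Engineering,OU=Groups,DC=example,DC=local": [],
}


def direct_groups(dn: str) -> Set[str]:
    """Groups listed directly on the entry: what a flat, non-recursive sync sees."""
    return set(DIRECTORY.get(dn, []))


def effective_groups(dn: str) -> Set[str]:
    """Transitive closure over memberOf, i.e. what AD returns for a query using
    the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941).
    The 'seen' set guards against circular nesting."""
    seen: Set[str] = set()
    stack = list(direct_groups(dn))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(DIRECTORY.get(group, []))
    return seen


def users_missing_mapped_group(mapped_group: str) -> Set[str]:
    """Users who are effectively in mapped_group only through nesting.
    These are the accounts a non-recursive sync leaves in the default group."""
    return {
        dn for dn in DIRECTORY
        if "OU=Users" in dn
        and mapped_group in effective_groups(dn)
        and mapped_group not in direct_groups(dn)
    }
```

Running the same comparison against a real directory export (direct memberOf versus a matching-rule-in-chain query) before the sync gives a concrete list of accounts to check in Agile afterwards instead of relying on the sync log alone.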

Thanks for the responses. I verified syncGroupMembership is set to true, and our LDAP filters look correct. The sync logs show successful group queries. I’m leaning toward the cache issue Raj mentioned. Is there a way to programmatically clear the permission cache without a full server restart? Our production environment makes nightly restarts challenging.