Spike: LDAP group unique identifier and filter user errors

Description

Summary

There is a class of potential issues caused by user error related to unique identifiers and/or filters with LDAP group sync. Doing one of the following can cause issues:

1. Changing the configured value of `LdapSettings.GroupIdAttribute` in Mattermost
2. Changing the configured value of `LdapSettings.GroupFilter` in Mattermost
3. Changing the value of group(s) unique identifier on the LDAP side

Potential Issues

1. Groups are soft-deleted
2. For group-synced teams, team member records are soft-deleted
3. For group-synced teams, *all `ChannelMembers` records are hard-deleted* for that team (same as if you click "Leave Team" in the main menu)
4. For group-synced channels, *`ChannelMembers` records are hard-deleted* (same as if you click "Leave Channel" in the channel menu)

Issues 3 and 4 are particularly problematic because they cause a permanent loss of information: the remaining `ChannelMemberHistory` records do not contain enough information to restore the `ChannelMembers` records to their original state. `ChannelMemberHistory` records lack `NotifyProps` as well as any information about the roles the channel member was assigned.

Similar issues have always existed in LDAP—prior to groups—related to changing a `LdapSettings.IdAttribute` but `Users.DeleteAt` fields can more simply be reset to `0` without further implications.

Spike

The @enterpriseteam (@scott.bishel, @farhan.munshi, @martin.kraft, @michael.gamble, @rohitesh.gupta, @hossein.ahmadian, @dennis.kittrell, @catalin.tomai) will do a spike with the following goals:

1. Identify changes that can be made to allow a customer to make errors with their groups and not permanently lose data
2. Provide customers with a tool or queries or guidance to resolve the state of their team and channel membership in the event of the above user errors

Things to consider in the spike include:

  • Soft-deleting channel memberships (obviously this is a performance concern)

  • Not removing users from channels when they are removed from group-synced teams, and instead adjusting all channel member queries to filter based on `TeamMembers.DeleteAt`

  • Provide a CLI command to re-add `ChannelMembers` and/or `TeamMembers` of all group-synced teams and channels (would need to be paired with some sort of `DeleteSource` or `LeaveSource` or else users removed by non-group-synced means would also be restored).
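The first and third options above, sketched together as an added Go example (not Mattermost code and not part of the original ticket): memberships are soft-deleted with a recorded source, so a restore reactivates only rows removed by group sync and keeps their roles and `NotifyProps`. The `ChannelMember` and `Store` types, `SoftRemove`, `RestoreGroupSynced`, the `LeaveSource` values and the sample data are hypothetical and simplified.

```go
package main

import "fmt"

// Hypothetical LeaveSource values (the ticket only proposes the field).
const LeaveUser, LeaveGroupSync = "user", "group_sync"

// ChannelMember is a simplified stand-in for a ChannelMembers row.
type ChannelMember struct {
	ChannelID, UserID, Roles string
	NotifyProps              map[string]string
	DeleteAt                 int64  // 0 = active (soft-delete marker)
	LeaveSource              string // set only when DeleteAt != 0
}

type Store struct{ Members []*ChannelMember }

// SoftRemove marks the row deleted instead of dropping it, so Roles and NotifyProps survive.
func (s *Store) SoftRemove(channelID, userID, source string, now int64) bool {
	for _, m := range s.Members {
		if m.ChannelID == channelID && m.UserID == userID && m.DeleteAt == 0 {
			m.DeleteAt, m.LeaveSource = now, source
			return true
		}
	}
	return false
}

// RestoreGroupSynced reactivates rows removed by group sync at or after since; other removals stay.
func (s *Store) RestoreGroupSynced(since int64) (restored int) {
	for _, m := range s.Members {
		if m.DeleteAt != 0 && m.DeleteAt >= since && m.LeaveSource == LeaveGroupSync {
			m.DeleteAt, m.LeaveSource = 0, ""
			restored++
		}
	}
	return restored
}

func main() {
	s := &Store{Members: []*ChannelMember{ // constructed sample data
		{ChannelID: "c1", UserID: "alice", Roles: "channel_user channel_admin", NotifyProps: map[string]string{"desktop": "mention"}},
		{ChannelID: "c1", UserID: "bob", Roles: "channel_user"},
	}}
	s.SoftRemove("c1", "bob", LeaveUser, 100)        // bob leaves by choice
	s.SoftRemove("c1", "alice", LeaveGroupSync, 200) // removed after a bad GroupFilter change
	fmt.Println(s.RestoreGroupSynced(150), s.Members[0].Roles, s.Members[1].DeleteAt)
}
```

The `since` cutoff lets an operator limit the restore to the sync run that followed the misconfiguration.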

Issue created from a message in Mattermost.

QA Test Steps: None
Mana: None
Assignee: Unassigned
QA Assignee: None
Reporter: Martin Kraft
Epic Link: None
Fix versions: None
Mattermost Team: Enterprise
Sprint: None
Labels: None
QA Testing Areas: None
GitHub Issue: None
Components: None