Incremental sync for services
In most cases we use LDAP (or the getusers/getgroups API endpoints) to keep local user accounts in a service updated and to create new accounts for newly created uffd users. Neither (standard) LDAP nor the getusers/getgroups API endpoints offer a way to get only recent changes. So this is realised by regularly (once every 15 minutes, in some cases once per day) performing full syncs of all users.
This has a few problems:
- Unnecessary performance impact on both the service and uffd: The current syncs with ~550 users usually run several minutes with significant load, limiting the frequency at which we can run the syncs.
- Latency: Even running a sync every 15 minutes can be annoying for newly registered users or if someone is granted a role to get urgently needed access to something. Running syncs at a lower frequency is a pretty bad user experience.
- Since the service syncs by performing queries, uffd has no idea of the state the service is in. There are also no metrics available to detect whether some number of users is not synced correctly.
My proposal is a new incremental sync API for services, i.e. a new API endpoint that services can call to get a list of changed users and a mechanism to confirm when the service has updated the corresponding local accounts. Since the built-in LDAP support of most services is already insufficient (or horribly broken) and we already use custom sync scripts, we can rewrite those scripts to use the new sync API.
Such an API could also allow deletion of user accounts in services, which is necessary for deletion of uffd user accounts.
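To make the proposal concrete, here is an added sketch of how such a change journal with per-service acknowledgement could work. It is example code written for this issue, not part of uffd or of any existing sync script, and the endpoint names (`/changes`, `/ack`), the `Change` record layout and the `wiki` service name are assumptions. It demonstrates the three properties the proposal needs: only changes since the last confirmed cursor are returned, a service that crashes before confirming simply gets the same batch again (so upserts must be idempotent), and the number of unconfirmed changes per service is a metric uffd can expose. Deletions travel as explicit entries rather than being inferred from absence.

```python
"""Hypothetical incremental sync journal with acknowledgement (example, not uffd's API).

Server side: every user change is appended to a journal with a monotonically
increasing sequence number. Each consuming service keeps a cursor, the highest
sequence number it has confirmed. The "GET /changes" model returns entries after
that cursor; "POST /ack" advances it. Because the cursor only moves on ack, a
service that crashes mid-sync receives the same entries again (at-least-once).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Change:
    seq: int                          # journal position, strictly increasing
    user_id: int                      # stable uffd user id (survives loginname changes)
    action: str                       # "upsert" or "delete"
    loginname: Optional[str] = None   # only meaningful for "upsert"
    roles: Tuple[str, ...] = ()       # only meaningful for "upsert"


class ChangeJournal:
    """What uffd would hold server-side (assumed design)."""

    def __init__(self) -> None:
        self._entries: List[Change] = []
        self._cursors: Dict[str, int] = {}  # service name -> last acked seq

    def record(self, user_id: int, action: str, loginname: Optional[str] = None,
               roles=()) -> Change:
        if action not in ("upsert", "delete"):
            raise ValueError("unknown action: %r" % action)
        change = Change(len(self._entries) + 1, user_id, action, loginname, tuple(roles))
        self._entries.append(change)
        return change

    def changes_for(self, service: str, limit: int = 100) -> List[Change]:
        """Model of GET /changes: entries newer than the service's acked cursor."""
        cursor = self._cursors.get(service, 0)
        return [c for c in self._entries if c.seq > cursor][:limit]

    def ack(self, service: str, seq: int) -> None:
        """Model of POST /ack: confirm everything up to seq. Only ever moves forward."""
        if seq > len(self._entries):
            raise ValueError("ack beyond journal head")
        self._cursors[service] = max(self._cursors.get(service, 0), seq)

    def lag(self, service: str) -> int:
        """Metric: number of changes the service has not confirmed yet."""
        return len(self._entries) - self._cursors.get(service, 0)


def apply_changes(local_accounts: dict, changes: List[Change]) -> dict:
    """Client side (sync script): apply entries to the service's local account table.

    Upserts overwrite, so applying the same batch twice yields the same state.
    """
    for c in changes:
        if c.action == "delete":
            local_accounts.pop(c.user_id, None)
        else:
            local_accounts[c.user_id] = {"loginname": c.loginname, "roles": set(c.roles)}
    return local_accounts


def sync_once(journal: ChangeJournal, service: str, local_accounts: dict,
              crash_before_ack: bool = False) -> int:
    """One client sync round; returns the number of changes applied."""
    batch = journal.changes_for(service)
    if not batch:
        return 0
    apply_changes(local_accounts, batch)
    if crash_before_ack:
        return len(batch)  # simulated crash: cursor unchanged, batch is redelivered
    journal.ack(service, batch[-1].seq)
    return len(batch)


def demo():
    """Constructed scenario: two users, a crash before ack, a deletion, a role change."""
    journal = ChangeJournal()
    journal.record(1, "upsert", "alice", ["member"])
    journal.record(2, "upsert", "bob", ["member", "admin"])
    local: dict = {}
    first = sync_once(journal, "wiki", local, crash_before_ack=True)  # applied, not acked
    lag_after_crash = journal.lag("wiki")                              # still 2 pending
    second = sync_once(journal, "wiki", local)                         # same 2 redelivered
    journal.record(2, "delete")                                        # bob removed in uffd
    journal.record(1, "upsert", "alice", ["member", "admin"])          # alice gains a role
    third = sync_once(journal, "wiki", local)
    return first, lag_after_crash, second, third, journal.lag("wiki"), local


if __name__ == "__main__":
    print(demo())
```

In a real implementation the cursor would be persisted per service credential on the uffd side and the batch limit would bound request size; the `lag()` value per service is exactly the "is this service behind" metric the current query-based syncs cannot provide.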