The labeling on the LDAP sync configuration page is confusing: the word "all" is often used in the labels but rarely applies.
In Archer versions 6.7 P3 through 6.9 P2, the following issues with the LDAP configuration labels were found.
Current label: "Create an account for all users in the LDAP source that are not in the system"
Issue: Users returned by the LDAP sync are often NOT created in Archer when this option is selected, even if they do not exist in Archer. This is normal and expected functionality, caused by the other configuration options that may also be enabled on this LDAP sync.
Current label: "Update all users on each sync"
The issues here are:
Not all Archer accounts in the system are updated. Only user accounts that are associated with this one specific LDAP sync are updated. Non-LDAP users are not updated, and neither are users who are associated with other LDAP syncs, even if those syncs use the same server and Base DN.
Inactive accounts associated with this LDAP sync that are not being reactivated (do not meet reactivation criteria) are also automatically skipped and are not updated by the RSA Archer LDAP Sync Service, even if the account information in Archer differs from the account information retrieved through the LDAP sync for these inactive accounts.
Current label: "Update only user accounts where the LDAP attribute meets the following criteria"
Issue: This unexpectedly filters account creation.
If account creation is enabled and the account does not meet this criterion, then the account is not created.
The label "Update only" does not match the functionality of the LDAP sync, because this option affects both update and create functionality for users retrieved from the LDAP sync.
Current label: "Deactivate all user accounts that do not have a matching LDAP user."
Issue: This applies only to the users previously associated with THIS LDAP sync, not to "all user accounts", and not to user accounts in other LDAP syncs.
The labels of the configuration options in the LDAP sync are confusing, and the options can conflict with each other, so the expected result of the LDAP sync is not clear.
The LDAP sync configuration labels/documentation will be updated in a later release.
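The scoping rules described above, written as a small Python model that plans one sync run (an added example, not Archer code and not part of the original article). The option and field names, the sample users, and the way the two update options combine are assumptions; each branch otherwise follows a statement in the article.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Options:                          # hypothetical names for the four labelled options
    create_missing: bool = False        # "Create an account for all users in the LDAP source..."
    update_all: bool = False            # "Update all users on each sync"
    criteria: Optional[Callable[[dict], bool]] = None  # "Update only user accounts where..."
    deactivate_unmatched: bool = False  # "Deactivate all user accounts that do not have..."

@dataclass
class Account:
    sync_id: Optional[str]              # None = account not associated with any LDAP sync
    active: bool = True
    reactivate: bool = False            # meets reactivation criteria (not defined in the article)

def plan_sync(sync_id, opts, ldap_users, accounts):
    """Return {username: action} for one run of the sync identified by sync_id."""
    def meets(attrs):
        return opts.criteria is None or opts.criteria(attrs)
    # Assumption: either update option turns updating on; the criteria then gate it.
    updating = opts.update_all or opts.criteria is not None
    plan = {}
    for name, attrs in ldap_users.items():
        acct = accounts.get(name)
        if acct is None:
            # The criteria also filter creation, despite the "Update only" label.
            plan[name] = "create" if opts.create_missing and meets(attrs) else "skip"
        elif acct.sync_id != sync_id:
            plan[name] = "skip"         # non-LDAP account, or associated with another sync
        elif not acct.active and not acct.reactivate:
            plan[name] = "skip"         # inactive and not being reactivated
        else:
            plan[name] = "update" if updating and meets(attrs) else "skip"
    for name, acct in accounts.items():
        if name not in ldap_users:
            # Deactivation reaches only active accounts associated with this sync.
            owned = acct.sync_id == sync_id and acct.active
            plan[name] = "deactivate" if opts.deactivate_unmatched and owned else "skip"
    return plan

# Constructed sample data: LDAP results and existing accounts.
LDAP = {"alice": {"dept": "grc"}, "bob": {"dept": "it"}, "carol": {"dept": "grc"},
        "dave": {"dept": "grc"}, "erin": {"dept": "grc"}}
ACCOUNTS = {"carol": Account("sync-A"), "dave": Account("sync-B"),
            "erin": Account("sync-A", active=False), "frank": Account("sync-A"),
            "grace": Account("sync-B"), "heidi": Account(None)}
OPTS = Options(True, True, lambda a: a.get("dept") == "grc", True)
PLAN = plan_sync("sync-A", OPTS, LDAP, ACCOUNTS)
```

With every option enabled on "sync-A", only alice is created, carol is updated and frank is deactivated; the other five users are skipped even though the labels say "all".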