You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by dj...@apache.org on 2016/10/05 08:25:11 UTC
svn commit: r1763363 - in /jackrabbit/oak/branches/1.4: ./
oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/
oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/ba...
Author: dj
Date: Wed Oct 5 08:25:11 2016
New Revision: 1763363
URL: http://svn.apache.org/viewvc?rev=1763363&view=rev
Log:
OAK-4825 : Support disabling of users instead of removal in DefaultSyncHandler
Modified:
jackrabbit/oak/branches/1.4/ (props changed)
jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncResult.java
jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.java
jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java
jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfigImpl.java
jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java
jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/package-info.java
jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java
jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/TestIdentityProvider.java
jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java
jackrabbit/oak/branches/1.4/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md
Propchange: jackrabbit/oak/branches/1.4/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Oct 5 08:25:11 2016
@@ -1,3 +1,3 @@
/jackrabbit/oak/branches/1.0:1665962
-/jackrabbit/oak/trunk:1733615,1733875,1733913,1733929,1734230,1734254,1734279,1734941,1735052,1735081,1735141,1735267,1735405,1735484,1735549,1735564,1735588,1735622,1735638,1735919,1735983,1736176,1737309-1737310,1737334,1737349,1737998,1738004,1738136,1738138,1738207,1738234,1738252,1738775,1738795,1738833,1738950,1738957,1738963,1739712,1739760,1739867,1739894,1739959-1739960,1740114,1740116,1740250,1740333,1740349,1740360,1740625-1740626,1740774,1740837,1740879,1740971,1741016,1741032,1741339,1741343,1742077,1742117,1742125,1742363,1742520,1742888,1742916,1743097,1743172,1743343,1743674,1744265,1744292,1744589,1744670,1744672,1744959,1745038,1745127,1745197,1745336,1745368,1746086,1746117,1746342,1746345,1746408,1746696,1746981,1747198,1747200,1747341-1747342,1747380,1747387,1747406,1747492,1747512,1747654,1748505,1748553,1748722,1748870,1749275,1749350,1749424,1749443,1749464,1749475,1749645,1749662,1749815,1749872,1749875,1749899,1750052,1750076-1750077,1750287,1750457,1750462
,1750465,1750495,1750626,1750809,1750886,1751410,1751445-1751446,1751478,1751753,1751755,1751871,1752198,1752202,1752259,1752273-1752274,1752283,1752292,1752438,1752447-1752448,1752508,1752596,1752616,1752659,1752672,1753262,1753331-1753332,1753335-1753336,1753355,1753444,1754117,1754239,1755157,1755191,1756520,1756580,1757119,1757166,1758213,1758713,1759433,1760340,1760373,1760387,1760661-1760662,1761412,1761444,1761571,1761762,1761787,1761876,1762453,1762612,1762632,1762635,1763347
+/jackrabbit/oak/trunk:1733615,1733875,1733913,1733929,1734230,1734254,1734279,1734941,1735052,1735081,1735141,1735267,1735405,1735484,1735549,1735564,1735588,1735622,1735638,1735919,1735983,1736176,1737309-1737310,1737334,1737349,1737998,1738004,1738136,1738138,1738207,1738234,1738252,1738775,1738795,1738833,1738950,1738957,1738963,1739712,1739760,1739867,1739894,1739959-1739960,1740114,1740116,1740250,1740333,1740349,1740360,1740625-1740626,1740774,1740837,1740879,1740971,1741016,1741032,1741339,1741343,1742077,1742117,1742125,1742363,1742520,1742888,1742916,1743097,1743172,1743343,1743674,1744265,1744292,1744589,1744670,1744672,1744959,1745038,1745127,1745197,1745336,1745368,1746086,1746117,1746342,1746345,1746408,1746696,1746981,1747198,1747200,1747341-1747342,1747380,1747387,1747406,1747492,1747512,1747654,1748505,1748553,1748722,1748870,1749275,1749350,1749424,1749443,1749464,1749475,1749645,1749662,1749815,1749872,1749875,1749899,1750052,1750076-1750077,1750287,1750457,1750462
,1750465,1750495,1750626,1750809,1750886,1751410,1751445-1751446,1751478,1751753,1751755,1751871,1752198,1752202,1752259,1752273-1752274,1752283,1752292,1752438,1752447-1752448,1752508,1752596,1752616,1752659,1752672,1753262,1753331-1753332,1753335-1753336,1753355,1753444,1754117,1754239,1755157,1755191,1756520,1756580,1757119,1757166,1758213,1758713,1759433,1760340,1760373,1760387,1760661-1760662,1761412,1761444,1761571,1761762,1761787,1761876,1762453,1762612,1762632,1762635,1763347,1763355-1763356
/jackrabbit/trunk:1345480
Modified: jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncResult.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncResult.java?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncResult.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncResult.java Wed Oct 5 08:25:11 2016
@@ -64,6 +64,16 @@ public interface SyncResult {
DELETE,
/**
+ * authorizable enabled
+ */
+ ENABLE,
+
+ /**
+ * authorizable disabled
+ */
+ DISABLE,
+
+ /**
* nothing changed. no such authorizable found.
*/
NO_SUCH_AUTHORIZABLE,
Modified: jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.java?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.java Wed Oct 5 08:25:11 2016
@@ -206,6 +206,8 @@ public class DefaultSyncConfig {
private boolean dynamicMembership;
+ private boolean disableMissing;
+
/**
* Returns the duration in milliseconds until the group membership of a user is expired. If the
* membership information is expired it is re-synced according to the maximum nesting depth.
@@ -287,6 +289,22 @@ public class DefaultSyncConfig {
return this;
}
+ /**
+ * Controls the behavior for users that no longer exist on the external provider. The default is to delete the repository users
+ * if they no longer exist on the external provider. If set to true, they will be disabled instead, and re-enabled once they appear
+ * again.
+ */
+ public boolean getDisableMissing() {
+ return disableMissing;
+ }
+
+ /**
+ * @see #getDisableMissing()
+ */
+ public User setDisableMissing(boolean disableMissing) {
+ this.disableMissing = disableMissing;
+ return this;
+ }
}
/**
Modified: jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java Wed Oct 5 08:25:11 2016
@@ -326,10 +326,16 @@ public class DefaultSyncContext implemen
log.info("won't remove local group with members: {}", id);
status = SyncResult.Status.NOP;
} else if (!keepMissing) {
- authorizable.remove();
- log.debug("removing authorizable '{}' that no longer exists on IDP {}", id, idp.getName());
+ if (config.user().getDisableMissing() && !authorizable.isGroup()) {
+ ((User) authorizable).disable("No longer exists on external identity provider '" + idp.getName() + "'");
+ log.debug("disabling user '{}' that no longer exists on IDP {}", id, idp.getName());
+ status = SyncResult.Status.DISABLE;
+ } else {
+ authorizable.remove();
+ log.debug("removing authorizable '{}' that no longer exists on IDP {}", id, idp.getName());
+ status = SyncResult.Status.DELETE;
+ }
timer.mark("remove");
- status = SyncResult.Status.DELETE;
} else {
status = SyncResult.Status.MISSING;
log.info("external identity missing for {}, but purge == false.", id);
@@ -430,9 +436,14 @@ public class DefaultSyncContext implemen
// synchronize external memberships
syncMembership(external, user, config.user().getMembershipNestingDepth());
}
+ if (this.config.user().getDisableMissing() && user.isDisabled()) {
+ status = SyncResult.Status.ENABLE;
+ user.disable(null);
+ } else {
+ status = SyncResult.Status.UPDATE;
+ }
// finally "touch" the sync property
user.setProperty(REP_LAST_SYNCED, nowValue);
- status = SyncResult.Status.UPDATE;
}
return new DefaultSyncResultImpl(createSyncedIdentity(user), status);
}
Modified: jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java Wed Oct 5 08:25:11 2016
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-@Version("1.1.0")
+@Version("1.2.0")
@Export
package org.apache.jackrabbit.oak.spi.security.authentication.external.basic;
Modified: jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfigImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfigImpl.java?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfigImpl.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfigImpl.java Wed Oct 5 08:25:11 2016
@@ -178,6 +178,22 @@ public class DefaultSyncConfigImpl exten
public static final String PARAM_USER_DYNAMIC_MEMBERSHIP = "user.dynamicMembership";
/**
+ * @see User#getDisableMissing()
+ */
+ public static final boolean PARAM_DISABLE_MISSING_USERS_DEFAULT = false;
+
+ /**
+ * @see User#getDisableMissing()
+ */
+ @Property(
+ label = "Disable missing users",
+ description = "If true, users that no longer exist on the external provider will be locally disabled, " +
+ "and re-enabled if they become valid again. If false (default) they will be removed.",
+ boolValue = false
+ )
+ public static final String PARAM_DISABLE_MISSING_USERS = "user.disableMissing";
+
+ /**
* @see DefaultSyncConfig.Group#getExpirationTime()
*/
public static final String PARAM_GROUP_EXPIRATION_TIME_DEFAULT = "1d";
@@ -253,6 +269,7 @@ public class DefaultSyncConfigImpl exten
.setName(params.getConfigValue(PARAM_NAME, PARAM_NAME_DEFAULT));
cfg.user()
+ .setDisableMissing(params.getConfigValue(PARAM_DISABLE_MISSING_USERS, PARAM_DISABLE_MISSING_USERS_DEFAULT))
.setMembershipExpirationTime(getMilliSeconds(params, PARAM_USER_MEMBERSHIP_EXPIRATION_TIME, PARAM_USER_MEMBERSHIP_EXPIRATION_TIME_DEFAULT, ONE_HOUR))
.setMembershipNestingDepth(params.getConfigValue(PARAM_USER_MEMBERSHIP_NESTING_DEPTH, PARAM_USER_MEMBERSHIP_NESTING_DEPTH_DEFAULT))
.setDynamicMembership(params.getConfigValue(PARAM_USER_DYNAMIC_MEMBERSHIP, PARAM_USER_DYNAMIC_MEMBERSHIP_DEFAULT))
Modified: jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java Wed Oct 5 08:25:11 2016
@@ -344,6 +344,12 @@ final class Delegatee {
case DELETE:
op = "del";
break;
+ case ENABLE:
+ op = "ena";
+ break;
+ case DISABLE:
+ op = "dis";
+ break;
case NO_SUCH_AUTHORIZABLE:
op = "nsa";
break;
Modified: jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/package-info.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/package-info.java?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/package-info.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/package-info.java Wed Oct 5 08:25:11 2016
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-@Version("2.0.0")
+@Version("2.1.0")
@Export
package org.apache.jackrabbit.oak.spi.security.authentication.external;
Modified: jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java Wed Oct 5 08:25:11 2016
@@ -145,6 +145,10 @@ public abstract class AbstractExternalAu
// nothing to do
}
+ protected void addIDPUser(String id) {
+ ((TestIdentityProvider) idp).addUser(new TestIdentityProvider.TestUser(id, idp.getName()));
+ }
+
protected DefaultSyncConfig createSyncConfig() {
DefaultSyncConfig syncConfig = new DefaultSyncConfig();
Map<String, String> mapping = new HashMap<String, String>();
Modified: jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/TestIdentityProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/TestIdentityProvider.java?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/TestIdentityProvider.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/TestIdentityProvider.java Wed Oct 5 08:25:11 2016
@@ -81,12 +81,12 @@ public class TestIdentityProvider implem
.withGroups("_gr_u_", "g%r%"));
}
- private void addUser(TestIdentity user) {
- externalUsers.put(user.getId().toLowerCase(), (TestUser) user);
+ public void addUser(TestIdentity user) {
+ externalUsers.put(user.getId().toLowerCase(), (ExternalUser) user);
}
private void addGroup(TestIdentity group) {
- externalGroups.put(group.getId().toLowerCase(), (TestGroup) group);
+ externalGroups.put(group.getId().toLowerCase(), (ExternalGroup) group);
}
@Nonnull
Modified: jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java Wed Oct 5 08:25:11 2016
@@ -386,6 +386,71 @@ public class DefaultSyncContextTest exte
}
@Test
+ public void testSyncDisabledUserById() throws Exception {
+ // configure to disable missing users
+ syncConfig.user().setDisableMissing(true);
+
+ // mark a regular repo user as external user from the test IDP
+ User u = userManager.createUser("test" + UUID.randomUUID(), null);
+ String userId = u.getID();
+ setExternalID(u, idp.getName());
+
+ // test sync with 'keepmissing' = true
+ syncCtx.setKeepMissing(true);
+ SyncResult result = syncCtx.sync(userId);
+ assertEquals(SyncResult.Status.MISSING, result.getStatus());
+ assertNotNull(userManager.getAuthorizable(userId));
+
+ // test sync with 'keepmissing' = false
+ syncCtx.setKeepMissing(false);
+ result = syncCtx.sync(userId);
+ assertEquals(SyncResult.Status.DISABLE, result.getStatus());
+
+ Authorizable authorizable = userManager.getAuthorizable(userId);
+ assertNotNull(authorizable);
+ assertTrue(((User)authorizable).isDisabled());
+
+ // add external user back
+ addIDPUser(userId);
+
+ result = syncCtx.sync(userId);
+ assertEquals(SyncResult.Status.ENABLE, result.getStatus());
+ assertNotNull(userManager.getAuthorizable(userId));
+ assertFalse(((User)authorizable).isDisabled());
+ }
+
+ @Test
+ public void testSyncDoesNotEnableUsers() throws Exception {
+ // configure to remove missing users, check that sync does not mess with disabled status
+ syncConfig.user().setDisableMissing(false);
+ // test sync with 'keepmissing' = false
+ syncCtx.setKeepMissing(false);
+
+ ExternalUser user = idp.listUsers().next();
+ assertNotNull(user);
+
+ SyncResult result = syncCtx.sync(user);
+ assertEquals(SyncResult.Status.ADD, result.getStatus());
+
+ Authorizable authorizable = userManager.getAuthorizable(user.getId());
+ assertTrue(authorizable instanceof User);
+ User u = (User) authorizable;
+
+ // disable user
+ u.disable("disabled locally");
+ root.commit();
+
+ // sync
+ syncCtx.setForceUserSync(true);
+ result = syncCtx.sync(user.getId());
+ assertEquals(SyncResult.Status.UPDATE, result.getStatus());
+ authorizable = userManager.getAuthorizable(user.getId());
+ assertNotNull(authorizable);
+ assertTrue(authorizable instanceof User);
+ assertTrue(((User)authorizable).isDisabled());
+ }
+
+ @Test
public void testSyncGroupById() throws Exception {
ExternalIdentity externalId = idp.listGroups().next();
Modified: jackrabbit/oak/branches/1.4/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md?rev=1763363&r1=1763362&r2=1763363&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md (original)
+++ jackrabbit/oak/branches/1.4/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md Wed Oct 5 08:25:11 2016
@@ -160,6 +160,7 @@ The default `SyncHandler` implementation
| User Dynamic Membership | `user.dynamicMembership` | Enabling dynamic membership for external users. |
| User Path Prefix | `user.pathPrefix` | The path prefix used when creating new users. |
| User property mapping | `user.propertyMapping` | List mapping definition of local properties from external ones. eg: 'profile/email=mail'.Use double quotes for fixed values. eg: 'profile/nt:primaryType="nt:unstructured" |
+| Disable missing users | `user.disableMissing` | By default, users that no longer exist on the external provider will be locally removed. Set this property to `true` to [disable](https://jackrabbit.apache.org/api/2.8/org/apache/jackrabbit/api/security/user/User.html#disable(java.lang.String)) them instead and have them re-enabled if they become available again. |
| Group auto membership | `group.autoMembership` | List of groups that a synced group is added to automatically |
| Group Expiration Time | `group.expirationTime` | Duration until a synced group expires (eg. '1h 30m' or '1d'). |
| Group Path Prefix | `group.pathPrefix` | The path prefix used when creating new groups. |