Highlighted

User sync doesn't sync groups associated with the user in AEM 6.3

karthikreddii

20-04-2018

I'm trying to setup user synchronization in aem 6.3. I have one author and 2 publish instances.

I followed this below document and set up the user synchronization between publishers. I have a self registration component. User submits the form data and I create the user and add to the group(which was already created using useradmin console) which has necessary permissions. I also activated the tunnel service to get to author(verified in author communities console).

User Synchronization

The problem is Users are syncing with the profile. But the user group doesn't gets updated. So in the other publisher user is not part of that group. Please let me know if I'm missing anything to configure, appreciate your help.

Replies

Highlighted

sawan051

06-05-2019

Hi Karthik, were you able to figure out the root cause?

I also have same issue.

Please share your findings, thanks in advance.

Highlighted

Vish_dhaliwal

Employee

07-05-2019

Hello,

Some troubleshooting tips:

- Check if all the tests are passed on libs/granite/operations/content/diagnosis/tool.html/syncdiagnostics

- Check the socialpubsync queue on Author. Clear pending items.

http://localhost:4502/libs/granite/distribution/content/distribution-agent.html?agentName=socialpubs...

- Check the socialpubsync-reverse-queue on both Publishers. Clear pending items.

http://host:port/libs/granite/distribution/content/distribution-agent.html?agentName=socialpubsync-r...

- Make sure usersync-admin user has correct permissions on both publishers.

The user that is set up in the "Adobe Granite Distribution – Encrypted Password Transport Secret Provider" must have the following permissions on all publishers:

jcr:read, rep:write on /home

jcr:all on /home/users and /home/groups

rep:write on /etc/packages/sling/distribution jcr:read on /libs/sling/distribution rep:write on /var jcr:read, rep:write on /var/eventing jcr:read, rep:write on /var/sling/distribution

- Put debug log on following classes and check the logs.

Log Level -> Debug

Log File -> logs/usersync.log

Loggers

org.apache.sling.distribution

org.apache.sling.event

com.adobe.cq.social.sync

Regards,

Vishu

Highlighted

sawan051

09-05-2019

Hi,

We raised a daycare ticket for this issue, there was a property value missing in "Diff Observer Factory"

Property serviceUser.target

This was introduced in 6.3, thanks for looking into this.

Highlighted

Andrew_Khoury

Employee

09-05-2019

Thanks for the update Sawan.

What you mention is a match to product issue GRANITE-25203.

To add more details to this, usually the issue occurs with an error like this during user sync:

javax.jcr.nodetype.ConstraintViolationException: OakConstraint0025: Authorizable property rep:password may not be removed.

The issue can be resolved with the following steps:

1. Make sure that communities-user-admin and usersync-admin are members of administrators group on the publish instances.

2. Edit the configurations per the details below on the publish instances via the /system/console/configMgr UI:

Configuration #1:

com.adobe.granite.distribution.core.impl.diff.DiffEventListener

Set property serviceUser.target with value of (.serviceName=com.adobe.granite.distribution.core) including the parentheses.

Configuration #2

com.adobe.granite.distribution.core.impl.diff.DiffChangesObserver

Set property serviceUser.target with value of (.serviceName=com.adobe.granite.distribution.core) including the parentheses.