I've finally got UserSync working on the 3 publishers I have running on AEM 22.214.171.124, and things are mostly ok until the distribution queue for two of the publishes gets blocked by a node ending in rep:cache which is happening pretty regularly, even when user nodes aren't being updated. We're currently testing UserSync features so it's not available to our users but with as often as the distribution queue is getting blocked and requiring manual clearing, I don't think we can push it out.
I've followed the steps here -- User Synchronization -- and under Vault Package Builder Factory, it says to add /home/users|-.*/rep:cache to the package filters. I'm not sure what it's for, but with the mention lower about /home/users|+.*/rep:policy being used to overwrite the existing nodes I figured the minus of rep:cache might prevent that from being passed. I'm not seeing any rep:cache nodes, so they're not replicating.
Can anyone help me figure out why the distribution queue is getting blocked and how I can prevent this so that syncing will actually work on it's own??
Since Oak 1.3.4 this UserPrincipalProvider optionally allows for temporary caching of the principal resolution mainly to optimize login performance (OAK-3003). An administrator may enable the group principal caching via the org.apache.jackrabbit.oak.security.user.UserConfigurationImpl OSGi configuration. By default caching is disabled.
Check Apache Jackrabbit Oak UserConfiguration > Principal Cache Expiration in /system/console/configMgr
This filter in package definition would exclude the /rep:cache node to be synced even if it is enabled -
Could you validate the configuration of Apache Sling Distribution Packaging - Vault Package Builder Factory
to ensure that package filter is configured correctly as mentioned in docs?
If Principal cache expiration is enabled to 3000, then it would create rep:cache folders on publish servers. You can find out the reason of enabling it within your team and if it should remain enabled on publish servers. The primary reason to enable it is to allow for temporary caching of the principal resolution mainly to optimize login performance (assuming that you have such use case).
What version of AEM do you use?
Try to remove these "rep:cache" configuration and test if it works fine? The article below mentions to add these Vault configs only if you get specific error - "OakConstraint0034: Attempt to create or change the system maintained cache."