second release candidate of v2.1.1

This release should be code-complete for v2.1.1, and includes a live push of the docs.

BUILD NOTE: If you build this release yourself, you will need a fresh python environment that doesn't include pycrypto (which we used to use). We have moved to pycryptodome which is a more modern, well-maintained plug-compatible module.

Release Notes for User Sync Tool Version 2.1.1

These notes apply to v2.1.1rc2 of 2017-06-07.

New Features

To address Issue 198, we have added support for private key encryption in both PKCS#5 and PKCS#8 formats, and allowed the passphrase for an encrypted private key to be stored in the platform secure credential store. See the docs for details on the new feature.

Bug Fixes

There is one fix for some obscure Unicode edge cases (that were found only by code inspection): Issue 167.

User Sync no longer crashes if a user's LDAP email address is present but empty: Issue 201.

The proper packages were not present for secure credential storage on Linux platforms: Issue 199.

Compatibility with Prior Versions

This version is fully backwards-compatible with version 2.1.

First release candidate for 2.1.1rc1

v2.1.1 is planned as a bug-fix release. This is the first release candidate.

Enhancement Release: unicode and security

1. We now have full Unicode support. See Issue 167 for details, including the new --config-file-encoding command-line option.
2. We now support secure handling for all credential settings and credential files. See Issue 159 for design discussion, and read the docs for associated config changes.

NOTE: This release is stable and can be used reliably by customers who need the additional security or unicode features. We have left the pre-release flag on because customers have discovered issues on Linux and Windows with security (#199, #198). We will issue a double-dot that fixes these issues.

Second release candidate for v2.1

The base functionality of rc1 is stable, but there have been some server-side behavior changes we need to accommodate (see #189), and we want to eke out a bit more debugging info when requests fail on the server side (see #181). This release does that.

1st release candidate: security and unicode enhancements

1. We now have full Unicode support. See Issue 167 for details, including the new --config-file-encoding command-line option.
2. We now support secure handling for all credential settings and credential files. See Issue 159 for design discussion, and read the docs for associated config changes.

User Sync version 2.0

This is the 2.0 release of User Sync from Adobe. This release has extensive feature and performance enhancements and, while it can be configured so as to have the same function as prior releases, its default invocation and configuration behavior is not backwards compatible. Please read these release notes carefully, and refer to the complete documentation for details.

New Arguments & Configuration Syntax

There has been an extensive overhaul of both the configuration file syntax and the command-line argument syntax. See Issue 95 and the docs for details.

New Features

1. You can now exclude Adobe users from being updated or deleted by User Sync. See the docs for details.
2. There is more robust reporting for errors in configuration files.
3. The log now reports the User Sync version and gives the details of how it was invoked.
4. You can now create and manage users of all identity types, including Adobe IDs, both when operating from an LDAP directory and from CSV files.
5. You can now distinguish, when a customer directory user is disabled or removed, whether to remove the matching Adobe-side user's product configurations and user groups, to remove the user but leave his cloud storage, or to delete his storage as well.

Significant Bug Fixes

1. There were many bugs fixed related to managing users of identity types other than Federated ID.
2. There were many bugs fixes related to managing group membership of all identity types.
3. There was a complete overhaul of how users who have adobe group memberships in multiple organizations are managed.

Changes in Behavior

All options now apply to users of all identity types. Previously, some had applied only to Federated ID and some to Enterprise ID.

Compatibility with Prior Versions

All existing configuration files, user input files, and command-line scripts will need to be revamped to be compatible with the new formats. Here is a quick cheat sheet of what needs to be done.

Configuration Files

• replace dashboard: with adobe_users:
• replace directory: with directory_users:
• add a connectors: section under adobe_users: similar to the one under directory_users
• change owning to be umapi and put it under connectors
• if you access multiple organizations, remove secondaries, and put all the umapi specifications under umapi as a list, like this:

adobe_users:
  connectors:
    umapi:
      - primary-config.yml
      - org1: org1-config.yml
      - org2: org2-config.yml

• change dashboard_groups to adobe_groups
• under limits, change max_missing_users to max_adobe_only_users and remove all other settings
• if you have an extension, do the following:
  • remove the per-context: user setting
  • move all the settings under it to the top level in a new file, call it extension.yaml
  • change extensions to extension, move it into the directory_users section, and put the relative path to the new extension.yaml file as its value.

User Input Files

If you have a file that lists users for input (--users file f), the column head user should be changed to username.

Removed User Input Files

The format for files containing users to be removed/deleted has changed, and you will need to regenerate these files rather than using any existing ones.

Command Line Scripts

• All of the options related to Adobe user removal have been changed to use the new --adobe-only-user-action argument.
• The --source-filter argument has been removed. Use the configuration setting all_users_filter instead.

Second release candidate for v2.0

There were a few bugs found, mostly cosmetic, since the v2.0rc1 release, and there have been a lot of doc updates. We decided to do an rc2 to give users outside the development team more time to test. As with the rc1 build, please be sure to read the release notes and the updated docs for info about all of the changes in config file format and invocation arguments.

First release candidate for version 2.0

Testing on the alpha build went every well, and this build has all known issues resolved. It should be ready for widespread testing. Please be sure to read the release notes and the updated docs for info about all of the changes in config file format and invocation arguments.

Internal 2.0 alpha 1 build

Nosetests don't work, but functionality should.

Second release candidate for 1.2

Important Note: We will be dropping the 1.2 release in favor of 2.0. Any further testing should move there.

Note: This build is for testing purposes only. It should NOT be distributed to customers nor used for production work.

This has all the features and bug fixes comleted and seems quite stable. Items to take special note of, because these affect the invocation args and configuration files:

• All pathnames found in config files are now interpreted relative to the file that contains them (full fix of #30). This means you can put the config file anywhere, and it can refer to files relative to its location (e.g., it can refer to the connector configs via relative pathnames), and then the referred to files can refer to other files relative to their location (e.g., a connector config could refer relatively to a private key file).
• There has been a rename of arguments so that, instead of referring to nonexistent-users (whatever those are), we talk about unmatched-users (that is, users on the Adobe side that have no match on the customer side). You can now specify any one of the following processing args for unmatched users:
  --remove-entitlements-for-unmatched-users, --remove-unmatched-users, or --delete-unmatched users. (Note that there is still some debate about this renaming, so it's possible the arg names will go back to what they were in the GM build.)
• We used to have separate arguments for outputting unmatched users to or inputting unmatched users from a file, one for each kind of processing (remove-entitlements vs remove vs delete). These have been collapsed into just two: they are now --output-unmatched-users (to write the file) and --input-unmatched-users (to read the file).
• The limits settings on processing unmatched users have changed: they are now max_unmatched_users (used to be max_missing_users) and max_removed_users (used to be max_deletions_per_run).

A lot of the underlying processing related to the various removal options for users has been overhauled and made way more consistent and efficient, especially in those cases where you have accessor orgs as well as an owning organization. In all cases, the code now assumes that only those users in the owning organization are to be matched against customer users (and controlled by the exclude settings), and the accessor orgs are never used except to update group mappings (or do org removal). The attributes in accessor orgs are never consulted or updated, and we never consider or touch users in those orgs other than the ones that are also in the owning org.

Unless we find problems between now and end-of-day Monday 27 March, expect the final release to come Tuesday morning, 28 March.