The objectclass specification in synchronization activities in rare cases does not work quite as expected. The current implementation is that when used, the provisioning module selects one of objectType definitions in schemaHandling section of resource definition (the one with default being true if it exists, or an arbitrary one). It then uses its parameters to formulate the query on resource: objectClass and baseContext (maybe others as well).
So, for example, if one has the following two object types defined:
- kind: account, intent: default, default: true, base context: ou=people,dc=example,dc=com
- kind: account, intent: other, default: false, base context: ou=other-people,dc=example,dc=com
and runs the following task:
Then only the accounts in ou=people are synchronized:
(We have one account in ou=people and one account in ou=other-people.)
Suggested resolution: Change provisioning module to interpret objectclass=X queries so that they will cover all objects on given resource with given object class.