First step (gerrit #11885) has been integrated into Tuleap 10.3.99.142. Thanks @palm for this contribution.

This request is kept open until the synchronization triggered by hand does not launch an email notification.

If the email volume is an issue, then we're fine with setting the default to be off and let each individual admin turn it on if they need it.
As we have experienced a number of issues with users not being added and even users being incorrectly removed when the LDAP sync has failed, it is important for us to get this information pushed out to the project admins so we can immediately fix the user rosters before we get a storm of mails from users that complain about not having the promised access.
If the LDAP plugin was rock solid and didn't cause these kind of issues, then this feature would be less important, but as it stands right now, notifications of errors would save us a lot of time

That's a legitimate fear. What would be reasonable limitations of this feature?

Of course digest of this feed as email notifications is a great idea but my fear is that a user who is administrator of 10 projects will be spammed, even if Tuleap sends only 1 digest a day.

A feed would absolutely be a good way to show these very important errors to an admin. However, being able to receive 'digests' of this feed as email notifications would be the best for us, as things could go wrong at any time. In our situation, the widget is of limited use in comparison.

Those membership updates can be quite useful to have up-to-date information about. New people can enter the team and others will leave. As this happens, the LDAP sync can fail. Since the LDAP can be managed by a completely different team than Tuleap, getting this information early can be of great help.

Yes, by definition, failures information could be in project history but due to the very bad UX of this page, I don't know if it worth it… And even if we revamp this page, it will force the project admin to go deep in the project administration (sub tab, filters…) to find this kind of information.

As @vaceletm said, a project administration feed in project administration homepage (details tab) could be a good way to catch the attention of the administrator. However, this feed must contain only "warning, important, waiting for administrator action" stuff. Maybe it could be also a personal widget so an administrator won't have to go in the project administration to see if those kind of events happened?

I've marked it as Ready for Review and it should not be in WIP anymore.

The pull request can be found here: https://gerrit.tuleap.net/#/c/tuleap/+/11885/

It's still in WIP, is that ready for review?

Would it be worthwhile to add such failures to the project history? Perhaps to the LDAP sync preview?

To be honnest, I don't think it will be really used. Project history interface is messy ATM and storage format doesn't help to search. However it's where the changes in membership are recorded.

I don't know if there are many admins that care about those memberhship updates and when they do, how this information should be given.

It's something very close to what we have in site administration with system events. Most of the time you don't have to look at them but if there are errors or warnings it should be "visible".

Maybe we can think about a section in project admin homepage about those "events" (maybe also the restricted users that requested to be member of a project could be there as well).

@bdauton, what do you think ?

I've managed to implement email notifications for LDAP sync. The pull request can be found here: https://gerrit.tuleap.net/#/c/tuleap/+/11885/

However, I'd like to expand what is being logged by LDAP sync. It seems that the plugin logs search failures, such as when a user account is in LDAP but not in Tuleap, but the admins are never told this has happened. Would it be worthwhile to add such failures to the project history? Perhaps to the LDAP sync preview?

Some of the errors regarding LDAP sync, such as users registered in groups not being found (user account missing, etc) should be able to be emailed to an administrator. This can even include the regular events, such as users being added / removed by daily sync. A lot of this information is already logged, so it's more about delivering this to the admins in a convenient format.