Bug 32322 – Missing SID mapping compare function

Bug 32322 - Missing SID mapping compare function


Summary:	Missing SID mapping compare function

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	S4 Connector
Version:	UCS 3.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 3.2
Assigned To:	Stefan Gohmann
QA Contact:	Felix Botner

URL:
Keywords:	interim-2

Duplicates:	27264 (view as bug list)
Depends on:
Blocks:	31695
	Show dependency tree / graph

Reported:	2013-08-22 19:22 CEST by Stefan Gohmann
Modified:	2014-03-19 17:43 CET (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	UCS Performance
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Gohmann

2013-08-22 19:22:13 CEST

The SID mapping uses the normal lowercase compare function. The comparison is always false. The result is a modreplace in S4 which costs a lot of time in an environment with 30.000 users.

Comment 1 Stefan Gohmann

2013-08-28 06:45:32 CEST

A compare function has been added:
 Code: r43496
 Changelog: r43497

Comment 2 Stefan Gohmann

2013-08-28 09:03:14 CEST

Code: + r43499 + r43500 + r43502 + r43503

Comment 3 Felix Botner

2013-09-19 10:35:26 CEST

added some debug stuff in s4connector/s4/__init__.py and s4connector/__init__.py ...

OK - SID Changed in UCS:
------------------------

-> udm users/user modify --dn uid=test1,dc=hans,dc=de --set sambaRID=1111
-> connector-s4.log
  sync from ucs: [          user] [    modify] cn=test1,dc=hans,dc=de
  attr objectSid
  ucs value ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00&3S\xd3Z\xf4\xee\x93V\xde\xe8 M\x01\x00\x00']
  s4 value ['S-1-5-21-3545445158-2481910874-552132182-222']
  values not equal
  modlist [(2, 'objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00&3S\xd3Z\xf4\xee\x93V\xde\xe8 M\x01\x00\x00'])]
-> univention-ldapsearch uid=test1 | grep sambaSID && univention-s4search cn=test1 | grep Sid
sambaSID: S-1-5-21-3545445158-2481910874-552132182-333
objectSid: S-1-5-21-3545445158-2481910874-552132182-333

OK - displayName changed in UCS, SID not changed:
-------------------------------------------------

-> udm users/user modify --dn uid=test1,dc=hans,dc=de --set displayName=name
-> connector-s4.log
  sync from ucs: [          user] [    modify] cn=test1,dc=hans,dc=de
  attr objectSid
  ucs value ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00&3S\xd3Z\xf4\xee\x93V\xde\xe8 M\x01\x00\x00']
  s4 value ['S-1-5-21-3545445158-2481910874-552132182-333']
  values equal
  modlist []

OK - displayName changed S4, SID not changed:
---------------------------------------------

-> ldbedit test1 (displayName)
-> connector-s4.log
  sync to ucs:   [          user] [    modify] uid=test1,dc=hans,dc=de
  attr sambaRID
   ucs value 333
   s4 value 333
    equal
  attr displayName
   ucs value nameS44
   s4 value nameS444
    not equal
-> univention-ldapsearch uid=test1 | grep displayName && univention-s4search cn=test1 | grep displayName
displayName: nameS444
displayName: nameS444

OK - New user in S4:
--------------------

-> samba-tool user create test3 univention123AA
-> connector-s4.log
  sync to ucs:   [          user] [       add] uid=test3,cn=users,dc=hans,dc=de
  attr sambaRID
   ucs value None
   s4 value 1113
    not equal
  attr username
   ucs value None
   s4 value test3
    not equal

OK - SID changed in S4:
-----------------------

-> changed "/usr/share/univention-s4-connector/sync_krbtgt" to modify S4 sid
    ...
    def sync_password( self ):
        modlist=[]
        from samba.dcerpc import security
        from samba.ndr import ndr_pack, ndr_unpack
        sid = "S-1-5-21-3545445158-2481910874-552132182-555"
        sidValue = ndr_pack(security.dom_sid('%s' % sid))
        attr = "objectSid"
        modlist.append((ldap.MOD_REPLACE, attr, sidValue))
        dn = "CN=test1,DC=hans,DC=de"
        LDB_CONTROL_PROVISION_OID = '1.3.6.1.4.1.7165.4.3.16'
        controls = [ LDAPControl(LDB_CONTROL_PROVISION_OID,criticality=0) ]
        self.lo_s4.lo.modify_ext_s(dn, modlist, serverctrls=controls)
    ...
-> connector-s4.log
  sync to ucs:   [          user] [    modify] uid=test1,dc=hans,dc=de
  attr sambaRID
   ucs value 333
   s4 value 555
    not equal
-> univention-s4search cn=test1 | grep -i objectSid && univention-ldapsearch uid=test1 | grep sambaSID
objectSid: S-1-5-21-3545445158-2481910874-552132182-555
sambaSID: S-1-5-21-3545445158-2481910874-552132182-555


OK -Changelog

Comment 4 Stefan Gohmann

2013-11-19 06:43:36 CET

UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".

Comment 5 Stefan Gohmann

2014-03-19 17:43:17 CET

*** Bug 27264 has been marked as a duplicate of this bug. ***