Univention Bugzilla – Bug 34802
Rename of Domain Users fails
Last modified: 2014-05-27 11:21:48 CEST
It happens in the 00_base/96rename_domain_user test case, that the listener does not remove the old value on the RDN change. >>> import cPickle >>> dn,new,old,old_dn=cPickle.load(file('/var/lib/univention-connector/s4/1399725282.083920','r')) >>> dn 'cn=Domain Users,cn=groups,dc=deadlock19,dc=local' >>> new {'sambaGroupType': ['2'], 'hasSubordinates': ['FALSE'], 'entryCSN': ['20140510123418.795679Z#000000#000#000000'], 'cn': ['uvoldyyr', 'Domain Users'], 'objectClass': ['top', 'posixGroup', 'univentionGroup', 'sambaGroupMapping', 'univentionObject', 'univentionPolicyReference'], 'memberUid': ['Administrator', 'krbtgt', 'dns-master191'], 'univentionObjectType': ['groups/group'], 'creatorsName': [''], 'entryUUID': ['50236454-6c89-1033-87af-0f8e3bb35647'], 'gidNumber': ['5001'], 'modifyTimestamp': ['20140510123418Z'], 'sambaSID': ['S-1-5-21-1148340320-2302676676-2786630740-513'], 'createTimestamp': ['20140510122109Z'], 'modifiersName': ['cn=admin,dc=deadlock19,dc=local'], 'structuralObjectClass': ['posixGroup'], 'subschemaSubentry': ['cn=Subschema'], 'entryDN': ['cn=Domain Users,cn=groups,dc=deadlock19,dc=local'], 'uniqueMember': ['uid=Administrator,cn=users,dc=deadlock19,dc=local', 'uid=krbtgt,cn=users,dc=deadlock19,dc=local', 'uid=dns-master191,cn=users,dc=deadlock19,dc=local'], 'univentionPolicyReference': ['cn=default-umc-users,cn=UMC,cn=policies,dc=deadlock19,dc=local'], 'univentionGroupType': ['-2147483646']} >>> old {} >>> old_dn 'cn=uvoldyyr,cn=groups,dc=deadlock19,dc=local' >>> This results in the following traceback: 10.05.2014 14:34:46,882 LDAP (ERROR ): sync_from_ucs: traceback due to modlist: [(2, 'sAMAccountName', [u'uvoldyyr', u'Domain Users'])] 10.05.2014 14:34:46,888 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1399725282.083920 10.05.2014 14:34:46,909 LDAP (WARNING): Traceback (most recent call last): File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 767, in __sync_file_from_ucs if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn,'utf8'), old)) File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/__init__.py", line 2435, in sync_from_ucs self.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), compatible_modlist(modlist), serverctrls=self.serverctrls_for_add_and_modify) [...] TYPE_OR_VALUE_EXISTS: {'info': '0000200D: SINGLE-VALUE attribute sAMAccountName on CN=uvoldyyr,CN=Groups,DC=deadlock19,DC=local specified more than once', 'desc': 'Type or value exists'} This does not happen with the previous listener. +++ This bug was initially created as a clone of Bug #34355 +++ r49800 | Bug #34355 Listener: Remove old values on RDN change univention-directory-listener_8.0.0-9.220.201405051622
Should be released for 3.2-1-errata and 3.2-2-errata.
(In reply to Stefan Gohmann from comment #0) > >>> old_dn > 'cn=uvoldyyr,cn=groups,dc=deadlock19,dc=local' ... > CN=uvoldyyr,CN=Groups,DC=deadlock19,DC=local Again a difference in case, see Bug #34835. As the current code compares the BER-values, case might be an issue. Side note: Bug #34742 is not yet released for errata3.2-2.
After much debugging I found the following anomaly, which might be related to Bug #33594 using the univention-directory-logger running on the DC Master itself: DN: cn=Domain Users,cn=groups,dc=phahn,dc=dev ID: 33216 Modifier: uid=Administrator,cn=users,dc=phahn,dc=dev Timestamp: 23.05.2014 17:53:26 Action: modify Old values: New values: cn: sflrbcfb DN: cn=Domain Users,cn=groups,dc=phahn,dc=dev ID: 33218 Modifier: uid=Administrator,cn=users,dc=phahn,dc=dev Timestamp: 23.05.2014 17:53:26 Action: modify Old values: cn: sflrbcfb New values: Using the trace.so SLAPd overlay module I can see that this is the same connection doing the original move, that it "udm-cli": 19:53:26 conn=1009 op=1 trace op=BIND dn="uid=administrator,cn=users,dc=phahn,dc=dev" 19:53:26 conn=1009 op=9 trace op=MODRDN dn="cn=sflrbcfb,cn=groups,dc=phahn,dc=dev" 19:53:26 conn=1009 op=9 trace op=MODRDN RESPONSE dn="cn=sflrbcfb,cn=groups,dc=phahn,dc=dev" err=0 19:53:26 conn=1009 op=10 trace op=MODIFY dn="cn=domain users,cn=groups,dc=phahn,dc=dev" 19:53:26 conn=1009 op=10 trace op=MODIFY RESPONSE dn="cn=domain users,cn=groups,dc=phahn,dc=dev" err=0 19:53:26 conn=1009 op=12 trace op=MODIFY dn="cn=users,cn=groups,dc=phahn,dc=dev" 19:53:26 conn=1009 op=12 trace op=MODIFY RESPONSE dn="cn=users,cn=groups,dc=phahn,dc=dev" err=0 Enabling "ucr set directory/manager/cmd/debug/level=4" for a different run shows the following: # grep 'rjnidpxh\|Domain Users' /var/log/univention/directory-manager-cmd.log | cut -c 50- | nl 1 daemon [13195] [13196] arglist: ['/usr/sbin/univention-directory-manager', 'groups/group', 'modify', '--dn', 'cn=Domain Users,cn=groups,dc=phahn,dc=dev', '--set', 'name=rjnidpxh', '--binddn', 'uid=Administrator,cn=users,dc=phahn,dc=dev', '--bindpwd', 'univention'] 2 uldap.search filter=(&(objectClass=posixGroup)(uniqueMember=cn=Domain Users,cn=groups,dc=phahn,dc=dev)) base= scope=sub attr=['dn'] unique=0 required=0 timeout=-1 sizelimit=0 3 mod dn=cn=Domain Users,cn=groups,dc=phahn,dc=dev ml=[('cn', 'Domain Users', 'rjnidpxh')] 4 uldap.modify cn=Domain Users,cn=groups,dc=phahn,dc=dev: [('cn', 'Domain Users', 'rjnidpxh')] 5 rename cn=rjnidpxh 6 uldap.modify [(2, 'cn', 'rjnidpxh')] 7 mod dn=cn=Users,cn=groups,dc=phahn,dc=dev ml=[('uniqueMember', ['cn=Domain Users,cn=groups,dc=phahn,dc=dev'], ['cn=rjnidpxh,cn=groups,dc=phahn,dc=dev'])] 8 uldap.modify cn=Users,cn=groups,dc=phahn,dc=dev: [('uniqueMember', ['cn=Domain Users,cn=groups,dc=phahn,dc=dev'], ['cn=rjnidpxh,cn=groups,dc=phahn,dc=dev'])] 9 uldap.modify [(2, 'uniqueMember', ['cn=rjnidpxh,cn=groups,dc=phahn,dc=dev'])] 10 daemon [13195] [13466] arglist: ['/usr/sbin/univention-directory-manager', 'groups/group', 'modify', '--dn', 'cn=rjnidpxh,cn=groups,dc=phahn,dc=dev', '--set', 'name=Domain Users', '--binddn', 'uid=Administrator,cn=users,dc=phahn,dc=dev', '--bindpwd', 'univention'] 11 uldap.search filter=(&(objectClass=posixGroup)(uniqueMember=cn=rjnidpxh,cn=groups,dc=phahn,dc=dev)) base= scope=sub attr=['dn'] unique=0 required=0 timeout=-1 sizelimit=0 12 mod dn=cn=rjnidpxh,cn=groups,dc=phahn,dc=dev ml=[('cn', 'rjnidpxh', 'Domain Users')] 13 uldap.modify cn=rjnidpxh,cn=groups,dc=phahn,dc=dev: [('cn', 'rjnidpxh', 'Domain Users')] 14 rename cn=Domain Users 15 uldap.modify [(2, 'cn', 'Domain Users')] 16 mod dn=cn=Users,cn=groups,dc=phahn,dc=dev ml=[('uniqueMember', ['cn=rjnidpxh,cn=groups,dc=phahn,dc=dev'], ['cn=Domain Users,cn=groups,dc=phahn,dc=dev'])] 17 uldap.modify cn=Users,cn=groups,dc=phahn,dc=dev: [('uniqueMember', ['cn=rjnidpxh,cn=groups,dc=phahn,dc=dev'], ['cn=Domain Users,cn=groups,dc=phahn,dc=dev'])] 18 uldap.modify [(2, 'uniqueMember', ['cn=Domain Users,cn=groups,dc=phahn,dc=dev'])] Do in line 12-13 udm-cli is adding the second DN... So probably some timing in Listener changes and it's now fast enough to push that change its listener modules?
(In reply to Philipp Hahn from comment #3) > Do in line 12-13 udm-cli is adding the second DN... > So probably some timing in Listener changes and it's now fast enough to push > that change its listener modules? Yes, that makes sense. I think this would fix the rename issue: Index: univention-python/modules/uldap.py =================================================================== --- univention-python/modules/uldap.py (Revision 49891) +++ univention-python/modules/uldap.py (Arbeitskopie) @@ -490,7 +490,7 @@ ml=self.__encode_entry(ml) if rename: univention.debug.debug(univention.debug.LDAP, univention.debug.WARN, 'rename %s' % rename) - self.lo.rename_s(dn, rename, None, delold=0) + self.lo.rename_s(dn, rename, None, delold=1) dn=rename+dn[dn.find(','):] if ml: try:
(In reply to Stefan Gohmann from comment #4) > (In reply to Philipp Hahn from comment #3) > > So in line 12-13 udm-cli is adding the second DN... > > So probably some timing in Listener changes and it's now fast enough to push > > that change to its listener modules? > > Yes, that makes sense. I think this would fix the rename issue: Cloned to Bug #34971 r50649 | Bug #34802 Listener: assume delold in modrdn univention-directory-listener_8.0.1-5.229.201405261549
(In reply to Philipp Hahn from comment #5) > > Cloned to Bug #34971 OK, together with the fix from Bug #34971 it works in my environment. > r50649 | Bug #34802 Listener: assume delold in modrdn > > univention-directory-listener_8.0.1-5.229.201405261549 Code: OK YAML: OK
http://errata.univention.de/ucs/3.2/116.html