Bug 35905 – connector/s4/mapping/group/syncmode=write & group membership

Bug 35905 - connector/s4/mapping/group/syncmode=write & group membership


Summary:	connector/s4/mapping/group/syncmode=write & group membership

Status:	NEW

Product:	UCS Test
Classification:	Unclassified
Component:	S4 Connector
Version:	unspecified
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	Samba maintainers
QA Contact:

URL:
Keywords:

Depends on:	35251
Blocks:
	Show dependency tree / graph

Reported:	2014-09-11 14:51 CEST by Stefan Gohmann
Modified:	2018-04-14 14:15 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Gohmann

2014-09-11 14:51:47 CEST

Please check if a test case is possible.

+++ This bug was initially created as a clone of Bug #35251 +++

Even if connector/s4/mapping/group/syncmode is set to write, group members are synced back from S4 to OpenLDAP when a user was changed. The post hook functions should consider the connector/s4/mapping/group/syncmode variable.

Comment 1 Sönke Schwardt-Krummrich

2014-09-11 16:19:57 CEST

Within the customer environment, we were able to reproduce the bug:
1) create a new group (foo)
2) create a new user (bar)
3) remove the ldap attribute "sambaMungedDial" via ldapmodify
4) wait for S4 replication
5) udm users/user modify --dn "uid=bar,..." --append groups="cn=foo,cn=groups,..."

The udm now triggers 2 LDAP changes:
1) adding sambaMungedDial to the user object
2) modifying the group object

After 1) has been replicated to the DC slave and into the S4 AD, the S4 connector syncs back the group object from S4 AD to OpenLDAP before the change (2) has been synced from OpenLDAP to S4 AD → the old group values are copied back and the group change has been reverted.