Bug 45310 - memberOf is not set for existing users on backup and slave systems
Status: CLOSED DUPLICATE of bug 46066
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-4-errata
Assigned To: Philipp Hahn
QA Contact: Sönke Schwardt-Krummrich
 
Reported: 2017-09-01 08:05 CEST by Stefan Gohmann
Modified: 2020-07-13 11:14 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?: Yes
Ticket number: 2017083021000493, 2017100921000519

Attachments
update-memberof (1.07 KB, text/plain)
2017-09-01 08:07 CEST, Stefan Gohmann

Description Stefan Gohmann univentionstaff 2017-09-01 08:05:41 CEST
I've installed the memberof overlay module on slave and backup systems. Afterwards, I installed it on my master and executed the script /usr/share/univention-ldap-overlay-memberof/univention-update-memberof. The memberOf attribute was set on master but not on backup and slave systems.
Comment 1 Stefan Gohmann univentionstaff 2017-09-01 08:07:59 CEST
Created attachment 9163
update-memberof

The attached script can be used to set the memberOf attribute on backup and slave systems:
/etc/init.d/univention-directory-listener stop
./update-memberof
/etc/init.d/univention-directory-listener start
Comment 2 Felix Botner univentionstaff 2017-10-10 18:36:35 CEST
Seems that the trivial change (uniqueMember=$uniqueMember) in /usr/share/univention-ldap-overlay-memberof/univention-update-memberof is not replicated (replication.py). Therefore the memberOf overlay does not update memberof (the overlay updates memberof for every uniqueMember object for posixGroups if uniqueMember has been changed (?)).

So we have to run /usr/share/univention-ldap-overlay-memberof/univention-update-memberof on every existing dc OR modify posixGroup and posixAccount in univention-update-memberof on the master

(1) modify /usr/share/univention-ldap-overlay-memberof/univention-update-memberof
(2) edit http://sdb.univention.de/index.php?action=artikel&cat=11&id=85&artlang=de
Comment 3 Philipp Hahn univentionstaff 2020-04-16 09:24:16 CEST
With Bug #46066 git:f72c1ec03bdd40ba4acf2b74b4cee9e6b8db58f2 changed the script to use univention.uldap.getRootDnConnection() instead, which automatically uses cn=admin on Master and cn=update on Backups and Slaves. Therefore the script works on all roles with a local LDAP server.

<https://help.univention.com/t/memberof-attribute-group-memberships-of-user-and-computer-objects/6439> already documents that the script needs to be called on all roles.

The procedure is described incompletely in the UCS manual, which is tracked by Bug #45308.

This is related to Bug #48545.

*** This bug has been marked as a duplicate of bug 46066 ***
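
Added example (not part of the bug report or of Univention's scripts): a check that compares group uniqueMember values with each member's memberOf, so a backup or slave where the update script has not yet run shows up as drift. It assumes a plain LDIF dump of the local LDAP server without base64 values or folded lines; the function names and all DNs in the sample are constructed.

```python
from collections import defaultdict

# Constructed sample dump of a replica's local LDAP (all DNs are made up).
SAMPLE_LDIF = """\
dn: cn=Domain Users,cn=groups,dc=example,dc=test
objectClass: posixGroup
uniqueMember: uid=alice,cn=users,dc=example,dc=test
uniqueMember: uid=bob,cn=users,dc=example,dc=test

dn: cn=Admins,cn=groups,dc=example,dc=test
objectClass: posixGroup
uniqueMember: uid=alice,cn=users,dc=example,dc=test

dn: uid=alice,cn=users,dc=example,dc=test
memberOf: cn=Domain Users,cn=groups,dc=example,dc=test

dn: uid=bob,cn=users,dc=example,dc=test
objectClass: posixAccount
"""

def parse_ldif(text):
    """Parse simple LDIF into {lowercased dn: {lowercased attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            # Assumption: no base64 ("attr:: ...") values and no folded lines.
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                attrs[key.lower()].append(value)
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def memberof_drift(entries):
    """Return {member dn: sorted group DNs missing from its memberOf}."""
    expected = defaultdict(set)
    for dn, attrs in entries.items():
        for member in attrs.get("uniquemember", []):
            # Lowercasing is a simplified DN normalisation for this example.
            expected[member.lower()].add(dn)
    drift = {}
    for member, groups in expected.items():
        if member in entries:  # ignore members that are not in the dump
            have = {g.lower() for g in entries[member].get("memberof", [])}
            missing = sorted(groups - have)
            if missing:
                drift[member] = missing
    return drift
```

An empty result from `memberof_drift(parse_ldif(dump))` on every role means memberOf agrees with the group data there; any entry it returns names a user whose memberOf-based lookups on that server would miss those groups.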
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2020-07-13 11:01:06 CEST
This is a duplicate → VERIFIED