Univention Bugzilla – Bug 46377
s4 connector does not sync users with flag functional
Last modified: 2019-10-30 10:32:59 CET
The S4 connector does not sync OpenLDAP users with univentionObjectFlag: functional. These users do not count against the UCS licence. At Bug #33214 an additional functional user is created on all UCS systems, which is required to be synced to S4.
These objects aren't even users/user objects. There is already a bug to change this.
Nowadays the user is a "users/ldap" account. They don't get synchronized as well. Why is the synchronisation necessary, Erik?

dn: uid=sys-idp-user,cn=users,l=school,l=dev
uid: sys-idp-user
objectClass: person
objectClass: univentionPWHistory
objectClass: simpleSecurityObject
objectClass: top
objectClass: uidObject
objectClass: univentionObject
userPassword:: e2NyeXB0fSQ2JDRiSGFqMjd0RDJyWmkvMXEkNGN1dFdBNE1uVmhGVW5oSm16TGZKSGlIN0l6anFmZ1FtQVJlNWhxWXhaZk1ZN1VnVWtNZDRoSVczSURZbi5yc2dqaXNVcUt3NTJUWE1nR3dsektsdTA=
pwhistory: $6$BEwCS4k5NL63V1qD$MPJ6wHOgbrGuayxXa00..THAI6yfKDKc8HOTKgqses8tC.8PydXjjAJ84CLMeveUtWKcOde/m4zZGWgGWyBi11
sn: idp-user
univentionObjectType: users/ldap
cn: idp-user
univentionObjectFlag: functional
univentionObjectFlag: hidden
If I remember correctly, the idea was to use this account not only for the SAML IdP LDAP access but also as the Kerberos service principal. We implemented another solution, so there is currently no requirement anymore. I am resolving this as invalid.
OK