Univention Bugzilla – Bug 47370
Deactivated user is rejected on school slaves, when he is not created in a school ou
Last modified: 2021-05-14 16:34:21 CEST
The s4-connector gives the following traceback only on school slaves:

---------------------------------------------------------------------------------
12.07.2018 09:16:49,679 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=user01,cn=users,DC=schule,DC=de
12.07.2018 09:17:01,591 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=user01,cn=users,DC=schule,DC=de
12.07.2018 09:17:03,202 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=user01,cn=users,dc=schule,dc=de
12.07.2018 09:17:47,952 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=user01,cn=users,DC=schule,DC=de
12.07.2018 09:17:49,560 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=user01,cn=users,dc=schule,dc=de
12.07.2018 09:17:49,581 LDAP (ERROR ): Unknown Exception during sync_to_ucs
12.07.2018 09:17:49,648 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1599, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1366, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1674, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 582, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1221, in _modify
    self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 823, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
---------------------------------------------------------------------------------

The slave cannot write back changes, because the user was not created in a school OU. That is normal behaviour, but this was not the problem here. This traceback only occurs when the user is deactivated and the s4connector seems to find changes to replicate back.

---------------------------------------------------------------------------------
12.07.2018 10:30:35,297 LDAP (INFO ): The following attributes have been changed: ['whenChanged', 'userAccountControl', 'uSNChanged']
---------------------------------------------------------------------------------

But the deactivation was made in OpenLDAP, not in samba4, and 'userAccountControl' seems to be the attribute that has been changed. We applied a patch in the school environment to fix the reject.
Created attachment 9602: /usr/share/pyshared/univention/admin/handlers/users/user.py
Hmm, thanks for the patch! Another layer in UDM should filter this out, I wonder why it doesn't work.
This issue has been filed against UCS 4.3. UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.