Bug 47370 - Deactivated user is rejected on school slaves, when he is not created in a school ou
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2018-07-18 11:38 CEST by Christina Scheinig
Modified: 2021-05-14 16:34 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018071221000295
Bug group (optional):
Max CVSS v3 score:
scheinig: Patch_Available+


Attachments
/usr/share/pyshared/univention/admin/handlers/users/user.py (1.29 KB, patch)
2018-07-18 11:40 CEST, Christina Scheinig

Description Christina Scheinig univentionstaff 2018-07-18 11:38:04 CEST
The s4-connector gives the following traceback only on school slaves:
---------------------------------------------------------------------------------
12.07.2018 09:16:49,679 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=user01,cn=users,DC=schule,DC=de
12.07.2018 09:17:01,591 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=user01,cn=users,DC=schule,DC=de
12.07.2018 09:17:03,202 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=user01,cn=users,dc=schule,dc=de
12.07.2018 09:17:47,952 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=user01,cn=users,DC=schule,DC=de
12.07.2018 09:17:49,560 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=user01,cn=users,dc=schule,dc=de
12.07.2018 09:17:49,581 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
12.07.2018 09:17:49,648 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1599, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1366, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1674, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 582, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1221, in _modify
    self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 823, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
------------------------------------------------------------------------------
The slave cannot write back changes, because the user was not created in a school OU. That is normal behaviour, but this was not the problem here. This traceback only occurs when the user is deactivated and the s4connector seems to find changes to replicate back.
-------------------------------------------------------------------------------
12.07.2018 10:30:35,297 LDAP        (INFO   ): The following attributes have been changed: ['whenChanged', 'userAccountControl', 'uSNChanged']
-------------------------------------------------------------------------------
But the deactivation was made in OpenLDAP, not in samba4, and 'userAccountControl' seems to be the attribute that has been changed.

We applied a patch in the school environment to fix the reject.
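
A log triage example for the reject described above, added here and not part of the original report or of UCS: it pairs each "Unknown Exception during sync_to_ucs" with the object of the last "sync to ucs" line before it and with the exception that ends the traceback, so accounts whose state could not be written back can be listed. The function names and the sample are constructed for this example, and the line format is assumed to match the excerpt in the description.

```python
import re

# Line header as it appears in the report's connector log excerpt.
LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3}) LDAP\s+\((\w+)\s*\): (.*)$")
SYNC = re.compile(r"^sync (to|from) ucs:\s+\[\s*(\w+)\] \[\s*(\w+)\] (.+)$")

def failed_syncs(lines):
    """Pair each 'Unknown Exception during sync_to_ucs' with the last
    'sync to ucs' object logged before it and the traceback's final line."""
    results, last_sync, current = [], None, None
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE.match(line)
        if not m:
            # Continuation of a traceback: the unindented line names the exception.
            if current is not None and line and not line[0].isspace():
                current["exception"] = line.strip()
            continue
        ts, level, msg = m.groups()
        if msg.startswith("Traceback"):
            continue  # traceback header belongs to the error already opened
        current = None
        s = SYNC.match(msg)
        if s and s.group(1) == "to":
            last_sync = {"object_type": s.group(2), "operation": s.group(3), "dn": s.group(4)}
        elif level == "ERROR" and "during sync_to_ucs" in msg:
            current = dict(last_sync or {}, time=ts, exception=None)
            results.append(current)
    return results

def denied_dns(results):
    """DNs whose write-back to UCS ended in permissionDenied."""
    return sorted({r["dn"] for r in results
                   if r.get("exception") == "permissionDenied" and "dn" in r})

# Constructed sample: lines copied from the excerpt in this report, traceback shortened.
SAMPLE = """\
12.07.2018 09:17:01,591 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=user01,cn=users,DC=schule,DC=de
12.07.2018 09:17:03,202 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=user01,cn=users,dc=schule,dc=de
12.07.2018 09:17:47,952 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=user01,cn=users,DC=schule,DC=de
12.07.2018 09:17:49,560 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=user01,cn=users,dc=schule,dc=de
12.07.2018 09:17:49,581 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
12.07.2018 09:17:49,648 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 823, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
""".splitlines()

if __name__ == "__main__":
    for hit in failed_syncs(SAMPLE):
        print(hit["time"], hit["dn"], hit["exception"])
```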
Comment 1 Christina Scheinig univentionstaff 2018-07-18 11:40:40 CEST
Created attachment 9602 [details]
/usr/share/pyshared/univention/admin/handlers/users/user.py
Comment 2 Florian Best univentionstaff 2019-03-15 22:40:42 CET
Hmm, thanks for the patch! Another layer in UDM should filter this out, I wonder why it doesn't work.
Comment 3 Ingo Steuwer univentionstaff 2021-05-14 15:42:06 CEST
This issue has been filed against UCS 4.3.

UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.