Univention Bugzilla – Bug 49981
AD Connector: make mapping configurable
Last modified: 2021-05-27 11:36:03 CEST
Make the same possible for the AD Connector mapping.
+++ This bug was initially created as a clone of Bug #48410 +++
+++ This bug was initially created as a clone of Bug #35589 +++
We should consider making the synchronisation of additional attributes between OpenLDAP and Samba 4/Microsoft AD more comfortable. Right now, when one wants to synchronize e.g. departmentNumber or pagerTelephoneNumber, one needs to modify the mapping.py and maintain one's own version of it. Making this configurable through UCR would make maintaining these customizations much easier.
diff --git a/services/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping b/services/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping index c33315affd..cb9061e65c 100644 --- a/services/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping +++ b/services/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping @@ -461,3 +461,10 @@ if configRegistry.is_false('connector/ad/mapping/group/exchange', True): ad_mapping['group'].attributes.pop('Exchange-Nickname') if configRegistry.get('connector/ad/mapping/group/language') not in ['de', 'DE']: ad_mapping['group'].mapping_table.pop('cn') + +try: + mapping_hook = imp.load_source('localmapping', os.path.join(os.path.dirname(__file__), 'localmapping.py')).mapping_hook +except (IOError, AttributeError): + pass +else: + s4_mapping = mapping_hook(as_mapping)
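Review bot: the last added line, `s4_mapping = mapping_hook(as_mapping)`, passes `as_mapping`, a name that appears nowhere else in the visible lines, and stores the result in `s4_mapping`, while the context lines directly above operate on `ad_mapping`. Unless `as_mapping` is defined outside this hunk, a present `localmapping.py` raises NameError here, which `except (IOError, AttributeError)` does not cover because the call sits in the `else` branch; and even with the argument corrected, the returned mapping is bound to a name the AD connector mapping does not use, so the hook has no effect. Suggest `ad_mapping = mapping_hook(ad_mapping)`. Separately, `except (IOError, AttributeError): pass` treats "file absent" and "file present but without `mapping_hook`" the same way; since `localmapping.py` is executed as code from the connector's configuration directory, the second case deserves a message on stderr instead of being dropped silently.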
Customer request to sync users into an OU=
Another customer announces the need for a configurable AD mapping. The background is the deviation of the UCS Samba cn value from the MS AD. In MS AD first and last name (DisplayName) are used, in UCS the user name is entered. For the connection of a third party application an attribute is required for groups and users that contains a "speaking" name. In a pure MS AD this is done by using cn. In UCS / UCS Samba this is the username that should not be used. It would be possible to extend groups by a univention extended attribute, which consists of the LDAP DisplayName. The AD Connector will not synchronize this to groups without mapping adjustment. A configurable mapping would be the solution here.
The configuration option asked for in Comment 4 is not possible just by adjusting the mapping, currently. That would require a change in the samaccountname_dn_mapping function in the connector. I guess we should keep feature requests like that separate from this bug, which wants to solve a different issue.
The request in comment 4 is not changing the mapping of cn, as we have discussed in our chat. The solution would be to use the attribute displayName, which exists in AD and LDAP, and extend groups by implementing a custom attribute displayName. For this purpose only AD-Conn and S4-Conn mapping must be customized, which would be easier by fixing this bug.
REOPEN: git:36fc68ee212303368cd5a59a0abab7b941e7603e
Missing ".py" in:
+Benutzerdefinierte Mapping-Datei <filename>/etc/univention/connector/ad/localmapping</filename>
+<filename>/etc/univention/connector/ad/localmapping</filename> custom mapping file
Please print error messages to stderr.
services/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping: PEP8:
34 col 1 error| 'sys' imported but unused [F401]
34 col 10 error| multiple imports on one line [E401]
514 col 1 error| expected 2 blank lines after class or function definition, found 1 [E305]
The test case 55_adconnector/169sync_custom_mapping_nonstandard_attribs is failing: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-6/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/55_adconnector/169sync_custom_mapping_nonstandard_attribs/master091/
It would be best to remove the sentences about overwriting the old mapping.py and suggest only to use localmapping for extending/adjusting the mapping.
@Florian: I have integrated the changes from your Comment 7. The test failed for some roles only and that has also been fixed by deactivating the test for those where it is not applicable, namely non-ad
@Florian: The hint you were referring to in comment 9 has already been removed.
ucs-test fix: 9.0.5-27A~4.4.6.202011191011
univention-ad-connector fix: 13.0.0-58A~4.4.6.202011190952
Mapping extended attributes: OK
Adjusting existing mapping: OK
Testcase: OK
Test successful in jenkins: OK
YAML: OK
Documentation: OK
Documentation spelling: univention-spell currently finds mistakes in the words "Mappings", "Mapping-Datei" and so on. But those are correct. -> OK
Verified
REOPEN: No ucs 5 merge request was created.
Created: https://git.knut.univention.de/univention/ucs/-/merge_requests/39 Could you set the bug back to verified? Max is currently sick.
(In reply to Julia Bremer from comment #14)
> Created:
> https://git.knut.univention.de/univention/ucs/-/merge_requests/39
> Could you set the bug back to verified? Max is currently sick.
I can't. I added 7 gitlab comments.
And another thing:
https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-6/view/Documentation/job/HandbookUCS/lastSuccessfulBuild/artifact/webroot/handbuch-4.4.html#ad-connector:details-zur-vorkonfigurierten-synchronisation
"""
In der Grundeinstellung werden einige Container durch Filter von der Synchronisation ausgeschlossen. Diese finden sich in der Konfigurationsdatei /etc/univention/connector/ad/mapping Benutzerdefinierte Mapping-Datei /etc/univention/connector/ad/localmapping.py unter der Einstellung global_ignore_subtree.
"""
→ This does not make sense grammatically.
Please remove
* "Benutzerdefinierte Mapping-Datei <filename>/etc/univention/connector /ad/localmapping.py</filename>" from windows-de.xml 1375 (and windows-en)
* please also change (de and en)
- The contents of the <code>ad_mapping</code> variable can be modified to
+ The contents of the <command>ad_mapping</command> variable can be modified to
<code> is not used currently (and this seems to confuse the spell checker)
* add "Mappings" to doc-common/spell/dicts/undecided.dic
Thank you @Felix, @Florian. Your feedback is highly appreciated and all changes were made. The current fix is: 13.0.0-59A~4.4.6.202011241514
Build failed > version bump > fix is now: 13.0.0-60A~4.4.6.202011241539
OK - test
OK - Jenkins
OK - documentation MR will be "qaed" separately
<https://errata.software-univention.de/#/?erratum=4.4x821>