Univention Bugzilla – Bug 50629
S4C sync_from_ucs: Group members are replaced as whole instead of applying a diff
Last modified: 2024-03-08 12:41:35 CET
The S4-Connector replaces all group members by replacing the whole members with the new+current members when syncing from UCS to AD:

services/univention-s4-connector/modules/univention/s4connector/s4/__init__.py

    1528 def group_members_sync_from_ucs(self, key, object):
    …
    1696                 self.lo_s4.lo.modify_s(compatible_modstring(object['dn']), [(ldap.MOD_REPLACE, 'member', modlist_members)])

Instead we should remove all members with ldap.MOD_DELETE and add all new members with ldap.MOD_ADD.

The code is prone to race conditions if there are changes in between on the AD side, causing a loss of group members. Especially in large environments with a lot of group members this might have a performance impact.
Untested patch in git:fbest/50629-group-member-sync-from-ucs
IIRC it's not so clear to decide which strategy is better. If you do a diff based approach, you may also have a race between third-party (Administrator) changes to the Samba/AD data and the S4-Connector. But I think you are right, that the diff based approach a) is more precise and b) performs better. If a change operation fails due to concurrent changes, then we would simply get a reject and we would retry later.
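Added illustration of the two strategies discussed in the report and the reply above (example code, not from the S4-Connector or the fbest branch): it builds the 'member' modlist as a diff of the kind modify_s() accepts and replays both variants against a toy in-memory group to show how a whole-attribute MOD_REPLACE silently drops a member added concurrently on the AD side. The member names and the scenario are constructed; python-ldap is optional and its constant values are used as a fallback.

```python
# Added illustration (not the S4-Connector's own code): build the 'member'
# modlist as a diff and show why MOD_REPLACE can lose concurrent AD-side changes.
try:
    import ldap  # python-ldap, as used by the connector
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
except ImportError:  # python-ldap's constant values, so the example runs offline
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def replace_modlist(new_members):
    """What the report describes: overwrite the whole 'member' attribute."""
    return [(MOD_REPLACE, "member", sorted(new_members))]


def diff_modlist(current_members, new_members):
    """Proposed fix: delete only members that went away, add only members that
    are new. Returns an empty list when nothing changed, so no write is issued."""
    current, new = set(current_members), set(new_members)
    modlist = []
    if current - new:
        modlist.append((MOD_DELETE, "member", sorted(current - new)))
    if new - current:
        modlist.append((MOD_ADD, "member", sorted(new - current)))
    return modlist


def apply_modlist(attr_values, modlist):
    """Toy model of how a directory server applies the three operations to one
    multi-valued attribute (no schema or noSuchAttribute checks)."""
    values = set(attr_values)
    for op, _attr, vals in modlist:
        if op == MOD_REPLACE:
            values = set(vals)
        elif op == MOD_ADD:
            values |= set(vals)
        elif op == MOD_DELETE:
            values -= set(vals)
    return values


def race_demo(use_diff):
    """Constructed scenario: UCS removes 'bob' and adds 'carol'; between the
    connector reading the AD group and writing it back, an AD admin adds 'dave'."""
    ad_at_read = {"alice", "bob"}            # group as read from AD by the connector
    ucs_wanted = {"alice", "carol"}          # new membership coming from UCS
    ad_before_write = ad_at_read | {"dave"}  # concurrent change on the AD side
    modlist = diff_modlist(ad_at_read, ucs_wanted) if use_diff else replace_modlist(ucs_wanted)
    return apply_modlist(ad_before_write, modlist)
```

With MOD_REPLACE the concurrently added 'dave' is gone after the write; with the diff modlist he survives. On a real server a MOD_DELETE of a value that a concurrent change already removed fails with noSuchAttribute, which is the reject-and-retry behaviour mentioned in the reply above.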