Bug 53741 – Wrong usage of LDAP attribute "secretary"

Bug 53741 - Wrong usage of LDAP attribute "secretary"


Summary:	Wrong usage of LDAP attribute "secretary"

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	LDAP
Version:	UCS 5.0
Hardware:	All All

Importance:	P5 minor (vote)
Target Milestone:	---
Assigned To:	UCS maintainers
QA Contact:	UCS maintainers

URL:
Keywords:

Depends on:	24150 42206
Blocks:
	Show dependency tree / graph

Reported:	2021-09-02 17:16 CEST by Michael Grandjean
Modified:	2023-09-18 18:14 CEST (History)
CC List:	7 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.069
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	API change, External feedback, Usability
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Grandjean

2021-09-02 17:16:11 CEST

This is still wrong and quite confusing.

+++ This bug was initially created as a clone of Bug #42206 +++

Das in der UMC als Superior / Vorgesetzer angezeigte Attribut wird intern auf das Attribut secretary des LDAP Schemas inetOrgPerson gemappt. Es sollte statt dessen auf das Attribut manager gemappt werden 
siehe Doku hier: https://docs.oracle.com/cd/E19225-01/820-6551/bzapc/index.html
Der Bug ist schon für UCS 2.4 beschrieben worden, aber auch noch in UCS 4.1 enthalten. Vermutlich ist es leicht zu beheben, aber dürfte bei Upgrades zu Schwierigkeiten führen. Evtl. sollte man ein kleines Skript mit anbieten, dass die Inhalte von secretary zu manager kopiert bzw. verschiebt.


+++ This bug was initially created as a clone of Bug #24150 +++

Ein Auszug der Ausgabe von udm users/user 

beinhaltet folgende Beschreibung:

...
  Organisation:
    employeeNumber (person)                  Employee number
    employeeType (person)                    Employee type
    roomNumber (person)                      Room number
    departmentNumber (person)                Department number
    secretary (person,[])                    Superior
...

Es ist nun tatsächlich so, dass im LDAP-Attribut secretary der DN des/der Vorgesetzten gespeichert wird. Dafür sollte aber m.E. das Attribut manager gesetzt werden. Beide sind optional für die Objektklasse inetOrgPerson. 


Beschreibung der Attribute 

# 9.3.10.  Manager
#
#  The Manager attribute type specifies the manager of an object
#  represented by an entry.
#
#    manager ATTRIBUTE
#        WITH ATTRIBUTE-SYNTAX
#            distinguishedNameSyntax
#    ::= {pilotAttributeType 10}
#

# 9.3.17.  Secretary
#
#  The Secretary attribute type specifies the secretary of a person.
#  The attribute value for Secretary is a distinguished name.
#
#    secretary ATTRIBUTE
#        WITH ATTRIBUTE-SYNTAX
#            distinguishedNameSyntax
#    ::= {pilotAttributeType 21}
#
attributetype ( 0.9.2342.19200300.100.1.21 NAME 'secretary'
	EQUALITY distinguishedNameMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

Comment 1 Florian Best

2021-09-02 17:28:53 CEST

(In reply to Stefan Gohmann from Bug #42206 comment #1)
> Workaround (müsste aber nach jedem Update erneut ausgeführt werden, wenn das Paket python-univention-directory-manager aktualisiert wird):
> 
> sed -i "s|mapping.register('secretary','secretary')|mapping.register('secretary', 'manager')|"> /usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py

Comment 2 Michael Grandjean

2021-09-05 18:52:31 CEST

Just in case for anyone else reading the workaround and wondering.

The workaround leads to the following:

UMC: Vorgesetzter (DE) / Superior (EN)
UDM: secretary
OpenLDAP: manager
Samba AD: nothing, does not get synced

Comment 3 M. Breidt 2023-09-18 11:39:39 CEST

(came here from https://help.univention.com/t/why-is-ldap-attribute-secretary-called-superior-in-ucs/20270 )

There is a standard LDAP attribute "secretary", which according to the official specs (see https://docs.ldap.com/specs/rfc4524.txt ) has the following intention:

------
The ‘secretary’ attribute specifies secretaries and/or administrative assistants, by distinguished name.
------

But the web UI of UCS labels this “superior”, which seems incompatible with the RFC.

Comment 4 M. Breidt 2023-09-18 11:47:28 CEST

To clarify:

IMO the UMC field "Superior" should be renamed into "secretary" or "assistant" and be mapped to LDAP attribute 'secretary', and another field called "manager" should be created and be mapped to LDAP attribute 'manager'.