Univention Bugzilla – Bug 57072
AD-Connector backtrace when synchronizing uniqueMember in a OU with special DN-characters
Last modified: 2024-03-07 13:07:36 CET
The following backtrace was found in a project:
===
19.02.2024 14:53:04.712 LDAP (ERROR ): Unknown Exception during sync_to_ucs
19.02.2024 14:53:04.714 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/__init__.py", line 1427, in sync_to_ucs
    post_ucs_modify_function(self, property_type, object)
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 109, in object_memberships_sync_to_ucs
    return connector.object_memberships_sync_to_ucs(key, object)
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 1402, in object_memberships_sync_to_ucs
    self.one_group_member_sync_to_ucs(ucs_group_object, object)
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 1435, in one_group_member_sync_to_ucs
    self.lo.lo.modify_s(ucs_group_object['dn'], ml)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 212, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 824, in modify_s
    self.lo.modify_ext_s(dn, ml)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1253, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 602, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.TYPE_OR_VALUE_EXISTS: {'desc': 'Type or value exists', 'info': 'modify/add: uniqueMember: value #0 already exists'}
===

And with higher debug level this was seen:
===
19.02.2024 15:37:29.242 LDAP (INFO ): object_memberships_sync_to_ucs: sync_object: {'cn': [b'foobar1'], 'gidNumber': [b'5123'], 'sambaGroupType': [b'2'], 'univentionGroupType': [b'-2147483640'], 'description': [b'foo, bar1'], 'sambaSID': [b'S-1-5-21-0123456789-0123456789-012345678-12345'], 'objectClass': [b'oxGroup', b'top', b'univentionGroup', b'sambaGroupMapping', b'univentionObject', b'posixGroup'], 'univentionObjectType': [b'groups/group'], 'memberUid': [b'Vorname77.Nachname77', b'Vorname42.Nachname42', b'Vorname40.Nachname40', b'Vorname37.Nachname37', b'Vornam111.Nachnam111', b'Vornam116.Nachnam116', b'Vornam121.Nachnam121', b'Vornam137.Nachnam137', b'Vornam150.Nachnam150', b'Vornam153.Nachnam153', b'Vornam154.Nachnam154', b'Vornam172.Nachnam172', b'Vornam197.Nachnam197', b'Vorname10.Nachname10'], 'uniqueMember': [b'uid=vorname77.nachname77,ou=\\2B1,dc=domain,dc=org', b'uid=vorname42.nachname42,ou=\\2B1,dc=domain,dc=org', b'uid=vorname40.nachname40,ou=\\2B1,dc=domain,dc=org', b'uid=vorname37.nachname37,ou=\\2B1,dc=domain,dc=org', b'uid=Vornam111.Nachnam111,ou=\\2B1,dc=domain,dc=org', b'uid=Vornam116.Nachnam116,ou=\\2B1,dc=domain,dc=org', b'uid=Vornam121.Nachnam121,ou=\\2B1,dc=domain,dc=org', b'uid=Vornam137.Nachnam137,ou=\\2B1,dc=domain,dc=org', b'uid=Vornam150.Nachnam150,ou=\\2B1,dc=domain,dc=org', b'uid=Vornam153.Nachnam153,ou=\\2B1,dc=domain,dc=org', b'uid=Vornam154.Nachnam154,ou=\\2B1,dc=domain,dc=org', b'uid=Vornam172.Nachnam172,ou=\\2B1,dc=domain,dc=org', b'uid=Vornam197.Nachnam197,ou=\\2B1,dc=domain,dc=org', b'uid=vorname10.nachname10,ou=\\2B1,dc=domain,dc=org']}
19.02.2024 15:37:29.242 LDAP (ALL ): one_group_member_sync_to_ucs: modlist: [(0, 'uniqueMember', [b'uid=vorname10.nachname10,ou=\\+1,dc=domain,dc=org'])]
===

From a code analysis it could be that the __compare_lowercase function used in one_group_member_sync_to_ucs doesn't consider proper normalization of DNs for comparison. Florian pointed out that uldap.compare_dn() could be useful here.
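
The mismatch in the two log lines above (`ou=\2B1` already stored, `ou=\+1` in the modlist) can be reproduced offline. This is an added example, not code from the connector or from the fix commits: it uses only the standard library, its helper names are hypothetical, and it assumes case-insensitive matching for the attributes involved (uid, ou, dc).

```python
import re

_ESC = re.compile(rb"\\(?:([0-9A-Fa-f]{2})|(.))", re.S)

def _split(s, sep):
    """Split on sep, treating a backslash and the character after it as one unit."""
    parts, cur, i = [], "", 0
    while i < len(s):
        step = 2 if s[i] == "\\" else 1
        if s[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += s[i:i + step]
        i += step
    return parts + [cur]

def _unescape(value):
    """Decode both RFC 4514 escape forms: hex pairs (\\2B) and escaped characters (\\+)."""
    sub = lambda m: bytes([int(m[1], 16)]) if m[1] else m[2]
    return _ESC.sub(sub, value.encode()).decode("utf-8")

def normalize_dn(dn):
    """Canonical form: tuple of RDNs, each a sorted tuple of (attr, value) pairs."""
    rdns = []
    for rdn in _split(dn, ","):
        avas = [ava.partition("=") for ava in _split(rdn, "+")]
        rdns.append(tuple(sorted((a.strip().lower(), _unescape(v).lower()) for a, _, v in avas)))
    return tuple(rdns)

def naive_equal(a, b):
    """Lowercase-only string comparison (assumed behaviour, for contrast)."""
    return a.lower() == b.lower()

def dn_equal(a, b):
    return normalize_dn(a) == normalize_dn(b)

def needs_add(existing_members, candidate):
    """True only if no existing uniqueMember value is the same DN after normalization."""
    return not any(dn_equal(m, candidate) for m in existing_members)

# The two spellings of the same DN taken from the log lines above.
UCS_DN = r"uid=vorname10.nachname10,ou=\2B1,dc=domain,dc=org"
AD_DN = r"uid=vorname10.nachname10,ou=\+1,dc=domain,dc=org"
```

With these inputs `naive_equal(UCS_DN, AD_DN)` is false, so an add is attempted and the server answers with TYPE_OR_VALUE_EXISTS, while `needs_add([UCS_DN], AD_DN)` is false and the modify is skipped.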
b3fc7f6150 | Fix comparing uniqueMember with special DN-characters
2015ba7c30 | Fix DN comparison in group_members_sync_to_ucs
9acdf5d4a8 | Changelogs and Advisories
25a9c7bae8 | Basic test case for S4-C and AD-C
434fa9f7c5 | Reproducer test for delicate timing bug in AD-C
c3bd08ce4b | reproduce the issue in read mode
900a14aa69 | Translate special escaped characters from AD DNs to OpenLDAP escaped hex notation

Package: univention-ad-connector
Version: 14.0.17-3
Branch: ucs_5.0-0
Scope: errata5.0-6

Package: univention-s4-connector
Version: 14.0.16-4
Branch: ucs_5.0-0
Scope: errata5.0-6
OK: ADCON Syncing of special (e.g. +1) OUs and their subobjects doesn't create rejects anymore.
OK: ADCON Membership of users with such DNs is correctly resolved
OK: ADCON The DN mapping cache is now written in such a way that the UCS DN contains the DN in the way it is escaped in OpenLDAP and the AD DN contains the DN in the way it is escaped in AD/S4.
OK: ADCON No rejects when adding a user to a group
OK: ADCON No rejects when adding a group to a user
OK: S4CON Syncing of special (e.g. +1) OUs and their subobjects doesn't create rejects anymore.
OK: S4CON Membership of users with such DNs is correctly resolved
OK: S4CON The DN mapping cache is now written in such a way that the UCS DN contains the DN in the way it is escaped in OpenLDAP and the AD DN contains the DN in the way it is escaped in AD/S4.
OK: S4CON No rejects when adding a user to a group
OK: S4CON No rejects when adding a group to a user
OK: Package build
OK: Upgrade
OK: Jenkins
OK: YAML
Verified
<https://errata.software-univention.de/#/?erratum=5.0x984> <https://errata.software-univention.de/#/?erratum=5.0x990>