Univention Bugzilla – Attachment 6941 Details for
Bug 37259
GPO rejects SINGLE-VALUE attribute attribute specified more than once versionNumber, gPCUserExtensionNames, gPCMachineExtensionNames
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
produce_a_resolvable_conflict_like_bug_37259.sh
produce_a_resolvable_conflict_like_bug_37259.sh (text/plain), 2.15 KB, created by
Arvid Requate
on 2015-06-04 16:43:00 CEST
(
hide
)
Description:
produce_a_resolvable_conflict_like_bug_37259.sh
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2015-06-04 16:43:00 CEST
Size:
2.15 KB
patch
obsolete
>#!/bin/bash > >### Try to break diff mode for multi-value attributes: > >### Manipulate OpenLDAP values artificially in such a way, that we have a UCS to S4 changeset that would make S4-Connector want to create >### a multivalue in Samba4. For this the old OpenLDAP value must differ from the current Samba4 value. >### Let's create this situation by temporarily stopping the connector and changing the values on both sides to differing values. >### Then we start the connector again. >### In case the change gets rejected, e.g. when a Samba4 single-valued attribute is not declared as such in the S4-Connector mapping, >### the current Samba4 value will non the less synchronized back to OpenLDAP. >### In that situation OpenLDAP and and Samba4 will be in sync but the pickled "UCS rejected" changeset contains an obsolete modification: >### >### (pickled "old" value) != (current Samba4 value) AND (pickled "new" value) != (current Samba4 value) >### AND (current Samba4 value) == (current OpenLDAP value) >### >### In case the reason for the reject gets fixed at some point (e.g. by an errata update), this obsolete modification would roll-back the current Samba4 value. >### >### This is a conflict we can resolve automatically. > >/etc/init.d/univention-s4-connector stop > >ucs_gpo_ldif=$(univention-ldapsearch -xLLL '(&(objectclass=msGPOContainer)(cn={31B2F340-016D-11D2-945F-00C04FB984F9}))' | ldapsearch-wrapper | ldapsearch-decode64) >ucs_gpo_dn=$(sed -n 's/^dn: //p' <<<"$ucs_gpo_ldif") >old_version=$(sed -n 's/^msGPOVersionNumber: //p' <<<"$ucs_gpo_ldif") > >new_version=$(($old_version + 1)) >udm container/msgpo modify --dn "$ucs_gpo_dn" \ > --set msGPOVersionNumber="$new_version" > > >## Now the evil part: We also modify the S4-Object, but to a different value: > >new_version=$(($new_version + 1)) >s4_gpo_dn=$(univention-s4search '(&(objectClass=groupPolicyContainer)(cn={31B2F340-016D-11D2-945F-00C04FB984F9}))' dn | ldapsearch-wrapper | ldapsearch-decode64 | sed -n 's/^dn: //p') > >ldbmodify -H /var/lib/samba/private/sam.ldb <<%EOF >dn: $s4_gpo_dn >changetype: modify >replace: versionNumber >versionNumber: $new_version >%EOF > >/etc/init.d/univention-s4-connector start > >sleep 3 >univention-s4connector-list-rejected
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=6941">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 37259
:
6864
|
6865
|
6866
|
6867
| 6941 |
6942