Bug 18680 - Removing group in group memberships in MS-AD is not replicated to UCS LDAP
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-2-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Duplicates: 25192 44404
Reported: 2010-06-16 13:15 CEST by Daniel Hofmann
Modified: 2017-11-01 13:49 CET

What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?: Yes
Ticket number: 2017041921000128

group_members_sync_to_ucs.patch (1.31 KB, patch)
2017-10-25 14:37 CEST, Felix Botner

Description Daniel Hofmann univentionstaff 2010-06-16 13:15:00 CEST
Observed with w2k8:
If, with the connector running in sync mode, you first create two global groups on the AD side and then make one of them a member of the other, this arrives on the UCS side without problems, i.e. udm groups/group list shows both groups and the attributes nestedGroup and member with the correct values.

If you then remove this membership again, this change does not (!) arrive on the UCS side, i.e. the attributes nestedGroup and member remain unchanged there.
Comment 1 Daniel Hofmann univentionstaff 2010-06-16 13:21:43 CEST
The UCS test case 74sync_create_nested_ad_groups demonstrates the problem in scripted form.
Comment 2 Stefan Gohmann univentionstaff 2011-12-05 20:10:40 CET
*** Bug 25192 has been marked as a duplicate of this bug. ***
Comment 3 Felix Botner univentionstaff 2012-02-23 14:10:13 CET
This also occurs when the change is made on the UCS side.
Comment 4 Stefan Gohmann univentionstaff 2016-09-28 07:50:29 CEST
I'm still able to reproduce it with 174sync_create_nested_ad_groups.
Comment 5 Arvid Requate univentionstaff 2017-04-19 15:38:14 CEST
This happened again in a 4.1-4 e408 customer environment.
Comment 6 Arvid Requate univentionstaff 2017-04-19 15:38:34 CEST
*** Bug 44404 has been marked as a duplicate of this bug. ***
Comment 7 Stefan Gohmann univentionstaff 2017-06-16 20:38:08 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
Comment 8 Lukas Oyen univentionstaff 2017-07-27 14:56:14 CEST
Fixed in r81473 (test enabled in r81475, advisory r81477)
Comment 9 Felix Botner univentionstaff 2017-10-24 18:44:15 CEST
I think this commit 57bdcc3a9a4f387e242ea117dc0828a2a3bfc9a5 breaks the 55_adconnector.005administrator_membership.test.


24.10.2017 17:58:32,570 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=domain admins,cn=groups,dc=four,dc
24.10.2017 17:58:32,696 LDAP        (INFO   ): group_members_sync_to_ucs: search for: CN=Administrator,CN=Users,DC=w2k12,DC=test
24.10.2017 17:58:32,697 LDAP        (INFO   ): group_members_sync_to_ucs: dn_mapping_ucs_member_to_ad={'uid=administrator,cn=users,dc=four,dc=two': u'CN=Administrator,CN=Users,DC=w2k12,DC=test'}
24.10.2017 17:58:32,698 LDAP        (INFO   ): group_members_sync_to_ucs: ucs_members: ['uid=Administrator,cn=users,dc=four,dc=two']
24.10.2017 17:58:32,698 LDAP        (INFO   ): group_members_sync_to_ucs: ucs_members_from_ad: {'unknown': [], 'group': [], 'user': [], 'windowscomputer': []}
24.10.2017 17:58:32,698 LDAP        (INFO   ): group_members_sync_to_ucs: uid=administrator,cn=users,dc=four,dc=two was found in group member ucs cache of cn=domain admins,cn=groups,dc=four,dc=two
24.10.2017 17:58:32,699 LDAP        (INFO   ): _ignore_object: ignore object because of ignore_filter (key: user)
24.10.2017 17:58:32,702 LDAP        (INFO   ): _ignore_object: Do not ignore uid=Administrator,cn=users,dc=four,dc=two (key: group)
24.10.2017 17:58:32,702 LDAP        (INFO   ): group_members_sync_to_ucs: members to add: {'unknown': [], 'group': [], 'user': [], 'windowscomputer': []}
24.10.2017 17:58:32,703 LDAP        (INFO   ): group_members_sync_to_ucs: members to del: {'group': [], 'user': ['uid=Administrator,cn=users,dc=four,dc=two'], 'windowscomputer': []}

So group_members_sync_to_ucs no longer ignores the Administrator, because there is never an ignore filter for the Administrator in the group property.

->  or not self._ignore_object('group', ucs_object)

I think this check should only be used for groups.
Comment 10 Felix Botner univentionstaff 2017-10-25 14:37:46 CEST
Created attachment 9261

A proposal: check self._ignore_object for the type of object (user, group, ...) the connector has identified the object as.
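
An added example (not the connector's code and not part of the comments above): a simplified Python model of the removal decision shown in the log of comment 9, comparing an ignore check that is always keyed on 'group' with one keyed on the member's own object type, as proposed in comment 10. The function names, the ignore-filter contents and the nested group DN are constructed assumptions.

```python
# Simplified model of the member-removal decision from comments 9 and 10.
# Hypothetical names throughout; this is not the AD connector's code.

# Constructed ignore filters, keyed by object type as in the log ("key: user").
IGNORE_FILTERS = {
    "user": {"uid=administrator,cn=users,dc=four,dc=two"},
    "group": set(),  # the group filter has no entry for the Administrator
}

def ignore_object(key, dn):
    """True if dn matches the ignore filter configured under this key."""
    return dn.lower() in IGNORE_FILTERS.get(key, set())

def members_to_delete(ucs_members, members_from_ad, ucs_cache, key_for):
    """UCS members that are missing in AD but present in the sync cache are
    removal candidates, unless the ignore filter for key_for(type) matches."""
    in_ad = {dn.lower() for dns in members_from_ad.values() for dn in dns}
    cached = {dn.lower() for dn in ucs_cache}
    to_del = {"group": [], "user": [], "windowscomputer": []}
    for obj_type, dn in ucs_members:
        if dn.lower() in in_ad or dn.lower() not in cached:
            continue  # still a member in AD, or never synced by the connector
        if ignore_object(key_for(obj_type), dn):
            continue  # protected by the ignore filter for this key
        to_del[obj_type].append(dn)
    return to_del

# Constructed sample state: the Administrator plus one nested group whose
# membership was removed on the AD side (the nested group DN is made up).
UCS_MEMBERS = [
    ("user", "uid=Administrator,cn=users,dc=four,dc=two"),
    ("group", "cn=nested,cn=groups,dc=four,dc=two"),
]
MEMBERS_FROM_AD = {"unknown": [], "group": [], "user": [], "windowscomputer": []}
UCS_CACHE = [dn for _, dn in UCS_MEMBERS]

def always_group_key(obj_type):
    """Check every member against the 'group' filter (behaviour in the log)."""
    return "group"

def per_type_key(obj_type):
    """Check each member against the filter of its own type (the proposal)."""
    return obj_type

if __name__ == "__main__":
    for policy in (always_group_key, per_type_key):
        result = members_to_delete(UCS_MEMBERS, MEMBERS_FROM_AD, UCS_CACHE, policy)
        print(policy.__name__, result)
```

In both variants the nested group is still queued for removal, so the original replication fix is preserved; only the per-type check keeps the ignored Administrator in the group.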
Comment 11 Arvid Requate univentionstaff 2017-10-25 19:44:15 CEST
Patch looks good, package rebuilt with it. Advisory updated.
Comment 12 Felix Botner univentionstaff 2017-10-26 11:07:48 CEST
OK - group handling
OK - Administrator
Comment 13 Arvid Requate univentionstaff 2017-11-01 13:49:17 CET