Univention Bugzilla – Bug 20235
make LDAP-"operational attributes" available as extended attribute
Last modified: 2023-02-13 12:31:43 CET
I just tried to display "creatorsName" or "modifyTimestamp" via an extended attribute, but the fields are empty. It would be very convenient if that worked. I suspect that for this, "+" has to be added to the list of attributes in the search when searching for objects; if no attribute was specified before, one would have to pass ["*","+"].
requested by 2013041021001785 situation is still the same with UCS 3.1. This patch for uldap.py makes extended attributes working at the command line (in UMC the attributes are empty?): root@schmaster:~# diff /usr/share/pyshared/univention/admin/uldap.py /usr/share/pyshared/univention/admin/uldap.py~ 337,341d336 < if len(attr) == 0: < attr = ['+','*'] < else: < attr.append('+') < DN: cn=modifyTimestamp,cn=internalAttributes,cn=custom attributes,cn=univention,dc=ucs,dc=test ARG: None objectClass: top groupPosition: None module: users/user [..further modules...] overwritePosition: None hook: None overwriteTab: None shortDescription: modifyTimestamp creatorsName: cn=admin,dc=ucs,dc=test groupName: None version: 2 valueRequired: None CLIName: modifyTimestamp fullWidth: None longDescription: None doNotSearch: None modifiersName: cn=admin,dc=ucs,dc=test tabName: History syntax: None modifyTimestamp: 20130809225142Z tabAdvanced: 1 name: modifyTimestamp default: None mayChange: None createTimestamp: 20130809225017Z multivalue: None ldapMapping: modifyTimestamp deleteObjectClass: None notEditable: 1 options: None tabPosition: None disableUDMWeb: None
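Review bot: In the else branch, attr.append('+') modifies the list object the caller passed in, so a list that is reused across searches picks up '+' (and repeated '+' entries) as a side effect, and len(attr) raises if attr is None. Build a new list instead, for example attr = list(attr) + ['+'], and skip the addition when '+' is already present. Because the change applies to every search, every result now carries all operational attributes; requesting only the operational attribute names that are actually mapped would keep results smaller. The diff was taken from the patched file to the backup, so the added lines show up with '<'; a unified diff from uldap.py~ to uldap.py would be easier to read.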
*** Bug 40910 has been marked as a duplicate of this bug. ***
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Asked for in TT 2021-06-17/18
udm settings/extended_attribute create --set name=modifyTimestamp --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" --append module=users/user --set shortDescription=modifyTimestamp --set ldapMapping=modifyTimestamp --set objectClass=top --set notEditable=1 --set mayChange=0
We can find out the names of the operational attributes programmatically:

>>> schema = lo.get_schema()
>>> attrs = [schema.get_obj(ldap.schema.models.AttributeType, x) for x in schema.listall(ldap.schema.models.AttributeType)]
>>> set([a.names[0] for a in attrs if a.usage == ldap.schema.models.AttributeUsage['directoryoperation']])
{'objectClasses', 'subschemaSubentry', 'attributeTypes', 'modifiersName', 'hasSubordinates', 'ldapSyntaxes', 'modifyTimestamp', 'creatorsName', 'matchingRuleUse', 'createTimestamp', 'entryDN', 'entryUUID', 'matchingRules', 'structuralObjectClass'}
>>> set([a.names[0] for a in attrs if a.usage == ldap.schema.models.AttributeUsage['dsaoperation']])
{'vendorName', 'supportedLDAPVersion', 'supportedSASLMechanisms', 'dynamicSubtrees', 'supportedFeatures', 'supportedControl', 'altServer', 'entryTtl', 'namingContexts', 'supportedExtension', 'vendorVersion', 'memberOf'}
>>> set([a.names[0] for a in attrs if a.usage == ldap.schema.models.AttributeUsage['distributedoperation']])
{'ref'}
(In reply to Florian Best from comment #8)
> We can find out the names of the operational attributes programmatically:

Unsure why that is needed, but: We just had a support case where a previous schema did define some attribute "wxVlan". The schema was later removed *before* all attributes were deleted, so they remained. `slaptest` printed a warning about the missing schema definition but `slapd` still started up. But joining a Backup/Replica server then failed because UDL is doing the equivalent of `ldapsearch * +` (all regular *and* operational attributes), which included the previous _regular_ attribute "wxVlan" as an _operation attribute_ "WXVLAN"! `replication.py` tried to insert that into the local LDAP which failed because of the missing schema definition. Searching explicitly for that attribute (`ldapsearch wxvlan=*`) did not work because the schema was already removed: a schema defines the "SYNTAX type and EQUALITY comparison" and without that information searching no longer works.

Added to https://help.univention.com/t/problem-after-a-ldap-schema-was-removed-there-are-still-some-references-in-your-ldap/11810 and https://help.univention.com/t/remove-ldap-schema-extensions/6443
simpleLDAP._static_ldap_attributes can now be used to extend the fetched attributes. This is used by the initialization of extended attributes.

univention-directory-manager-modules.yaml
757da3937555 | Bug #20235: Make LDAP operational attributes available as extended attribute

univention-directory-manager-modules (15.0.13-10)
757da3937555 | Bug #20235: Make LDAP operational attributes available as extended attribute

ucs-test (10.0.7-27)
757da3937555 | Bug #20235: Make LDAP operational attributes available as extended attribute
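Why the extended attribute fields stayed empty, and how a request list can name only the operational attributes it needs instead of "+", shown as an added example that is not taken from uldap.py or from the fix. `build_attr_list`, `server_select` and the sample entry are hypothetical; the selection rules assumed are those of RFC 4511 (empty list or "*" returns user attributes) and RFC 3673 ("+" returns all operational attributes).

```python
# Added illustration; not code from univention.admin.uldap.
# Operational attribute names taken from the list earlier in this thread (subset).
OPERATIONAL = {"creatorsName", "createTimestamp", "modifiersName",
               "modifyTimestamp", "entryUUID", "entryDN"}


def build_attr_list(attr, operational=()):
    """Return a new request list that also fetches the named operational
    attributes. The caller's list is never modified."""
    requested = list(attr) if attr else ["*"]
    lowered = {a.lower() for a in requested}
    if "+" in lowered:
        return requested  # all operational attributes are already requested
    for name in operational:
        if name.lower() not in lowered:
            requested.append(name)
            lowered.add(name.lower())
    return requested


def server_select(entry, attr):
    """Mimic which attributes a server returns for a given request list."""
    wanted = {a.lower() for a in attr} or {"*"}  # empty list means "*"
    result = {}
    for name, values in entry.items():
        is_op = name in OPERATIONAL
        if (name.lower() in wanted
                or ("+" in wanted and is_op)
                or ("*" in wanted and not is_op)):
            result[name] = values
    return result


# Constructed sample entry (values are made up for this example).
ENTRY = {
    "uid": ["alice"],
    "cn": ["Alice Example"],
    "creatorsName": ["cn=admin,dc=ucs,dc=test"],
    "modifyTimestamp": ["20130809225142Z"],
    "entryUUID": ["00000000-0000-0000-0000-000000000000"],
}

if __name__ == "__main__":
    print(server_select(ENTRY, []))  # user attributes only: fields stay empty
    attrs = build_attr_list([], ["creatorsName", "modifyTimestamp"])
    print(attrs, server_select(ENTRY, attrs))
```
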
QA: https://git.knut.univention.de/univention/ucs/-/merge_requests/528#note_100104
<https://errata.software-univention.de/#/?erratum=5.0x489>
FYI: I shared a more complex example use case here: https://help.univention.com/t/when-was-an-ldap-object-created-or-modified-display-ldap-operational-attributes-in-extended-attributes/20968