Bug 20235 - make LDAP-"operational attributes" available as extended attribute
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM - Extended Attributes
UCS 4.4
Other Linux
: P5 enhancement with 3 votes
: UCS 5.0-2-errata
Assigned To: Florian Best
Peter Stoll
https://git.knut.univention.de/univen...
: 40910
Depends on:
Blocks: 55670 25907 31857 40910
Reported: 2010-10-04 14:15 CEST by Ingo Steuwer
Modified: 2023-02-13 12:31 CET (History)
6 users (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2013041021001785
Bug group (optional): Forked for project
Max CVSS v3 score:


Description Ingo Steuwer univentionstaff 2010-10-04 14:15:37 CEST
I just tried to display "creatorsName" or "modifyTimestamp" via an extended attribute, but the fields are empty. It would be very convenient if that worked.

I suspect that for this, "+" has to be added to the list of attributes in the search when searching for objects; if no attribute was specified before, ["*","+"] would have to be passed.
Comment 1 Ingo Steuwer univentionstaff 2013-08-19 10:31:03 CEST
requested by 2013041021001785

situation is still the same with UCS 3.1.

This patch for uldap.py makes extended attributes work at the command line (in UMC the attributes are empty?):

root@schmaster:~# diff /usr/share/pyshared/univention/admin/uldap.py /usr/share/pyshared/univention/admin/uldap.py~
337,341d336
<               if len(attr) == 0:
<                       attr = ['+','*']
<               else:
<                       attr.append('+')
< 
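Review bot: `attr.append('+')` in the else branch modifies the caller's list in place, so a list object that is reused across searches gains another '+' on every call, and a caller passing a tuple fails; build a new list instead, for example `attr = list(attr) + ['+']`, and skip it when '+' is already present. The `len(attr) == 0` test also assumes attr is never None. Because this asks for every operational attribute on every search, consider requesting only the operational attributes that an extended attribute actually maps. The diff arguments are also reversed (patched file first, backup second), so the added lines show up with `<` as if they were being deleted.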



DN: cn=modifyTimestamp,cn=internalAttributes,cn=custom attributes,cn=univention,dc=ucs,dc=test
ARG: None
  objectClass: top
  groupPosition: None
  module: users/user
 [..further modules...]
  overwritePosition: None
  hook: None
  overwriteTab: None
  shortDescription: modifyTimestamp
  creatorsName: cn=admin,dc=ucs,dc=test
  groupName: None
  version: 2
  valueRequired: None
  CLIName: modifyTimestamp
  fullWidth: None
  longDescription: None
  doNotSearch: None
  modifiersName: cn=admin,dc=ucs,dc=test
  tabName: History
  syntax: None
  modifyTimestamp: 20130809225142Z
  tabAdvanced: 1
  name: modifyTimestamp
  default: None
  mayChange: None
  createTimestamp: 20130809225017Z
  multivalue: None
  ldapMapping: modifyTimestamp
  deleteObjectClass: None
  notEditable: 1
  options: None
  tabPosition: None
  disableUDMWeb: None
Comment 2 Florian Best univentionstaff 2016-03-18 06:16:44 CET
*** Bug 40910 has been marked as a duplicate of this bug. ***
Comment 3 Stefan Gohmann univentionstaff 2017-06-16 20:37:57 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Comment 4 Florian Best univentionstaff 2017-06-28 14:52:44 CEST
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Comment 5 Philipp Hahn univentionstaff 2021-06-18 17:16:44 CEST
Asked for in TT 2021-06-17/18
Comment 6 Florian Best univentionstaff 2022-06-24 09:39:07 CEST
udm settings/extended_attribute create --set name=modifyTimestamp --position "cn=custom attributes,cn=univention,$(ucr get ldap/base)" --append module=users/user --set shortDescription=modifyTimestamp --set ldapMapping=modifyTimestamp --set objectClass=top  --set notEditable=1 --set mayChange=0
Comment 8 Florian Best univentionstaff 2022-10-07 15:19:10 CEST
We can find out the names of the operational attributes programmatically:

>>> schema = lo.get_schema()
>>> attrs = [schema.get_obj(ldap.schema.models.AttributeType, x) for x in schema.listall(ldap.schema.models.AttributeType)]
>>> set([a.names[0] for a in attrs if a.usage == ldap.schema.models.AttributeUsage['directoryoperation']])
{'objectClasses', 'subschemaSubentry', 'attributeTypes', 'modifiersName', 'hasSubordinates', 'ldapSyntaxes', 'modifyTimestamp', 'creatorsName', 'matchingRuleUse', 'createTimestamp', 'entryDN', 'entryUUID', 'matchingRules', 'structuralObjectClass'}
>>> set([a.names[0] for a in attrs if a.usage == ldap.schema.models.AttributeUsage['dsaoperation']])
{'vendorName', 'supportedLDAPVersion', 'supportedSASLMechanisms', 'dynamicSubtrees', 'supportedFeatures', 'supportedControl', 'altServer', 'entryTtl', 'namingContexts', 'supportedExtension', 'vendorVersion', 'memberOf'}
>>> set([a.names[0] for a in attrs if a.usage == ldap.schema.models.AttributeUsage['distributedoperation']])
{'ref'}
Comment 9 Philipp Hahn univentionstaff 2022-10-07 15:58:43 CEST
(In reply to Florian Best from comment #8)
> We can find out the names of the operational attributes programmatically:

Unsure why that is needed, but:
We just had a support case where a previous schema did define some attribute "wxVlan". The schema was later removed *before* all attributes were deleted, so they remained. `slaptest` printed a warning about the missing schema definition but `slapd` still started up.
But joining a Backup/Replica server then failed because UDL is doing the equivalent of `ldapsearch * +` (all regular *and* operational attributes), which included the previous _regular_ attribute "wxVlan" as an _operation attribute_ "WXVLAN"! `replication.py` tried to insert that into the local LDAP which failed because of the missing schema definition.

Searching explicitly for that attribute (`ldapsearch wxvlan=*`) did not work because the schema was already removed: a schema defines the "SYNTAX type and EQUALITY comparison" and without that information searching no longer works.

Added to https://help.univention.com/t/problem-after-a-ldap-schema-was-removed-there-are-still-some-references-in-your-ldap/11810 and https://help.univention.com/t/remove-ldap-schema-extensions/6443
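Added example, not part of the original comments and not UCS code: it classifies attribute types by their USAGE keyword, as comment 8 does with python-ldap, and flags attributes in a `* +` search result that no schema definition covers, which is the situation comment 9 describes. The schema strings and the entry are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: attributeTypes values as a subschema entry returns them
# (RFC 4512 syntax). USAGE defaults to userApplications when absent.
SAMPLE_SCHEMA = [
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 2.5.4.4 NAME 'sn' SUP name )",
    "( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY generalizedTimeMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE "
    "NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE "
    "NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation )",
]

_NAME = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")
_USAGE = re.compile(r"\bUSAGE\s+(\w+)")


def parse_attribute_type(definition):
    """Return (names, usage) for one attributeTypes value."""
    m = _NAME.search(definition)
    if not m:
        return [], "userApplications"
    names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
    usage = _USAGE.search(definition)
    return names, usage.group(1) if usage else "userApplications"


def operational_attributes(schema):
    """Map usage -> set of primary names, skipping user attributes."""
    result = {}
    for definition in schema:
        names, usage = parse_attribute_type(definition)
        if names and usage != "userApplications":
            result.setdefault(usage, set()).add(names[0])
    return result


def undefined_attributes(entry, schema):
    """Attribute names in a search result that no schema definition covers."""
    known = {n.lower() for d in schema for n in parse_attribute_type(d)[0]}
    return sorted(a for a in entry if a.split(";")[0].lower() not in known)


# Constructed result of a "* +" search on an entry with a leftover attribute.
SAMPLE_ENTRY = {"cn": [b"host1"], "modifyTimestamp": [b"20130809225142Z"],
                "WXVLAN": [b"12"]}
```

Running `undefined_attributes` over entries before replicating them would surface leftovers such as "WXVLAN" before the insert into the local LDAP fails.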
Comment 10 Florian Best univentionstaff 2022-10-13 14:45:36 CEST
simpleLDAP._static_ldap_attributes can now be used to extend the fetched attributes.
This is used by the initialization of extended attributes.

univention-directory-manager-modules.yaml
757da3937555 | Bug #20235: Make LDAP operational attributes available as extended attribute

univention-directory-manager-modules (15.0.13-10)
757da3937555 | Bug #20235: Make LDAP operational attributes available as extended attribute

ucs-test (10.0.7-27)
757da3937555 | Bug #20235: Make LDAP operational attributes available as extended attribute