Bug 32322 - Missing SID mapping compare function
Missing SID mapping compare function
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 3.0
Other Linux
: P5 normal (vote)
: UCS 3.2
Assigned To: Stefan Gohmann
Felix Botner
: interim-2
: 27264 (view as bug list)
Depends on:
Blocks: 31695
  Show dependency treegraph
 
Reported: 2013-08-22 19:22 CEST by Stefan Gohmann
Modified: 2014-03-19 17:43 CET (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted after Product Owner Review:
Ticket number:
Bug group (optional): UCS Performance
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2013-08-22 19:22:13 CEST
The SID mapping uses the normal lowercase compare function. The comparison is always false. The result is a modreplace in S4 which costs a lot of time in an environment with 30.000 users.
Comment 1 Stefan Gohmann univentionstaff 2013-08-28 06:45:32 CEST
A compare function has been added:
 Code: r43496
 Changelog: r43497
Comment 2 Stefan Gohmann univentionstaff 2013-08-28 09:03:14 CEST
Code: + r43499 + r43500 + r43502 + r43503
Comment 3 Felix Botner univentionstaff 2013-09-19 10:35:26 CEST
added some debug stuff in s4connector/s4/__init__.py and s4connector/__init__.py ...

OK - SID Changed in UCS:
------------------------

-> udm users/user modify --dn uid=test1,dc=hans,dc=de --set sambaRID=1111
-> connector-s4.log
  sync from ucs: [          user] [    modify] cn=test1,dc=hans,dc=de
  attr objectSid
  ucs value ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00&3S\xd3Z\xf4\xee\x93V\xde\xe8 M\x01\x00\x00']
  s4 value ['S-1-5-21-3545445158-2481910874-552132182-222']
  values not equal
  modlist [(2, 'objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00&3S\xd3Z\xf4\xee\x93V\xde\xe8 M\x01\x00\x00'])]
-> univention-ldapsearch uid=test1 | grep sambaSID && univention-s4search cn=test1 | grep Sid
sambaSID: S-1-5-21-3545445158-2481910874-552132182-333
objectSid: S-1-5-21-3545445158-2481910874-552132182-333

OK - displayName changed in UCS, SID not changed:
-------------------------------------------------

-> udm users/user modify --dn uid=test1,dc=hans,dc=de --set displayName=name
-> connector-s4.log
  sync from ucs: [          user] [    modify] cn=test1,dc=hans,dc=de
  attr objectSid
  ucs value ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00&3S\xd3Z\xf4\xee\x93V\xde\xe8 M\x01\x00\x00']
  s4 value ['S-1-5-21-3545445158-2481910874-552132182-333']
  values equal
  modlist []

OK - displayName changed S4, SID not changed:
---------------------------------------------

-> ldbedit test1 (displayName)
-> connector-s4.log
  sync to ucs:   [          user] [    modify] uid=test1,dc=hans,dc=de
  attr sambaRID
   ucs value 333
   s4 value 333
    equal
  attr displayName
   ucs value nameS44
   s4 value nameS444
    not equal
-> univention-ldapsearch uid=test1 | grep displayName && univention-s4search cn=test1 | grep displayName
displayName: nameS444
displayName: nameS444

OK - New user in S4:
--------------------

-> samba-tool user create test3 univention123AA
-> connector-s4.log
  sync to ucs:   [          user] [       add] uid=test3,cn=users,dc=hans,dc=de
  attr sambaRID
   ucs value None
   s4 value 1113
    not equal
  attr username
   ucs value None
   s4 value test3
    not equal

OK - SID changed in S4:
-----------------------

-> changed "/usr/share/univention-s4-connector/sync_krbtgt" to modify S4 sid
    ...
    def sync_password( self ):
        modlist=[]
        from samba.dcerpc import security
        from samba.ndr import ndr_pack, ndr_unpack
        sid = "S-1-5-21-3545445158-2481910874-552132182-555"
        sidValue = ndr_pack(security.dom_sid('%s' % sid))
        attr = "objectSid"
        modlist.append((ldap.MOD_REPLACE, attr, sidValue))
        dn = "CN=test1,DC=hans,DC=de"
        LDB_CONTROL_PROVISION_OID = '1.3.6.1.4.1.7165.4.3.16'
        controls = [ LDAPControl(LDB_CONTROL_PROVISION_OID,criticality=0) ]
        self.lo_s4.lo.modify_ext_s(dn, modlist, serverctrls=controls)
    ...
-> connector-s4.log
  sync to ucs:   [          user] [    modify] uid=test1,dc=hans,dc=de
  attr sambaRID
   ucs value 333
   s4 value 555
    not equal
-> univention-s4search cn=test1 | grep -i objectSid && univention-ldapsearch uid=test1 | grep sambaSID
objectSid: S-1-5-21-3545445158-2481910874-552132182-555
sambaSID: S-1-5-21-3545445158-2481910874-552132182-555


OK -Changelog
Comment 4 Stefan Gohmann univentionstaff 2013-11-19 06:43:36 CET
UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".
Comment 5 Stefan Gohmann univentionstaff 2014-03-19 17:43:17 CET
*** Bug 27264 has been marked as a duplicate of this bug. ***