Bug 34093 - UCS in Active Directory domain: Show a warning while creating objects
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 3.2
Other Linux
P5 enhancement
UCS 3.2-2-errata
Assigned To: Florian Best
Dirk Wiesenthal
Blocks: 34091 34092 35610
Reported: 2014-02-10 09:56 CET by Stefan Gohmann
Modified: 2014-08-14 11:45 CEST
Description Stefan Gohmann univentionstaff 2014-02-10 09:56:13 CET
+++ This bug was initially created as a clone of Bug #34091 +++
Furthermore, the object creation via UMC should display a warning that this object will not be synchronized to AD.
Comment 1 Florian Best univentionstaff 2014-02-14 15:06:59 CET
r47820: show warning in frontend if the system is a member of an AD domain when creating objects which are not synced back to AD
Comment 2 Florian Best univentionstaff 2014-02-14 15:16:50 CET
TODO: The warning-text should be adapted (and translated).
TODO: The icon is currently shown twice (because the style-attribute of the Text widget is applied to two dom-elements (WTF))
Comment 3 Florian Best univentionstaff 2014-02-24 17:16:29 CET
(In reply to Florian Best from comment #2)
> TODO: The warning-text should be adapted (and translated).
> TODO: The icon is currently shown twice (because the style-attribute of the
> Text widget is applied to two dom-elements (WTF))

→ both in svn48026 48027: adapt wording of UCS in AD warning
Comment 4 Florian Best univentionstaff 2014-02-25 08:39:28 CET
The warning is shown for the object types configured by the following UCR variable:
directory/manager/web/modules/$module/show/adnotification

e.g.
directory/manager/web/modules/computers/computer/show/adnotification: true
directory/manager/web/modules/groups/group/show/adnotification: true
directory/manager/web/modules/users/user/show/adnotification: true
Comment 5 Florian Best univentionstaff 2014-02-25 11:34:13 CET
By default the warning is now shown for container/ou, container/cn, users/user and groups/group (set in umc-udm postinst).
Comment 6 Stefan Gohmann univentionstaff 2014-06-11 07:57:50 CEST
Please merge the changes to UCS 3.2-2. It should be released as erratum.
Comment 7 Florian Best univentionstaff 2014-07-03 12:38:02 CEST
Package: univention-management-console-module-udm
Version: 4.0.97-25.449.201407031234
Scope: errata3.2-2
Comment 8 Stefan Gohmann univentionstaff 2014-07-03 14:50:35 CEST
Currently, the template selection is shown first and then the warning. I think we should change the order.
Comment 9 Florian Best univentionstaff 2014-07-07 13:43:43 CEST
Merged also svn48117 and svn48140.
Comment 10 Felix Botner univentionstaff 2014-07-07 15:26:21 CEST
The "Password" dialog of the user wizard does not go away after "Create User" (should go back to a new empty "User information" dialog).
Comment 11 Florian Best univentionstaff 2014-07-08 09:58:04 CEST
(In reply to Stefan Gohmann from comment #8)
> Currently, the template selection is shown first and then the warning. I
> think we should change the order.
Yes, it has been changed for the specific modules (users/user, groups/group, …) but not for the navigation flavor because the object type selection is part of the template selection page.

(In reply to Felix Botner from comment #10)
> The "Password" dialog of the user wizard does not go away after "Create
> User" (should go back to a new empty "User information" dialog).
Yes, this has been fixed.

Package: univention-management-console-module-udm
Version: 4.0.97-27.451.201407080957
Comment 12 Dirk Wiesenthal univentionstaff 2014-07-24 12:24:32 CEST
directory/manager/web/modules/computers/computer/show/adnotification: true

=> does not work (probably due to checking for specific udm type, not the "main type"?)

Wording:
German: "UCS System" -> "UCS-System"; "Active Directory Domäne" -> "Active Directory-Domäne" (etc)
"Klicken Sie bitte auf Weiter um diese Warnung zu ignorieren" -> "Klicken Sie auf Weiter, um Benutzer nur für UCS-Systeme anzulegen."

English:
"Please press Next to ignore this warning." -> "Press Next to create users only available on UCS systems."
Comment 13 Dirk Wiesenthal univentionstaff 2014-07-24 12:54:03 CEST
What about DNS objects, DHCP etc. As far as I understand, Active Directory handles that for UCS now. Shouldn't we show a warning for other modules, too? Printers can also be added in AD...
Comment 14 Florian Best univentionstaff 2014-07-28 08:57:14 CEST
(In reply to Dirk Wiesenthal from comment #13)
> What about DNS objects, DHCP etc. As far as I understand, Active Directory
> handles that for UCS now. Shouldn't we show a warning for other modules,
> too? Printers can also be added in AD...
IIRC we wanted to disable those flavors directly via XML.
Comment 15 Stefan Gohmann univentionstaff 2014-07-28 09:14:34 CEST
(In reply to Florian Best from comment #14)
> (In reply to Dirk Wiesenthal from comment #13)
> > What about DNS objects, DHCP etc. As far as I understand, Active Directory
> > handles that for UCS now. Shouldn't we show a warning for other modules,
> > too? Printers can also be added in AD...
> IIRC we wanted to disable those flavors directly via XML.

DHCP is still possible without any problems.

For DNS we should change the module description to say that these values should be configured in AD. The current module description, "Configuration of DNS settings in the domain", could be changed to:
"Configuration of DNS settings in the UCS domain. Please use the Active Directory administration utilities to make these changes available in the whole domain."

The printer administration should be still possible.
Comment 16 Florian Best univentionstaff 2014-07-28 09:55:11 CEST
(In reply to Dirk Wiesenthal from comment #12)
> directory/manager/web/modules/computers/computer/show/adnotification: true
> 
> => does not work (probably due to checking for specific udm type, not the
> "main type"?)
> 
> Wording:
> German: "UCS System" -> "UCS-System"; "Active Directory Domäne" -> "Active
> Directory-Domäne" (etc)
> "Klicken Sie bitte auf Weiter um diese Warnung zu ignorieren" -> "Klicken
> Sie auf Weiter, um Benutzer nur für UCS-Systeme anzulegen."
> 
> English:
> "Please press Next to ignore this warning." -> "Press Next to create users
> only available on UCS systems."

fixed in svn52265 (not yet merged to UCS4).
computers/computer is now evaluated. It was broken due to comment #8 (comment #11). The object selection was done on the first page but we display the notification before we know the type. Now the whole flavor can be disabled.
Comment 17 Dirk Wiesenthal univentionstaff 2014-07-29 20:49:02 CEST
Using navigation yields (for users/user):

Warnung! Neu erzeugte LDAP-Objekte werden nur auf UCS-Systemen und nicht in der Active Directory Domäne vorhanden sein

Could you please check whether it is possible (within a reasonable amount of time) to pass the verbose name of the object to that warning message? I know that we also have a "Create LDAP object" instead of "Create user" in navigation. But the sentence in this form is a bit too far-ranging (and "LDAP-Objekte dieses Typs" may be equally hacky to implement).

If this is not really possible I might accept it.
Comment 18 Dirk Wiesenthal univentionstaff 2014-07-29 20:50:39 CEST
Oh, real REOPEN: computers/computer warning now works fine in computers/computer flavor. But it does not in navigation.
Comment 19 Dirk Wiesenthal univentionstaff 2014-07-29 21:04:06 CEST
What about a module.addNotification(this.object.name + ' is part of the Active Directory domain. UCS can only change certain attributes.')?
Comment 20 Florian Best univentionstaff 2014-07-30 09:09:58 CEST
(In reply to Dirk Wiesenthal from comment #18)
> Oh, real REOPEN: computers/computer warning now works fine in
> computers/computer flavor. But it does not in navigation.
The question is:
should we set UCR variables for all computer types like:
directory/manager/web/modules/computers/domaincontroller_slave/show/adnotification=true
directory/manager/web/modules/computers/domaincontroller_master/show/adnotification=true
…

or just computers/computer to show the warning for all computers/* objects?
→ The latter would have the disadvantage that it would disable every sub object type of that main type.

The change is very tricky because of the different behavior in 'navigation' and the wish to show the message before the selection of the real object type.

(In reply to Dirk Wiesenthal from comment #19)
> What about a module.addNotification(this.object.name + ' is part of the
> Active Directory domain. UCS can only change certain attributes.')?
What do you mean? Instead of the dialog? When should the notification be added? Yes, this would be much simpler.
Comment 21 Florian Best univentionstaff 2014-07-30 15:37:00 CEST
* fixed DNS
* fixed computer
* added notification in edit mode
* fixed object name in navigation flavor (works only when it was changed 1 time)
Comment 22 Florian Best univentionstaff 2014-07-30 15:37:13 CEST
merged to 3.2-3 and 4.0-0
Comment 23 Dirk Wiesenthal univentionstaff 2014-07-30 21:55:29 CEST
(In reply to Florian Best from comment #21)
> * added notification in edit mode

When editing Backup Join (non-AD I suppose), I get this warning nevertheless:

group "" is part of the Active Directory domain. UCS can only change certain attributes.

1. Warning should not be seen
2. group should be capitalized. Or I suggest translating "The %s "%s" is part" with "%s "%s" ist Teil"
3. Why is the name empty? Has this something to do with the group not really synced?
Comment 24 Dirk Wiesenthal univentionstaff 2014-07-30 22:18:25 CEST
(In reply to Florian Best from comment #21)
> * fixed computer

Really? I can still edit WIN7PRO. I have installed the latest packages and got ad/member with those. Or am I missing something?
Comment 25 Dirk Wiesenthal univentionstaff 2014-07-30 22:30:17 CEST
The new navigation warning works (almost). Why does it only get the real name when the user changed the type? First object type is computers/domaincontroller_backup

Additionally you include the value from the ComboBox, which makes sentences sound wrong:

Please use the Active Directory administration utilities to create new domain User.

User is capitalized and without any article. This only works in German (by accident).

I suggest rephrasing the whole warning a little bit for navigation.

Warning! Newly created LDAP objects of this type will only be available on UCS systems and not in the Active Directory domain. Please use the Active Directory administration utilities to create new domain LDAP objects of this type. Press Next to create **an LDAP object of this type** only available on UCS systems.

Is this possible? I guess it is even easier to implement. Or at least would have been if I suggested it earlier...
Comment 26 Dirk Wiesenthal univentionstaff 2014-07-30 22:35:41 CEST
(In reply to Dirk Wiesenthal from comment #23)
> (In reply to Florian Best from comment #21)
> group "" is part of the Active Directory domain. UCS can only change certain
> attributes.
> 

Seems to work for users, computer. But not for groups.

The warning is shown even when editing a completely AD unrelated object (Mail).
Comment 27 Dirk Wiesenthal univentionstaff 2014-07-30 22:41:20 CEST
DNS object "" is part of the Active Directory domain. UCS can only change certain attributes.

1. Empty name error
2. This DNS object is not really part of the Active Directory domain:
Bug #34092, comment #20:
> Currently we don't sync the DNS settings between UCS and AD. By default all
> UCS systems use the AD DNS.
Comment 28 Florian Best univentionstaff 2014-07-31 08:17:51 CEST
(In reply to Dirk Wiesenthal from comment #23)
> (In reply to Florian Best from comment #21)
> > * added notification in edit mode
> 
> When editing Backup Join (non-AD I suppose), I get this warning nevertheless:
> 
> group "" is part of the Active Directory domain. UCS can only change certain
> attributes.
> 
> 1. Warning should not be seen
fixed
> 2. group should be capitalized. Or I suggest translating "The %s "%s" is
> part" with "%s "%s" ist Teil"
fixed
> 3. Why is the name empty? Has this something to do with the group not really
> synced?
Because the form.ready() was already done but the object was not loaded.
fixed

(In reply to Dirk Wiesenthal from comment #24)
> (In reply to Florian Best from comment #21)
> > * fixed computer
> 
> Really? I can still edit WIN7PRO. I have installed the latest packages and
> got ad/member with those. Or am I missing something?
By "fixed computer" it was meant that the message is shown for computer objects (comment #16).

(In reply to Dirk Wiesenthal from comment #25)
> The new navigation warning works (almost). Why does it only get the real
> name when the user changed the type? First object type is
> computers/domaincontroller_backup
TODO: well something strange happens in initial form loading...

> Additionally you include the value from the ComboBox, which makes sentences
> sound wrong:
> 
> Please use the Active Directory administration utilities to create new
> domain User.
> 
> User is capitalized and without any article. This only works in German (by
> accident).
TODO
 
> I suggest rephrasing the whole warning a little bit for navigation.
> 
> Warning! Newly created LDAP objects of this type will only be available on
> UCS systems and not in the Active Directory domain. Please use the Active
> Directory administration utilities to create new domain LDAP objects of this
> type. Press Next to create **an LDAP object of this type** only available on
> UCS systems.
TODO
> Is this possible? I guess it is even easier to implement. Or at least would
> have been if I suggested it earlier...

(In reply to Dirk Wiesenthal from comment #26)
> (In reply to Dirk Wiesenthal from comment #23)
> > (In reply to Florian Best from comment #21)
> > group "" is part of the Active Directory domain. UCS can only change certain
> > attributes.
> > 
> 
> Seems to work for users, computer. But not for groups.
> 
> The warning is shown even when editing a completely AD unrelated object
> (Mail).
fixed, as said above.

(In reply to Dirk Wiesenthal from comment #27)
> DNS object "" is part of the Active Directory domain. UCS can only change
> certain attributes.
> 
> 1. Empty name error
fixed
> 2. This DNS object is not really part of the Active Directory domain:
> Bug #34092, comment #20:
> > Currently we don't sync the DNS settings between UCS and AD. By default all
> > UCS systems use the AD DNS.
Well, no univentionObjectFlag == synced
Comment 29 Stefan Gohmann univentionstaff 2014-08-01 09:08:36 CEST
(In reply to Florian Best from comment #28)
> (In reply to Dirk Wiesenthal from comment #25)
> > The new navigation warning works (almost). Why does it only get the real
> > name when the user changed the type? First object type is
> > computers/domaincontroller_backup
> TODO: well something strange happens in initial form loading...

I've created a new bug for this issue: Bug #35539

> > Additionally you include the value from the ComboBox, which makes sentences
> > sound wrong:
> > 
> > Please use the Active Directory administration utilities to create new
> > domain User.
> > 
> > User is capitalized and without any article. This only works in German (by
> > accident).
> TODO

Do you mean the message in LDAP navigation? This has been fixed with r52439.

> > I suggest rephrasing the whole warning a little bit for navigation.
> > 
> > Warning! Newly created LDAP objects of this type will only be available on
> > UCS systems and not in the Active Directory domain. Please use the Active
> > Directory administration utilities to create new domain LDAP objects of this
> > type. Press Next to create **an LDAP object of this type** only available on
> > UCS systems.
> TODO

Fixed with r52439.
Comment 30 Dirk Wiesenthal univentionstaff 2014-08-04 10:38:39 CEST
Ok, works. Minor adaptions.
YAML: Ok.
Comment 31 Janek Walkenhorst univentionstaff 2014-08-07 17:47:22 CEST
http://errata.univention.de/ucs/3.2/169.html