Bug 35507 - Script for renaming Well Known SID objects in OpenLDAP to match AD object names
Script for renaming Well Known SID objects in OpenLDAP to match AD object names
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-2-errata
Assigned To: Arvid Requate
Felix Botner
Depends on:
Blocks: 34091
  Show dependency treegraph
Reported: 2014-07-29 12:03 CEST by Arvid Requate
Modified: 2014-08-07 17:44 CEST (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2014-07-29 12:03:30 CEST
When using the AD Connector against a non-english AD, there are some diffetences in group and account names. These objects are identifiable by their Well Known SIDs. The AD-Takeover backend code contains a mechanism to match corresponding objects by their SID and to rename them in OpenLDAP. We should isolate this mechanism into a script which my be called e.g. by the AD Member setup wizard.
Comment 1 Arvid Requate univentionstaff 2014-07-29 12:22:19 CEST
The script has been added and gets installed as /usr/share/univention-ad-connector/scripts/well-known-sid-object-rename. As an example it gets called by uinvention.lib.admember.configure_ad_member().

Advisory: 2014-07-03-univention-ad-connector.yaml
Comment 2 Arvid Requate univentionstaff 2014-07-29 19:31:15 CEST
The script and corresponding library function rename_well_known_sid_objects needed some adjustment:

The UMC wizard for AD Member mode setup needs to call this function *before* the univention-samba join, so the script cannot use the machine account at that point. The wizard now passes the given Administrator credentials and the script uses them to search in AD. The script takes care not to use kerberos or the connector/ad/ldap/bind* UCR settings for this step.
Comment 3 Felix Botner univentionstaff 2014-07-31 11:37:00 CEST
OK, tested with french and german AD.

31.07.14 12:31:00.778  LDAP        ( PROCESS ) : Renaming 'cn=Domain Users,cn=groups,dc=w2k12,dc=test' to 'Domänen-Benutzer' in UCS LDAP.
31.07.14 12:31:00.779  LDAP        ( WARN    ) : rename cn=Domänen-Benutzer
31.07.14 12:31:00.801  LDAP        ( PROCESS ) : Modifying 'cn=default,cn=univention,dc=w2k12,dc=test' in UCS LDAP.
31.07.14 12:31:00.806  LDAP        ( PROCESS ) : Renaming 'cn=Domain Admins,cn=groups,dc=w2k12,dc=test' to 'Domänen-Admins' in UCS LDAP.
31.07.14 12:31:00.807  LDAP        ( WARN    ) : rename cn=Domänen-Admins
31.07.14 12:31:00.841  LDAP        ( PROCESS ) : Renaming 'cn=Domain Guests,cn=groups,dc=w2k12,dc=test' to 'Domänen-Gäste' in UCS LDAP.
31.07.14 12:31:00.841  LDAP        ( WARN    ) : rename cn=Domänen-Gäste

Comment 4 Janek Walkenhorst univentionstaff 2014-08-07 17:44:37 CEST