Bug 35507 - Script for renaming Well Known SID objects in OpenLDAP to match AD object names
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 3.2
Other Linux
P5 normal
UCS 3.2-2-errata
Assigned To: Arvid Requate
Felix Botner
Blocks: 34091
Reported: 2014-07-29 12:03 CEST by Arvid Requate
Modified: 2014-08-07 17:44 CEST

Description Arvid Requate univentionstaff 2014-07-29 12:03:30 CEST
When using the AD Connector against a non-English AD, there are some differences in group and account names. These objects are identifiable by their Well Known SIDs. The AD-Takeover backend code contains a mechanism to match corresponding objects by their SID and to rename them in OpenLDAP. We should isolate this mechanism into a script which may be called e.g. by the AD Member setup wizard.
Comment 1 Arvid Requate univentionstaff 2014-07-29 12:22:19 CEST
The script has been added and gets installed as /usr/share/univention-ad-connector/scripts/well-known-sid-object-rename. As an example, it gets called by univention.lib.admember.configure_ad_member().

Advisory: 2014-07-03-univention-ad-connector.yaml
Comment 2 Arvid Requate univentionstaff 2014-07-29 19:31:15 CEST
The script and corresponding library function rename_well_known_sid_objects needed some adjustment:

The UMC wizard for AD Member mode setup needs to call this function *before* the univention-samba join, so the script cannot use the machine account at that point. The wizard now passes the given Administrator credentials and the script uses them to search in AD. The script takes care not to use Kerberos or the connector/ad/ldap/bind* UCR settings for this step.
Comment 3 Felix Botner univentionstaff 2014-07-31 11:37:00 CEST
OK, tested with French and German AD.

31.07.14 12:31:00.778  LDAP        ( PROCESS ) : Renaming 'cn=Domain Users,cn=groups,dc=w2k12,dc=test' to 'Domänen-Benutzer' in UCS LDAP.
31.07.14 12:31:00.779  LDAP        ( WARN    ) : rename cn=Domänen-Benutzer
31.07.14 12:31:00.801  LDAP        ( PROCESS ) : Modifying 'cn=default,cn=univention,dc=w2k12,dc=test' in UCS LDAP.
31.07.14 12:31:00.806  LDAP        ( PROCESS ) : Renaming 'cn=Domain Admins,cn=groups,dc=w2k12,dc=test' to 'Domänen-Admins' in UCS LDAP.
31.07.14 12:31:00.807  LDAP        ( WARN    ) : rename cn=Domänen-Admins
31.07.14 12:31:00.841  LDAP        ( PROCESS ) : Renaming 'cn=Domain Guests,cn=groups,dc=w2k12,dc=test' to 'Domänen-Gäste' in UCS LDAP.
31.07.14 12:31:00.841  LDAP        ( WARN    ) : rename cn=Domänen-Gäste


YAML: OK
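
Added example, not part of the bug report and not the univention-ad-connector script: a sketch of the SID-based matching the description refers to, producing the kind of renames seen in the log above. The function names, the made-up domain SID and the sample entries are assumptions, as is the premise that each UCS object carries the same SID (sambaSID) as its AD counterpart (objectSid).

```python
import struct

# RIDs of the domain-relative well-known groups named in the log above.
WELL_KNOWN_RIDS = {512, 513, 514}  # Domain Admins, Domain Users, Domain Guests

def decode_sid(raw: bytes) -> str:
    """Convert a binary objectSid, as AD returns it over LDAP, to S-1-... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")        # 48 bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])      # 32 bit each, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid, used here only to build the constructed sample."""
    _, rev, auth, *subs = sid.split("-")
    subs = [int(s) for s in subs]
    return (bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def plan_renames(ad_entries, ucs_entries):
    """Pair objects by SID, never by name, and list the UCS renames needed.

    ad_entries:  [(binary objectSid, sAMAccountName)]
    ucs_entries: [(dn, cn, sambaSID as string)]
    """
    ad_names = {}
    for raw_sid, name in ad_entries:
        sid = decode_sid(raw_sid)
        if sid.startswith("S-1-5-21-") and int(sid.rsplit("-", 1)[1]) in WELL_KNOWN_RIDS:
            ad_names[sid] = name
    return [(dn, ad_names[sid]) for dn, cn, sid in ucs_entries
            if sid in ad_names and ad_names[sid] != cn]

# Constructed sample: the domain SID is made up, the names follow the log above.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
AD = [(encode_sid(DOM + "-513"), "Domänen-Benutzer"),
      (encode_sid(DOM + "-512"), "Domänen-Admins"),
      (encode_sid(DOM + "-1104"), "Domain Users")]   # ordinary group, decoy name
UCS = [("cn=Domain Users,cn=groups,dc=w2k12,dc=test", "Domain Users", DOM + "-513"),
       ("cn=Domain Admins,cn=groups,dc=w2k12,dc=test", "Domain Admins", DOM + "-512"),
       ("cn=Printer-Admins,cn=groups,dc=w2k12,dc=test", "Printer-Admins", DOM + "-1104")]

if __name__ == "__main__":
    for dn, new_name in plan_renames(AD, UCS):
        print("rename %r to %r" % (dn, new_name))
```

The third sample pair shows why the match goes by SID: an ordinary AD group that happens to be called "Domain Users" does not cause a rename, because its RID is not a well-known one.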
Comment 4 Janek Walkenhorst univentionstaff 2014-08-07 17:44:37 CEST
http://errata.univention.de/ucs/3.2/162.html