Univention Bugzilla – Bug 36486
Users which are both expired and deactivated are rejected
Last modified: 2015-01-26 12:19:27 CET
Created attachment 6319
Excerpt from connector.log with traceback

If a user in AD is both deactivated and an account expiry date is set, the sync to UCS fails and is rejected (excerpt from connector.log attached). If you set them one after the other, the sync works fine. But if you set both at once or if the account is already deactivated and expired before the initial sync, it breaks the synchronisation.

Reported via Ticket#2014093021000791, verified with UCS 3.2-3 errata 234 and Windows Server 2012 R2.

Customer suspects line #2194 in /usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py.

I just noticed that there are actually two slightly different tracebacks:

> ldapError: Constraint violation: attribute 'shadowExpire' cannot have multiple values

This occurs when I set the checkbox to deactivate the user account and specify an account expiry date.

> ldapError: No such attribute: modify/delete: shadowExpire: no such value

This seems to occur when I try to remove both settings at once.

And then there's a third one when
1. both settings were set (and synced because I set them one after the other)
2. both settings were removed at once (and rejected with "shadowExpire: no such value")
3. I re-activate the account but keep the expiry date:

> ValueError: time data '04.11.14' does not match format '%Y-%m-%d'

25.11.14 01:53:13.107 LDAP ( ALL ) : mod dn=uid=test2,cn=users,dc=ucs,dc=dev ml=[('cn', 'test2', 'test2'), ('krb5KDCFlags', ['254'], '254'), ('sambaAcctFlags', '[ULD ]', '[ULD ]'), ('shadowExpire', '11323', '1'), ('shadowExpire', '11323', ''), ('sambaKickoffTime', '978303600', ''), ('krb5ValidEnd', ['20010101000000Z'], '0')]
25.11.14 01:53:13.107 LDAP ( INFO ) : uldap.modify uid=test2,cn=users,dc=ucs,dc=dev
25.11.14 01:53:13.108 LDAP ( ALL ) : mod dn=uid=test2,cn=users,dc=ucs,dc=dev err={'info': 'modify/delete: shadowExpire: no such value', 'desc': 'No such attribute'}
25.11.14 01:53:13.111 ADMIN ( WARN ) : Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 393, in doit
    out=_doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 980, in _doit
    dn=object.modify()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 364, in modify
    return self._modify(modify_childs,ignore_license=ignore_license)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 943, in _modify
    self.lo.modify(self.dn, ml, ignore_license=ignore_license)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 419, in modify
    raise univention.admin.uexceptions.ldapError, _err2str(msg)
ldapError: No such attribute: modify/delete: shadowExpire: no such value

modlist contains the key twice. Is that unusual?
('shadowExpire', '11323', '1'), ('shadowExpire', '11323', '')

(In reply to Florian Best from comment #3)
> modlist contains the key twice. Is that unusual?
> ('shadowExpire', '11323', '1'), ('shadowExpire', '11323', '')

Indeed, this is not good ;)
The error message from LDAP is wrong but nevertheless it has been fixed in svn r56316.

*** This bug has been marked as a duplicate of bug 36330 ***

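Added example, not part of the bug report and not the change made in svn r56316: a pre-flight check that flags a modlist in which the same attribute is listed more than once with different target values, as happened with shadowExpire above. It assumes modlist entries are (attribute, old value, new value) tuples as printed in the log; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: the modlist copied from the connector.log excerpt
# in this report, as (attribute, old_value, new_value) tuples.
MODLIST = [
    ('cn', 'test2', 'test2'),
    ('krb5KDCFlags', ['254'], '254'),
    ('sambaAcctFlags', '[ULD ]', '[ULD ]'),
    ('shadowExpire', '11323', '1'),
    ('shadowExpire', '11323', ''),
    ('sambaKickoffTime', '978303600', ''),
    ('krb5ValidEnd', ['20010101000000Z'], '0'),
]


def _values(value):
    """Normalise a modlist value (scalar, list or empty) to a sorted list.

    The log shows both '254' and ['254'] for the same attribute, so scalars
    and one-element lists must compare equal. '' and None mean "no value".
    """
    if isinstance(value, (list, tuple, set)):
        items = value
    else:
        items = [value]
    return sorted(str(i) for i in items if i not in ('', None))


def conflicting_attributes(modlist):
    """Return {attribute: [target values per entry]} for every attribute
    that appears more than once with differing target values.

    Attribute names are compared case-insensitively, as LDAP does.
    Identical repeated entries are redundant but not reported.
    """
    targets = defaultdict(list)
    for attr, _old, new in modlist:
        targets[attr.lower()].append(_values(new))
    return {
        attr: wanted
        for attr, wanted in targets.items()
        if len(wanted) > 1 and any(w != wanted[0] for w in wanted[1:])
    }


if __name__ == '__main__':
    for attr, wanted in conflicting_attributes(MODLIST).items():
        print('conflicting targets for %s: %r' % (attr, wanted))
```

A rejected sync of this kind leaves the UCS account without the deactivation or expiry set in AD, so a conflict reported here is worth logging before the modify call is attempted.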
This issue has also been reported at Ticket #2015010821000327
http://errata.univention.de/ucs/4.0/43.html