Bug 40233 - Re-creating a user at a different position doesn't work
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.1
Other Linux
P5 normal
UCS 4.1-0-errata
Assigned To: Stefan Gohmann
Arvid Requate
Blocks: 40234
Reported: 2015-12-12 13:56 CET by Stefan Gohmann
Modified: 2015-12-22 16:04 CET (History)

Attachments
dont_remove_dn_mapping.patch (584 bytes, patch)
2015-12-12 13:56 CET, Stefan Gohmann
125sync_recreate_user_at_different_position (1.40 KB, text/plain)
2015-12-12 14:36 CET, Stefan Gohmann

Description Stefan Gohmann univentionstaff 2015-12-12 13:56:07 CET
Created attachment 7366 [details]
dont_remove_dn_mapping.patch

In a UCS@school environment, a student has been removed at school A and added at school B. The new student is removed by the connector:

From the logfile:
sync from ucs: [          user] [    delete] cn=studentX,cn=schueler,cn=users,ou=schoolA,DC=test,DC=local
sync from ucs: [          user] [       add] cn=studentX,cn=schueler,cn=users,ou=schoolB,DC=test,DC=local
sync to ucs:   [          user] [    modify] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
sync to ucs:   [          user] [    delete] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
sync from ucs: [          user] [    delete] CN=studentX,cn=schueler,cn=users,ou=schoolB,DC=test,DC=local
sync to ucs:   [          user] [    delete] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
sync from ucs: [          user] [       add] cn=studentX,cn=schueler,cn=users,ou=schoolA,DC=test,DC=local

Since the student has been removed from the internal DN mapping, the user is searched via the samaccountname:
__dn_from_deleted_object: get DN from lastKnownParent (CN=schueler,CN=users,OU=schoolA,DC=test,DC=local) and rdn (cn=studentX)
object_from_element: DN of removed object: cn=studentX,CN=schueler,CN=users,OU=schoolA,DC=test,DC=local
_ignore_object: Do not ignore cn=studentX,CN=schueler,CN=users,OU=schoolA,DC=test,DC=local
samaccount_dn_mapping: samaccountname is:studentX
samaccount_dn_mapping: olddn: uid=studentX,cn=schueler,cn=users,ou=schoolA,dc=test,dc=local
samaccount_dn_mapping: newdn: uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
_ignore_object: Do not ignore uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
get_ucs_object: object found: uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
sync to ucs:   [          user] [    delete] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
Return  result for DN (uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local)

I think we shouldn't remove the DN mapping while removing the user, see attached patch.

Ticket #2015111821000638
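
A log check for the symptom described above, as an added example that is not part of the bug report or of the connector's code: it scans S4 connector log lines for a user that was deleted in UCS, re-added under a different parent, and then deleted again by a "sync to ucs" event at the new position. The function names and the simple comma split of the DN are assumptions of this example; the sample lines are the ones quoted in the description.

```python
import re

# Matches the connector's sync lines as quoted in the description, e.g.
# "sync from ucs: [          user] [    delete] cn=studentX,...".
LINE_RE = re.compile(
    r"sync (from|to) ucs:\s*\[\s*(\w+)\]\s*\[\s*(\w+)\]\s*(\S.*)$")

def split_dn(dn):
    """Return (account name, lower-cased parent DN).
    Assumption: no escaped commas in the RDN (naive split)."""
    rdn, _, parent = dn.strip().partition(",")
    return rdn.partition("=")[2].lower(), parent.replace(" ", "").lower()

def find_recreate_deletions(lines):
    """Flag users deleted in UCS, re-added under another parent and then
    removed by a 'sync to ucs' delete at the new position."""
    removed_from = {}   # account -> parent DN of the last UCS-side delete
    recreated_at = {}   # account -> new parent DN after re-creation
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(2) != "user":
            continue
        direction, _, op, dn = m.groups()
        name, parent = split_dn(dn)
        if direction == "from" and op == "delete":
            removed_from[name] = parent
            recreated_at.pop(name, None)
        elif direction == "from" and op == "add":
            old = removed_from.pop(name, None)
            if old is not None and old != parent:
                recreated_at[name] = parent
        elif direction == "to" and op == "delete":
            if recreated_at.get(name) == parent:
                findings.append((name, parent))
                del recreated_at[name]
    return findings

# First four sync lines from the description's logfile excerpt.
SAMPLE = [
    "sync from ucs: [          user] [    delete] cn=studentX,cn=schueler,cn=users,ou=schoolA,DC=test,DC=local",
    "sync from ucs: [          user] [       add] cn=studentX,cn=schueler,cn=users,ou=schoolB,DC=test,DC=local",
    "sync to ucs:   [          user] [    modify] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local",
    "sync to ucs:   [          user] [    delete] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local",
]

if __name__ == "__main__":
    for name, parent in find_recreate_deletions(SAMPLE):
        print("re-created user deleted by sync to ucs:", name, parent)
```
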
Comment 1 Stefan Gohmann univentionstaff 2015-12-12 14:36:43 CET
Created attachment 7367 [details]
125sync_recreate_user_at_different_position

The patch doesn't solve the issue. I wrote a simple test case which still fails.
Comment 2 Stefan Gohmann univentionstaff 2015-12-12 20:09:58 CET
Fix: r66292 → in case of a deletion, the premapped DN must be used

YAML: r66293 + r66297

Test case: r66291 → 52_s4connector/125sync_recreate_user_at_different_position

Waiting for the test results.
Comment 3 Stefan Gohmann univentionstaff 2015-12-14 15:58:24 CET
(In reply to Stefan Gohmann from comment #2)
> Waiting for the test results.

It seems to break the test case 52_s4connector/272read_ad_change_username.
Comment 4 Stefan Gohmann univentionstaff 2015-12-14 21:42:12 CET
(In reply to Stefan Gohmann from comment #3)
> (In reply to Stefan Gohmann from comment #2)
> > Waiting for the test results.
> 
> It seems to break the test case 52_s4connector/272read_ad_change_username.

OK, in case only the samAccountName was changed and the connector is in read mode, this "feature" has been used. I made a simple exception for this and in case the samAccountName was changed, the old behavior is used: r66325 + r66327
Comment 5 Stefan Gohmann univentionstaff 2015-12-15 05:52:13 CET
Two S4 Connector Jenkins tests failed last night. But it seems both are independent from these changes:

* 52_s4connector.170sync_ucs_move_user.test:

Jenkins output:
**************************************************************************
(2015-12-14 20:35:09.873979)info 2015-12-14 20:35:09	 EXECUTING: udm-test 'users/user' list | egrep '^DN: uid=ixgzdjki,cn=users,dc=AutoTest091c,dc=local$'
[2015-12-14 20:35:10.078359]DN: uid=ixgzdjki,cn=users,dc=AutoTest091c,dc=local
(2015-12-14 20:35:10.087881)info 2015-12-14 20:35:10	 users/user object ixgzdjki exists
(2015-12-14 20:35:10.561901)info 2015-12-14 20:35:10	 Object CN=ixgzdjki,CN=Users,DC=AUTOTEST091C,DC=LOCAL doesn't exist
(2015-12-14 20:35:10.562670)error 2015-12-14 20:35:10	 Expected operation to succeed, but it failed
(2015-12-14 20:35:10.563538)error 2015-12-14 20:35:10	 **************** Test failed above this line (110) ****************
**************************************************************************

S4 Connector log:
**************************************************************************
14.12.2015 20:35:22,442 MAIN        (------ ): DEBUG_INIT
14.12.2015 20:35:22,511 LDAP        (PROCESS): Building internal group membership cache
14.12.2015 20:35:22,516 LDAP        (PROCESS): Internal group membership cache was created
14.12.2015 20:35:22,698 LDAP        (PROCESS): sync from ucs: [          user] [       add] cn=ixgzdjki,cn=users,DC=autotest091c,DC=local
**************************************************************************

This is a timing issue because the user is synced at a later point.

* 52_s4connector.259read_ad_create_non_domain_user.test:

Jenkins output:
**************************************************************************
(2015-12-14 21:43:26.003035)info 2015-12-14 21:43:26	 EXECUTING: udm-test 'users/user' list | egrep '^DN: uid=mfwkjbhk,cn=users,dc=AutoTest091c,dc=local$'
[2015-12-14 21:43:26.202614]DN: uid=mfwkjbhk,cn=users,dc=AutoTest091c,dc=local
(2015-12-14 21:43:26.204019)info 2015-12-14 21:43:26	 users/user object mfwkjbhk exists
(2015-12-14 21:43:26.216938)info 2015-12-14 21:43:26	 EXECUTING: udm-test 'groups/group' list --filter "cn=kyybpbhj" | egrep '^ *users: ' | sed 's/^ *users: //'
(2015-12-14 21:43:26.380471)info 2015-12-14 21:43:26	 Value of "users" is "", does not contain line "uid=mfwkjbhk,cn=users,dc=AutoTest091c,dc=local"
(2015-12-14 21:43:26.381252)error 2015-12-14 21:43:26	 Expected operation to succeed, but it failed
(2015-12-14 21:43:26.382469)error 2015-12-14 21:43:26	 **************** Test failed above this line (110) ****************
**************************************************************************

S4 Connector log:
**************************************************************************
14.12.2015 21:43:08,594 LDAP        (PROCESS): Building internal group membership cache
14.12.2015 21:43:08,611 LDAP        (PROCESS): Internal group membership cache was created
14.12.2015 21:43:08,800 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=mfwkjbhk,CN=Users,DC=autotest091c,DC=local
14.12.2015 21:43:08,813 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=mfwkjbhk,cn=users,dc=AutoTest091c,dc=local
14.12.2015 21:43:08,957 LDAP        (WARNING): password_sync_ucs_s4_to_ucs: Failed to get Password-Hash from S4
14.12.2015 21:43:30,777 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=domain users,cn=groups,dc=AutoTest091c,dc=local
14.12.2015 21:43:30,840 LDAP        (PROCESS): sync to ucs:   [          user] [    delete] uid=mfwkjbhk,cn=users,dc=AutoTest091c,dc=local
14.12.2015 21:43:31,13 LDAP        (PROCESS): sync to ucs:   [         group] [    delete] cn=kyybpbhj,cn=groups,dc=AutoTest091c,dc=local
**************************************************************************

The sync order seems to be important. The test case fails from time to time, for example Build #123, Build #109.
Comment 6 Arvid Requate univentionstaff 2015-12-21 15:57:43 CET
Code review: Ok
Update & Test: Ok
Advisory: Ok
Comment 7 Arvid Requate univentionstaff 2015-12-22 16:04:42 CET
<http://errata.software-univention.de/ucs/4.1/39.html>