Univention Bugzilla – Bug 40233
Re-creating a user at a different position doesn't work
Last modified: 2015-12-22 16:04:42 CET
Created attachment 7366 [details]
dont_remove_dn_mapping.patch

In a UCS@school environment, a student has been removed at school A and added at school B. The new student is removed by the connector:

From the logfile:
sync from ucs: [ user] [ delete] cn=studentX,cn=schueler,cn=users,ou=schoolA,DC=test,DC=local
sync from ucs: [ user] [ add] cn=studentX,cn=schueler,cn=users,ou=schoolB,DC=test,DC=local
sync to ucs: [ user] [ modify] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
sync to ucs: [ user] [ delete] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
sync from ucs: [ user] [ delete] CN=studentX,cn=schueler,cn=users,ou=schoolB,DC=test,DC=local
sync to ucs: [ user] [ delete] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
sync from ucs: [ user] [ add] cn=studentX,cn=schueler,cn=users,ou=schoolA,DC=test,DC=local

Since the student has been removed from the internal DN mapping, the user is searched via the samaccountname:
__dn_from_deleted_object: get DN from lastKnownParent (CN=schueler,CN=users,OU=schoolA,DC=test,DC=local) and rdn (cn=studentX)
object_from_element: DN of removed object: cn=studentX,CN=schueler,CN=users,OU=schoolA,DC=test,DC=local
_ignore_object: Do not ignore cn=studentX,CN=schueler,CN=users,OU=schoolA,DC=test,DC=local
samaccount_dn_mapping: samaccountname is:studentX
samaccount_dn_mapping: olddn: uid=studentX,cn=schueler,cn=users,ou=schoolA,dc=test,dc=local
samaccount_dn_mapping: newdn: uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
_ignore_object: Do not ignore uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
get_ucs_object: object found: uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
sync to ucs: [ user] [ delete] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
Return result for DN (uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local)

I think we shouldn't remove the DN mapping while removing the user, see attached patch.
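Added example, not part of the original report and not the connector's own code: a log check for the sequence in the comment above, where a user removed in UCS at one position and re-created at another is then deleted again by a "sync to ucs" delete. The function names are hypothetical, and the DN comparison is deliberately naive (lower-cased, split at the first comma, escaped commas not handled).

```python
import re

# Matches connector lines such as
#   sync from ucs: [ user] [ delete] cn=studentX,cn=schueler,...
SYNC_RE = re.compile(r"sync (from|to) ucs:\s*\[\s*(\w+)\]\s*\[\s*(\w+)\]\s*(\S.*)$")

# Log excerpt quoted in the report above.
SAMPLE_LOG = """
sync from ucs: [ user] [ delete] cn=studentX,cn=schueler,cn=users,ou=schoolA,DC=test,DC=local
sync from ucs: [ user] [ add] cn=studentX,cn=schueler,cn=users,ou=schoolB,DC=test,DC=local
sync to ucs: [ user] [ modify] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
sync to ucs: [ user] [ delete] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
sync from ucs: [ user] [ delete] CN=studentX,cn=schueler,cn=users,ou=schoolB,DC=test,DC=local
sync to ucs: [ user] [ delete] uid=studentX,cn=schueler,cn=users,ou=schoolB,dc=test,dc=local
"""

def position_key(dn):
    """UCS uses uid=..., S4 uses cn=...; compare RDN value and parent only."""
    rdn, _, parent = dn.strip().lower().partition(",")
    return rdn.partition("=")[2], parent

def find_recreate_deletes(lines):
    """Return DNs deleted in UCS by the connector although the object was
    just re-created there after a UCS-side delete at another position."""
    deleted_at = {}   # name -> parents where UCS removed the object
    live = set()      # (name, parent) added on the UCS side, not yet removed
    findings = []
    for line in lines:
        m = SYNC_RE.search(line)
        if not m:
            continue
        direction, _objtype, op, dn = m.groups()
        name, parent = position_key(dn)
        if direction == "from" and op == "add":
            live.add((name, parent))
        elif direction == "from" and op == "delete":
            live.discard((name, parent))
            deleted_at.setdefault(name, set()).add(parent)
        elif direction == "to" and op == "delete" and (name, parent) in live:
            # Only the move/re-create pattern: same name, other old position.
            if deleted_at.get(name, set()) - {parent}:
                findings.append(dn.strip())
    return findings

if __name__ == "__main__":
    for dn in find_recreate_deletes(SAMPLE_LOG.splitlines()):
        print("re-created object deleted by connector:", dn)
```

A delete that reaches UCS without a preceding UCS-side delete of the same name at another position is not reported, so ordinary deletions made on the S4 side stay quiet.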
Ticket #2015111821000638
Created attachment 7367 [details]
125sync_recreate_user_at_different_position

The patch doesn't solve the issue. I wrote a simple test case which still fails.
Fix: r66292 → in case of a deletion, the premapped DN must be used
YAML: r66293 + r66297
Test case: r66291 → 52_s4connector/125sync_recreate_user_at_different_position

Waiting for the test results.
(In reply to Stefan Gohmann from comment #2)
> Waiting for the test results.

It seems to break the test case 52_s4connector/272read_ad_change_username.
(In reply to Stefan Gohmann from comment #3)
> (In reply to Stefan Gohmann from comment #2)
> > Waiting for the test results.
>
> It seems to break the test case 52_s4connector/272read_ad_change_username.

OK, in case only the samAccountName was changed and the connector is in read modus, this "feature" has been used. I made a simple exception for this and in case the samAccountName was changed, the old behavior is used: r66325 + r66327
Two S4 Connector Jenkins tests failed last night. But it seems both are independent from these changes:

* 52_s4connector.170sync_ucs_move_user.test:

Jenkins output:
**************************************************************************
(2015-12-14 20:35:09.873979)info 2015-12-14 20:35:09 EXECUTING: udm-test 'users/user' list | egrep '^DN: uid=ixgzdjki,cn=users,dc=AutoTest091c,dc=local$'
[2015-12-14 20:35:10.078359]DN: uid=ixgzdjki,cn=users,dc=AutoTest091c,dc=local
(2015-12-14 20:35:10.087881)info 2015-12-14 20:35:10 users/user object ixgzdjki exists
(2015-12-14 20:35:10.561901)info 2015-12-14 20:35:10 Object CN=ixgzdjki,CN=Users,DC=AUTOTEST091C,DC=LOCAL doesn't exist
(2015-12-14 20:35:10.562670)error 2015-12-14 20:35:10 Expected operation to succeed, but it failed
(2015-12-14 20:35:10.563538)error 2015-12-14 20:35:10 **************** Test failed above this line (110) ****************
**************************************************************************

S4 Connector log:
**************************************************************************
14.12.2015 20:35:22,442 MAIN (------ ): DEBUG_INIT
14.12.2015 20:35:22,511 LDAP (PROCESS): Building internal group membership cache
14.12.2015 20:35:22,516 LDAP (PROCESS): Internal group membership cache was created
14.12.2015 20:35:22,698 LDAP (PROCESS): sync from ucs: [ user] [ add] cn=ixgzdjki,cn=users,DC=autotest091c,DC=local
**************************************************************************

This is a timing issue because the user is synced at a later point.

* 52_s4connector.259read_ad_create_non_domain_user.test:

Jenkins output:
**************************************************************************
(2015-12-14 21:43:26.003035)info 2015-12-14 21:43:26 EXECUTING: udm-test 'users/user' list | egrep '^DN: uid=mfwkjbhk,cn=users,dc=AutoTest091c,dc=local$'
[2015-12-14 21:43:26.202614]DN: uid=mfwkjbhk,cn=users,dc=AutoTest091c,dc=local
(2015-12-14 21:43:26.204019)info 2015-12-14 21:43:26 users/user object mfwkjbhk exists
(2015-12-14 21:43:26.216938)info 2015-12-14 21:43:26 EXECUTING: udm-test 'groups/group' list --filter "cn=kyybpbhj" | egrep '^ *users: ' | sed 's/^ *users: //'
(2015-12-14 21:43:26.380471)info 2015-12-14 21:43:26 Value of "users" is "", does not contain line "uid=mfwkjbhk,cn=users,dc=AutoTest091c,dc=local"
(2015-12-14 21:43:26.381252)error 2015-12-14 21:43:26 Expected operation to succeed, but it failed
(2015-12-14 21:43:26.382469)error 2015-12-14 21:43:26 **************** Test failed above this line (110) ****************
**************************************************************************

S4 Connector log:
**************************************************************************
14.12.2015 21:43:08,594 LDAP (PROCESS): Building internal group membership cache
14.12.2015 21:43:08,611 LDAP (PROCESS): Internal group membership cache was created
14.12.2015 21:43:08,800 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=mfwkjbhk,CN=Users,DC=autotest091c,DC=local
14.12.2015 21:43:08,813 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=mfwkjbhk,cn=users,dc=AutoTest091c,dc=local
14.12.2015 21:43:08,957 LDAP (WARNING): password_sync_ucs_s4_to_ucs: Failed to get Password-Hash from S4
14.12.2015 21:43:30,777 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=domain users,cn=groups,dc=AutoTest091c,dc=local
14.12.2015 21:43:30,840 LDAP (PROCESS): sync to ucs: [ user] [ delete] uid=mfwkjbhk,cn=users,dc=AutoTest091c,dc=local
14.12.2015 21:43:31,13 LDAP (PROCESS): sync to ucs: [ group] [ delete] cn=kyybpbhj,cn=groups,dc=AutoTest091c,dc=local
**************************************************************************

The sync order seems to be important. The test case fails from time to time, for example Build #123, Build #109.
Code review: Ok
Update & Test: Ok
Advisory: Ok
<http://errata.software-univention.de/ucs/4.1/39.html>