Bug 40741 - 91univention-saml.inst may fail due to extended attributes
91univention-saml.inst may fail due to extended attributes
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-1-errata
Assigned To: Florian Best
Stefan Gohmann
:
: 40786 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-19 16:34 CET by Florian Best
Modified: 2016-03-09 15:51 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): External feedback
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2016-02-19 16:34:27 CET
During the creation of the LDAP-Only user for SAML required extended attributes may break the joinscript.
There is also a --ignore_exists missing!

E: Insufficient information
The following parameters are missing:
gender
primaryGroup
unixhome
EXITCODE=3

This causes the joinscript 91univention-saml.inst and 92univention-management-console-web-server.inst to fail.
Comment 1 Florian Best univentionstaff 2016-02-25 13:07:33 CET
Replaced with python :) (which ignores extended-attributes if not manually set up).
I hope this will never have side effects due to import errors aka Bug #33359 :D

univention-saml (3.0.27-2):
r67686 | Bug #40741: Update Copyright
r67685 | Bug #40741: don't fail to create SAML user due to extended attributes

univention-saml.yaml:
r67687 | YAML Bug #40741
Comment 2 Florian Best univentionstaff 2016-02-26 18:44:16 CET
*** Bug 40786 has been marked as a duplicate of this bug. ***
Comment 3 Florian Best univentionstaff 2016-02-29 12:10:45 CET
(In reply to Florian Best from comment #2)
> *** Bug 40786 has been marked as a duplicate of this bug. ***
Fixed the syntax error by indenting with space instead of tabs.
Comment 4 Stefan Gohmann univentionstaff 2016-03-02 09:01:59 CET
Now you use the admin user and no longer the join credentials.

Can you give an example with the extended attributes? Do we have an App which requires extended attributes for users?
Comment 5 Florian Best univentionstaff 2016-03-02 16:04:29 CET
(In reply to Stefan Gohmann from comment #4)
> Now you use the admin user and no longer the join credentials.
yes. is that really bad?

> Can you give an example with the extended attributes?
eval "$(ucr shell)"; udm settings/extended_attribute create --set name=test --set module=users/user --set ldapMapping=univentionFreeAttributes1 --set objectClass=univentionFreeAttributes --set shortDescription=test --set valueRequired=1 --set mayChange=1 --set CLIName=test --set deleteObjectClass=1 --position "cn=custom attributes,cn=univention,$ldap_base"

> Do we have an App which requires extended attributes for users?
I am not aware of one.
Comment 6 Florian Best univentionstaff 2016-03-02 16:16:46 CET
Ticket#2016021821000742
Comment 7 Florian Best univentionstaff 2016-03-02 17:13:40 CET
As it is only executed on the DC master it is okay to use cn=admin.

The creation of such extended attributes is prevent by Bug #40824.
Comment 8 Florian Best univentionstaff 2016-03-02 17:39:16 CET
ucs-test (6.0.33-33):
r67854 | Bug #40741: test SAML user exists
Comment 9 Stefan Gohmann univentionstaff 2016-03-07 21:12:17 CET
Tests: OK

ucs-test: OK

Code review: OK

YAML: OK (small adjustments: r67970)
Comment 10 Janek Walkenhorst univentionstaff 2016-03-09 15:51:58 CET
<http://errata.software-univention.de/ucs/4.1/128.html>