Bug 41028 - Reject while syncing moved group members in write mode
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-1-errata
Assigned To: Stefan Gohmann
QA Contact: Felix Botner
Depends on:
Blocks: 41141
Reported: 2016-04-08 22:53 CEST by Stefan Gohmann
Modified: 2016-05-04 18:15 CEST (History)

bug41028.patch (626 bytes, patch)
2016-04-26 15:29 CEST, Stefan Gohmann
reproducer-bug41028.sh (3.79 KB, text/x-sh)
2016-04-27 17:47 CEST, Felix Botner

Description Stefan Gohmann univentionstaff 2016-04-08 22:53:37 CEST
Ticket #2015110521000528

The following traceback occurs in a UCS@school environment. The connector is configured in write mode.

One group member was moved from one OU to another OU. The rename has already been performed in the AD. In the detailed debug it is shown that the old DN should be set in AD and the new DN should be removed:

07.04.2016 12:24:11,233 LDAP        (INFO   ): group_members_sync_from_ucs: members to add: [u'cn=user1,cn=schueler,cn=users,ou=oldou,dc=doma,dc=lan']
07.04.2016 12:24:11,234 LDAP        (INFO   ): group_members_sync_from_ucs: members to del: [u'CN=user1,CN=schueler,CN=users,OU=newou,DC=doma,DC=lan']

After an AD connector restart the traceback is resolved automatically.

I guess the group mapping cache is not cleaned during the move.

The traceback:

07.04.2016 12:24:11,248 LDAP        (WARNING): sync failed, saved as rejected
07.04.2016 12:24:11,249 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 721, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn))):
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/__init__.py", line 2257, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/__init__.py", line 76, in group_members_sync_from_ucs
    return connector.group_members_sync_from_ucs(key, object)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/__init__.py", line 1450, in group_members_sync_from_ucs
    self.lo_ad.lo.modify_s(compatible_modstring(object['dn']),[(ldap.MOD_REPLACE, 'member', modlist_members)])
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 322, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': "00000525: NameErr: DSID-031A125B, problem 2001 (NO_OBJECT), data 0, best match of:\n\t''\n", 'desc': 'No such object'}
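
Added example (not part of the original report and not the connector's own code): a Python log check that flags the pattern in the debug output above, where a member is added under one DN and deleted under another DN with the same leaf RDN. The function names are hypothetical, and it assumes the "members to add" and "members to del" lines are logged consecutively, as in the excerpt.

```python
import re

# Sample input: the two INFO lines quoted in the report above.
SAMPLE_LOG = """\
07.04.2016 12:24:11,233 LDAP        (INFO   ): group_members_sync_from_ucs: members to add: [u'cn=user1,cn=schueler,cn=users,ou=oldou,dc=doma,dc=lan']
07.04.2016 12:24:11,234 LDAP        (INFO   ): group_members_sync_from_ucs: members to del: [u'CN=user1,CN=schueler,CN=users,OU=newou,DC=doma,DC=lan']
"""

LINE_RE = re.compile(r"group_members_sync_from_ucs: members to (add|del): \[(.*)\]")
DN_RE = re.compile(r"u?'([^']*)'")  # DNs as printed in the Python 2 list repr


def leaf_rdn(dn):
    """Return the lower-cased first RDN, splitting on the first unescaped comma."""
    return re.split(r"(?<!\\),", dn, maxsplit=1)[0].strip().lower()


def find_moved_members(log_text):
    """Return (add_dn, del_dn) pairs that share a leaf RDN but differ as DNs.

    Such a pair means the same object name is being written under one parent
    and removed under another in a single sync, which is what a stale DN
    mapping after a move looks like. A match is a candidate, not proof: two
    distinct objects in different OUs can share a leaf RDN.
    """
    suspects = []
    pending_add = None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, dns = m.group(1), DN_RE.findall(m.group(2))
        if kind == "add":
            pending_add = dns
        elif pending_add is not None:
            to_del = {}
            for dn in dns:
                to_del.setdefault(leaf_rdn(dn), dn)
            for dn in pending_add:
                other = to_del.get(leaf_rdn(dn))
                # DNs are case-insensitive, so ignore case-only differences.
                if other and other.lower() != dn.lower():
                    suspects.append((dn, other))
            pending_add = None
    return suspects


if __name__ == "__main__":
    for add_dn, del_dn in find_moved_members(SAMPLE_LOG):
        print("possible stale DN for moved member: add=%s del=%s" % (add_dn, del_dn))
```
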
Comment 1 Stefan Gohmann univentionstaff 2016-04-26 15:28:50 CEST
Unfortunately, I'm not able to reproduce this issue reliably.

It seems to happen only if the user is in a group and the group is changed before the user is moved. This is hard to reproduce because the connector drops objects which will be synced later. The easiest way is to stop the notifier on the DC Master, do many changes and run the AD connector on the backup.

Fixed in UCS 4.1-1: r68913
Comment 2 Stefan Gohmann univentionstaff 2016-04-26 15:29:09 CEST
Created attachment 7622 [details]
Comment 3 Felix Botner univentionstaff 2016-04-27 17:47:39 CEST
Created attachment 7628 [details]

I can reproduce this with the attached script (setup: master + backup with ad-connector, script has to be started on the master)
Comment 4 Felix Botner univentionstaff 2016-04-27 17:50:36 CEST
OK - univention-ad-connector r68913 (can no longer reproduce this bug)
OK - jenkins ad connector jobs still succeed (in the same time)

OK - univention-ad-connector.yaml
Comment 5 Janek Walkenhorst univentionstaff 2016-05-04 18:15:39 CEST