Bug 41680 - AD Connector: Make global_ignore_subtree configurable via UCR
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.1
Other Linux
: P5 enhancement (vote)
: UCS 4.1-3-errata
Assigned To: Stefan Gohmann
Felix Botner
Depends on:
Blocks: 47008
Reported: 2016-06-28 13:02 CEST by Michael Grandjean
Modified: 2018-05-15 10:30 CEST (History)

See Also:
What kind of report is it?: Feature Request
Bug group (optional): External feedback, Forked for project
Description Michael Grandjean univentionstaff 2016-06-28 13:02:31 CEST
The AD Connector mapping file uses 'global_ignore_subtree' to ignore a bunch of LDAP subtrees so they do NOT get synchronized. Unfortunately, this is a hard-coded list and not configurable. In some scenarios this ignore list must be extended, so we should make this possible, just as other objects can be ignored via UCR, too (groups, users, containers ...).
Comment 1 Stefan Gohmann univentionstaff 2016-09-13 13:32:45 CEST
* Make the global_ignore_subtree configuration option configurable
  via the UCR variable connector/ad/mapping/ignoresubtree/* (Bug #41680)

4.1-3: r72540
4.2: r72541
YAML: r72542
Comment 2 Felix Botner univentionstaff 2016-09-14 10:59:09 CEST
OK - connector/ad/mapping/ignoresubtree

UCS 4.1-3 with ad connector + windows server 2012

# container ignore with two users ignore1 and ignore2
@ucs-> univention-ldapsearch -LLL -b "cn=ignore,$(ucr get ldap/base)" dn
dn: cn=ignore,dc=four,dc=test
dn: uid=ignore1,cn=ignore,dc=four,dc=test
dn: uid=ignore2,cn=ignore,dc=four,dc=test

# disabled sync of ignore container
@ucs-> ucr set connector/ad/mapping/ignoresubtree/ignore="cn=ignore,dc=four,dc=test"

configured/started ad connector (bidirectional)

# container and users NOT synced to ad
@ucs-> univention-adsearch 'cn=ignore1'
@ucs-> univention-adsearch 'cn=ignore2'
@ucs-> univention-adsearch 'cn=ignore'
@ucs-> univention-adsearch 'cn=ignore*'

OK - merged to 4.2-0
OK - yaml
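
A sketch of how the per-subtree UCR values from Comment 1 could be collected into an ignore list and matched against DNs, added here as an example and not taken from the connector's source. The function names, the case-insensitive RDN-by-RDN matching and the sample data (built from the DNs in Comment 2) are assumptions.

```python
# Added illustration; not the AD Connector's own mapping code.
PREFIX = "connector/ad/mapping/ignoresubtree/"  # UCR prefix named in Comment 1

# Constructed sample of a UCR key/value store, using the values from Comment 2.
SAMPLE_UCR = {
    "ldap/base": "dc=four,dc=test",
    "connector/ad/mapping/ignoresubtree/ignore": "cn=ignore,dc=four,dc=test",
}


def parse_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            current, escaped = current + ch, True
        elif ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
    rdns.append(current)
    return [r.strip().lower() for r in rdns if r.strip()]


def ignored_subtrees(ucr):
    """Parse every non-empty value stored under the ignoresubtree prefix."""
    bases = (parse_dn(v) for k, v in sorted(ucr.items()) if k.startswith(PREFIX))
    return [b for b in bases if b]


def is_ignored(dn, subtrees):
    """True if dn is a subtree base or below one, compared RDN by RDN."""
    rdns = parse_dn(dn)
    return any(len(b) <= len(rdns) and rdns[-len(b):] == b for b in subtrees)


if __name__ == "__main__":
    subtrees = ignored_subtrees(SAMPLE_UCR)
    for dn in ("uid=ignore1,cn=ignore,dc=four,dc=test",
               "CN=Ignore,DC=four,DC=test",
               "uid=a,xcn=ignore,dc=four,dc=test",  # a plain suffix match would hit this
               "uid=user1,cn=users,dc=four,dc=test"):
        print(dn, "->", "ignored" if is_ignored(dn, subtrees) else "synced")
```

Comparing whole RDNs keeps an entry such as `xcn=ignore,dc=four,dc=test` from being excluded from synchronization just because its string form ends with a configured subtree DN.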
Comment 3 Janek Walkenhorst univentionstaff 2016-09-14 15:38:58 CEST