Bug 45011 - AD Connector treats DC Master object as computers/windows_domaincontroller
AD Connector treats DC Master object as computers/windows_domaincontroller
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.2
Other Linux
: P3 minor (vote)
: UCS 4.2-2-errata
Assigned To: Florian Best
Felix Botner
:
: 44770 (view as bug list)
Depends on: 18501 11658 35559 40839
Blocks: 30368
  Show dependency treegraph
 
Reported: 2017-07-16 20:25 CEST by Florian Best
Modified: 2017-11-01 13:49 CET (History)
8 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Cleanup, Troubleshooting, Usability
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch (4.90 KB, patch)
2017-07-18 16:44 CEST, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-07-16 20:25:14 CEST
Merge the changes also for the AD Connector.

+++ This bug was initially created as a clone of Bug #44976 +++

As the change requires changes in the S4-Connector as well, we continue working on the issue in this bug.
A patch for the S4-Connector is attached. The old behavior of Bug #30368 has temporarily been restored. svn r81065 should be reverted when the S4 Connector is ready.

+++ This bug was initially created as a clone of Bug #30368 +++

I tried to use univention.admin.objects.get to retrieve UDM computer objects. The problem was that there might be computer objects of a different kind. Hoping that the get method would handle this by either raising an exception or returning nothing, I called it for a Windows computer object with the UCC computer module without any errors. I was also able to call the open method on this object.

I took it a bit further and discovered that it doesn't seem to matter what kind of DN is presented to method:

univention.admin.objects.get(computer_module, co, lo, position=position, dn='uid=Administrator,cn=users,' + baseDN)

This returned a valid UCC object although it's user's object.

It would be very helpful to have some error handling for this method. At least the lookup method for finding objects makes sure I only get objects of the kind I was asking for. As far as I know a DN can't be fed to lookup but maybe there is a better way of how to open an object for a known DN that I'm not aware of.
Comment 1 Florian Best univentionstaff 2017-07-18 16:14:23 CEST
This doesn't break anything because the mapping in the AD connector doesn't synchronize the DC computer objects.
Comment 2 Florian Best univentionstaff 2017-07-18 16:44:00 CEST
Created attachment 9039 [details]
patch

Squashed patch.
Comment 3 Florian Best univentionstaff 2017-07-19 10:55:39 CEST
(In reply to Florian Best from comment #1)
> This doesn't break anything because the mapping in the AD connector doesn't
> synchronize the DC computer objects.
It seems I am wrong. The Jenkins test from today show that the traceback also occur there.
Comment 4 Florian Best univentionstaff 2017-07-19 11:03:09 CEST
univention-ad-connector (11.0.6-10):
r81241 | Bug #45011: fix handling of object types

univention-ad-connector.yaml:
NONE | YAML Bug #45011 Bug #45037
Comment 5 Florian Best univentionstaff 2017-07-21 10:02:52 CEST
(In reply to Florian Best from comment #3)
> (In reply to Florian Best from comment #1)
> > This doesn't break anything because the mapping in the AD connector doesn't
> > synchronize the DC computer objects.
> It seems I am wrong. The Jenkins test from today show that the traceback
> also occur there.
But this is only of cosmetic nature because we don't sync the computer (DC Master) object from AD to UCS. The ignore_filter() was just called after trying to determine the object type of the object with the computer-types from the mapping (which doesn't include computers/domaincontroller_master).

univention-ad-connector (11.0.6-11):
r81295 | Bug #45011: don't log tracebacks for objects which are ignored nevertheless

The logfiles before showed:
"""
(ERROR  ): get_ucs_object: could not identify UDM object type: cn=admember226a,cn=dc,cn=computers,dc=autotest226a,dc=local
(PROCESS): get_ucs_object: using default: computers/windows
(WARNING): get_ucs_object: failure was:

(WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 836, in get_ucs_object
    ucs_object = univention.admin.objects.get(module, co=None, lo=self.lo, position='', dn=searchdn)
  File "/usr/lib/pymodules/python2.7/univention/admin/objects.py", line 90, in get
    raise univention.admin.uexceptions.wrongObjectType('The object %s is not a %s.' % (dn, module.module,))
wrongObjectType: The object cn=admember226a,cn=dc,cn=computers,dc=autotest226a,dc=local is not a computers/windows.

(PROCESS): sync to ucs:   [windowscomputer] [       add] cn=admember226a,cn=dc,cn=computers,dc=autotest226a,dc=local
(PROCESS): The object (cn=admember226a,cn=dc,cn=computers,dc=autotest226a,dc=local) will be ignored because a valid match filter for this object was not found.
"""


Now it only displays:
"""
(PROCESS): The object 'cn=admember222,cn=dc,cn=computers,dc=autotest222,dc=local' will be ignored because a valid match filter for this object was not found.
"""
Comment 6 Florian Best univentionstaff 2017-08-15 16:41:30 CEST
*** Bug 44770 has been marked as a duplicate of this bug. ***
Comment 7 Felix Botner univentionstaff 2017-08-22 13:38:06 CEST
OK, connector uses the correct udm module
OK, YAML
Comment 8 Arvid Requate univentionstaff 2017-11-01 13:49:23 CET
<http://errata.software-univention.de/ucs/4.2/205.html>