Univention Bugzilla – Bug 46470
S4-Connector syncs back (to_ucs) old group membership of moved users
Last modified: 2018-09-18 07:45:21 CEST
probably related to bug#33466 ============================================================ When moving a student (user) to another school all his classes (groups) are removed before he is moved to the new ou and assigned to new classes. In some cases the S4-Connector doesn't find the DN of the user and fails to removed it from the old groups but resyncs the obsolete group membership back to ucs. Now the old classes (groups) contains the orphaned old student (user). ------------------------------------------------------------ 28.02.2018 09:43:28,221 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=school_B-09a,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [ modify] cn=school_B-05a,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [ modify] cn=school_B-06a,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [ modify] cn=school_B-07b,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [ modify] cn=school_B-09b,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [ modify] cn=school_B-08a,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [ modify] cn=school_B-07a,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [ modify] cn=school_B-ikl_ii,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranetnet', 'CN=timahauc,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=diarasad,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=immakeun,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=manaahma,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=jonasche01,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=mehmdura,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=julipete,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=aliibra,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=julikimm,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=elijzeng,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=johabran,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=vaneselj,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=elijqufa,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=hannwebe01,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=hanasala,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=johaknol,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=fiolgebr,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=patrszec,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=lorikamb,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=ermybere,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=danitsch,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=manaaldu,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=sofiwarm,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=ismabard,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=franelos,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=bariaydi,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=amirahma,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=eduaknit,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=johalich,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'cn=yarashic,cn=schueler,cn=users,ou=school_A,dc=portal,dc=schulen,dc=intranet', 'cn=abdaalmo,cn=schueler,cn=users,ou=school_A,dc=portal,dc=schulen,dc=intranet', 'CN=angehris,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=lukakoll,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=tombeck,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=razvmari,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=lawisula,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=glorscho,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=levkgerh,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=leatomi,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=momeahma,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=rawaasaa,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=mahmyilm,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=sebasilb,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=muazalaw,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=dilaceli,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=emmaladu,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=mihaandr,CN=schueler,CN=users,OU=school_C,DC=portal,DC=schulen,DC=intranet', 'CN=abdimoha,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=chrifoki,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=ramamuha,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=laurtomi,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=sbhahabt,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=vanetiss,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=alesmoor,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=leonerb,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=kacplino,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=havvwerb,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=eliskles,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=nezaahma,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=akrashaw,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=feribaya,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=patrjaku01,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=emelnotz,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=sabrahme,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=anacarlt,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=leonsale,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=alidoul,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=fatiamit,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=jannherz,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'cn=mohamous,cn=schueler,cn=users,ou=school_A,dc=portal,dc=schulen,dc=intranet', 'CN=marifain,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=willziem,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=antogros,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=henoashm,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=simokies,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=lanamata,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=timbeck,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=shahghum,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=johaschi,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=davikond,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=majafreu,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=morischn01,CN=schueler,CN=users resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3 resp_ctrl_classes=resp_ctrl_classes File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4 ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call result = func(*args,**kwargs) NO_SUCH_OBJECT: {'info': '00002030: Unable to find GUID for DN cn=mohamous,cn=schueler,cn=users,ou=school_A,dc=portal,dc=schulen,dc=intranet\n', 'desc': 'No such object'}
This would explain, why the following ucs-test scripts fails in Jenkins: http://jenkins.knut.univention.de:8080/job/UCSschool-4.3/job/Install%20Singleserver/lastCompletedBuild/Config=s4,TestGroup=import1/testReport/90_ucsschool/207_import-users_school_change/test/ [2018-03-11 21:18:44.247909] ### FAIL ### [2018-03-11 21:18:44.247932] User still has groups from OU 'eup': ['cn=schueler-rebfymby,cn=groups,ou=rebfymby,dc=autotest201,dc=local', 'cn=Domain Users rebfymby,cn=groups,ou=rebfymby,dc=autotest201,dc=local', 'cn=schueler-eup,cn=groups,ou=eup,dc=autotest201,dc=local'] [2018-03-11 21:18:44.247952] ### ###
Move to 4.3-0-errata. If a UCS 4.2 backport is needed, please clone this issue.
Ok, we should first apply Bug 46682 Comment 3, that might explain why a sync-back occurs at all.
Doesn't seem to be solved :( Test 207_import-users_school_change still produces these errors. I can also reproduce this by moving multiple users with the umc ldap directory module.
connector-s4.log at log level 4 please.
The write back occurred due to bug 46470 ... sorry But I still get the tracebacks. It seems the group_member_mapping_cache isn't cleared on a move operation. s4connector/s4/__init__.py:2476 There doesn't seem to be a move operation but instead just a modify operation with an old_dn.
Created attachment 9592 [details] bug46470-move.patch This patch seems to fix the behavior you observed.
(In reply to Arvid Requate from comment #7) > Created attachment 9592 [details] > bug46470-move.patch > > This patch seems to fix the behavior you observed. The patch works for me :)
The essence of the patch has been applied by Felix while fixing Bug #47636. *** This bug has been marked as a duplicate of bug 47636 ***
(In reply to Arvid Requate from comment #9) > The essence of the patch has been applied by Felix while fixing Bug #47636. > > *** This bug has been marked as a duplicate of bug 47636 *** OK