Bug 46470 - S4-Connector syncs back (to_ucs) old group membership of moved users
S4-Connector syncs back (to_ucs) old group membership of moved users
Status: CLOSED DUPLICATE of bug 47636
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.3-1-errata
Assigned To: Arvid Requate
Felix Botner
:
Depends on:
Blocks: 44310 46692
  Show dependency treegraph
 
Reported: 2018-03-02 17:58 CET by Nico Stöckigt
Modified: 2018-09-18 07:45 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018020121000154
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
bug46470-move.patch (3.15 KB, patch)
2018-07-11 19:24 CEST, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Nico Stöckigt univentionstaff 2018-03-02 17:58:37 CET
probably related to bug#33466
============================================================

When moving a student (user) to another school all his classes (groups) are removed before he is moved to the new ou and assigned to new classes. In some cases the S4-Connector doesn't find the DN of the user and fails to removed it from the old groups but resyncs the obsolete group membership back to ucs. Now the old classes (groups) contains the orphaned old student (user).

------------------------------------------------------------

28.02.2018 09:43:28,221 LDAP        (PROCESS): sync from ucs: [         group] [    modify] cn=school_B-09a,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [    modify] cn=school_B-05a,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [    modify] cn=school_B-06a,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [    modify] cn=school_B-07b,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [    modify] cn=school_B-09b,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [    modify] cn=school_B-08a,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [    modify] cn=school_B-07a,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranet group] [    modify] cn=school_B-ikl_ii,cn=klassen,cn=schueler,cn=groups,ou=school_B,DC=portal,DC=schulen,DC=intranetnet', 'CN=timahauc,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=diarasad,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=immakeun,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=manaahma,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=jonasche01,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=mehmdura,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=julipete,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=aliibra,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=julikimm,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=elijzeng,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=johabran,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=vaneselj,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=elijqufa,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=hannwebe01,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=hanasala,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=johaknol,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=fiolgebr,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=patrszec,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=lorikamb,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=ermybere,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=danitsch,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=manaaldu,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=sofiwarm,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=ismabard,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=franelos,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=bariaydi,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=amirahma,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=eduaknit,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=johalich,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'cn=yarashic,cn=schueler,cn=users,ou=school_A,dc=portal,dc=schulen,dc=intranet', 'cn=abdaalmo,cn=schueler,cn=users,ou=school_A,dc=portal,dc=schulen,dc=intranet', 'CN=angehris,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=lukakoll,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=tombeck,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=razvmari,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=lawisula,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=glorscho,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=levkgerh,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=leatomi,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=momeahma,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=rawaasaa,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=mahmyilm,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=sebasilb,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=muazalaw,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=dilaceli,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=emmaladu,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=mihaandr,CN=schueler,CN=users,OU=school_C,DC=portal,DC=schulen,DC=intranet', 'CN=abdimoha,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=chrifoki,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=ramamuha,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=laurtomi,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=sbhahabt,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=vanetiss,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=alesmoor,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=leonerb,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=kacplino,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=havvwerb,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=eliskles,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=nezaahma,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=akrashaw,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=feribaya,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=patrjaku01,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=emelnotz,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=sabrahme,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=anacarlt,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=leonsale,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=alidoul,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=fatiamit,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=jannherz,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'cn=mohamous,cn=schueler,cn=users,ou=school_A,dc=portal,dc=schulen,dc=intranet', 'CN=marifain,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=willziem,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=antogros,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=henoashm,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=simokies,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=lanamata,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=timbeck,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=shahghum,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=johaschi,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=davikond,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=majafreu,CN=schueler,CN=users,OU=school_B,DC=portal,DC=schulen,DC=intranet', 'CN=morischn01,CN=schueler,CN=users    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: Unable to find GUID for DN cn=mohamous,cn=schueler,cn=users,ou=school_A,dc=portal,dc=schulen,dc=intranet\n', 'desc': 'No such object'}
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2018-03-12 13:25:20 CET
This would explain, why the following ucs-test scripts fails in Jenkins:
http://jenkins.knut.univention.de:8080/job/UCSschool-4.3/job/Install%20Singleserver/lastCompletedBuild/Config=s4,TestGroup=import1/testReport/90_ucsschool/207_import-users_school_change/test/

[2018-03-11 21:18:44.247909] ### FAIL ###
[2018-03-11 21:18:44.247932] User still has groups from OU 'eup': ['cn=schueler-rebfymby,cn=groups,ou=rebfymby,dc=autotest201,dc=local', 'cn=Domain Users rebfymby,cn=groups,ou=rebfymby,dc=autotest201,dc=local', 'cn=schueler-eup,cn=groups,ou=eup,dc=autotest201,dc=local']
[2018-03-11 21:18:44.247952] ###      ###
Comment 2 Stefan Gohmann univentionstaff 2018-03-15 06:26:36 CET
Move to 4.3-0-errata. If a UCS 4.2 backport is needed, please clone this issue.
Comment 3 Arvid Requate univentionstaff 2018-04-09 14:33:30 CEST
Ok, we should first apply Bug 46682 Comment 3, that might explain why a sync-back occurs at all.
Comment 4 Jürn Brodersen univentionstaff 2018-07-09 14:35:06 CEST
Doesn't seem to be solved :(

Test 207_import-users_school_change still produces these errors.

I can also reproduce this by moving multiple users with the umc ldap directory module.
Comment 5 Arvid Requate univentionstaff 2018-07-09 15:35:43 CEST
connector-s4.log at log level 4 please.
Comment 6 Jürn Brodersen univentionstaff 2018-07-11 10:21:29 CEST
The write back occurred due to bug 46470 ... sorry

But I still get the tracebacks. It seems the group_member_mapping_cache isn't cleared on a move operation.

s4connector/s4/__init__.py:2476

There doesn't seem to be a move operation but instead just a modify operation with an old_dn.
Comment 7 Arvid Requate univentionstaff 2018-07-11 19:24:13 CEST
Created attachment 9592 [details]
bug46470-move.patch

This patch seems to fix the behavior you observed.
Comment 8 Jürn Brodersen univentionstaff 2018-07-12 10:31:56 CEST
(In reply to Arvid Requate from comment #7)
> Created attachment 9592 [details]
> bug46470-move.patch
> 
> This patch seems to fix the behavior you observed.

The patch works for me :)
Comment 9 Arvid Requate univentionstaff 2018-08-30 22:11:20 CEST
The essence of the patch has been applied by Felix while fixing Bug #47636.

*** This bug has been marked as a duplicate of bug 47636 ***
Comment 10 Stefan Gohmann univentionstaff 2018-09-18 07:45:21 CEST
(In reply to Arvid Requate from comment #9)
> The essence of the patch has been applied by Felix while fixing Bug #47636.
> 
> *** This bug has been marked as a duplicate of bug 47636 ***

OK