Univention Bugzilla – Bug 46971
Traceback with cross-school users after being removed from a school (4.2)
Last modified: 2019-07-19 18:49:12 CEST
+++ This bug was initially created as a clone of Bug #46682 +++

A school customer could now observe several times that the S4-Connector reproducibly throws tracebacks. It occurs in the following scenario:

A teacher is *only* at school1 and is temporarily set up as a cross-school user account for school "school1" and "school2". For this purpose, "school1" and "school2" are correctly entered in the user's LDAP attribute "ucsschoolSchool" and the user is additionally included in the groups "lehrer-school2" and "domain users school2". The teacher is then correctly replicated to the school2 slave and transferred to the AD via the S4 connector.

2 days later the user was removed from "school2" and the corresponding groups "lehrer-school2" and "domain users school2". This is said to have worked and the user has been correctly removed from LDAP and AD from the groups and the user object itself.

During the night the group "Domain Users school1" was modified. Since all groups "Domain User $SCHOOL" and "lehrer-$SCHOOL" are replicated to all schools, this change also arrived at the school DC dcschool2.
The S4 connector has thrown the following traceback:

22.02.2018 07:15:16,924 LDAP (WARNING): group_members_sync_from_ucs: failed to sync members: (cn=domain users school1,cn=groups,ou=school1,DC=schule,DC=customer,DC=de,[(2, 'member', ['cn=someteacher,cn=lehrer,cn=users,ou=school1,dc=schule,dc=customer,dc=de'])])
22.02.2018 07:15:16,930 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1519280106.726590
22.02.2018 07:15:16,967 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2720, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 79, in group_members_sync_from_ucs
    return s4connector.group_members_sync_from_ucs(key, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 1812, in group_members_sync_from_ucs
    self.lo_s4.lo.modify_s(compatible_modstring(object['dn']), [(ldap.MOD_REPLACE, 'member', modlist_members)])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 364, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 465, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 469, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: Unable to find GUID for DN cn=someteacher,cn=lehrer,cn=users,ou=school1,dc=schule,dc=customer,dc=de\n', 'desc': 'No such object'}
* Patch backported to branch 4.2-4
* Package imported and built in errata4.2-4
* d25f6c0f33 | Advisory
Don't think that helps, object_memberships_sync_to_ucs already checks the sync mode.

I could reproduce the traceback with
* create users test1, test2
* add test1 to domain admins
* add test2 to domain admins (separate step!)
* create another user test3 to trigger the group_mapping_cache_ucs (now the cache contains at least test1 and test2)
* remove test1, the group_mapping_cache_ucs is not updated and still contains test1
* add test1 as member to domain admins (via ldapvi) to simulate the ucsschool behavior

I think we should just remove the "object['dn'].lower()" from self.group_mapping_cache_ucs in sync_to_ucs() if property_type is user and object['modtype'] is delete.
Created attachment 9539
bug46971-reproducer1.sh
Ok, when objects are deleted or moved, remove their DN from both group member mapping caches.

147232dc33 | Code cleanup: Improve readability
92f8e177e9 | Code cleanup: Improve readability
035dbabe63 | Fix traceback
c2985a6d52 | Changelog
6b3ee3f602 | Advisory
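
A simplified model of the stale-cache failure reproduced above and of the eviction-on-delete fix, added here as an illustration; it is not code from the S4 connector. The classes `FakeS4` and `MiniConnector`, the `evict_on_delete` switch and the use of a single member cache (the connector keeps two) are assumptions made for the example.

```python
class NoSuchObject(Exception):
    """Stands in for ldap.NO_SUCH_OBJECT raised by the target directory."""

class FakeS4:
    """Constructed target directory: rejects member DNs that do not resolve."""
    def __init__(self):
        self.objects = set()      # DNs that currently exist
        self.members = {}         # group DN -> list of member DNs
    def replace_members(self, group_dn, member_dns):
        for dn in member_dns:
            if dn not in self.objects:
                raise NoSuchObject("Unable to find GUID for DN %s" % dn)
        self.members[group_dn] = list(member_dns)

class MiniConnector:
    """Hypothetical connector with one group member mapping cache."""
    def __init__(self, s4, evict_on_delete):
        self.s4 = s4
        self.evict_on_delete = evict_on_delete
        self.member_cache = {}    # group DN -> {UCS member DN: S4 DN}

    def sync_group(self, group_dn, ucs_member_dns):
        cache = self.member_cache.setdefault(group_dn.lower(), {})
        resolved = []
        for dn in ucs_member_dns:
            key = dn.lower()
            if key not in cache:            # cache miss: ask the directory
                if key not in self.s4.objects:
                    continue                # dangling member, skip it
                cache[key] = key
            resolved.append(cache[key])     # cache hit is trusted blindly
        self.s4.replace_members(group_dn.lower(), resolved)
        return resolved

    def user_deleted(self, user_dn):
        self.s4.objects.discard(user_dn.lower())
        if self.evict_on_delete:            # the fix: drop the DN everywhere
            for cache in self.member_cache.values():
                cache.pop(user_dn.lower(), None)

def reproduce(evict_on_delete):
    s4 = FakeS4()
    group, t1, t2 = "cn=domain admins", "uid=test1", "uid=test2"
    s4.objects.update([t1, t2])
    conn = MiniConnector(s4, evict_on_delete)
    conn.sync_group(group, [t1, t2])        # cache now holds test1 and test2
    conn.user_deleted(t1)
    try:
        return conn.sync_group(group, [t1, t2])   # stale DN re-added to group
    except NoSuchObject as exc:
        return "rejected: %s" % exc
```

`reproduce(False)` ends in the rejected write seen in the traceback, while `reproduce(True)` drops the deleted DN and writes only the surviving member.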
I fixed a code comment:

7b9fef72c9 | Fix code comment
0e44caa94d | Changelog
528d008c4a | Advisory
OK - code cleanup
OK - fixed traceback
OK - manual group sync tests
OK - s4connector jenkins tests (4.2-4)
OK - yaml
<http://errata.software-univention.de/ucs/4.2/420.html>