Bug 46971 - Traceback with cross-school users after being removed from a school (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-4-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on: 25709 46682 47636
Blocks: 46692 47104
Reported: 2018-05-07 16:19 CEST by Valentin Heidelberger
Modified: 2019-07-19 18:49 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018031621000473
Bug group (optional):
Max CVSS v3 score:


Attachments
bug46971-reproducer1.sh (1012 bytes, application/x-shellscript)
2018-05-25 13:12 CEST, Arvid Requate

Description Valentin Heidelberger univentionstaff 2018-05-07 16:19:20 CEST
+++ This bug was initially created as a clone of Bug #46682 +++

A school customer could now observe several times that the S4-Connector reproducibly throws tracebacks. It occurs in the following scenario:

A teacher is *only* at school1 and is temporarily set up as a cross-school user account for school "school1" and "school2". For this purpose, "school1" and "school2" are correctly entered in the user's LDAP attribute "ucsschoolSchool" and the user is additionally included in the groups "lehrer-school2" and "domain users school2". The teacher is then correctly replicated to the school2 slave and transferred to the AD via the S4 connector.
2 days later the user was removed from "school2" and the corresponding groups "lehrer-school2" and "domain users school2". This is said to have worked and the user has been correctly removed from LDAP and AD from the groups and the user object itself.
During the night the group "Domain Users school1" was modified. Since all groups "Domain User $SCHOOL" and "lehrer-$SCHOOL" are replicated to all schools, this change also arrived at the school DC dcschool2. The S4 connector has thrown the following traceback:

22.02.2018 07:15:16,924 LDAP        (WARNING): group_members_sync_from_ucs: failed to sync members: (cn=domain users school1,cn=groups,ou=school1,DC=schule,DC=customer,DC=de,[(2, 'member', ['cn=someteacher,cn=lehrer,cn=users,ou=school1,dc=schule,dc=customer,dc=de'])])
22.02.2018 07:15:16,930 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1519280106.726590
22.02.2018 07:15:16,967 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2720, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 79, in group_members_sync_from_ucs
    return s4connector.group_members_sync_from_ucs(key, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 1812, in group_members_sync_from_ucs
    self.lo_s4.lo.modify_s(compatible_modstring(object['dn']), [(ldap.MOD_REPLACE, 'member', modlist_members)])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 364, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 465, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 469, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': '00002030: Unable to find GUID for DN cn=someteacher,cn=lehrer,cn=users,ou=school1,dc=schule,dc=customer,dc=de\n', 'desc': 'No such object'}
Comment 1 Arvid Requate univentionstaff 2018-05-18 14:32:45 CEST
* Patch backported to branch 4.2-4
* Package imported and built in errata4.2-4
* d25f6c0f33 | Advisory
Comment 2 Felix Botner univentionstaff 2018-05-22 12:31:23 CEST
Don't think that helps, object_memberships_sync_to_ucs already checks the sync mode.

I could reproduce the traceback with

 * create users test1, test2
 * add test1 to domain admins
 * add test2 to domain admins (separate step!)

 * create another user test3 to trigger the group_mapping_cache_ucs

 ( now the cache contains at least test1 and test2)

 * remove test1, the group_mapping_cache_ucs is not updated
   and still contains test1

 * add test1 as member to domain admins (via ldapvi) to simulate the ucsschool
   behavior


I think we should just remove the "object['dn'].lower()" from self.group_mapping_cache_ucs in sync_to_ucs() if property_type is user and object['modtype'] is delete.
Comment 3 Arvid Requate univentionstaff 2018-05-25 13:12:24 CEST
Created attachment 9539
bug46971-reproducer1.sh
Comment 4 Arvid Requate univentionstaff 2018-05-25 13:14:16 CEST
OK, when objects are deleted or moved, remove their DN from both group member mapping caches.

147232dc33 | Code cleanup: Improve readability
92f8e177e9 | Code cleanup: Improve readability
035dbabe63 | Fix traceback
c2985a6d52 | Changelog
6b3ee3f602 | Advisory
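
A simplified model of the failure reproduced in Comment 2 and of the cache eviction described in Comment 4, added here as an illustration; it is not the S4 Connector's code. The class names, the cache layout, the lookup on a cache miss and the DNs are assumptions constructed for the example.

```python
class NoSuchObject(Exception):
    """Raised by the toy target directory, like NO_SUCH_OBJECT in the traceback."""

class ToyTarget:
    """Stand-in for the S4 side: refuses group members it does not hold."""
    def __init__(self):
        self.objects, self.groups = set(), {}

    def replace_members(self, group_dn, member_dns):
        for dn in member_dns:
            if dn not in self.objects:
                raise NoSuchObject("Unable to find GUID for DN " + dn)
        self.groups[group_dn] = list(member_dns)

class ToyConnector:
    def __init__(self, target, evict_on_delete):
        self.target = target
        self.evict_on_delete = evict_on_delete
        self.member_cache = {}  # assumed layout: lowercased source DN -> target DN

    def sync_user(self, dn):
        self.target.objects.add(dn.lower())
        self.member_cache[dn.lower()] = dn.lower()

    def delete_user(self, dn):
        self.target.objects.discard(dn.lower())
        if self.evict_on_delete:  # the fix: drop the DN from the cache as well
            self.member_cache.pop(dn.lower(), None)

    def sync_group(self, group_dn, source_members):
        mapped = []
        for dn in source_members:
            key = dn.lower()
            if key in self.member_cache:        # a cache hit is trusted as-is
                mapped.append(self.member_cache[key])
            elif key in self.target.objects:    # cache miss: check the target
                mapped.append(key)
        self.target.replace_members(group_dn, mapped)
        return mapped

def replay(evict_on_delete):
    """Replays the steps from Comment 2 with constructed DNs."""
    conn = ToyConnector(ToyTarget(), evict_on_delete)
    group = "cn=domain admins,cn=groups,dc=example,dc=test"
    users = ["uid=%s,cn=users,dc=example,dc=test" % u for u in ("test1", "test2")]
    for dn in users:
        conn.sync_user(dn)
    conn.sync_group(group, users)
    conn.delete_user(users[0])
    try:  # the source side still lists the deleted test1 as a member
        return conn.sync_group(group, users)
    except NoSuchObject as exc:
        return str(exc)
```

`replay(False)` returns the error text because the stale cache entry is written to the target; `replay(True)` returns the member list without the deleted user.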
Comment 5 Arvid Requate univentionstaff 2018-05-25 13:32:12 CEST
I fixed a code comment:

7b9fef72c9 | Fix code comment
0e44caa94d | Changelog
528d008c4a | Advisory
Comment 6 Felix Botner univentionstaff 2018-05-30 14:21:36 CEST
OK - code cleanup
OK - fixed traceback
OK - manual group sync tests
OK - s4connector jenkins tests (4.2-4)
OK - yaml
Comment 7 Arvid Requate univentionstaff 2018-06-13 14:06:45 CEST
<http://errata.software-univention.de/ucs/4.2/420.html>