Bug 49904 - UCS 4.4 Upgraded setups might lack univentionGroupType
Status: NEW
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.4
Other Windows NT
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2019-07-22 21:11 CEST by Mathieu Simon
Modified: 2019-07-25 10:47 CEST (History)
Description Mathieu Simon 2019-07-22 21:11:59 CEST
Discovered with #49903

Freshly deployed UCS 4.4 setups will at least set an AD group type, rendering a working UCS AD connector. Likely to apply to any upgraded UCS domain that has been in existence for a rather long time.

The related schema change was likely introduced way back with UCS 3.2 [1]; however, domains such as the one in question that were likely updated from even older releases may not have these attributes defined on groups until e.g. the group is edited via the web interface and the admin is informed that the attribute will be set (to Global Security Group if not told otherwise).

It may happen that a group has never been edited through the web interface in all these years but rather through the UDM CLI, which will not update that field if not specifically told to do so.

Hence this attribute will be left unset, and in the case of a unidirectional replication from UCS to AD this results in rejects as follows:

- AD connector will detect that the group is missing on the AD side and will create it
- AD doesn't allow creating groups without any type set and thus will assume it is a Global Security Group if not told otherwise
- The Group will be created with its members during the first run
- During the next runs the AD connector will detect that AD has a groupType defined whereas UCS' univentionGroupType is empty and attempts to force AD into not configuring one (AD will not follow suit as this is not allowed in AD)

Issue: Until a group type is set on UCS side, you will get a reject every 10 sync attempts which will cause massive logfiles on the AD connector side.

What about either setting this group type attribute in the next major/point release as part of directory maintenance/prerequisite checks, or providing a script that scans for such issues and helps in fixing them?

-- Mathieu

[1] https://github.com/univention/univention-corporate-server/commit/37fed876c0eaa2ffdf4b6565b48d85b90a0977fa
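A scanner of the kind the report asks for, added here as an example (not part of the bug report, nor UCS or connector code): it reads LDIF as exported from the groups container, lists every univentionGroup entry without a univentionGroupType, and decodes the value of the others. It assumes the objectClass name univentionGroup and that univentionGroupType carries the raw AD groupType integer (sign bit = security group, low bits = scope); the sample entries are constructed, and setting the missing type through UDM is left to the admin.

```python
import base64

# Assumed encoding: univentionGroupType mirrors AD groupType (low bits = scope, sign bit = security).
SCOPES = {2: "global", 4: "domain local", 8: "universal"}

# Constructed sample: one typed group, one group never given a type (folded dn, base64 cn).
SAMPLE_LDIF = """\
dn: cn=Domain Users,cn=groups,dc=example,dc=test
objectClass: univentionGroup
cn: Domain Users
univentionGroupType: -2147483646

dn: cn=mail-list,cn=groups,
 dc=example,dc=test
objectClass: univentionGroup
cn:: bWFpbC1saXN0
"""

def parse_ldif(text):
    # Minimal LDIF reader: entries separated by blank lines, folded lines, '::' base64 values.
    for chunk in text.strip().split("\n\n"):
        lines = []
        for raw in chunk.splitlines():
            if raw.startswith(" ") and lines:   # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            if value.startswith(":"):        # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr, []).append(value.strip())
        yield entry

def describe_group_type(value):
    n = int(value) & 0xFFFFFFFF          # normalise the signed 32-bit AD value
    kind = "security" if n & 0x80000000 else "distribution"
    return f"{SCOPES.get(n & 0xF, 'unknown scope')} {kind} group"

def scan_groups(ldif_text):
    # Returns {'missing': [dn, ...], 'typed': ['dn (type)', ...]} for univentionGroup entries.
    report = {"missing": [], "typed": []}
    for entry in parse_ldif(ldif_text):
        if "univentionGroup" not in entry.get("objectClass", []):
            continue
        dn = entry["dn"][0]
        types = [t for t in entry.get("univentionGroupType", []) if t]   # empty value counts as unset
        if types:
            report["typed"].append(f"{dn} ({describe_group_type(types[0])})")
        else:
            report["missing"].append(dn)
    return report
```

Feed it the output of an LDAP search over the groups container; every DN under "missing" is a group that will trigger the reject cycle described above until a type is set.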