Bug 50028 - Warn when users create OUs with names that are reserved in Active Directory
Status: NEW
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: UMC maintainers
Depends on:
Blocks:
Reported: 2019-08-19 18:25 CEST by Arvid Requate
Modified: 2019-08-19 18:34 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019072921000494
Bug group (optional):
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2019-08-19 18:25:27 CEST
In Ticket#: 2019072921000494 a customer had some AD-Connector rejects for some OUs that he had created in UDM (possibly via Samba/AD -> S4-Connector)

ou=Users
ou=Groups
ou=System


The AD-Connector could not write these to the Microsoft Windows 2012 R2 AD, apparently because MS now enforces this "Table of reserved words":

https://support.microsoft.com/en-gb/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

When I tested with Windows Server 2008 R2 it worked though.


The AD-Connector Traceback is:
=====================================================================
19.08.2019 18:22:30.957 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 785, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'))) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn))):
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 2522, in sync_from_ucs
    self.lo_ad.lo.add_s(compatible_modstring(object['dn']), compatible_addlist(addlist))  # FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 210, in add_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 503, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 507, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ALREADY_EXISTS: {'info': '00000524: UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS), data 0\n', 'desc': 'Already exists'}
=====================================================================

Maybe we should add this list of reserved words and forbid adding these via UDM / python-udm and explain this when a user attempts to do this via UMC.
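
Added example, not part of the original report and not UDM or AD-Connector code: a sketch of the pre-create check proposed above, which compares the leaf RDN of a new object against a reserved-name list case-insensitively. The function names, the `dc=example,dc=com` base and the three-entry `RESERVED` set (only the names from this report) are assumptions; the full list has to come from the Microsoft table linked above.

```python
# Added example, not UDM or AD-Connector code.
# Assumption: RESERVED holds only the three names from this report; the full
# list has to be taken from Microsoft's "Table of reserved words".
RESERVED = {"users", "groups", "system"}


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def reserved_ou_warning(dn, reserved=RESERVED):
    """Return a warning if the leaf RDN of dn is an OU with a reserved name."""
    rdns = split_dn(dn)
    if not rdns or "=" not in rdns[0]:
        return None
    attr, _, value = rdns[0].partition("=")
    if attr.strip().lower() != "ou":
        return None  # only OUs are covered by this check
    name = value.strip().lower()  # compare case-insensitively
    if name in reserved:
        return ("OU name %r is reserved in Active Directory; "
                "the AD-Connector may reject this object" % value.strip())
    return None


if __name__ == "__main__":
    # Constructed sample DNs (dc=example,dc=com is a placeholder base).
    for dn in ("ou=Users,dc=example,dc=com",
               "ou=SYSTEM,ou=Berlin,dc=example,dc=com",
               "ou=Sales\\, EMEA,dc=example,dc=com",
               "cn=Users,dc=example,dc=com"):
        print(dn, "->", reserved_ou_warning(dn))
```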