Univention Bugzilla – Bug 50463
UMC should prevent creation of usernames that conflict with a group
Last modified: 2019-11-14 13:52:39 CET
In OpenLDAP you can name a user the same as a group, e.g.:

uid=foobar,cn=users,dc=domain,dc=tld
cn=foobar,cn=groups,dc=domain,dc=tld

If both objects are synchronised via S4-Connector the name of each object is mapped to 'sAMAccountName', which must be unique. Whatever object is synchronised first wins and the other one is rejected:

------------------------------------------------------------
06.11.2019 11:22:11.574 LDAP (PROCESS): sync from ucs: [ group] [ add] cn=foobar,cn=groups,dc=domain,dc=tld
06.11.2019 11:22:11.577 LDAP (ERROR ): sync_from_ucs: traceback during modify object: cn=foobar,cn=groups,dc=domain,dc=tld
06.11.2019 11:22:11.577 LDAP (ERROR ): sync_from_ucs: traceback due to modlist: [(2, 'sAMAccountName', [u'foobar'])]
06.11.2019 11:22:11.601 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1573035528.166958
06.11.2019 11:22:11.602 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 877, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2596, in sync_from_ucs
    self.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), compatible_modlist(modlist), serverctrls=self.serverctrls_for_add_and_modify)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ALREADY_EXISTS: {'info': "00002071: samldb: samAccountName 'foobar' already in use!", 'desc': 'Already exists'}
------------------------------------------------------------

Naming a group the same as a user should be prevented by the UMC.
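The collision in the traceback above, reduced to an added Python illustration (this is not S4-Connector or UDM code): the first object synced claims the sAMAccountName and every later object with the same name, in any letter case, is rejected, whereas a directory-side check over users and groups together refuses the second name before it is created. The DNs and the message wording are constructed for this example.

```python
import re

# Constructed OpenLDAP snapshot: a user "foobar" and a group "foobar" coexist,
# because OpenLDAP only enforces RDN uniqueness within one container.
SAMPLE_DNS = [
    "uid=alice,cn=users,dc=domain,dc=tld",
    "cn=Domain Users,cn=groups,dc=domain,dc=tld",
    "uid=foobar,cn=users,dc=domain,dc=tld",
    "cn=foobar,cn=groups,dc=domain,dc=tld",
    "cn=FooBar,cn=groups,dc=domain,dc=tld",   # differs only in case
]

DN_RE = re.compile(r"^(uid|cn)=([^,]+),cn=(users|groups),", re.IGNORECASE)


def sam_account_name(dn):
    """Name the connector maps to sAMAccountName: uid for users, cn for groups."""
    m = DN_RE.match(dn)
    if not m:
        raise ValueError("not a user or group DN: %s" % dn)
    return m.group(2)


def simulate_sync(dns):
    """Replay a sync in the given order; the first owner of a name wins.

    sAMAccountName is compared case-insensitively on the AD/Samba side, so the
    key is lower-cased. Returns (synced_dns, [(rejected_dn, reason), ...]).
    """
    in_use, synced, rejected = {}, [], []
    for dn in dns:
        name = sam_account_name(dn)
        key = name.lower()
        if key in in_use:
            rejected.append((dn, "samAccountName '%s' already in use by %s" % (name, in_use[key])))
        else:
            in_use[key] = dn
            synced.append(dn)
    return synced, rejected


def check_before_create(dns, kind, name):
    """Pre-creation check in the style of the UDM uniqueness setting.

    Looks at users AND groups, so a new group may not take an existing
    username and vice versa. Returns an error text, or None if the name is free.
    """
    used = {sam_account_name(dn).lower() for dn in dns}
    if name.lower() in used:
        return "The %sname is already in use as groupname or as username: %s" % (kind, name)
    return None
```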
Created attachment 10224
UMC message when trying to create a group

How can you reproduce to create a user and a group with the same name? On UCS 4.4-2e325 I get

"The LDAP object could not be saved: The groupname is already in use as groupname or as username : test"
(In reply to Erik Damrose from comment #1)
> Created attachment 10224
> UMC message when trying to create a group
>
> How can you reproduce to create a user and a group with the same name? On
> UCS 4.4-2e325 I get
>
> "The LDAP object could not be saved: The groupname is already in use as
> groupname or as username : test"

Maybe the system is an older one, which doesn't have "directory/manager/uid_gid/uniqueness" = true.
Since Bug #38796 UCS 4.0-3-errata a uid/group-name collision is prevented in UDM/UMC - for new installations.
> Since Bug #38796 UCS 4.0-3-errata a uid/group-name collision is prevented in UDM/UMC - for new installations.

Nah, that one was about uidNumber/gidNumber (commit 3e2f0f47fe). The name uniqueness check has been introduced in UCS 3.1 via Bug 26289: UCRV: directory/manager/user_group/uniqueness

*** This bug has been marked as a duplicate of bug 26289 ***