Univention Bugzilla – Bug 52192
Password is only updated if pwdLastSet is changed (sync to ucs)
Last modified: 2022-09-08 11:43:53 CEST
+++ This bug was initially created as a clone of Bug #51904 +++

At Bug #51904 we found out that changing ONLY the password attribute in AD does not trigger a synchronization. This has been introduced with Bug #51518, where the UCR variable connector/ad/mapping/attributes/irrelevant has been created. This variable is used to ignore changes to certain attributes to reduce the load created by the AD connector. These attributes change almost every time anything is changed in AD and it makes sense to ignore these.

But the password attributes are not attributes we can see in the LDAP, and changes to the password are only checked in a post_con_modify_function, which happens after the "normal" sync. With a normal password change, the synchronization still works, since 'pwdLastSet' usually changes with the password. This attribute is not on the 'irrelevant' list, the sync is triggered, the password change is detected and the password is synced.

There is one case though where a password change is undetected. That is, when the flag 'pwdChangeNextLogin' is set on the user object and the password is reset while keeping the 'pwdChangeNextLogin' flag. PwdLastSet is set to '0' in this case, to indicate that the password should be changed at next login. The password is reset, but pwdLastSet is kept at value '0'. Now the only detected changed attributes are 'uSNChanged' and 'whenChanged', which are on the 'irrelevant' list.

Even though this problem exists, we decided to leave the default behavior for now, since most environments will profit more from the reduced load and not run into this issue. There might be other corner cases in which a synchronization is skipped because of this problem, but we haven't found any yet.

The current workaround is unsetting the UCR variable connector/ad/mapping/attributes/irrelevant.
Small update regarding the workaround: Do not simply unset the UCRV, as it might get reset. Just set it to something like: ucr set connector/ad/mapping/attributes/irrelevant=DoNotUnsetThisUCR
Changes: Do not ignore changes in users when pwdLastSet is 0 even if all the modified attributes are set in connector/ad/mapping/attributes/irrelevant.

Packages:
Package: univention-ad-connector
Version: 14.0.10-5A~5.0.0.202208301031
Branch: ucs_5.0-0
Scope: errata5.0-2

Package: ucs-test
Version: 10.0.7-19A~5.0.0.202208301034
Branch: ucs_5.0-0
Scope: errata5.0-2

Commits:
59e2fc7ba2ad | Bug #52192: changelog and advisory
01f9537dde30 | Bug #52192: Update test to not unset irrelevant attributes
7d8e191d9401 | Bug #52192: Check if pwdChangeNextLogin is set in users before skipping the object
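As an added example that is not part of this bug report or of the univention-ad-connector code base, the following Python models the "skip this object?" decision described in the change above: before the fix, an AD object whose only modified attributes are all on the irrelevant list is skipped; after the fix, an object with pwdLastSet 0 (pwdChangeNextLogin set) is synchronized regardless, because its password may have been reset without any visible attribute leaving the irrelevant list. The attribute snapshots, the comma-separated format assumed for the UCR value, and all function names are constructed for this illustration.

```python
"""Model of the AD-connector skip decision from Bug #52192.

Added illustration, not the connector's own code. Object snapshots are dicts of
attribute name -> list of string values, loosely mimicking an LDAP search result.
All sample data below is constructed.
"""

# Assumed value of connector/ad/mapping/attributes/irrelevant (comma-separated list).
IRRELEVANT_UCR_VALUE = "uSNChanged,whenChanged"

# A user with pwdChangeNextLogin set: pwdLastSet is "0".
FLAGGED_USER = {
    "sAMAccountName": ["alice"],
    "pwdLastSet": ["0"],
    "uSNChanged": ["1001"],
    "whenChanged": ["20200901100000.0Z"],
}

# Same user after an admin resets the password but keeps pwdChangeNextLogin:
# the password changed, but pwdLastSet stays "0" and only the bookkeeping
# attributes move. This is the undetected case from the bug.
RESET_KEEPING_FLAG = {
    "sAMAccountName": ["alice"],
    "pwdLastSet": ["0"],
    "uSNChanged": ["1002"],
    "whenChanged": ["20200902100000.0Z"],
}

# Same user after changing the password at next logon: pwdLastSet becomes a
# timestamp, so the change set leaves the irrelevant list.
NORMAL_PASSWORD_CHANGE = {
    "sAMAccountName": ["alice"],
    "pwdLastSet": ["132432000000000000"],
    "uSNChanged": ["1003"],
    "whenChanged": ["20200903100000.0Z"],
}

# An ordinary active user, before and after a change that touched nothing but
# the bookkeeping attributes (the load-reduction case the UCR variable exists for).
ACTIVE_USER = {
    "sAMAccountName": ["bob"],
    "pwdLastSet": ["132400000000000000"],
    "uSNChanged": ["2001"],
    "whenChanged": ["20200901100000.0Z"],
}
ACTIVE_USER_TOUCHED = {
    "sAMAccountName": ["bob"],
    "pwdLastSet": ["132400000000000000"],
    "uSNChanged": ["2002"],
    "whenChanged": ["20200902100000.0Z"],
}


def parse_irrelevant(ucr_value):
    """Turn the UCR list into a set of attribute names (assumed comma-separated)."""
    return {name.strip() for name in ucr_value.split(",") if name.strip()}


def changed_attributes(old, new):
    """Names of attributes whose values differ between two snapshots of an AD object."""
    return {name for name in set(old) | set(new) if old.get(name) != new.get(name)}


def skip_before_fix(changed, irrelevant):
    """Pre-fix rule: skip when every modified attribute is on the irrelevant list."""
    return bool(changed) and changed <= irrelevant


def skip_after_fix(changed, irrelevant, new):
    """Post-fix rule: never skip an object whose pwdLastSet is 0, because a
    password reset that keeps pwdChangeNextLogin leaves no other trace."""
    if new.get("pwdLastSet") == ["0"]:
        return False
    return skip_before_fix(changed, irrelevant)


if __name__ == "__main__":
    irrelevant = parse_irrelevant(IRRELEVANT_UCR_VALUE)
    for label, old, new in (
        ("reset keeping pwdChangeNextLogin", FLAGGED_USER, RESET_KEEPING_FLAG),
        ("normal password change", FLAGGED_USER, NORMAL_PASSWORD_CHANGE),
        ("bookkeeping-only change", ACTIVE_USER, ACTIVE_USER_TOUCHED),
    ):
        changed = changed_attributes(old, new)
        print(label, sorted(changed),
              "skip before fix:", skip_before_fix(changed, irrelevant),
              "skip after fix:", skip_after_fix(changed, irrelevant, new))
```

Running the block prints the three scenarios: the reset-with-flag case is skipped by the old rule and synced by the new one, the normal password change is synced by both, and the bookkeeping-only change on an active user is still skipped by both, which is the load reduction the UCR variable is meant to keep.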
Verified:
* Code review
* Functional test
* No collateral regressions expected for non-updated systems
* Test case
* Documentation update not required
* Advisory
<https://errata.software-univention.de/#/?erratum=5.0x407>