Univention Bugzilla – Bug 53061
gidNumber not synced from UCS to Samba if user/group is created in Samba
Last modified: 2021-06-22 15:02:29 CEST
UCS 5.0 primary with s4-connector/samba -> samba-tool user create sam1 Univention.99 -> univention-s4search cn=sam1 gidNumber # record 1 dn: CN=sam1,CN=Users,DC=five,DC=test -> samba-tool group add samgrp1 -> univention-s4search cn=samgrp1 gidNumber # record 1 dn: CN=samgrp1,CN=Users,DC=five,DC=test This works with UCS 4.4 -> univention-s4search cn=sam1 gidNumber # record 1 dn: CN=sam1,CN=Users,DC=four,DC=four gidNumber: 5001
git:6ef2304ad5fc925311787f81df2a52215c011323 Bug #50766 changed the sync_mode of gidNumber from sync to write.
I think the "echo" sync from UCS/OpenLDAP back to Samba/AD is suppressed by the PostRead Control usage introduced via Bug #52358. When i comment out the self._remember_entryCSN_commited_by_connector lines then the gidNumber sync starts to work again. I guess we need to decide how we want to handle this. Damping replication echos by using the PostRead LDAP control has its merits, but we need to conceicve a method to still detect LDAP changes silently added by UDM to be able to sync them back. I'm currently unsure if we still need the PostRead control to avoid the replication loop we faced in Bug #52358, because I also adjusted the sort order of sync_to_ucs changes back to the way it was in UCS 4.4. So one option would be to revert f773e67cec and watch the Jenkins tests.
OK, I reverted that commit in: univention-s4-connector (14.0.7-2) aeb58b115123 | Revert "Bug #52358: User LDAP post read control for all objects, not just msGPO." The commit which fixed the usn search logic: 66511ba17890482f3721724e694ebf4fc3c932de
a293005fd6 | Test case for gidNumber sync S4->OL 4709e5a79f | fixup Package: ucs-test Version: 10.0.5-10A~5.0.0.202104282308 Branch: ucs_5.0-0
OK: test case reproduces the problem OK: revert OK: no changelog necessary, interim bug TODO: a new bug to re-add the behavior and find a real solution has to be created
UCS 5.0 has been released: https://docs.software-univention.de/release-notes-5.0-0-en.html https://docs.software-univention.de/release-notes-5.0-0-de.html If this error occurs again, please use "Clone This Bug".
To re-add the post-read-control, UDM might should return the addlist/modlist(s), which was actually send to OpenLDAP and the S4-Connector would have to evaluate this.