Bug 53517 - S4C: Creating users that are named like containers should be prevented
Status: NEW
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 5.0
Hardware: Other Windows NT
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba maintainers
Depends on: 53102 53725
Blocks:
Reported: 2021-06-25 22:00 CEST by Florian Best
Modified: 2022-09-16 13:49 CEST (History)
CC List: 6 users

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021050621000473, 2022091621000294
Bug group (optional):
Max CVSS v3 score:
Description Florian Best univentionstaff 2021-06-25 22:00:58 CEST
We should investigate if we want to prevent this situation explicitly in the S4-Connector.

+++ This bug was initially created as a clone of Bug #53102 +++

root@srv-ucsm01:~# univention-app info
UCS: 4.4-7 errata873
Installed: letsencrypt=1.2.2-8 pkgdb=11.0 prometheus-node-exporter=1.1 samba4=4.10 ucsschool=4.4 v8
Upgradable: letsencrypt ucsschool

Scenario: A member of "Domain Admins" created a user named "lehrer" in the container "cn=users,ou=schule11,dc=schule-musterstadt,dc=de".

Observed behaviour: UCS created the user object just fine in OpenLDAP:
 uid=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de

However, there is also a container at the same level of the LDAP tree called:
 cn=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de

Things start to get messy when Samba AD and the S4-Connector are involved. In AD, user object DNs don't start with "uid=" but with "cn=". So, the user object in AD would be:
 CN=lehrer,CN=users,OU=schule11,DC=schule-musterstadt,DC=de
And now we have the same DN for the user object and the container object.

At first, this will create a S4-Connector-Reject, because the S4-Connector can't add user attributes like objectSid to a container object.

However, when we delete the user "lehrer", the S4-Connector will delete "CN=lehrer,CN=users,OU=schule11,DC=schule-musterstadt,DC=de", which is the container, with all its subordinate objects(!), e.g. all teacher accounts of that school.


To prevent this, I think it should not be possible to create users with the same name as existing containers (at least on the same level of the LDAP tree).
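As an added example (not code from the bug report or from the S4-Connector itself), a pre-creation check in Python that derives the Samba AD DN the connector would use for a new OpenLDAP user (the leading uid= becomes cn=, the parent stays the same, as in the scenario above) and rejects the creation when a sibling container already owns that DN. The container list is constructed sample data; the second container name is made up for illustration.

```python
import re

# Constructed sample: containers that already exist in OpenLDAP in the bug's scenario.
# The first DN is the one from the report, the second is made up for illustration.
EXISTING_CONTAINER_DNS = [
    "cn=lehrer,cn=users,ou=schule11,dc=schule-musterstadt,dc=de",
    "cn=schueler,cn=users,ou=schule11,dc=schule-musterstadt,dc=de",
]


def split_rdns(dn):
    """Split a DN into its RDNs, leaving escaped commas ('\\,') inside values alone."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def normalize_dn(dn):
    """Case-fold attribute types and values and drop whitespace around '=' so that
    'CN=Lehrer, CN=users,...' and 'cn=lehrer,cn=users,...' compare equal (DN matching
    in both OpenLDAP and AD is case-insensitive for these attributes)."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        parts.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(parts)


def ad_dn_for_user(openldap_user_dn):
    """Derive the DN the S4-Connector would write to Samba AD: the leading 'uid=' RDN
    becomes 'cn='; the parent part of the DN is kept unchanged, which is exactly what
    makes the user DN coincide with a sibling container's DN in this bug."""
    rdns = split_rdns(openldap_user_dn)
    attr, _, value = rdns[0].partition("=")
    if attr.strip().lower() != "uid":
        raise ValueError("not a user DN (expected a leading uid= RDN): %s" % openldap_user_dn)
    return ",".join(["cn=%s" % value.strip()] + rdns[1:])


def user_collides_with_container(openldap_user_dn, container_dns):
    """True if creating this user would yield an AD DN identical to the DN of an
    existing container, i.e. a container with the same name on the same level."""
    wanted = normalize_dn(ad_dn_for_user(openldap_user_dn))
    return any(normalize_dn(c) == wanted for c in container_dns)


def check_user_creation(openldap_user_dn, container_dns=EXISTING_CONTAINER_DNS):
    """Pre-creation check to run before the user object is added: returns (allowed, reason)."""
    if user_collides_with_container(openldap_user_dn, container_dns):
        return False, "user DN would map onto existing container %s in Samba AD" % ad_dn_for_user(openldap_user_dn)
    return True, "ok"
```

Splitting on unescaped commas is enough for the DNs in this report; a production check should use a proper DN parser (e.g. the one in python-ldap) to handle multi-valued RDNs and quoted values.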