Bug 53741 - Wrong usage of LDAP attribute "secretary"
Status: NEW
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 5.0
All All
: P5 minor (vote)
: ---
Assigned To: UCS maintainers
Depends on: 24150 42206
Reported: 2021-09-02 17:16 CEST by Michael Grandjean
Modified: 2023-09-18 18:14 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): API change, External feedback, Usability
Max CVSS v3 score:


Description Michael Grandjean univentionstaff 2021-09-02 17:16:11 CEST
This is still wrong and quite confusing.

+++ This bug was initially created as a clone of Bug #42206 +++

The attribute displayed in the UMC as Superior / Vorgesetzter is mapped internally to the attribute secretary of the LDAP schema inetOrgPerson. It should be mapped to the attribute manager instead;
see the documentation here: https://docs.oracle.com/cd/E19225-01/820-6551/bzapc/index.html
The bug was already described for UCS 2.4, but it is still present in UCS 4.1. It is probably easy to fix, but is likely to cause difficulties during upgrades. Perhaps a small script should also be provided that copies or moves the contents of secretary to manager.

+++ This bug was initially created as a clone of Bug #24150 +++

An excerpt of the output of udm users/user contains the following description:

    employeeNumber (person)                  Employee number
    employeeType (person)                    Employee type
    roomNumber (person)                      Room number
    departmentNumber (person)                Department number
    secretary (person,[])                    Superior

It is indeed the case that the DN of the superior is stored in the LDAP attribute secretary. In my opinion, however, the attribute manager should be set for this. Both are optional for the object class inetOrgPerson.

Description of the attributes

# 9.3.10.  Manager
#  The Manager attribute type specifies the manager of an object
#  represented by an entry.
#    manager ATTRIBUTE
#            distinguishedNameSyntax
#    ::= {pilotAttributeType 10}

# 9.3.17.  Secretary
#  The Secretary attribute type specifies the secretary of a person.
#  The attribute value for Secretary is a distinguished name.
#    secretary ATTRIBUTE
#            distinguishedNameSyntax
#    ::= {pilotAttributeType 21}
attributetype ( 0.9.2342.19200300.100.1.21 NAME 'secretary'
	EQUALITY distinguishedNameMatch
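
One way to write the migration script suggested in the description, which copies or moves secretary values to manager, as an added example that is not code from the bug report or from UCS. It reads ldapsearch-style LDIF and emits modify records; the function names and the sample entries are constructed for illustration.

```python
import base64

# Added illustration: helper names are hypothetical, the sample LDIF is constructed
# (ldapsearch style, with one folded line and one base64-encoded value).
B64_DN = base64.b64encode("uid=j\u00f6rg,cn=users,dc=example,dc=org".encode()).decode()
SAMPLE_LDIF = (
    "dn: uid=alice,cn=users,dc=example,dc=org\n"
    "secretary: uid=bob,cn=users,\n dc=example,dc=org\n\n"
    "dn: uid=carol,cn=users,dc=example,dc=org\n"
    f"secretary:: {B64_DN}\n"
    "manager: uid=bob,cn=users,dc=example,dc=org\n\n"
    "dn: uid=dave,cn=users,dc=example,dc=org\nuid: dave\n"
)

def parse_ldif(text):
    """Return [(dn, {attr: [values]})], handling folding and 'attr:: base64'."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split entries
        attrs = {}
        lines = [ln for ln in block.splitlines() if ln and not ln.startswith("#")]
        for line in lines:
            name, _, rest = line.partition(":")
            value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                     if rest.startswith(":") else rest.strip())
            attrs.setdefault(name.lower(), []).append(value)
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def ldif_value(attr, value):
    """Format one LDIF line; base64-encode values that are not LDIF-safe."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    return f"{attr}: {value}" if safe else f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def migration_ldif(entries, move=False):
    """Build 'changetype: modify' records that copy secretary DNs to manager."""
    records = []
    for dn, attrs in entries:
        secretary = attrs.get("secretary", [])
        # Simplification: DNs are compared case-insensitively, not fully normalised.
        present = {v.lower() for v in attrs.get("manager", [])}
        missing = [v for v in secretary if v.lower() not in present]
        rec = ["add: manager", *(ldif_value("manager", v) for v in missing), "-"] if missing else []
        if move and secretary:
            rec += ["delete: secretary", "-"]
        if rec:
            records.append("\n".join([ldif_value("dn", dn), "changetype: modify", *rec]) + "\n")
    return "\n".join(records)
```

With `move=True` the records also delete secretary, which on a system with the unchanged UDM mapping would empty the field that UMC shows as Superior.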
Comment 1 Florian Best univentionstaff 2021-09-02 17:28:53 CEST
(In reply to Stefan Gohmann from Bug #42206 comment #1)
> Workaround (would, however, have to be run again after every update in which the package python-univention-directory-manager is updated):
> sed -i "s|mapping.register('secretary','secretary')|mapping.register('secretary', 'manager')|" /usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py
Comment 2 Michael Grandjean univentionstaff 2021-09-05 18:52:31 CEST
Just in case for anyone else reading the workaround and wondering.

The workaround leads to the following:

UMC: Vorgesetzter (DE) / Superior (EN)
UDM: secretary
OpenLDAP: manager
Samba AD: nothing, does not get synced
Comment 3 M. Breidt 2023-09-18 11:39:39 CEST
(came here from https://help.univention.com/t/why-is-ldap-attribute-secretary-called-superior-in-ucs/20270 )

There is a standard LDAP attribute "secretary", which according to the official specs (see https://docs.ldap.com/specs/rfc4524.txt ) has the following intention:

The ‘secretary’ attribute specifies secretaries and/or administrative assistants, by distinguished name.

But the web UI of UCS labels this “superior”, which seems incompatible with the RFC.
Comment 4 M. Breidt 2023-09-18 11:47:28 CEST
To clarify:

IMO the UMC field "Superior" should be renamed into "secretary" or "assistant" and be mapped to LDAP attribute 'secretary', and another field called "manager" should be created and be mapped to LDAP attribute 'manager'.