Univention Bugzilla – Bug 54183
Group Membership could not be updated caused by mismatching upper/lower case in memberUid
Last modified: 2024-02-06 16:57:22 CET
Now seen this in a customer environment with 4.4-8

01.12.2021 06:25:09.593 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=Remoteuser,OU=Standard,OU=Gruppen,OU=SUB,DC=schein,DC=me
01.12.2021 06:25:09.673 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=remoteuser,ou=standard,ou=gruppen,ou=sub,dc=schein,dc=me
01.12.2021 06:25:10.925 LDAP (ERROR ): Unknown Exception during sync_to_ucs
01.12.2021 06:25:11.017 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1374, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 187, in group_members_sync_to_ucs
    return connector.group_members_sync_to_ucs(key, object)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 2189, in group_members_sync_to_ucs
    ucs_admin_object.fast_member_remove(uniqueMember_del, memberUid_del, ignore_license=1)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/groups/group.py", line 418, in fast_member_remove
    return self.lo.modify(self.dn, ml, ignore_license=ignore_license)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 902, in modify
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: No such attribute: modify/delete: memberUid: no such value

01.12.2021 15:42:56.528 LDAP (INFO ): group_members_sync_to_ucs: members to del: {'group': [], 'user': ['uid=cm,cn=users,dc=sch-ein,dc=me'], 'windowscomputer': []}

A group member could not be deleted, because memberUid: CM instead of cm

+++ This bug was initially created as a clone of Bug #25838 +++

For the following group

# test, groups, update.test
dn: cn=test,cn=groups,dc=update,dc=test
sambaGroupType: 2
cn: test
objectClass: top
objectClass: posixGroup
objectClass: univentionGroup
objectClass: sambaGroupMapping
objectClass: univentionObject
univentionObjectType: groups/group
gidNumber: 5014
sambaSID: S-1-5-21-2796199546-1396784971-2706387774-11029
uniqueMember: uid=Administrator,cn=users,dc=update,dc=test
memberUid: administrator

the Administrator cannot be removed, because administrator is written in lowercase in the memberUid attribute.

root@master:~# udm groups/group modify --dn cn=test,cn=groups,dc=update,dc=test --remove users="uid=Administrator,cn=users,dc=update,dc=test"
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 233, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/pymodules/python2.6/univention/admincli/admin.py", line 939, in doit
    dn=object.modify()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 344, in modify
    return self._modify(modify_childs,ignore_license=ignore_license)
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 863, in _modify
    self.lo.modify(self.dn, ml, ignore_license=ignore_license)
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 385, in modify
    raise univention.admin.uexceptions.ldapError, _err2str(msg)
ldapError: No such attribute: modify/delete: memberUid: no such value

If administrator is changed to Administrator, it works again:

root@master:~# udm groups/group modify --dn cn=test,cn=groups,dc=update,dc=test --remove users="uid=Administrator,cn=users,dc=update,dc=test"
Object modified: cn=test,cn=groups,dc=update,dc=test
This is a generic udm problem and not just confined to the ad connector. See bug 52760 comment 5 on how to reproduce this. The bug seems to be a regression. At least my system with errata 1009 does not have this problem.
Maybe a regression of Bug #48956?
Please at least include the errata version in the report, of the version of the packages that are part of the traceback. The traceback code for line number 418 in groups/group.py doesn't seem to fit to https://errata.software-univention.de/#/?erratum=4.4x1128 but it's hard to tell which package version the customer had. Ticket #2021120821000278 mentions errata 1118, so that would be prior to the change for Bug #48956.
Happened again in a customer environment. I have the reject before the upgrade and after that, hope that helps

03.05.2022 14:51:27.732 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=Administrators,CN=Builtin,DC=example,DC=local
03.05.2022 14:51:27.735 LDAP (PROCESS): sync to ucs: [ group] [ modify] u'cn=administrators,cn=builtin,dc=example,dc=local'
03.05.2022 14:51:27.755 LDAP (ERROR ): failed in post_con_modify_functions
03.05.2022 14:51:27.755 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1574, in sync_to_ucs
    raise
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 95, in group_members_sync_to_ucs
    return s4connector.group_members_sync_to_ucs(key, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1972, in group_members_sync_to_ucs
    ucs_admin_object.fast_member_remove(uniqueMember_del, memberUid_del, ignore_license=1)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/groups/group.py", line 418, in fast_member_remove
    return self.lo.modify(self.dn, ml, exceptions=True, ignore_license=ignore_license)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 902, in modify
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: No such attribute: modify/delete: memberUid: no such value

-------------------------
Starting univention-upgrade. Current UCS version is 4.4-8 errata1077
Checking for package updates: found
Please rerun command without --check argument to install.
Starting dist-upgrade at Di 3. Mai 14:45:25 CEST 2022
--------------------------

After that update in Logfile with UCS: 4.4-9 errata1229

03.05.2022 14:51:58.060 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=Administrators,CN=Builtin,DC=example,DC=local
03.05.2022 14:51:58.063 LDAP (PROCESS): sync to ucs: [ group] [ modify] u'cn=administrators,cn=builtin,dc=example,dc=local'
03.05.2022 14:51:58.074 LDAP (WARNING): encode_s4_object: encode attrib terminalServer failed, ignored!
03.05.2022 14:51:58.085 LDAP (ERROR ): failed in post_con_modify_functions
03.05.2022 14:51:58.085 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1571, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 95, in group_members_sync_to_ucs
    return s4connector.group_members_sync_to_ucs(key, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1972, in group_members_sync_to_ucs
    ucs_admin_object.fast_member_remove(uniqueMember_del, memberUid_del, ignore_license=1)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/groups/group.py", line 424, in fast_member_remove
    return self.fast_member_remove(memberdnlist, uidlist, ignore_license=ignore_license, _retry_on_attribute_error=False)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/groups/group.py", line 430, in fast_member_remove
    raise univention.admin.uexceptions.ldapError(msg.args[0]['desc'])
ldapError: No such attribute
MR with a patch successfully tested at the customer: https://git.knut.univention.de/univention/ucs/-/merge_requests/854

`memberUid` is case sensitive in contrast to `uniqueMember`. An LDAP remove operation must therefore happen with the correct case. The lowered set always put the lowercase variant into the remove list. As we retrieved the current set values directly before this operation we can use the original case.

It looks like it was broken by git:db0d44f0ef5a56542293538c641e4de50d07f6de in UCS 5.0-0. But this doesn't explain why it failed in UCS 4.4 as well. No time to research this.
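The case mismatch described in the comment above, as an added example that is not part of the original comment or of the merged patch. All function names, the `NoSuchAttribute` class and the sample data are hypothetical; the directory is modelled as a plain list with case-exact matching on `memberUid`.

```python
# Added illustration; not the UDM implementation. All names are hypothetical.

class NoSuchAttribute(Exception):
    """Stands in for the LDAP error 'No such attribute ... no such value'."""


def uid_from_dn(dn):
    # Simplified: value of the first RDN; assumes no escaped commas
    # and no multi-valued RDNs.
    return dn.split(",", 1)[0].split("=", 1)[1]


def delete_member_uids(stored, to_delete):
    """Mimic modify/delete on memberUid, which matches values case-exactly."""
    missing = [v for v in to_delete if v not in stored]
    if missing:
        raise NoSuchAttribute("modify/delete: memberUid: no such value")
    return [v for v in stored if v not in to_delete]


def lowered_removal(remove_dns):
    """The failing approach: always put the lowercase uid in the remove list."""
    return [uid_from_dn(dn).lower() for dn in remove_dns]


def case_preserving_removal(stored, remove_dns):
    """Compare case-insensitively, but delete the value exactly as stored."""
    wanted = {uid_from_dn(dn).lower() for dn in remove_dns}
    return [v for v in stored if v.lower() in wanted]


# Constructed sample data modelled on the first report (memberUid 'CM').
STORED_MEMBER_UID = ["CM", "alice"]
REMOVE_DNS = ["uid=cm,cn=users,dc=example,dc=test"]

if __name__ == "__main__":
    try:
        delete_member_uids(STORED_MEMBER_UID, lowered_removal(REMOVE_DNS))
    except NoSuchAttribute as exc:
        print("lowered remove list fails:", exc)
    fixed = case_preserving_removal(STORED_MEMBER_UID, REMOVE_DNS)
    print("remaining memberUid:", delete_member_uids(STORED_MEMBER_UID, fixed))
```

When the delete is rejected, the group keeps the member it was supposed to lose, so a rejected group sync is worth treating as a pending access revocation.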
*** Bug 54503 has been marked as a duplicate of this bug. ***
Another customer affected 2023092921000204

UCS: 5.0-4 errata750
Installed: adconnector=12.0 admin-dashboard=2.1 privacyidea-saml=2.1.2 prometheus-node-exporter=2.0.1 samba-memberserver=4.16 self-service=5.0 self-service-backend=5.0 4.4/prometheus=2.35.0-5
Upgradable: admin-dashboard privacyidea-saml
The patch has been merged. Case sensitivity of the attribute `memberUid` is now respected when removing members from a group.

univention-directory-manager-modules.yaml
e7e5db22c487 | fix(udm): fix removal of non-lowercase group members in fast_member_remove()

univention-directory-manager-modules (15.0.24-19)
e7e5db22c487 | fix(udm): fix removal of non-lowercase group members in fast_member_remove()
OK: code review
OK: changelog
OK: advisory
OK: test https://forge.univention.org/bugzilla/show_bug.cgi?id=52760#c5
<https://errata.software-univention.de/#/?erratum=5.0x832>