Univention Bugzilla – Bug 55445
univention.admin.uexceptions.primaryGroup: None when opening the users UMC module
Last modified: 2023-04-12 15:43:35 CEST
When a user cannot read the default primary group of the domain but is allowed to use the users/user module in UMC, a traceback occurs. It happens during pre-rendering of the "create user" detail page in UMC, which contains all default values for a user.

    # univention-ldapsearch -LLLb cn=default,cn=univention,dc=base,dc=de univentionDefaultGroup
    dn: cn=default,cn=univention,dc=base,dc=de
    univentionDefaultGroup: cn=Domain Users,cn=groups,dc=base,dc=de

    # univention-ldapsearch -D uid=tester,ou=users,ou=00,ou=0002,ou=tenants,dc=base,dc=de -w Univention1. -LLL -b 'cn=Domain Users,cn=groups,dc=base,dc=de' dn
    No such object (32)

    # univention-ldapsearch -LLL -b 'cn=Domain Users,cn=groups,dc=base,dc=de' dn
    dn: cn=Domain Users,cn=groups,dc=base,dc=de

→ The LDAP ACLs disallow reading the default primary group for that user.

    Interner Server-Fehler in "udm/properties (users/user)".
    Request: udm/properties (users/user)

    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/univention/management/console/base.py", line 347, in __error_handling
        six.reraise(etype, exc, etraceback)
      File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise
        raise value
      File "/usr/lib/python3/dist-packages/univention/management/console/base.py", line 250, in execute
        function.__func__(self, request, *args, **kwargs)
      File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/__init__.py", line 124, in _decoarated
        ret = [func(self, request) for request.options in options]
      File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/__init__.py", line 124, in <listcomp>
        ret = [func(self, request) for request.options in options]
      File "/usr/lib/python3/dist-packages/univention/management/console/modules/decorators.py", line 184, in _response
        return function(self, request)
      File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/__init__.py", line 867, in properties
        properties = module.get_properties(object_dn)
      File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/udm_ldap.py", line 921, in get_properties
        for iprop in self.properties(ldap_dn):
      File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/udm_ldap.py", line 979, in properties
        obj.open()
      File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1163, in open
        self._set_default_group()
      File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1195, in _set_default_group
        raise univention.admin.uexceptions.primaryGroup(self.dn)
    univention.admin.uexceptions.primaryGroup: None

+++ This bug was initially created as a clone of Bug #42080 +++
We have recognized the same issue since the upgrade to UCS 5-0.2.
(In reply to Sebastian from comment #1)
> We have recognized the same issue since the upgrade to UCS 5-0.2.

Yes, it was introduced in: <https://errata.software-univention.de/#/?erratum=5.0x489>

The question now is what is special about your environment? What special LDAP ACLs exist? Why don't your users have read access to the default primary group in the domain?

The first customer which was affected solved this by setting another default primary group in:

    cn=default,cn=univention,dc=ldap,dc=base
    univentionDefaultGroup: cn=Domain Users,cn=groups,dc=ldap,dc=base
Thanks for your reply!

> The question now is what is special about your environment?

We organized our users in organizational units (OU). It is mandatory that a user in OU A cannot see the other OUs (like B, C ...). In every OU there is a group of "ou admin users"; they can create, edit and remove other users inside their OU.

> What special LDAP ACLs exist? Why don't your users have read access to the default primary group in the domain?

In our scenario, we don't have a classic domain context at all. We use the UMC to implement an IDM system. We simply would like to limit the visible groups for an "ou admin user" to those inside its OU. The part in our custom LDAP ACL looks like this:

    access to dn.subtree="cn=groups,dc=test,dc=example,dc=com"
        by dn.subtree="ou=kommunen,dc=test,dc=example,dc=com" none
        by * none break

The workaround you mentioned does not fit our scenario, since we'd have a "default" group for each OU :-)
Reported again, UCS 5.0-2 errata498. Remark: "Whenever I open users. It is connected to an AD domain."
Can you modify the LDAP ACLs so that the default group is readable for everyone, but not writable? That way users in the UMC module can again be opened, but users can still not be created in the central default group, as it's r/o.
(In reply to Daniel Tröder from comment #6)
> Can you modify the LDAP ACLs so that the default group is readable for
> everyone, but not writable?
> That way users in the UMC module can again be opened, but users can still
> not be created in the central default group, as it's r/o.

So effectively changing your definition to:

    access to dn.exact="cn=Domain Users,cn=groups,dc=test,dc=example,dc=com"
        by dn.subtree="ou=kommunen,dc=test,dc=example,dc=com" +rscxd stop
        by * +0 break
    access to dn.subtree="cn=groups,dc=test,dc=example,dc=com"
        by dn.subtree="ou=kommunen,dc=test,dc=example,dc=com" none
        by * none break
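To make the difference between the reporter's ACL and the revised one above concrete, here is a small evaluator that models a subset of slapd.access(5) semantics and replays both rule sets against an OU admin. This is an added example, not code from Univention, OpenLDAP or anyone in this thread. It assumes only entry-level `dn.exact`/`dn.subtree` selectors with `stop`/`break` controls (no `continue`, attribute rules, filters or regex styles), and the requester DNs and the "other group" DN are constructed for the demonstration; the group DN and the two ACL texts are taken from the comments above.

```python
"""Simplified evaluator for OpenLDAP slapd "access to ... by ..." directives.

Constructed example for this bug thread; not Univention's or OpenLDAP's code.
Models only the subset the two posted ACL sets use: dn.exact / dn.subtree
selectors, "*", privilege levels, additive "+<letters>" privileges and the
"stop" / "break" controls.
"""
import shlex

# Privilege levels in slapd order; a level implies the letters of all lower
# levels (read == rscxd, write == wrscxd, ...).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LETTER = {"disclose": "d", "auth": "x", "compare": "c", "search": "s",
          "read": "r", "write": "w", "manage": "m"}
CONTROLS = ("stop", "break")


def level_to_letters(level):
    """Expand a privilege level name to its set of privilege letters."""
    if level not in LEVELS:
        raise ValueError("unsupported privilege: %r" % level)
    return {LETTER[name] for name in LEVELS[1:LEVELS.index(level) + 1]}


def apply_privilege(granted, token):
    """Apply one <access> token to the privileges accumulated so far."""
    if token.startswith("+"):            # additive: "+rscxd"; "+0" adds nothing
        return granted | set(token[1:].replace("0", ""))
    if token.startswith("-"):            # subtractive: "-w"
        return granted - set(token[1:])
    return level_to_letters(token)       # an absolute level replaces everything


def normalize_dn(dn):
    """Case-fold and strip blanks around RDN separators (sufficient here)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_matches(spec, dn):
    """spec is '*', 'dn.exact=<dn>' or 'dn.subtree=<dn>' (quotes already removed)."""
    if spec == "*":
        return True
    style, _, base = spec.partition("=")
    base, dn = normalize_dn(base), normalize_dn(dn)
    if style == "dn.exact":
        return dn == base
    if style == "dn.subtree":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unsupported selector style: %r" % style)


def parse_acl(text):
    """Return [(what_spec, [(who_spec, access_token, control), ...]), ...]."""
    toks = shlex.split(text)
    rules, i = [], 0
    while i < len(toks):
        if toks[i:i + 2] != ["access", "to"]:
            raise ValueError("expected 'access to' at token %d" % i)
        what, i = toks[i + 2], i + 3
        clauses = []
        while i < len(toks) and toks[i] == "by":
            who, access, i = toks[i + 1], toks[i + 2], i + 3
            control = "stop"                   # slapd default when omitted
            if i < len(toks) and toks[i] in CONTROLS:
                control, i = toks[i], i + 1
            elif i < len(toks) and toks[i] == "continue":
                raise ValueError("'continue' is not modelled by this example")
            clauses.append((who, access, control))
        rules.append((what, clauses))
    return rules


def granted_privileges(rules, requester_dn, target_dn):
    """Privilege letters requester_dn holds on the entry target_dn."""
    granted = set()
    for what, clauses in rules:
        if not dn_matches(what, target_dn):
            continue                           # directive does not apply
        control = None
        for who, access, ctl in clauses:
            if dn_matches(who, requester_dn):
                granted, control = apply_privilege(granted, access), ctl
                break                          # first matching <by> clause wins
        if control is None:
            return set()                       # no <by> matched: implicit "by * none"
        if control == "stop":
            return granted
        # "break": keep what was granted and go on to the next directive
    return granted


def can_read(rules, requester_dn, target_dn):
    return "r" in granted_privileges(rules, requester_dn, target_dn)


def can_write(rules, requester_dn, target_dn):
    return "w" in granted_privileges(rules, requester_dn, target_dn)


# ACL as posted by the reporter above (verbatim).
ORIGINAL_ACL = """
access to dn.subtree="cn=groups,dc=test,dc=example,dc=com"
    by dn.subtree="ou=kommunen,dc=test,dc=example,dc=com" none
    by * none break
"""

# Revised ACL from the reply to comment #6 above (verbatim).
REVISED_ACL = """
access to dn.exact="cn=Domain Users,cn=groups,dc=test,dc=example,dc=com"
    by dn.subtree="ou=kommunen,dc=test,dc=example,dc=com" +rscxd stop
    by * +0 break
access to dn.subtree="cn=groups,dc=test,dc=example,dc=com"
    by dn.subtree="ou=kommunen,dc=test,dc=example,dc=com" none
    by * none break
"""

DEFAULT_GROUP = "cn=Domain Users,cn=groups,dc=test,dc=example,dc=com"   # from the thread
OTHER_GROUP = "cn=Some Other Group,cn=groups,dc=test,dc=example,dc=com"  # constructed
OU_ADMIN = "uid=ouadmin,ou=a,ou=kommunen,dc=test,dc=example,dc=com"      # constructed

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        rules = parse_acl(text)
        for group in (DEFAULT_GROUP, OTHER_GROUP):
            privs = "".join(sorted(granted_privileges(rules, OU_ADMIN, group)))
            print("%s ACL: OU admin on %s -> %s" % (name, group, privs or "none"))
```

With the original ACL the OU admin gets no privileges at all on the default group, which is exactly the state in which `_set_default_group()` raises. With the revised ACL the OU admin holds `rscxd` (read but not write) on the default group and still nothing on any other group under `cn=groups`. Note that the trailing `break` hands evaluation to whatever directives follow in a real slapd configuration; this model has none, so it falls back to "no access".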
Created attachment 11016: usecase scenario
When an "ou admin user" creates a new user inside its OU, the "unused" group "Domain Admins" is visible and selected by default. This doesn't make sense in our case.
(In reply to Sebastian from comment #9)
> When an "ou admin user" creates a new user inside its OU, the "unused"
> group "Domain Admins" is visible and selected by default. This doesn't make
> sense in our case.

Sorry, it's "Domain Users".
(In reply to Sebastian from comment #9)
> When an "ou admin user" creates a new user inside its OU, the "unused"
> group "Domain Users" is visible and selected by default. This doesn't make
> sense in our case.

Yes, I am sorry that it is this way, but we cannot easily change it for now: we don't have an OU-based concept. The current best way to circumvent this would be to create a user template with a pre-defined primary group and use this when creating new users.
Happened in the next customer environment (AD member mode). To fix this, the workaround from comment 2 worked:

    root@ucs01:~# udm settings/default list
    DN: cn=default,cn=univention,dc=schein,dc=ig
      defaultClientGroup: cn=Computers,cn=groups,dc=schein,dc=ig
      defaultComputerGroup: cn=Windows Hosts,cn=groups,dc=schein,dc=ig
      defaultDomainControllerGroup: cn=DC Slave Hosts,cn=groups,dc=schein,dc=ig
      defaultDomainControllerMBGroup: cn=DC Backup Hosts,cn=groups,dc=schein,dc=ig
      defaultGroup: cn=Domänen-Benutzer,cn=groups,dc=schein,dc=ig
      defaultMemberServerGroup: cn=Computers,cn=groups,dc=schein,dc=ig
      name: default

    root@ucs01:~# udm settings/default modify --dn cn=default,cn=univention,dc=rzhnds,dc=mg --append defaultGroup='cn=Domain Users,cn=groups,dc=schein,dc=ig'
    WARNING: using --append on a single value property (defaultGroup). Use --set instead!
    Object modified: cn=default,cn=univention,dc=schein,dc=ig

    root@ucs01:~# udm settings/default modify --dn cn=default,cn=univention,dc=schein,dc=ig --set univentionDefaultGroup='cn=Domain Users,cn=groups,dc=schein,dc=ig'
    WARNING: No attribute with name 'univentionDefaultGroup' in this module, value not set.
    No modification: cn=default,cn=univention,dc=schein,dc=ig
Same in the next member mode environment. After the errata updates, the user module is not usable anymore. defaultGroup is again cn=Domänen-Benutzer; the users are all in Domain Users. After fixing this with

    udm settings/default modify --dn cn=default,cn=univention,dc=schein,dc=ig --set defaultGroup='cn=Domain Users,cn=groups,dc=schein,dc=ig'

everything works again.
Version: 5.0-2 errata528
Error:

    Interner Server-Fehler in "udm/properties (users/user)".
    Request: udm/properties (users/user)

    Traceback (most recent call last):
      File "%PY3%/univention/management/console/base.py", line 347, in __error_handling
        six.reraise(etype, exc, etraceback)
      File "%PY3%/six.py", line 693, in reraise
        raise value
      File "%PY3%/univention/management/console/base.py", line 250, in execute
        function.__func__(self, request, *args, **kwargs)
      File "%PY3%/univention/management/console/modules/udm/__init__.py", line 124, in _decoarated
        ret = [func(self, request) for request.options in options]
      File "%PY3%/univention/management/console/modules/udm/__init__.py", line 124, in <listcomp>
        ret = [func(self, request) for request.options in options]
      File "%PY3%/univention/management/console/modules/decorators.py", line 184, in _response
        return function(self, request)
      File "%PY3%/univention/management/console/modules/udm/__init__.py", line 867, in properties
        properties = module.get_properties(object_dn)
      File "%PY3%/univention/management/console/modules/udm/udm_ldap.py", line 912, in get_properties
        for iprop in self.properties(ldap_dn):
      File "%PY3%/univention/management/console/modules/udm/udm_ldap.py", line 970, in properties
        obj.open()
      File "%PY3%/univention/admin/handlers/users/user.py", line 1172, in open
        self._set_default_group()
      File "%PY3%/univention/admin/handlers/users/user.py", line 1206, in _set_default_group
        raise univention.admin.uexceptions.primaryGroup(self.dn)
    univention.admin.uexceptions.primaryGroup: Die primäre Standardgruppe existiert nicht.

Role: domaincontroller_master
Version: 5.0-2 errata505
Error:

    Interner Server-Fehler in "udm/properties (users/user)".
    Request: udm/properties (users/user)

    Traceback (most recent call last):
      File "%PY3%/univention/management/console/base.py", line 347, in __error_handling
        six.reraise(etype, exc, etraceback)
      File "%PY3%/six.py", line 693, in reraise
        raise value
      File "%PY3%/univention/management/console/base.py", line 250, in execute
        function.__func__(self, request, *args, **kwargs)
      File "%PY3%/univention/management/console/modules/udm/__init__.py", line 124, in _decoarated
        ret = [func(self, request) for request.options in options]
      File "%PY3%/univention/management/console/modules/udm/__init__.py", line 124, in <listcomp>
        ret = [func(self, request) for request.options in options]
      File "%PY3%/univention/management/console/modules/decorators.py", line 184, in _response
        return function(self, request)
      File "%PY3%/univention/management/console/modules/udm/__init__.py", line 867, in properties
        properties = module.get_properties(object_dn)
      File "%PY3%/univention/management/console/modules/udm/udm_ldap.py", line 921, in get_properties
        for iprop in self.properties(ldap_dn):
      File "%PY3%/univention/management/console/modules/udm/udm_ldap.py", line 979, in properties
        obj.open()
      File "%PY3%/univention/admin/handlers/users/user.py", line 1163, in open
        self._set_default_group()
      File "%PY3%/univention/admin/handlers/users/user.py", line 1195, in _set_default_group
        raise univention.admin.uexceptions.primaryGroup(self.dn)
    univention.admin.uexceptions.primaryGroup: None

Role: domaincontroller_master