Univention Bugzilla – Bug 55564
UDM tries to set defaults to readonly_when_synced attributes even if object is synced
Last modified: 2023-01-13 13:07:42 CET
A customer had his "cn=Domain Admins" group synced from AD. The object was not modifiable using UDM anymore. The reason was that the object didn't have the attribute mailAddress set. In def _ldap_pre_ready self['mailAddress'] is checked, which leads to UDM attaching the default value of the attribute (which is an empty string) to self.info. UDM then tries to modify the attribute because old(None) != new(''), which fails in this case because this attribute is readonly_when_synced and the object was indeed synced and therefore readonly. def __getitem__ in UDM only attaches the default attribute value if the attribute is editable. We could extend the logic to skip this if the attribute is readonly_when_synced and the object is synced. Or we could modify the part in _ldap_pre_ready that calls this method.
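A simplified model of the mechanism described in the comment above, added here as an illustration; it is not UDM's code and not from the reporter, and every class and method name in it is hypothetical. It shows a read through `__getitem__` attaching the empty default on a synced object, and the first of the two proposed options (skipping the default when the attribute is readonly_when_synced and the object is synced).

```python
# Simplified model of the behaviour described in this report; NOT UDM's code.
# All class, method and attribute names here are hypothetical.
class ValueMayNotChange(Exception):
    pass

class Prop:
    def __init__(self, default='', editable=True, readonly_when_synced=False):
        self.default = default
        self.editable = editable
        self.readonly_when_synced = readonly_when_synced

class ModelObject:
    props = {'mailAddress': Prop(readonly_when_synced=True)}

    def __init__(self, stored, synced, guard_synced):
        self.oldinfo = dict(stored)       # values as loaded from the directory
        self.info = dict(stored)          # working copy compared on modify()
        self.synced = synced              # object carries the "synced" flag
        self.guard_synced = guard_synced  # True = proposed extra check enabled

    def _locked(self, key):
        return self.synced and self.props[key].readonly_when_synced

    def __getitem__(self, key):
        prop = self.props[key]
        if key not in self.info and prop.editable:
            # Reading an unset attribute attaches its default as a side effect,
            # unless the proposed guard sees a locked attribute.
            if not (self.guard_synced and self._locked(key)):
                self.info[key] = prop.default
        return self.info.get(key, prop.default)

    def modify(self):
        self['mailAddress']  # stands in for the check in _ldap_pre_ready
        changed = [k for k in self.info if self.info[k] != self.oldinfo.get(k)]
        for key in changed:
            if self._locked(key):  # old(None) != new('') on a read-only attribute
                raise ValueMayNotChange('key=%s old=%r new=%r' % (
                    key, self.oldinfo.get(key), self.info[key]))
        return changed

def try_modify(guard_synced):
    """Modify a synced object without touching any property (constructed case)."""
    obj = ModelObject({}, synced=True, guard_synced=guard_synced)
    try:
        return obj.modify()
    except ValueMayNotChange as exc:
        return str(exc)
```
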
Do you have a traceback and a reproducer test case / Jenkins link?
I installed an AD membermode environment and picked a random group that had the flag "synced" and tried to modify it.

./usr/lib/python3/dist-packages/univention/admincli/admin.py groups/group modify --dn="cn=Domain Guests,cn=groups,dc=AutoTest221,dc=test" --policy-reference cn=default-umc-all,cn=UMC,cn=policies,dc=AutoTest221,dc=test
Traceback (most recent call last):
  File "./usr/lib/python3/dist-packages/univention/admincli/admin.py", line 354, in main
    _doit(arglist, stdout=stdout, stderr=stderr)
  File "./usr/lib/python3/dist-packages/univention/admincli/admin.py", line 605, in _doit
    cli.modify(input, append, remove, parsed_append_options, parsed_remove_options, parsed_options, policy_reference, policy_dereference, ignore_not_exists=ignore_not_exists)
  File "./usr/lib/python3/dist-packages/univention/admincli/admin.py", line 634, in modify
    return self._modify(self.module_name, self.module, self.dn, self.lo, self.position, self.superordinate, *args, **kwargs)
  File "./usr/lib/python3/dist-packages/univention/admincli/admin.py", line 790, in _modify
    dn = object.modify()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 650, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1342, in _modify
    self.__prevent_ad_property_change()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1739, in __prevent_ad_property_change
    raise univention.admin.uexceptions.valueMayNotChange(_('key=%(key)s old=%(old)s new=%(new)s') % {'key': key, 'old': oldval, 'new': value}, property=key)
univention.admin.uexceptions.valueMayNotChange: Value may not change: key=mailAddress old=None new=.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./usr/lib/python3/dist-packages/univention/admincli/admin.py", line 952, in <module>
    main(sys.argv, sys.stdout, sys.stderr)
  File "./usr/lib/python3/dist-packages/univention/admincli/admin.py", line 360, in main
    raise OperationFailed(msg)
__main__.OperationFailed: Value may not change: key=mailAddress old=None new=.
Thanks, that looks promising. I think something is broken when unmapping the mailAddress data. I can have a deeper look next week.