Original bug report: https://help.univention.com/t/when-was-an-ldap-object-created-or-modified-display-ldap-operational-attributes-in-extended-attributes/20968/6?u=steuwer

To reproduce I created the 4 Extended Attributes for groups and users and tried to copy a group using UMC. I also had the error message "Das LDAP-Objekt konnte nicht gespeichert werden: LDAP-Fehler: Constraint violation: createTimestamp: no user modification allowed." The same error occurs if I want to copy a user object.

I assume that UDM tries to write something in the "createTimestamp" LDAP attribute, which is not allowed. Looking at the documentation I think not setting the "copyable" flag should prevent such behaviour, but that is not the case here (the value is "None").

Full definition of the Extended Attribute:

DN: cn=createTimestamp,cn=custom attributes,cn=univention,[LDAP BASE]
  CLIName: createTimestamp
  copyable: None
  default: None
  deleteObjectClass: None
  disableUDMWeb: None
  doNotSearch: None
  fullWidth: None
  groupName: object creation
  groupPosition: 1
  hook: None
  ldapMapping: createTimestamp
  longDescription: Database timestamp of the LDAP object creation, typically UTC
  mayChange: None
  module: users/user
  module: groups/group
  multivalue: None
  name: createTimestamp
  notEditable: 0
  objectClass: top
  overwritePosition: None
  overwriteTab: None
  shortDescription: timestamp of object creation
  syntax: string
  tabAdvanced: None
  tabName: LDAP details
  tabPosition: 1
  translationGroupName: de_DE: Objekterstellung
  translationLongDescription: de_DE: Zeitpunkt der Erstellung des LDAP Objekts, typischer Weise UTC
  translationShortDescription: de_DE: Zeitstempel der Objekterstellung
  translationTabName: de_DE: LDAP Details
  valueRequired: None
  version: 2
This might also be the root cause of Bug #55670
The property copyable is defined "wrong". At least in comparison to mayChange and the others.
copyable=None or copyable=0 results in the property being copyable.
copyable=1 means the property is not copyable. :/
So you would get what you look for if you set copyable=1
This is simply wrong - but only for extended attributes. I would propose to just fix it: diff --git management/univention-directory-manager-modules/modules/univention/admin/modules.py management/univention-directory-manager-modules/modules/univention/admin/modules.py index 8f7149c0b94..685a721882b 100644 --- management/univention-directory-manager-modules/modules/univention/admin/modules.py +++ management/univention-directory-manager-modules/modules/univention/admin/modules.py @@ -400,7 +400,7 @@ def update_extended_attributes(lo: univention.admin.uldap.access, module: UdmMod # value is editable (only via hooks or direkt module.info[] access) editable = attrs.get('univentionUDMPropertyValueNotEditable', [b'0'])[0] not in [b'1', b'TRUE'] - copyable = attrs.get('univentionUDMPropertyCopyable', [b'0'])[0] not in [b'1', b'TRUE'] + copyable = attrs.get('univentionUDMPropertyCopyable', [b'0'])[0] in [b'1', b'TRUE'] # value is required valueRequired = attrs.get('univentionUDMPropertyValueRequired', [b'0'])[0].upper() in [b'1', b'TRUE']
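Review bot: On the changed copyable line the default stays [b'0'] while the test flips from "not in" to "in", so every existing extended attribute that leaves univentionUDMPropertyCopyable unset changes from copyable to not copyable, and any attribute where copyable=1 was set to get the non-copyable behaviour under the old logic becomes copyable again. The change should ship with a changelog entry or a migration step for existing extended attribute objects. The comparison is also case-sensitive, unlike the valueRequired line two lines below, which calls .upper() before testing against [b'1', b'TRUE']; suggest using [0].upper() in [b'1', b'TRUE'] on the copyable line as well so that a lowercase value is handled the same way.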