Univention Bugzilla – Bug 56188
MS365 connector tries to modify onPremisesImmutableId
Last modified: 2023-06-21 18:03:59 CEST
The office365 connector can "connect" a user in UCS to a user in azure via the userPrincipalName. If the connector determines that a user shall be added to azure, but gets an error because the userPrincipalName is already given, it determines that that user with that userPrincipalName should be modified instead. This works fine, but there is one case where this raises a traceback, and that is if the onPremisesImmutableId doesn't correspond to the entryUUID of the UCS user. In that case, the connector tries to modify the onPremisesImmutableId, which is not allowed.

This only happens in really specific circumstances. I was able to reproduce it, but I don't know how the customer got into that situation. He may have had synchronization problems before, so maybe users weren't disabled correctly in azure when the UCS ones were.

Steps to reproduce:

1. Create a user and let the connector sync it to azure:

   udm users/user create --set username=azuretest2 --set lastname=azure --set password=univention --set UniventionOffice365Enabled=1 --set mailPrimaryAddress=azuretest2@test.intranet --set UniventionOffice365ADConnectionAlias=o365domain

2. "Break it" so that the user can't be disabled in azure during the following steps:

   ldapmodify -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret -f <(echo -e "dn: uid=azuretest2,dc=test,dc=intranet\nchangetype: modify\ndelete: univentionOffice365Data\n")

   I removed the univentionOffice365Data, but there may be a more elegant way.

3. Remove the user:

   udm users/user remove --dn="uid=azuretest2,dc=test,dc=intranet"

4. Re-create the user:

   udm users/user create --set username=azuretest2 --set lastname=azure --set password=univention --set UniventionOffice365Enabled=1 --set mailPrimaryAddress=azuretest2@test.intranet --set UniventionOffice365ADConnectionAlias=o365domain

The following Traceback is then raised:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/listener/api_adapter.py", line 169, in _handler
    self._module_handler.error_handler(dn, old, new, command, exc_type, exc_value, exc_traceback)
  File "/usr/lib/python2.7/dist-packages/univention/listener/handler.py", line 261, in error_handler
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python2.7/dist-packages/univention/listener/api_adapter.py", line 161, in _handler
    self._module_handler.modify(dn, old, new, self._saved_old_dn if self._rename else None)
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 82, in modify
    self.connector.modify(new_object=new_udm_user, old_object=old_udm_user)
  File "/usr/lib/python2.7/dist-packages/univention/office365/connector/connector.py", line 563, in modify
    self.new_or_reactivate_user(new_object)
  File "/usr/lib/python2.7/dist-packages/univention/office365/connector/connector.py", line 470, in new_or_reactivate_user
    user_azure.create_or_modify()
  File "/usr/lib/python2.7/dist-packages/univention/office365/microsoft/objects/azureobjects.py", line 357, in create_or_modify
    user_azure.update(self)
  File "/usr/lib/python2.7/dist-packages/univention/office365/microsoft/objects/azureobjects.py", line 388, in update
    self._core.modify_user(self.id or other.id, data)
  File "/usr/lib/python2.7/dist-packages/univention/office365/microsoft/core.py", line 640, in modify_user
    expected_status=[204]
  File "/usr/lib/python2.7/dist-packages/univention/office365/microsoft/exceptions/core_exceptions.py", line 289, in inner
    raise e
univention.office365.microsoft.exceptions.core_exceptions.MSGraphError: HTTP response status: 400
HTTP response expected status: [204]
> request url: https://graph.microsoft.com/v1.0/users/ea018c71-ac59-457f-ace1-d83f2136edd7
> request header: {
    "Content-Length": "238",
    "Accept-Encoding": "gzip, deflate",
    "Accept": "*/*",
    "User-Agent": "Univention Microsoft 365 Connector",
    "Connection": "keep-alive",
    "Content-Type": "application/json",
    "Authorization": "XXX"
  }
> request body: {
    "mailNickname": "i85ehi49sd",
    "accountEnabled": true,
    "surname": "bla",
    "onPremisesImmutableId": "NDc1NTQxNzAtYTQ4ZS0xMDNkLTk1YzgtMTdlNzZmNjdlZmNm",
    "otherMails": [ "i85ehi49sd@test.intranet" ],
    "displayName": "bla",
    "usageLocation": "DE"
  }
> response header: {
    "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Germany West Central\",\"Slice\":\"E\",\"Ring\":\"5\",\"ScaleUnit\":\"000\",\"RoleInstance\":\"FR1PEPF0000099C\"}}",
    "x-ms-resource-unit": "1",
    "Content-Encoding": "gzip",
    "Transfer-Encoding": "chunked",
    "request-id": "08ab8e32-7861-4222-9fc2-b4a83bc7200b",
    "Strict-Transport-Security": "max-age=31536000",
    "Vary": "Accept-Encoding",
    "client-request-id": "08ab8e32-7861-4222-9fc2-b4a83bc7200b",
    "Cache-Control": "no-cache",
    "Date": "Wed, 21 Jun 2023 15:38:26 GMT",
    "Content-Type": "application/json"
  }
> response body: {
    "error": {
      "innerError": {
        "date": "2023-06-21T15:38:27",
        "request-id": "08ab8e32-7861-4222-9fc2-b4a83bc7200b",
        "client-request-id": "08ab8e32-7861-4222-9fc2-b4a83bc7200b"
      },
      "message": "One or more properties contains invalid values.",
      "code": "Request_BadRequest"
    }
  }
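The following is an added example, not part of the bug report and not the connector's own code, showing how the "userPrincipalName already exists, modify instead" fallback can detect an onPremisesImmutableId mismatch on its own side before sending the PATCH, instead of letting Graph reject the whole request with a 400. It assumes the connector derives onPremisesImmutableId by base64-encoding the UCS entryUUID string (the value in the request body above decodes to a UUID string, which is why that assumption is made); the function names, the sample user objects and the object id are constructed for the example.

```python
import base64
from typing import Dict, List, Tuple

# Properties that Microsoft Graph does not let a PATCH change once they are set.
# onPremisesImmutableId is the one this report trips over: sending a different
# value yields HTTP 400 "One or more properties contains invalid values."
IMMUTABLE_PROPERTIES = ("onPremisesImmutableId",)


def immutable_id_from_entry_uuid(entry_uuid: str) -> str:
    """Encode a UCS entryUUID as base64 of the UUID string.

    Assumption: this is how the connector fills onPremisesImmutableId; the
    request body in the report carries a value of exactly this form.
    """
    return base64.b64encode(entry_uuid.encode("ascii")).decode("ascii")


def build_modify_payload(existing_user: Dict[str, object],
                         desired: Dict[str, object]) -> Tuple[Dict[str, object], List[str]]:
    """Build the PATCH body for the modify-instead-of-create fallback.

    existing_user: the azure user object that already owns the userPrincipalName
                   (what a GET on /users/{id} returns; constructed here, not fetched).
    desired:       the attributes the connector wants to write for the UCS user.

    Immutable properties whose azure value is already set and differs from the
    UCS value are left out of the body and returned as conflicts, so the caller
    can log them or refuse to link the two accounts rather than send a request
    that is guaranteed to fail.
    """
    body: Dict[str, object] = {}
    conflicts: List[str] = []
    for key, value in desired.items():
        current = existing_user.get(key)
        if key in IMMUTABLE_PROPERTIES and current not in (None, "") and current != value:
            conflicts.append("%s: azure=%r ucs=%r" % (key, current, value))
            continue
        body[key] = value
    return body, conflicts


# Constructed sample reproducing the report's situation: the azure user stems from
# an earlier, since-deleted UCS object, so its onPremisesImmutableId encodes a
# different entryUUID than the re-created UCS user has.
EXISTING_AZURE_USER = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder object id, constructed
    "userPrincipalName": "azuretest2@test.intranet",
    "onPremisesImmutableId": immutable_id_from_entry_uuid("11111111-2222-3333-4444-555555555555"),
    "accountEnabled": False,
}

DESIRED_FROM_UCS = {
    "accountEnabled": True,
    "surname": "azure",
    "displayName": "azure",
    "usageLocation": "DE",
    "onPremisesImmutableId": immutable_id_from_entry_uuid("66666666-7777-8888-9999-aaaaaaaaaaaa"),
}

if __name__ == "__main__":
    patch_body, found = build_modify_payload(EXISTING_AZURE_USER, DESIRED_FROM_UCS)
    print("PATCH body that would be sent:", patch_body)
    for line in found:
        print("conflict, not sent:", line)
```

With the sample data the PATCH body keeps accountEnabled, surname, displayName and usageLocation but drops onPremisesImmutableId, and the mismatch is reported as one conflict line; when the encoded entryUUID already matches the azure value, the property passes through unchanged and no conflict is reported.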