Bug 56581 - Users are not removed from old groups when moved to limbo / transfer school
Summary: Users are not removed from old groups when moved to limbo / transfer school
Status: NEEDMOREINFO
Alias: None
Product: UCS@school
Classification: Unclassified
Component: Import scripts
Version: UCS@school 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: UCS@school maintainers
QA Contact:
URL:
Keywords:
Duplicates: 54829
Depends on: 50231
Blocks:
Reported: 2023-09-13 15:49 CEST by Stefan Gohmann
Modified: 2024-11-21 09:13 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review: Yes
Ticket number: 2023090621000257, 2023082821000244, 2023091121000283
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Attachments
Hook to diagnose group changes (2.20 KB, text/x-python)
2024-05-27 17:05 CEST, Jan-Luca Kiok

Description Stefan Gohmann univentionstaff 2023-09-13 15:49:20 CEST
It looks like users who are moved to the limbo / transfer school are not removed from every school group.

The result is that the password reset for the previous classes or working groups doesn't work.
Comment 3 Stefan Gohmann univentionstaff 2023-09-15 15:59:35 CEST
If someone has a similar problem, I wrote a simple shell script which shows the udm commands:

cat remove-transfer-users-from-groups.sh

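#!/bin/bash

# Load the UCR variables into the shell (provides $ldap_base)
eval "$(ucr shell)"

# Iterate over all student accounts located in the transfer (limbo) school
univention-ldapsearch -b "ou=transfer,$ldap_base" '(&(ucsschoolRole=student:school:transfer)(uid=*))' dn | ldapsearch-wrapper | sed -ne 's|^dn: uid|uid|p' | while read -r u_dn; do
    # Find every group that still lists this user as a member
    univention-ldapsearch "(uniqueMember=$u_dn)" dn | ldapsearch-wrapper | sed -ne 's|^dn: cn|cn|p' | while read -r g_dn; do
        # Skip groups that belong to the transfer school itself
        transfer="$(echo "$g_dn" | grep ',ou=transfer,')"
        if [ -n "$transfer" ]; then continue; fi
        # Only print the command for review; uncomment the line below to execute it
        echo "udm users/user modify --dn \"$u_dn\" --remove groups=\"$g_dn\""
        #  udm users/user modify --dn "$u_dn" --remove groups="$g_dn"
    done
done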
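
An offline variant of the check in Comment 3, added here as an example (not code from the bug report or from Univention): it reads an LDIF export instead of querying LDAP live, and also handles folded lines and base64-encoded DNs (`dn::`), which the sed patterns in that script do not match. The sample LDIF, the names `parse_ldif` and `stale_memberships`, and the lower-casing used to compare DNs are assumptions.

```python
import base64
import shlex

TRANSFER_ROLE = "student:school:transfer"

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; handles folded lines and base64 ('::') values."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split entries
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def stale_memberships(entries):
    """(user_dn, group_dn) pairs: transfer students still listed outside ou=transfer."""
    # Simplification (assumption): DNs are compared after lower-casing only.
    users = {dn.lower(): dn for dn, a in entries
             if TRANSFER_ROLE in a.get("ucsschoolrole", []) and "uid" in a}
    stale = []
    for g_dn, a in entries:
        if ",ou=transfer," in g_dn.lower():
            continue  # memberships inside the transfer school are expected
        for member in a.get("uniquemember", []):
            if member.lower() in users:
                stale.append((users[member.lower()], g_dn))
    return stale

# Constructed sample data: a folded DN, a base64 DN and an upper-cased member value.
USER = "uid=anna,cn=schueler,cn=users,ou=transfer,dc=example,dc=org"
AG = "cn=AG Töpfern,cn=schueler,cn=groups,ou=oldschool,dc=example,dc=org"
SAMPLE = f"""dn: {USER}
uid: anna
ucsschoolRole: {TRANSFER_ROLE}

dn: cn=oldschool-1a,cn=klassen,cn=schueler,cn=groups,ou=oldschool,dc=exam
 ple,dc=org
uniqueMember: {USER}
uniqueMember: uid=ben,cn=schueler,cn=users,ou=oldschool,dc=example,dc=org

dn:: {base64.b64encode(AG.encode()).decode()}
uniqueMember: {USER.upper()}

dn: cn=schueler-transfer,cn=groups,ou=transfer,dc=example,dc=org
uniqueMember: {USER}
"""

if __name__ == "__main__":
    for u, g in stale_memberships(parse_ldif(SAMPLE)):  # print commands for review only
        print("udm users/user modify --dn", shlex.quote(u), "--remove", shlex.quote("groups=" + g))
```
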
Comment 6 Jürn Brodersen univentionstaff 2024-05-07 11:21:12 CEST
It might help if we avoid changing the group first and removing the member immediately afterwards. See 57260
Comment 7 Jan-Luca Kiok univentionstaff 2024-05-27 17:05:35 CEST
Created attachment 11213
Hook to diagnose group changes
Comment 8 Jan-Luca Kiok univentionstaff 2024-05-27 17:08:34 CEST
All attempts to recreate this were futile and different approaches to rule various components out have not led to success.

Attached is a hook that can be used to diagnose group changes via the following steps:

1. Install file to /usr/lib/python3/dist-packages/univention/admin/hooks.d/log_user_group_transfers.py
2. Activate hook: udm settings/extended_attribute modify --dn "cn=ucsschoolRoleUsers,cn=UCSschool,cn=custom attributes,cn=univention,$(ucr get ldap/base)" --set hook=UcsschoolUserGroupTransfers 
3. Restart Listener: service univention-directory-listener restart

Now the tool should debug group changes to /var/log/univention/ucsschool-user-group-transfers.log

After some data with affected users has been collected the hook should be deactivated:

1. udm settings/extended_attribute modify --dn "cn=ucsschoolRoleUsers,cn=UCSschool,cn=custom attributes,cn=univention,$(ucr get ldap/base)" --remove hook=UcsschoolUserGroupTransfers 
2. service univention-directory-listener restart

For the time being this bug will be outvoted by me as long as no new information is provided.
Comment 10 Jan-Luca Kiok univentionstaff 2024-11-21 09:08:59 CET
*** Bug 54829 has been marked as a duplicate of this bug. ***