Bug 56929 – No changes in AD created groups are possible anymore

Bug 56929 - No changes in AD created groups are possible anymore


Summary:	No changes in AD created groups are possible anymore

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UMC (Generic)
Version:	UCS 5.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 5.0-6-errata
Assigned To:	Iván.Delgado
QA Contact:	Florian Best

URL:	https://git.knut.univention.de/univen...
Keywords:

Duplicates:	56788 (view as bug list)
Depends on:	53453
Blocks:
	Show dependency tree / graph

Reported:	2023-12-20 11:41 CET by Christina Scheinig
Modified:	2024-02-28 13:17 CET (History)
CC List:	4 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	5: Blocking further progress on the daily work
User Pain:	0.286
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:	Yes
Waiting Support:	Yes
Flags outvoted (downgraded) after PO Review:
Ticket number:	2023121421000182
Bug group (optional):	Regression
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christina Scheinig

2023-12-20 11:41:21 CET

If an app like kopano is installed in an ad membermode domain, it was possible in UCS 4.4-9 to make a group created in AD to a kopano group and enable it via UMC. 
This is not possible anymore with UCS5. Saving the group you will receive this error message and the group cannot be made to a kopano group.

Notification
The LDAP object could not be  saved: Value may not change: key=mailAddress old=None new=.

Comment 1 Christina Scheinig

2023-12-20 11:58:37 CET

*** Bug 56788 has been marked as a duplicate of this bug. ***

Comment 2 Florian Best

2023-12-20 12:49:31 CET

Reproducer:

# /usr/lib/python3/dist-packages/univention/admincli/admin.py groups/group modify --dn "cn=kopano_test,cn=users,dc=example-ad,dc=org" --set description=foo
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 366, in main
    _doit(arglist, stdout=stdout, stderr=stderr)
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 617, in _doit
    cli.modify(input, append, remove, parsed_append_options, parsed_remove_options, parsed_options, policy_reference, policy_dereference, ignore_not_exists=ignore_not_exists)
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 646, in modify
    return self._modify(self.module_name, self.module, self.dn, self.lo, self.position, self.superordinate, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 802, in _modify
    dn = object.modify()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 650, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response, serverctrls=serverctrls)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1346, in _modify
    self.__prevent_ad_property_change()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1749, in __prevent_ad_property_change
    raise univention.admin.uexceptions.valueMayNotChange(_('key=%(key)s old=%(old)s new=%(new)s') % {'key': key, 'old': oldval, 'new': value}, property=key)
univention.admin.uexceptions.valueMayNotChange: Value may not change: key=description old=None new=foo.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 964, in <module>
    main(sys.argv, sys.stdout, sys.stderr)
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 372, in main
    raise OperationFailed(msg)
__main__.OperationFailed: Value may not change: key=description old=None new=foo.

Comment 3 Florian Best

2023-12-20 13:11:42 CET

It's a regression from git:ae47c0e6c1ecf13c98e32046471573cb17c4d858 Bug #53453.

(In reply to Florian Best from comment #2)
> Reproducer:
> 
> # /usr/lib/python3/dist-packages/univention/admincli/admin.py groups/group
> modify --dn "cn=kopano_test,cn=users,dc=example-ad,dc=org" --set
> description=foo
Err, I meant: --set kopano-group=1

> univention.admin.uexceptions.valueMayNotChange: Value may not change:
> key=description old=None new=foo.
Then it becomes:
univention.admin.uexceptions.valueMayNotChange: Value may not change: key=mailAddress old=None new=.

(Pdb) oldval
(Pdb) key
'mailAddress'
(Pdb) value
''

The problem lies in Bug #44944 - which causes that obj['mailAddress'] sets the default value '', which is different to the old state of `None`.

A potential fix is:
diff --git management/univention-directory-manager-modules/modules/univention/admin/handlers/groups/group.py management/univention-directory-manager-modules/modules/univention/admin/handlers/groups/group.py                                
index 002e3d1baf..0e14ac6149 100644
--- management/univention-directory-manager-modules/modules/univention/admin/handlers/groups/group.py
+++ management/univention-directory-manager-modules/modules/univention/admin/handlers/groups/group.py
@@ -462,7 +462,7 @@ class object(univention.admin.handlers.simpleLdap):
                 raise univention.admin.uexceptions.groupNameAlreadyUsed(self['name'])

         # get lock for mailPrimaryAddress
-        if self['mailAddress'] and (not self.exists() or self.hasChanged('mailAddress') and self['mailAddress'].lower() != self.oldinfo.get('mailAddress', '').lower()):                                                                     
+        if self.get('mailAddress') and (not self.exists() or self.hasChanged('mailAddress') and self['mailAddress'].lower() != self.oldinfo.get('mailAddress', '').lower()):                                                                 
             try:
                 self.request_lock('mailPrimaryAddress', self['mailAddress'])
             except univention.admin.uexceptions.noLock:


Maybe we should do this at mulitple places, in users/user is the same case for mailPrimaryAddress.
Maybe we can relax the restriction to:
diff --git management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py
index e15ab5b163..f210194720 100644
--- management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py
+++ management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py
@@ -1726,6 +1726,8 @@ class simpleLdap(object):
             if self.descriptions[key].readonly_when_synced:
                 value = self.info.get(key)
                 oldval = self.oldinfo.get(key)
+                if not oldval and not value:  # '' != None != []
+                    continue
                 if oldval != value:
                     raise univention.admin.uexceptions.valueMayNotChange(_('key=%(key)s old=%(old)s new=%(new)s') % {'key': key, 'old': oldval, 'new': value}, property=key)

Comment 4 Christina Scheinig

2023-12-20 14:49:37 CET

The first patch is applied in the customer environment and it works now.

Comment 7 Iván.Delgado

2024-02-27 14:53:52 CET

univention-directory-manager-modules.yaml
e6d0329f5834 | Bug #56929: Fix groups changes are not sync to AD

univention-directory-manager-modules (15.0.25-9)
e6d0329f5834 | Bug #56929: Fix groups changes are not sync to AD

Comment 8 Iván.Delgado

2024-02-27 14:54:51 CET

Package: univention-directory-manager-modules
Version: 15.0.25-9
Branch: ucs_5.0-0
Scope: errata5.0-6

Comment 9 Iván.Delgado

2024-02-28 07:57:49 CET

Bug #53453 for UCS 5.0-0-errata groups/group and other modules are checking whether properties are locked.

Access to those properties, like `mailAddress` is done via `self[property]`, which sets the default value of that property (due to Bug #44944). 
We now ignore null-equal values when checking if a property change is blocked for AD.

This regression caused the modification operation to fail when an attribute that should not be synchronized with AD had no value assigned in AD and the default value in UCS was different, e.g. string vs. Nonetype.

Comment 10 Florian Best

2024-02-28 11:04:54 CET

OK: comparison for null-like values is done when checking if a property might be changed on a AD-synced object
OK: code review
OK: Jenkins-Tests
OK: advisory

Comment 11 Iván.Delgado

2024-02-28 13:17:24 CET

<https://errata.software-univention.de/#/?erratum=5.0x974>