Univention Bugzilla – Bug 56986
uniqueMember / memberUid not updated on recursive container delete
Last modified: 2024-01-16 11:36:42 CET
Since git:cf9a7ad6b3d5e5e838a9d22855cb9f8e169686e5 /usr/share/ucs-test/10_ldap/43replication_performance creates 50 sub-containers, users and groups in a temporary container. That temporary container is removed at the end of the test, which then recursively deletes all other 150 other entries. The 50 users are also added to "cn=Domain Users,cn=groups,$ldap_base", which is *not* updated at the end: it still references the users via its attribute "uniqueMember" or "memberUid": ```console # univention-ldapsearch -LLLb 'cn=Domain Users,cn=groups,dc=phahn50,dc=qa' uniqueMember memberUid dn: cn=Domain Users,cn=groups,dc=phahn50,dc=qa uniqueMember: uid=Administrator,cn=users,dc=phahn50,dc=qa uniqueMember: uid=ucs-sso,cn=users,dc=phahn50,dc=qa uniqueMember: uid=krbtgt,cn=Users,dc=phahn50,dc=qa uniqueMember: uid=dns-dc20,cn=users,dc=phahn50,dc=qa memberUid: Administrator memberUid: ucs-sso memberUid: krbtgt memberUid: dns-dc20 memberUid:: cGkyw7xlM242 memberUid: kqthp4ae memberUid: 563li4zy memberUid: 00o4a5mb memberUid:: w6Q1cTU4NcOkw7Y= memberUid: de1ne6xe memberUid: f0oay7jx memberUid: kejz279l memberUid: s4d748vx memberUid: 58al79it memberUid:: MWx3ZDk5w6Rh memberUid:: Z25rw6R0w6R4ag== memberUid:: w6RpZW00w7ZqbA== memberUid:: c3hkdTPDtjc3 memberUid:: NDlnY3fDvHV5 memberUid: nh0fbahg memberUid: 9opiba6n memberUid:: NsO8ZjBiYnM0 memberUid: 2grkbcfw memberUid: suosbc5x memberUid:: NzfDtnliZHJx memberUid:: dG9peGJlY8O8 memberUid: ld36be29 memberUid: nmutbfqy memberUid: 97qbbgc3 memberUid: h8libg2g memberUid: nn13bhob memberUid:: NG5lNWJow7zDpA== memberUid: uw9ubizc memberUid:: w7zDvGYyYmptZA== memberUid:: Nm85w7xia2F6 memberUid: 9ocibk0h memberUid: zs94blm8 memberUid:: MHcxN2Jsw7xt memberUid:: w6TDtsO8YWJteTU= memberUid:: cm85Z2Jua8Ok memberUid:: bHE1ZWJuw6Rr memberUid: rkrjbowv memberUid: y2xbbpiv memberUid: s396bp76 memberUid:: anPDvDFicXVr memberUid: jllzbrho memberUid: 9by459z7 memberUid: nar8tmzy memberUid: 8h0u3bms memberUid:: NzhwdDRiw7xm memberUid: u69i2cx7 memberUid:: c3V4b8O8ZGtx memberUid: pq2prd9s memberUid: qxjmjevo ``` There is a variante where "memberUid" is updated, but not "uniqueMember": ```console # univention-ldapsearch -LLLb "cn=Domain Users,cn=groups,$(ucr get ldap/base)" uniqueMember memberUid dn: cn=Domain Users,cn=groups,dc=AutoTest071,dc=test memberUid: Administrator memberUid: ucs-sso memberUid: krbtgt memberUid: dns-master071 uniqueMember: uid=Administrator,cn=users,dc=AutoTest071,dc=test uniqueMember: uid=ucs-sso,cn=users,dc=AutoTest071,dc=test uniqueMember: uid=krbtgt,cn=Users,dc=AutoTest071,dc=test uniqueMember: uid=dns-master071,cn=users,dc=AutoTest071,dc=test uniqueMember: uid=bh1asof8,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=ib7xrozc,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember:: dWlkPW9hw7Y1NXBlNSxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember: uid=fnb53pw4,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember:: dWlkPXdub2bDtnFiNyxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPWFzw6RocnF0NCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPWptemF6ccO2Nyxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPXdkNmd3csO8bSxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPTIybcO8NnN1aSxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPcOkMjNtZHRiMCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember: uid=k8yvmtt7,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember:: dWlkPTczw6TDvMO8dMO8dCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember: uid=1i7weur5,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember:: dWlkPWhucG0xdcO8eCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember: uid=gsr1xvsv,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember:: dWlkPXdkN2xxdsO2cyxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPWM4YTPDtndycyxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPWjDpHFkYnfDpGcsY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q= uniqueMember:: dWlkPXBmcmE4eHDDtixjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPXZqw7wzw7Z4ODksY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q= uniqueMember:: dWlkPXR5w6TDtnR5b3ksY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q= uniqueMember: uid=hftq5y7g,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=cymbuznd,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=b6r5uz65,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=o1zyn0oj,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=j5x3706c,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=u6jvo1u1,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=l541b2da,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=z4fol2u8,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=0rjtt3a8,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=9q1ao3u0,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=4gk7i4a0,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=by5qs403,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=eaxc35h6,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=q1ep05z7,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=p8s5a6fz,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=f2z3f6xj,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember: uid=9u4ug7ce,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember:: dWlkPWw1aWxkN3XDpCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember: uid=0sy9d8ah,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember:: dWlkPXN0ZcOkajh0OCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPTBwOXVtOMO2eSxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember: uid=dcc649se,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test uniqueMember:: dWlkPW9ydXh1OcOkeixjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPW10a27DtsOkcDEsY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q= uniqueMember:: dWlkPTg5NGhlw6Q4dyxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPXEwcsO8N8O2bmssY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q= uniqueMember:: dWlkPWNydmQww7Y2Myxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA== uniqueMember:: dWlkPcOkNjXDpHHDvGx0LGNuPTQzcmVwbGljYXRpb25fcGVyZm9ybWFuY2VfMTY1NDhfNjc1OSxkYz1BdXRvVGVzdDA3MSxkYz10ZXN0 uniqueMember:: dWlkPcO2YXYzcMO8M2ssY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q= ``` The last one is detected by the failing test https://univention-dist-jenkins.k8s.knut.univention.de/job/UCS-5.0/job/UCS-5.0-6/job/AutotestUpgrade/lastCompletedBuild/SambaVersion=s4,Systemrolle=master-part-II/testReport/10_ldap/92_memberOf/master071/ Interestingly enough this test only fails in a single scenario: - AMI<5.0+join+upgrade=5.0, SambaVersion=s4,Systemrolle=master-part-II PS: the broken state can also be detected by running "/usr/share/univention-directory-manager-tools/proof_uniqueMembers --check" manually. It fixes the first case, but not the second case.
Output from running ~/43replication_performance -vf: > info 2024-01-16 10:33:36 remove cn with the dn cn=43replication_performance_15345_11040,dc=phahn50,dc=qa > LDAP Error: Operation not allowed on non-leaf: subordinate objects must be deleted first. > Object removed: cn=phahn50.qa,cn=domain,cn=mail,dc=phahn50,dc=qa If it is an "LDAP Error" to delete a non-empty container, why is that container then still removed? PS: Afterwards the group "Domain Users" is broken: - the *deleted* users are still listed in "Mitglieder dieser Gruppe" - you can select them and "Remove" them - but as soon as you click on "Speichern" you can an error: > Das LDAP-Objekt konnte nicht gespeichert werden: LDAP-Fehler: No such attribute: modify/delete: memberUid: no such value. > OK PPS: No, it is not "OK"
After fixing this please (partly) revert this work-around: [5.0-6] 3d4d458624e fix(test): broken recursive container delete test/ucs-test/debian/changelog | 6 ++++++ test/ucs-test/tests/10_ldap/43replication_performance | 7 ++++++- test/ucs-test/tests/10_ldap/92_memberOf | 2 +- 3 files changed, 13 insertions(+), 2 deletions(-) Package: ucs-test Version: 10.0.20-15 Branch: ucs_5.0-0 Scope: errata5.0-6