Bug 56986 - uniqueMember / memberUid not updated on recursive container delete
Status: NEW
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 5.0
Other Linux
P5 normal
Assigned To: UMC maintainers
Reported: 2024-01-16 08:49 CET by Philipp Hahn
Modified: 2024-01-16 11:36 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.137
Description Philipp Hahn univentionstaff 2024-01-16 08:49:06 CET
Since git:cf9a7ad6b3d5e5e838a9d22855cb9f8e169686e5 /usr/share/ucs-test/10_ldap/43replication_performance creates 50 sub-containers, users and groups in a temporary container. That temporary container is removed at the end of the test, which then recursively deletes all 150 other entries.

The 50 users are also added to "cn=Domain Users,cn=groups,$ldap_base", which is *not* updated at the end: it still references the users via its attribute "uniqueMember" or "memberUid":

```console
# univention-ldapsearch -LLLb 'cn=Domain Users,cn=groups,dc=phahn50,dc=qa' uniqueMember memberUid
dn: cn=Domain Users,cn=groups,dc=phahn50,dc=qa
uniqueMember: uid=Administrator,cn=users,dc=phahn50,dc=qa
uniqueMember: uid=ucs-sso,cn=users,dc=phahn50,dc=qa
uniqueMember: uid=krbtgt,cn=Users,dc=phahn50,dc=qa
uniqueMember: uid=dns-dc20,cn=users,dc=phahn50,dc=qa
memberUid: Administrator
memberUid: ucs-sso
memberUid: krbtgt
memberUid: dns-dc20
memberUid:: cGkyw7xlM242
memberUid: kqthp4ae
memberUid: 563li4zy
memberUid: 00o4a5mb
memberUid:: w6Q1cTU4NcOkw7Y=
memberUid: de1ne6xe
memberUid: f0oay7jx
memberUid: kejz279l
memberUid: s4d748vx
memberUid: 58al79it
memberUid:: MWx3ZDk5w6Rh
memberUid:: Z25rw6R0w6R4ag==
memberUid:: w6RpZW00w7ZqbA==
memberUid:: c3hkdTPDtjc3
memberUid:: NDlnY3fDvHV5
memberUid: nh0fbahg
memberUid: 9opiba6n
memberUid:: NsO8ZjBiYnM0
memberUid: 2grkbcfw
memberUid: suosbc5x
memberUid:: NzfDtnliZHJx
memberUid:: dG9peGJlY8O8
memberUid: ld36be29
memberUid: nmutbfqy
memberUid: 97qbbgc3
memberUid: h8libg2g
memberUid: nn13bhob
memberUid:: NG5lNWJow7zDpA==
memberUid: uw9ubizc
memberUid:: w7zDvGYyYmptZA==
memberUid:: Nm85w7xia2F6
memberUid: 9ocibk0h
memberUid: zs94blm8
memberUid:: MHcxN2Jsw7xt
memberUid:: w6TDtsO8YWJteTU=
memberUid:: cm85Z2Jua8Ok
memberUid:: bHE1ZWJuw6Rr
memberUid: rkrjbowv
memberUid: y2xbbpiv
memberUid: s396bp76
memberUid:: anPDvDFicXVr
memberUid: jllzbrho
memberUid: 9by459z7
memberUid: nar8tmzy
memberUid: 8h0u3bms
memberUid:: NzhwdDRiw7xm
memberUid: u69i2cx7
memberUid:: c3V4b8O8ZGtx
memberUid: pq2prd9s
memberUid: qxjmjevo
```

There is a variant where "memberUid" is updated, but not "uniqueMember":

```console
# univention-ldapsearch -LLLb "cn=Domain Users,cn=groups,$(ucr get ldap/base)" uniqueMember memberUid
dn: cn=Domain Users,cn=groups,dc=AutoTest071,dc=test
memberUid: Administrator
memberUid: ucs-sso
memberUid: krbtgt
memberUid: dns-master071
uniqueMember: uid=Administrator,cn=users,dc=AutoTest071,dc=test
uniqueMember: uid=ucs-sso,cn=users,dc=AutoTest071,dc=test
uniqueMember: uid=krbtgt,cn=Users,dc=AutoTest071,dc=test
uniqueMember: uid=dns-master071,cn=users,dc=AutoTest071,dc=test
uniqueMember: uid=bh1asof8,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=ib7xrozc,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember:: dWlkPW9hw7Y1NXBlNSxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember: uid=fnb53pw4,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember:: dWlkPXdub2bDtnFiNyxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPWFzw6RocnF0NCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPWptemF6ccO2Nyxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPXdkNmd3csO8bSxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPTIybcO8NnN1aSxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPcOkMjNtZHRiMCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember: uid=k8yvmtt7,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember:: dWlkPTczw6TDvMO8dMO8dCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember: uid=1i7weur5,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember:: dWlkPWhucG0xdcO8eCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember: uid=gsr1xvsv,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember:: dWlkPXdkN2xxdsO2cyxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPWM4YTPDtndycyxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPWjDpHFkYnfDpGcsY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q=
uniqueMember:: dWlkPXBmcmE4eHDDtixjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPXZqw7wzw7Z4ODksY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q=
uniqueMember:: dWlkPXR5w6TDtnR5b3ksY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q=
uniqueMember: uid=hftq5y7g,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=cymbuznd,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=b6r5uz65,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=o1zyn0oj,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=j5x3706c,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=u6jvo1u1,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=l541b2da,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=z4fol2u8,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=0rjtt3a8,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=9q1ao3u0,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=4gk7i4a0,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=by5qs403,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=eaxc35h6,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=q1ep05z7,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=p8s5a6fz,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=f2z3f6xj,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember: uid=9u4ug7ce,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember:: dWlkPWw1aWxkN3XDpCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember: uid=0sy9d8ah,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember:: dWlkPXN0ZcOkajh0OCxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPTBwOXVtOMO2eSxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember: uid=dcc649se,cn=43replication_performance_16548_6759,dc=AutoTest071,dc=test
uniqueMember:: dWlkPW9ydXh1OcOkeixjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPW10a27DtsOkcDEsY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q=
uniqueMember:: dWlkPTg5NGhlw6Q4dyxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPXEwcsO8N8O2bmssY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q=
uniqueMember:: dWlkPWNydmQww7Y2Myxjbj00M3JlcGxpY2F0aW9uX3BlcmZvcm1hbmNlXzE2NTQ4XzY3NTksZGM9QXV0b1Rlc3QwNzEsZGM9dGVzdA==
uniqueMember:: dWlkPcOkNjXDpHHDvGx0LGNuPTQzcmVwbGljYXRpb25fcGVyZm9ybWFuY2VfMTY1NDhfNjc1OSxkYz1BdXRvVGVzdDA3MSxkYz10ZXN0
uniqueMember:: dWlkPcO2YXYzcMO8M2ssY249NDNyZXBsaWNhdGlvbl9wZXJmb3JtYW5jZV8xNjU0OF82NzU5LGRjPUF1dG9UZXN0MDcxLGRjPXRlc3Q=
```

The last one is detected by the failing test https://univention-dist-jenkins.k8s.knut.univention.de/job/UCS-5.0/job/UCS-5.0-6/job/AutotestUpgrade/lastCompletedBuild/SambaVersion=s4,Systemrolle=master-part-II/testReport/10_ldap/92_memberOf/master071/


Interestingly enough this test only fails in a single scenario:
- AMI<5.0+join+upgrade=5.0, SambaVersion=s4,Systemrolle=master-part-II

PS: the broken state can also be detected by running "/usr/share/univention-directory-manager-tools/proof_uniqueMembers --check" manually. It fixes the first case, but not the second case.
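
The two inconsistent states shown above can be spotted by comparing the group's two membership attributes with each other. The following is an added example, not part of the bug report and not the code of proof_uniqueMembers; the sample entry, `STALE_DN` and the function names are constructed for illustration, and it assumes that only `uid=...` members are mirrored in `memberUid`. It compares the attributes against each other and does not look up whether the users still exist.

```python
import base64
import re

# Constructed sample (not from the bug): "kqthp4ae" survives only as memberUid
# (first case); STALE_DN survives only as a base64-encoded, folded uniqueMember
# (second case).
STALE_DN = "uid=t\u00e4st01,cn=tmp_container,dc=example,dc=test"
_B64 = base64.b64encode(STALE_DN.encode("utf-8")).decode("ascii")
SAMPLE_LDIF = "\n".join([
    "dn: cn=Domain Users,cn=groups,dc=example,dc=test",
    "uniqueMember: uid=Administrator,cn=users,dc=example,dc=test",
    "uniqueMember:: " + _B64[:20],
    " " + _B64[20:],  # LDIF continuation line
    "memberUid: Administrator",
    "memberUid: kqthp4ae",
])

# Assumption: a user's first RDN is uid=<name>; other member types are skipped.
UID_RDN = re.compile(r"uid=((?:\\.|[^,\\])+)", re.IGNORECASE)


def parse_ldif_attrs(ldif):
    """Parse one LDIF entry into {attr: [values]}, unfolding and decoding '::'."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs


def membership_mismatch(ldif):
    """Return (memberUid without uniqueMember, uniqueMember DNs without memberUid)."""
    attrs = parse_ldif_attrs(ldif)
    by_dn = {}
    for dn in attrs.get("uniquemember", []):
        m = UID_RDN.match(dn)             # only uid=... members map to memberUid
        if m:
            by_dn[m.group(1).casefold()] = dn
    by_uid = {u.casefold(): u for u in attrs.get("memberuid", [])}
    return (sorted(by_uid[k] for k in by_uid.keys() - by_dn.keys()),
            sorted(by_dn[k] for k in by_dn.keys() - by_uid.keys()))
```

A non-empty first list corresponds to the first output above (stale "memberUid"), a non-empty second list to the second output (stale "uniqueMember").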
Comment 1 Philipp Hahn univentionstaff 2024-01-16 11:03:13 CET
Output from running ~/43replication_performance -vf:

> info 2024-01-16 10:33:36         remove cn with the dn cn=43replication_performance_15345_11040,dc=phahn50,dc=qa
> LDAP Error: Operation not allowed on non-leaf: subordinate objects must be deleted first.
> Object removed: cn=phahn50.qa,cn=domain,cn=mail,dc=phahn50,dc=qa

If it is an "LDAP Error" to delete a non-empty container, why is that container then still removed?

PS: Afterwards the group "Domain Users" is broken:
- the *deleted* users are still listed in "Mitglieder dieser Gruppe"
- you can select them and "Remove" them
- but as soon as you click on "Speichern" you get an error:
> Das LDAP-Objekt konnte nicht gespeichert werden: LDAP-Fehler: No such attribute: modify/delete: memberUid: no such value.
> OK

PPS: No, it is not "OK" 
Comment 2 Philipp Hahn univentionstaff 2024-01-16 11:12:45 CET
After fixing this please (partly) revert this work-around:

[5.0-6] 3d4d458624e fix(test): broken recursive container delete
 test/ucs-test/debian/changelog                        | 6 ++++++
 test/ucs-test/tests/10_ldap/43replication_performance | 7 ++++++-
 test/ucs-test/tests/10_ldap/92_memberOf               | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)

Package: ucs-test
Version: 10.0.20-15
Branch: ucs_5.0-0
Scope: errata5.0-6