Univention Bugzilla – Bug 57235
AD Connector fails when syncuser cannot access toplevel infos
Last modified: 2024-04-25 13:16:05 CEST
In a customer test setup the sync user for the AD Connector was configured (via CLI) on the AD forest side in such a way that the user was within the to-sync OU and was limited by deny rules to only access the subtree/basedn it was configured for.

--- connect failed, failure was: ---

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/ad/main.py", line 247, in main
    connect(options)
  File "/usr/lib/python3/dist-packages/univention/connector/ad/main.py", line 119, in connect
    ad.init_ldap_connections()
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 544, in init_ldap_connections
    self.ad_sid = decode_sid(self.ad_search_ext_s(self.ad_ldap_base, ldap.SCOPE_BASE, 'objectclass=domain', ['objectSid'])[0][1]['objectSid'][0])
IndexError: list index out of range

Most likely the sync user couldn't access needed data from the toplevel tree. AD Connector should give a (better) error message that gives a clue what is going wrong.

After the customer removed the toplevel deny rule the sync worked.
I git blamed the line back to its original inclusion into connector/ad/__init__.py and that was moved into the main AD-C while addressing Bug 47901. Maybe we can avoid it for non-AD-Member setups. Or we try to make nicer error messages. Bugs like this are exactly what we expected to pop up when limiting the access rights for the sync user. I guess we need to iterate over the requirements of different use cases here to improve usability for each case while not adding regressions to the others.
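One shape the "nicer error message" discussed in the report and the comment above could take, as an added example that is not code from the Univention AD Connector: the base search from the traceback is wrapped so that an empty result or a missing objectSid raises an explanatory error instead of an IndexError. It assumes the search_ext_s call signature seen in the traceback, that ldap.SCOPE_BASE equals 0 (so the ldap module is not needed to run it), the standard binary SID layout, and a constructed sample entry in place of a live AD.

```python
import struct


class ADDomainInfoError(Exception):
    """Raised when the domain object or its objectSid cannot be read."""


def decode_sid(raw: bytes) -> str:
    """Convert a binary Windows SID into its S-1-... string form.

    Assumed standard layout (not taken from the bug page): revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
    then count * 4-byte little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ADDomainInfoError("objectSid too short to be a SID: %r" % (raw,))
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ADDomainInfoError("objectSid length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def read_domain_sid(search_ext_s, ldap_base: str) -> str:
    """Look up the domain object's objectSid, failing with a diagnostic message.

    search_ext_s: callable (base, scope, filter, attrlist) -> [(dn, attrs), ...],
    i.e. the shape used in the traceback. Scope 0 is ldap.SCOPE_BASE (assumed).
    """
    result = search_ext_s(ldap_base, 0, "objectclass=domain", ["objectSid"])
    if not result:
        raise ADDomainInfoError(
            "No domain object returned for base %r: the sync user is probably "
            "denied read access to the top-level domain object; grant it read "
            "access to the domain root including the objectSid attribute." % ldap_base)
    dn, attrs = result[0]
    sids = attrs.get("objectSid") or []
    if not sids:
        raise ADDomainInfoError(
            "Domain object %r is readable but objectSid is missing or not readable "
            "by the sync user." % dn)
    return decode_sid(sids[0])


# Constructed sample data: a domain SID S-1-5-21-1-2-3 and two fake searches,
# one where the sync user can read the domain root and one where it is denied.
SAMPLE_SID = bytes([1, 4, 0, 0, 0, 0, 0, 5]) + struct.pack("<4I", 21, 1, 2, 3)


def accessible_search(base, scope, flt, attrs):
    return [(base, {"objectSid": [SAMPLE_SID]})]


def denied_search(base, scope, flt, attrs):
    return []  # what the toplevel deny rule in the report produces
```

Running read_domain_sid with denied_search yields the access-rights hint instead of the bare IndexError from the traceback.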