First Last Prev Next    This bug is not in your last search results.
Bug 57263 - Group based service plan settings are not applied during user creation/activation in certain cases
Group based service plan settings are not applied during user creation/activa...
Status: NEW
Product: UCS
Classification: Unclassified
Component: Office 365
UCS 5.0
Other Linux
: P5 normal (vote)
: ---
Assigned To: Mail maintainers
Mail maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2024-05-07 20:19 CEST by Julia Bremer
Modified: 2024-05-09 14:25 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Regression
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Julia Bremer univentionstaff 2024-05-07 20:19:50 CEST 
It is possible to configure allowed / disallowed service plans in Azure globally via UCR.
It is also possible to configure those allowed/disallowed service plans on groups via UDM. 

During the user creation or activation in Office365, the group memberships of that user object are evaluated, to get the service plan configuration for that user object.

This doesn't work anymore during user creation, when the group membership is adjusted during creation. 

The office365-user.py is a listener and thus gets its data directly from the listener and thus from openLDAP. 
The create operation won't contain the group membership, even if the group membership is set during the UDM creation operation.
On LDAP level, there are one create and two mod operations. 
First, the user creation (without memberOf) takes place,
then the group modification, where the user is added to memberUid / uniqueMembers and 
finally the user modification, where memberOf is updated. 

The office365 listener will only assign new subscriptions during a create operation or when the user is activated for o365.
Thus whenever activation an a group membership update or a creation and a group membership update take place, the new group membership won't be evaluated. 

Surprisingly, this has worked before.
While the LDAP operation sequence hasn't changed, UDM has.

The office365 listener takes the LDAP object and translates it to UDM before evaluating group memberships, by doing something like:
obj = mod.object(None, self.lo, self.po, dn, attributes=attributes)
obj.open()
Where attributes are the LDAP values gotten from the listener. 

Previously, the group membership was not loaded from the given LDAP attributes, but during open() via a dedicated LDAP search on the group objects. 

Since Bug #55269 this was changed, so that memberOf is used to gather the group membership on the user. Thus, the translated UDM object doesn't contain the group membership when fed with an LDAP object that doesn't contain the memberOf value yet. 


TL;DR: 
Doing something like:

udm users/user create --set username=test --set lastname=test --set group=cn=testgroup,$base --set UniventionOffice365Enabled=1 
OR
udm users/user modify --dn=uid=test,$base --append groups=cn=testgroup,$base --set UniventionOffice365Enabled=1 

will result in the office365 listener not evaluating the settings of the group testgroup during subscription assignment.
Comment 1 Iván.Delgado univentionstaff 2024-05-09 14:25:22 CEST 
This issue can be avoided until a solution is found by using the UCR variable directory/manager/user/group-memberships-via-memberof.

$ ucr set directory/manager/user/user/group-memberships-via-memberof=no
First Last Prev Next    This bug is not in your last search results.