Bug 57510 - Connector deletes user, when an ou was moved and renamed afterwards
Status: VERIFIED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 5.0
Other Linux
P5 normal
UCS 5.0-8-errata
Assigned To: Julia Bremer
Arvid Requate
Depends on:
Blocks:
Reported: 2024-08-09 16:52 CEST by Christina Scheinig
Modified: 2024-09-11 14:44 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.160
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2024073121000069
Bug group (optional):
Max CVSS v3 score:
Description Christina Scheinig univentionstaff 2024-08-09 16:52:05 CEST
A customer moved an OU and renamed it afterwards in the UMC.
He moved ou=Einrichtungen,ou=Kitas,ou=Benutzerkonten,dc=schein,dc=me to OU=Einrichtungen,DC=schein,DC=me. Then he renamed OU=Einrichtungen,DC=schein,DC=me to ou=kitas einrichtungen,dc=schein,dc=me.

Later he found lots of users missing.

In the s4-connector logfile you see this:

31.07.2024 09:04:38.002 LDAP        (WARNING): delete subobject: 'uid=clevischerring1,ou=kitas einrichtungen,dc=schein,dc=me'
31.07.2024 09:04:38.003 LDAP        (PROCESS): sync UCS > AD: [          user] [    delete] 'CN=clevischerring1,OU=Einrichtungen,DC=schein,DC=me'

So with the deletion of the previous object, the newly located object is also deleted.

I could reproduce this with the customer's LDAP in my test environment. The users who got lost are different.
Comment 3 Julia Bremer univentionstaff 2024-08-21 09:29:24 CEST
The reason for this behavior is that some users were modified in AD when the OU of the corresponding object in openLDAP was already renamed.
This results in the connector updating their local DN mapping
(e.g. AD DN cn=test,ou=beforerename,$base = uid=test,ou=afterrename,$base).

The actual rename of the OU and the resulting move operation is later not recognized by the connector. In AD, the user remains in ou=beforerename.

Much later on, the ou=beforerename is deleted in openLDAP.
This triggers a subtree_delete in AD and all objects remaining in that OU are permanently deleted.
Comment 4 Julia Bremer univentionstaff 2024-09-11 13:53:24 CEST
Successful build
Package: univention-s4-connector
Version: 14.0.18-6
Branch: 5.0-0
Scope: errata5.0-8

Successful build
Package: univention-ad-connector
Version: 14.0.19-11
Branch: 5.0-0
Scope: errata5.0-8

Objects will now be moved, even if the "new" position was already recognized and saved in the DN mapping of the connector.
Due to this, no subobjects of an OU should be left over in the old OU after a rename, and thus they are not deleted when the old OU is removed.
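To make the sequence from comment 3 and the effect of the fix from comment 4 concrete, here is an added toy model of the connector's DN-mapping table (not univention-s4-connector code; class and function names, the base DN dc=example,dc=com and the users "test" and "other" are constructed, and attribute/case differences between the UCS and AD DNs are ignored). With fixed=False the user touched in AD after the rename is skipped during the move and lost when the old OU is removed; with fixed=True the move happens regardless of the mapping and both users survive.

```python
BASE = "dc=example,dc=com"  # constructed base DN, not the customer's
rdn_value = lambda dn: dn.split(",", 1)[0].split("=", 1)[1]

def rename_parent(dn, old_parent, new_parent):
    # Rewrite a DN whose parent container was renamed (pure string model).
    return dn[:-len(old_parent)] + new_parent if dn.endswith("," + old_parent) else dn

class ConnectorModel:
    # Toy sync state: DNs in UCS and AD plus the UCS-DN -> AD-DN mapping table.
    def __init__(self, fixed):
        self.fixed, self.ucs, self.ad, self.mapping = fixed, set(), set(), {}
    def create_user(self, ucs_dn, ad_dn):
        self.ucs.add(ucs_dn); self.ad.add(ad_dn); self.mapping[ucs_dn] = ad_dn
    def ucs_rename_ou(self, old_ou, new_ou):
        # Admin renames the OU in openLDAP; all UCS subobjects move at once.
        self.ucs = {rename_parent(d, old_ou, new_ou) for d in self.ucs}
    def sync_ad_modify(self, ad_dn):
        # An AD-side change is synced before the UCS rename: the connector finds
        # the UCS object at its NEW DN and stores that in the mapping table.
        ucs_dn = next(d for d in self.ucs if rdn_value(d) == rdn_value(ad_dn))
        self.mapping = {k: v for k, v in self.mapping.items() if v != ad_dn}
        self.mapping[ucs_dn] = ad_dn
    def sync_ucs_move(self, old_ou, new_ou):
        # The connector now processes the rename as a move of each subobject.
        for ucs_dn in sorted(d for d in self.ucs if d.endswith("," + new_ou)):
            if not self.fixed and ucs_dn in self.mapping:
                continue  # bug: new position already mapped, so no move in AD
            old_ucs_dn = rename_parent(ucs_dn, new_ou, old_ou)
            ad_dn = self.mapping.pop(old_ucs_dn, None) or self.mapping[ucs_dn]
            new_ad_dn = rename_parent(ad_dn, old_ou, new_ou)
            self.ad.discard(ad_dn); self.ad.add(new_ad_dn)
            self.mapping[ucs_dn] = new_ad_dn
    def sync_ucs_delete_ou(self, ou):
        # Old OU removed in openLDAP -> subtree delete in AD; each AD deletion
        # is synced back as a delete of the UCS object it is mapped to.
        for ad_dn in [d for d in self.ad if d.endswith("," + ou)]:
            self.ad.discard(ad_dn)
            for ucs_dn in [k for k, v in self.mapping.items() if v == ad_dn]:
                del self.mapping[ucs_dn]; self.ucs.discard(ucs_dn)

def run_scenario(fixed):
    # Replay the sequence from comment 3; return the surviving UCS user DNs.
    old_ou, new_ou = f"ou=beforerename,{BASE}", f"ou=afterrename,{BASE}"
    m = ConnectorModel(fixed)
    for name in ("test", "other"):  # constructed users
        m.create_user(f"uid={name},{old_ou}", f"cn={name},{old_ou}")
    m.ucs_rename_ou(old_ou, new_ou)
    m.sync_ad_modify(f"cn=test,{old_ou}")  # only 'test' was touched in AD
    m.sync_ucs_move(old_ou, new_ou)
    m.sync_ucs_delete_ou(old_ou)
    return sorted(m.ucs)
```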
Comment 5 Arvid Requate univentionstaff 2024-09-11 14:33:25 CEST
Verified:
* Code review
* Manual comparison of behavior w/o patch
* Package update test
* Advisories