Bug 58384 - univentionObjectIdentifier missing for some LDAP objects
Summary: univentionObjectIdentifier missing for some LDAP objects
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 5.2
Hardware: amd64 Linux
: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
QA Contact: UCS maintainers
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on: 58318
Blocks:
  Show dependency treegraph
 
Reported: 2025-06-11 13:06 CEST by Arvid Requate
Modified: 2026-01-13 10:45 CET (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?: Yes
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2026010621000104
Bug group (optional):
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2025-06-11 13:06:54 CEST 
Bug #58318 introduced automatic adding of the univentionObjectIdentifier and a diagnostic module. In our CI tests we see that "univention-join/univention-server-join" creates e.g. DNS objects objects when attributes like dnsEntryZoneForward and dnsEntryZoneReverse and ip are set and those then don't have a univentionObjectIdentifier.
Comment 1 Florian Best univentionstaff 2025-07-03 18:32:01 CEST 
The diagnostic module for example shows (every Jenkins run every day):

  [dry-run] Updating univentionObjectIdentifier with entryUUID values.
  [dry-run] Would update 'relativeDomainName=slave,zoneName=ucs.test,cn=dns,dc=ucs,dc=test' | 'c9b6b3a0-ebeb-103f-963e-750a10220e05'
  [dry-run] Would update 'relativeDomainName=81.21,zoneName=207.10.in-addr.arpa,cn=dns,dc=ucs,dc=test' | 'c9bcbf3e-ebeb-103f-9645-750a10220e05'
  [dry-run] Would update 'relativeDomainName=backup,zoneName=ucs.test,cn=dns,dc=ucs,dc=test' | '97b19a96-ebf0-103f-9ac9-091f2f6ac5c4'
  [dry-run] Would update 'relativeDomainName=82.21,zoneName=207.10.in-addr.arpa,cn=dns,dc=ucs,dc=test' | '97b56af4-ebf0-103f-9acc-091f2f6ac5c4'
  [dry-run] Would update 'relativeDomainName=member,zoneName=ucs.test,cn=dns,dc=ucs,dc=test' | '12b8fd66-ebf5-103f-89df-5f42322f6fe5'
  [dry-run] Would update 'relativeDomainName=83.21,zoneName=207.10.in-addr.arpa,cn=dns,dc=ucs,dc=test' | '12be9d8e-ebf5-103f-89e2-5f42322f6fe5'
  [dry-run] Updated 6 records.

And we have a PS/customer report about:
dn: univentionAppID=radius_9.0,cn=radius,cn=apps,cn=univention,dc=dev,dc=ucs,dc=example,dc=org
in a non-mixed environment.
Comment 3 Florian Best univentionstaff 2025-12-10 11:35:02 CET 
The license object doesn't have univentionObjectType either.
Comment 4 Florian Best univentionstaff 2025-12-10 12:06:38 CET 
The Jenkins test for the recyclebin revealed that there are also objects in the S4/AD Connector not having univentionObjectIdentifier. But they didn't show which ones.
Comment 5 Dirk Ahrnke univentionstaff 2025-12-16 16:22:28 CET 
I noticed the problem mentioned in the inital bug report in the training environment (after installation of univention-demodata).

It as appears as if DNS-objects in general do not get the univentionObjectIdentifier. 

root@dn1:~# univention-run-diagnostic-checks -t 58_univentionObjectIdentifier
Executing following checks: ['58_univentionObjectIdentifier']

You can find the logging messages of the diagnostic modules at /var/log/univention/management-console-module-diagnostic.log

ran 58_univentionObjectIdentifier successfully.

root@dn1:~# udm computers/windows create --position "cn=computers,"$ldap_base"" --set name=w2 --set network="cn=default,cn=networks,"$ldap_base""
Object created: cn=w2,cn=computers,dc=training,dc=ucs
root@dn1:~# univention-run-diagnostic-checks -t 58_univentionObjectIdentifier
Executing following checks: ['58_univentionObjectIdentifier']

You can find the logging messages of the diagnostic modules at /var/log/univention/management-console-module-diagnostic.log

############################################## Start 58_univentionObjectIdentifier ##############################################
## Check failed: 58_univentionObjectIdentifier - Validierung, dass alle Objekte den Univention Object Identifier gesetzt haben ##
Alle Objekte der Klasse "univentionObject" sollten das Attribut "univentionObjectIdentifier" tragen in OpenLDAP.

[dry-run] Updating univentionObjectIdentifier with entryUUID values.
[dry-run] Would update 'relativeDomainName=w2,zoneName=training.ucs,cn=dns,dc=training,dc=ucs' | 'abbba5e8-6edd-1040-9e85-b70369bce80e'
[dry-run] Would update 'relativeDomainName=114,zoneName=0.0.10.in-addr.arpa,cn=dns,dc=training,dc=ucs' | 'abbcd2ce-6edd-1040-9e88-b70369bce80e'
[dry-run] Updated 2 records.
############################################### End 58_univentionObjectIdentifier ###############################################

root@dn1:~# univention-app info
UCS: 5.2-4 errata298
Installed: cups=2.4.2 dhcp-server=16.0 samba4=4.21
Upgradable:


For me this rather looks more than a bug than a feature request, affecting most installed domains.
Comment 6 Finn David univentionstaff 2026-01-13 10:45:45 CET 
Another customer has issues regarding this:

After applying DNS settings at a computer object, the corresponding network objects beneath cn=dns and cn=dhcp are created without the attribute univentionObjectIdentifier, which results in diagnostic warning messages.

Because we warn the user about those objects, we should create the objects correctly. Therefore I changed this from feature -> bug.