In case a customer has a localmapping.py with

position_mapping = [("dc=dom,dc=com", "OU=SOME,DC=sub,DC=dom,DC=com")]

the AD-Connector may get confused in object_mapping_ucs in case it already finds the object in AD via dn_mapping_function (which is samaccount_dn_mapping for account objects). In that case the object[dntype] already contains an AD DN and the AD-Connector additionally runs the position_mapping over that. Similar "duplicate DN mapping" has been observed and addressed in Bug 13745#c14, in that case between position_mapping and the default ldap_base substitution.

In this case the "overlapping" base DNs lead the AD-C to generate a weird "Frankenstein" DN, where "dc=sub" appears somewhere in the DN:

> UCS DN: uid=dirk.a,cn=lehrer,cn=users,ou=other,dc=dom,dc=com

gets mapped to

> CN=dirk.a,cn=lehrer,cn=users,ou=other,dc=sub,OU=SOME,DC=sub,DC=dom,DC=com
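A simplified model of the double mapping described in the report above, as an added example that is not the AD-Connector's code or its fix. The helper names, `AD_BASE` and the `ALREADY_AD` input are assumptions constructed for illustration; the mapping and the UCS DN are taken from the report.

```python
# Simplified model of suffix-based position mapping (added example, not AD-Connector code).
POSITION_MAPPING = [("dc=dom,dc=com", "OU=SOME,DC=sub,DC=dom,DC=com")]  # from the report
AD_BASE = "DC=sub,DC=dom,DC=com"  # assumption: AD base implied by the mapping target


def rdns(dn):
    """Split a DN into lower-cased RDNs (sample DNs contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn, base):
    """True if dn equals base or lies below it (case-insensitive)."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def map_suffix(dn, src, dst):
    """Replace the trailing base src with dst, keeping the leading RDNs as written."""
    if not is_under(dn, src):
        return dn
    parts = [p.strip() for p in dn.split(",")]
    keep = parts[:len(parts) - len(rdns(src))]
    return ",".join(keep + [dst])


def map_naive(dn):
    """Apply every position mapping, even to a DN already in the AD namespace."""
    for src, dst in POSITION_MAPPING:
        dn = map_suffix(dn, src, dst)
    return dn


def map_guarded(dn):
    """Skip position mapping when the DN already lies under the AD base."""
    return dn if is_under(dn, AD_BASE) else map_naive(dn)


UCS_DN = "uid=dirk.a,cn=lehrer,cn=users,ou=other,dc=dom,dc=com"  # from the report
# Constructed: a DN already expressed relative to the AD base.
ALREADY_AD = "CN=dirk.a,cn=lehrer,cn=users,ou=other,dc=sub,dc=dom,dc=com"

if __name__ == "__main__":
    print(map_naive(UCS_DN))
    print(map_naive(ALREADY_AD))    # second pass: dc=sub ends up in front of OU=SOME
    print(map_guarded(ALREADY_AD))  # unchanged
```

Because the source base is itself a suffix of the target base, every DN in the AD namespace still matches the source pattern, so the mapping is not idempotent without a guard.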
OK: Code fix
OK: Was tested at the customer
OK: YAML
OK: No docs needed
OK: Jenkins

Verified
I think Comment 2 was intended to go to Bug #58556.

I just merged the backport to 5.0-10 and built the package there too:

e738b2249a6 | Bug #58547: Fix obect_mapping_ucs for overlapping position_mapping (same as in 5.2-3 w/o the structured logging)
6c163438f34 | Changelog & Advisory

Package: univention-ad-connector
Version: 14.0.23
Release: 5.0-0
Scope: errata5.0-10
OK: Code
OK: Cherry-pick
OK: YAML
OK: Jenkins

Verified
<https://errata.software-univention.de/#/?erratum=5.0x1327>