Bug 58737 - sync_to_ucs: Changing sAMAccountName and then CN leads to reject
Summary: sync_to_ucs: Changing sAMAccountName and then CN leads to reject
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 5.0
Hardware: Other Linux
: P5 normal
Target Milestone: UCS 5.0-10-errata
Assignee: Arvid Requate
QA Contact: Jürn Brodersen
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on: 58738
Blocks: 58793
Reported: 2025-10-24 13:39 CEST by Arvid Requate
Modified: 2025-11-11 12:47 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2025100221000098
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2025-10-24 13:39:57 CEST
A sAMAccountName change doesn't update the `DN Mapped CON` cache, and then a subsequent change of CN (leading to a modrdn DN change in AD) causes a traceback in the connector-ad.log, because the connector doesn't find the cached `olddn` (AD-DN mapped to UCS-DN), because it doesn't match reality any more. But even during the first step there's already a traceback, because the `post_ucs_modify_functions` can't find the object any longer using `ucs_object['dn']`:

===
23.10.2025 17:29:39.685 LDAP        (INFO   ): object_from_element: olddn: CN=oster hase,CN=Users,DC=ad,DC=test
[...]
23.10.2025 17:29:39.690 LDAP        (INFO   ): The following attributes have been changed: ['whenChanged', 'uSNChanged', 'sAMAccountName', 'userPrincipalName', 'msDS-RevealedDSAs']
23.10.2025 17:29:39.692 LDAP        (INFO   ): get_ucs_object: object found: uid=oster.hase,cn=users,dc=ucs,dc=test
23.10.2025 17:29:39.692 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=oster.hase,cn=users,dc=ucs,dc=test
[...]
23.10.2025 17:29:39.745 LDAP        (INFO   ): Call post_ucs_modify_functions: <function password_sync at 0x7ff333dfaf28>
[...]
23.10.2025 17:29:39.750 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
[...]
ldap.NO_SUCH_OBJECT: {'desc': 'No such object', 'matched': 'cn=users,dc=ucs,dc=test'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/__init__.py", line 1463, in sync_to_ucs
    post_ucs_modify_function(self, property_type, object)
  File "/usr/lib/python3/dist-packages/univention/connector/ad/password.py", line 487, in password_sync
    ucs_result = connector.lo.search(base=ucs_object['dn'], attr=['sambaPwdLastSet', 'sambaNTPassword', 'krb5PrincipalName', 'krb5Key', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'pwhistory'])
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 672, in search
    raise univention.admin.uexceptions.noObject(_err2str(msg))
univention.admin.uexceptions.noObject: No such object.
===
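The failure mode in the description, replayed on an in-memory model as an added example (this is not code from univention-ad-connector; `FakeUcsLdap`, `NoSuchObject`, `run_scenario` and the shape of the DN-mapping cache are assumptions made for illustration, and the sample entry and DNs are constructed). A sAMAccountName change becomes a uid change in UCS, which is a modrdn of the UCS object, so the DN held in `ucs_object['dn']` and in the AD-DN to UCS-DN cache goes stale. The buggy variant hands that stale DN to the `password_sync` post-modify hook and breaks exactly as in the traceback; the fixed variant refreshes the DN after the modify, so the hook succeeds and the following CN rename can still resolve its `olddn`.

```python
"""Model of the stale-DN problem from the report (constructed example, not connector code)."""


class NoSuchObject(Exception):
    """Stands in for ldap.NO_SUCH_OBJECT / univention.admin.uexceptions.noObject."""


class FakeUcsLdap:
    """Minimal in-memory LDAP: DN -> attributes, with the RDN taken from 'uid'."""

    def __init__(self, entries):
        self.entries = dict(entries)

    def search(self, base):
        if base not in self.entries:
            raise NoSuchObject(base)
        return self.entries[base]

    def modify(self, dn, changes):
        """Apply attribute changes; a uid change is a modrdn, so the new DN is returned."""
        entry = self.search(dn)
        entry.update(changes)
        new_dn = dn
        if "uid" in changes:
            parent = dn.split(",", 1)[1]
            new_dn = "uid=%s,%s" % (changes["uid"], parent)
            del self.entries[dn]
            self.entries[new_dn] = entry
        return new_dn


def password_sync(lo, ucs_object):
    """post_ucs_modify hook in the style of the traceback: looks the object up by its DN."""
    entry = lo.search(base=ucs_object["dn"])
    return entry.get("sambaNTPassword")


def sync_to_ucs(lo, dn_mapping, ad_dn, ucs_object, changes, update_dn_after_modify):
    """Modify step of a sync_to_ucs; the flag selects the buggy or the fixed behaviour."""
    new_dn = lo.modify(ucs_object["dn"], changes)
    if update_dn_after_modify:
        ucs_object["dn"] = new_dn          # what the fix does: refresh object['dn']
        dn_mapping[ad_dn] = new_dn         # and keep the AD-DN -> UCS-DN cache in step
    return password_sync(lo, ucs_object)


def run_scenario(fixed):
    """Replay the two steps from the report: uid change, then a CN change arriving from AD."""
    old_ucs_dn = "uid=osterhase,cn=users,dc=ucs,dc=test"   # constructed sample entry
    ad_dn = "CN=oster hase,CN=Users,DC=ad,DC=test"
    lo = FakeUcsLdap({old_ucs_dn: {"uid": "osterhase", "sambaNTPassword": "HASH"}})
    dn_mapping = {ad_dn: old_ucs_dn}
    ucs_object = {"dn": dn_mapping[ad_dn]}
    result = {}
    # Step 1: sAMAccountName changed in AD -> uid (the RDN) changes in UCS.
    try:
        result["password_sync"] = sync_to_ucs(
            lo, dn_mapping, ad_dn, ucs_object, {"uid": "oster.hase"}, fixed)
    except NoSuchObject as exc:
        result["password_sync"] = "NoSuchObject: %s" % exc
    # Step 2: CN changed in AD (modrdn); the connector resolves the cached olddn.
    result["cached_ucs_dn"] = dn_mapping[ad_dn]
    result["cache_valid"] = dn_mapping[ad_dn] in lo.entries
    return result


if __name__ == "__main__":
    print("buggy:", run_scenario(False))
    print("fixed:", run_scenario(True))
```

The point a reviewer would check in the real connector is the same invariant this model enforces: any modify that can change the RDN must hand the refreshed DN to every post-modify hook and write it back into the DN-mapping cache before the next change for that AD object is processed.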
Comment 1 Arvid Requate univentionstaff 2025-10-25 18:48:39 CEST
5fdad6ef909 | feat(ad-connector): update object['dn'] in modify_in_ucs
0d7638d649e | test(adconnector): AD-Connector cache 'DN Mapping CON' update on uid change

Package: univention-ad-connector
Version: 14.0.24
Release: 5.0-0
Scope: errata5.0-10

Package: ucs-test
Version: 10.0.24-26
Release: 5.0-0
Scope: errata5.0-10
Comment 2 Jürn Brodersen univentionstaff 2025-11-04 16:38:15 CET
Looks good to me

Jenkins: OK
Manual test: OK
yaml: OK
Comment 3 Dirk Wiesenthal univentionstaff 2025-11-05 13:46:02 CET
<https://errata.software-univention.de/#/?erratum=5.0x1341>