Bug 40741

Summary: 91univention-saml.inst may fail due to extended attributes
Product: UCS
Reporter: Florian Best <best>
Component: SAML
Assignee: Florian Best <best>
Status: CLOSED FIXED
QA Contact: Stefan Gohmann <gohmann>
Severity: normal
Priority: P5
CC: gohmann, walkenhorst
Version: UCS 4.1
Target Milestone: UCS 4.1-1-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=40824
Bug group (optional): External feedback

Description Florian Best univentionstaff 2016-02-19 16:34:27 CET
During the creation of the LDAP-only user for SAML, required extended attributes may break the joinscript.
There is also a --ignore_exists missing!

E: Insufficient information
The following parameters are missing:
gender
primaryGroup
unixhome
EXITCODE=3

This causes the joinscript 91univention-saml.inst and 92univention-management-console-web-server.inst to fail.
Comment 1 Florian Best univentionstaff 2016-02-25 13:07:33 CET
Replaced with python :) (which ignores extended-attributes if not manually set up).
I hope this will never have side effects due to import errors aka Bug #33359 :D

univention-saml (3.0.27-2):
r67686 | Bug #40741: Update Copyright
r67685 | Bug #40741: don't fail to create SAML user due to extended attributes

univention-saml.yaml:
r67687 | YAML Bug #40741
Comment 2 Florian Best univentionstaff 2016-02-26 18:44:16 CET
*** Bug 40786 has been marked as a duplicate of this bug. ***
Comment 3 Florian Best univentionstaff 2016-02-29 12:10:45 CET
(In reply to Florian Best from comment #2)
> *** Bug 40786 has been marked as a duplicate of this bug. ***
Fixed the syntax error by indenting with space instead of tabs.
Comment 4 Stefan Gohmann univentionstaff 2016-03-02 09:01:59 CET
Now you use the admin user and no longer the join credentials.

Can you give an example with the extended attributes? Do we have an App which requires extended attributes for users?
Comment 5 Florian Best univentionstaff 2016-03-02 16:04:29 CET
(In reply to Stefan Gohmann from comment #4)
> Now you use the admin user and no longer the join credentials.
Yes. Is that really bad?

> Can you give an example with the extended attributes?
eval "$(ucr shell)"
udm settings/extended_attribute create \
    --set name=test \
    --set module=users/user \
    --set ldapMapping=univentionFreeAttributes1 \
    --set objectClass=univentionFreeAttributes \
    --set shortDescription=test \
    --set valueRequired=1 \
    --set mayChange=1 \
    --set CLIName=test \
    --set deleteObjectClass=1 \
    --position "cn=custom attributes,cn=univention,$ldap_base"

> Do we have an App which requires extended attributes for users?
I am not aware of one.
Comment 6 Florian Best univentionstaff 2016-03-02 16:16:46 CET
Ticket#2016021821000742
Comment 7 Florian Best univentionstaff 2016-03-02 17:13:40 CET
As it is only executed on the DC master, it is okay to use cn=admin.

The creation of such extended attributes is prevented by Bug #40824.
Comment 8 Florian Best univentionstaff 2016-03-02 17:39:16 CET
ucs-test (6.0.33-33):
r67854 | Bug #40741: test SAML user exists
Comment 9 Stefan Gohmann univentionstaff 2016-03-07 21:12:17 CET
Tests: OK

ucs-test: OK

Code review: OK

YAML: OK (small adjustments: r67970)
Comment 10 Janek Walkenhorst univentionstaff 2016-03-09 15:51:58 CET
<http://errata.software-univention.de/ucs/4.1/128.html>