Bug 41028

Summary: Reject while syncing moved group members in write mode
Product: UCS
Reporter: Stefan Gohmann <gohmann>
Component: AD Connector
Assignee: Stefan Gohmann <gohmann>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: stoeckigt, walkenhorst
Version: UCS 3.2
Target Milestone: UCS 4.1-1-errata
Hardware: Other
OS: Linux
Bug Blocks: 41141    
Attachments: bug41028.patch, reproducer-bug41028.sh

Description Stefan Gohmann univentionstaff 2016-04-08 22:53:37 CEST
Ticket #2015110521000528

The following traceback occurs in a UCS@school environment. The connector is configured in write mode.

One group member was moved from one OU to another OU. The rename has already been performed in the AD. In the detailed debug it is shown that the old DN should be set in AD and the new DN should be removed:

07.04.2016 12:24:11,233 LDAP        (INFO   ): group_members_sync_from_ucs: members to add: [u'cn=user1,cn=schueler,cn=users,ou=oldou,dc=doma,dc=lan']
07.04.2016 12:24:11,234 LDAP        (INFO   ): group_members_sync_from_ucs: members to del: [u'CN=user1,CN=schueler,CN=users,OU=newou,DC=doma,DC=lan']

After an AD connector restart the traceback is resolved automatically.

I guess the group mapping cache is not cleaned during the move.

The traceback:

07.04.2016 12:24:11,248 LDAP        (WARNING): sync failed, saved as rejected
07.04.2016 12:24:11,249 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 721, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn))):
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/__init__.py", line 2257, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/__init__.py", line 76, in group_members_sync_from_ucs
    return connector.group_members_sync_from_ucs(key, object)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/__init__.py", line 1450, in group_members_sync_from_ucs
    self.lo_ad.lo.modify_s(compatible_modstring(object['dn']),[(ldap.MOD_REPLACE, 'member', modlist_members)])
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 322, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': "00000525: NameErr: DSID-031A125B, problem 2001 (NO_OBJECT), data 0, best match of:\n\t''\n", 'desc': 'No such object'}
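
A log triage sketch for the symptom described above, added here as an example and not part of the bug report or of univention-ad-connector: it scans connector log text for "members to add" / "members to del" pairs in which the same leaf RDN appears under two different parent DNs. The function names and the regular expression are assumptions built from the two log lines quoted in the description.

```python
import ast
import re

# First two lines are the ones quoted in the report; the last two are constructed.
SAMPLE_LOG = """\
07.04.2016 12:24:11,233 LDAP        (INFO   ): group_members_sync_from_ucs: members to add: [u'cn=user1,cn=schueler,cn=users,ou=oldou,dc=doma,dc=lan']
07.04.2016 12:24:11,234 LDAP        (INFO   ): group_members_sync_from_ucs: members to del: [u'CN=user1,CN=schueler,CN=users,OU=newou,DC=doma,DC=lan']
07.04.2016 12:25:02,101 LDAP        (INFO   ): group_members_sync_from_ucs: members to add: [u'cn=user2,cn=users,dc=doma,dc=lan']
07.04.2016 12:25:02,102 LDAP        (INFO   ): group_members_sync_from_ucs: members to del: []
"""

# Assumed line layout: "<date> <time> ... members to add|del: [<python list repr>]"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) .*group_members_sync_from_ucs: "
    r"members to (?P<op>add|del): (?P<dns>\[.*\])\s*$")

def split_dn(dn):
    """Return (leaf RDN, parent DN), lower-cased; splits on unescaped commas only."""
    parts = [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]
    return parts[0], ",".join(parts[1:])

def find_stale_moves(log_text):
    """Heuristic: the same leaf RDN is added under one parent and deleted under another."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        try:
            dns = [split_dn(d) for d in ast.literal_eval(m.group("dns"))]
        except (ValueError, SyntaxError):
            continue  # truncated or malformed list, skip the line
        if m.group("op") == "add":
            pending = (m.group("ts"), dict(dns))  # leaf RDN -> parent DN
        elif pending:
            ts, added = pending
            pending = None
            for rdn, parent in dns:
                if rdn in added and added[rdn] != parent:
                    findings.append({"time": ts, "rdn": rdn,
                                     "add_parent": added[rdn], "del_parent": parent})
    return findings

if __name__ == "__main__":
    for finding in find_stale_moves(SAMPLE_LOG):
        print(finding)
```

A hit only says that the add and del lists disagree about where an object lives; two distinct accounts with the same RDN in different OUs would match as well, so each finding still needs a check against the directory.
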
Comment 1 Stefan Gohmann univentionstaff 2016-04-26 15:28:50 CEST
Unfortunately, I'm not able to reproduce this issue reliably.

It seems to happen only if the user is in a group and the group is changed before the user is moved. This is hard to reproduce because the connector drops objects which will be synced later. The easiest way is to stop the notifier on the DC Master, do many changes and run the AD connector on the backup.


Fixed in UCS 4.1-1: r68913
Comment 2 Stefan Gohmann univentionstaff 2016-04-26 15:29:09 CEST
Created attachment 7622
bug41028.patch
Comment 3 Felix Botner univentionstaff 2016-04-27 17:47:39 CEST
Created attachment 7628
reproducer-bug41028.sh

I can reproduce this with the attached script (setup: master + backup with ad-connector, script has to be started on the master)
Comment 4 Felix Botner univentionstaff 2016-04-27 17:50:36 CEST
OK - univention-ad-connector r68913 (can no longer reproduce this bug)
OK - jenkins ad connector jobs still succeed (in the same time)

OK - univention-ad-connector.yaml
Comment 5 Janek Walkenhorst univentionstaff 2016-05-04 18:15:39 CEST
<http://errata.software-univention.de/ucs/4.1/173.html>