Univention Bugzilla – Full Text Bug Listing
Summary: | connector overwrites Domain Admins in AD with Domain Admins from UCS in initial sync | ||
---|---|---|---|
Product: | UCS | Reporter: | Felix Botner <botner> |
Component: | AD Connector | Assignee: | Felix Botner <botner> |
Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
Severity: | normal | ||
Priority: | P5 | ||
Version: | UCS 4.1 | ||
Target Milestone: | UCS 4.1-4-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=36354 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.114 | Enterprise Customer affected?: | |
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 36354 | ||
Attachments: | connector.log |
Description
Felix Botner
2016-11-28 18:40:16 CET
The problem seems to be that the connector initially syncs the group membership from ucs to ad:

```
# UCS
-> univention-ldapsearch -LLL cn=Domain\ Admins memberUid
dn: cn=Domain Admins,cn=groups,dc=w2k12,dc=test
memberUid: Administrator

# AD
-> ldbsearch -H ldap://10.200.7.132 -U fb3%Univention.99 cn=Dom*Admins member
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
member: CN=fb3,DC=w2k12,DC=test
member: CN=Administrator,CN=Users,DC=w2k12,DC=test
```

fb3 is used as connector user, sync mode sync

after the setup the user exists in UCS but lost its Domain Admins membership in AD

```
-> univention-ldapsearch -LLL uid=fb3 dn
dn: uid=fb3,dc=w2k12,dc=test

-> ldbsearch -H ldap://10.200.7.132 -U fb3%Univention.99 cn=Dom*Admins member
# record 1
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
member: CN=Administrator,CN=Users,DC=w2k12,DC=test
```

connector.log

```
group_members_sync_from_ucs: Object exists only in AD [uid=fb3,dc=w2k12,dc=test]
group_members_sync_from_ucs: ad_members_from_ucs without members with this as their primary group: [u'cn=administrator,cn=users,dc=w2k12,dc=test']
members to del: [u'CN=fb\xf6,OU=\xfcdmins\\=\\,,OU=admins,DC=w2k12,DC=test', u'CN=fb3,DC=w2k12,DC=test']
```

Basically Domain Admins is overwritten by UCS during the initial sync.

Created attachment 8253
connector.log

I think this is Bug #33319, merged the s4connector changes to univention-ad-connector.

univention-ad-connector: r74831 univention-ad-connector.yaml merged to 4.2-0

Code review: OK
Merge to UCS 4.2: OK
Tests: OK, I've extended the test case 101sync_initial_membership_ad_to_ucs (r75143 + r75144)
Jenkins tests: OK
YAML: OK
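An added example, not part of the original report and not Univention's code: a small audit that scans connector.log text for the `members to del` lines quoted above and flags removals of accounts the connector had just logged as existing only in AD. The function names are hypothetical, the sample log is constructed from the lines in the report, and matching the two DN forms by the value of their first RDN is a heuristic assumption.

```python
import ast
import re

# Constructed sample: the connector.log lines quoted in the report, one per line.
SAMPLE_LOG = r"""
group_members_sync_from_ucs: Object exists only in AD [uid=fb3,dc=w2k12,dc=test]
group_members_sync_from_ucs: ad_members_from_ucs without members with this as their primary group: [u'cn=administrator,cn=users,dc=w2k12,dc=test']
members to del: [u'CN=fb\xf6,OU=\xfcdmins\\=\\,,OU=admins,DC=w2k12,DC=test', u'CN=fb3,DC=w2k12,DC=test']
"""

ONLY_IN_AD = re.compile(r"Object exists only in AD \[(.+)\]")
TO_DELETE = re.compile(r"members to del: (\[.*\])")
# First RDN value, stopping at the first unescaped comma.
FIRST_RDN = re.compile(r"[^=]+=((?:\\.|[^,\\])*)")


def rdn_value(dn):
    """Lower-cased value of the first RDN (uid=fb3,... and CN=fb3,... both give 'fb3')."""
    match = FIRST_RDN.match(dn)
    return match.group(1).lower() if match else dn.lower()


def audit_member_removals(log_text):
    """Return (removed_dn, exists_only_in_ad) for every logged group member removal."""
    # Assumption: an AD member and the "only in AD" object are the same account
    # when their first RDN values match.
    ad_only = {rdn_value(dn) for dn in ONLY_IN_AD.findall(log_text)}
    findings = []
    for raw_list in TO_DELETE.findall(log_text):
        try:
            # The log shows a Python list repr; literal_eval parses it without running code.
            removed = ast.literal_eval(raw_list)
        except (ValueError, SyntaxError):
            continue  # truncated or malformed log line
        for dn in removed:
            findings.append((dn, rdn_value(dn) in ad_only))
    return findings


if __name__ == "__main__":
    for dn, only_in_ad in audit_member_removals(SAMPLE_LOG):
        note = "exists only in AD, membership lost" if only_in_ad else "review manually"
        print("REMOVED %s (%s)" % (dn, note))
```

Run against a connector.log after an initial sync, any entry flagged `True` for a privileged group such as Domain Admins is a membership to restore and re-check in AD.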