Univention Bugzilla – Full Text Bug Listing

| Field | Value |
|---|---|
| Summary | Adapt univention-ad-connector(-exchange) to recent Exchange versions |
| Product | UCS |
| Reporter | Michael Grandjean <grandjean> |
| Component | AD Connector |
| Assignee | Arvid Requate <requate> |
| Status | CLOSED FIXED |
| QA Contact | Stefan Gohmann <gohmann> |
| Severity | normal |
| Priority | P5 |
| CC | alexander.wotschke, andree.hingst, gohmann, stephan.hendl |
| Version | UCS 4.1 |
| Target Milestone | UCS 4.1-4-errata |
| Hardware | Other |
| OS | Linux |
| URL | http://serverfault.com/questions/724223/difference-between-proxyadresses-and-mail-attributes-in-active-directory |
| See Also | https://forge.univention.org/bugzilla/show_bug.cgi?id=40357 |
| What kind of report is it? | Bug Report |
| What type of bug is this? | 4: Minor Usability: Impairs usability in secondary scenarios |
| Who will be affected by this bug? | 2: Will only affect a few installed domains |
| How will those affected feel about the bug? | 3: A User would likely not purchase the product |
| User Pain | 0.137 |
| Enterprise Customer affected? | Yes |
| School Customer affected? | |
| ISV affected? | |
| Waiting Support | |
| Flags outvoted (downgraded) after PO Review | |
| Ticket number | 2016121621000432 |
| Bug group (optional) | |
| Max CVSS v3 score | |
| Bug Depends on | |
| Bug Blocks | 43447, 48725 |
Description
Michael Grandjean
2016-12-19 11:15:37 CET
Ok, I have built an adjusted version of the mapping.

Advisory: univention-ad-connector.yaml

Now we map (mailPrimaryAddress, mailAlternativeAddress) <-> proxyAddresses instead of (mailPrimaryAddress <-> mail, mailAlternativeAddress <-> proxyAddresses).

Currently this leaves the "mail" attribute unsynchronized; we need to discuss what to do about that, see: https://blogs.technet.microsoft.com/exchange/2005/01/10/fun-with-changing-e-mail-addresses/

"mail" is single-valued in the AD schema.

Well, in an AD member mode environment the content of the AD attribute mail should be synchronized with the LDAP one too. Since on the LDAP side there can exist more than one value, at first the connector should check whether the value exists. If yes, the process should be canceled; if no, the attribute should be synchronized and added.

Additionally the sync mode should be configurable via a UCR variable (see bug 42618) so the customer can decide whether to sync the mail attribute or not.

We have different semantics of OpenLDAP:mail and AD:mail, so I guess we have to treat them separately:

1. Sync OpenLDAP:mail <- proxyAddresses
2. Sync mailPrimaryAddress -> AD:mail (both single-value)

I don't know if the second point is relevant with current Exchange versions, see http://serverfault.com/questions/724223/difference-between-proxyadresses-and-mail-attributes-in-active-directory

> at first the connector should check whether the value exists. If yes the process should be canceled

I guess we would sync anyway, shouldn't we? Stopping in case a value exists would add a totally new behavior to the connector. That would be "write once".

> Additionally the sync mode should be configurable via UCR variable (see bug 42618) so the customer can decide whether to sync the mail attribute or not.

Yes, we would add a variable analogous to connector/ad/mapping/user/alternativemail, so it can be turned off or on.

Well, maybe I wrote it in a misunderstandable way...
If the content of the AD mail attribute exists on the OpenLDAP side, the address can be overwritten but should NOT be deleted in OpenLDAP. Also, other existing values of the OpenLDAP mail attribute should not be deleted during the sync process.

Ok, as discussed, we will postpone the merge from AD:proxyAddress to OpenLDAP:mail; that's split off as Bug 43447.

To stay compliant with the AD/Exchange spec I've now additionally implemented:

> 2. Sync mailPrimaryAddress -> AD:mail (both single-value)

Test case 55_adconnector/130sync_user_mail_attributes has been adjusted to the new behavior.

Advisory: univention-ad-connector.yaml

Well, just to be safe: in AD member mode for an Exchange-activated user the following attributes are synced:

- AD: ProxyAddresses with SMTP:<abc@example.com> -> OpenLDAP: mailPrimaryAddress
- AD: ProxyAddresses with smtp:<def@example.com> -> OpenLDAP: mailAlternativeAddress
- AD: mail -> OpenLDAP: mailPrimaryAddress or OpenLDAP: mail (see Bug 43447)

The last sync can be disabled via UCR. Is this right?

> AD: mail -> OpenLDAP: mailPrimaryAddress

It's the other way round:

OpenLDAP:mailPrimaryAddress -> AD:mail

But in AD member mode that's not active (connector/ad/mapping/syncmode=read).

OpenLDAP:mail is not touched; I explicitly covered that in our test case.
Jenkins tests: OK
Changelog: OK
UCS 4.2 merge: OK
Code review: OK
Tests: OK, it works as expected.
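The mapping agreed on in this thread, written out as an added example in Python. This is not univention-ad-connector code; it only models the rules stated above: an uppercase `SMTP:` entry in AD `proxyAddresses` becomes `mailPrimaryAddress`, lowercase `smtp:` entries become `mailAlternativeAddress`, OpenLDAP `mail` is never touched in the AD -> OpenLDAP direction, `mailPrimaryAddress` is written to the single-valued AD `mail`, and nothing is written to AD when `connector/ad/mapping/syncmode=read`. Two things are my own assumptions, not from the page: the toggle name `connector/ad/mapping/user/primarymail` (modelled on the `connector/ad/mapping/user/alternativemail` variable mentioned above) and the decision to keep non-SMTP `proxyAddresses` entries (X400:, SIP:) that the connector does not manage. The sample entries are constructed.

```python
# Added example, not univention-ad-connector code. Models the proxyAddresses <->
# mail attribute mapping discussed in Bug 43xxx's thread above.
# Exchange convention: an uppercase "SMTP:" prefix marks the primary address,
# a lowercase "smtp:" prefix marks a secondary (alias) address; other prefixes
# (X400:, SIP:, x500:) are not SMTP addresses.

# Hypothetical UCR toggle name, modelled on connector/ad/mapping/user/alternativemail.
PRIMARYMAIL_UCR = "connector/ad/mapping/user/primarymail"
SYNCMODE_UCR = "connector/ad/mapping/syncmode"


def split_proxy_addresses(proxy_addresses):
    """AD:proxyAddresses -> (mailPrimaryAddress, [mailAlternativeAddress, ...]).

    Non-SMTP entries are skipped. mailPrimaryAddress is single-valued on the
    OpenLDAP side, so a second "SMTP:" entry is an error, not silently dropped.
    """
    primary = None
    alternatives = []
    for entry in proxy_addresses:
        prefix, sep, address = entry.partition(":")
        if not sep or prefix.lower() != "smtp":
            continue
        if prefix == "SMTP":
            if primary is not None:
                raise ValueError(f"two primary SMTP addresses: {primary!r}, {address!r}")
            primary = address
        else:
            alternatives.append(address)
    return primary, alternatives


def build_proxy_addresses(mail_primary, mail_alternatives, existing=()):
    """(mailPrimaryAddress, mailAlternativeAddress) -> AD:proxyAddresses.

    SMTP entries are rebuilt from the OpenLDAP view. Non-SMTP entries already in
    AD are kept (assumption: the connector should not destroy X400:/SIP: data).
    """
    result = []
    if mail_primary:
        result.append("SMTP:" + mail_primary)
    for alt in mail_alternatives:
        if alt != mail_primary:
            result.append("smtp:" + alt)
    result.extend(e for e in existing if e.partition(":")[0].lower() != "smtp")
    return result


def sync_ad_to_ucs(ucs_entry, proxy_addresses):
    """AD -> OpenLDAP direction for one user entry (dict attribute -> list of values).

    Only mailPrimaryAddress and mailAlternativeAddress are written; OpenLDAP:mail
    is left exactly as it was (the merge into mail is deferred to Bug 43447).
    """
    primary, alternatives = split_proxy_addresses(proxy_addresses)
    updated = {attr: list(values) for attr, values in ucs_entry.items()}
    updated["mailPrimaryAddress"] = [primary] if primary else []
    updated["mailAlternativeAddress"] = alternatives
    return updated


def sync_ucs_to_ad(ucr, ucs_entry, ad_entry):
    """OpenLDAP -> AD direction for one user entry.

    Nothing is written when syncmode=read (AD member mode, AD is authoritative).
    AD:mail is single-valued, so it is replaced, never appended to; the
    hypothetical PRIMARYMAIL_UCR toggle can switch that part off.
    """
    updated = {attr: list(values) for attr, values in ad_entry.items()}
    if ucr.get(SYNCMODE_UCR) == "read":
        return updated
    primary = (ucs_entry.get("mailPrimaryAddress") or [None])[0]
    alternatives = ucs_entry.get("mailAlternativeAddress", [])
    updated["proxyAddresses"] = build_proxy_addresses(
        primary, alternatives, ad_entry.get("proxyAddresses", []))
    if primary and ucr.get(PRIMARYMAIL_UCR, "true") == "true":
        updated["mail"] = [primary]
    return updated


if __name__ == "__main__":
    # Constructed sample entries, not from a real domain.
    ad_user = {
        "proxyAddresses": ["SMTP:abc@example.com", "smtp:def@example.com",
                           "X400:c=DE;a= ;p=Example;o=Exchange;s=User;",
                           "SIP:abc@example.com"],
        "mail": ["abc@example.com"],
    }
    ucs_user = {"mail": ["old@example.com", "other@example.com"]}
    print(sync_ad_to_ucs(ucs_user, ad_user["proxyAddresses"]))
    print(sync_ucs_to_ad({SYNCMODE_UCR: "read"}, ucs_user, ad_user) == ad_user)
```

Running the block shows the AD member mode case from the thread: the two SMTP entries land in `mailPrimaryAddress` and `mailAlternativeAddress`, the existing `mail` values on the OpenLDAP side survive, and with `syncmode=read` the AD entry comes back unchanged.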