Univention Bugzilla – Full Text Bug Listing
Summary: | AD Connector: make mapping configurable | ||
---|---|---|---|
Product: | UCS | Reporter: | Florian Best <best> |
Component: | AD Connector | Assignee: | Max Pohle <pohle> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | enhancement | ||
Priority: | P5 | CC: | best, botner, gohmann, grandjean, gulden, heidelberger, hpeter, michelsmidt, requate, scheinig, schnick, stephan.hendl, steuwer, stoeckigt, voelker |
Version: | UCS 4.3 | Flags: | best: Patch_Available+ |
Target Milestone: | UCS 4.4-6-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
URL: | https://git.knut.univention.de/univention/ucs/-/merge_requests/39 | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=51280 https://forge.univention.org/bugzilla/show_bug.cgi?id=51869 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.091 | Enterprise Customer affected?: | Yes |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2019072621000249, 2020072821000322, 2020101421000281 | Bug group (optional): | Forked for project, Roadmap discussion (moved) |
Max CVSS v3 score: | |||
Bug Depends on: | 48410 | ||
Bug Blocks: | 51869, 53340 |
Description
Florian Best
2019-08-08 15:47:15 CEST
diff --git a/services/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping b/services/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping index c33315affd..cb9061e65c 100644 --- a/services/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping +++ b/services/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping 
@@ -461,3 +461,10 @@ if configRegistry.is_false('connector/ad/mapping/group/exchange', True): ad_mapping['group'].attributes.pop('Exchange-Nickname') if configRegistry.get('connector/ad/mapping/group/language') not in ['de', 'DE']: ad_mapping['group'].mapping_table.pop('cn') + +try: + mapping_hook = imp.load_source('localmapping', os.path.join(os.path.dirname(__file__), 'localmapping.py')).mapping_hook +except (IOError, AttributeError): + pass +else: + s4_mapping = mapping_hook(as_mapping)

Customer request to sync users into an OU=

Another customer announces the need for a configurable AD mapping. The background is the deviation of the UCS Samba cn value from the MS AD. In MS AD first and last name (DisplayName) are used, in UCS the user name is entered. For the connection of a third party application an attribute is required for groups and users that contains a "speaking" name. In a pure MS AD this is done by using cn. In UCS / UCS Samba this is the username that should not be used. It would be possible to extend groups by a univention extended attribute, which consists of the LDAP DisplayName. The AD Connector will not synchronize this to groups without mapping adjustment. A configurable mapping would be the solution here.

The configuration option asked for in Comment 4 is not possible just by adjusting the mapping, currently. That would require a change in the samaccountname_dn_mapping function in the connector. I guess we should keep feature requests like that separate from this bug, which wants to solve a different issue.

The request in comment 4 is not changing the mapping of cn, as we have discussed in our chat. The solution would be to use the attribute displayName, which exists in both AD and LDAP, and extend groups by implementing a custom attribute displayName. For this purpose only AD-Conn and S4-Conn mapping must be customized, which would be easier by fixing this bug.
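Review bot: In the `else:` branch of the hunk against conffiles/etc/univention/connector/ad/mapping, the hook is called as `s4_mapping = mapping_hook(as_mapping)`, while the context lines directly above operate on `ad_mapping`. `as_mapping` is not defined anywhere in the visible lines, and the call sits outside the `try`, so it would raise a NameError at load time; even with the argument corrected, binding the result to `s4_mapping` means the hook's changes never reach the AD mapping. Suggest `ad_mapping = mapping_hook(ad_mapping)`. The `except (IOError, AttributeError): pass` also treats "no localmapping.py" and "localmapping.py present but without `mapping_hook`" identically and silently; the second case is an administrator error and should be reported on stderr rather than ignored. Because `imp.load_source` executes localmapping.py as Python inside the connector, the documentation for this file should state that it must be writable by root only. The hunk does not show the imports, so please confirm `imp` and `os` are imported at the top of the file.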
REOPEN: git:36fc68ee212303368cd5a59a0abab7b941e7603e

Missing ".py" in:
+Benutzerdefinierte Mapping-Datei <filename>/etc/univention/connector/ad/localmapping</filename> +<filename>/etc/univention/connector/ad/localmapping</filename> custom mapping file

Please print error messages to stderr.

services/univention-ad-connector/conffiles/etc/univention/connector/ad/mapping: PEP8:
34 col 1 error| 'sys' imported but unused [F401]
34 col 10 error| multiple imports on one line [E401]
514 col 1 error| expected 2 blank lines after class or function definition, found 1 [E305]

The test case 55_adconnector/169sync_custom_mapping_nonstandard_attribs is failing:
https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-6/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/55_adconnector/169sync_custom_mapping_nonstandard_attribs/master091/

It would be best to remove the sentences about overwriting the old mapping.py and suggest only to use localmapping for extending/adjusting the mapping.

@Florian: I have integrated the changes from your Comment 7.
The test failed for some roles only and that has also been fixed by deactivating the test for those where it is not applicable, namely non-ad.
@Florian: The hint you were referring to in comment 9 has already been removed.
ucs-test fix: 9.0.5-27A~4.4.6.202011191011
univention-ad-connector fix: 13.0.0-58A~4.4.6.202011190952

Mapping extended attributes: OK
Adjusting existing mapping: OK
Testcase: OK
Test successful in jenkins: OK
YAML: OK
Documentation: OK
Documentation spelling: univention-spell currently finds mistakes in the words "Mappings", "Mapping-Datei" and so on. But those are correct. -> OK
Verified

REOPEN: No ucs 5 merge request was created.

Created:
https://git.knut.univention.de/univention/ucs/-/merge_requests/39
Could you set the bug back to verified? Max is currently sick.
(In reply to Julia Bremer from comment #14)
> Created:
> https://git.knut.univention.de/univention/ucs/-/merge_requests/39
> Could you set the bug back to verified? Max is currently sick.

I can't. I added 7 gitlab comments.

And another thing:
https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-6/view/Documentation/job/HandbookUCS/lastSuccessfulBuild/artifact/webroot/handbuch-4.4.html#ad-connector:details-zur-vorkonfigurierten-synchronisation

"""
In der Grundeinstellung werden einige Container durch Filter von der Synchronisation ausgeschlossen. Diese finden sich in der Konfigurationsdatei /etc/univention/connector/ad/mapping Benutzerdefinierte Mapping-Datei /etc/univention/connector/ad/localmapping.py unter der Einstellung global_ignore_subtree.
"""

→ This does not make sense grammatically. Please remove

* "Benutzerdefinierte Mapping-Datei <filename>/etc/univention/connector/ad/localmapping.py</filename>" from windows-de.xml 1375 (and windows-en)
* please also change (de and en)
  - The contents of the <code>ad_mapping</code> variable can be modified to + The contents of the <command>ad_mapping</command> variable can be modified to
  <code> is not used currently (and this seems to confuse the spell checker)
* add "Mappings" to doc-common/spell/dicts/undecided.dic

Thank you @Felix, @Florian. Your feedback is highly appreciated and all changes were made.
The current fix is: 13.0.0-59A~4.4.6.202011241514

Build failed > version bump > fix is now: 13.0.0-60A~4.4.6.202011241539

OK - test
OK - Jenkins
OK - documentation MR will be "qaed" separately