Bug 51915

Summary: AD-Connector: Regression for "domainrewrite" extension
Product: UCS
Reporter: Arvid Requate <requate>
Component: AD Connector
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Andreas Peichert <peichert>
Severity: normal
Priority: P5
CC: bremer, peichert
Version: UCS 4.4
Flags: requate: Patch_Available+
Target Milestone: UCS 4.4-5-errata
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020081721000369
Bug group (optional): External feedback, Regression
Max CVSS v3 score:
Bug Depends on: 51518
Bug Blocks:

Description Arvid Requate univentionstaff 2020-08-27 10:56:11 CEST
Commit https://git.knut.univention.de/univention/ucs/-/commit/e8afe067cc for Bug #51518 caused a regression in a customer project, which uses a specialized adjusted AD-Connector mapping ("domainrewrite"):

================================================================================
25.08.2020 19:28:09.658 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1329, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1148, in add_in_ucs
    function(self, property_type, ucs_object)
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 103, in set_primary_group_user
    connector.set_primary_group_to_ucs_user(key, ucs_object)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1564, in set_primary_group_to_ucs_user
    if not ad_group_rid_resultlist[0][0] in ['None', '', None]:
IndexError: list index out of range
================================================================================

The project-specific "domainrewrite" extension in itself has a conceptual bug, which triggers this code path, where the __search_ad for the primary group doesn't return a result, because the rewritten UDM-uid is always != the AD sAMAccountName. Nonetheless, this regression shows a bug in the error handling of the standard AD-Connector. I'll attach a trivial patch.
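The failure mode described above, as an added example that is neither the attached patch nor the connector's own code: an AD search that matches nothing returns an empty list, so indexing `[0][0]` raises `IndexError` unless the length is checked first. `search_ad`, `SAMPLE_AD`, the logger name and both lookup functions are hypothetical, and the `(dn, attrs)` result shape and the sample entries are assumptions constructed for illustration.

```python
import logging

log = logging.getLogger("adconnector-example")  # hypothetical logger name
EMPTY_DN = ('None', '', None)  # values the check in the traceback treats as "no DN"

# Constructed sample directory: sAMAccountName -> list of (dn, attrs) results.
SAMPLE_AD = {
    "alice": [("CN=alice,CN=Users,DC=example,DC=test", {"primaryGroupID": [b"513"]})],
}


def search_ad(sam_account_name):
    """Stand-in for the connector's AD search; an unmatched name yields []."""
    return SAMPLE_AD.get(sam_account_name, [])


def primary_group_rid_unguarded(uid):
    """Access pattern from the traceback: [0][0] without a length check."""
    resultlist = search_ad(uid)
    if not resultlist[0][0] in EMPTY_DN:  # IndexError when resultlist == []
        return resultlist[0][1]["primaryGroupID"][0].decode()
    return None


def primary_group_rid_guarded(uid):
    """Same lookup, but an empty result is logged and skipped, not fatal."""
    resultlist = search_ad(uid)
    if not resultlist or resultlist[0][0] in EMPTY_DN:
        log.warning("no AD entry for sAMAccountName=%r, skipping primary group", uid)
        return None
    rids = resultlist[0][1].get("primaryGroupID") or []
    return rids[0].decode() if rids else None


if __name__ == "__main__":
    # "alice-rewritten" models a rewritten uid that never equals the sAMAccountName.
    print(primary_group_rid_guarded("alice"))
    print(primary_group_rid_guarded("alice-rewritten"))
```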
Comment 2 Arvid Requate univentionstaff 2020-08-27 11:13:30 CEST
552cc11caf | Patch
c77a934354 | debian/changelog
2d3fa6dadf | Advisory
Comment 3 Andreas Peichert univentionstaff 2020-08-27 15:22:39 CEST
Tested in customer environment with "domainrewrite" extension. With the changes and after restarting the service, the Traceback is gone. AD Users are again successfully synced to UCS 4.4.

univention-ad-connector (13.0.0-50A~4.4.0.20200827) 
OK: changelog
OK: YAML