Bug 55150

Summary: AD-Connector fails sync, missing match filter, but all filter criteria are fulfilled [5.0]
Product: UCS
Reporter: Iván.Delgado <ivan.delgado>
Component: AD Connector
Assignee: Iván.Delgado <ivan.delgado>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: best, botner, bremer, gulden, ivan.delgado, kiok, requate, schwarz, steuwer, turfeld
Version: UCS 5.0
Target Milestone: UCS 5.0-2-errata
Hardware: Other
OS: Linux
URL: https://git.knut.univention.de/univention/ucs/-/merge_requests/496
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 37351, 52263
Bug Blocks:

Description Iván.Delgado univentionstaff 2022-08-31 07:54:12 CEST
+++ This bug was initially created as a clone of Bug #52263 +++

univention-app info
UCS: 4.4-6 errata776
Installed: adconnector=12.0 itslearning=3.2 self-service=4.0 self-service-backend=4.0 ucs-to-school-transformer=1.3.2 ucsschool=4.4 v7 ucsschool-kelvin-rest-api=1.1.1
Upgradable: ucsschool-kelvin-rest-api


AD-Connector is in sync mode

Some users are not synced correctly from AD to UCS, because the AD-Connector reports a missing valid match filter, but all mandatory attributes are present (and thousands of other users are synced correctly in this environment). We were not able to detect any differences between rejected users and not rejected users, because they are all created the same way in AD.
Comment 1 Iván.Delgado univentionstaff 2022-09-02 12:25:07 CEST
When objects were changed in Microsoft Active Directory, the AD-Connector checked whether the object should be ignored. The decision is based on three criteria, `match_filter`, `ignoresubtree` and the `ignorelist` from which the `ignore_filter` is constructed. Since Bug 37351 has been fixed in `errata4.0-1`, this check is not only applied to the new object, but also to the object existing in UDM, which represents the old state at the time of sync. In scenarios where an object is present in UDM and Microsoft Active Directory but matches the `ignore_filter`, this had the negative side effect that the AD object would still be ignored even if the administrator changed an attribute in a way that the new object did not match the `ignore_filter` any longer. This affected user objects.
This problem has been fixed by restricting the change for Bug 37351 to apply only to objects matching the criteria of a `windowscomputer`, as these don't have an `ignore_filter`.

univention-ad-connector.yaml
cbcac1dc836c | Bug #55150: Update advisory
463085bf4f29 | Bug #55150: Update changelog and advisory

univention-ad-connector (14.0.10-6)
463085bf4f29 | Bug #55150: Update changelog and advisory

univention-ad-connector (14.0.10-5)
8f3a35acdaf7 | Bug #55150: check if property_type is "windowscomputer" before check _ignore_object

ucs-test (10.0.7-22)
69dcef6aeb21 | Bug #55150: Update changelog

ucs-test (10.0.7-21)
be3495dc8577 | Bug #55150: Create new ucs-test to check this bug

univention-ad-connector 14.0.10-6A~5.0.0.202209021201
ucs-test 10.0.7-22A~5.0.0.202209021205
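The ignore decision described in Comment 1, modelled as an added Python example. This is not code from univention-ad-connector: the function names (`evaluate_filter`, `should_ignore`, `sync_decision`), the way the `ignore_filter` is derived from the `ignorelist`, the config layout and the sample AD/UDM objects are all constructed for this illustration. `fixed=False` models the behaviour after Bug 37351 (old UDM object checked for every property type), `fixed=True` the behaviour after this bug (old object checked only for `windowscomputer`).

```python
"""Model of the AD-Connector ignore decision from Comment 1 (added example)."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]  # attribute names stored lowercase, values as lists


def _split_top_level(body: str) -> List[str]:
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], honouring nested parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def evaluate_filter(ldap_filter: str, entry: Entry) -> bool:
    """Evaluate a small subset of RFC 4515 filters: equality, presence (*), &, |, !."""
    f = ldap_filter.strip()
    if not (f.startswith("(") and f.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % ldap_filter)
    body = f[1:-1]
    if body[:1] == "&":
        return all(evaluate_filter(p, entry) for p in _split_top_level(body[1:]))
    if body[:1] == "|":
        return any(evaluate_filter(p, entry) for p in _split_top_level(body[1:]))
    if body[:1] == "!":
        return not evaluate_filter(body[1:], entry)
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def ignore_filter_from_ignorelist(ignorelist: List[str]) -> Optional[str]:
    """Assumption for this example: the ignorelist of CNs becomes (|(cn=a)(cn=b))."""
    if not ignorelist:
        return None  # windowscomputer objects carry no ignore_filter
    return "(|" + "".join("(cn=%s)" % cn for cn in ignorelist) + ")"


def should_ignore(property_type: str, obj: Entry, config: dict) -> bool:
    """The three criteria from Comment 1: match_filter, ignoresubtree, ignore_filter."""
    rule = config[property_type]
    if not evaluate_filter(rule["match_filter"], obj):
        return True
    dn = obj["dn"][0].lower()
    if any(dn.endswith("," + sub.lower()) for sub in rule.get("ignoresubtree", [])):
        return True
    ignore_filter = ignore_filter_from_ignorelist(rule.get("ignorelist", []))
    return ignore_filter is not None and evaluate_filter(ignore_filter, obj)


def sync_decision(property_type: str, ad_object: Entry, udm_object: Optional[Entry],
                  config: dict, fixed: bool) -> bool:
    """Return True when the AD change should be written to UDM."""
    if should_ignore(property_type, ad_object, config):
        return False
    # Bug 37351 added the check of the old UDM object; Bug 55150 limits it to
    # windowscomputer, the only type without an ignore_filter.
    check_old = udm_object is not None and (not fixed or property_type == "windowscomputer")
    if check_old and should_ignore(property_type, udm_object, config):
        return False
    return True


CONFIG = {  # constructed sample mapping
    "user": {"match_filter": "(objectClass=user)",
             "ignoresubtree": ["ou=Service,dc=ad,dc=example"],
             "ignorelist": ["svc-backup"]},
    "windowscomputer": {"match_filter": "(objectClass=computer)",
                        "ignoresubtree": ["ou=Staging,dc=ad,dc=example"],
                        "ignorelist": []},
}

# Constructed scenario: the user was created matching the ignore_filter, then the
# administrator renamed it in AD. UDM still holds the old state at sync time.
UDM_USER = {"dn": ["cn=svc-backup,ou=Users,dc=ad,dc=example"],
            "objectclass": ["top", "person", "user"], "cn": ["svc-backup"]}
AD_USER = {"dn": ["cn=backup-operator,ou=Users,dc=ad,dc=example"],
           "objectclass": ["top", "person", "user"], "cn": ["backup-operator"]}

# Constructed computer moved out of an ignored subtree: the old-object check still applies.
UDM_PC = {"dn": ["cn=pc01,ou=Staging,dc=ad,dc=example"],
          "objectclass": ["top", "computer"], "cn": ["pc01"]}
AD_PC = {"dn": ["cn=pc01,ou=Computers,dc=ad,dc=example"],
         "objectclass": ["top", "computer"], "cn": ["pc01"]}


def demo() -> dict:
    """Sync decisions for both scenarios, before and after the fix."""
    return {
        "user_before_fix": sync_decision("user", AD_USER, UDM_USER, CONFIG, fixed=False),
        "user_after_fix": sync_decision("user", AD_USER, UDM_USER, CONFIG, fixed=True),
        "computer_before_fix": sync_decision("windowscomputer", AD_PC, UDM_PC, CONFIG, fixed=False),
        "computer_after_fix": sync_decision("windowscomputer", AD_PC, UDM_PC, CONFIG, fixed=True),
    }


if __name__ == "__main__":
    for case, synced in demo().items():
        print("%-20s synced=%s" % (case, synced))
```

Running the block shows the renamed user is dropped by the pre-fix logic solely because its stale UDM copy still matches the `ignore_filter`, while the fixed logic syncs it; the computer case is unchanged by the fix, since the old-object check is exactly what `windowscomputer` keeps.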
Comment 2 Arvid Requate univentionstaff 2022-09-05 11:25:01 CEST
Verified:
* Code review
* Package update
* Functional test (with the new testcase)
* Advisory