Univention Bugzilla – Bug 18680
Removing group in group memberships in MS-AD is not replicated to UCS LDAP
Last modified: 2017-11-01 13:49:17 CET
Observed with w2k8: with the connector running in sync mode, if you first create two global groups on the AD side and then make one of them a member of the other, this arrives on the UCS side without problems, i.e. udm groups/group list shows both groups and the attributes nestedGroup and member with the correct values. If you then remove this membership again, this change does NOT arrive on the UCS side, i.e. the attributes nestedGroup and member are unchanged there.
The UCS test case 74sync_create_nested_ad_groups demonstrates the problem in scripted form.
*** Bug 25192 has been marked as a duplicate of this bug. ***
This also happens when the change is made on the UCS side.
I'm still able to reproduce it with 174sync_create_nested_ad_groups.
This happened again in a 4.1-4 e408 customer environment.
*** Bug 44404 has been marked as a duplicate of this bug. ***
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Fixed in r81473 (test enabled in r81475, advisory r81477)
I think this commit 57bdcc3a9a4f387e242ea117dc0828a2a3bfc9a5 breaks the 55_adconnector.005administrator_membership.test.

connector.log
24.10.2017 17:58:32,570 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=domain admins,cn=groups,dc=four,dc ...
24.10.2017 17:58:32,696 LDAP (INFO ): group_members_sync_to_ucs: search for: CN=Administrator,CN=Users,DC=w2k12,DC=test
24.10.2017 17:58:32,697 LDAP (INFO ): group_members_sync_to_ucs: dn_mapping_ucs_member_to_ad={'uid=administrator,cn=users,dc=four,dc=two': u'CN=Administrator,CN=Users,DC=w2k12,DC=test'}
24.10.2017 17:58:32,698 LDAP (INFO ): group_members_sync_to_ucs: ucs_members: ['uid=Administrator,cn=users,dc=four,dc=two']
24.10.2017 17:58:32,698 LDAP (INFO ): group_members_sync_to_ucs: ucs_members_from_ad: {'unknown': [], 'group': [], 'user': [], 'windowscomputer': []}
24.10.2017 17:58:32,698 LDAP (INFO ): group_members_sync_to_ucs: uid=administrator,cn=users,dc=four,dc=two was found in group member ucs cache of cn=domain admins,cn=groups,dc=four,dc=two
24.10.2017 17:58:32,699 LDAP (INFO ): _ignore_object: ignore object because of ignore_filter (key: user)
24.10.2017 17:58:32,702 LDAP (INFO ): _ignore_object: Do not ignore uid=Administrator,cn=users,dc=four,dc=two (key: group)
24.10.2017 17:58:32,702 LDAP (INFO ): group_members_sync_to_ucs: members to add: {'unknown': [], 'group': [], 'user': [], 'windowscomputer': []}
24.10.2017 17:58:32,703 LDAP (INFO ): group_members_sync_to_ucs: members to del: {'group': [], 'user': ['uid=Administrator,cn=users,dc=four,dc=two'], 'windowscomputer': []}

So group_members_sync_to_ucs no longer ignores the Administrator, because there is never an ignore filter for the Administrator in the group property -> or not self._ignore_object('group', ucs_object)
I think this check should only be used for groups.
Created attachment 9261: group_members_sync_to_ucs.patch
A proposal: check self._ignore_object for the type of object (user, group, ...) the connector has identified the object as.
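The following Python is an added illustration of the member-diff logic discussed in the two comments above; it is not the connector's code and not the attached patch. It models group_members_sync_to_ucs on constructed sample data (the DNs, the DN mapping, the object-type table and the ignore filter are assumptions modelled on the log excerpt) and compares the faulty check, which always asks self._ignore_object with key 'group', against the proposed check that uses the type the connector identified for each member. The sample UCS group also still contains a nested group that was removed on the AD side, so the planned deletion shows the membership removal from the original report being replicated while the ignored Administrator user is left alone.

```python
import re

# Constructed sample data, modelled on the log excerpt in this bug. The DNs,
# the ignore filter and the type table are assumptions for illustration, not
# the connector's real configuration.
AD_GROUP_MEMBERS = [
    "CN=Administrator,CN=Users,DC=w2k12,DC=test",   # still a member on the AD side
]
UCS_GROUP_MEMBERS = [
    "uid=Administrator,cn=users,dc=four,dc=two",    # member in UCS (an ignored user)
    "cn=Sales,cn=groups,dc=four,dc=two",            # nested group just removed in AD
]
# AD DN -> UCS DN mapping the connector would resolve for the AD members
DN_MAP_AD_TO_UCS = {
    "CN=Administrator,CN=Users,DC=w2k12,DC=test": "uid=Administrator,cn=users,dc=four,dc=two",
}
# Object type the connector has identified for each UCS DN (keys lower-cased)
UCS_OBJECT_TYPES = {
    "uid=administrator,cn=users,dc=four,dc=two": "user",
    "cn=sales,cn=groups,dc=four,dc=two": "group",
}
# Per-type ignore filters (assumed): the Administrator user is ignored, groups are not
IGNORE_FILTERS = {
    "user": re.compile(r"^uid=administrator,", re.IGNORECASE),
    "group": None,
    "windowscomputer": None,
}
MEMBER_TYPES = ("unknown", "group", "user", "windowscomputer")


def is_ignored(key, dn):
    """Stand-in for _ignore_object: apply the ignore filter configured for type `key`."""
    pattern = IGNORE_FILTERS.get(key)
    return bool(pattern and pattern.search(dn))


def classify(ucs_dn):
    """Object type the connector identified for a UCS DN (DN matching is case-insensitive)."""
    return UCS_OBJECT_TYPES.get(ucs_dn.lower(), "unknown")


def members_from_ad(ad_members):
    """Translate the AD member list into UCS DNs grouped by type, dropping ignored objects."""
    result = {key: [] for key in MEMBER_TYPES}
    for ad_dn in ad_members:
        ucs_dn = DN_MAP_AD_TO_UCS.get(ad_dn)
        if ucs_dn is None:
            continue                      # no UCS counterpart known
        key = classify(ucs_dn)
        if is_ignored(key, ucs_dn):
            continue                      # ignored objects never enter ucs_members_from_ad
        result[key].append(ucs_dn)
    return result


def plan_member_sync(ad_members, ucs_members, check_identified_type):
    """Compute the members to add to and delete from the UCS group.

    check_identified_type=False reproduces the faulty check (always key 'group');
    check_identified_type=True uses the type the connector identified for the DN.
    """
    from_ad = members_from_ad(ad_members)
    wanted = {dn.lower() for dns in from_ad.values() for dn in dns}
    present = {dn.lower() for dn in ucs_members}
    to_add = {key: [dn for dn in dns if dn.lower() not in present]
              for key, dns in from_ad.items()}
    to_del = {key: [] for key in MEMBER_TYPES}
    for dn in ucs_members:
        if dn.lower() in wanted:
            continue                      # still a member on the AD side
        key = classify(dn)
        ignore_key = key if check_identified_type else "group"
        if is_ignored(ignore_key, dn):
            continue                      # leave ignored objects' memberships untouched
        to_del[key].append(dn)
    return {"add": to_add, "del": to_del}


if __name__ == "__main__":
    for mode in (False, True):
        plan = plan_member_sync(AD_GROUP_MEMBERS, UCS_GROUP_MEMBERS, check_identified_type=mode)
        print("identified-type check:", mode, "-> members to del:", plan["del"])
```

With the faulty check the Administrator user ends up in the user list of "members to del", exactly as in the log above, because no ignore filter exists under the 'group' key. With the identified-type check only the removed nested group is scheduled for deletion, which is the behaviour the original report asked for without regressing the Administrator membership test.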
Patch looks good, package rebuilt with it. Advisory updated.
OK - group handling
OK - Administrator
OK - YAML
<http://errata.software-univention.de/ucs/4.2/205.html>