Bug 35626 - Rejects for well known groups
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-3-errata
Assigned To: Stefan Gohmann
QA Contact: Arvid Requate
Reported: 2014-08-18 11:20 CEST by Sönke Schwardt-Krummrich
Modified: 2014-09-11 07:58 CEST
Description Sönke Schwardt-Krummrich univentionstaff 2014-08-18 11:20:31 CEST
A customer with a UCS@school environment tried to rejoin the UCS@school slave. After the rejoin, the S4 connector showed several rejects for (?all?) well known groups. The UCS@school environment was set up a while ago, so the AD groups do not use the well known RIDs in LDAP.
While syncing the group initially from LDAP to AD, the pickle file is rejected due to a constraint violation (objectSID seems to be a single_value attribute but is handled as a multi value attribute).
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2014-08-18 11:33:11 CEST
For investigation, the file connector-s4.log and the output of univention-s4connector-list-rejected are attached to Ticket 2014081821000262.
Comment 2 Janis Meybohm univentionstaff 2014-08-19 10:16:08 CEST
Error message for better search results:

CONSTRAINT_VIOLATION: {'info': "attribute 'objectSid': attribute on 'CN=DnsAdmins,CN=Groups,DC=schule,DC=foo' specified, but with 0 values (illegal)", 'desc': 'Constraint violation'}
Comment 3 Stefan Gohmann univentionstaff 2014-08-19 11:02:41 CEST
I've added a test case for this issue:
 52_s4connector/133sync_sid
Comment 4 Stefan Gohmann univentionstaff 2014-08-19 13:38:59 CEST
The SID mapping has been fixed: r52816

YAML: r52817
Comment 5 Stefan Gohmann univentionstaff 2014-08-19 15:07:25 CEST
10.02.2014 15:17:57,101 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 780, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/__init__.py", line 2465, in sync_from_ucs
    if len(attribute_type[attribute].mapping) > 0 and attribute_type[attribute].mapping[0]:
AttributeError: attribute instance has no attribute 'mapping'
Comment 6 Stefan Gohmann univentionstaff 2014-08-19 16:53:17 CEST
The traceback has been fixed: r52829
Comment 7 Arvid Requate univentionstaff 2014-08-20 16:57:10 CEST
Verified:
* Code
* New package passes test case, old package doesn't.
* Re-join of a UCS@school R2v1 Samba4 Slave OK
* YAML OK.
Comment 8 Stefan Gohmann univentionstaff 2014-09-11 07:58:38 CEST
http://errata.univention.de/ucs/3.2/182.html