Univention Bugzilla – Bug 37632
Setting nestedGroup property of groups/group breaks with CamelCase LDAP base
Last modified: 2017-06-19 16:23:19 CEST
The nestedGroup property of groups/group doesn't seem to work properly with a mixed case LDAP base:

root@master55:/usr/share/ucs-test# udm groups/group create --set name=uwmresrq
Object created: cn=uwmresrq,dc=FooBar,dc=com
root@master55:/usr/share/ucs-test# udm groups/group modify \
    --dn="cn=Domain Admins,cn=groups,dc=FooBar,dc=com" \
    --set description=bar
Object modified: cn=Domain Admins,cn=groups,dc=FooBar,dc=com
root@master55:/usr/share/ucs-test# udm groups/group modify \
    --dn="cn=Domain Admins,cn=groups,dc=FooBar,dc=com" \
    --set nestedGroup="cn=uwmresrq,cn=groups,dc=FooBar,dc=com"
E: object not found

Discovered via Bug 37595, test case 10_ldap/55slapd-crash-1270
Error in example above, here we go again:

root@master55:/usr/share/ucs-test# udm groups/group create \
    --position cn=groups,dc=FooBar,dc=com --set name=subgroup1
Object created: cn=subgroup1,cn=groups,dc=FooBar,dc=com
root@master55:/usr/share/ucs-test# udm-test groups/group modify \
    --dn="cn=subgroup1,cn=groups,dc=FooBar,dc=com" \
    --set description=bar
Object modified: cn=subgroup1,cn=groups,dc=FooBar,dc=com
root@master55:/usr/share/ucs-test# udm groups/group modify \
    --dn="cn=Domain Admins,cn=groups,dc=FooBar,dc=com" \
    --set nestedGroup="cn=subgroup1,cn=groups,dc=FooBar,dc=com"
E: object not found
Also found via ucs-test cases
* 62_udm-groups/05_group_modification_append_nestedGroups
* 62_udm-groups/06_group_creation_set_single_letter_name_nestedGroup
* 62_udm-groups/08_rename_a_group_which_contains_a_nestedGroup
* 62_udm-groups/09_rename_a_nestedGroup
* 62_udm-groups/18_group_modification_recursion_set_nestedGroup_to_group_containing_self
* 62_udm-groups/23_group_modify_grouptype
*** Bug 38088 has been marked as a duplicate of this bug. ***
This leads to 96univention-samba4slavepdc.inst breaking, because of E: object not found: DN not found: cn=domain guests,cn=groups,dc=uni,dc=dtr when trying to create cn=Guests,cn=Builtin,$ldap_base with --append nestedGroup="cn=Domain Guests,cn=groups,$ldap_base". This renders a complete domain almost unusable, because no further join succeeds.
Sidenote: core.schema defines the matching rule 'caseIgnoreIA5Match' for 'dc'. In general DNs are not case insensitive but follow the individual matching rules of the RDN parts. But there are few attributes with exact* matching rules. Unfortunately only the OpenLDAP server code currently implements DN (and attribute) matching properly, so the "proper" solution would be to ask the LDAP-Server (and possibly cache the results per session).
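The per-attribute matching described in the sidenote above, sketched as an added example that is not part of the original bug report or of Univention's code: a client-side DN comparison that applies a matching rule per RDN attribute instead of comparing DN strings. Assumptions: the rule table is a constructed subset, attributes missing from it are compared exactly, hex escapes are not decoded, and `x-token` in the tests is a hypothetical attribute.

```python
# Added example: client-side DN comparison using one matching rule per RDN attribute.
# Constructed subset of rules; a real client would take them from the server's schema.
CASE_IGNORE = {"dc", "cn", "ou"}  # dc: caseIgnoreIA5Match; cn, ou: caseIgnoreMatch


def split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped characters (e.g. 'cn=Doe\\, John')."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_rdn(rdn):
    """Comparable form of one RDN; multi-valued RDNs (a=1+b=2) compare unordered."""
    avas = set()
    for ava in split_unescaped(rdn, "+"):
        attr, sep, value = ava.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        attr = attr.strip().lower()  # attribute type names are case-insensitive
        value = value.strip()
        if attr in CASE_IGNORE:
            value = " ".join(value.lower().split())  # fold case, collapse spaces
        # Assumption: attributes not in the table are compared exactly.
        avas.add((attr, value))
    return frozenset(avas)


def normalize_dn(dn):
    return tuple(normalize_rdn(rdn) for rdn in split_unescaped(dn, ","))


def same_dn(a, b):
    return normalize_dn(a) == normalize_dn(b)
```

With this comparison the lookups from the reports above match regardless of the case of the LDAP base, while a value of an attribute outside the table still has to match exactly.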
Fixed via Bug #43247. I reenabled the test cases.

ucs-test (6.0.37-31):
r75571 | Bug #37632: Bug #38088: reactivate test cases
r75572 | Bug #37632: Bug #38088: reactivate test cases

*** This bug has been marked as a duplicate of bug 43247 ***
UCS 4.2 merge:

ucs-test (7.0.6-38):
r75574 | Bug #37632: Bug #38088: reactivate test cases
r75573 | Bug #37632: Bug #38088: reactivate test cases
OK
<http://errata.software-univention.de/ucs/4.1/367.html>