Univention Bugzilla – Bug 41028
Reject while syncing moved group members in write mode
Last modified: 2016-05-04 18:15:39 CEST
Ticket #2015110521000528

The following traceback occurs in a UCS@school environment. The connector is configured in write mode. One group member was moved from one OU to another OU. The rename has already been performed in the AD. In the detailed debug it is shown that the old DN should be set in AD and the new DN should be removed:

07.04.2016 12:24:11,233 LDAP (INFO ): group_members_sync_from_ucs: members to add: [u'cn=user1,cn=schueler,cn=users,ou=oldou,dc=doma,dc=lan']
07.04.2016 12:24:11,234 LDAP (INFO ): group_members_sync_from_ucs: members to del: [u'CN=user1,CN=schueler,CN=users,OU=newou,DC=doma,DC=lan']

After an AD connector restart the traceback is resolved automatically. I guess the group mapping cache is not cleaned during the move.

The traceback:

07.04.2016 12:24:11,248 LDAP (WARNING): sync failed, saved as rejected
07.04.2016 12:24:11,249 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 721, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn))):
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/__init__.py", line 2257, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/__init__.py", line 76, in group_members_sync_from_ucs
    return connector.group_members_sync_from_ucs(key, object)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/__init__.py", line 1450, in group_members_sync_from_ucs
    self.lo_ad.lo.modify_s(compatible_modstring(object['dn']),[(ldap.MOD_REPLACE, 'member', modlist_members)])
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 322, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_OBJECT: {'info': "00000525: NameErr: DSID-031A125B, problem 2001 (NO_OBJECT), data 0, best match of:\n\t''\n", 'desc': 'No such object'}
Unfortunately, I'm not able to reproduce this issue reliably. It seems to happen only if the user is in a group and the group is changed before the user is moved. This is hard to reproduce because the connector drops objects which will be synced later. The easiest way is to stop the notifier on the DC Master, do many changes and run the AD connector on the backup.

Fixed in UCS 4.1-1: r68913
Created attachment 7622
bug41028.patch
Created attachment 7628
reproducer-bug41028.sh

I can reproduce this with the attached script (setup: master + backup with ad-connector, script has to be started on the master)
OK - univention-ad-connector r68913 (can no longer reproduce this bug)
OK - jenkins ad connector jobs still succeed (in the same time)
OK - univention-ad-connector.yaml
<http://errata.software-univention.de/ucs/4.1/173.html>