Bug 41938 – Moving users to non-readable location confuses AD-Connector

Bug 41938 - Moving users to non-readable location confuses AD-Connector


Summary:	Moving users to non-readable location confuses AD-Connector

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	AD Connector
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.1-3-errata
Assigned To:	Stefan Gohmann
QA Contact:	Felix Botner

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2016-08-09 15:49 CEST by Michael Grandjean
Modified:	2016-09-21 20:28 CEST (History)
CC List:	4 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	3: A User would likely not purchase the product
User Pain:	0.137
Enterprise Customer affected?:	Yes
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Forked for project
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
excerpt from connector.log at debug level 3 (6.30 KB, text/x-log) 2016-08-09 15:49 CEST, Michael Grandjean	Details
bug41938.patch (3.76 KB, patch) 2016-08-18 21:25 CEST, Arvid Requate	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Grandjean

2016-08-09 15:49:49 CEST

Created attachment 7861 [details]
excerpt from connector.log at debug level 3

This is most probably related to S4-Connector Bug 32542 and/or Bug 41884, but affects the AD-Connector. 

1) create 2 OUs (e.g. gsmitte and gsnord)
2) create at least one user in gsmitte
3) install and configure univention-ad-connector on school server gsmitte
4) move the user via import script from gsmitte to gsnord.
5) check connector.log of school server for gsmitte (the server should have NO read access for gsnord)

See attached log file with debug level 3.

Instead of running the function "group_members_sync_from_ucs", the AD-Connector decides to do this:
> move group from uid=mary,cn=schueler,cn=users,ou=tgbbz,dc=schule,dc=example,dc=org] to [cn=tgbbz-11a,cn=klassen,cn=schueler,cn=groups,ou=tgbbz,DC=intern,DC=cabbages,DC=ad]

... and fails, because the group already exists.

Please note: Installing univention-ad-connector on an UCS Slave is done as a customer implementation.

Comment 1 Arvid Requate

2016-08-18 21:25:41 CEST

Created attachment 7898 [details]
bug41938.patch

I've merged the S4-Connector patches mentioned by Michael to apply to the ad-connector.py listener module but the resulting behavior is still untested.

Comment 2 Stefan Gohmann

2016-09-13 14:13:53 CEST

(In reply to Arvid Requate from comment #1)
> Created attachment 7898 [details]
> bug41938.patch
> 
> I've merged the S4-Connector patches mentioned by Michael to apply to the
> ad-connector.py listener module but the resulting behavior is still untested.

Thanks, the patch works.

UCS 4.1-3: r72543
UCS 4.2: r72544
YAML: r72545

Comment 3 Felix Botner

2016-09-14 14:09:16 CEST

UCS 4.1-3 with new ad-connector

(1)
disabled access to subtree cn=ignore... for Administrator in slapd.conf
 access to dn.subtree="cn=ignore,dc=four,dc=test"
   by dn.base="uid=Administrator,cn=users,dc=four,dc=test" none
   by * +0 break

(2)
changed binddn from cn=admin... to uid=Administrator... in
/etc/service/univention-directory-listener/run

(3)
create normal user account
move user to cn=ignore
change description of some object (to trigger a normal change after the modrdn)

I get 

"14.09.16 13:47:57.695  LISTENER    ( ERROR   ) : The entryUUID attribute of the saved object (uid=test8,dc=four,dc=test) does not match the entryUUID attribute of the current object (dc=four,dc=test). This can be normal in a selective replication scenario.
14.09.16 13:47:57.697  LISTENER    ( ERROR   ) : rm old object
"

in the listener log. That is OK, the listener sees the 'r' for the user object, but not the 'a' (modrdn is 'r' + 'a'), the next change does not correspond to the current "old_dn" object (where the modrdn objects are stored) and is ignored.


Move from a readable container into another readable container still works as expected (modrdn in listener -> modify in connector).

OK - jenkins
OK - merged to 4.2-0
OK - yaml

Comment 4 Janek Walkenhorst

2016-09-14 15:39:01 CEST

<http://errata.software-univention.de/ucs/4.1/267.html>