AD-Connector problem with groups due to case-insensitivity

dave · June 5, 2024, 7:30am

The AD Connector is supposed to import users and groups from Windows AD. Unfortunately, we have the problem that users occasionally get “kicked out” of the groups. However, in the UMC, they are still displayed as if they are in the group. If I remove and re-add the user there, everything is correct.

We have noticed that the users do not really get kicked out of the group, but that the group in the internal.sqlite database is not stored case-sensitively. If the group is added manually via the UMC, it is case-sensitive.

Does anyone have an idea what could be causing this?

dave · June 17, 2024, 9:52am

We have found the error. In the init.py in the folder /usr/lib/python3/dist-packages/univention/connector there is a .lower() after each variable.
If you remove all .lower() the groups will be properly synchronized again.

requate · June 20, 2024, 8:50am

Hi, not sure if I understand you correctly, there are a couple of lines in __init__.py, so it’s unclear to me which .lower() you adjusted.

In the mean time we adjusted something in univention/connector/ad/__init__.py in method group_members_sync_to_ucs which also may improve the behavior:
https://errata.software-univention.de/#/?erratum=5.0x990

dave · June 21, 2024, 7:33am

Hi,

I removed every .lower() so the groups are casesensitive.

This is our new init.py:
__init__new.py (81.1 KB)
and this is the original one:
__init__org.py (81.6 KB)

dave · September 12, 2024, 8:14am

Do you have any idea what to do now?

talleyrand · September 23, 2024, 3:32am

what MS say on the issue:

“Please note that disabling username sensitivity check can lead to security risks, as it can allow users to bypass two-factor authentication. It is recommended to keep this feature enabled unless it is absolutely necessary for legacy compatibility reasons.”