I have made a number of posts about the AD server getting “corrupted” by Univention.
I think I know how it happens.
I had reported this error previously…
**29.07.2020 16:08:42.298 LDAP** (PROCESS): **sync to ucs: [ user] [ add]** uid=shawn.zheng,ou=leave user,dc=mirror-dx,dc=org,dc=dx1,dc=com
```
29.07.2020 16:08:43.632 LDAP (ERROR ): Unknown Exception during sync_to_ucs
29.07.2020 16:08:43.632 LDAP (ERROR ): Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1326, in sync_to_ucs
result = self.add_in_ucs(property_type, object, module, position)
File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1146, in add_in_ucs
return bool(ucs_object.create())
File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
dn = self._create(response=response, serverctrls=serverctrls)
File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1298, in _create
six.reraise(exc[0], exc[1], exc[2])
File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 865, in add
raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: No such object
```
Now the interesting thing to note here is:
the time stamp: 29.07.2020 16:08:42.298 LDAP
and the OU group object ou=leave user.
It is not until AFTER this error is thrown that the group is added!!! Luckily, this was added just after the failure,
but normally for other users it can be a significant time before this occurs.
29.07.2020 16:08:43.772 LDAP (PROCESS): sync to ucs: [ ou] [ add] OU=Leave user,dc=dx1,dc=org,dc=mirror-dx,dc=com
So then we have:
29.07.2020 16:26:54.562 LDAP (PROCESS): sync from ucs: [ ou] [ add] ou=leave user,DC=dx1,DC=org,DC=mirror-dx,DC=com
Then this!!!
29.07.2020 16:32:26.385 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=shawn.zheng,OU=Leave user,DC=dx1,DC=org,DC=mirror-dx,DC=com
29.07.2020 16:32:26.404 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=shawn.zheng,ou=leave user,dc=mirror-dx1,dc=org,dc=mirror-dx,dc=com
Success!!!
But the group data still has to be re-synced BACK to the AD server…
So basically:
- We tried to add a user to a non-existent group -> fail
- We then randomly added the group -> success
- We added some other users -> success
- The group gets synced BACK to the AD, minus the unprocessed records.
- Finally, at a later time, the user that failed gets synced back.
During this sync time the AD can potentially get corrupted due to groups being synced back minus their complete users & access rights.
On a large installation it can take up to an hour of backwards & forwards before the system becomes synced.
During this time, if the mode is bi-directional, all sorts of things can be going on with users' access & rights.
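The ordering problem described in the post above (an object add towards UCS fails with "No such object" because its parent OU has not been synced yet, the OU arrives later, and the object is only retried on a much later resync) can be spotted directly in the connector log. The following is an added example, not code from the original post or from the Univention connector itself: it parses log lines in the shape shown on this page, pairs each failed `sync to ucs ... [ add]` with the `Unknown Exception during sync_to_ucs` error that follows it, and then reports how long it took until the parent container was added and until the object was retried. The sample log embedded in the block is constructed for the example (domain `dc=example,dc=com`, user `bob.lee` with a parent OU that never arrives) and mirrors the timestamps quoted in the post; the DN handling splits on commas, which is sufficient for the DNs seen here but does not handle escaped commas inside RDN values.

```python
import re
from datetime import datetime

# Log line shape as seen in the post, e.g.
#   29.07.2020 16:08:43.632 LDAP (ERROR ): Unknown Exception during sync_to_ucs
# The level may carry trailing whitespace inside the parentheses ("ERROR ").
LINE_RE = re.compile(
    r'^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) LDAP \((\w+)\s*\): (.*)$')
# "sync to ucs: [ user] [ add] <dn>"  /  "sync from ucs: [ ou] [ add] <dn>"
SYNC_RE = re.compile(r'^sync (to|from) ucs: \[\s*(\w+)\s*\] \[\s*(\w+)\s*\] (.+)$')
FAIL_MSG = 'Unknown Exception during sync_to_ucs'


def normalize_dn(dn):
    """Case-fold and trim each RDN so the AD spelling (OU=Leave user,DC=...)
    compares equal to the UCS spelling (ou=leave user,dc=...)."""
    return ','.join(p.strip().lower() for p in dn.split(','))


def parent_dn(dn):
    """Container DN one level above dn (normalised)."""
    return ','.join(normalize_dn(dn).split(',')[1:])


def parse_line(line):
    """Return (timestamp, level, message) or None for traceback/continuation lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), '%d.%m.%Y %H:%M:%S.%f')
    return ts, m.group(2), m.group(3)


def find_orphaned_adds(lines):
    """One record per 'sync to ucs' add that failed, with the time at which its
    parent container was later added and the time the object itself was retried."""
    failures = []
    last_add = None  # most recent (ts, kind, dn) add attempt towards UCS
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        ts, level, msg = parsed
        if level == 'ERROR' and msg.startswith(FAIL_MSG):
            if last_add is None:
                continue  # error not attributable to an add we saw
            _, kind, dn = last_add
            earlier = next((f for f in failures if f['dn'] == dn), None)
            if earlier is not None:
                earlier['retried_at'] = None  # the retry failed as well
            else:
                failures.append({'dn': dn, 'kind': kind, 'failed_at': ts,
                                 'parent': parent_dn(dn),
                                 'parent_added_at': None, 'retried_at': None})
            last_add = None
            continue
        m = SYNC_RE.match(msg)
        if not m or m.group(1) != 'to' or m.group(3) != 'add':
            continue
        kind, dn = m.group(2), normalize_dn(m.group(4))
        last_add = (ts, kind, dn)
        for f in failures:
            if f['parent_added_at'] is None and dn == f['parent']:
                f['parent_added_at'] = ts
            if f['retried_at'] is None and dn == f['dn'] and ts > f['failed_at']:
                f['retried_at'] = ts
    return failures


def seconds_between(a, b):
    return None if a is None or b is None else (b - a).total_seconds()


def summarize(lines):
    """Per failed add: how many seconds after the failure the parent arrived
    and the object was retried (None if that never happened in the log)."""
    return [{'dn': f['dn'], 'parent': f['parent'],
             'parent_added_after_s': seconds_between(f['failed_at'], f['parent_added_at']),
             'retried_after_s': seconds_between(f['failed_at'], f['retried_at'])}
            for f in find_orphaned_adds(lines)]


# Constructed sample log for this example (not taken from a real system).
SAMPLE_LOG = """\
29.07.2020 16:08:42.298 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=shawn.zheng,ou=leave user,dc=example,dc=com
29.07.2020 16:08:43.632 LDAP (ERROR ): Unknown Exception during sync_to_ucs
29.07.2020 16:08:43.632 LDAP (ERROR ): Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1326, in sync_to_ucs
ldapError: No such object
29.07.2020 16:08:43.772 LDAP (PROCESS): sync to ucs: [ ou] [ add] OU=Leave user,DC=example,DC=com
29.07.2020 16:09:01.010 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=jane.doe,ou=leave user,dc=example,dc=com
29.07.2020 16:09:05.500 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=bob.lee,ou=contractors,dc=example,dc=com
29.07.2020 16:09:06.000 LDAP (ERROR ): Unknown Exception during sync_to_ucs
29.07.2020 16:26:54.562 LDAP (PROCESS): sync from ucs: [ ou] [ add] ou=leave user,DC=example,DC=com
29.07.2020 16:32:26.385 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=shawn.zheng,OU=Leave user,DC=example,DC=com
29.07.2020 16:32:26.404 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=shawn.zheng,ou=leave user,dc=example,dc=com
"""

if __name__ == '__main__':
    for rec in summarize(SAMPLE_LOG.splitlines()):
        print(rec)
```

Run it against `/var/log/univention/connector.log` (or wherever the connector writes on the installation in question) by passing the file's lines to `summarize`; a record whose `parent_added_after_s` is large, or whose `retried_after_s` is `None`, is exactly the window the post describes, during which the group has already been written back to AD without that member.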